mirrors
/
redmine
mirror of https://github.com/redmine/redmine.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 201 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12406 Commits
33 Branches
Tree: 3e776af806
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3e776af806'
${ noResults }
redmine/test/integration/api_test/authentication_test.rb

authentication_test.rb 5.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158 
  1. # Redmine - project management software

  2. # Copyright (C) 2006-2016  Jean-Philippe Lang

  3. #

  4. # This program is free software; you can redistribute it and/or

  5. # modify it under the terms of the GNU General Public License

  6. # as published by the Free Software Foundation; either version 2

  7. # of the License, or (at your option) any later version.

  8. #

  9. # This program is distributed in the hope that it will be useful,

  10. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  11. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  12. # GNU General Public License for more details.

  13. #

  14. # You should have received a copy of the GNU General Public License

  15. # along with this program; if not, write to the Free Software

  16. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  17. 

  18. require File.expand_path('../../../test_helper', __FILE__)

  19. 

  20. class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base

  21.   fixtures :users

  22. 

  23.   def test_api_should_deny_without_credentials

  24.     get '/users/current.xml', {}

  25.     assert_response 401

  26.     assert_equal User.anonymous, User.current

  27.     assert response.headers.has_key?('WWW-Authenticate')

  28.   end

  29. 

  30.   def test_api_should_accept_http_basic_auth_using_username_and_password

  31.     user = User.generate! do |user|

  32.       user.password = 'my_password'

  33.     end

  34.     get '/users/current.xml', {}, credentials(user.login, 'my_password')

  35.     assert_response 200

  36.     assert_equal user, User.current

  37.   end

  38. 

  39.   def test_api_should_deny_http_basic_auth_using_username_and_wrong_password

  40.     user = User.generate! do |user|

  41.       user.password = 'my_password'

  42.     end

  43.     get '/users/current.xml', {}, credentials(user.login, 'wrong_password')

  44.     assert_response 401

  45.     assert_equal User.anonymous, User.current

  46.   end

  47. 

  48.   def test_api_should_accept_http_basic_auth_using_api_key

  49.     user = User.generate!

  50.     token = Token.create!(:user => user, :action => 'api')

  51.     get '/users/current.xml', {}, credentials(token.value, 'X')

  52.     assert_response 200

  53.     assert_equal user, User.current

  54.   end

  55. 

  56.   def test_api_should_deny_http_basic_auth_using_wrong_api_key

  57.     user = User.generate!

  58.     token = Token.create!(:user => user, :action => 'feeds') # not the API key

  59.     get '/users/current.xml', {}, credentials(token.value, 'X')

  60.     assert_response 401

  61.     assert_equal User.anonymous, User.current

  62.   end

  63. 

  64.   def test_api_should_accept_auth_using_api_key_as_parameter

  65.     user = User.generate!

  66.     token = Token.create!(:user => user, :action => 'api')

  67.     get "/users/current.xml?key=#{token.value}", {}

  68.     assert_response 200

  69.     assert_equal user, User.current

  70.   end

  71. 

  72.   def test_api_should_deny_auth_using_wrong_api_key_as_parameter

  73.     user = User.generate!

  74.     token = Token.create!(:user => user, :action => 'feeds') # not the API key

  75.     get "/users/current.xml?key=#{token.value}", {}

  76.     assert_response 401

  77.     assert_equal User.anonymous, User.current

  78.   end

  79. 

  80.   def test_api_should_accept_auth_using_api_key_as_request_header

  81.     user = User.generate!

  82.     token = Token.create!(:user => user, :action => 'api')

  83.     get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}

  84.     assert_response 200

  85.     assert_equal user, User.current

  86.   end

  87. 

  88.   def test_api_should_deny_auth_using_wrong_api_key_as_request_header

  89.     user = User.generate!

  90.     token = Token.create!(:user => user, :action => 'feeds') # not the API key

  91.     get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}

  92.     assert_response 401

  93.     assert_equal User.anonymous, User.current

  94.   end

  95. 

  96.   def test_api_should_trigger_basic_http_auth_with_basic_authorization_header

  97.     ApplicationController.any_instance.expects(:authenticate_with_http_basic).once

  98.     get '/users/current.xml', {}, credentials('jsmith')

  99.     assert_response 401

  100.   end

  101. 

  102.   def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header

  103.     ApplicationController.any_instance.expects(:authenticate_with_http_basic).never

  104.     get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'

  105.     assert_response 401

  106.   end

  107. 

  108.   def test_invalid_utf8_credentials_should_not_trigger_an_error

  109.     invalid_utf8 = "\x82".force_encoding('UTF-8')

  110.     assert !invalid_utf8.valid_encoding?

  111.     assert_nothing_raised do

  112.       get '/users/current.xml', {}, credentials(invalid_utf8, "foo")

  113.     end

  114.   end

  115. 

  116.   def test_api_request_should_not_use_user_session

  117.     log_user('jsmith', 'jsmith')

  118. 

  119.     get '/users/current'

  120.     assert_response :success

  121. 

  122.     get '/users/current.json'

  123.     assert_response 401

  124.   end

  125. 

  126.   def test_api_should_accept_switch_user_header_for_admin_user

  127.     user = User.find(1)

  128.     su = User.find(4)

  129. 

  130.     get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}

  131.     assert_response :success

  132.     assert_equal su, assigns(:user)

  133.     assert_equal su, User.current

  134.   end

  135. 

  136.   def test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user

  137.     get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => 'foobar'}

  138.     assert_response 412

  139.   end

  140. 

  141.   def test_api_should_respond_with_412_when_trying_to_switch_to_a_locked_user

  142.     user = User.find(5)

  143.     assert user.locked?

  144. 

  145.     get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => user.login}

  146.     assert_response 412

  147.   end

  148. 

  149.   def test_api_should_not_accept_switch_user_header_for_non_admin_user

  150.     user = User.find(2)

  151.     su = User.find(4)

  152. 

  153.     get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}

  154.     assert_response :success

  155.     assert_equal user, assigns(:user)

  156.     assert_equal user, User.current

  157.   end

  158. end