Test API authentification once.

git-svn-id: http://svn.redmine.org/redmine/trunk@13675 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2014-11-30 14:11:56 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2014-11-30 14:11:56 +0000
commit: 372b24627b70d43402d7e54dfb370bcdfe0ec8ba (patch)
tree: bf78235ebadb1f42ec930698d254b0359123970f /test/integration
parent: e7518a9e0c191af82c1ff26082e5ece0dc4cf61b (diff)
download: redmine-372b24627b70d43402d7e54dfb370bcdfe0ec8ba.tar.gz
redmine-372b24627b70d43402d7e54dfb370bcdfe0ec8ba.zip
8 files changed, 73 insertions, 223 deletions
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
index b8c9e0746..8452717e3 100644
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@@ -28,6 +28,79 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     Setting.rest_api_enabled = '0'
   end
 
+  def test_api_should_deny_without_credentials
+    get '/users/current.xml', {}
+    assert_response 401
+    assert_equal User.anonymous, User.current
+    assert response.headers.has_key?('WWW-Authenticate')
+  end
+
+  def test_api_should_accept_http_basic_auth_using_username_and_password
+    user = User.generate! do |user|
+      user.password = 'my_password'
+    end
+    get '/users/current.xml', {}, credentials(user.login, 'my_password')
+    assert_response 200
+    assert_equal user, User.current
+  end
+
+  def test_api_should_deny_http_basic_auth_using_username_and_wrong_password
+    user = User.generate! do |user|
+      user.password = 'my_password'
+    end
+    get '/users/current.xml', {}, credentials(user.login, 'wrong_password')
+    assert_response 401
+    assert_equal User.anonymous, User.current
+  end
+
+  def test_api_should_accept_http_basic_auth_using_api_key
+    user = User.generate!
+    token = Token.create!(:user => user, :action => 'api')
+    get '/users/current.xml', {}, credentials(token.value, 'X')
+    assert_response 200
+    assert_equal user, User.current
+  end
+
+  def test_api_should_deny_http_basic_auth_using_wrong_api_key
+    user = User.generate!
+    token = Token.create!(:user => user, :action => 'feeds') # not the API key
+    get '/users/current.xml', {}, credentials(token.value, 'X')
+    assert_response 401
+    assert_equal User.anonymous, User.current
+  end
+
+  def test_api_should_accept_auth_using_api_key_as_parameter
+    user = User.generate!
+    token = Token.create!(:user => user, :action => 'api')
+    get "/users/current.xml?key=#{token.value}", {}
+    assert_response 200
+    assert_equal user, User.current
+  end
+
+  def test_api_should_deny_auth_using_wrong_api_key_as_parameter
+    user = User.generate!
+    token = Token.create!(:user => user, :action => 'feeds') # not the API key
+    get "/users/current.xml?key=#{token.value}", {}
+    assert_response 401
+    assert_equal User.anonymous, User.current
+  end
+
+  def test_api_should_accept_auth_using_api_key_as_request_header
+    user = User.generate!
+    token = Token.create!(:user => user, :action => 'api')
+    get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}
+    assert_response 200
+    assert_equal user, User.current
+  end
+
+  def test_api_should_deny_auth_using_wrong_api_key_as_request_header
+    user = User.generate!
+    token = Token.create!(:user => user, :action => 'feeds') # not the API key
+    get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}
+    assert_response 401
+    assert_equal User.anonymous, User.current
+  end
+
   def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
     ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
     get '/users/current.xml', {}, credentials('jsmith')
diff --git a/test/integration/api_test/http_basic_login_test.rb b/test/integration/api_test/http_basic_login_test.rb
deleted file mode 100644
index 2fbf61006..000000000
--- a/test/integration/api_test/http_basic_login_test.rb
+++ /dev/null
@@ -1,43 +0,0 @@
-# Redmine - project management software
-# Copyright (C) 2006-2014  Jean-Philippe Lang
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
-require File.expand_path('../../../test_helper', __FILE__)
-
-class Redmine::ApiTest::HttpBasicLoginTest < Redmine::ApiTest::Base
-  fixtures :projects, :trackers, :issue_statuses, :issues,
-           :enumerations, :users, :issue_categories,
-           :projects_trackers,
-           :roles,
-           :member_roles,
-           :members,
-           :enabled_modules
-
-  def setup
-    Setting.rest_api_enabled = '1'
-    Setting.login_required = '1'
-    project = Project.find('onlinestore')
-    EnabledModule.create(:project => project, :name => 'news')
-  end
-
-  def teardown
-    Setting.rest_api_enabled = '0'
-    Setting.login_required = '0'
-  end
-
-  should_allow_http_basic_auth_with_username_and_password(:get, "/projects/onlinestore/news.xml")
-  should_allow_http_basic_auth_with_username_and_password(:get, "/projects/onlinestore/news.json")
-end
diff --git a/test/integration/api_test/http_basic_login_with_api_token_test.rb b/test/integration/api_test/http_basic_login_with_api_token_test.rb
deleted file mode 100644
index 62133990b..000000000
--- a/test/integration/api_test/http_basic_login_with_api_token_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# Redmine - project management software
-# Copyright (C) 2006-2014  Jean-Philippe Lang
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
-require File.expand_path('../../../test_helper', __FILE__)
-
-class Redmine::ApiTest::HttpBasicLoginWithApiTokenTest < Redmine::ApiTest::Base
-  fixtures :projects, :trackers, :issue_statuses, :issues,
-           :enumerations, :users, :issue_categories,
-           :projects_trackers,
-           :roles,
-           :member_roles,
-           :members,
-           :enabled_modules
-
-  def setup
-    Setting.rest_api_enabled = '1'
-    Setting.login_required = '1'
-  end
-
-  def teardown
-    Setting.rest_api_enabled = '0'
-    Setting.login_required = '0'
-  end
-
-  should_allow_http_basic_auth_with_key(:get, "/news.xml")
-  should_allow_http_basic_auth_with_key(:get, "/news.json")
-end
diff --git a/test/integration/api_test/issues_test.rb b/test/integration/api_test/issues_test.rb
index b63ce88ef..68b9c6b77 100644
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -48,44 +48,6 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
     Setting.rest_api_enabled = '1'
   end
 
-  # Use a private project to make sure auth is really working and not just
-  # only showing public issues.
-  should_allow_api_authentication(:get, "/projects/private-child/issues.xml")
-  should_allow_api_authentication(:get, "/projects/private-child/issues.json")
-
-  should_allow_api_authentication(:get, "/issues/6.xml")
-  should_allow_api_authentication(:get, "/issues/6.json")
-
-  should_allow_api_authentication(
-    :post,
-    '/issues.xml',
-    {:issue => {:project_id => 1, :subject => 'API test', :tracker_id => 2, :status_id => 3}},
-    {:success_code => :created}
-  )
-  should_allow_api_authentication(:post,
-                                  '/issues.json',
-                                  {:issue => {:project_id => 1, :subject => 'API test',
-                                   :tracker_id => 2, :status_id => 3}},
-                                  {:success_code => :created})
-
-  should_allow_api_authentication(:put,
-                                  '/issues/6.xml',
-                                  {:issue => {:subject => 'API update', :notes => 'A new note'}},
-                                  {:success_code => :ok})
-  should_allow_api_authentication(:put,
-                                  '/issues/6.json',
-                                  {:issue => {:subject => 'API update', :notes => 'A new note'}},
-                                  {:success_code => :ok})
-
-  should_allow_api_authentication(:delete,
-                                  '/issues/6.xml',
-                                  {},
-                                  {:success_code => :ok})
-  should_allow_api_authentication(:delete,
-                                  '/issues/6.json',
-                                  {},
-                                  {:success_code => :ok})
-
   test "GET /issues.xml should contain metadata" do
     get '/issues.xml'
     assert_select 'issues[type=array][total_count=?][limit="25"][offset="0"]',
diff --git a/test/integration/api_test/news_test.rb b/test/integration/api_test/news_test.rb
index 67984e70f..a450c4765 100644
--- a/test/integration/api_test/news_test.rb
+++ b/test/integration/api_test/news_test.rb
@@ -31,9 +31,6 @@ class Redmine::ApiTest::NewsTest < Redmine::ApiTest::Base
     Setting.rest_api_enabled = '1'
   end
 
-  should_allow_api_authentication(:get, "/projects/onlinestore/news.xml")
-  should_allow_api_authentication(:get, "/projects/onlinestore/news.json")
-
   test "GET /news.xml should return news" do
     get '/news.xml'
 
diff --git a/test/integration/api_test/projects_test.rb b/test/integration/api_test/projects_test.rb
index 16c556dde..32d5eb919 100644
--- a/test/integration/api_test/projects_test.rb
+++ b/test/integration/api_test/projects_test.rb
@@ -27,23 +27,6 @@ class Redmine::ApiTest::ProjectsTest < Redmine::ApiTest::Base
     set_tmp_attachments_directory
   end
 
-  # TODO: A private project is needed because should_allow_api_authentication
-  # actually tests that authentication is *required*, not just allowed
-  should_allow_api_authentication(:get, "/projects/2.xml")
-  should_allow_api_authentication(:get, "/projects/2.json")
-  should_allow_api_authentication(:post,
-                                  '/projects.xml',
-                                  {:project => {:name => 'API test', :identifier => 'api-test'}},
-                                  {:success_code => :created})
-  should_allow_api_authentication(:put,
-                                  '/projects/2.xml',
-                                  {:project => {:name => 'API update'}},
-                                  {:success_code => :ok})
-  should_allow_api_authentication(:delete,
-                                  '/projects/2.xml',
-                                  {},
-                                  {:success_code => :ok})
-
   test "GET /projects.xml should return projects" do
     get '/projects.xml'
     assert_response :success
diff --git a/test/integration/api_test/token_authentication_test.rb b/test/integration/api_test/token_authentication_test.rb
deleted file mode 100644
index 2728232e2..000000000
--- a/test/integration/api_test/token_authentication_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-# Redmine - project management software
-# Copyright (C) 2006-2014  Jean-Philippe Lang
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
-require File.expand_path('../../../test_helper', __FILE__)
-
-class Redmine::ApiTest::TokenAuthenticationTest < Redmine::ApiTest::Base
-  fixtures :projects, :trackers, :issue_statuses, :issues,
-           :enumerations, :users, :issue_categories,
-           :projects_trackers,
-           :roles,
-           :member_roles,
-           :members,
-           :enabled_modules
-
-  def setup
-    Setting.rest_api_enabled = '1'
-    Setting.login_required = '1'
-  end
-
-  def teardown
-    Setting.rest_api_enabled = '0'
-    Setting.login_required = '0'
-  end
-
-  # Using the NewsController because it's a simple API.
-  should_allow_key_based_auth(:get, "/news.xml")
-  should_allow_key_based_auth(:get, "/news.json")
-end
diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb
index f44948c54..89fdadaf8 100644
--- a/test/integration/api_test/users_test.rb
+++ b/test/integration/api_test/users_test.rb
@@ -24,45 +24,6 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
     Setting.rest_api_enabled = '1'
   end
 
-  should_allow_api_authentication(:get, "/users.xml")
-  should_allow_api_authentication(:get, "/users.json")
-  should_allow_api_authentication(:post,
-    '/users.xml',
-     {:user => {
-        :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
-        :mail => 'foo@example.net', :password => 'secret123'
-      }},
-    {:success_code => :created})
-  should_allow_api_authentication(:post,
-    '/users.json',
-    {:user => {
-       :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
-       :mail => 'foo@example.net'
-    }},
-    {:success_code => :created})
-  should_allow_api_authentication(:put,
-    '/users/2.xml',
-    {:user => {
-        :login => 'jsmith', :firstname => 'John', :lastname => 'Renamed',
-        :mail => 'jsmith@somenet.foo'
-    }},
-    {:success_code => :ok})
-  should_allow_api_authentication(:put,
-    '/users/2.json',
-    {:user => {
-        :login => 'jsmith', :firstname => 'John', :lastname => 'Renamed',
-        :mail => 'jsmith@somenet.foo'
-    }},
-    {:success_code => :ok})
-  should_allow_api_authentication(:delete,
-    '/users/2.xml',
-    {},
-    {:success_code => :ok})
-  should_allow_api_authentication(:delete,
-    '/users/2.xml',
-    {},
-    {:success_code => :ok})
-
   test "GET /users/:id.xml should return the user" do
     get '/users/2.xml'
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2014-11-30 14:11:56 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2014-11-30 14:11:56 +0000
commit	372b24627b70d43402d7e54dfb370bcdfe0ec8ba (patch)
tree	bf78235ebadb1f42ec930698d254b0359123970f /test/integration
parent	e7518a9e0c191af82c1ff26082e5ece0dc4cf61b (diff)
download	redmine-372b24627b70d43402d7e54dfb370bcdfe0ec8ba.tar.gz redmine-372b24627b70d43402d7e54dfb370bcdfe0ec8ba.zip