From 372b24627b70d43402d7e54dfb370bcdfe0ec8ba Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Sun, 30 Nov 2014 14:11:56 +0000 Subject: Test API authentification once. git-svn-id: http://svn.redmine.org/redmine/trunk@13675 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- test/integration/api_test/authentication_test.rb | 73 ++++++++++++++++++++++ test/integration/api_test/http_basic_login_test.rb | 43 ------------- .../http_basic_login_with_api_token_test.rb | 41 ------------ test/integration/api_test/issues_test.rb | 38 ----------- test/integration/api_test/news_test.rb | 3 - test/integration/api_test/projects_test.rb | 17 ----- .../api_test/token_authentication_test.rb | 42 ------------- test/integration/api_test/users_test.rb | 39 ------------ 8 files changed, 73 insertions(+), 223 deletions(-) delete mode 100644 test/integration/api_test/http_basic_login_test.rb delete mode 100644 test/integration/api_test/http_basic_login_with_api_token_test.rb delete mode 100644 test/integration/api_test/token_authentication_test.rb (limited to 'test/integration') diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb index b8c9e0746..8452717e3 100644 --- a/test/integration/api_test/authentication_test.rb +++ b/test/integration/api_test/authentication_test.rb @@ -28,6 +28,79 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base Setting.rest_api_enabled = '0' end + def test_api_should_deny_without_credentials + get '/users/current.xml', {} + assert_response 401 + assert_equal User.anonymous, User.current + assert response.headers.has_key?('WWW-Authenticate') + end + + def test_api_should_accept_http_basic_auth_using_username_and_password + user = User.generate! do |user| + user.password = 'my_password' + end + get '/users/current.xml', {}, credentials(user.login, 'my_password') + assert_response 200 + assert_equal user, User.current + end + + def test_api_should_deny_http_basic_auth_using_username_and_wrong_password + user = User.generate! do |user| + user.password = 'my_password' + end + get '/users/current.xml', {}, credentials(user.login, 'wrong_password') + assert_response 401 + assert_equal User.anonymous, User.current + end + + def test_api_should_accept_http_basic_auth_using_api_key + user = User.generate! + token = Token.create!(:user => user, :action => 'api') + get '/users/current.xml', {}, credentials(token.value, 'X') + assert_response 200 + assert_equal user, User.current + end + + def test_api_should_deny_http_basic_auth_using_wrong_api_key + user = User.generate! + token = Token.create!(:user => user, :action => 'feeds') # not the API key + get '/users/current.xml', {}, credentials(token.value, 'X') + assert_response 401 + assert_equal User.anonymous, User.current + end + + def test_api_should_accept_auth_using_api_key_as_parameter + user = User.generate! + token = Token.create!(:user => user, :action => 'api') + get "/users/current.xml?key=#{token.value}", {} + assert_response 200 + assert_equal user, User.current + end + + def test_api_should_deny_auth_using_wrong_api_key_as_parameter + user = User.generate! + token = Token.create!(:user => user, :action => 'feeds') # not the API key + get "/users/current.xml?key=#{token.value}", {} + assert_response 401 + assert_equal User.anonymous, User.current + end + + def test_api_should_accept_auth_using_api_key_as_request_header + user = User.generate! + token = Token.create!(:user => user, :action => 'api') + get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s} + assert_response 200 + assert_equal user, User.current + end + + def test_api_should_deny_auth_using_wrong_api_key_as_request_header + user = User.generate! + token = Token.create!(:user => user, :action => 'feeds') # not the API key + get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s} + assert_response 401 + assert_equal User.anonymous, User.current + end + def test_api_should_trigger_basic_http_auth_with_basic_authorization_header ApplicationController.any_instance.expects(:authenticate_with_http_basic).once get '/users/current.xml', {}, credentials('jsmith') diff --git a/test/integration/api_test/http_basic_login_test.rb b/test/integration/api_test/http_basic_login_test.rb deleted file mode 100644 index 2fbf61006..000000000 --- a/test/integration/api_test/http_basic_login_test.rb +++ /dev/null @@ -1,43 +0,0 @@ -# Redmine - project management software -# Copyright (C) 2006-2014 Jean-Philippe Lang -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -require File.expand_path('../../../test_helper', __FILE__) - -class Redmine::ApiTest::HttpBasicLoginTest < Redmine::ApiTest::Base - fixtures :projects, :trackers, :issue_statuses, :issues, - :enumerations, :users, :issue_categories, - :projects_trackers, - :roles, - :member_roles, - :members, - :enabled_modules - - def setup - Setting.rest_api_enabled = '1' - Setting.login_required = '1' - project = Project.find('onlinestore') - EnabledModule.create(:project => project, :name => 'news') - end - - def teardown - Setting.rest_api_enabled = '0' - Setting.login_required = '0' - end - - should_allow_http_basic_auth_with_username_and_password(:get, "/projects/onlinestore/news.xml") - should_allow_http_basic_auth_with_username_and_password(:get, "/projects/onlinestore/news.json") -end diff --git a/test/integration/api_test/http_basic_login_with_api_token_test.rb b/test/integration/api_test/http_basic_login_with_api_token_test.rb deleted file mode 100644 index 62133990b..000000000 --- a/test/integration/api_test/http_basic_login_with_api_token_test.rb +++ /dev/null @@ -1,41 +0,0 @@ -# Redmine - project management software -# Copyright (C) 2006-2014 Jean-Philippe Lang -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -require File.expand_path('../../../test_helper', __FILE__) - -class Redmine::ApiTest::HttpBasicLoginWithApiTokenTest < Redmine::ApiTest::Base - fixtures :projects, :trackers, :issue_statuses, :issues, - :enumerations, :users, :issue_categories, - :projects_trackers, - :roles, - :member_roles, - :members, - :enabled_modules - - def setup - Setting.rest_api_enabled = '1' - Setting.login_required = '1' - end - - def teardown - Setting.rest_api_enabled = '0' - Setting.login_required = '0' - end - - should_allow_http_basic_auth_with_key(:get, "/news.xml") - should_allow_http_basic_auth_with_key(:get, "/news.json") -end diff --git a/test/integration/api_test/issues_test.rb b/test/integration/api_test/issues_test.rb index b63ce88ef..68b9c6b77 100644 --- a/test/integration/api_test/issues_test.rb +++ b/test/integration/api_test/issues_test.rb @@ -48,44 +48,6 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base Setting.rest_api_enabled = '1' end - # Use a private project to make sure auth is really working and not just - # only showing public issues. - should_allow_api_authentication(:get, "/projects/private-child/issues.xml") - should_allow_api_authentication(:get, "/projects/private-child/issues.json") - - should_allow_api_authentication(:get, "/issues/6.xml") - should_allow_api_authentication(:get, "/issues/6.json") - - should_allow_api_authentication( - :post, - '/issues.xml', - {:issue => {:project_id => 1, :subject => 'API test', :tracker_id => 2, :status_id => 3}}, - {:success_code => :created} - ) - should_allow_api_authentication(:post, - '/issues.json', - {:issue => {:project_id => 1, :subject => 'API test', - :tracker_id => 2, :status_id => 3}}, - {:success_code => :created}) - - should_allow_api_authentication(:put, - '/issues/6.xml', - {:issue => {:subject => 'API update', :notes => 'A new note'}}, - {:success_code => :ok}) - should_allow_api_authentication(:put, - '/issues/6.json', - {:issue => {:subject => 'API update', :notes => 'A new note'}}, - {:success_code => :ok}) - - should_allow_api_authentication(:delete, - '/issues/6.xml', - {}, - {:success_code => :ok}) - should_allow_api_authentication(:delete, - '/issues/6.json', - {}, - {:success_code => :ok}) - test "GET /issues.xml should contain metadata" do get '/issues.xml' assert_select 'issues[type=array][total_count=?][limit="25"][offset="0"]', diff --git a/test/integration/api_test/news_test.rb b/test/integration/api_test/news_test.rb index 67984e70f..a450c4765 100644 --- a/test/integration/api_test/news_test.rb +++ b/test/integration/api_test/news_test.rb @@ -31,9 +31,6 @@ class Redmine::ApiTest::NewsTest < Redmine::ApiTest::Base Setting.rest_api_enabled = '1' end - should_allow_api_authentication(:get, "/projects/onlinestore/news.xml") - should_allow_api_authentication(:get, "/projects/onlinestore/news.json") - test "GET /news.xml should return news" do get '/news.xml' diff --git a/test/integration/api_test/projects_test.rb b/test/integration/api_test/projects_test.rb index 16c556dde..32d5eb919 100644 --- a/test/integration/api_test/projects_test.rb +++ b/test/integration/api_test/projects_test.rb @@ -27,23 +27,6 @@ class Redmine::ApiTest::ProjectsTest < Redmine::ApiTest::Base set_tmp_attachments_directory end - # TODO: A private project is needed because should_allow_api_authentication - # actually tests that authentication is *required*, not just allowed - should_allow_api_authentication(:get, "/projects/2.xml") - should_allow_api_authentication(:get, "/projects/2.json") - should_allow_api_authentication(:post, - '/projects.xml', - {:project => {:name => 'API test', :identifier => 'api-test'}}, - {:success_code => :created}) - should_allow_api_authentication(:put, - '/projects/2.xml', - {:project => {:name => 'API update'}}, - {:success_code => :ok}) - should_allow_api_authentication(:delete, - '/projects/2.xml', - {}, - {:success_code => :ok}) - test "GET /projects.xml should return projects" do get '/projects.xml' assert_response :success diff --git a/test/integration/api_test/token_authentication_test.rb b/test/integration/api_test/token_authentication_test.rb deleted file mode 100644 index 2728232e2..000000000 --- a/test/integration/api_test/token_authentication_test.rb +++ /dev/null @@ -1,42 +0,0 @@ -# Redmine - project management software -# Copyright (C) 2006-2014 Jean-Philippe Lang -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -require File.expand_path('../../../test_helper', __FILE__) - -class Redmine::ApiTest::TokenAuthenticationTest < Redmine::ApiTest::Base - fixtures :projects, :trackers, :issue_statuses, :issues, - :enumerations, :users, :issue_categories, - :projects_trackers, - :roles, - :member_roles, - :members, - :enabled_modules - - def setup - Setting.rest_api_enabled = '1' - Setting.login_required = '1' - end - - def teardown - Setting.rest_api_enabled = '0' - Setting.login_required = '0' - end - - # Using the NewsController because it's a simple API. - should_allow_key_based_auth(:get, "/news.xml") - should_allow_key_based_auth(:get, "/news.json") -end diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb index f44948c54..89fdadaf8 100644 --- a/test/integration/api_test/users_test.rb +++ b/test/integration/api_test/users_test.rb @@ -24,45 +24,6 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base Setting.rest_api_enabled = '1' end - should_allow_api_authentication(:get, "/users.xml") - should_allow_api_authentication(:get, "/users.json") - should_allow_api_authentication(:post, - '/users.xml', - {:user => { - :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname', - :mail => 'foo@example.net', :password => 'secret123' - }}, - {:success_code => :created}) - should_allow_api_authentication(:post, - '/users.json', - {:user => { - :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname', - :mail => 'foo@example.net' - }}, - {:success_code => :created}) - should_allow_api_authentication(:put, - '/users/2.xml', - {:user => { - :login => 'jsmith', :firstname => 'John', :lastname => 'Renamed', - :mail => 'jsmith@somenet.foo' - }}, - {:success_code => :ok}) - should_allow_api_authentication(:put, - '/users/2.json', - {:user => { - :login => 'jsmith', :firstname => 'John', :lastname => 'Renamed', - :mail => 'jsmith@somenet.foo' - }}, - {:success_code => :ok}) - should_allow_api_authentication(:delete, - '/users/2.xml', - {}, - {:success_code => :ok}) - should_allow_api_authentication(:delete, - '/users/2.xml', - {}, - {:success_code => :ok}) - test "GET /users/:id.xml should return the user" do get '/users/2.xml' -- cgit v1.2.3