1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
# Redmine - project management software
# Copyright (C) 2006-2014 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
require File.expand_path('../../../test_helper', __FILE__)
class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
fixtures :users
def test_api_should_deny_without_credentials
get '/users/current.xml', {}
assert_response 401
assert_equal User.anonymous, User.current
assert response.headers.has_key?('WWW-Authenticate')
end
def test_api_should_accept_http_basic_auth_using_username_and_password
user = User.generate! do |user|
user.password = 'my_password'
end
get '/users/current.xml', {}, credentials(user.login, 'my_password')
assert_response 200
assert_equal user, User.current
end
def test_api_should_deny_http_basic_auth_using_username_and_wrong_password
user = User.generate! do |user|
user.password = 'my_password'
end
get '/users/current.xml', {}, credentials(user.login, 'wrong_password')
assert_response 401
assert_equal User.anonymous, User.current
end
def test_api_should_accept_http_basic_auth_using_api_key
user = User.generate!
token = Token.create!(:user => user, :action => 'api')
get '/users/current.xml', {}, credentials(token.value, 'X')
assert_response 200
assert_equal user, User.current
end
def test_api_should_deny_http_basic_auth_using_wrong_api_key
user = User.generate!
token = Token.create!(:user => user, :action => 'feeds') # not the API key
get '/users/current.xml', {}, credentials(token.value, 'X')
assert_response 401
assert_equal User.anonymous, User.current
end
def test_api_should_accept_auth_using_api_key_as_parameter
user = User.generate!
token = Token.create!(:user => user, :action => 'api')
get "/users/current.xml?key=#{token.value}", {}
assert_response 200
assert_equal user, User.current
end
def test_api_should_deny_auth_using_wrong_api_key_as_parameter
user = User.generate!
token = Token.create!(:user => user, :action => 'feeds') # not the API key
get "/users/current.xml?key=#{token.value}", {}
assert_response 401
assert_equal User.anonymous, User.current
end
def test_api_should_accept_auth_using_api_key_as_request_header
user = User.generate!
token = Token.create!(:user => user, :action => 'api')
get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}
assert_response 200
assert_equal user, User.current
end
def test_api_should_deny_auth_using_wrong_api_key_as_request_header
user = User.generate!
token = Token.create!(:user => user, :action => 'feeds') # not the API key
get "/users/current.xml", {}, {'X-Redmine-API-Key' => token.value.to_s}
assert_response 401
assert_equal User.anonymous, User.current
end
def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
get '/users/current.xml', {}, credentials('jsmith')
assert_response 401
end
def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
assert_response 401
end
def test_invalid_utf8_credentials_should_not_trigger_an_error
invalid_utf8 = "\x82".force_encoding('UTF-8')
assert !invalid_utf8.valid_encoding?
assert_nothing_raised do
get '/users/current.xml', {}, credentials(invalid_utf8, "foo")
end
end
def test_api_request_should_not_use_user_session
log_user('jsmith', 'jsmith')
get '/users/current'
assert_response :success
get '/users/current.json'
assert_response 401
end
def test_api_should_accept_switch_user_header_for_admin_user
user = User.find(1)
su = User.find(4)
get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}
assert_response :success
assert_equal su, assigns(:user)
assert_equal su, User.current
end
def test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user
get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => 'foobar'}
assert_response 412
end
def test_api_should_respond_with_412_when_trying_to_switch_to_a_locked_user
user = User.find(5)
assert user.locked?
get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => user.login}
assert_response 412
end
def test_api_should_not_accept_switch_user_header_for_non_admin_user
user = User.find(2)
su = User.find(4)
get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}
assert_response :success
assert_equal user, assigns(:user)
assert_equal user, User.current
end
end
|
