Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: 1cca1870bf
Branches Tags
zammad
/
spec
/
requests
/
session_spec.rb

session_spec.rb 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 
  1. require 'rails_helper'
    2. 

  2. 

  3. RSpec.describe 'Sessions endpoints', type: :request do
    4. 

  4. 

  5.   describe 'GET /signshow' do
    6. 

  6. 

  7.     context 'user logged in' do
    8. 

  8. 

  9.       subject(:user) { create(:agent_user, password: password) }
    10. 

  10. 

  11.       let(:password) { SecureRandom.urlsafe_base64(20) }
    12. 

  12.       let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
    13. 

  13. 

  14.       before do
    15. 

  15.         params = {
    16. 

  16.           fingerprint: fingerprint,
    17. 

  17.           username:    user.login,
    18. 

  18.           password:    password
    19. 

  19.         }
    20. 

  20.         post '/api/v1/signin', params: params, as: :json
    21. 

  21.       end
    22. 

  22. 

  23.       it 'leaks no sensitive data' do
    24. 

  24.         params = { fingerprint: fingerprint }
    25. 

  25.         get '/api/v1/signshow', params: params, as: :json
    26. 

  26. 

  27.         expect(json_response['session']).not_to include('password')
    28. 

  28.       end
    29. 

  29.     end
    30. 

  30.   end
    31. 

  31. 

  32.   describe 'GET /auth/sso (single sign-on)' do
    33. 

  33.     context 'with invalid user login' do
    34. 

  34.       let(:login) { User.pluck(:login).max.next }
    35. 

  35. 

  36.       context 'in "REMOTE_USER" request env var' do
    37. 

  37.         let(:env) { { 'REMOTE_USER' => login } }
    38. 

  38. 

  39.         it 'returns unauthorized response' do
    40. 

  40.           get '/auth/sso', as: :json, env: env
    41. 

  41. 

  42.           expect(response).to have_http_status(:unauthorized)
    43. 

  43.         end
    44. 

  44.       end
    45. 

  45. 

  46.       context 'in "HTTP_REMOTE_USER" request env var' do
    47. 

  47.         let(:env) { { 'HTTP_REMOTE_USER' => login } }
    48. 

  48. 

  49.         it 'returns unauthorized response' do
    50. 

  50.           get '/auth/sso', as: :json, env: env
    51. 

  51. 

  52.           expect(response).to have_http_status(:unauthorized)
    53. 

  53.         end
    54. 

  54.       end
    55. 

  55. 

  56.       context 'in "X-Forwarded-User" request header' do
    57. 

  57.         let(:headers) { { 'X-Forwarded-User' => login } }
    58. 

  58. 

  59.         it 'returns unauthorized response' do
    60. 

  60.           get '/auth/sso', as: :json, headers: headers
    61. 

  61. 

  62.           expect(response).to have_http_status(:unauthorized)
    63. 

  63.         end
    64. 

  64.       end
    65. 

  65.     end
    66. 

  66. 

  67.     context 'with valid user login' do
    68. 

  68.       let(:user) { User.last }
    69. 

  69.       let(:login) { user.login }
    70. 

  70. 

  71.       context 'in Maintenance Mode' do
    72. 

  72.         before { Setting.set('maintenance_mode', true) }
    73. 

  73. 

  74.         context 'in "REMOTE_USER" request env var' do
    75. 

  75.           let(:env) { { 'REMOTE_USER' => login } }
    76. 

  76. 

  77.           it 'returns 401 unauthorized' do
    78. 

  78.             get '/auth/sso', as: :json, env: env
    79. 

  79. 

  80.             expect(response).to have_http_status(:unauthorized)
    81. 

  81.             expect(json_response).to include('error' => 'Maintenance mode enabled!')
    82. 

  82.           end
    83. 

  83.         end
    84. 

  84. 

  85.         context 'in "HTTP_REMOTE_USER" request env var' do
    86. 

  86.           let(:env) { { 'HTTP_REMOTE_USER' => login } }
    87. 

  87. 

  88.           it 'returns 401 unauthorized' do
    89. 

  89.             get '/auth/sso', as: :json, env: env
    90. 

  90. 

  91.             expect(response).to have_http_status(:unauthorized)
    92. 

  92.             expect(json_response).to include('error' => 'Maintenance mode enabled!')
    93. 

  93.           end
    94. 

  94.         end
    95. 

  95. 

  96.         context 'in "X-Forwarded-User" request header' do
    97. 

  97.           let(:headers) { { 'X-Forwarded-User' => login } }
    98. 

  98. 

  99.           it 'returns 401 unauthorized' do
    100. 

  100.             get '/auth/sso', as: :json, headers: headers
    101. 

  101. 

  102.             expect(response).to have_http_status(:unauthorized)
    103. 

  103.             expect(json_response).to include('error' => 'Maintenance mode enabled!')
    104. 

  104.           end
    105. 

  105.         end
    106. 

  106.       end
    107. 

  107. 

  108.       context 'in "REMOTE_USER" request env var' do
    109. 

  109.         let(:env) { { 'REMOTE_USER' => login } }
    110. 

  110. 

  111.         it 'returns a new user-session response' do
    112. 

  112.           get '/auth/sso', as: :json, env: env
    113. 

  113. 

  114.           expect(response).to redirect_to('/#')
    115. 

  115.         end
    116. 

  116. 

  117.         it 'sets the :user_id session parameter' do
    118. 

  118.           expect { get '/auth/sso', as: :json, env: env }
    119. 

  119.             .to change { request&.session&.fetch(:user_id) }.to(user.id)
    120. 

  120.         end
    121. 

  121.       end
    122. 

  122. 

  123.       context 'in "HTTP_REMOTE_USER" request env var' do
    124. 

  124.         let(:env) { { 'HTTP_REMOTE_USER' => login } }
    125. 

  125. 

  126.         it 'returns a new user-session response' do
    127. 

  127.           get '/auth/sso', as: :json, env: env
    128. 

  128. 

  129.           expect(response).to redirect_to('/#')
    130. 

  130.         end
    131. 

  131. 

  132.         it 'sets the :user_id session parameter' do
    133. 

  133.           expect { get '/auth/sso', as: :json, env: env }
    134. 

  134.             .to change { request&.session&.fetch(:user_id) }.to(user.id)
    135. 

  135.         end
    136. 

  136.       end
    137. 

  137. 

  138.       context 'in "X-Forwarded-User" request header' do
    139. 

  139.         let(:headers) { { 'X-Forwarded-User' => login } }
    140. 

  140. 

  141.         it 'returns a new user-session response' do
    142. 

  142.           get '/auth/sso', as: :json, headers: headers
    143. 

  143. 

  144.           expect(response).to redirect_to('/#')
    145. 

  145.         end
    146. 

  146. 

  147.         it 'sets the :user_id session parameter on the client' do
    148. 

  148.           expect { get '/auth/sso', as: :json, headers: headers }
    149. 

  149.             .to change { request&.session&.fetch(:user_id) }.to(user.id)
    150. 

  150.         end
    151. 

  151.       end
    152. 

  152.     end
    153. 

  153.   end
    154. 

  154. end
    155.