
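# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Request specs for the `From` / `X-On-Behalf-Of` impersonation header.
# A caller holding the `admin.user` permission may act on behalf of another
# user, addressed by ID, login or email. The examples pin the positive path
# (the ticket and its activity stream entry are attributed to the impersonated
# user, `/users/me` resolves to them) and the refusal paths (unknown user,
# caller without the permission), including that refusals carry no CORS header.
RSpec.describe 'Api Auth From', type: :request do
  let(:admin) do
    create(:admin, groups: Group.all)
  end
  let(:agent) do
    create(:agent)
  end
  let(:customer) do
    create(:customer, firstname: 'From')
  end

  # Ticket payload shared by the create examples. Lazily evaluated, so it
  # follows a context-level override of `customer`; examples that need a
  # different group merge it in.
  let(:ticket_params) do
    {
      title:       'a new ticket #3',
      group:       'Users',
      priority:    '2 normal',
      state:       'new',
      customer_id: customer.id,
      article:     {
        body: 'some test 123',
      },
    }
  end

  # Loads the activity stream records behind `stream_ids` and returns the last
  # one that belongs to the Ticket with `ticket_id`, or nil when none matches.
  def ticket_activity_stream(stream_ids, ticket_id)
    stream_ids
      .map { |stream_id| ActivityStream.find(stream_id) }
      .select { |stream| stream.object.name == 'Ticket' && stream.o_id == ticket_id }
      .last
  end

  # Asserts that the last request created a ticket attributed to `user`
  # (i.e. the impersonated user, not the authenticating caller).
  def expect_ticket_created_by(user)
    expect(response).to have_http_status(:created)
    expect(json_response).to be_a(Hash)
    expect(json_response['created_by_id']).to eq(user.id)
  end

  # Asserts that the last request was refused with `status` and `error`, and
  # that the refusal did not pick up an Access-Control-Allow-Origin header.
  def expect_rejected_with(status, error)
    expect(response).to have_http_status(status)
    expect(response.header).not_to be_key('Access-Control-Allow-Origin')
    expect(json_response).to be_a(Hash)
    expect(json_response['error']).to eq(error)
  end

  describe 'request handling' do
    it 'does From auth - ticket create admin for customer by id' do
      authenticated_as(admin, from: customer.id)
      post '/api/v1/tickets', params: ticket_params, as: :json
      expect_ticket_created_by(customer)
    end

    it 'does From auth - ticket create admin for customer by login (upcase)' do
      # Login lookup is expected to be case-insensitive.
      authenticated_as(admin, from: customer.login.upcase)
      post '/api/v1/tickets', params: ticket_params, as: :json
      expect_ticket_created_by(customer)
    end

    it 'does From auth - ticket create admin for customer by login' do
      # Presumably prunes entries older than a year so the stream below is
      # dominated by what this example produces — confirm against ActivityStream.
      ActivityStream.cleanup(1.year)
      authenticated_as(admin, from: customer.login)
      post '/api/v1/tickets', params: ticket_params, as: :json
      expect_ticket_created_by(customer)
      ticket_id = json_response['id']

      # The activity stream entry must be attributed to the impersonated
      # customer too, via both response shapes of the endpoint.
      authenticated_as(admin)
      get '/api/v1/activity_stream?full=true', params: {}, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a(Hash)
      ticket_created = ticket_activity_stream(json_response['record_ids'], ticket_id)
      expect(ticket_created).to be_truthy
      expect(ticket_created.created_by_id).to eq(customer.id)

      get '/api/v1/activity_stream', params: {}, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a(Array)
      ticket_created = ticket_activity_stream(json_response.map { |record| record['id'] }, ticket_id)
      expect(ticket_created).to be_truthy
      expect(ticket_created.created_by_id).to eq(customer.id)
    end

    it 'does From auth - ticket create admin for customer by email' do
      authenticated_as(admin, from: customer.email)
      post '/api/v1/tickets', params: ticket_params, as: :json
      expect_ticket_created_by(customer)
    end

    it 'does From auth - ticket create admin for unknown' do
      # NOTE(review): the error echoes the supplied identifier back, so a
      # caller that passes the permission gate can confirm that a user does
      # not exist; the gate appears to come first (see the customer-for-admin
      # example), which keeps this to admin.user holders.
      authenticated_as(admin, from: 99_449_494_949)
      post '/api/v1/tickets', params: ticket_params, as: :json
      expect_rejected_with(:forbidden, "No such user '99449494949'")
    end

    it 'does From auth - ticket create customer for admin' do
      # A customer must not be able to escalate by impersonating an admin.
      authenticated_as(customer, from: admin.email)
      post '/api/v1/tickets', params: ticket_params, as: :json
      expect_rejected_with(:forbidden, "Current user has no permission to use 'From'/'X-On-Behalf-Of'!")
    end

    it 'does From auth - ticket create admin for customer by email but no permitted action' do
      authenticated_as(admin, from: customer.email)
      post '/api/v1/tickets', params: ticket_params.merge(group: 'secret1234'), as: :json
      expect_rejected_with(:unprocessable_entity, 'No lookup value found for \'group\': "secret1234"')
    end

    context 'when Token Admin has no ticket.* permission' do
      let(:admin) { create(:user, firstname: 'Requester', roles: [admin_user_role]) }
      let(:token) { create(:token, user: admin, permissions: %w[admin.user]) }
      let(:admin_user_role) do
        create(:role).tap { |role| role.permission_grant('admin.user') }
      end

      # The token carries only admin.user; the ticket is still created because
      # the request runs with the impersonated customer's permissions.
      it 'creates Ticket because of behalf of user permission' do
        authenticated_as(admin, from: customer.email, token: token)
        post '/api/v1/tickets', params: ticket_params, as: :json
        expect_ticket_created_by(customer)
      end
    end

    context 'when customer account has device user permission' do
      let(:customer_user_devices_role) do
        create(:role).tap { |role| role.permission_grant('user_preferences.device') }
      end
      let(:customer) do
        create(:customer, firstname: 'Behalf of', role_ids: Role.signup_role_ids.push(customer_user_devices_role.id))
      end

      # Acting on behalf of a user must not register a UserDevice for that
      # user, even though they hold the device permission.
      it 'creates Ticket because of behalf of customer user, which should not trigger a new user device', performs_jobs: true do
        authenticated_as(admin, from: customer.email)
        post '/api/v1/tickets', params: ticket_params, as: :json
        expect_ticket_created_by(customer)
        expect { perform_enqueued_jobs }.not_to change(UserDevice, :count)
      end
    end
  end

  describe 'user lookup' do
    # `/users/me` has to resolve to the impersonated customer for every
    # identifier form the header accepts.
    def expect_me_to_be(user)
      get '/api/v1/users/me', as: :json
      expect(json_response.fetch('id')).to eq(user.id)
    end

    it 'does From auth - user lookup by ID' do
      authenticated_as(admin, from: customer.id)
      expect_me_to_be(customer)
    end

    it 'does From auth - user lookup by login' do
      authenticated_as(admin, from: customer.login)
      expect_me_to_be(customer)
    end

    it 'does From auth - user lookup by email' do
      authenticated_as(admin, from: customer.email)
      expect_me_to_be(customer)
    end

    # https://github.com/zammad/zammad/issues/2851
    # A leading digit must not make the email be treated as a numeric user ID.
    it 'does From auth - user lookup by email even if email starts with a digit' do
      customer.update! email: "#{agent.id}#{customer.email}"
      authenticated_as(admin, from: customer.email)
      expect_me_to_be(customer)
    end
  end
end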