api_auth_spec.rb 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'Api Auth', type: :request do
  4. around do |example|
  5. orig = ActionController::Base.allow_forgery_protection
  6. begin
  7. ActionController::Base.allow_forgery_protection = true
  8. example.run
  9. ensure
  10. ActionController::Base.allow_forgery_protection = orig
  11. end
  12. end
  13. let(:admin) { create(:admin) }
  14. let(:agent) { create(:agent) }
  15. let(:customer) { create(:customer) }
  16. let(:two_factor_method_enabled) { true }
  17. before do
  18. stub_const('Auth::BRUTE_FORCE_SLEEP', 0)
  19. Setting.set('two_factor_authentication_method_authenticator_app', two_factor_method_enabled)
  20. end
  21. describe 'request handling' do
  22. it 'does basic auth - admin' do
  23. Setting.set('api_password_access', false)
  24. authenticated_as(admin)
  25. get '/api/v1/sessions', params: {}, as: :json
  26. expect(response).to have_http_status(:forbidden)
  27. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  28. expect(json_response).to be_a(Hash)
  29. expect(json_response['error']).to eq('API password access disabled!')
  30. Setting.set('api_password_access', true)
  31. get '/api/v1/sessions', params: {}, as: :json
  32. expect(response).to have_http_status(:ok)
  33. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  34. expect(response.header['Cache-Control']).to eq('max-age=0, private, must-revalidate')
  35. expect(json_response).to be_a(Hash)
  36. expect(json_response).to be_truthy
  37. end
  38. it 'does basic auth - agent' do
  39. Setting.set('api_password_access', false)
  40. authenticated_as(agent)
  41. get '/api/v1/tickets', params: {}, as: :json
  42. expect(response).to have_http_status(:forbidden)
  43. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  44. expect(json_response).to be_a(Hash)
  45. expect(json_response['error']).to eq('API password access disabled!')
  46. Setting.set('api_password_access', true)
  47. get '/api/v1/tickets', params: {}, as: :json
  48. expect(response).to have_http_status(:ok)
  49. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  50. expect(response.header['Cache-Control']).to eq('max-age=0, private, must-revalidate')
  51. expect(json_response).to be_a(Array)
  52. expect(json_response).to be_truthy
  53. end
  54. it 'does basic auth - customer' do
  55. Setting.set('api_password_access', false)
  56. authenticated_as(customer)
  57. get '/api/v1/tickets', params: {}, as: :json
  58. expect(response).to have_http_status(:forbidden)
  59. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  60. expect(json_response).to be_a(Hash)
  61. expect(json_response['error']).to eq('API password access disabled!')
  62. Setting.set('api_password_access', true)
  63. get '/api/v1/tickets', params: {}, as: :json
  64. expect(response).to have_http_status(:ok)
  65. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  66. expect(response.header['Cache-Control']).to eq('max-age=0, private, must-revalidate')
  67. expect(json_response).to be_a(Array)
  68. expect(json_response).to be_truthy
  69. end
  70. context 'when using BasicAuth with TwoFactor' do
  71. let!(:two_factor_pref) { create(:user_two_factor_preference, :authenticator_app, user: admin) }
  72. it 'rejects the log-in' do
  73. two_factor_pref
  74. authenticated_as(admin)
  75. Setting.set('api_password_access', true)
  76. get '/api/v1/sessions', params: {}, as: :json
  77. expect(response).to have_http_status(:unauthorized)
  78. end
  79. end
  80. it 'does token auth - admin', last_admin_check: false do
  81. admin_token = create(
  82. :token,
  83. action: 'api',
  84. persistent: true,
  85. user_id: admin.id,
  86. preferences: {
  87. permission: ['admin.session'],
  88. },
  89. )
  90. authenticated_as(admin, token: admin_token)
  91. Setting.set('api_token_access', false)
  92. get '/api/v1/sessions', params: {}, as: :json
  93. expect(response).to have_http_status(:forbidden)
  94. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  95. expect(json_response).to be_a(Hash)
  96. expect(json_response['error']).to eq('API token access disabled!')
  97. Setting.set('api_token_access', true)
  98. get '/api/v1/sessions', params: {}, as: :json
  99. expect(response).to have_http_status(:ok)
  100. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  101. expect(response.header['Cache-Control']).to eq('max-age=0, private, must-revalidate')
  102. expect(json_response).to be_a(Hash)
  103. expect(json_response).to be_truthy
  104. admin_token.preferences[:permission] = ['admin.session_not_existing']
  105. admin_token.save!
  106. get '/api/v1/sessions', params: {}, as: :json
  107. expect(response).to have_http_status(:forbidden)
  108. expect(json_response).to be_a(Hash)
  109. expect(json_response['error']).to eq('Token authorization failed.')
  110. admin_token.preferences[:permission] = []
  111. admin_token.save!
  112. get '/api/v1/sessions', params: {}, as: :json
  113. expect(response).to have_http_status(:forbidden)
  114. expect(json_response).to be_a(Hash)
  115. expect(json_response['error']).to eq('Token authorization failed.')
  116. admin.active = false
  117. admin.save!
  118. get '/api/v1/sessions', params: {}, as: :json
  119. expect(response).to have_http_status(:unauthorized)
  120. expect(json_response).to be_a(Hash)
  121. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  122. admin_token.preferences[:permission] = ['admin.session']
  123. admin_token.save!
  124. get '/api/v1/sessions', params: {}, as: :json
  125. expect(response).to have_http_status(:unauthorized)
  126. expect(json_response).to be_a(Hash)
  127. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  128. admin.active = true
  129. admin.save!
  130. get '/api/v1/sessions', params: {}, as: :json
  131. expect(response).to have_http_status(:ok)
  132. expect(json_response).to be_a(Hash)
  133. expect(json_response).to be_truthy
  134. get '/api/v1/roles', params: {}, as: :json
  135. expect(response).to have_http_status(:forbidden)
  136. expect(json_response).to be_a(Hash)
  137. expect(json_response['error']).to eq('Token authorization failed.')
  138. admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
  139. admin_token.save!
  140. get '/api/v1/roles', params: {}, as: :json
  141. expect(response).to have_http_status(:ok)
  142. expect(json_response).to be_a(Array)
  143. expect(json_response).to be_truthy
  144. admin_token.preferences[:permission] = ['ticket.agent']
  145. admin_token.save!
  146. get '/api/v1/organizations', params: {}, as: :json
  147. expect(response).to have_http_status(:ok)
  148. expect(json_response).to be_a(Array)
  149. expect(json_response).to be_truthy
  150. name = "some org name #{SecureRandom.uuid}"
  151. post '/api/v1/organizations', params: { name: name }, as: :json
  152. expect(response).to have_http_status(:created)
  153. expect(json_response).to be_a(Hash)
  154. expect(json_response['name']).to eq(name)
  155. expect(json_response).to be_truthy
  156. name = "some org name #{SecureRandom.uuid} - 2"
  157. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  158. expect(response).to have_http_status(:ok)
  159. expect(json_response).to be_a(Hash)
  160. expect(json_response['name']).to eq(name)
  161. expect(json_response).to be_truthy
  162. admin_token.preferences[:permission] = ['admin.organization']
  163. admin_token.save!
  164. get '/api/v1/organizations', params: {}, as: :json
  165. expect(response).to have_http_status(:ok)
  166. expect(json_response).to be_a(Array)
  167. expect(json_response).to be_truthy
  168. name = "some org name #{SecureRandom.uuid}"
  169. post '/api/v1/organizations', params: { name: name }, as: :json
  170. expect(response).to have_http_status(:created)
  171. expect(json_response).to be_a(Hash)
  172. expect(json_response['name']).to eq(name)
  173. expect(json_response).to be_truthy
  174. name = "some org name #{SecureRandom.uuid} - 2"
  175. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  176. expect(response).to have_http_status(:ok)
  177. expect(json_response).to be_a(Hash)
  178. expect(json_response['name']).to eq(name)
  179. expect(json_response).to be_truthy
  180. admin_token.preferences[:permission] = ['admin']
  181. admin_token.save!
  182. get '/api/v1/organizations', params: {}, as: :json
  183. expect(response).to have_http_status(:ok)
  184. expect(json_response).to be_a(Array)
  185. expect(json_response).to be_truthy
  186. name = "some org name #{SecureRandom.uuid}"
  187. post '/api/v1/organizations', params: { name: name }, as: :json
  188. expect(response).to have_http_status(:created)
  189. expect(json_response).to be_a(Hash)
  190. expect(json_response['name']).to eq(name)
  191. expect(json_response).to be_truthy
  192. name = "some org name #{SecureRandom.uuid} - 2"
  193. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  194. expect(response).to have_http_status(:ok)
  195. expect(json_response).to be_a(Hash)
  196. expect(json_response['name']).to eq(name)
  197. expect(json_response).to be_truthy
  198. end
  199. it 'does token auth - agent' do
  200. agent_token = create(
  201. :token,
  202. action: 'api',
  203. persistent: true,
  204. user_id: agent.id,
  205. )
  206. authenticated_as(agent, token: agent_token)
  207. Setting.set('api_token_access', false)
  208. get '/api/v1/tickets', params: {}, as: :json
  209. expect(response).to have_http_status(:forbidden)
  210. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  211. expect(json_response).to be_a(Hash)
  212. expect(json_response['error']).to eq('API token access disabled!')
  213. Setting.set('api_token_access', true)
  214. get '/api/v1/tickets', params: {}, as: :json
  215. expect(response).to have_http_status(:ok)
  216. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  217. expect(response.header['Cache-Control']).to eq('max-age=0, private, must-revalidate')
  218. expect(json_response).to be_a(Array)
  219. expect(json_response).to be_truthy
  220. get '/api/v1/organizations', params: {}, as: :json
  221. expect(response).to have_http_status(:ok)
  222. expect(json_response).to be_a(Array)
  223. expect(json_response).to be_truthy
  224. name = "some org name #{SecureRandom.uuid}"
  225. post '/api/v1/organizations', params: { name: name }, as: :json
  226. expect(response).to have_http_status(:forbidden)
  227. end
  228. it 'does token auth - customer' do
  229. customer_token = create(
  230. :token,
  231. action: 'api',
  232. persistent: true,
  233. user_id: customer.id,
  234. )
  235. authenticated_as(customer, token: customer_token)
  236. Setting.set('api_token_access', false)
  237. get '/api/v1/tickets', params: {}, as: :json
  238. expect(response).to have_http_status(:forbidden)
  239. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  240. expect(json_response).to be_a(Hash)
  241. expect(json_response['error']).to eq('API token access disabled!')
  242. Setting.set('api_token_access', true)
  243. get '/api/v1/tickets', params: {}, as: :json
  244. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  245. expect(response.header['Cache-Control']).to eq('max-age=0, private, must-revalidate')
  246. expect(response).to have_http_status(:ok)
  247. expect(json_response).to be_a(Array)
  248. expect(json_response).to be_truthy
  249. get '/api/v1/organizations', params: {}, as: :json
  250. expect(response).to have_http_status(:ok)
  251. expect(json_response).to be_a(Array)
  252. expect(json_response).to be_truthy
  253. name = "some org name #{SecureRandom.uuid}"
  254. post '/api/v1/organizations', params: { name: name }, as: :json
  255. expect(response).to have_http_status(:forbidden)
  256. end
  257. it 'does token auth - invalid user - admin', last_admin_check: false do
  258. admin_token = create(
  259. :token,
  260. action: 'api',
  261. persistent: true,
  262. user_id: admin.id,
  263. )
  264. authenticated_as(admin, token: admin_token)
  265. admin.active = false
  266. admin.save!
  267. Setting.set('api_token_access', false)
  268. get '/api/v1/sessions', params: {}, as: :json
  269. expect(response).to have_http_status(:forbidden)
  270. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  271. expect(json_response).to be_a(Hash)
  272. expect(json_response['error']).to eq('API token access disabled!')
  273. Setting.set('api_token_access', true)
  274. get '/api/v1/sessions', params: {}, as: :json
  275. expect(response).to have_http_status(:unauthorized)
  276. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  277. expect(json_response).to be_a(Hash)
  278. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  279. end
  280. it 'does token auth - expired' do
  281. Setting.set('api_token_access', true)
  282. admin_token = create(
  283. :token,
  284. action: 'api',
  285. persistent: true,
  286. user_id: admin.id,
  287. expires_at: Time.zone.today
  288. )
  289. authenticated_as(admin, token: admin_token)
  290. get '/api/v1/tickets', params: {}, as: :json
  291. expect(response).to have_http_status(:unauthorized)
  292. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  293. expect(json_response).to be_a(Hash)
  294. expect(json_response['error']).to eq('Not authorized (token expired)!')
  295. admin_token.reload
  296. expect(admin_token.last_used_at).to be_within(1.second).of(Time.zone.now)
  297. end
  298. it 'does token auth - not expired' do
  299. Setting.set('api_token_access', true)
  300. admin_token = create(
  301. :token,
  302. action: 'api',
  303. persistent: true,
  304. user_id: admin.id,
  305. expires_at: Time.zone.tomorrow
  306. )
  307. authenticated_as(admin, token: admin_token)
  308. get '/api/v1/tickets', params: {}, as: :json
  309. expect(response).to have_http_status(:ok)
  310. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  311. expect(response.header['Cache-Control']).to eq('max-age=0, private, must-revalidate')
  312. expect(json_response).to be_a(Array)
  313. expect(json_response).to be_truthy
  314. admin_token.reload
  315. expect(admin_token.last_used_at).to be_within(1.second).of(Time.zone.now)
  316. end
  317. it 'does session auth - admin' do
  318. admin = create(:admin)
  319. post '/api/v1/signshow', params: {}, as: :json
  320. token = response.headers['CSRF-TOKEN']
  321. post '/api/v1/signin', params: { username: admin.login, password: admin.password, fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
  322. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  323. expect(response).to have_http_status(:created)
  324. get '/api/v1/sessions', params: {}
  325. expect(response).to have_http_status(:ok)
  326. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  327. expect(json_response).to be_a(Hash)
  328. expect(json_response).to be_truthy
  329. end
  330. context 'when using session auth with TwoFactor' do
  331. let(:admin) { create(:admin) }
  332. let(:two_factor_method) { nil }
  333. let(:two_factor_payload) { nil }
  334. let(:code) { two_factor_pref.configuration[:code] }
  335. let!(:two_factor_pref) { create(:user_two_factor_preference, :authenticator_app, user: admin) }
  336. before do
  337. post '/api/v1/signshow', params: {}, as: :json
  338. token = response.headers['CSRF-TOKEN']
  339. post '/api/v1/signin', params: { username: admin.login, password: admin.password, two_factor_method: two_factor_method, two_factor_payload: two_factor_payload, fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
  340. end
  341. context 'without two factor token' do
  342. it 'rejects the log-in' do
  343. expect(response).to have_http_status(:unprocessable_entity)
  344. end
  345. end
  346. context 'with wrong two factor token' do
  347. let(:two_factor_payload) { 'wrong' }
  348. let(:two_factor_method) { 'authenticator_app' }
  349. it 'rejects the log-in' do
  350. expect(response).to have_http_status(:unauthorized)
  351. end
  352. end
  353. context 'with correct two factor token' do
  354. let(:two_factor_payload) { code }
  355. let(:two_factor_method) { 'authenticator_app' }
  356. it 'accepts the log-in' do
  357. expect(response).to have_http_status(:created)
  358. end
  359. context 'with disabled authenticator method' do
  360. let(:two_factor_method_enabled) { false }
  361. it 'accepts the log-in' do
  362. expect(response).to have_http_status(:created)
  363. end
  364. end
  365. end
  366. end
  367. it 'does session auth - admin - only with valid CSRF token' do
  368. create(:admin, login: 'api-admin@example.com', password: 'adminpw')
  369. post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
  370. expect(response).to have_http_status(:unauthorized)
  371. end
  372. end
  373. end