
  1. require 'test_helper'
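  # Integration tests for the per-request device tracking: an authenticated
  # request may create a UserDevice row for the user (keyed by fingerprint or
  # user agent plus location) and send a 'user_device_new' or
  # 'user_device_new_location' notification mail to the account owner.
  #
  # Tests run in a fixed order without a wrapping transaction because
  # Scheduler.worker(true) processes the mail jobs outside the test
  # transaction; setup therefore resets the shared state (UserDevice rows,
  # ENV request overrides) before every test.
  class UserDeviceControllerTest < ActionDispatch::IntegrationTest
    self.test_order = :sorted
    self.use_transactional_tests = false

    setup do
      # set accept header
      @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json' }

      # create admin
      roles  = Role.where(name: %w[Admin Agent])
      groups = Group.all
      UserInfo.current_user_id = 1
      @admin = User.create_or_update(
        login:     'user-device-admin',
        firstname: 'UserDevice',
        lastname:  'Admin',
        email:     'user-device-admin@example.com',
        password:  'adminpw',
        active:    true,
        roles:     roles,
        groups:    groups,
      )

      # create agent
      roles = Role.where(name: 'Agent')
      @agent = User.create_or_update(
        login:     'user-device-agent',
        firstname: 'UserDevice',
        lastname:  'Agent',
        email:     'user-device-agent@example.com',
        password:  'agentpw',
        active:    true,
        roles:     roles,
        groups:    groups,
      )

      # request attributes the test environment lets us override via ENV;
      # reset them so no test inherits a previous test's values
      ENV['TEST_REMOTE_IP'] = '5.9.62.170' # de
      ENV['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0'
      ENV['SWITCHED_FROM_USER_ID'] = nil
      # set by tests 03 and 10 to age the device record; clear it in case a
      # failing test left it behind
      ENV['USER_DEVICE_UPDATED_AT'] = nil
      UserDevice.destroy_all
    end

    test '01 - index with nobody' do
      get '/api/v1/signshow'
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Hash, result)
      assert_equal('no valid session', result['error'])
      assert(result['config'])
      # no session, so nothing is tracked
      assert_not(controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
    end

    test '02 - login index with admin without fingerprint' do
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)

      params = { without_fingerprint: 'none', username: 'user-device-admin', password: 'adminpw' }
      post '/api/v1/signin', params: params.to_json, headers: @headers
      assert_response(422)
      result = JSON.parse(@response.body)
      assert_instance_of(Hash, result)
      assert_equal('Need fingerprint param!', result['error'])
      assert_not(result['config'])
      assert_not(controller.session[:user_device_fingerprint])
      Scheduler.worker(true)

      # a rejected sign-in must leave neither a device record nor a mail behind
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)
    end

    test '03 - login index with admin with fingerprint - I' do
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)

      # first sign-in of a user: device is recorded, but no mail for the very first device
      params = { fingerprint: 'my_finger_print', username: 'user-device-admin', password: 'adminpw' }
      post '/api/v1/signin', params: params.to_json, headers: @headers
      assert_response(201)
      result = JSON.parse(@response.body)
      assert_instance_of(Hash, result)
      assert_not(result['error'])
      assert(result['config'])
      assert_equal('my_finger_print', controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 1, new_device_mails: 0, new_location_mails: 0)
      user_device_first = UserDevice.last

      # a follow-up request shortly after must reuse the record untouched
      sleep 2
      params = {}
      get '/api/v1/users', params: params.to_json, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Array, result)
      assert_equal('my_finger_print', controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 1, new_device_mails: 0, new_location_mails: 0)
      user_device_last = UserDevice.last
      assert_equal(user_device_first.updated_at.to_s, user_device_last.updated_at.to_s)

      params = { fingerprint: 'my_finger_print' }
      get '/api/v1/signshow', params: params, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Hash, result)
      assert(result['session'])
      assert_equal('user-device-admin', result['session']['login'])
      assert(result['config'])
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 1, new_device_mails: 0, new_location_mails: 0)
      user_device_last = UserDevice.last
      assert_equal(user_device_first.updated_at.to_s, user_device_last.updated_at.to_s)

      # an aged device record gets its timestamp refreshed, still without mail
      ENV['USER_DEVICE_UPDATED_AT'] = (Time.zone.now - 4.hours).to_s
      params = {}
      get '/api/v1/users', params: params.to_json, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Array, result)
      assert_equal('my_finger_print', controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 1, new_device_mails: 0, new_location_mails: 0)
      user_device_last = UserDevice.last
      assert_not_equal(user_device_first.updated_at.to_s, user_device_last.updated_at.to_s)
      ENV['USER_DEVICE_UPDATED_AT'] = nil

      # same fingerprint from another country: new device row plus a location mail
      ENV['TEST_REMOTE_IP'] = '195.65.29.254' # ch
      params = {}
      get '/api/v1/users', params: params.to_json, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 2, new_device_mails: 0, new_location_mails: 1)

      # ip reset
      ENV['TEST_REMOTE_IP'] = '5.9.62.170' # de
    end

    test '04 - login index with admin with fingerprint - II' do
      # the user already has a device, so a sign-in from a new one triggers a mail
      UserDevice.create!(
        user_id:     @admin.id,
        name:        'test 1',
        location:    'some location',
        user_agent:  'some user agent',
        ip:          '127.0.0.1',
        fingerprint: 'fingerprintI',
      )

      params = { fingerprint: 'my_finger_print_II', username: 'user-device-admin', password: 'adminpw' }
      post '/api/v1/signin', params: params.to_json, headers: @headers
      assert_response(201)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 2, new_device_mails: 1, new_location_mails: 0)
      assert_instance_of(Hash, result)
      assert_not(result['error'])
      assert(result['config'])
      assert_equal('my_finger_print_II', controller.session[:user_device_fingerprint])

      # same request params as the sign-in on purpose; the session is what counts here
      get '/api/v1/users', params: params.to_json, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Array, result)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 2, new_device_mails: 1, new_location_mails: 0)

      params = { fingerprint: 'my_finger_print_II' }
      get '/api/v1/signshow', params: params, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Hash, result)
      assert(result['session'])
      assert_equal('user-device-admin', result['session']['login'])
      assert(result['config'])
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 2, new_device_mails: 1, new_location_mails: 0)

      ENV['TEST_REMOTE_IP'] = '195.65.29.254' # ch
      params = {}
      get '/api/v1/users', params: params.to_json, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 3, new_device_mails: 1, new_location_mails: 1)

      # ip reset
      ENV['TEST_REMOTE_IP'] = '5.9.62.170' # de
    end

    test '05 - login index with admin with fingerprint - II' do
      # a device that is already known must not be recorded or announced again
      UserDevice.add(
        ENV['HTTP_USER_AGENT'],
        ENV['TEST_REMOTE_IP'],
        @admin.id,
        'my_finger_print_II',
        'session', # session|basic_auth|token_auth|sso
      )
      assert_equal(1, UserDevice.where(user_id: @admin.id).count)

      params = { fingerprint: 'my_finger_print_II', username: 'user-device-admin', password: 'adminpw' }
      post '/api/v1/signin', params: params.to_json, headers: @headers
      assert_response(201)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 1, new_device_mails: 0, new_location_mails: 0)
      assert_instance_of(Hash, result)
      assert_not(result['error'])
      assert(result['config'])
      assert_equal('my_finger_print_II', controller.session[:user_device_fingerprint])
    end

    test '06 - login index with admin with basic auth' do
      # basic auth carries no fingerprint; the user agent identifies the device
      ENV['HTTP_USER_AGENT'] = 'curl 1.0.0'
      UserDevice.add(
        ENV['HTTP_USER_AGENT'],
        '127.0.0.1',
        @admin.id,
        '',
        'basic_auth', # session|basic_auth|token_auth|sso
      )
      assert_equal(1, UserDevice.where(user_id: @admin.id).count)

      # a different user agent counts as a new device
      ENV['HTTP_USER_AGENT'] = 'curl 1.2.3'
      params = {}
      get '/api/v1/users', params: params.to_json, headers: basic_auth_headers('user-device-admin', 'adminpw')
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 2, new_device_mails: 1, new_location_mails: 0)
      assert_instance_of(Array, result)
      user_device_first = UserDevice.last

      sleep 2
      params = {}
      get '/api/v1/users', params: params.to_json, headers: basic_auth_headers('user-device-admin', 'adminpw')
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 2, new_device_mails: 1, new_location_mails: 0)
      assert_instance_of(Array, result)
      user_device_last = UserDevice.last
      assert_equal(user_device_first.id, user_device_last.id)
      assert_equal(user_device_first.updated_at.to_s, user_device_last.updated_at.to_s)

      # an aged record is refreshed on the next request instead of duplicated
      user_device_last.updated_at = Time.zone.now - 4.hours
      user_device_last.save!
      params = {}
      get '/api/v1/users', params: params, headers: basic_auth_headers('user-device-admin', 'adminpw')
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 2, new_device_mails: 1, new_location_mails: 0)
      assert_instance_of(Array, result)
      user_device_last = UserDevice.last
      assert_equal(user_device_first.id, user_device_last.id)
      assert(user_device_last.updated_at > user_device_first.updated_at)
    end

    test '07 - login index with admin with basic auth' do
      # known basic auth device: no new row, no mail
      ENV['HTTP_USER_AGENT'] = 'curl 1.2.3'
      UserDevice.add(
        ENV['HTTP_USER_AGENT'],
        ENV['TEST_REMOTE_IP'],
        @admin.id,
        '',
        'basic_auth', # session|basic_auth|token_auth|sso
      )
      assert_equal(1, UserDevice.where(user_id: @admin.id).count)

      params = {}
      get '/api/v1/users', params: params.to_json, headers: basic_auth_headers('user-device-admin', 'adminpw')
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 1, new_device_mails: 0, new_location_mails: 0)
      assert_instance_of(Array, result)
    end

    test '08 - login index with agent with basic auth' do
      assert_device_state(@agent, devices: 0, new_device_mails: 0, new_location_mails: 0)

      # first device of the agent: recorded, not announced
      ENV['HTTP_USER_AGENT'] = 'curl 1.2.3'
      params = {}
      get '/api/v1/users', params: params.to_json, headers: basic_auth_headers('user-device-agent', 'agentpw')
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@agent, devices: 1, new_device_mails: 0, new_location_mails: 0)
      assert_instance_of(Array, result)
    end

    test '09 - login index with agent with basic auth' do
      ENV['HTTP_USER_AGENT'] = 'curl 1.2.3'
      UserDevice.add(
        ENV['HTTP_USER_AGENT'],
        ENV['TEST_REMOTE_IP'],
        @agent.id,
        '',
        'basic_auth', # session|basic_auth|token_auth|sso
      )
      assert_device_state(@agent, devices: 1, new_device_mails: 0, new_location_mails: 0)

      params = {}
      get '/api/v1/users', params: params.to_json, headers: basic_auth_headers('user-device-agent', 'agentpw')
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@agent, devices: 1, new_device_mails: 0, new_location_mails: 0)
      assert_instance_of(Array, result)
    end

    test '10 - login with switched_from_user_id' do
      assert_device_state(@agent, devices: 0, new_device_mails: 0, new_location_mails: 0)

      # an admin switched into the agent's account: requests are not the
      # agent's own, so no device is recorded and no mail is sent to the agent
      ENV['SWITCHED_FROM_USER_ID'] = @admin.id.to_s
      params = { fingerprint: 'my_finger_print_II', username: 'user-device-agent', password: 'agentpw' }
      post '/api/v1/signin', params: params.to_json, headers: @headers
      assert_response(201)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)
      assert_device_state(@agent, devices: 0, new_device_mails: 0, new_location_mails: 0)
      assert_instance_of(Hash, result)
      assert_not(result['error'])
      assert(result['config'])
      assert_equal('my_finger_print_II', controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
      assert_device_state(@agent, devices: 0, new_device_mails: 0, new_location_mails: 0)

      ENV['USER_DEVICE_UPDATED_AT'] = (Time.zone.now - 4.hours).to_s
      params = {}
      get '/api/v1/users', params: params.to_json, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Array, result)
      assert_equal('my_finger_print_II', controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
      assert_device_state(@agent, devices: 0, new_device_mails: 0, new_location_mails: 0)
      ENV['USER_DEVICE_UPDATED_AT'] = nil

      # not even a location change is tracked while switched
      ENV['TEST_REMOTE_IP'] = '195.65.29.254' # ch
      params = {}
      get '/api/v1/users', params: params.to_json, headers: @headers
      assert_response(200)
      result = JSON.parse(@response.body)
      Scheduler.worker(true)

      # ip reset
      ENV['TEST_REMOTE_IP'] = '5.9.62.170' # de
      assert_device_state(@agent, devices: 0, new_device_mails: 0, new_location_mails: 0)
    end

    test '11 - login with invalid fingerprint' do
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)

      # the client-supplied fingerprint is length-limited server side; an
      # oversized one is rejected before anything is stored
      params = { fingerprint: 'to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890to_long_1234567890', username: 'user-device-admin', password: 'adminpw' }
      post '/api/v1/signin', params: params.to_json, headers: @headers
      assert_response(422)
      result = JSON.parse(@response.body)
      assert_instance_of(Hash, result)
      assert_equal('fingerprint is 198 chars but can only be 160 chars!', result['error'])
      assert_not(result['config'])
      assert_not(controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)
    end

    test '12 - login with integer as fingerprint' do
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)

      params = { fingerprint: 123_456_789, username: 'user-device-admin', password: 'adminpw' }
      post '/api/v1/signin', params: params.to_json, headers: @headers
      assert_response(201)
      result = JSON.parse(@response.body)
      # compared via to_s: whether the session keeps the Integer or a String
      # is not fixed by this test, only that the fingerprint was taken over
      assert_equal('123456789', controller.session[:user_device_fingerprint].to_s)
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 1, new_device_mails: 0, new_location_mails: 0)
      assert_instance_of(Hash, result)
      assert_nil(result['error'])
    end

    test '13 - login form controller - check no user device logging' do
      Setting.set('form_ticket_create', true)
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)

      # the form endpoint does not track devices even for an authenticated
      # request carrying a (maximum length) fingerprint
      params = {
        fingerprint: 'long_1234567890long_1234567890long_1234567890long_1234567890long_1234567890long_1234567890long_1234567890long_1234567890long_1234567890long_1234567890long_1234567890'
      }
      post '/api/v1/form_config', params: params.to_json, headers: basic_auth_headers('user-device-admin', 'adminpw')
      assert_response(200)
      result = JSON.parse(@response.body)
      assert_instance_of(Hash, result)
      assert_not(result['error'])
      assert(result['endpoint'])
      assert_not(controller.session[:user_device_fingerprint])
      Scheduler.worker(true)
      assert_device_state(@admin, devices: 0, new_device_mails: 0, new_location_mails: 0)
    end

    private

    # Asserts the tracking state for +user+: the number of UserDevice rows and
    # the number of 'user_device_new' / 'user_device_new_location' mails sent.
    def assert_device_state(user, devices:, new_device_mails:, new_location_mails:)
      assert_equal(devices, UserDevice.where(user_id: user.id).count)
      assert_equal(new_device_mails, email_notification_count('user_device_new', user.email))
      assert_equal(new_location_mails, email_notification_count('user_device_new_location', user.email))
    end

    # JSON request headers plus an HTTP basic auth Authorization header for
    # +login+ / +password+.
    def basic_auth_headers(login, password)
      credentials = ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
      @headers.merge('Authorization' => credentials)
    end
  end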