api_auth_spec.rb 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425
  1. require 'rails_helper'
  2. RSpec.describe 'Api Auth', type: :request do
  3. around do |example|
  4. orig = ActionController::Base.allow_forgery_protection
  5. begin
  6. ActionController::Base.allow_forgery_protection = true
  7. example.run
  8. ensure
  9. ActionController::Base.allow_forgery_protection = orig
  10. end
  11. end
  12. let(:admin) do
  13. create(:admin)
  14. end
  15. let(:agent) do
  16. create(:agent)
  17. end
  18. let(:customer) do
  19. create(:customer)
  20. end
  21. describe 'request handling' do
  22. it 'does basic auth - admin' do
  23. Setting.set('api_password_access', false)
  24. authenticated_as(admin)
  25. get '/api/v1/sessions', params: {}, as: :json
  26. expect(response).to have_http_status(:unauthorized)
  27. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  28. expect(json_response).to be_a_kind_of(Hash)
  29. expect(json_response['error']).to eq('API password access disabled!')
  30. Setting.set('api_password_access', true)
  31. get '/api/v1/sessions', params: {}, as: :json
  32. expect(response).to have_http_status(:ok)
  33. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  34. expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
  35. expect(response.header['Pragma']).to eq('no-cache')
  36. expect(response.header['Expires']).to eq('-1')
  37. expect(json_response).to be_a_kind_of(Hash)
  38. expect(json_response).to be_truthy
  39. end
  40. it 'does basic auth - agent' do
  41. Setting.set('api_password_access', false)
  42. authenticated_as(agent)
  43. get '/api/v1/tickets', params: {}, as: :json
  44. expect(response).to have_http_status(:unauthorized)
  45. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  46. expect(json_response).to be_a_kind_of(Hash)
  47. expect(json_response['error']).to eq('API password access disabled!')
  48. Setting.set('api_password_access', true)
  49. get '/api/v1/tickets', params: {}, as: :json
  50. expect(response).to have_http_status(:ok)
  51. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  52. expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
  53. expect(response.header['Pragma']).to eq('no-cache')
  54. expect(response.header['Expires']).to eq('-1')
  55. expect(json_response).to be_a_kind_of(Array)
  56. expect(json_response).to be_truthy
  57. end
  58. it 'does basic auth - customer' do
  59. Setting.set('api_password_access', false)
  60. authenticated_as(customer)
  61. get '/api/v1/tickets', params: {}, as: :json
  62. expect(response).to have_http_status(:unauthorized)
  63. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  64. expect(json_response).to be_a_kind_of(Hash)
  65. expect(json_response['error']).to eq('API password access disabled!')
  66. Setting.set('api_password_access', true)
  67. get '/api/v1/tickets', params: {}, as: :json
  68. expect(response).to have_http_status(:ok)
  69. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  70. expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
  71. expect(response.header['Pragma']).to eq('no-cache')
  72. expect(response.header['Expires']).to eq('-1')
  73. expect(json_response).to be_a_kind_of(Array)
  74. expect(json_response).to be_truthy
  75. end
  76. it 'does token auth - admin', last_admin_check: false do
  77. admin_token = create(
  78. :token,
  79. action: 'api',
  80. persistent: true,
  81. user_id: admin.id,
  82. preferences: {
  83. permission: ['admin.session'],
  84. },
  85. )
  86. authenticated_as(admin, token: admin_token)
  87. Setting.set('api_token_access', false)
  88. get '/api/v1/sessions', params: {}, as: :json
  89. expect(response).to have_http_status(:unauthorized)
  90. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  91. expect(json_response).to be_a_kind_of(Hash)
  92. expect(json_response['error']).to eq('API token access disabled!')
  93. Setting.set('api_token_access', true)
  94. get '/api/v1/sessions', params: {}, as: :json
  95. expect(response).to have_http_status(:ok)
  96. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  97. expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
  98. expect(response.header['Pragma']).to eq('no-cache')
  99. expect(response.header['Expires']).to eq('-1')
  100. expect(json_response).to be_a_kind_of(Hash)
  101. expect(json_response).to be_truthy
  102. admin_token.preferences[:permission] = ['admin.session_not_existing']
  103. admin_token.save!
  104. get '/api/v1/sessions', params: {}, as: :json
  105. expect(response).to have_http_status(:unauthorized)
  106. expect(json_response).to be_a_kind_of(Hash)
  107. expect(json_response['error']).to eq('Not authorized (token)!')
  108. admin_token.preferences[:permission] = []
  109. admin_token.save!
  110. get '/api/v1/sessions', params: {}, as: :json
  111. expect(response).to have_http_status(:unauthorized)
  112. expect(json_response).to be_a_kind_of(Hash)
  113. expect(json_response['error']).to eq('Not authorized (token)!')
  114. admin.active = false
  115. admin.save!
  116. get '/api/v1/sessions', params: {}, as: :json
  117. expect(response).to have_http_status(:unauthorized)
  118. expect(json_response).to be_a_kind_of(Hash)
  119. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  120. admin_token.preferences[:permission] = ['admin.session']
  121. admin_token.save!
  122. get '/api/v1/sessions', params: {}, as: :json
  123. expect(response).to have_http_status(:unauthorized)
  124. expect(json_response).to be_a_kind_of(Hash)
  125. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  126. admin.active = true
  127. admin.save!
  128. get '/api/v1/sessions', params: {}, as: :json
  129. expect(response).to have_http_status(:ok)
  130. expect(json_response).to be_a_kind_of(Hash)
  131. expect(json_response).to be_truthy
  132. get '/api/v1/roles', params: {}, as: :json
  133. expect(response).to have_http_status(:unauthorized)
  134. expect(json_response).to be_a_kind_of(Hash)
  135. expect(json_response['error']).to eq('Not authorized (token)!')
  136. admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
  137. admin_token.save!
  138. get '/api/v1/roles', params: {}, as: :json
  139. expect(response).to have_http_status(:ok)
  140. expect(json_response).to be_a_kind_of(Array)
  141. expect(json_response).to be_truthy
  142. admin_token.preferences[:permission] = ['ticket.agent']
  143. admin_token.save!
  144. get '/api/v1/organizations', params: {}, as: :json
  145. expect(response).to have_http_status(:ok)
  146. expect(json_response).to be_a_kind_of(Array)
  147. expect(json_response).to be_truthy
  148. name = "some org name #{rand(999_999_999)}"
  149. post '/api/v1/organizations', params: { name: name }, as: :json
  150. expect(response).to have_http_status(:created)
  151. expect(json_response).to be_a_kind_of(Hash)
  152. expect(json_response['name']).to eq(name)
  153. expect(json_response).to be_truthy
  154. name = "some org name #{rand(999_999_999)} - 2"
  155. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  156. expect(response).to have_http_status(:ok)
  157. expect(json_response).to be_a_kind_of(Hash)
  158. expect(json_response['name']).to eq(name)
  159. expect(json_response).to be_truthy
  160. admin_token.preferences[:permission] = ['admin.organization']
  161. admin_token.save!
  162. get '/api/v1/organizations', params: {}, as: :json
  163. expect(response).to have_http_status(:ok)
  164. expect(json_response).to be_a_kind_of(Array)
  165. expect(json_response).to be_truthy
  166. name = "some org name #{rand(999_999_999)}"
  167. post '/api/v1/organizations', params: { name: name }, as: :json
  168. expect(response).to have_http_status(:created)
  169. expect(json_response).to be_a_kind_of(Hash)
  170. expect(json_response['name']).to eq(name)
  171. expect(json_response).to be_truthy
  172. name = "some org name #{rand(999_999_999)} - 2"
  173. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  174. expect(response).to have_http_status(:ok)
  175. expect(json_response).to be_a_kind_of(Hash)
  176. expect(json_response['name']).to eq(name)
  177. expect(json_response).to be_truthy
  178. admin_token.preferences[:permission] = ['admin']
  179. admin_token.save!
  180. get '/api/v1/organizations', params: {}, as: :json
  181. expect(response).to have_http_status(:ok)
  182. expect(json_response).to be_a_kind_of(Array)
  183. expect(json_response).to be_truthy
  184. name = "some org name #{rand(999_999_999)}"
  185. post '/api/v1/organizations', params: { name: name }, as: :json
  186. expect(response).to have_http_status(:created)
  187. expect(json_response).to be_a_kind_of(Hash)
  188. expect(json_response['name']).to eq(name)
  189. expect(json_response).to be_truthy
  190. name = "some org name #{rand(999_999_999)} - 2"
  191. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  192. expect(response).to have_http_status(:ok)
  193. expect(json_response).to be_a_kind_of(Hash)
  194. expect(json_response['name']).to eq(name)
  195. expect(json_response).to be_truthy
  196. end
  197. it 'does token auth - agent' do
  198. agent_token = create(
  199. :token,
  200. action: 'api',
  201. persistent: true,
  202. user_id: agent.id,
  203. )
  204. authenticated_as(agent, token: agent_token)
  205. Setting.set('api_token_access', false)
  206. get '/api/v1/tickets', params: {}, as: :json
  207. expect(response).to have_http_status(:unauthorized)
  208. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  209. expect(json_response).to be_a_kind_of(Hash)
  210. expect(json_response['error']).to eq('API token access disabled!')
  211. Setting.set('api_token_access', true)
  212. get '/api/v1/tickets', params: {}, as: :json
  213. expect(response).to have_http_status(:ok)
  214. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  215. expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
  216. expect(response.header['Pragma']).to eq('no-cache')
  217. expect(response.header['Expires']).to eq('-1')
  218. expect(json_response).to be_a_kind_of(Array)
  219. expect(json_response).to be_truthy
  220. get '/api/v1/organizations', params: {}, as: :json
  221. expect(response).to have_http_status(:ok)
  222. expect(json_response).to be_a_kind_of(Array)
  223. expect(json_response).to be_truthy
  224. name = "some org name #{rand(999_999_999)}"
  225. post '/api/v1/organizations', params: { name: name }, as: :json
  226. expect(response).to have_http_status(:unauthorized)
  227. end
  228. it 'does token auth - customer' do
  229. customer_token = create(
  230. :token,
  231. action: 'api',
  232. persistent: true,
  233. user_id: customer.id,
  234. )
  235. authenticated_as(customer, token: customer_token)
  236. Setting.set('api_token_access', false)
  237. get '/api/v1/tickets', params: {}, as: :json
  238. expect(response).to have_http_status(:unauthorized)
  239. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  240. expect(json_response).to be_a_kind_of(Hash)
  241. expect(json_response['error']).to eq('API token access disabled!')
  242. Setting.set('api_token_access', true)
  243. get '/api/v1/tickets', params: {}, as: :json
  244. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  245. expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
  246. expect(response.header['Pragma']).to eq('no-cache')
  247. expect(response.header['Expires']).to eq('-1')
  248. expect(response).to have_http_status(:ok)
  249. expect(json_response).to be_a_kind_of(Array)
  250. expect(json_response).to be_truthy
  251. get '/api/v1/organizations', params: {}, as: :json
  252. expect(response).to have_http_status(:ok)
  253. expect(json_response).to be_a_kind_of(Array)
  254. expect(json_response).to be_truthy
  255. name = "some org name #{rand(999_999_999)}"
  256. post '/api/v1/organizations', params: { name: name }, as: :json
  257. expect(response).to have_http_status(:unauthorized)
  258. end
  259. it 'does token auth - invalid user - admin', last_admin_check: false do
  260. admin_token = create(
  261. :token,
  262. action: 'api',
  263. persistent: true,
  264. user_id: admin.id,
  265. )
  266. authenticated_as(admin, token: admin_token)
  267. admin.active = false
  268. admin.save!
  269. Setting.set('api_token_access', false)
  270. get '/api/v1/sessions', params: {}, as: :json
  271. expect(response).to have_http_status(:unauthorized)
  272. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  273. expect(json_response).to be_a_kind_of(Hash)
  274. expect(json_response['error']).to eq('API token access disabled!')
  275. Setting.set('api_token_access', true)
  276. get '/api/v1/sessions', params: {}, as: :json
  277. expect(response).to have_http_status(:unauthorized)
  278. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  279. expect(json_response).to be_a_kind_of(Hash)
  280. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  281. end
  282. it 'does token auth - expired' do
  283. Setting.set('api_token_access', true)
  284. admin_token = create(
  285. :token,
  286. action: 'api',
  287. persistent: true,
  288. user_id: admin.id,
  289. expires_at: Time.zone.today
  290. )
  291. authenticated_as(admin, token: admin_token)
  292. get '/api/v1/tickets', params: {}, as: :json
  293. expect(response).to have_http_status(:unauthorized)
  294. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  295. expect(json_response).to be_a_kind_of(Hash)
  296. expect(json_response['error']).to eq('Not authorized (token expired)!')
  297. admin_token.reload
  298. expect(admin_token.last_used_at).to be_within(1.second).of(Time.zone.now)
  299. end
  300. it 'does token auth - not expired' do
  301. Setting.set('api_token_access', true)
  302. admin_token = create(
  303. :token,
  304. action: 'api',
  305. persistent: true,
  306. user_id: admin.id,
  307. expires_at: Time.zone.tomorrow
  308. )
  309. authenticated_as(admin, token: admin_token)
  310. get '/api/v1/tickets', params: {}, as: :json
  311. expect(response).to have_http_status(:ok)
  312. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  313. expect(response.header['Cache-Control']).to match(/no-cache, no-store/)
  314. expect(response.header['Pragma']).to eq('no-cache')
  315. expect(response.header['Expires']).to eq('-1')
  316. expect(json_response).to be_a_kind_of(Array)
  317. expect(json_response).to be_truthy
  318. admin_token.reload
  319. expect(admin_token.last_used_at).to be_within(1.second).of(Time.zone.now)
  320. end
  321. it 'does session auth - admin' do
  322. create(:admin, login: 'api-admin@example.com', password: 'adminpw')
  323. get '/'
  324. token = response.headers['CSRF-TOKEN']
  325. post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
  326. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  327. expect(response).to have_http_status(:created)
  328. get '/api/v1/sessions', params: {}
  329. expect(response).to have_http_status(:ok)
  330. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  331. expect(json_response).to be_a_kind_of(Hash)
  332. expect(json_response).to be_truthy
  333. end
  334. it 'does session auth - admin - only with valid CSRF token' do
  335. create(:admin, login: 'api-admin@example.com', password: 'adminpw')
  336. post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
  337. expect(response).to have_http_status(:unauthorized)
  338. end
  339. end
  340. end