session_spec.rb 5.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175
  1. require 'rails_helper'
  2. RSpec.describe 'Sessions endpoints', type: :request do
  3. describe 'GET /signshow' do
  4. context 'user logged in' do
  5. subject(:user) { create(:agent, password: password) }
  6. let(:password) { SecureRandom.urlsafe_base64(20) }
  7. let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
  8. before do
  9. params = {
  10. fingerprint: fingerprint,
  11. username: user.login,
  12. password: password
  13. }
  14. post '/api/v1/signin', params: params, as: :json
  15. end
  16. it 'leaks no sensitive data' do
  17. params = { fingerprint: fingerprint }
  18. get '/api/v1/signshow', params: params, as: :json
  19. expect(json_response['session']).not_to include('password')
  20. end
  21. end
  22. end
  23. describe 'GET /auth/sso (single sign-on)' do
  24. before do
  25. Setting.set('auth_sso', true)
  26. end
  27. context 'when SSO is disabled' do
  28. before do
  29. Setting.set('auth_sso', false)
  30. end
  31. let(:headers) { { 'X-Forwarded-User' => login } }
  32. let(:login) { User.last.login }
  33. it 'returns a new user-session response' do
  34. get '/auth/sso', as: :json, headers: headers
  35. expect(response).to have_http_status(:unauthorized)
  36. end
  37. end
  38. context 'with invalid user login' do
  39. let(:login) { User.pluck(:login).max.next }
  40. context 'in "REMOTE_USER" request env var' do
  41. let(:env) { { 'REMOTE_USER' => login } }
  42. it 'returns unauthorized response' do
  43. get '/auth/sso', as: :json, env: env
  44. expect(response).to have_http_status(:unauthorized)
  45. end
  46. end
  47. context 'in "HTTP_REMOTE_USER" request env var' do
  48. let(:env) { { 'HTTP_REMOTE_USER' => login } }
  49. it 'returns unauthorized response' do
  50. get '/auth/sso', as: :json, env: env
  51. expect(response).to have_http_status(:unauthorized)
  52. end
  53. end
  54. context 'in "X-Forwarded-User" request header' do
  55. let(:headers) { { 'X-Forwarded-User' => login } }
  56. it 'returns unauthorized response' do
  57. get '/auth/sso', as: :json, headers: headers
  58. expect(response).to have_http_status(:unauthorized)
  59. end
  60. end
  61. end
  62. context 'with valid user login' do
  63. let(:user) { User.last }
  64. let(:login) { user.login }
  65. context 'in Maintenance Mode' do
  66. before { Setting.set('maintenance_mode', true) }
  67. context 'in "REMOTE_USER" request env var' do
  68. let(:env) { { 'REMOTE_USER' => login } }
  69. it 'returns 401 unauthorized' do
  70. get '/auth/sso', as: :json, env: env
  71. expect(response).to have_http_status(:unauthorized)
  72. expect(json_response).to include('error' => 'Maintenance mode enabled!')
  73. end
  74. end
  75. context 'in "HTTP_REMOTE_USER" request env var' do
  76. let(:env) { { 'HTTP_REMOTE_USER' => login } }
  77. it 'returns 401 unauthorized' do
  78. get '/auth/sso', as: :json, env: env
  79. expect(response).to have_http_status(:unauthorized)
  80. expect(json_response).to include('error' => 'Maintenance mode enabled!')
  81. end
  82. end
  83. context 'in "X-Forwarded-User" request header' do
  84. let(:headers) { { 'X-Forwarded-User' => login } }
  85. it 'returns 401 unauthorized' do
  86. get '/auth/sso', as: :json, headers: headers
  87. expect(response).to have_http_status(:unauthorized)
  88. expect(json_response).to include('error' => 'Maintenance mode enabled!')
  89. end
  90. end
  91. end
  92. context 'in "REMOTE_USER" request env var' do
  93. let(:env) { { 'REMOTE_USER' => login } }
  94. it 'returns a new user-session response' do
  95. get '/auth/sso', as: :json, env: env
  96. expect(response).to redirect_to('/#')
  97. end
  98. it 'sets the :user_id session parameter' do
  99. expect { get '/auth/sso', as: :json, env: env }
  100. .to change { request&.session&.fetch(:user_id) }.to(user.id)
  101. end
  102. end
  103. context 'in "HTTP_REMOTE_USER" request env var' do
  104. let(:env) { { 'HTTP_REMOTE_USER' => login } }
  105. it 'returns a new user-session response' do
  106. get '/auth/sso', as: :json, env: env
  107. expect(response).to redirect_to('/#')
  108. end
  109. it 'sets the :user_id session parameter' do
  110. expect { get '/auth/sso', as: :json, env: env }
  111. .to change { request&.session&.fetch(:user_id) }.to(user.id)
  112. end
  113. end
  114. context 'in "X-Forwarded-User" request header' do
  115. let(:headers) { { 'X-Forwarded-User' => login } }
  116. it 'returns a new user-session response' do
  117. get '/auth/sso', as: :json, headers: headers
  118. expect(response).to redirect_to('/#')
  119. end
  120. it 'sets the :user_id session parameter on the client' do
  121. expect { get '/auth/sso', as: :json, headers: headers }
  122. .to change { request&.session&.fetch(:user_id) }.to(user.id)
  123. end
  124. end
  125. end
  126. end
  127. end