
  1. # Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'Sessions endpoints', type: :request do
  describe 'GET /' do
    let(:headers)     { {} }
    let(:session_key) { Zammad::Application::Initializer::SessionStore::SESSION_KEY }
    # Simulates a request that reached the app via a TLS-terminating reverse
    # proxy (the proxy announces the original scheme in X-Forwarded-Proto).
    let(:https_request_headers) { { 'X-Forwarded-Proto' => 'https' } }
    # Raw Set-Cookie header of the response issued by the +before+ hook.
    let(:set_cookie) { response.headers['Set-Cookie'] }

    before do
      Setting.set('http_type', http_type)
      get '/', headers: headers
    end

    context "when Setting 'http_type' is set to 'https'" do
      let(:http_type) { 'https' }

      context "when it's not an HTTPS request" do
        # A secure-only session cookie must not be handed out over plain HTTP.
        it 'sets no Cookie' do
          expect(set_cookie).to be_nil
        end
      end

      context "when it's an HTTPS request" do
        let(:headers) { https_request_headers }

        it "sets Cookie with 'secure' flag" do
          expect(set_cookie).to include(session_key).and include('; secure;')
        end
      end
    end

    context "when Setting 'http_type' is set to 'http'" do
      let(:http_type) { 'http' }

      context "when it's not an HTTPS request" do
        it 'sets Cookie' do
          expect(set_cookie).to include(session_key).and not_include('; secure;')
        end
      end

      context "when it's an HTTPS request" do
        let(:headers) { https_request_headers }

        it "sets Cookie without 'secure' flag" do
          expect(set_cookie).to include(session_key).and not_include('; secure;')
        end
      end
    end
  end
  describe 'GET /signshow' do
    context 'user logged in' do
      subject(:user) { create(:agent, password: password) }

      let(:password)    { SecureRandom.urlsafe_base64(20) }
      let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
      # Credentials posted to /api/v1/signin to establish the session.
      let(:credentials) do
        { fingerprint: fingerprint, username: user.login, password: password }
      end

      before do
        post '/api/v1/signin', params: credentials, as: :json
      end

      # The session payload goes to the client, so the user's password
      # attribute must never be serialized into it.
      it 'leaks no sensitive data' do
        get '/api/v1/signshow', params: { fingerprint: fingerprint }, as: :json

        expect(json_response['session']).not_to include('password')
      end
    end
  end
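  describe 'GET /auth/sso (single sign-on)' do
    # The endpoint reads the proxy-asserted login from one of three places.
    # Each lambda turns a login into the request options (env: or headers:)
    # that deliver it via that source; the contexts below run once per source
    # so all three code paths stay covered without triplicating every example.
    login_sources = {
      '"REMOTE_USER" request env var'      => ->(login) { { env: { 'REMOTE_USER' => login } } },
      '"HTTP_REMOTE_USER" request env var' => ->(login) { { env: { 'HTTP_REMOTE_USER' => login } } },
      '"X-Forwarded-User" request header'  => ->(login) { { headers: { 'X-Forwarded-User' => login } } },
    }

    before do
      Setting.set('auth_sso', true)
    end

    context 'when SSO is disabled' do
      before do
        Setting.set('auth_sso', false)
      end

      let(:headers) { { 'X-Forwarded-User' => login } }
      let(:login)   { User.last.login }

      # Even an existing login must be rejected while the feature is off;
      # the setting is what makes trusting the proxy-supplied header legitimate.
      it 'returns a forbidden response' do
        get '/auth/sso', as: :json, headers: headers

        expect(response).to have_http_status(:forbidden)
      end
    end

    login_sources.each do |source, request_options|
      context "in #{source}" do
        # Request options carrying +login+ through the current source.
        let(:sso_request) { request_options.call(login) }

        context 'with invalid user login' do
          # Lexicographically after every existing login, so it matches no user.
          let(:login) { User.pluck(:login).max.next }

          it 'returns unauthorized response' do
            get '/auth/sso', as: :json, **sso_request

            expect(response).to have_http_status(:unauthorized)
          end
        end

        context 'with valid user login' do
          let(:user)  { create(:agent) }
          let(:login) { user.login }

          context 'in Maintenance Mode' do
            before { Setting.set('maintenance_mode', true) }

            it 'returns 403 Forbidden' do
              get '/auth/sso', as: :json, **sso_request

              expect(response).to have_http_status(:forbidden)
              expect(json_response).to include('error' => 'Maintenance mode enabled!')
            end
          end

          it 'returns a new user-session response' do
            get '/auth/sso', as: :json, **sso_request

            expect(response).to redirect_to('/#')
          end

          # +request+ is nil before the first call, so the block goes from nil
          # to the signed-in user's id.
          it 'sets the :user_id session parameter' do
            expect { get '/auth/sso', as: :json, **sso_request }
              .to change { request&.session&.fetch(:user_id) }.to(user.id)
          end
        end
      end
    end
  end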
  172. end