api_auth_spec.rb 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'Api Auth', type: :request do
  4. around do |example|
  5. orig = ActionController::Base.allow_forgery_protection
  6. begin
  7. ActionController::Base.allow_forgery_protection = true
  8. example.run
  9. ensure
  10. ActionController::Base.allow_forgery_protection = orig
  11. end
  12. end
  13. let(:admin) do
  14. create(:admin)
  15. end
  16. let(:agent) do
  17. create(:agent)
  18. end
  19. let(:customer) do
  20. create(:customer)
  21. end
  22. describe 'request handling' do
  23. it 'does basic auth - admin' do
  24. Setting.set('api_password_access', false)
  25. authenticated_as(admin)
  26. get '/api/v1/sessions', params: {}, as: :json
  27. expect(response).to have_http_status(:forbidden)
  28. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  29. expect(json_response).to be_a(Hash)
  30. expect(json_response['error']).to eq('API password access disabled!')
  31. Setting.set('api_password_access', true)
  32. get '/api/v1/sessions', params: {}, as: :json
  33. expect(response).to have_http_status(:ok)
  34. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  35. expect(response.header['Cache-Control']).to match(%r{no-cache, no-store})
  36. expect(response.header['Pragma']).to eq('no-cache')
  37. expect(response.header['Expires']).to eq('-1')
  38. expect(json_response).to be_a(Hash)
  39. expect(json_response).to be_truthy
  40. end
  41. it 'does basic auth - agent' do
  42. Setting.set('api_password_access', false)
  43. authenticated_as(agent)
  44. get '/api/v1/tickets', params: {}, as: :json
  45. expect(response).to have_http_status(:forbidden)
  46. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  47. expect(json_response).to be_a(Hash)
  48. expect(json_response['error']).to eq('API password access disabled!')
  49. Setting.set('api_password_access', true)
  50. get '/api/v1/tickets', params: {}, as: :json
  51. expect(response).to have_http_status(:ok)
  52. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  53. expect(response.header['Cache-Control']).to match(%r{no-cache, no-store})
  54. expect(response.header['Pragma']).to eq('no-cache')
  55. expect(response.header['Expires']).to eq('-1')
  56. expect(json_response).to be_a(Array)
  57. expect(json_response).to be_truthy
  58. end
  59. it 'does basic auth - customer' do
  60. Setting.set('api_password_access', false)
  61. authenticated_as(customer)
  62. get '/api/v1/tickets', params: {}, as: :json
  63. expect(response).to have_http_status(:forbidden)
  64. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  65. expect(json_response).to be_a(Hash)
  66. expect(json_response['error']).to eq('API password access disabled!')
  67. Setting.set('api_password_access', true)
  68. get '/api/v1/tickets', params: {}, as: :json
  69. expect(response).to have_http_status(:ok)
  70. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  71. expect(response.header['Cache-Control']).to match(%r{no-cache, no-store})
  72. expect(response.header['Pragma']).to eq('no-cache')
  73. expect(response.header['Expires']).to eq('-1')
  74. expect(json_response).to be_a(Array)
  75. expect(json_response).to be_truthy
  76. end
  77. it 'does token auth - admin', last_admin_check: false do
  78. admin_token = create(
  79. :token,
  80. action: 'api',
  81. persistent: true,
  82. user_id: admin.id,
  83. preferences: {
  84. permission: ['admin.session'],
  85. },
  86. )
  87. authenticated_as(admin, token: admin_token)
  88. Setting.set('api_token_access', false)
  89. get '/api/v1/sessions', params: {}, as: :json
  90. expect(response).to have_http_status(:forbidden)
  91. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  92. expect(json_response).to be_a(Hash)
  93. expect(json_response['error']).to eq('API token access disabled!')
  94. Setting.set('api_token_access', true)
  95. get '/api/v1/sessions', params: {}, as: :json
  96. expect(response).to have_http_status(:ok)
  97. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  98. expect(response.header['Cache-Control']).to match(%r{no-cache, no-store})
  99. expect(response.header['Pragma']).to eq('no-cache')
  100. expect(response.header['Expires']).to eq('-1')
  101. expect(json_response).to be_a(Hash)
  102. expect(json_response).to be_truthy
  103. admin_token.preferences[:permission] = ['admin.session_not_existing']
  104. admin_token.save!
  105. get '/api/v1/sessions', params: {}, as: :json
  106. expect(response).to have_http_status(:forbidden)
  107. expect(json_response).to be_a(Hash)
  108. expect(json_response['error']).to eq('Not authorized (token)!')
  109. admin_token.preferences[:permission] = []
  110. admin_token.save!
  111. get '/api/v1/sessions', params: {}, as: :json
  112. expect(response).to have_http_status(:forbidden)
  113. expect(json_response).to be_a(Hash)
  114. expect(json_response['error']).to eq('Not authorized (token)!')
  115. admin.active = false
  116. admin.save!
  117. get '/api/v1/sessions', params: {}, as: :json
  118. expect(response).to have_http_status(:unauthorized)
  119. expect(json_response).to be_a(Hash)
  120. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  121. admin_token.preferences[:permission] = ['admin.session']
  122. admin_token.save!
  123. get '/api/v1/sessions', params: {}, as: :json
  124. expect(response).to have_http_status(:unauthorized)
  125. expect(json_response).to be_a(Hash)
  126. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  127. admin.active = true
  128. admin.save!
  129. get '/api/v1/sessions', params: {}, as: :json
  130. expect(response).to have_http_status(:ok)
  131. expect(json_response).to be_a(Hash)
  132. expect(json_response).to be_truthy
  133. get '/api/v1/roles', params: {}, as: :json
  134. expect(response).to have_http_status(:forbidden)
  135. expect(json_response).to be_a(Hash)
  136. expect(json_response['error']).to eq('Not authorized (token)!')
  137. admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
  138. admin_token.save!
  139. get '/api/v1/roles', params: {}, as: :json
  140. expect(response).to have_http_status(:ok)
  141. expect(json_response).to be_a(Array)
  142. expect(json_response).to be_truthy
  143. admin_token.preferences[:permission] = ['ticket.agent']
  144. admin_token.save!
  145. get '/api/v1/organizations', params: {}, as: :json
  146. expect(response).to have_http_status(:ok)
  147. expect(json_response).to be_a(Array)
  148. expect(json_response).to be_truthy
  149. name = "some org name #{SecureRandom.uuid}"
  150. post '/api/v1/organizations', params: { name: name }, as: :json
  151. expect(response).to have_http_status(:created)
  152. expect(json_response).to be_a(Hash)
  153. expect(json_response['name']).to eq(name)
  154. expect(json_response).to be_truthy
  155. name = "some org name #{SecureRandom.uuid} - 2"
  156. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  157. expect(response).to have_http_status(:ok)
  158. expect(json_response).to be_a(Hash)
  159. expect(json_response['name']).to eq(name)
  160. expect(json_response).to be_truthy
  161. admin_token.preferences[:permission] = ['admin.organization']
  162. admin_token.save!
  163. get '/api/v1/organizations', params: {}, as: :json
  164. expect(response).to have_http_status(:ok)
  165. expect(json_response).to be_a(Array)
  166. expect(json_response).to be_truthy
  167. name = "some org name #{SecureRandom.uuid}"
  168. post '/api/v1/organizations', params: { name: name }, as: :json
  169. expect(response).to have_http_status(:created)
  170. expect(json_response).to be_a(Hash)
  171. expect(json_response['name']).to eq(name)
  172. expect(json_response).to be_truthy
  173. name = "some org name #{SecureRandom.uuid} - 2"
  174. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  175. expect(response).to have_http_status(:ok)
  176. expect(json_response).to be_a(Hash)
  177. expect(json_response['name']).to eq(name)
  178. expect(json_response).to be_truthy
  179. admin_token.preferences[:permission] = ['admin']
  180. admin_token.save!
  181. get '/api/v1/organizations', params: {}, as: :json
  182. expect(response).to have_http_status(:ok)
  183. expect(json_response).to be_a(Array)
  184. expect(json_response).to be_truthy
  185. name = "some org name #{SecureRandom.uuid}"
  186. post '/api/v1/organizations', params: { name: name }, as: :json
  187. expect(response).to have_http_status(:created)
  188. expect(json_response).to be_a(Hash)
  189. expect(json_response['name']).to eq(name)
  190. expect(json_response).to be_truthy
  191. name = "some org name #{SecureRandom.uuid} - 2"
  192. put "/api/v1/organizations/#{json_response['id']}", params: { name: name }, as: :json
  193. expect(response).to have_http_status(:ok)
  194. expect(json_response).to be_a(Hash)
  195. expect(json_response['name']).to eq(name)
  196. expect(json_response).to be_truthy
  197. end
  198. it 'does token auth - agent' do
  199. agent_token = create(
  200. :token,
  201. action: 'api',
  202. persistent: true,
  203. user_id: agent.id,
  204. )
  205. authenticated_as(agent, token: agent_token)
  206. Setting.set('api_token_access', false)
  207. get '/api/v1/tickets', params: {}, as: :json
  208. expect(response).to have_http_status(:forbidden)
  209. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  210. expect(json_response).to be_a(Hash)
  211. expect(json_response['error']).to eq('API token access disabled!')
  212. Setting.set('api_token_access', true)
  213. get '/api/v1/tickets', params: {}, as: :json
  214. expect(response).to have_http_status(:ok)
  215. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  216. expect(response.header['Cache-Control']).to match(%r{no-cache, no-store})
  217. expect(response.header['Pragma']).to eq('no-cache')
  218. expect(response.header['Expires']).to eq('-1')
  219. expect(json_response).to be_a(Array)
  220. expect(json_response).to be_truthy
  221. get '/api/v1/organizations', params: {}, as: :json
  222. expect(response).to have_http_status(:ok)
  223. expect(json_response).to be_a(Array)
  224. expect(json_response).to be_truthy
  225. name = "some org name #{SecureRandom.uuid}"
  226. post '/api/v1/organizations', params: { name: name }, as: :json
  227. expect(response).to have_http_status(:forbidden)
  228. end
  229. it 'does token auth - customer' do
  230. customer_token = create(
  231. :token,
  232. action: 'api',
  233. persistent: true,
  234. user_id: customer.id,
  235. )
  236. authenticated_as(customer, token: customer_token)
  237. Setting.set('api_token_access', false)
  238. get '/api/v1/tickets', params: {}, as: :json
  239. expect(response).to have_http_status(:forbidden)
  240. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  241. expect(json_response).to be_a(Hash)
  242. expect(json_response['error']).to eq('API token access disabled!')
  243. Setting.set('api_token_access', true)
  244. get '/api/v1/tickets', params: {}, as: :json
  245. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  246. expect(response.header['Cache-Control']).to match(%r{no-cache, no-store})
  247. expect(response.header['Pragma']).to eq('no-cache')
  248. expect(response.header['Expires']).to eq('-1')
  249. expect(response).to have_http_status(:ok)
  250. expect(json_response).to be_a(Array)
  251. expect(json_response).to be_truthy
  252. get '/api/v1/organizations', params: {}, as: :json
  253. expect(response).to have_http_status(:ok)
  254. expect(json_response).to be_a(Array)
  255. expect(json_response).to be_truthy
  256. name = "some org name #{SecureRandom.uuid}"
  257. post '/api/v1/organizations', params: { name: name }, as: :json
  258. expect(response).to have_http_status(:forbidden)
  259. end
  260. it 'does token auth - invalid user - admin', last_admin_check: false do
  261. admin_token = create(
  262. :token,
  263. action: 'api',
  264. persistent: true,
  265. user_id: admin.id,
  266. )
  267. authenticated_as(admin, token: admin_token)
  268. admin.active = false
  269. admin.save!
  270. Setting.set('api_token_access', false)
  271. get '/api/v1/sessions', params: {}, as: :json
  272. expect(response).to have_http_status(:forbidden)
  273. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  274. expect(json_response).to be_a(Hash)
  275. expect(json_response['error']).to eq('API token access disabled!')
  276. Setting.set('api_token_access', true)
  277. get '/api/v1/sessions', params: {}, as: :json
  278. expect(response).to have_http_status(:unauthorized)
  279. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  280. expect(json_response).to be_a(Hash)
  281. expect(json_response['error']).to eq('Login failed. Have you double-checked your credentials and completed the email verification step?')
  282. end
  283. it 'does token auth - expired' do
  284. Setting.set('api_token_access', true)
  285. admin_token = create(
  286. :token,
  287. action: 'api',
  288. persistent: true,
  289. user_id: admin.id,
  290. expires_at: Time.zone.today
  291. )
  292. authenticated_as(admin, token: admin_token)
  293. get '/api/v1/tickets', params: {}, as: :json
  294. expect(response).to have_http_status(:unauthorized)
  295. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  296. expect(json_response).to be_a(Hash)
  297. expect(json_response['error']).to eq('Not authorized (token expired)!')
  298. admin_token.reload
  299. expect(admin_token.last_used_at).to be_within(1.second).of(Time.zone.now)
  300. end
  301. it 'does token auth - not expired' do
  302. Setting.set('api_token_access', true)
  303. admin_token = create(
  304. :token,
  305. action: 'api',
  306. persistent: true,
  307. user_id: admin.id,
  308. expires_at: Time.zone.tomorrow
  309. )
  310. authenticated_as(admin, token: admin_token)
  311. get '/api/v1/tickets', params: {}, as: :json
  312. expect(response).to have_http_status(:ok)
  313. expect(response.header['Access-Control-Allow-Origin']).to eq('*')
  314. expect(response.header['Cache-Control']).to match(%r{no-cache, no-store})
  315. expect(response.header['Pragma']).to eq('no-cache')
  316. expect(response.header['Expires']).to eq('-1')
  317. expect(json_response).to be_a(Array)
  318. expect(json_response).to be_truthy
  319. admin_token.reload
  320. expect(admin_token.last_used_at).to be_within(1.second).of(Time.zone.now)
  321. end
  322. it 'does session auth - admin' do
  323. create(:admin, login: 'api-admin@example.com', password: 'adminpw')
  324. get '/'
  325. token = response.headers['CSRF-TOKEN']
  326. post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
  327. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  328. expect(response).to have_http_status(:created)
  329. get '/api/v1/sessions', params: {}
  330. expect(response).to have_http_status(:ok)
  331. expect(response.header).not_to be_key('Access-Control-Allow-Origin')
  332. expect(json_response).to be_a(Hash)
  333. expect(json_response).to be_truthy
  334. end
  335. it 'does session auth - admin - only with valid CSRF token' do
  336. create(:admin, login: 'api-admin@example.com', password: 'adminpw')
  337. post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
  338. expect(response).to have_http_status(:unauthorized)
  339. end
  340. end
  341. end