123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239 |
- # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
- require 'rails_helper'
- RSpec.describe 'Sessions endpoints', type: :request do
- describe 'GET /' do
- let(:headers) { {} }
- let(:session_key) { Zammad::Application::Initializer::SessionStore::SESSION_KEY }
- before do
- Setting.set('http_type', http_type)
- get '/', headers: headers
- end
- context "when Setting 'http_type' is set to 'https'" do
- let(:http_type) { 'https' }
- context "when it's not an HTTPS request" do
- it 'sets no Cookie' do
- expect(response.header['Set-Cookie']).to be_nil
- end
- end
- context "when it's an HTTPS request" do
- let(:headers) do
- {
- 'X-Forwarded-Proto' => 'https'
- }
- end
- it "sets Cookie with 'secure' flag" do
- expect(response.header['Set-Cookie']).to include(session_key).and include('; secure;')
- end
- end
- end
- context "when Setting 'http_type' is set to 'http'" do
- let(:http_type) { 'http' }
- context "when it's not an HTTPS request" do
- it 'sets Cookie' do
- expect(response.header['Set-Cookie']).to include(session_key).and not_include('; secure;')
- end
- end
- context "when it's an HTTPS request" do
- let(:headers) do
- {
- 'X-Forwarded-Proto' => 'https'
- }
- end
- it "sets Cookie without 'secure' flag" do
- expect(response.header['Set-Cookie']).to include(session_key).and not_include('; secure;')
- end
- end
- end
- end
- describe 'GET /signshow' do
- context 'user logged in' do
- subject(:user) { create(:agent, password: password) }
- let(:password) { SecureRandom.urlsafe_base64(20) }
- let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
- before do
- params = {
- fingerprint: fingerprint,
- username: user.login,
- password: password
- }
- post '/api/v1/signin', params: params, as: :json
- end
- it 'leaks no sensitive data' do
- params = { fingerprint: fingerprint }
- get '/api/v1/signshow', params: params, as: :json
- expect(json_response['session']).not_to include('password')
- end
- end
- end
- describe 'GET /auth/sso (single sign-on)' do
- before do
- Setting.set('auth_sso', true)
- end
- context 'when SSO is disabled' do
- before do
- Setting.set('auth_sso', false)
- end
- let(:headers) { { 'X-Forwarded-User' => login } }
- let(:login) { User.last.login }
- it 'returns a new user-session response' do
- get '/auth/sso', as: :json, headers: headers
- expect(response).to have_http_status(:forbidden)
- end
- end
- context 'with invalid user login' do
- let(:login) { User.pluck(:login).max.next }
- context 'in "REMOTE_USER" request env var' do
- let(:env) { { 'REMOTE_USER' => login } }
- it 'returns unauthorized response' do
- get '/auth/sso', as: :json, env: env
- expect(response).to have_http_status(:unauthorized)
- end
- end
- context 'in "HTTP_REMOTE_USER" request env var' do
- let(:env) { { 'HTTP_REMOTE_USER' => login } }
- it 'returns unauthorized response' do
- get '/auth/sso', as: :json, env: env
- expect(response).to have_http_status(:unauthorized)
- end
- end
- context 'in "X-Forwarded-User" request header' do
- let(:headers) { { 'X-Forwarded-User' => login } }
- it 'returns unauthorized response' do
- get '/auth/sso', as: :json, headers: headers
- expect(response).to have_http_status(:unauthorized)
- end
- end
- end
- context 'with valid user login' do
- let(:user) { create(:agent) }
- let(:login) { user.login }
- context 'in Maintenance Mode' do
- before { Setting.set('maintenance_mode', true) }
- context 'in "REMOTE_USER" request env var' do
- let(:env) { { 'REMOTE_USER' => login } }
- it 'returns 403 Forbidden' do
- get '/auth/sso', as: :json, env: env
- expect(response).to have_http_status(:forbidden)
- expect(json_response).to include('error' => 'Maintenance mode enabled!')
- end
- end
- context 'in "HTTP_REMOTE_USER" request env var' do
- let(:env) { { 'HTTP_REMOTE_USER' => login } }
- it 'returns 403 Forbidden' do
- get '/auth/sso', as: :json, env: env
- expect(response).to have_http_status(:forbidden)
- expect(json_response).to include('error' => 'Maintenance mode enabled!')
- end
- end
- context 'in "X-Forwarded-User" request header' do
- let(:headers) { { 'X-Forwarded-User' => login } }
- it 'returns 403 Forbidden' do
- get '/auth/sso', as: :json, headers: headers
- expect(response).to have_http_status(:forbidden)
- expect(json_response).to include('error' => 'Maintenance mode enabled!')
- end
- end
- end
- context 'in "REMOTE_USER" request env var' do
- let(:env) { { 'REMOTE_USER' => login } }
- it 'returns a new user-session response' do
- get '/auth/sso', as: :json, env: env
- expect(response).to redirect_to('/#')
- end
- it 'sets the :user_id session parameter' do
- expect { get '/auth/sso', as: :json, env: env }
- .to change { request&.session&.fetch(:user_id) }.to(user.id)
- end
- end
- context 'in "HTTP_REMOTE_USER" request env var' do
- let(:env) { { 'HTTP_REMOTE_USER' => login } }
- it 'returns a new user-session response' do
- get '/auth/sso', as: :json, env: env
- expect(response).to redirect_to('/#')
- end
- it 'sets the :user_id session parameter' do
- expect { get '/auth/sso', as: :json, env: env }
- .to change { request&.session&.fetch(:user_id) }.to(user.id)
- end
- end
- context 'in "X-Forwarded-User" request header' do
- let(:headers) { { 'X-Forwarded-User' => login } }
- it 'returns a new user-session response' do
- get '/auth/sso', as: :json, headers: headers
- expect(response).to redirect_to('/#')
- end
- it 'sets the :user_id session parameter on the client' do
- expect { get '/auth/sso', as: :json, headers: headers }
- .to change { request&.session&.fetch(:user_id) }.to(user.id)
- end
- end
- end
- end
- end
|