rosa-build/spec/integration/api_defender_spec.rb

require 'spec_helper'

describe ApiDefender, type: :request do
  def get_basic_auth user = @user, by_token = false, by_email = false
    u,pass = if by_token
               [user.authentication_token, '']
             elsif by_email
               [user.email, @password]
             else
               [user.uname, @password]
             end
    ActionController::HttpAuthentication::Basic.encode_credentials u, pass
  end

  def get_request auth_user = nil, by_token = false, by_email = false
    auth = auth_user ? {'HTTP_AUTHORIZATION' => get_basic_auth(auth_user, by_token, by_email)} : {}
    get "/api/v1/users/#{@user.id}.json", {}, auth
  end

  def get_request2 auth_user = nil, by_token = false, by_email = false
    auth_user = FactoryGirl.create(:user) if !auth_user && APP_CONFIG['anonymous_access'] == false
    get_request auth_user, by_token, by_email
  end

  before do
    stub_symlink_methods
    @redis = Redis.new
    @password = '123456'
    @rate_limit = 3 # dont forget change in max_per_window

    ApiDefender.class_eval("def cache; Redis.new; end; def max_per_window; return #{@rate_limit}; end;")
  end

  before(:each) do
    @user = FactoryGirl.create :user, password: @password
    @system_user = FactoryGirl.create :user, role: 'system'
  end

  if APP_CONFIG['anonymous_access'] == true
    context 'for anonymous user' do
      it "should return the total limit" do
        get_request
        expect(response.headers['X-RateLimit-Limit']).to eq @rate_limit.to_s
      end

      it "should return the correct limit usage for anonymous user" do
        get_request
        expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s
      end

      it "should return the correct limit usage for anonymous user after authenticated access" do
        get_request @user
        get_request
        expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-2).to_s
      end

      it "should forbidden anonymous user after exceeding limit rate" do
        (@rate_limit+1).times {get_request}
        expect(response.status).to eq 403
      end
    end
  else
    it "should forbidden anonymous access" do
      get_request
      expect(response.status).to eq 401
    end
  end

  context 'for user' do
    it "should return the correct limit usage for auth user" do
      get_request @user
      expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s
    end

    it "should allow auth by uname and password" do
      (@rate_limit+1).times {get_request2}
      get_request @user
      expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s
    end

    it "should allow auth by email and password" do
      (@rate_limit+1).times {get_request2}
      get_request @user, false, true
      expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s
    end

    it "should allow auth by token" do
      (@rate_limit+1).times {get_request2}
      get_request @user, true
      expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s
    end

    it "should return the correct limit usage for auth user after other user" do
      get_request2
      get_request @user
      expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s
    end

    it "should forbidden user after exceeding limit rate" do
      (@rate_limit+1).times {get_request @user}
      expect(response.status).to eq 403
    end

    it "should not forbidden user after exceeding limit rate of the other user" do
      (@rate_limit+1).times {get_request2}
      get_request @user
      expect(response.status).to eq 200
    end
  end

  context 'for system user' do
    it "should not return the limit usage for system user" do
      get_request @system_user, true
      expect(response.headers['X-RateLimit-Limit']).to_not eq @rate_limit.to_s
    end

    it "should not forbidden system user" do
      (@rate_limit+1).times {get_request @system_user, true}
      expect(response.status).to eq 200
    end
  end

  context 'for allowed addresses' do
    let(:remote_addr) { APP_CONFIG['allowed_addresses'].first }
    it 'should not return the limit usage for allowed address' do
      get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' =>  remote_addr }
      expect(response.headers['X-RateLimit-Limit']).to_not eq @rate_limit.to_s
    end

    it 'should not forbidden allowed address' do
      (@rate_limit+1).times { get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' =>  remote_addr } }
      expect(response.status).to eq 200
    end
  end

end
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`require 'spec_helper'`

updated specs 2015-02-19 01:53:47 +00:00			`describe ApiDefender, type: :request do`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`def get_basic_auth user = @user, by_token = false, by_email = false`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`u,pass = if by_token`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00			`[user.authentication_token, '']`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`elsif by_email`
			`[user.email, @password]`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`else`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`[user.uname, @password]`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`end`
			`ActionController::HttpAuthentication::Basic.encode_credentials u, pass`
			`end`

[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`def get_request auth_user = nil, by_token = false, by_email = false`
			`auth = auth_user ? {'HTTP_AUTHORIZATION' => get_basic_auth(auth_user, by_token, by_email)} : {}`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`get "/api/v1/users/#{@user.id}.json", {}, auth`
			`end`

[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`def get_request2 auth_user = nil, by_token = false, by_email = false`
			`auth_user = FactoryGirl.create(:user) if !auth_user && APP_CONFIG['anonymous_access'] == false`
			`get_request auth_user, by_token, by_email`
			`end`

[refs #796] add specs 2012-12-24 19:11:57 +00:00			`before do`
[#345] add global stub redis 2014-03-18 13:54:16 +00:00			`stub_symlink_methods`
[refs #796] use MockRedis in specs 2012-12-26 13:07:54 +00:00			`@redis = Redis.new`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`@password = '123456'`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00			`@rate_limit = 3 # dont forget change in max_per_window`
[refs #796] use MockRedis in specs 2012-12-26 13:07:54 +00:00
[refs #796] add more specs 2012-12-26 14:30:05 +00:00			`ApiDefender.class_eval("def cache; Redis.new; end; def max_per_window; return #{@rate_limit}; end;")`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`end`

			`before(:each) do`
[#343] use new ruby hash syntax 2014-01-21 04:51:49 +00:00			`@user = FactoryGirl.create :user, password: @password`
			`@system_user = FactoryGirl.create :user, role: 'system'`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`end`

[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`if APP_CONFIG['anonymous_access'] == true`
			`context 'for anonymous user' do`
			`it "should return the total limit" do`
			`get_request`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Limit']).to eq @rate_limit.to_s`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`end`

			`it "should return the correct limit usage for anonymous user" do`
			`get_request`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`end`

			`it "should return the correct limit usage for anonymous user after authenticated access" do`
			`get_request @user`
			`get_request`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-2).to_s`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`end`

			`it "should forbidden anonymous user after exceeding limit rate" do`
			`(@rate_limit+1).times {get_request}`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.status).to eq 403`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`end`
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`end`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`else`
			`it "should forbidden anonymous access" do`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`get_request`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.status).to eq 401`
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`end`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`end`

[refs #796] group specs 2012-12-26 14:35:15 +00:00			`context 'for user' do`
			`it "should return the correct limit usage for auth user" do`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`get_request @user`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`end`

			`it "should allow auth by uname and password" do`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`(@rate_limit+1).times {get_request2}`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`get_request @user`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`end`

			`it "should allow auth by email and password" do`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`(@rate_limit+1).times {get_request2}`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`get_request @user, false, true`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`end`

			`it "should allow auth by token" do`
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`(@rate_limit+1).times {get_request2}`
[refs #796] small refactoring & add some specs 2012-12-26 15:13:08 +00:00			`get_request @user, true`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s`
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`end`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`it "should return the correct limit usage for auth user after other user" do`
			`get_request2`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`get_request @user`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Remaining']).to eq (@rate_limit-1).to_s`
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`end`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`it "should forbidden user after exceeding limit rate" do`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`(@rate_limit+1).times {get_request @user}`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.status).to eq 403`
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`end`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00
[refs #796] fix specs for disabled anonymous access 2012-12-26 16:46:32 +00:00			`it "should not forbidden user after exceeding limit rate of the other user" do`
			`(@rate_limit+1).times {get_request2}`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`get_request @user`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.status).to eq 200`
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`end`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00			`end`

[refs #796] group specs 2012-12-26 14:35:15 +00:00			`context 'for system user' do`
			`it "should not return the limit usage for system user" do`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`get_request @system_user, true`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Limit']).to_not eq @rate_limit.to_s`
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`end`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00
[refs #796] group specs 2012-12-26 14:35:15 +00:00			`it "should not forbidden system user" do`
[refs #796] refactoring specs 2012-12-26 14:42:07 +00:00			`(@rate_limit+1).times {get_request @system_user, true}`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.status).to eq 200`
[refs #796] add more specs 2012-12-26 14:30:05 +00:00			`end`
[refs #796] add specs 2012-12-24 19:11:57 +00:00			`end`
#192: added specs for allowed_addresses to api defender 2013-07-04 13:43:35 +01:00
#192: refactoring of specs 2013-07-04 13:44:48 +01:00			`context 'for allowed addresses' do`
#192: added specs for allowed_addresses to api defender 2013-07-04 13:43:35 +01:00			`let(:remote_addr) { APP_CONFIG['allowed_addresses'].first }`
#192: refactoring of specs 2013-07-04 13:44:48 +01:00			`it 'should not return the limit usage for allowed address' do`
#192: added specs for allowed_addresses to api defender 2013-07-04 13:43:35 +01:00			`get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' => remote_addr }`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.headers['X-RateLimit-Limit']).to_not eq @rate_limit.to_s`
#192: added specs for allowed_addresses to api defender 2013-07-04 13:43:35 +01:00			`end`

#192: refactoring of specs 2013-07-04 13:44:48 +01:00			`it 'should not forbidden allowed address' do`
#192: added specs for allowed_addresses to api defender 2013-07-04 13:43:35 +01:00			`(@rate_limit+1).times { get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' => remote_addr } }`
Fixed: DEPRECATION WARNING 2015-06-05 19:56:39 +01:00			`expect(response.status).to eq 200`
#192: added specs for allowed_addresses to api defender 2013-07-04 13:43:35 +01:00			`end`
			`end`

[refs #796] add specs 2012-12-24 19:11:57 +00:00			`end`