[refs #796] add more specs

spec/integration/api_defender_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe ApiDefender do
   def get_basic_auth user = @user, by_token = false
     u,pass = if by_token
-               [user.authenticate_token, '']
+               [user.authentication_token, '']
              else
                [user.uname, '123456']
              end
@@ -14,8 +14,9 @@ describe ApiDefender do
     stub_symlink_methods && stub_redis
     @redis = Redis.new
     @password = '123456'
+    @rate_limit = 3 # dont forget change in max_per_window
 
-    ApiDefender.class_eval { def cache; Redis.new; end }
+    ApiDefender.class_eval("def cache; Redis.new; end; def max_per_window; return #{@rate_limit}; end;")
   end
 
   before(:each) do
@@ -28,30 +29,56 @@ describe ApiDefender do
 
   it "should return the total limit" do
     get "/api/v1/users/#{@user.id}.json"
-    response.headers['X-RateLimit-Limit'].should == '500'
+    response.headers['X-RateLimit-Limit'].should == @rate_limit.to_s
-
   end
 
-  it "should return the correct limit usage" do
+  it "should return the correct limit usage for anonymous user" do
     get "/api/v1/users/#{@user.id}.json"
-    response.headers['X-RateLimit-Remaining'].should == '499'
+    response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
   end
 
   it "should return the correct limit usage for auth user" do
-   # get "/api/v1/users/#{@user.id}.json"
     get("/api/v1/users/#{@user.id}.json", {'HTTP_AUTHORIZATION' => get_basic_auth})
-    response.headers['X-RateLimit-Remaining'].should == '499'
+    response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
   end
 
   it "should return the correct limit usage for auth user after anonymous access" do
     get "/api/v1/users/#{@user.id}.json"
     get("/api/v1/users/#{@user.id}.json", {}, {'HTTP_AUTHORIZATION' => get_basic_auth})
-    response.headers['X-RateLimit-Remaining'].should == '499'
+    response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
   end
 
   it "should return the correct limit usage for anonymous user after authenticated access" do
     get("/api/v1/users/#{@user.id}.json", {}, {'HTTP_AUTHORIZATION' => get_basic_auth})
     get "/api/v1/users/#{@user.id}.json"
-    response.headers['X-RateLimit-Remaining'].should == '498'
+    response.headers['X-RateLimit-Remaining'].should == (@rate_limit-2).to_s
+  end
+
+  it "should forbidden anonymous user after exceeding limit rate" do
+    (@rate_limit+1).times {get "/api/v1/users/#{@user.id}.json"}
+    response.status.should == 403
+  end
+
+  it "should forbidden user after exceeding limit rate" do
+    (@rate_limit+1).times {get "/api/v1/users/#{@user.id}.json", {}, {'HTTP_AUTHORIZATION' => get_basic_auth}}
+    response.status.should == 403
+  end
+
+  it "should not forbidden user after exceeding limit rate of the anonymous" do
+    (@rate_limit+1).times {get "/api/v1/users/#{@user.id}.json"}
+    get("/api/v1/users/#{@user.id}.json", {}, {'HTTP_AUTHORIZATION' => get_basic_auth})
+    response.status.should == 200
+  end
+
+  it "should not return the limit usage for system user" do
+    get("/api/v1/users/#{@user.id}.json", {}, {'HTTP_AUTHORIZATION' => get_basic_auth(@system_user, true)})
+    response.headers['X-RateLimit-Limit'].should_not == @rate_limit.to_s
+  end
+
+  it "should not forbidden system user" do
+    (@rate_limit+1).times do
+      get "/api/v1/users/#{@user.id}.json", {}, {'HTTP_AUTHORIZATION' => get_basic_auth(@system_user, true)}
+    end
+    response.status.should == 200
   end
 end