rosa-build/spec/integration/api_defender_spec.rb

123 lines
3.9 KiB
Ruby

require 'spec_helper'
describe ApiDefender do
def get_basic_auth user = @user, by_token = false, by_email = false
u,pass = if by_token
[user.authentication_token, '']
elsif by_email
[user.email, @password]
else
[user.uname, @password]
end
ActionController::HttpAuthentication::Basic.encode_credentials u, pass
end
def get_request auth_user = nil, by_token = false, by_email = false
auth = auth_user ? {'HTTP_AUTHORIZATION' => get_basic_auth(auth_user, by_token, by_email)} : {}
get "/api/v1/users/#{@user.id}.json", {}, auth
end
def get_request2 auth_user = nil, by_token = false, by_email = false
auth_user = FactoryGirl.create(:user) if !auth_user && APP_CONFIG['anonymous_access'] == false
get_request auth_user, by_token, by_email
end
before do
stub_symlink_methods && stub_redis
@redis = Redis.new
@password = '123456'
@rate_limit = 3 # dont forget change in max_per_window
ApiDefender.class_eval("def cache; Redis.new; end; def max_per_window; return #{@rate_limit}; end;")
end
before(:each) do
@user = FactoryGirl.create :user, :password => @password
@system_user = FactoryGirl.create :user, :role => 'system'
end
if APP_CONFIG['anonymous_access'] == true
context 'for anonymous user' do
it "should return the total limit" do
get_request
response.headers['X-RateLimit-Limit'].should == @rate_limit.to_s
end
it "should return the correct limit usage for anonymous user" do
get_request
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should return the correct limit usage for anonymous user after authenticated access" do
get_request @user
get_request
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-2).to_s
end
it "should forbidden anonymous user after exceeding limit rate" do
(@rate_limit+1).times {get_request}
response.status.should == 403
end
end
else
it "should forbidden anonymous access" do
get_request
response.status.should == 401
end
end
context 'for user' do
it "should return the correct limit usage for auth user" do
get_request @user
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should allow auth by uname and password" do
(@rate_limit+1).times {get_request2}
get_request @user
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should allow auth by email and password" do
(@rate_limit+1).times {get_request2}
get_request @user, false, true
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should allow auth by token" do
(@rate_limit+1).times {get_request2}
get_request @user, true
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should return the correct limit usage for auth user after other user" do
get_request2
get_request @user
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
end
it "should forbidden user after exceeding limit rate" do
(@rate_limit+1).times {get_request @user}
response.status.should == 403
end
it "should not forbidden user after exceeding limit rate of the other user" do
(@rate_limit+1).times {get_request2}
get_request @user
response.status.should == 200
end
end
context 'for system user' do
it "should not return the limit usage for system user" do
get_request @system_user, true
response.headers['X-RateLimit-Limit'].should_not == @rate_limit.to_s
end
it "should not forbidden system user" do
(@rate_limit+1).times {get_request @system_user, true}
response.status.should == 200
end
end
end