gnh1201/mastodon
1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2025-09-06 09:51:24 +00:00
Code Issues Actions 24 Packages Projects Releases Wiki Activity

add example rspec request tests for /magic endpoint

Browse Source
This commit is contained in:
Pascal Deklerck 2023-05-15 21:10:30 +02:00
parent 4115548f1b
commit 0895cf9e2d
2 changed files with 105 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
app/controllers/magic_controller.rb
View File

@ -49,14 +49,16 @@ class MagicController < ApplicationController
# returns Net::HTTPResponse object # returns Net::HTTPResponse object
res = Net::HTTP.post(owapath, data, signed_headers) res = Net::HTTP.post(owapath, data, signed_headers)
debug("Response: #{res}")
debug("Status result: #{res.code}") debug("Status result: #{res.code}")
redirect_fallthrough and return unless res.code == '200' redirect_fallthrough and return unless res.is_a? Net::HTTPSuccess
body = JSON.parse(res.body) body = JSON.parse(res.body)
redirect_fallthrough and return unless body.key?('encrypted_token') && body.key?('success') && body['success'] != 'true' debug("Response body: #{body}")
redirect_fallthrough and return unless body.key?('encrypted_token') && body.key?('success') && body['success'] == true
encrypted_token = body['encrypted_token'] encrypted_token = body['encrypted_token']
debug('Success returned!') debug("Success returned! Encrypted token = #{encrypted_token}")
# decrypt encrypted token # decrypt encrypted token
token = privkey.private_decrypt(Base64.urlsafe_decode64(encrypted_token)) token = privkey.private_decrypt(Base64.urlsafe_decode64(encrypted_token))
@ -66,9 +68,12 @@ class MagicController < ApplicationController
redirectdest = @dest + args redirectdest = @dest + args
log("Magic - Redirecting to #{redirectdest} now") log("Magic - Redirecting to #{redirectdest} now")
redirect_to redirectdest redirect_to redirectdest
rescue OpenSSL::PKey::RSAError => e
log("Magic - RSA error: #{e.message}")
redirect_fallthrough
rescue URI::InvalidURIError rescue URI::InvalidURIError
log('Magic - Could not parse destination') log("Magic - Could not parse destination: #{@dest}")
render status: 404 redirect_fallthrough
end end
private private

95
spec/requests/magic_spec.rb Normal file
View File

@ -0,0 +1,95 @@
# frozen_string_literal: true
require 'rails_helper'
dest_nok = 'https://invalid.owas.testing.net'
dest_ok = 'https://valid.owas.testing.net'
# mock an encrypted token that can be decrypted by the user
def encrypt_token
public_key = OpenSSL::PKey.read(user.account.public_key)
Base64.urlsafe_encode64(public_key.public_encrypt(token))
end
def generate_args
"?f=&owt=#{token}"
end
RSpec.configure do |config|
config.before do
stub_request(:post, "#{dest_nok}/owa").
# run1: no HTTP OK status
to_return({ status: 404 }).then.
# run2: success = false
to_return({ body: { 'success' => false }.to_json.to_s }).
# run3: success = true, but no token provided
to_return({ body: { 'success' => true }.to_json.to_s }).
# run4: success = true, wrong token provided
to_return({ body: { 'success' => true, 'encrypted_token' => 'LALA' }.to_json.to_s })
# HTTP OK response, success = true, correct token provided
stub_request(:post, "#{dest_ok}/owa")
.to_return({ body: { 'success' => true, 'encrypted_token' => encrypted_token }.to_json.to_s })
end
config.include Devise::Test::IntegrationHelpers, type: :request
end
RSpec.describe 'GET /magic' do
let(:user) { Fabricate(:user) }
let(:token) { SecureRandom.hex(32) }
let(:encrypted_token) { encrypt_token }
endp = '/magic'
owa_endp = "#{endp}?owa=1"
owa_dest_nok_endp = "#{owa_endp}&dest=#{dest_nok}"
bdest_nok = dest_nok.unpack1('H*')
owa_bdest_nok_endp = "#{owa_endp}&bdest=#{bdest_nok}"
it 'redirects to sign in when no user is signed in' do
get owa_dest_nok_endp
expect(response).to redirect_to('/auth/sign_in')
end
it 'falls through to destination in case of invalid response received from OpenWebAuth server' do
sign_in user
# run1: no HTTP OK status
get owa_dest_nok_endp
expect(response).to have_http_status(302)
expect(response).to redirect_to(dest_nok)
# run2: success = false
get owa_dest_nok_endp
expect(response).to have_http_status(302)
expect(response).to redirect_to(dest_nok)
# run3: success = true, but no token provided
get owa_bdest_nok_endp
expect(response).to have_http_status(302)
expect(response).to redirect_to(dest_nok)
# run4: success = true, invalid token provided
get owa_bdest_nok_endp
expect(response).to have_http_status(302)
expect(response).to redirect_to(dest_nok)
end
# Happy case testing - destination is a working OpenWebAuth server
owa_dest_ok_endp = "#{owa_endp}&dest=#{dest_ok}"
bdest_ok = dest_ok.unpack1('H*')
owa_bdest_ok_endp = "#{owa_endp}&bdest=#{bdest_ok}"
it 'returns a remotely authenticated redirect to the destination when using dest parameter' do
sign_in user
get owa_dest_ok_endp
expect(response).to have_http_status(302)
expect(response).to redirect_to("#{dest_ok}#{generate_args}")
end
it 'returns a remotely authenticated redirect to the destination when using hex encoded dest parameter' do
sign_in user
get owa_bdest_ok_endp
expect(response).to have_http_status(302)
expect(response).to redirect_to("#{dest_ok}#{generate_args}")
end
end