From: Jon Langseth Date: Fri, 20 Jan 2012 13:46:59 +0000 (+0100) Subject: Added formal tests for api/auth X-Git-Url: https://git.defcon.no/?a=commitdiff_plain;h=c2f99e5e48ac8d3be1f3140b696bd307a4adb9d0;p=hermes Added formal tests for api/auth --- diff --git a/api/t/auth.t b/api/t/auth.t new file mode 100644 index 0000000..5ff2e74 --- /dev/null +++ b/api/t/auth.t 
@@ -0,0 +1,237 @@
+#!/usr/bin/perl
+
+use Test::More 'no_plan';
+
+use strict;
+use LWP;
+use Data::Dumper;
+use JSON;
+
+my $api_base = "http://10.0.2.5/hermes/api/";
+my $api_key = "4hErgw3QFJLeuXGW";
+my $invalid_key = "invalidkey" . int(rand(255));
+
+my $test_username = "testauth-" . int(rand(255));
+my $test_password = "foobarbaz";
+my $invalid_username = "failauth-" . int(rand(255));
+
+my ($g_ua, $session, $auth_key, $response, $data, $temp);
+
+$g_ua = LWP::UserAgent->new;
+isa_ok( $g_ua, 'LWP::UserAgent', '$g_ua');
+$g_ua->cookie_jar({}); # In-memory jar, look at HTTP::Cookies for persistant
+isa_ok( $g_ua->cookie_jar, 'HTTP::Cookies', '$g_ua->cookies');
+
+#####################################################################################
+login_apikey();
+
+$response = $g_ua->get( $api_base . "auth/new_apikey" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&host_ip=10.0.3.86" .
+ "&access=full_read");
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/new_apikey ok');
+ok( $data->{'key'}, 'auth/new_apikey new key');
+$temp = $data->{'key'} if ( $data->{'response'} eq 'ok' );
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/list_apikeys" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key);
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/list_apikeys ok');
+ok( $data->{'list'}, 'auth/list_apikeys list');
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/remove_apikey" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&api_key=" . $temp );
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/remove_apikey ok');
+ok( $data->{'key'}, 'auth/remove_apikey key');
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/authorize_user" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&username=" . $test_username .
+ "&access=read_write");
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/authorize_user ok');
+ok( $data->{'user'}, 'auth/authorize_user user set');
+is( $data->{'user'}, $test_username, 'auth/authorize_user user is ' . $test_username);
+ok( $data->{'access'}, 'auth/authorize_user access set');
+isnt( $data->{'access'}, 'no_access', 'auth/authorize_user level');
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/list_users" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key);
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/list_users ok');
+ok( $data->{'list'}, 'auth/list_users list');
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/ping" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key );
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'pong', 'auth/ping PONG!');
+ok( $data->{'auth_key'}, 'auth/ping key set');
+ok( not ($data->{'auth_key'} eq $auth_key), 'auth/ping key changed');
+$auth_key = $data->{'auth_key'};
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/list_apikeys" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key);
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/ping new key accepted.');
+undef $data; undef $response;
+
+
+logout();
+ok( !$session, 'logged out, session cleared');
+login_user();
+
+$response = $g_ua->get( $api_base . "auth/authorize_user" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&username=" . $test_username .
+ "&access=full_read");
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/authorize_user as user ok');
+is( $data->{'user'}, $test_username, 'auth/authorize_user user is ' .
$test_username);
+ok( $data->{'access'}, 'auth/authorize_user access set');
+isnt( $data->{'access'}, 'no_access', 'auth/authorize_user level');
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/remove_user" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&username=" . $test_username );
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'failed', 'auth/remove_user as nonpriv user fails');
+is( $data->{'cause'}, 'unauthorized', 'auth/remove_user cause correct');
+undef $data; undef $response;
+
+
+$response = $g_ua->get( $api_base . "auth/add_user" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&username=" . $test_username );
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'notimplemented', 'auth/add_user TODO: notimplemented.');
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/update_user" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&username=" . $test_username );
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'notimplemented', 'auth/update_user TODO: notimplemented.');
+undef $data; undef $response;
+
+logout();
+ok( !$session, 'logged out, session cleared');
+login_apikey();
+
+$response = $g_ua->get( $api_base . "auth/remove_user" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key .
+ "&username=" . $test_username );
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'ok', 'auth/remove_user as user ok');
+is( $data->{'user'}, $test_username, 'auth/remove_user removed ' . $test_username);
+undef $data; undef $response;
+
+logout();
+ok( !$session, 'logged out, session cleared');
+
+$response = $g_ua->get( $api_base . "auth/list_apikeys" .
+ "?session=" . $session .
+ "&auth_key=" .
$auth_key);
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'failed', 'auth/list_apikeys denied after logout');
+is( $data->{'cause'}, 'unauthorized', 'auth/list_apikeys cause correct');
+undef $data; undef $response;
+
+$response = $g_ua->get( $api_base . "auth/list_users" .
+ "?session=" . $session .
+ "&auth_key=" . $auth_key);
+$data = decode_json( $response->content) if $response->is_success;
+is( $data->{'response'}, 'failed', 'auth/list_users denied after logout');
+is( $data->{'cause'}, 'unauthorized', 'auth/list_users cause correct');
+undef $data; undef $response;
+
+
+
+
+#####################################################################################
+#####################################################################################
+#####################################################################################
+#####################################################################################
+sub login_apikey
+{
+ $response = $g_ua->get( $api_base . "auth/login" .
+ "?api_key=" . $api_key );
+ ok ($response->is_success, 'login_apikey request is_success');
+ $data = decode_json( $response->content) if $response->is_success;
+ die("HTTP error") unless $response->is_success;
+
+ is( $data->{'response'}, 'ok', 'login_apikey logged in');
+ ok( $data->{'session'}, 'login_apikey session set');
+ ok( $data->{'auth_key'}, 'login_apikey auth_key set');
+ if ( $data->{'response'} eq "ok" )
+ {
+ $session = $data->{'session'};
+ $auth_key = $data->{'auth_key'};
+ }
+ else
+ {
+ exit;
+ }
+ undef $data; undef $response;
+}
+sub login_user
+{
+ $response = $g_ua->get( $api_base . "auth/login" .
+ "?username=" . $test_username .
+ "&password=" .
$test_password );
+
+ ok ($response->is_success, 'login_user request is_success');
+ $data = decode_json( $response->content) if $response->is_success;
+ die("HTTP error") unless $response->is_success;
+
+ is( $data->{'response'}, 'ok', 'login_user logged in');
+ ok( $data->{'session'}, 'login_user session set');
+ ok( $data->{'auth_key'}, 'login_user auth_key set');
+ if ( $data->{'response'} eq "ok" )
+ {
+ $session = $data->{'session'};
+ $auth_key = $data->{'auth_key'};
+ }
+ else
+ {
+ exit;
+ }
+ undef $data; undef $response;
+}
+sub logout
+{
+ undef $data; undef $response;
+ $response = $g_ua->get( $api_base . "auth/logout" .
+ "?session=" . $session );
+
+ ok ($response->is_success, 'logout request is_success');
+ die("HTTP error") unless $response->is_success;
+
+ $data = decode_json( $response->content) if $response->is_success;
+ is( $data->{'response'}, 'ok', 'logout ok');
+
+ undef $session;
+ undef $auth_key;
+}
+
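Review bot: The new file commits a live-looking API key and internal endpoint to the repository (`my $api_key = "4hErgw3QFJLeuXGW";`, `my $api_base = "http://10.0.2.5/hermes/api/";` near the top of the hunk); both should come from the environment, with the whole suite skipped when they are absent, which also means dropping `'no_plan'` in favour of `done_testing` so that `plan skip_all` is permitted. `$invalid_key` and `$invalid_username` are declared but never used, so the auth suite contains no negative login case (wrong key, wrong password), which is the check that matters most for an authentication API. `login_user` sends `$test_password` in the GET query string, so the password lands in server and proxy access logs; the test merely mirrors the API's contract, but that contract deserves a follow-up on the server side. Every query is built by string concatenation without URI escaping and the file lacks `use warnings`; `URI::Escape::uri_escape` (already pulled in by LWP) would keep a key or username containing `&` or `%` from being misparsed, and `BAIL_OUT` is the Test::More way to abort where the login helpers currently call bare `exit`.
```perl
use Test::More;          # plain import: 'no_plan' would reject the skip_all below
use strict;
use warnings;
# … unchanged: use LWP; use Data::Dumper; use JSON; …

# Endpoint and key are taken from the environment (variable names are a
# suggestion) so no live credential is committed; without them the file skips.
my $api_base = $ENV{HERMES_API_BASE};
my $api_key  = $ENV{HERMES_API_KEY};
plan skip_all => 'HERMES_API_BASE and HERMES_API_KEY are not set'
    unless defined $api_base && defined $api_key;
# … unchanged: remaining setup, request sequence and helper subs …
done_testing;
```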