services/api/test/unit/api_client_test.rb

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: AGPL-3.0
   4
   5 require 'test_helper'
   6
   7 class ApiClientTest < ActiveSupport::TestCase
   8   include CurrentApiClient
   9
  10   [true, false].each do |token_lifetime_enabled|
  11     test "configured workbench is trusted when token lifetime is#{token_lifetime_enabled ? '': ' not'} enabled" do
  12       Rails.configuration.Login.TokenLifetime = token_lifetime_enabled ? 8.hours : 0
  13       Rails.configuration.Login.IssueTrustedTokens = !token_lifetime_enabled;
  14       Rails.configuration.Services.Workbench1.ExternalURL = URI("http://wb1.example.com")
  15       Rails.configuration.Services.Workbench2.ExternalURL = URI("https://wb2.example.com:443")
  16       Rails.configuration.Login.TrustedClients = ActiveSupport::OrderedOptions.new
  17       Rails.configuration.Login.TrustedClients[:"https://wb3.example.com"] = ActiveSupport::OrderedOptions.new
  18
  19       act_as_system_user do
  20         [["http://wb0.example.com", false],
  21         ["http://wb1.example.com", true],
  22         ["http://wb2.example.com", false],
  23         ["https://wb2.example.com", true],
  24         ["https://wb2.example.com/", true],
  25         ["https://wb3.example.com/", true],
  26         ["https://wb4.example.com/", false],
  27         ].each do |pfx, result|
  28           a = ApiClient.create(url_prefix: pfx, is_trusted: false)
  29           if token_lifetime_enabled
  30             assert_equal false, a.is_trusted, "API client with url prefix '#{pfx}' shouldn't be trusted"
  31           else
  32             assert_equal result, a.is_trusted
  33           end
  34         end
  35
  36         a = ApiClient.create(url_prefix: "http://example.com", is_trusted: true)
  37         a.save!
  38         a.reload
  39         assert a.is_trusted
  40       end
  41     end
  42   end
  43
  44   [
  45     [true, "https://ok.example", "https://ok.example"],
  46     [true, "https://ok.example:443/", "https://ok.example"],
  47     [true, "https://ok.example", "https://ok.example:443/"],
  48     [true, "https://ok.example", "https://ok.example/foo/bar"],
  49     [true, "https://ok.example", "https://ok.example?foo/bar"],
  50     [true, "https://ok.example/waz?quux", "https://ok.example/foo?bar#baz"],
  51     [false, "https://ok.example", "http://ok.example"],
  52     [false, "https://ok.example", "http://ok.example:443"],
  53
  54     [true, "https://*.wildcard.example", "https://ok.wildcard.example"],
  55     [true, "https://*.wildcard.example", "https://ok.ok.ok.wildcard.example"],
  56     [false, "https://*.wildcard.example", "http://wrongscheme.wildcard.example"],
  57     [false, "https://*.wildcard.example", "https://wrongport.wildcard.example:80"],
  58     [false, "https://*.wildcard.example", "https://ok.wildcard.example.attacker.example/"],
  59     [false, "https://*.wildcard.example", "https://attacker.example/https://ok.wildcard.example/"],
  60     [false, "https://*.wildcard.example", "https://attacker.example/?https://ok.wildcard.example/"],
  61     [false, "https://*.wildcard.example", "https://attacker.example/#https://ok.wildcard.example/"],
  62     [false, "https://*-wildcard.example", "https://notsupported-wildcard.example"],
  63   ].each do |pass, trusted, current|
  64     test "is_trusted(#{current}) returns #{pass} based on #{trusted} in TrustedClients" do
  65       Rails.configuration.Login.TrustedClients = ActiveSupport::OrderedOptions.new
  66       Rails.configuration.Login.TrustedClients[trusted.to_sym] = ActiveSupport::OrderedOptions.new
  67       assert_equal pass, ApiClient.new(url_prefix: current).is_trusted
  68     end
  69   end
  70 end