trainmaster 0.1.0

data/test/controllers/trainmaster/sessions_controller_test.rb

@@ -0,0 +1,275 @@
+require 'test_helper'
+
+module Trainmaster
+  class SessionsControllerTest < ActionController::TestCase
+    setup do
+      Rails.cache.clear  # always clear cache first
+      @routes = Engine.routes
+      @session = trainmaster_sessions(:one)
+      @token = @session.token
+      @api_key = trainmaster_users(:one).api_key
+    end
+
+    test "public can see options" do
+      get :options
+      assert_response :success
+    end
+
+    test "user cannot list sessions with invalid token" do
+      get :index, params: { token: "invalidtoken" }
+      assert_response 401
+    end
+
+    test "user can list all his sessions" do
+      get :index, params: { token: @token }
+      assert_response :success
+      sessions = assigns(:sessions)
+      assert_not_nil sessions
+      all_his_sessions = Session.where(user: @session.user)
+      assert_equal sessions.length, all_his_sessions.length
+      sessions.each do |session|
+        assert session.user == @session.user
+      end
+    end
+
+    test "user can list all his sessions with api key" do
+      get :index, params: { api_key: @api_key }
+      assert_response :success
+      sessions = assigns(:sessions)
+      assert_not_nil sessions
+      all_his_sessions = Session.where(user: @session.user)
+      assert_equal sessions.length, all_his_sessions.length
+      sessions.each do |session|
+        assert session.user == @session.user
+      end
+    end
+
+    test "user can list all his sessions using user id in routing" do
+      get :index, params: { user_id: @session.user.uuid, token: @token }
+      assert_response :success
+      sessions = assigns(:sessions)
+      assert_not_nil sessions
+      all_his_sessions = Session.where(user: @session.user)
+      assert_equal sessions.length, all_his_sessions.length
+      sessions.each do |session|
+        assert session.user == @session.user
+      end
+    end
+
+    test "user cannot list expired session" do
+      session = Session.new(user: @session.user, seconds: -1)
+      session.save()
+      get :index, params: { user_id: session.user.uuid, token: @token }
+      assert_response :success
+      json = JSON.parse(@response.body)
+      assert_equal 1, json.length
+    end
+
+    test "user cannot list other's sessions" do
+      get :index, params: { user_id: trainmaster_users(:two), token: @token }
+      assert_response 401
+    end
+
+    test "user cannot list other's sessions with api key" do
+      get :index, params: { user_id: trainmaster_users(:two), api_key: @api_key }
+      assert_response 401
+    end
+
+    test "public cannot list sessions" do
+      get :index
+      assert_response 401
+    end
+
+    test "create a session" do
+      user = trainmaster_users(:one)
+      post :create, params: { username: user.username, password: "password" }
+      assert_response :success
+      session = assigns(:session)
+      assert_not_nil session
+      json = JSON.parse(@response.body)
+      assert json.has_key?("token")
+      assert !json.has_key?("secret")
+    end
+
+    test "cannot create a session if not verified" do
+      user = trainmaster_users(:one)
+      user.verified = false
+      user.save()
+      post :create, params: { username: user.username, password: "password" }
+      assert_response 401
+    end
+
+    test "cannot create a session with non-existent username" do
+      post :create, params: { username: 'idontexist', password: "secret" }
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end
+
+    test "cannot create a session without username" do
+      post :create, params: { password: "secret" }
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end
+
+    test "cannot create a session without a password" do
+      post :create, params: { username: trainmaster_users(:one).username }
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end
+
+    test "cannot create a session with a wrong password" do
+      post :create, params: { username: trainmaster_users(:one).username, password: "notsecret" }
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end
+
+    test "user can create session using existing auth" do
+      post :create, params: { token: @token }
+      assert_response 201
+    end
+
+    test "user can create session using oauth" do
+      auth_hash = OmniAuth::AuthHash.new()
+      auth_hash.provider = "someauthprovider"
+      auth_hash.uid = "someuniqueid"
+      auth_hash.info = OmniAuth::AuthHash::InfoHash.new()
+      auth_hash.info.name = "someusername"
+      Credentials = Struct.new("Credentials", :token, :expires_at)
+      auth_hash.credentials = Credentials.new("sometoken", Time.now.to_i)
+      @request.env["omniauth.auth"] = auth_hash
+      post :create
+      assert_response 302
+      user = User.find_by_oauth_provider_and_oauth_uid("someauthprovider", "someuniqueid")
+      session = Session.find_by_user_uuid(user.uuid)
+      assert_includes @response.location, session.token
+    end
+
+    test "user can show session" do
+      get :show, params: { id: 1, token: @token }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal @token, json["token"]
+      # Do a quick cache check
+      session = Cache.get(kind: :session, token: json["token"])
+      assert_not_nil session
+      assert_equal @token, session.token
+    end
+
+    test "user can show session using api key" do
+      get :show, params: { id: 1, api_key: @api_key }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal @token, json["token"]
+    end
+
+    test "user can show current session" do
+      get :show, params: { id: "current", token: @token }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal @token, json["token"]
+    end
+
+    test "user cannot show current session with api key" do
+      get :show, params: { id: "current", api_key: @api_key }
+      assert_response 404
+    end
+
+    test "user cannot show other's session" do
+      get :show, params: { id: 2, token: @token }
+      assert_response 401
+    end
+
+    test "user cannot show other's session with api key" do
+      get :show, params: { id: 2, api_key: @api_key }
+      assert_response 401
+    end
+
+    test "user cannot show expired session" do
+      session = Session.new(user: @session.user, seconds: -1)
+      session.save()
+      get :show, params: { id: session.uuid, token: @token }
+      assert_response 404
+    end
+
+    test "user cannot show expired session with api key" do
+      session = Session.new(user: @session.user, seconds: -1)
+      session.save()
+      get :show, params: { id: session.uuid, api_key: @api_key }
+      assert_response 404
+    end
+
+    test "public cannot show session" do
+      get :show, params: { id:1 }
+      assert_response 401
+    end
+
+    test "admin can show other's session" do
+      @session = trainmaster_sessions(:admin_one)
+      @token = @session.token
+      get :show, params: { id: 1, token: @token }
+      assert_response :success
+      json = JSON.parse(@response.body)
+      session = trainmaster_sessions(:one)
+      assert_equal session.token, json["token"]
+    end
+
+    test "admin can show other's session with api key" do
+      @session = trainmaster_sessions(:admin_one)
+      @token = @session.token
+      get :show, params: { id: 1, api_key: @api_key }
+      assert_response :success
+      json = JSON.parse(@response.body)
+      session = trainmaster_sessions(:one)
+      assert_equal session.token, json["token"]
+    end
+
+    test "user cannot show nonexisting session" do
+      get :show, params: { id: 999, token: @token }
+      assert_response 404
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end
+
+    test "user can delete session" do
+      delete :destroy, params: { id: 1, token: @token }
+      assert_response 204
+    end
+
+    test "user can delete session with api key" do
+      delete :destroy, params: { id: 1, api_key: @api_key }
+      assert_response 204
+    end
+
+    test "user can delete a current session" do
+      delete :destroy, params: { id: "current", token: @token }
+      assert_response 204
+    end
+
+    test "user cannot delete a current session with api key" do
+      delete :destroy, params: { id: "current", api_key: @api_key }
+      assert_response 404
+    end
+
+    test "user cannot delete a non-existent session" do
+      delete :destroy, params: { id: 999, token: @token }
+      assert_response 404
+    end
+
+    test "user cannot delete other's session" do
+      delete :destroy, params: { id: 2, token: @token }
+      assert_response 401
+    end
+
+    test "admin can delete other's session" do
+      @session = trainmaster_sessions(:admin_one)
+      @token = @session.token
+      delete :destroy, params: { id: 1, token: @token }
+      assert_response :success
+    end
+
+  end
+end

data/test/controllers/trainmaster/users_controller_test.rb

@@ -0,0 +1,335 @@
+require 'json'
+require 'test_helper'
+
+module Trainmaster
+  class UsersControllerTest < ActionController::TestCase
+
+    setup do
+      Rails.cache.clear
+      @routes = Engine.routes
+      @session = trainmaster_sessions(:one)
+      @token = @session.token
+      @api_key = trainmaster_users(:one).api_key
+    end
+
+    test "public can see options" do
+      @request.headers["Access-Control-Request-Headers"] = "GET"
+      get :options
+      assert_response :success
+      assert_equal "GET", @response.headers["Access-Control-Allow-Headers"]
+    end
+
+    test "admin can list all users" do
+      @session = trainmaster_sessions(:admin_one)
+      @token = @session.token
+      get :index, params: { token: @token }
+      assert_response :success
+      users = assigns(:users)
+      assert_not_nil users
+      assert_equal Session.count, users.length
+    end
+
+    test "non-admin cannot list users" do
+      get :index, params: { token: @token }
+      assert_response 401
+    end
+
+    test "create a user" do
+      post :create, params: {
+          username: "foo@example.com", password: "secret",
+          password_confirmation: "secret"
+      }
+      assert_response :success
+      user = assigns(:user)
+      assert_not_nil user
+      assert user.username = "foo@example.com"
+      json = JSON.parse(@response.body)
+      assert_equal "foo@example.com", json["username"]
+      assert_not json.has_key?("password_digest")
+    end
+
+    test "user can create another user" do
+      post :create, params: {
+          username: "foo@example.com", password: "secret",
+          password_confirmation: "secret", token: @token
+      }
+      assert_response :success
+    end
+
+    test "user can create another user with api key" do
+      post :create, params: {
+          username: "foo@example.com", password: "secret",
+          password_confirmation: "secret", api_key: @api_key
+      }
+      assert_response :success
+    end
+
+    test "user cannot create an admin user" do
+      post :create, params: {
+          username: "foo@example.com", password: "secret",
+          password_confirmation: "secret", role: Roles::ADMIN
+      }
+      assert_response :success
+      user = assigns(:user)
+      assert_not_nil user
+      assert_equal Roles::USER, user.role
+    end
+
+    test "admin can create an admin user" do
+      @session = trainmaster_sessions(:admin_one)
+      @token = @session.token
+      post :create, params: {
+          username: "foo@example.com", password: "secret",
+          password_confirmation: "secret", role: Roles::ADMIN, token: @token
+      }
+      assert_response :success
+      user = assigns(:user)
+      assert_not_nil user
+      assert_equal Roles::ADMIN, user.role
+    end
+
+    test "cannot create a user without username" do
+      post :create, params: {
+          password: "secret",
+          password_confirmation: "secret"
+      }
+      assert_response 400
+      json = JSON.parse(@response.body)
+      assert 0 < json["errors"].length
+    end
+
+    test "cannot create a user without a password" do
+      post :create, params: { username: "foo@example.com" }
+      assert_response 400
+      json = JSON.parse(@response.body)
+      assert_equal 1, json["errors"].length
+    end
+
+    test "show a user" do
+      get :show, params: { id: 1, token: @token }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal trainmaster_users(:one).username, json["username"]
+    end
+
+    test "show a current user" do
+      get :show, params: { id: "current", token: @token }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal trainmaster_users(:one).username, json["username"]
+    end
+
+    test "cannot show other user" do
+      get :show, params: { id: 2, token: @token }
+      assert_response 401
+    end
+
+    test "public cannot show a user" do
+      get :show, params: { id: 1 }
+      assert_response 401
+    end
+
+    test "admin can show other user" do
+      @session = trainmaster_sessions(:admin_one)
+      @token = @session.token
+      get :show, params: { id: 1, token: @token }
+      assert_response :success
+    end
+
+    test "cannot show a nonexisting user" do
+      get :show, params: { id: 999, token: @token }
+      assert_response 404
+      json = JSON.parse(@response.body)
+      assert_equal 1, json["errors"].length
+    end
+
+    test "cannot show using well-formed but non-existing token" do
+      iat = Time.now.to_i
+      payload = {
+        user_uuid: @session.user_uuid,
+        session_uuid: @session.uuid,
+        role: @session.user.role,
+        iat: iat,
+        exp: iat + 60
+      }
+      secret = UUIDTools::UUID.random_create
+      token = JWT.encode(payload, secret, 'HS256')
+      get :show, params: { id: 1, token: token }
+      assert_response 401
+    end
+
+    test "cannot show using ill-formed" do
+      iat = Time.now.to_i
+      payload = {
+        session_uuid: @session.uuid,
+        role: @session.user.role,
+        iat: iat,
+        exp: iat + 60
+      }
+      secret = UUIDTools::UUID.random_create
+      token = JWT.encode(payload, secret, 'HS256')
+      get :show, params: { id: 1, token: token }
+      assert_response 401
+    end
+
+    test "cannot show using well-formed but bogus payload" do
+      iat = Time.now.to_i
+      payload = {
+        user_uuid: @session.user_uuid,
+        session_uuid: "doesnotexist",
+        role: @session.user.role,
+        iat: iat,
+        exp: iat + 60
+      }
+      secret = UUIDTools::UUID.random_create
+      token = JWT.encode(payload, secret, 'HS256')
+      get :show, params: { id: 1, token: token }
+      assert_response 401
+    end
+
+    test "cannot show using no token payload" do
+      secret = UUIDTools::UUID.random_create
+      token = JWT.encode({}, secret, 'HS256')
+      get :show, params: { id: 1, token: token }
+      assert_response 401
+    end
+
+    test "update a user" do
+      user = trainmaster_users(:one)
+      old_password_digest = user.password_digest
+      patch :update, params: { id: 1, username: 'foo@example.com', token: @token }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal "foo@example.com", json["username"]
+      user = trainmaster_users(:one)
+      assert_equal old_password_digest, user.password_digest
+    end
+
+    test "update a user with a new password using old password" do
+      user = trainmaster_users(:one)
+      old_password_digest = user.password_digest
+      patch :update, params: {
+          id: 1, old_password: "password", password: "newpassword", password_confirmation: "newpassword" , token: @token
+      }
+      assert_response 200
+      user = User.find_by_uuid(user.uuid)
+      assert_not_equal old_password_digest, user.password_digest
+    end
+
+    test "cannot update password with a invalid token" do
+      patch :update, params: {
+          id: 1, old_password: "wrongpassword", password: "newpassword", password_confirmation: "newpassword" , token: @token
+      }
+      assert_response 401
+    end
+
+    test "update current user" do
+      patch :update, params: {
+          id: "current", username: 'foo@example.com', token: @token
+      }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal "foo@example.com", json["username"]
+    end
+
+    test "update (issue) a new reset token" do
+      patch :update, params: { id: "current", issue_reset_token: true, username: @session.user.username }
+      assert_response 204
+      user = User.find_by_uuid(trainmaster_users(:one))
+      new_reset_token = user.reset_token
+      assert_not_nil new_reset_token
+      patch :update, params: { id: 1, username: "foo@example.com", token: @token }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal "foo@example.com", json["username"]
+    end
+
+    test "cannot update (issue) a new reset token without username" do
+      patch :update, params: { id: "current", issue_reset_token: true }
+      assert_response 404
+    end
+
+    test "cannot update (issue) a new reset token with invalid username" do
+      patch :update, params: { id: "current", issue_reset_token: true, username: "doesnotexist@example.com" }
+      assert_response 404
+    end
+
+    test "update password using reset token" do
+      user = trainmaster_users(:one)
+      old_password_digest = user.password_digest
+      patch :update, params: { id: "current", issue_reset_token: true, username: @session.user.username }
+      user = User.find_by_uuid(user.uuid)
+      new_reset_token = user.reset_token
+      assert_not_nil new_reset_token
+
+      # use reset token to update password
+      patch :update, params: { id: 1, password: "newsecret", password_confirmation: "newsecret", token: new_reset_token }
+      assert_response 200
+
+      user = User.find_by_uuid(user.uuid)
+      assert_not_equal old_password_digest, user.password_digest
+    end
+
+    test "cannot update password with non-reset token" do
+      patch :update, params: { id: 1, password: "newsecret", password_confirmation: "newsecret", token: @token }
+      assert_response 401
+    end
+
+    test "update (reissue) a verification token" do
+      user = User.find_by_uuid(trainmaster_users(:one))
+      old_verification_token = user.verification_token
+      patch :update, params: { id: "current", issue_verification_token: true, username: @session.user.username }
+      assert_response 204
+      user = User.find_by_uuid(trainmaster_users(:one))
+      new_verification_token = user.verification_token
+      assert_not_equal old_verification_token, new_verification_token
+      patch :update, params: { id: "current", verified: true, token: new_verification_token }
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal true, json["verified"]
+    end
+
+    test "cannot update (reissue) a verification reset token without username" do
+      patch :update, params: { id: "current", issue_verification_token: true }
+      assert_response 404
+    end
+
+    test "cannot update (reissue) a verification token with invalid username" do
+      patch :update, params: { id: "current", issue_verification_token: true, username: "doesnotexist@example.com" }
+      assert_response 404
+    end
+
+    test "cannot update invalid email" do
+      patch :update, params: { id: 1, username: 'foobar', token: @token }
+      assert_response 400
+    end
+
+    test "cannot update another user" do
+      patch :update, params: { id: 2, username: 'foo@example.com', token: @token }
+      assert_response 401
+    end
+
+    test "delete a user" do
+      delete :destroy, params: { id: 1, token: @token }
+      assert_response 204
+    end
+
+    test "delete current user" do
+      delete :destroy, params: { id: "current", token: @token }
+      assert_response 204
+    end
+
+    test "cannot delete another user" do
+      delete :destroy, params: { id: 2, token: @token }
+      assert_response 401
+    end
+
+    test "admin can delete other user" do
+      @session = trainmaster_sessions(:admin_one)
+      @token = @session.token
+      delete :destroy, params: { id: 1, token: @token }
+      assert_response :success
+    end
+
+  end
+end