From 516b2180cab76a28b8552a4c8a132b9df9bd29a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karl=20Erik=20=C3=95unapuu?=
Date: Tue, 20 Oct 2020 17:00:25 +0300
Subject: [PATCH] REPP: Extend V1 base test
---
 app/controllers/repp/v1/base_controller.rb | 16 ++++------
 test/integration/repp/v1/base_test.rb | 37 ++++++++++++++++++++++
 2 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb
index 68cc8d225..678ae0a22 100644
--- a/app/controllers/repp/v1/base_controller.rb
+++ b/app/controllers/repp/v1/base_controller.rb
@@ -69,10 +69,6 @@ module Repp ) end - def ip_whitelisted? - return false unless current_user.registrar.api_ip_white?(request.ip) - end - def basic_token pattern = /^Basic / header = request.headers['Authorization']
@@ -95,16 +91,16 @@ module Repp end def check_ip_restriction - ip_restriction = Authorization::RestrictedIP.new(request.ip) - allowed = ip_restriction.can_access_registrar_area?(@current_user.registrar) + allowed = @current_user.registrar.api_ip_white?(request.ip) return if allowed render( - status: :unauthorized, - json: { errors: [ - { base: [I18n.t('registrar.authorization.ip_not_allowed', ip: request.ip)] }, - ] } + json: { + code: 2202, + message: I18n.t('registrar.authorization.ip_not_allowed', ip: request.ip), + }, + status: :unauthorized ) end
diff --git a/test/integration/repp/v1/base_test.rb b/test/integration/repp/v1/base_test.rb
index 63255dd24..d0baed30e 100644
--- a/test/integration/repp/v1/base_test.rb
+++ b/test/integration/repp/v1/base_test.rb
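Review bot: The allow-list decision on the new `allowed = @current_user.registrar.api_ip_white?(request.ip)` line now depends on two things the hunk does not state: `request.ip` is whatever Rails derives after applying `config.action_dispatch.trusted_proxies` to X-Forwarded-For, so an over-broad proxy list lets a client choose the address this check sees, and it is not visible here whether `api_ip_white?` itself honours the `Setting.api_ip_whitelist_enabled` toggle that the removed `Authorization::RestrictedIP` path presumably consulted — confirm before merging. Add `# request.ip is trusted-proxy aware; an over-broad trusted_proxies list lets X-Forwarded-For bypass this allow-list` above the assignment so the dependency is explicit. The denial also keeps `status: :unauthorized` although the credentials were accepted and only the source address is rejected; `status: :forbidden` describes that more accurately and avoids inviting clients to retry with other credentials, with the 2202 code still identifying the cause. The enclosing `module Repp` continues outside the hunk.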
@@ -15,6 +15,15 @@ class ReppV1BaseTest < ActionDispatch::IntegrationTest assert_response :unauthorized assert_equal 'Invalid authorization information', response_json[:message] + + invalid_token = Base64.encode64("nonexistant:user") + headers = { 'Authorization' => "Basic #{invalid_token}" } + + get repp_v1_contacts_path, headers: headers + response_json = JSON.parse(response.body, symbolize_names: true) + + assert_response :unauthorized + assert_equal 'Invalid authorization information', response_json[:message] end def test_authenticates_valid_user
@@ -23,4 +32,32 @@ class ReppV1BaseTest < ActionDispatch::IntegrationTest assert_response :ok end + + def test_processes_invalid_base64_token_format_properly + token = '??as8d9sf kjsdjh klsdfjjf' + headers = { 'Authorization' => "Basic #{token}"} get repp_v1_contacts_path, headers: headers + response_json = JSON.parse(response.body, symbolize_names: true) + + assert_response :unauthorized + assert_equal 'Invalid authorization information', response_json[:message] + end + + def test_takes_ip_whitelist_into_account + Setting.api_ip_whitelist_enabled = true + Setting.registrar_ip_whitelist_enabled = true + + whiteip = white_ips(:one) + whiteip.update(ipv4: '1.1.1.1') + + get repp_v1_contacts_path, headers: @auth_headers + response_json = JSON.parse(response.body, symbolize_names: true) + + assert_response :unauthorized + assert_equal 2202, response_json[:code] + assert response_json[:message].include? 'Access denied from IP' + + Setting.api_ip_whitelist_enabled = false + Setting.registrar_ip_whitelist_enabled = false + end end
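Review bot: `Base64.encode64("nonexistant:user")` returns the token with a trailing newline, so the added case sends `Authorization: Basic bm9uZXhpc3RhbnQ6dXNlcg==\n` and may be rejected as a malformed header rather than as an unknown user, which is the path it is meant to cover. Use `invalid_token = Base64.strict_encode64('nonexistant:user')` so the 401 is attributable to the missing user. Returning the same generic 'Invalid authorization information' for both a malformed token and an unknown user is the right behaviour against username enumeration; pin that intent with a comment on the assertion, e.g. `# same message as the malformed-token case: must not reveal whether the user exists`. The test method this case extends begins outside the hunk.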
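Review bot: `test_takes_ip_whitelist_into_account` resets `Setting.api_ip_whitelist_enabled` and `Setting.registrar_ip_whitelist_enabled` only when every assertion passes; a failure in between leaves both flags on for the rest of the process and turns unrelated tests into IP-restriction failures. Move the reset into an `ensure` clause (or a `teardown`). The case also checks only the negative half — moving `white_ips(:one)` to `1.1.1.1` and expecting code 2202 — so a regression that denies every address still passes; add a positive request with the fixture pointed at the integration client's address (presumably `127.0.0.1` under Rack::Test, confirm) and assert `:ok` first. Whether the fixture also carries an ipv6 value that could match the client is not visible here.
```ruby
  def test_takes_ip_whitelist_into_account
    Setting.api_ip_whitelist_enabled = true
    Setting.registrar_ip_whitelist_enabled = true

    whiteip = white_ips(:one)
    # positive half: the client's own address must still be admitted
    whiteip.update(ipv4: '127.0.0.1')
    get repp_v1_contacts_path, headers: @auth_headers
    assert_response :ok

    whiteip.update(ipv4: '1.1.1.1')
    get repp_v1_contacts_path, headers: @auth_headers
    response_json = JSON.parse(response.body, symbolize_names: true)

    # … unchanged: denial assertions (:unauthorized, code 2202, message) …
  ensure
    # always restore the global toggles, even when an assertion fails
    Setting.api_ip_whitelist_enabled = false
    Setting.registrar_ip_whitelist_enabled = false
  end
```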