Added integration tests for user certificate validation

2025-07-27 21:16:12 +02:00 · 2023-07-13 13:03:10 +03:00 · 2023-07-13 13:03:10 +03:00 · 52b3b3a6cf
commit 52b3b3a6cf
parent 684f80891a
2 changed files with 46 additions and 4 deletions
--- a/app/controllers/repp/v1/base_controller.rb
+++ b/app/controllers/repp/v1/base_controller.rb
@ -162,10 +162,7 @@ module Repp
      end

      def skip_webclient_user_cert_validation?
-        Rails.env.development? ||
-          Rails.env.test? ||
-          !webclient_request? ||
-          request.headers['Requester'] == 'tara'
+        !webclient_request? || request.headers['Requester'] == 'tara'
      end

      def auth_values_to_data(registrar:)
--- a/test/integration/repp/v1/base_test.rb
+++ b/test/integration/repp/v1/base_test.rb
@ -77,6 +77,43 @@ class ReppV1BaseTest < ActionDispatch::IntegrationTest
    Setting.registrar_ip_whitelist_enabled = false
  end

+  def test_validates_webclient_user_certificate_ok
+    cert = certificates(:registrar)
+    @auth_headers.merge!({ 'User-Certificate' => cert.crt, 'User-Certificate-CN' => cert.common_name })
+
+    Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
+      Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
+        get repp_v1_registrar_auth_index_path, headers: @auth_headers
+      end
+    end
+
+    assert_response :ok
+  end
+
+  def test_validates_webclient_user_certificate_if_missing
+    Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
+      Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
+        get repp_v1_registrar_auth_index_path, headers: @auth_headers
+      end
+    end
+
+    assert_unauthorized_user_cert
+  end
+
+  def test_validates_webclient_user_certificate_if_revoked
+    cert = certificates(:registrar)
+    cert.update(revoked: true)
+    @auth_headers.merge!({ 'User-Certificate' => cert.crt, 'User-Certificate-CN' => cert.common_name })
+
+    Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
+      Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
+        get repp_v1_registrar_auth_index_path, headers: @auth_headers
+      end
+    end
+
+    assert_unauthorized_user_cert
+  end
+
  private

  def assert_unauthorized_ip
@ -86,4 +123,12 @@ class ReppV1BaseTest < ActionDispatch::IntegrationTest
    assert_equal 2202, response_json[:code]
    assert response_json[:message].include? 'Access denied from IP'
  end
+
+  def assert_unauthorized_user_cert
+    response_json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :unauthorized
+    assert_equal 2202, response_json[:code]
+    assert response_json[:message].include? 'Invalid user certificate'
+  end
 end