fix auth_spec for reails 3

* use 'HTTP_AUTHORIZATION' for header, not :authorization or
   'Authorization'
 * fix stubbing of forgery protection (in Rails 3, the instance method
   doesn't chain to the class method)
 * fix re-ordering of AuthLogic callback chain for rails 3

Change-Id: I6f190995cee7fd54076e786b17eba430ae03a1c0
Reviewed-on: https://gerrit.instructure.com/30796
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Derek DeVries <ddevries@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
This commit is contained in:
Cody Cutrer 2014-02-25 10:15:17 -07:00
parent 644b29d12f
commit 9d78ba9ab0
4 changed files with 26 additions and 22 deletions


@ -662,7 +662,7 @@ class PseudonymSessionsController < ApplicationController
if CANVAS_RAILS2
basic_user, basic_pass = ActionController::HttpAuthentication::Basic.user_name_and_password(request) if ActionController::HttpAuthentication::Basic.authorization(request)
else
basic_user, basic_pass = ActionController::HttpAuthentication::Basic.user_name_and_password(request) if ActionController::HttpAuthentication::Basic.authenticate(request)
basic_user, basic_pass = ActionController::HttpAuthentication::Basic.user_name_and_password(request) if request.authorization
end
client_id = params[:client_id].presence || basic_user
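Review bot: The new Rails 3 guard on the `request.authorization` line only checks that an Authorization header is present, not that its scheme is Basic, so a request carrying e.g. a `Bearer` token would still be handed to `user_name_and_password`, which (if Rails 3's Basic helper does not check the scheme itself — please confirm for the Rails version in use) would base64-decode the token and split it on `:` as if it were credentials, yielding a garbage `basic_user` that then feeds `client_id` on the last line. A scheme check keeps the two code paths honest, e.g. `basic_user, basic_pass = ActionController::HttpAuthentication::Basic.user_name_and_password(request) if request.authorization.to_s =~ /\ABasic /i`. The Rails 2 branch above shares the same looseness, but it is out of scope for this fix. The enclosing action continues outside the hunk.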


@ -13,12 +13,12 @@ callback_chain = CANVAS_RAILS2 ?
Authlogic::Session::Base._persist_callbacks
# we need http basic auth to take precedence over the session cookie, for the api.
cb = callback_chain.delete(:persist_by_http_auth)
cb = callback_chain.delete(CANVAS_RAILS2 ? :persist_by_http_auth : callback_chain.find { |cb| cb.filter == :persist_by_http_auth })
callback_chain.unshift(cb) if cb
# we also need the session cookie to take precendence over the "remember me" cookie,
# otherwise we'll use the "remember me" cookie every request, which triggers
# generating a new "remember me" cookie since they're one-time use.
cb = callback_chain.delete(:persist_by_cookie)
cb = callback_chain.delete(CANVAS_RAILS2 ? :persist_by_cookie : callback_chain.find { |cb| cb.filter == :persist_by_cookie })
callback_chain.push(cb) if cb
# be tolerant of using a slave
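Review bot: In both rewritten `callback_chain.delete(...)` lines the block parameter `cb` shadows the outer `cb` that the same statement assigns, which is legal but trips Ruby's shadowing warning and makes the line hard to read; renaming the block variable, `callback_chain.find { |callback| callback.filter == :persist_by_http_auth }` (and likewise for `:persist_by_cookie`), avoids it. More importantly, if the Rails 3 lookup returns `nil` (for instance after an Authlogic upgrade renames the filter), `delete(nil)` returns `nil` and the `if cb` guard silently skips the reordering, so HTTP Basic would quietly stop taking precedence over the session cookie for the API; consider failing loudly instead, e.g. `raise "persist_by_http_auth callback not found" unless cb`. The two lookups are also duplicated verbatim apart from the symbol and could share a small helper that takes the filter name. The surrounding initializer continues outside the hunk.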


@ -49,11 +49,11 @@ describe "API Authentication", type: :request do
response.response_code.should == 401
get "/api/v1/courses.json?api_key=#{@key.api_key}"
response.response_code.should == 401
get "/api/v1/courses.json?api_key=#{@key.api_key}", {}, { :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'failboat') }
get "/api/v1/courses.json?api_key=#{@key.api_key}", {}, { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'failboat') }
response.response_code.should == 401
get "/api/v1/courses.json", {}, { :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
get "/api/v1/courses.json", {}, { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.should be_success
get "/api/v1/courses.json?api_key=#{@key.api_key}", {}, { :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
get "/api/v1/courses.json?api_key=#{@key.api_key}", {}, { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.should be_success
end
end
@ -82,17 +82,17 @@ describe "API Authentication", type: :request do
get "/api/v1/courses.json"
response.should be_success
get "/api/v1/courses.json?api_key=#{@key.api_key}", {},
{ :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'failboat') }
{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'failboat') }
response.response_code.should == 401
get "/api/v1/courses.json", {},
{ :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.should be_success
end
it "should allow basic auth with api key" do
get "/api/v1/courses.json?api_key=#{@key.api_key}", {},
{ :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.should be_success
end
@ -117,14 +117,14 @@ describe "API Authentication", type: :request do
response.response_code.should == 401
post "/api/v1/courses/#{@course.id}/assignments.json",
{ :assignment => { :name => 'test assignment', :points_possible => '5.3', :grading_type => 'points' } },
{ :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.response_code.should == 401
end
it "should allow post with api key and basic auth" do
post "/api/v1/courses/#{@course.id}/assignments.json?api_key=#{@key.api_key}",
{ :assignment => { :name => 'test assignment', :points_possible => '5.3', :grading_type => 'points' } },
{ :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.should be_success
@course.assignments.count.should == 1
@course.assignments.first.title.should == 'test assignment'
@ -156,11 +156,11 @@ describe "API Authentication", type: :request do
it "should allow replacing the authenticity token with api_key when basic auth is correct" do
post "/api/v1/courses/#{@course.id}/assignments.json?api_key=#{@key.api_key}",
{ :assignment => { :name => 'test assignment', :points_possible => '5.3', :grading_type => 'points' } },
{ :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'badpass') }
{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'badpass') }
response.response_code.should == 401
post "/api/v1/courses/#{@course.id}/assignments.json?api_key=#{@key.api_key}",
{ :assignment => { :name => 'test assignment', :points_possible => '5.3', :grading_type => 'points' } },
{ :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.should be_success
end
end
@ -191,7 +191,7 @@ describe "API Authentication", type: :request do
# we have the code, we can close the browser session
if opts[:basic_auth]
post "/login/oauth2/token", { :code => code }, { :authorization => ActionController::HttpAuthentication::Basic.encode_credentials(@client_id, @client_secret) }
post "/login/oauth2/token", { :code => code }, { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(@client_id, @client_secret) }
else
post "/login/oauth2/token", :client_id => @client_id, :client_secret => @client_secret, :code => code
end
@ -445,7 +445,7 @@ describe "API Authentication", type: :request do
code.should be_present
# exchange the code for the token
post "/login/oauth2/token", { :code => code }, { :authorization => ActionController::HttpAuthentication::Basic.encode_credentials(@client_id, @client_secret) }
post "/login/oauth2/token", { :code => code }, { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(@client_id, @client_secret) }
response.should be_success
response.header['content-type'].should == 'application/json; charset=utf-8'
json = JSON.parse(response.body)
@ -486,7 +486,7 @@ describe "API Authentication", type: :request do
end
it "should allow passing the access token in the authorization header" do
check_used { get "/api/v1/courses", nil, { 'Authorization' => "Bearer #{@token.full_token}" } }
check_used { get "/api/v1/courses", nil, { 'HTTP_AUTHORIZATION' => "Bearer #{@token.full_token}" } }
JSON.parse(response.body).size.should == 1
end
@ -505,18 +505,18 @@ describe "API Authentication", type: :request do
end
it "should error if the access token is expired or non-existent" do
get "/api/v1/courses", nil, { 'Authorization' => "Bearer blahblah" }
get "/api/v1/courses", nil, { 'HTTP_AUTHORIZATION' => "Bearer blahblah" }
assert_status(401)
response['WWW-Authenticate'].should == %{Bearer realm="canvas-lms"}
@token.update_attribute(:expires_at, 1.hour.ago)
get "/api/v1/courses", nil, { 'Authorization' => "Bearer #{@token.full_token}" }
get "/api/v1/courses", nil, { 'HTTP_AUTHORIZATION' => "Bearer #{@token.full_token}" }
assert_status(401)
response['WWW-Authenticate'].should == %{Bearer realm="canvas-lms"}
end
it "should require an active pseudonym for the access token user" do
@user.pseudonym.destroy
get "/api/v1/courses", nil, { 'Authorization' => "Bearer #{@token.full_token}" }
get "/api/v1/courses", nil, { 'HTTP_AUTHORIZATION' => "Bearer #{@token.full_token}" }
assert_status(401)
response['WWW-Authenticate'].should == %{Bearer realm="canvas-lms"}
json = JSON.parse(response.body)
@ -555,7 +555,7 @@ describe "API Authentication", type: :request do
end
LoadAccount.stubs(:default_domain_root_account).returns(@account)
check_used { get "/api/v1/courses", nil, { 'Authorization' => "Bearer #{@token.full_token}" } }
check_used { get "/api/v1/courses", nil, { 'HTTP_AUTHORIZATION' => "Bearer #{@token.full_token}" } }
JSON.parse(response.body).size.should == 1
end
end
@ -702,7 +702,7 @@ describe "API Authentication", type: :request do
it "should not prepend the CSRF protection to HTTP Basic API requests" do
user_with_pseudonym(:active_user => true, :username => 'test1@example.com', :password => 'test123')
get "/api/v1/users/self/profile", {}, { :authorization => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
get "/api/v1/users/self/profile", {}, { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test1@example.com', 'test123') }
response.should be_success
raw_json = response.body
raw_json.should_not match(%r{^while\(1\);})
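Review bot: Every rewritten request in this file (most densely in the first hunk, `@ -49,11 +49,11`) repeats the literal `{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(...) }`, and the same Rack env key appears again in the Bearer hunks; since the key is exactly what this commit had to change, hoisting it into one spec helper would make the next such migration a one-line edit. Something like `def basic_auth_headers(user, pass)` / `{ 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(user, pass) }` / `end`, plus a `bearer_auth_headers(token)` counterpart, would let each call read `get "/api/v1/courses.json", {}, basic_auth_headers('test1@example.com', 'test123')`. The `describe` block these hunks belong to starts and ends outside the visible hunks.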


@ -1030,11 +1030,15 @@ end
def enable_forgery_protection(enable = true)
old_value = ActionController::Base.allow_forgery_protection
ActionController::Base.stubs(:allow_forgery_protection).returns(enable)
ActionController::Base.any_instance.stubs(:allow_forgery_protection).returns(enable)
yield if block_given?
ensure
ActionController::Base.stubs(:allow_forgery_protection).returns(old_value) if block_given?
if block_given?
ActionController::Base.stubs(:allow_forgery_protection).returns(old_value)
ActionController::Base.any_instance.stubs(:allow_forgery_protection).returns(old_value)
end
end
def start_test_http_server(requests=1)
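Review bot: The pair of `stubs(:allow_forgery_protection).returns(...)` calls added to the body of `enable_forgery_protection` is repeated verbatim in the `ensure` branch with only the value changed, so the class-level and `any_instance` stubs can drift apart the next time one of them is touched; a small helper that applies both at once removes the duplication and gives a natural place to document why both are needed (per the commit message, the Rails 3 instance reader does not delegate to the class method). Note also that when no block is given the stubs are intentionally left in place, so the method relies on the mocking framework resetting them between examples — presumably true here, but worth a comment on the method. `start_test_http_server` begins on the hunk's last line and is not reviewed.
```ruby
def enable_forgery_protection(enable = true)
  old_value = ActionController::Base.allow_forgery_protection
  stub_forgery_protection(enable)
  yield if block_given?
ensure
  # without a block the stub is deliberately left in place for the example
  stub_forgery_protection(old_value) if block_given?
end

# Rails 3's instance-level reader does not chain to the class method, so the
# class and any_instance stubs must always be set together.
def stub_forgery_protection(value)
  ActionController::Base.stubs(:allow_forgery_protection).returns(value)
  ActionController::Base.any_instance.stubs(:allow_forgery_protection).returns(value)
end
```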