dumplingmiku/ubicloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
enes/e2e-mail
ubicloud/spec/routes/api/project/firewall_rule_spec.rb
Jeremy Evans 5b0738dfbc Remove old login-based API authentication 
This makes personal access token the only possible authentication for
the API.

For API requests without a personal access token, they get a specific
error that the credentials are missing.  I chose to use 401 for this,
because that seemed more appropriate than 400.

In the specs, `login_api` now takes no arguments.  It just sets to use
personal access tokens for requests.  This was chosen over removing the
method completely, because there are a significant number of specs that
want to test for unauthenticated access.  I'm not sure whether such
specs are actually useful, since they all hit the same condition at the
top of the main route block.  We should consider changing the specs in
the future to provide an access token that is valid, but does not grant
access to the objects, in order to test for specific authorization. We
already do this in some cases, but not in others.

With this change, the only error that Rodauth can generate for API
requests is for invalid credentials, so simplify the json_response_body
method, and generate the response body up front so we don't need to
generate it per-request.

Also remove /login from openapi.yml, as it is no longer valid.
2025-04-10 13:10:23 -07:00

98 lines
3.4 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
require_relative "../spec_helper"
RSpec.describe Clover, "firewall" do
let(:user) { create_account }
let(:project) { project_with_default_policy(user) }
let(:firewall) { Firewall.create_with_id(name: "default-firewall", location_id: Location::HETZNER_FSN1_ID, project_id: project.id) }
let(:firewall_rule) { FirewallRule.create_with_id(firewall_id: firewall.id, cidr: "0.0.0.0/0", port_range: Sequel.pg_range(80..5432)) }
describe "unauthenticated" do
it "not post" do
post "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule"
expect(last_response).to have_api_error(401, "must include personal access token in Authorization header")
end
it "not delete" do
delete "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule/#{firewall_rule.ubid}"
expect(last_response).to have_api_error(401, "must include personal access token in Authorization header")
end
it "not get" do
get "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule/#{firewall_rule.ubid}"
expect(last_response).to have_api_error(401, "must include personal access token in Authorization header")
end
end
describe "authenticated" do
before do
login_api
end
it "create firewall rule" do
post "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule", {
cidr: "0.0.0.0/0",
port_range: "100..101"
}.to_json
expect(last_response.status).to eq(200)
end
it "can not create same firewall rule" do
post "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule", {
cidr: firewall_rule.cidr,
port_range: "80..5432"
}.to_json
expect(last_response).to have_api_error(400, "cidr and port_range and firewall_id is already taken")
end
it "firewall rule no port range" do
post "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule", {
cidr: "0.0.0.0/1"
}.to_json
expect(last_response.status).to eq(200)
end
it "firewall rule single port" do
post "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule", {
cidr: "0.0.0.0/1",
port_range: "11111"
}.to_json
expect(last_response.status).to eq(200)
end
it "firewall rule delete" do
delete "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule/#{firewall_rule.ubid}"
expect(last_response.status).to eq(204)
end
it "firewall rule delete does not exist" do
delete "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule/fr000000000000000000000000"
expect(last_response.status).to eq(204)
end
it "success get firewall rule" do
get "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule/#{firewall_rule.ubid}"
expect(last_response.status).to eq(200)
end
it "get does not exist" do
get "/project/#{project.ubid}/location/#{TEST_LOCATION}/firewall/#{firewall.ubid}/firewall-rule/fr000000000000000000000000"
expect(last_response.content_type).to eq("application/json")
expect(last_response).to have_api_error(404)
end
end
end
Reference in New Issue View Git Blame Copy Permalink