dkam/clinch
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

StandardRB fixes
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Dan Milne
2026-01-01 13:29:44 +11:00
parent 7d3af2bcec
commit 93a0edb0a2
79 changed files with 779 additions and 786 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
test/application_system_test_case.rb
View File

@@ -1,5 +1,5 @@
require "test_helper"
class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
driven_by :selenium, using: :headless_chrome, screen_size: [ 1400, 1400 ]
driven_by :selenium, using: :headless_chrome, screen_size: [1400, 1400]
end

88
test/controllers/api/forward_auth_controller_test.rb
View File

@@ -13,7 +13,7 @@ module Api
# Authentication Tests
test "should redirect to login when no session cookie" do
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 302
assert_match %r{/signin}, response.location
@@ -23,7 +23,7 @@ module Api
test "should redirect when user is inactive" do
sign_in_as(@inactive_user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 302
assert_equal "User account is not active", response.headers["x-auth-reason"]
@@ -32,7 +32,7 @@ module Api
test "should return 200 when user is authenticated" do
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
end
@@ -41,7 +41,7 @@ module Api
test "should return 200 when matching rule exists" do
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
end
@@ -49,7 +49,7 @@ module Api
test "should return 403 when no rule matches (fail-closed security)" do
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "unknown.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "unknown.example.com"}
assert_response 403
assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
@@ -58,7 +58,7 @@ module Api
test "should return 403 when rule exists but is inactive" do
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "inactive.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "inactive.example.com"}
assert_response 403
assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
@@ -68,7 +68,7 @@ module Api
@rule.allowed_groups << @group
sign_in_as(@user) # User not in group
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 403
assert_match %r{permission to access this domain}, response.headers["x-auth-reason"]
@@ -79,35 +79,35 @@ module Api
@user.groups << @group
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
end
# Domain Pattern Tests
test "should match wildcard domains correctly" do
wildcard_rule = Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "app.example.com"}
assert_response 200
get "/api/verify", headers: { "X-Forwarded-Host" => "api.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "api.example.com"}
assert_response 200
get "/api/verify", headers: { "X-Forwarded-Host" => "other.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "other.com"}
assert_response 403 # No rule configured - fail-closed
assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
end
test "should match exact domains correctly" do
exact_rule = Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "api.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "api.example.com"}
assert_response 200
get "/api/verify", headers: { "X-Forwarded-Host" => "app.api.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "app.api.example.com"}
assert_response 403 # No rule configured - fail-closed
assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
end
@@ -116,7 +116,7 @@ module Api
test "should return default headers when rule has no custom config" do
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
@@ -126,7 +126,7 @@ module Api
end
test "should return custom headers when configured" do
custom_rule = Application.create!(
Application.create!(
name: "Custom App",
slug: "custom-app",
app_type: "forward_auth",
@@ -140,7 +140,7 @@ module Api
)
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "custom.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "custom.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-webauth-user"]
@@ -151,17 +151,17 @@ module Api
end
test "should return no headers when all headers disabled" do
no_headers_rule = Application.create!(
Application.create!(
name: "No Headers App",
slug: "no-headers-app",
app_type: "forward_auth",
domain_pattern: "noheaders.example.com",
active: true,
headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
headers_config: {user: "", email: "", name: "", groups: "", admin: ""}
)
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "noheaders.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "noheaders.example.com"}
assert_response 200
# Check that auth-specific headers are not present (exclude Rails security headers)
@@ -173,7 +173,7 @@ module Api
@user.groups << @group
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
groups_header = response.headers["x-remote-groups"]
@@ -186,7 +186,7 @@ module Api
@user.groups.clear # Remove fixture groups
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
assert_nil response.headers["x-remote-groups"]
@@ -195,7 +195,7 @@ module Api
test "should include admin header correctly" do
sign_in_as(@admin_user) # Assuming users(:two) is admin
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
assert_equal "true", response.headers["x-remote-admin"]
@@ -207,7 +207,7 @@ module Api
@user.groups << group2
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
groups_header = response.headers["x-remote-groups"]
@@ -219,7 +219,7 @@ module Api
test "should fall back to Host header when X-Forwarded-Host is missing" do
sign_in_as(@user)
get "/api/verify", headers: { "Host" => "test.example.com" }
get "/api/verify", headers: {"Host" => "test.example.com"}
assert_response 200
end
@@ -239,7 +239,7 @@ module Api
long_domain = "a" * 250 + ".example.com"
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => long_domain }
get "/api/verify", headers: {"X-Forwarded-Host" => long_domain}
assert_response 403 # No rule configured - fail-closed
assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
@@ -248,7 +248,7 @@ module Api
test "should handle case insensitive domain matching" do
sign_in_as(@user)
get "/api/verify", headers: { "X-Forwarded-Host" => "TEST.Example.COM" }
get "/api/verify", headers: {"X-Forwarded-Host" => "TEST.Example.COM"}
assert_response 200
end
@@ -262,7 +262,7 @@ module Api
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"X-Forwarded-Uri" => "/admin"
}, params: { rd: evil_url }
}, params: {rd: evil_url}
assert_response 302
assert_match %r{/signin}, response.location
@@ -292,8 +292,8 @@ module Api
# This should be allowed (domain has ForwardAuthRule)
allowed_url = "https://test.example.com/dashboard"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: allowed_url }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"},
params: {rd: allowed_url}
assert_response 302
assert_match allowed_url, response.location
@@ -305,8 +305,8 @@ module Api
# This should be rejected (no ForwardAuthRule for evil-site.com)
evil_url = "https://evil-site.com/steal-credentials"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: evil_url }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"},
params: {rd: evil_url}
assert_response 302
# Should redirect to login page or default URL, NOT to evil_url
@@ -320,8 +320,8 @@ module Api
# This should be rejected (HTTP not HTTPS)
http_url = "http://test.example.com/dashboard"
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: http_url }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"},
params: {rd: http_url}
assert_response 302
# Should redirect to login page or default URL, NOT to HTTP URL
@@ -340,8 +340,8 @@ module Api
]
dangerous_schemes.each do |dangerous_url|
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
params: { rd: dangerous_url }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"},
params: {rd: dangerous_url}
assert_response 302, "Should reject dangerous URL: #{dangerous_url}"
# Should redirect to login page or default URL, NOT to dangerous URL
@@ -355,7 +355,7 @@ module Api
sign_in_as(@user)
# Authenticated GET requests should return 200
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
end
@@ -461,11 +461,11 @@ module Api
sign_in_as(@user)
# First request
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
# Second request with same session
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
# Should maintain user identity across requests
@@ -481,8 +481,8 @@ module Api
5.times do |i|
threads << Thread.new do
get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
results << { status: response.status }
get "/api/verify", headers: {"X-Forwarded-Host" => "app#{i}.example.com"}
results << {status: response.status}
end
end
@@ -524,7 +524,7 @@ module Api
request_count = 10
request_count.times do |i|
get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "app#{i}.example.com"}
assert_response 403 # No rules configured for these domains
end
@@ -535,4 +535,4 @@ module Api
assert average_time < 0.1, "Average request time too slow: #{average_time}s"
end
end
end
end

10
test/controllers/concerns/authentication_test.rb
View File

@@ -10,10 +10,14 @@ class AuthenticationTest < ActiveSupport::TestCase
return nil if host.blank? || host.match?(/^(localhost|127\.0\.0\.1|::1)$/)
# Strip port number for domain parsing
host_without_port = host.split(':').first
host_without_port = host.split(":").first
# Check if it's an IP address (IPv4 or IPv6) - if so, don't set domain cookie
return nil if IPAddr.new(host_without_port) rescue false
begin
return nil if IPAddr.new(host_without_port)
rescue
false
end
# Use Public Suffix List for accurate domain parsing
domain = PublicSuffix.parse(host_without_port)
@@ -214,4 +218,4 @@ class AuthenticationTest < ActiveSupport::TestCase
assert_equal domain, extract_root_domain("api.example.com")
assert_equal domain, extract_root_domain("sub.example.com")
end
end
end

12
test/controllers/input_validation_test.rb
View File

@@ -31,7 +31,7 @@ class InputValidationTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "xss_test@example.com", password: "password123", name: xss_payload)
# Sign in
post signin_path, params: { email_address: "xss_test@example.com", password: "password123" }
post signin_path, params: {email_address: "xss_test@example.com", password: "password123"}
assert_response :redirect
# Get a page that displays user name
@@ -59,7 +59,7 @@ class InputValidationTest < ActionDispatch::IntegrationTest
)
# Sign in
post signin_path, params: { email_address: "oauth_tamper_test@example.com", password: "password123" }
post signin_path, params: {email_address: "oauth_tamper_test@example.com", password: "password123"}
assert_response :redirect
# Try to tamper with OAuth authorization parameters
@@ -112,7 +112,7 @@ class InputValidationTest < ActionDispatch::IntegrationTest
test "JSON input validation prevents malicious payloads" do
# Try to send malformed JSON
post "/oauth/token", params: '{"grant_type":"authorization_code",}'.to_json,
headers: { "CONTENT_TYPE" => "application/json" }
headers: {"CONTENT_TYPE" => "application/json"}
# Should handle malformed JSON gracefully
assert_includes [400, 422], response.status
@@ -124,9 +124,9 @@ class InputValidationTest < ActionDispatch::IntegrationTest
grant_type: "authorization_code",
code: "test_code",
redirect_uri: "http://localhost:4000/callback",
nested: { __proto__: "tampered", constructor: { prototype: "tampered" } }
nested: {__proto__: "tampered", constructor: {prototype: "tampered"}}
}.to_json,
headers: { "CONTENT_TYPE" => "application/json" }
headers: {"CONTENT_TYPE" => "application/json"}
# Should sanitize or reject prototype pollution attempts
# The request should be handled (either accept or reject, not crash)
@@ -165,7 +165,7 @@ class InputValidationTest < ActionDispatch::IntegrationTest
malicious_paths.each do |malicious_path|
# Try to access files with path traversal
get root_path, params: { file: malicious_path }
get root_path, params: {file: malicious_path}
# Should prevent access to files outside public directory
assert_response :redirect, "Should reject path traversal attempt"

4
test/controllers/invitations_controller_test.rb
View File

@@ -100,7 +100,7 @@ class InvitationsControllerTest < ActionDispatch::IntegrationTest
test "should destroy existing sessions when accepting invitation" do
# Create an existing session for the user
existing_session = @user.sessions.create!
@user.sessions.create!
put invitation_path(@token), params: {
password: "newpassword123",
@@ -145,4 +145,4 @@ class InvitationsControllerTest < ActionDispatch::IntegrationTest
get invitation_path(@token)
assert_response :success
end
end
end

40
test/controllers/oidc_authorization_code_security_test.rb
View File

@@ -35,7 +35,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "prevents authorization code reuse - sequential attempts" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -81,7 +81,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "revokes existing tokens when authorization code is reused" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -135,7 +135,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects already used authorization code" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -171,7 +171,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects expired authorization code" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -206,7 +206,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects authorization code with mismatched redirect_uri" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -256,7 +256,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects authorization code for different application" do
# Create consent for the first application
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -308,7 +308,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects invalid client_id in Basic auth" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -341,7 +341,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects invalid client_secret in Basic auth" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -374,7 +374,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "accepts client credentials in POST body" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -408,7 +408,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects request with no client authentication" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -474,7 +474,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "client authentication uses constant-time comparison" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -546,7 +546,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
)
# Sign in first
post signin_path, params: { email_address: "security_test@example.com", password: "password123" }
post signin_path, params: {email_address: "security_test@example.com", password: "password123"}
# Test authorization with state parameter
get "/oauth/authorize", params: {
@@ -573,7 +573,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
)
# Sign in first
post signin_path, params: { email_address: "security_test@example.com", password: "password123" }
post signin_path, params: {email_address: "security_test@example.com", password: "password123"}
# Test authorization without state parameter
get "/oauth/authorize", params: {
@@ -593,7 +593,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "nonce parameter is included in ID token" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -637,7 +637,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "access tokens are not exposed in referer header" do
# Create consent and authorization code
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -664,7 +664,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
assert_response :success
response_body = JSON.parse(@response.body)
access_token = response_body["access_token"]
response_body["access_token"]
# Verify token is not in response headers (especially Referer)
assert_nil response.headers["Referer"], "Access token should not leak in Referer header"
@@ -677,7 +677,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "PKCE code_verifier is required when code_challenge was provided" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -716,7 +716,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "PKCE with S256 method validates correctly" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -755,7 +755,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "PKCE rejects invalid code_verifier" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -798,7 +798,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "refresh token rotation is enforced" do
# Create consent for the refresh token endpoint
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",

11
test/controllers/oidc_pkce_controller_test.rb
View File

@@ -38,7 +38,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
end
test "authorization endpoint accepts PKCE parameters (S256)" do
code_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
code_challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
auth_params = {
@@ -56,7 +55,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
# Should show consent page (user is already authenticated)
assert_response :success
assert_match /consent/, @response.body.downcase
assert_match(/consent/, @response.body.downcase)
end
test "authorization endpoint accepts PKCE parameters (plain)" do
@@ -77,7 +76,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
# Should show consent page (user is already authenticated)
assert_response :success
assert_match /consent/, @response.body.downcase
assert_match(/consent/, @response.body.downcase)
end
test "authorization endpoint rejects invalid code_challenge_method" do
@@ -478,7 +477,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
assert_response :bad_request
error = JSON.parse(@response.body)
assert_equal "invalid_request", error["error"]
assert_match /PKCE is required for public clients/, error["error_description"]
assert_match(/PKCE is required for public clients/, error["error_description"])
# Cleanup
OidcRefreshToken.where(application: public_app).delete_all
@@ -525,7 +524,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
assert_response :bad_request
error = JSON.parse(@response.body)
assert_equal "invalid_request", error["error"]
assert_match /PKCE is required/, error["error_description"]
assert_match(/PKCE is required/, error["error_description"])
end
# ====================
@@ -697,4 +696,4 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
expected_hash = Base64.urlsafe_encode64(Digest::SHA256.digest(access_token)[0..15], padding: false)
assert_equal expected_hash, decoded["at_hash"], "at_hash should match SHA-256 hash of access token"
end
end
end

17
test/controllers/passwords_controller_test.rb
View File

@@ -9,8 +9,8 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
end
test "create" do
post passwords_path, params: { email_address: @user.email_address }
assert_enqueued_email_with PasswordsMailer, :reset, args: [ @user ]
post passwords_path, params: {email_address: @user.email_address}
assert_enqueued_email_with PasswordsMailer, :reset, args: [@user]
assert_redirected_to signin_path
follow_redirect!
@@ -18,7 +18,7 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
end
test "create for an unknown user redirects but sends no mail" do
post passwords_path, params: { email_address: "missing-user@example.com" }
post passwords_path, params: {email_address: "missing-user@example.com"}
assert_enqueued_emails 0
assert_redirected_to signin_path
@@ -41,7 +41,7 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
test "update" do
assert_changes -> { @user.reload.password_digest } do
put password_path(@user.generate_token_for(:password_reset)), params: { password: "newpassword", password_confirmation: "newpassword" }
put password_path(@user.generate_token_for(:password_reset)), params: {password: "newpassword", password_confirmation: "newpassword"}
assert_redirected_to signin_path
end
@@ -52,7 +52,7 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
test "update with non matching passwords" do
token = @user.password_reset_token
assert_no_changes -> { @user.reload.password_digest } do
put password_path(token), params: { password: "no", password_confirmation: "match" }
put password_path(token), params: {password: "no", password_confirmation: "match"}
assert_redirected_to edit_password_path(token)
end
@@ -61,7 +61,8 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
end
private
def assert_notice(text)
assert_select "div", /#{text}/
end
def assert_notice(text)
assert_select "div", /#{text}/
end
end

4
test/controllers/sessions_controller_test.rb
View File

@@ -9,14 +9,14 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
end
test "create with valid credentials" do
post session_path, params: { email_address: @user.email_address, password: "password" }
post session_path, params: {email_address: @user.email_address, password: "password"}
assert_redirected_to root_path
assert cookies[:session_id]
end
test "create with invalid credentials" do
post session_path, params: { email_address: @user.email_address, password: "wrong" }
post session_path, params: {email_address: @user.email_address, password: "wrong"}
assert_redirected_to signin_path
assert_nil cookies[:session_id]

36
test/controllers/totp_security_test.rb
View File

@@ -14,11 +14,11 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
valid_code = totp.now
# Set up pending TOTP session
post signin_path, params: { email_address: "totp_replay_test@example.com", password: "password123" }
post signin_path, params: {email_address: "totp_replay_test@example.com", password: "password123"}
assert_redirected_to totp_verification_path
# First use of the code should succeed
post totp_verification_path, params: { code: valid_code }
post totp_verification_path, params: {code: valid_code}
assert_response :redirect
assert_redirected_to root_path
@@ -50,12 +50,12 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
original_codes = user.reload.backup_codes
# Set up pending TOTP session
post signin_path, params: { email_address: "backup_code_test@example.com", password: "password123" }
post signin_path, params: {email_address: "backup_code_test@example.com", password: "password123"}
assert_redirected_to totp_verification_path
# Use a backup code
backup_code = backup_codes.first
post totp_verification_path, params: { code: backup_code }
post totp_verification_path, params: {code: backup_code}
# Should successfully sign in
assert_response :redirect
@@ -70,11 +70,11 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
assert_response :redirect
# Sign in again
post signin_path, params: { email_address: "backup_code_test@example.com", password: "password123" }
post signin_path, params: {email_address: "backup_code_test@example.com", password: "password123"}
assert_redirected_to totp_verification_path
# Try the same backup code
post totp_verification_path, params: { code: backup_code }
post totp_verification_path, params: {code: backup_code}
# Should fail - backup code already used
assert_response :redirect
@@ -91,13 +91,13 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
# Generate backup codes
user.totp_secret = ROTP::Base32.random
backup_codes = user.send(:generate_backup_codes) # Call private method
user.send(:generate_backup_codes) # Call private method
user.save!
# Check that stored codes are BCrypt hashes (start with $2a$)
# backup_codes is already an Array (JSON column), no need to parse
user.backup_codes.each do |code|
assert_match /^\$2[aby]\$/, code, "Backup codes should be BCrypt hashed"
assert_match(/^\$2[aby]\$/, code, "Backup codes should be BCrypt hashed")
end
user.destroy
@@ -116,7 +116,7 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
user.save!
# Set up pending TOTP session
post signin_path, params: { email_address: "totp_time_test@example.com", password: "password123" }
post signin_path, params: {email_address: "totp_time_test@example.com", password: "password123"}
assert_redirected_to totp_verification_path
# Generate a TOTP code for a time far in the future (outside valid window)
@@ -124,7 +124,7 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
future_code = totp.at(Time.now.to_i + 300) # 5 minutes in the future
# Try to use the future code
post totp_verification_path, params: { code: future_code }
post totp_verification_path, params: {code: future_code}
# Should fail - code is outside valid time window
assert_response :redirect
@@ -145,16 +145,16 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
# Verify the TOTP secret exists (sanity check)
assert user.totp_secret.present?
totp_secret = user.totp_secret
user.totp_secret
# Sign in with TOTP
post signin_path, params: { email_address: "totp_secret_test@example.com", password: "password123" }
post signin_path, params: {email_address: "totp_secret_test@example.com", password: "password123"}
assert_redirected_to totp_verification_path
# Complete TOTP verification
totp = ROTP::TOTP.new(user.totp_secret)
valid_code = totp.now
post totp_verification_path, params: { code: valid_code }
post totp_verification_path, params: {code: valid_code}
assert_response :redirect
# The TOTP secret should never be exposed in the response body or headers
@@ -210,7 +210,7 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
user.update!(totp_required: true, totp_secret: nil)
# Sign in
post signin_path, params: { email_address: "totp_setup_test@example.com", password: "password123" }
post signin_path, params: {email_address: "totp_setup_test@example.com", password: "password123"}
# Should redirect to TOTP setup, not verification
assert_response :redirect
@@ -232,7 +232,7 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
user.save!
# Set up pending TOTP session
post signin_path, params: { email_address: "totp_format_test@example.com", password: "password123" }
post signin_path, params: {email_address: "totp_format_test@example.com", password: "password123"}
assert_redirected_to totp_verification_path
# Try invalid formats
@@ -245,7 +245,7 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
]
invalid_codes.each do |invalid_code|
post totp_verification_path, params: { code: invalid_code }
post totp_verification_path, params: {code: invalid_code}
assert_response :redirect
assert_redirected_to totp_verification_path
end
@@ -266,11 +266,11 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
user.save!
# Sign in
post signin_path, params: { email_address: "totp_recovery_test@example.com", password: "password123" }
post signin_path, params: {email_address: "totp_recovery_test@example.com", password: "password123"}
assert_redirected_to totp_verification_path
# Use backup code instead of TOTP
post totp_verification_path, params: { code: backup_codes.first }
post totp_verification_path, params: {code: backup_codes.first}
# Should successfully sign in
assert_response :redirect

71
test/integration/forward_auth_integration_test.rb
View File

@@ -20,27 +20,27 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
# Basic Authentication Flow Tests
test "complete authentication flow: unauthenticated to authenticated" do
# Step 1: Unauthenticated request should redirect
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 302
assert_match %r{/signin}, response.location
assert_equal "No session cookie", response.headers["x-auth-reason"]
# Step 2: Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
# Signin now redirects back with fa_token parameter
assert_match(/\?fa_token=/, response.location)
assert cookies[:session_id]
# Step 3: Authenticated request should succeed
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
end
test "session expiration handling" do
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
# Manually expire the session (get the most recent session for this user)
session = Session.where(user: @user).order(created_at: :desc).first
@@ -48,7 +48,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
session.update!(expires_at: 1.hour.ago)
# Request should fail and redirect to login
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 302
assert_equal "Session expired", response.headers["x-auth-reason"]
end
@@ -56,24 +56,24 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
# Domain and Rule Integration Tests
test "different domain patterns with same session" do
# Create test rules
wildcard_rule = Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
exact_rule = Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
# Test wildcard domain
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "app.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
# Test exact domain
get "/api/verify", headers: { "X-Forwarded-Host" => "api.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "api.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
# Test non-matching domain (should use defaults)
get "/api/verify", headers: { "X-Forwarded-Host" => "other.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "other.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
end
@@ -84,10 +84,10 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
restricted_rule.allowed_groups << @group
# Sign in user without group
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
# Should be denied access
get "/api/verify", headers: { "X-Forwarded-Host" => "restricted.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "restricted.example.com"}
assert_response 403
assert_match %r{permission to access this domain}, response.headers["x-auth-reason"]
@@ -95,7 +95,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
@user.groups << @group
# Should now be allowed
get "/api/verify", headers: { "X-Forwarded-Host" => "restricted.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "restricted.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
end
@@ -103,18 +103,18 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
# Header Configuration Integration Tests
test "different header configurations with same user" do
# Create applications with different configs
default_rule = Application.create!(name: "Default App", slug: "default-app", app_type: "forward_auth", domain_pattern: "default.example.com", active: true)
custom_rule = Application.create!(
Application.create!(name: "Default App", slug: "default-app", app_type: "forward_auth", domain_pattern: "default.example.com", active: true)
Application.create!(
name: "Custom App", slug: "custom-app", app_type: "forward_auth",
domain_pattern: "custom.example.com",
active: true,
headers_config: { user: "X-WEBAUTH-USER", groups: "X-WEBAUTH-ROLES" }
headers_config: {user: "X-WEBAUTH-USER", groups: "X-WEBAUTH-ROLES"}
)
no_headers_rule = Application.create!(
Application.create!(
name: "No Headers App", slug: "no-headers-app", app_type: "forward_auth",
domain_pattern: "noheaders.example.com",
active: true,
headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
headers_config: {user: "", email: "", name: "", groups: "", admin: ""}
)
# Add user to groups
@@ -122,10 +122,10 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
@user.groups << @group2
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
# Test default headers
get "/api/verify", headers: { "X-Forwarded-Host" => "default.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "default.example.com"}
assert_response 200
# Rails normalizes header keys to lowercase
assert_equal @user.email_address, response.headers["x-remote-user"]
@@ -133,7 +133,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
assert_equal "Group Two,Group One", response.headers["x-remote-groups"]
# Test custom headers
get "/api/verify", headers: { "X-Forwarded-Host" => "custom.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "custom.example.com"}
assert_response 200
# Custom headers are also normalized to lowercase
assert_equal @user.email_address, response.headers["x-webauth-user"]
@@ -141,7 +141,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
assert_equal "Group Two,Group One", response.headers["x-webauth-roles"]
# Test no headers
get "/api/verify", headers: { "X-Forwarded-Host" => "noheaders.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "noheaders.example.com"}
assert_response 200
# Check that no auth-related headers are present (excluding security headers)
auth_headers = response.headers.select { |k, v| k.match?(/^x-remote-|^x-webauth-|^x-admin-/i) }
@@ -174,7 +174,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
get "/api/verify", headers: {
"X-Forwarded-Host" => "app.example.com",
"X-Forwarded-Uri" => "/admin"
}, params: { rd: "https://app.example.com/admin" }
}, params: {rd: "https://app.example.com/admin"}
assert_response 302
location = response.location
@@ -194,16 +194,16 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
admin_user = users(:two)
# Create restricted rule
admin_rule = Application.create!(
Application.create!(
name: "Admin App", slug: "admin-app", app_type: "forward_auth",
domain_pattern: "admin.example.com",
active: true,
headers_config: { user: "X-Admin-User", admin: "X-Admin-Flag" }
headers_config: {user: "X-Admin-User", admin: "X-Admin-Flag"}
)
# Test regular user
post "/signin", params: { email_address: regular_user.email_address, password: "password" }
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
post "/signin", params: {email_address: regular_user.email_address, password: "password"}
get "/api/verify", headers: {"X-Forwarded-Host" => "admin.example.com"}
assert_response 200
assert_equal regular_user.email_address, response.headers["x-admin-user"]
@@ -211,8 +211,8 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
delete "/session"
# Test admin user
post "/signin", params: { email_address: admin_user.email_address, password: "password" }
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
post "/signin", params: {email_address: admin_user.email_address, password: "password"}
get "/api/verify", headers: {"X-Forwarded-Host" => "admin.example.com"}
assert_response 200
assert_equal admin_user.email_address, response.headers["x-admin-user"]
assert_equal "true", response.headers["x-admin-flag"]
@@ -221,10 +221,10 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
# Security Integration Tests
test "session hijacking prevention" do
# User A signs in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
# Verify User A can access protected resources
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
user_a_session_id = Session.where(user: @user).last.id
@@ -233,10 +233,10 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
reset!
# User B signs in (creates a new session)
post "/signin", params: { email_address: @admin_user.email_address, password: "password" }
post "/signin", params: {email_address: @admin_user.email_address, password: "password"}
# Verify User B can access protected resources
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
assert_equal @admin_user.email_address, response.headers["x-remote-user"]
user_b_session_id = Session.where(user: @admin_user).last.id
@@ -245,5 +245,4 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
assert Session.exists?(user_a_session_id), "User A's session should still exist"
assert Session.exists?(user_b_session_id), "User B's session should still exist"
end
end
end

4
test/integration/invitation_flow_test.rb
View File

@@ -94,7 +94,7 @@ class InvitationFlowTest < ActionDispatch::IntegrationTest
end
test "expired invitation token flow" do
user = User.create!(
User.create!(
email_address: "expired@example.com",
password: "temppassword",
status: :pending_invitation
@@ -178,4 +178,4 @@ class InvitationFlowTest < ActionDispatch::IntegrationTest
assert_not_equal old_session1.id, user.sessions.first.id
assert_not_equal old_session2.id, user.sessions.first.id
end
end
end

26
test/integration/session_security_test.rb
View File

@@ -9,7 +9,7 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "session_test@example.com", password: "password123")
# Sign in
post signin_path, params: { email_address: "session_test@example.com", password: "password123" }
post signin_path, params: {email_address: "session_test@example.com", password: "password123"}
assert_response :redirect
follow_redirect!
assert_response :success
@@ -75,7 +75,7 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "session_fixation_test@example.com", password: "password123")
# Sign in creates a new session
post signin_path, params: { email_address: "session_fixation_test@example.com", password: "password123" }
post signin_path, params: {email_address: "session_fixation_test@example.com", password: "password123"}
assert_response :redirect
# User should be authenticated after sign in
@@ -92,21 +92,21 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "concurrent_session_test@example.com", password: "password123")
# Create multiple sessions from different devices
session1 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.1",
user_agent: "Mozilla/5.0 (Windows)",
device_name: "Windows PC",
last_activity_at: Time.current
)
session2 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.2",
user_agent: "Mozilla/5.0 (iPhone)",
device_name: "iPhone",
last_activity_at: Time.current
)
session3 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.3",
user_agent: "Mozilla/5.0 (Macintosh)",
device_name: "MacBook",
@@ -157,14 +157,14 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "logout_test@example.com", password: "password123")
# Create multiple sessions
session1 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.1",
user_agent: "Mozilla/5.0 (Windows)",
device_name: "Windows PC",
last_activity_at: Time.current
)
session2 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.2",
user_agent: "Mozilla/5.0 (iPhone)",
device_name: "iPhone",
@@ -172,7 +172,7 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
)
# Sign in (creates a new session via the sign-in flow)
post signin_path, params: { email_address: "logout_test@example.com", password: "password123" }
post signin_path, params: {email_address: "logout_test@example.com", password: "password123"}
assert_response :redirect
# Should have 3 sessions now
@@ -204,7 +204,7 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
)
# Create consent with backchannel logout enabled
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: user,
application: application,
scopes_granted: "openid profile",
@@ -212,7 +212,7 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
)
# Sign in
post signin_path, params: { email_address: "logout_notification_test@example.com", password: "password123" }
post signin_path, params: {email_address: "logout_notification_test@example.com", password: "password123"}
assert_response :redirect
# Sign out
@@ -237,8 +237,8 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "hijacking_test@example.com", password: "password123")
# Sign in
post signin_path, params: { email_address: "hijacking_test@example.com", password: "password123" },
headers: { "HTTP_USER_AGENT" => "TestBrowser/1.0" }
post signin_path, params: {email_address: "hijacking_test@example.com", password: "password123"},
headers: {"HTTP_USER_AGENT" => "TestBrowser/1.0"}
assert_response :redirect
# Check that session includes IP and user agent
@@ -295,7 +295,7 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
# Test forward auth endpoint with valid session
get api_verify_path(rd: "https://test.example.com/protected"),
headers: { cookie: "_session_id=#{user_session.id}" }
headers: {cookie: "_session_id=#{user_session.id}"}
# Should accept the request and redirect back
assert_response :redirect

6
test/integration/webauthn_credential_enumeration_test.rb
View File

@@ -10,7 +10,7 @@ class WebauthnCredentialEnumerationTest < ActionDispatch::IntegrationTest
user2 = User.create!(email_address: "user2@example.com", password: "password123")
# Create a credential for user1
credential1 = user1.webauthn_credentials.create!(
user1.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("user1_credential"),
public_key: Base64.urlsafe_encode64("public_key_1"),
sign_count: 0,
@@ -28,7 +28,7 @@ class WebauthnCredentialEnumerationTest < ActionDispatch::IntegrationTest
)
# Sign in as user1
post signin_path, params: { email_address: "user1@example.com", password: "password123" }
post signin_path, params: {email_address: "user1@example.com", password: "password123"}
assert_response :redirect
follow_redirect!
@@ -66,7 +66,7 @@ class WebauthnCredentialEnumerationTest < ActionDispatch::IntegrationTest
)
# Sign in
post signin_path, params: { email_address: "user@example.com", password: "password123" }
post signin_path, params: {email_address: "user@example.com", password: "password123"}
assert_response :redirect
follow_redirect!

6
test/jobs/application_job_test.rb
View File

@@ -37,7 +37,7 @@ class ApplicationJobTest < ActiveJob::TestCase
end
assert_enqueued_jobs 1 do
test_job.perform_later("arg1", "arg2", { "key" => "value" })
test_job.perform_later("arg1", "arg2", {"key" => "value"})
end
# ActiveJob serializes all hash keys as strings
@@ -77,7 +77,7 @@ class ApplicationJobTest < ActiveJob::TestCase
args = enqueued_jobs.last[:args]
if args.is_a?(Array) && args.first.is_a?(Hash)
# GlobalID serialization format
assert_equal user.to_global_id.to_s, args.first['_aj_globalid']
assert_equal user.to_global_id.to_s, args.first["_aj_globalid"]
else
# Direct object serialization
assert_equal user.id, args.first.id
@@ -90,4 +90,4 @@ class ApplicationJobTest < ActiveJob::TestCase
assert_respond_to ApplicationJob, :retry_on
assert_respond_to ApplicationJob, :discard_on
end
end
end

2
test/jobs/invitations_mailer_test.rb
View File

@@ -118,4 +118,4 @@ class InvitationsMailerTest < ActionMailer::TestCase
assert_includes email.content_type, "multipart"
assert email.html_part || email.text_part, "Should have html or text part"
end
end
end

4
test/jobs/passwords_mailer_test.rb
View File

@@ -166,7 +166,7 @@ class PasswordsMailerTest < ActionMailer::TestCase
# Should not include sensitive data in headers (except Subject which legitimately mentions password)
email.header.fields.each do |field|
next if field.name =~ /^subject$/i
next if /^subject$/i.match?(field.name)
# Check for actual tokens (not just the word "token" which is common in emails)
refute_includes field.value.to_s.downcase, "password"
end
@@ -197,4 +197,4 @@ class PasswordsMailerTest < ActionMailer::TestCase
assert_equal [email_address], email.to
end
end
end
end

12
test/models/application_user_claim_test.rb
View File

@@ -10,7 +10,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "role": "admin" }
custom_claims: {role: "admin"}
)
assert claim.valid?
assert claim.save
@@ -20,13 +20,13 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
ApplicationUserClaim.create!(
user: @user,
application: @application,
custom_claims: { "role": "admin" }
custom_claims: {role: "admin"}
)
duplicate = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "role": "user" }
custom_claims: {role: "user"}
)
assert_not duplicate.valid?
@@ -37,7 +37,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "role": "admin", "level": 5 }
custom_claims: {role: "admin", level: 5}
)
parsed = claim.parsed_custom_claims
@@ -59,7 +59,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "groups": ["admin"], "role": "user" }
custom_claims: {groups: ["admin"], role: "user"}
)
assert_not claim.valid?
@@ -70,7 +70,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "kavita_groups": ["admin"], "role": "user" }
custom_claims: {kavita_groups: ["admin"], role: "user"}
)
assert claim.valid?

8
test/models/oidc_access_token_test.rb
View File

@@ -27,7 +27,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
assert_nil new_token.plaintext_token
assert new_token.save
assert_not_nil new_token.plaintext_token
assert_match /^[A-Za-z0-9_-]+$/, new_token.plaintext_token
assert_match(/^[A-Za-z0-9_-]+$/, new_token.plaintext_token)
end
test "should set expiry before validation on create" do
@@ -144,7 +144,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
# All tokens should match the expected pattern
tokens.each do |token|
assert_match /^[A-Za-z0-9_-]+$/, token
assert_match(/^[A-Za-z0-9_-]+$/, token)
# Base64 token length may vary due to padding, just ensure it's reasonable
assert token.length >= 43, "Token should be at least 43 characters"
assert token.length <= 64, "Token should not exceed 64 characters"
@@ -164,7 +164,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
)
assert access_token.plaintext_token.length > auth_code.plaintext_code.length,
"Access tokens should be longer than authorization codes"
"Access tokens should be longer than authorization codes"
end
test "should have appropriate expiry times" do
@@ -181,7 +181,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
# Authorization codes expire in 10 minutes, access tokens in 1 hour
assert access_token.expires_at > auth_code.expires_at,
"Access tokens should have longer expiry than authorization codes"
"Access tokens should have longer expiry than authorization codes"
end
test "revoked tokens should not appear in valid scope" do

4
test/models/oidc_authorization_code_test.rb
View File

@@ -28,7 +28,7 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
assert_nil new_code.code_hmac
assert new_code.save
assert_not_nil new_code.code_hmac
assert_match /^[a-f0-9]{64}$/, new_code.code_hmac # SHA256 hex digest
assert_match(/^[a-f0-9]{64}$/, new_code.code_hmac) # SHA256 hex digest
end
test "should set expiry before validation on create" do
@@ -186,7 +186,7 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
# All codes should be SHA256 hex digests
codes.each do |code|
assert_match /^[a-f0-9]{64}$/, code
assert_match(/^[a-f0-9]{64}$/, code)
assert_equal 64, code.length # SHA256 hex digest
end
end

2
test/models/oidc_user_consent_test.rb
View File

@@ -218,7 +218,7 @@ class OidcUserConsentTest < ActiveSupport::TestCase
# Application requests more than granted
assert_not @consent.covers_scopes?(["openid", "profile", "groups"]),
"Should not cover scopes not granted"
"Should not cover scopes not granted"
# Application requests subset
assert @consent.covers_scopes?(["email"]), "Should cover subset of granted scopes"

2
test/models/pkce_authorization_code_test.rb
View File

@@ -165,4 +165,4 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
# Should be valid even without code_challenge
assert auth_code.valid?
end
end
end

6
test/models/user_password_management_test.rb
View File

@@ -73,7 +73,7 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
assert_not authenticated_user.authenticate("WrongPassword"), "Should not authenticate with wrong password"
# Test password changes invalidate old sessions
old_password_digest = @user.password_digest
@user.password_digest
@user.password = "NewPassword123!"
@user.save!
@@ -102,7 +102,7 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
assert new_user.password_digest.length > 50, "Password digest should be substantial"
# Test digest format (bcrypt hashes start with $2a$)
assert_match /^\$2a\$/, new_user.password_digest, "Password digest should be bcrypt format"
assert_match(/^\$2a\$/, new_user.password_digest, "Password digest should be bcrypt format")
# Test authentication against digest
authenticated_user = User.find(new_user.id)
@@ -250,4 +250,4 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
assert_not_nil @user.last_sign_in_at, "last_sign_in_at should be set after update"
assert @user.last_sign_in_at > 1.minute.ago, "last_sign_in_at should be recent"
end
end
end

6
test/models/user_test.rb
View File

@@ -33,7 +33,7 @@ class UserTest < ActiveSupport::TestCase
end
test "does not find user with invalid invitation token" do
user = User.create!(
User.create!(
email_address: "test@example.com",
password: "password123",
status: :pending_invitation
@@ -222,7 +222,7 @@ class UserTest < ActiveSupport::TestCase
# Should store 10 BCrypt hashes
assert_equal 10, stored_hashes.length
stored_hashes.each do |hash|
assert hash.start_with?('$2a$'), "Should be BCrypt hash"
assert hash.start_with?("$2a$"), "Should be BCrypt hash"
end
# Verify each plain code matches its corresponding hash
@@ -298,7 +298,7 @@ class UserTest < ActiveSupport::TestCase
# Make 5 failed attempts to trigger rate limit
5.times do |i|
result = user.verify_backup_code("INVALID123")
assert_not result, "Failed attempt #{i+1} should return false"
assert_not result, "Failed attempt #{i + 1} should return false"
end
# Check that the cache is tracking attempts

82
test/services/oidc_jwt_service_test.rb
View File

@@ -61,18 +61,18 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
assert_not_nil token, "Should generate token"
assert token.length > 100, "Token should be substantial"
assert token.include?('.')
assert token.include?(".")
# Decode without verification for testing the payload
decoded = JWT.decode(token, nil, false).first
assert_equal @application.client_id, decoded['aud'], "Should have correct audience"
assert_equal @user.id.to_s, decoded['sub'], "Should have correct subject"
assert_equal @user.email_address, decoded['email'], "Should have correct email"
assert_equal true, decoded['email_verified'], "Should have email verified"
assert_equal @user.email_address, decoded['preferred_username'], "Should have preferred username"
assert_equal @user.email_address, decoded['name'], "Should have name"
assert_equal @service.issuer_url, decoded['iss'], "Should have correct issuer"
assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration"
assert_equal @application.client_id, decoded["aud"], "Should have correct audience"
assert_equal @user.id.to_s, decoded["sub"], "Should have correct subject"
assert_equal @user.email_address, decoded["email"], "Should have correct email"
assert_equal true, decoded["email_verified"], "Should have email verified"
assert_equal @user.email_address, decoded["preferred_username"], "Should have preferred username"
assert_equal @user.email_address, decoded["name"], "Should have name"
assert_equal @service.issuer_url, decoded["iss"], "Should have correct issuer"
assert_in_delta Time.current.to_i + 3600, decoded["exp"], 5, "Should have correct expiration"
end
test "should handle nonce in id token" do
@@ -80,8 +80,8 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
token = @service.generate_id_token(@user, @application, nonce: nonce)
decoded = JWT.decode(token, nil, false).first
assert_equal nonce, decoded['nonce'], "Should preserve nonce in token"
assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration with nonce"
assert_equal nonce, decoded["nonce"], "Should preserve nonce in token"
assert_in_delta Time.current.to_i + 3600, decoded["exp"], 5, "Should have correct expiration with nonce"
end
test "should include groups in token when user has groups" do
@@ -91,7 +91,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
assert_includes decoded['groups'], "Administrators", "Should include user's groups"
assert_includes decoded["groups"], "Administrators", "Should include user's groups"
end
test "admin claim should not be included in token" do
@@ -100,14 +100,14 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
refute decoded.key?('admin'), "Admin claim should not be included in ID tokens (use groups instead)"
refute decoded.key?("admin"), "Admin claim should not be included in ID tokens (use groups instead)"
end
test "should handle missing roles gracefully" do
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
refute_includes decoded, 'roles', "Should not have roles when not configured"
refute_includes decoded, "roles", "Should not have roles when not configured"
end
test "should load RSA private key from environment with escaped newlines" do
@@ -168,7 +168,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
OidcJwtService.send(:private_key)
end
assert_match /Invalid OIDC private key format/, error.message
assert_match(/Invalid OIDC private key format/, error.message)
ensure
# Restore original value and clear cached key
ENV["OIDC_PRIVATE_KEY"] = original_value
@@ -193,7 +193,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
OidcJwtService.send(:private_key)
end
assert_match /OIDC private key not configured/, error.message
assert_match(/OIDC private key not configured/, error.message)
ensure
# Restore original environment and clear cached key
ENV["OIDC_PRIVATE_KEY"] = original_value if original_value
@@ -214,9 +214,9 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
assert_not_nil decoded_array, "Should decode valid token"
decoded = decoded_array.first # JWT.decode returns an array
assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
assert decoded['exp'] > Time.current.to_i, "Token should not be expired"
assert_equal @user.id.to_s, decoded["sub"], "Should decode subject correctly"
assert_equal @application.client_id, decoded["aud"], "Should decode audience correctly"
assert decoded["exp"] > Time.current.to_i, "Token should not be expired"
end
test "should reject invalid id tokens" do
@@ -252,9 +252,9 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
decoded = JWT.decode(token, nil, false).first
# ID tokens always include email_verified
assert_includes decoded.keys, 'email_verified'
assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
assert_includes decoded.keys, "email_verified"
assert_equal @user.id.to_s, decoded["sub"], "Should decode subject correctly"
assert_equal @application.client_id, decoded["aud"], "Should decode audience correctly"
end
test "should validate JWT configuration" do
@@ -275,7 +275,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
ApplicationUserClaim.create!(
user: user,
application: app,
custom_claims: { "app_groups": ["admin"], "library_access": "all" }
custom_claims: {app_groups: ["admin"], library_access: "all"}
)
token = @service.generate_id_token(user, app)
@@ -292,17 +292,17 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# Add user to group with claims
group = groups(:admin_group)
group.update!(custom_claims: { "role": "viewer", "max_items": 10 })
group.update!(custom_claims: {role: "viewer", max_items: 10})
user.groups << group
# Add user custom claims
user.update!(custom_claims: { "role": "editor", "theme": "dark" })
user.update!(custom_claims: {role: "editor", theme: "dark"})
# Add app-specific claims (should override both)
ApplicationUserClaim.create!(
user: user,
application: app,
custom_claims: { "role": "admin", "app_specific": true }
custom_claims: {role: "admin", app_specific: true}
)
token = @service.generate_id_token(user, app)
@@ -324,11 +324,11 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# Group has roles: ["user"]
group = groups(:admin_group)
group.update!(custom_claims: { "roles" => ["user"], "permissions" => ["read"] })
group.update!(custom_claims: {"roles" => ["user"], "permissions" => ["read"]})
user.groups << group
# User adds roles: ["admin"]
user.update!(custom_claims: { "roles" => ["admin"], "permissions" => ["write"] })
user.update!(custom_claims: {"roles" => ["admin"], "permissions" => ["write"]})
token = @service.generate_id_token(user, app)
decoded = JWT.decode(token, nil, false).first
@@ -349,16 +349,16 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# First group has roles: ["user"]
group1 = groups(:admin_group)
group1.update!(custom_claims: { "roles" => ["user"] })
group1.update!(custom_claims: {"roles" => ["user"]})
user.groups << group1
# Second group has roles: ["moderator"]
group2 = Group.create!(name: "moderators", description: "Moderators group")
group2.update!(custom_claims: { "roles" => ["moderator"] })
group2.update!(custom_claims: {"roles" => ["moderator"]})
user.groups << group2
# User adds roles: ["admin"]
user.update!(custom_claims: { "roles" => ["admin"] })
user.update!(custom_claims: {"roles" => ["admin"]})
token = @service.generate_id_token(user, app)
decoded = JWT.decode(token, nil, false).first
@@ -376,11 +376,11 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# Group has roles: ["user", "reader"]
group = groups(:admin_group)
group.update!(custom_claims: { "roles" => ["user", "reader"] })
group.update!(custom_claims: {"roles" => ["user", "reader"]})
user.groups << group
# User also has "user" role (duplicate)
user.update!(custom_claims: { "roles" => ["user", "admin"] })
user.update!(custom_claims: {"roles" => ["user", "admin"]})
token = @service.generate_id_token(user, app)
decoded = JWT.decode(token, nil, false).first
@@ -398,11 +398,11 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# Group has roles array and max_items scalar
group = groups(:admin_group)
group.update!(custom_claims: { "roles" => ["user"], "max_items" => 10, "theme" => "light" })
group.update!(custom_claims: {"roles" => ["user"], "max_items" => 10, "theme" => "light"})
user.groups << group
# User overrides max_items and theme, adds to roles
user.update!(custom_claims: { "roles" => ["admin"], "max_items" => 100, "theme" => "dark" })
user.update!(custom_claims: {"roles" => ["admin"], "max_items" => 100, "theme" => "dark"})
token = @service.generate_id_token(user, app)
decoded = JWT.decode(token, nil, false).first
@@ -425,7 +425,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
group.update!(custom_claims: {
"config" => {
"theme" => "light",
"notifications" => { "email" => true }
"notifications" => {"email" => true}
}
})
user.groups << group
@@ -434,7 +434,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
user.update!(custom_claims: {
"config" => {
"language" => "en",
"notifications" => { "sms" => true }
"notifications" => {"sms" => true}
}
})
@@ -454,17 +454,17 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# Group has roles: ["user"]
group = groups(:admin_group)
group.update!(custom_claims: { "roles" => ["user"] })
group.update!(custom_claims: {"roles" => ["user"]})
user.groups << group
# User has roles: ["moderator"]
user.update!(custom_claims: { "roles" => ["moderator"] })
user.update!(custom_claims: {"roles" => ["moderator"]})
# App-specific has roles: ["app_admin"]
ApplicationUserClaim.create!(
user: user,
application: app,
custom_claims: { "roles" => ["app_admin"] }
custom_claims: {"roles" => ["app_admin"]}
)
token = @service.generate_id_token(user, app)
@@ -562,4 +562,4 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
assert_includes decoded.keys, "azp", "Should include azp claim"
assert_equal @application.client_id, decoded["azp"], "azp should be the application's client_id"
end
end
end

92
test/system/forward_auth_system_test.rb
View File

@@ -13,13 +13,13 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
# End-to-End Authentication Flow Tests
test "complete forward auth flow with default headers" do
# Create an application with default headers
rule = Application.create!(name: "App", slug: "app-system-test", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
Application.create!(name: "App", slug: "app-system-test", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
# Step 1: Unauthenticated request to protected resource
get "/api/verify", headers: {
"X-Forwarded-Host" => "app.example.com",
"X-Forwarded-Uri" => "/dashboard"
}, params: { rd: "https://app.example.com/dashboard" }
}, params: {rd: "https://app.example.com/dashboard"}
assert_response 302
location = response.location
@@ -30,13 +30,13 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
assert_equal "https://app.example.com/dashboard", session[:return_to_after_authenticating]
# Step 3: Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_redirected_to "https://app.example.com/dashboard"
# Step 4: Authenticated request to protected resource
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "app.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
@@ -46,38 +46,38 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
test "multiple domain access with single session" do
# Create applications for different domains
app_rule = Application.create!(name: "App Domain", slug: "app-domain", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
grafana_rule = Application.create!(
Application.create!(name: "App Domain", slug: "app-domain", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
Application.create!(
name: "Grafana", slug: "grafana-system-test", app_type: "forward_auth",
domain_pattern: "grafana.example.com",
active: true,
headers_config: { user: "X-WEBAUTH-USER", email: "X-WEBAUTH-EMAIL" }
headers_config: {user: "X-WEBAUTH-USER", email: "X-WEBAUTH-EMAIL"}
)
metube_rule = Application.create!(
Application.create!(
name: "Metube", slug: "metube-system-test", app_type: "forward_auth",
domain_pattern: "metube.example.com",
active: true,
headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
headers_config: {user: "", email: "", name: "", groups: "", admin: ""}
)
# Sign in once
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_redirected_to "/"
# Test access to different applications
# App with default headers
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "app.example.com"}
assert_response 200
assert response.headers.key?("x-remote-user")
# Grafana with custom headers
get "/api/verify", headers: { "X-Forwarded-Host" => "grafana.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "grafana.example.com"}
assert_response 200
assert response.headers.key?("x-webauth-user")
# Metube with no headers
get "/api/verify", headers: { "X-Forwarded-Host" => "metube.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "metube.example.com"}
assert_response 200
auth_headers = response.headers.select { |k, v| k.match?(/^x-remote-|^x-webauth-|^x-admin-/i) }
assert_empty auth_headers
@@ -98,11 +98,11 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
@user.groups << @group
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
# Should have access (in allowed group)
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "admin.example.com"}
assert_response 200
assert_equal @group.name, response.headers["x-remote-groups"]
@@ -110,7 +110,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
@user.groups << @group2
# Should show multiple groups
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "admin.example.com"}
assert_response 200
groups_header = response.headers["x-remote-groups"]
assert_includes groups_header, @group.name
@@ -120,13 +120,13 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
@user.groups.clear
# Should be denied
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "admin.example.com"}
assert_response 403
end
test "bypass mode when no groups assigned to rule" do
# Create bypass application (no groups)
bypass_rule = Application.create!(
Application.create!(
name: "Public", slug: "public-system-test", app_type: "forward_auth",
domain_pattern: "public.example.com",
active: true
@@ -136,11 +136,11 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
@user.groups.clear
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
# Should have access (bypass mode)
get "/api/verify", headers: { "X-Forwarded-Host" => "public.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "public.example.com"}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
end
@@ -148,12 +148,12 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
# Security System Tests
test "session security and isolation" do
# User A signs in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
user_a_session = cookies[:session_id]
# User B signs in
delete "/session"
post "/signin", params: { email_address: @admin_user.email_address, password: "password" }
post "/signin", params: {email_address: @admin_user.email_address, password: "password"}
user_b_session = cookies[:session_id]
# User A should still be able to access resources
@@ -178,11 +178,11 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
test "session expiration and cleanup" do
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
session_id = cookies[:session_id]
# Should work initially
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
# Manually expire session
@@ -190,7 +190,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
session.update!(expires_at: 1.hour.ago)
# Should redirect to login
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 302
assert_equal "Session expired", response.headers["x-auth-reason"]
@@ -200,7 +200,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
test "concurrent access with rate limiting considerations" do
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
session_cookie = cookies[:session_id]
# Simulate multiple concurrent requests from different IPs
@@ -244,23 +244,23 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
apps = [
{
domain: "dashboard.example.com",
headers_config: { user: "X-DASHBOARD-USER", groups: "X-DASHBOARD-GROUPS" },
headers_config: {user: "X-DASHBOARD-USER", groups: "X-DASHBOARD-GROUPS"},
groups: [@group]
},
{
domain: "api.example.com",
headers_config: { user: "X-API-USER", email: "X-API-EMAIL" },
headers_config: {user: "X-API-USER", email: "X-API-EMAIL"},
groups: []
},
{
domain: "logs.example.com",
headers_config: { user: "", email: "", name: "", groups: "", admin: "" },
headers_config: {user: "", email: "", name: "", groups: "", admin: ""},
groups: []
}
]
# Create applications for each app
rules = apps.map.with_index do |app, idx|
apps.map.with_index do |app, idx|
rule = Application.create!(
name: "Multi App #{idx}", slug: "multi-app-#{idx}", app_type: "forward_auth",
domain_pattern: app[:domain],
@@ -275,19 +275,19 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
@user.groups << @group
# Sign in once
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
# Test access to each application
apps.each do |app|
get "/api/verify", headers: { "X-Forwarded-Host" => app[:domain] }
get "/api/verify", headers: {"X-Forwarded-Host" => app[:domain]}
assert_response 200, "Failed for #{app[:domain]}"
# Verify headers are correct
if app[:headers_config][:user].present?
assert_equal app[:headers_config][:user],
response.headers.keys.find { |k| k.include?("USER") },
"Wrong user header for #{app[:domain]}"
response.headers.keys.find { |k| k.include?("USER") },
"Wrong user header for #{app[:domain]}"
assert_equal @user.email_address, response.headers[app[:headers_config][:user]]
else
# Should have no auth headers
@@ -300,24 +300,24 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
test "domain pattern edge cases" do
# Test various domain patterns
patterns = [
{ pattern: "*.example.com", domains: ["app.example.com", "api.example.com", "sub.app.example.com"] },
{ pattern: "api.*.com", domains: ["api.example.com", "api.test.com"] },
{ pattern: "*.*.example.com", domains: ["app.dev.example.com", "api.staging.example.com"] }
{pattern: "*.example.com", domains: ["app.example.com", "api.example.com", "sub.app.example.com"]},
{pattern: "api.*.com", domains: ["api.example.com", "api.test.com"]},
{pattern: "*.*.example.com", domains: ["app.dev.example.com", "api.staging.example.com"]}
]
patterns.each_with_index do |pattern_config, idx|
rule = Application.create!(
Application.create!(
name: "Pattern Test #{idx}", slug: "pattern-test-#{idx}", app_type: "forward_auth",
domain_pattern: pattern_config[:pattern],
active: true
)
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
# Test each domain
pattern_config[:domains].each do |domain|
get "/api/verify", headers: { "X-Forwarded-Host" => domain }
get "/api/verify", headers: {"X-Forwarded-Host" => domain}
assert_response 200, "Failed for pattern #{pattern_config[:pattern]} with domain #{domain}"
assert_equal @user.email_address, response.headers["x-remote-user"]
end
@@ -330,10 +330,10 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
# Performance System Tests
test "system performance under load" do
# Create test application
rule = Application.create!(name: "Load Test", slug: "loadtest", app_type: "forward_auth", domain_pattern: "loadtest.example.com", active: true)
Application.create!(name: "Load Test", slug: "loadtest", app_type: "forward_auth", domain_pattern: "loadtest.example.com", active: true)
# Sign in
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
session_cookie = cookies[:session_id]
# Performance test
@@ -374,7 +374,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
# Error Recovery System Tests
test "graceful degradation with database issues" do
# Sign in first
post "/signin", params: { email_address: @user.email_address, password: "password" }
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
# Simulate database connection issue by mocking
@@ -387,7 +387,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
begin
# Request should handle the error gracefully
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
# Should return 302 (redirect to login) rather than 500 error
assert_response 302, "Should gracefully handle database issues"
@@ -398,7 +398,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
end
# Normal operation should still work
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
assert_response 200
end
end
end

30
test/system/webauthn_security_test.rb
View File

@@ -78,7 +78,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
user = User.create!(email_address: "webauthn_handle_auth_test@example.com", password: "password123")
user_handle = SecureRandom.uuid
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
@@ -99,7 +99,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
test "WebAuthn request validates origin" do
user = User.create!(email_address: "webauthn_origin_test@example.com", password: "password123")
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
@@ -107,14 +107,14 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
)
# Test WebAuthn challenge from valid origin
post webauthn_challenge_path, params: { email: "webauthn_origin_test@example.com" },
headers: { "HTTP_ORIGIN": "http://localhost:3000" }
post webauthn_challenge_path, params: {email: "webauthn_origin_test@example.com"},
headers: {HTTP_ORIGIN: "http://localhost:3000"}
# Should succeed for valid origin
# Test WebAuthn challenge from invalid origin
post webauthn_challenge_path, params: { email: "webauthn_origin_test@example.com" },
headers: { "HTTP_ORIGIN": "http://evil.com" }
post webauthn_challenge_path, params: {email: "webauthn_origin_test@example.com"},
headers: {HTTP_ORIGIN: "http://evil.com"}
# Should reject invalid origin
@@ -125,7 +125,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
user = User.create!(email_address: "webauthn_verify_origin_test@example.com", password: "password123")
user.update!(webauthn_id: SecureRandom.uuid)
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
@@ -133,10 +133,10 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
)
# Sign in with WebAuthn
post webauthn_challenge_path, params: { email: "webauthn_verify_origin_test@example.com" }
post webauthn_challenge_path, params: {email: "webauthn_verify_origin_test@example.com"}
assert_response :success
challenge = JSON.parse(@response.body)["challenge"]
JSON.parse(@response.body)["challenge"]
# Simulate WebAuthn verification with wrong origin
# This should fail
@@ -155,7 +155,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
# Standard attestation formats: none, packed, tpm, android-key, android-safetynet, fido-u2f, etc.
# Test with 'none' attestation (most common for privacy)
attestation_object = {
{
fmt: "none",
attStmt: {},
authData: Base64.strict_encode64("fake_auth_data")
@@ -170,7 +170,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
user = User.create!(email_address: "webauthn_invalid_attestation_test@example.com", password: "password123")
# Try to register with invalid attestation format
invalid_attestation = {
{
fmt: "invalid_format",
attStmt: {},
authData: Base64.strict_encode64("fake_auth_data")
@@ -263,7 +263,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
test "WebAuthn requires user presence for authentication" do
user = User.create!(email_address: "webauthn_presence_test@example.com", password: "password123")
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
@@ -291,7 +291,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
nickname: "USB Key"
)
credential2 = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("credential_2"),
public_key: Base64.urlsafe_encode64("public_key_2"),
sign_count: 0,
@@ -317,7 +317,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
user.update!(webauthn_enabled: true)
# Sign in with password should still work
post signin_path, params: { email_address: "webauthn_required_test@example.com", password: "password123" }
post signin_path, params: {email_address: "webauthn_required_test@example.com", password: "password123"}
# If WebAuthn is enabled, should offer WebAuthn as an option
# Implementation should handle password + WebAuthn or passwordless flow
@@ -329,7 +329,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
user = User.create!(email_address: "webauthn_passwordless_test@example.com", password: "password123")
user.update!(webauthn_enabled: true)
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("passwordless_credential"),
public_key: Base64.urlsafe_encode64("public_key"),
sign_count: 0,