From 13625fe61f8cb1452742ca54201598b14aed7395 Mon Sep 17 00:00:00 2001 From: Artur Neumann Date: Thu, 28 Feb 2019 15:34:53 +0545 Subject: [PATCH] move auth tests into separate behat suite --- .drone.yml | 11 ++ tests/acceptance/config/behat.yml | 6 + .../features/apiAuth/filesAppAuth.feature | 39 ++++ .../features/apiAuth/ocsDELETEAuth.feature | 45 +++++ .../ocsGETAuth.feature} | 175 ------------------ .../features/apiAuth/ocsPOSTAuth.feature | 51 +++++ .../features/apiAuth/ocsPUTAuth.feature | 36 ++++ .../{apiMain => apiAuth}/tokenAuth.feature | 0 .../features/apiAuth/webDavAuth.feature | 28 +++ 9 files changed, 216 insertions(+), 175 deletions(-) create mode 100644 tests/acceptance/features/apiAuth/filesAppAuth.feature create mode 100644 tests/acceptance/features/apiAuth/ocsDELETEAuth.feature rename tests/acceptance/features/{apiMain/auth.feature => apiAuth/ocsGETAuth.feature} (64%) create mode 100644 tests/acceptance/features/apiAuth/ocsPOSTAuth.feature create mode 100644 tests/acceptance/features/apiAuth/ocsPUTAuth.feature rename tests/acceptance/features/{apiMain => apiAuth}/tokenAuth.feature (100%) create mode 100644 tests/acceptance/features/apiAuth/webDavAuth.feature diff --git a/.drone.yml b/.drone.yml index 45c0e3c6e8dd..3cc495cc44a3 100644 --- a/.drone.yml +++ b/.drone.yml @@ -805,6 +805,17 @@ matrix: OWNCLOUD_LOG: true INSTALL_TESTING_APP: true + - PHP_VERSION: 7.1 + TEST_SUITE: api + BEHAT_SUITE: apiAuth + DB_TYPE: mariadb + USE_SERVER: true + SERVER_PROTOCOL: https + INSTALL_SERVER: true + CHOWN_SERVER: true + OWNCLOUD_LOG: true + INSTALL_TESTING_APP: true + - PHP_VERSION: 7.1 TEST_SUITE: api BEHAT_SUITE: apiCapabilities diff --git a/tests/acceptance/config/behat.yml b/tests/acceptance/config/behat.yml index 62b7a42591bf..2eb7761e3af1 100644 --- a/tests/acceptance/config/behat.yml +++ b/tests/acceptance/config/behat.yml 
@@ -20,6 +20,12 @@ default: - OccContext: - TransferOwnershipContext: + apiAuth: + paths: + - '%paths.base%/../features/apiAuth' + contexts: + - FeatureContext: *common_feature_context_params + apiCapabilities: paths: - '%paths.base%/../features/apiCapabilities' diff --git a/tests/acceptance/features/apiAuth/filesAppAuth.feature b/tests/acceptance/features/apiAuth/filesAppAuth.feature new file mode 100644 index 000000000000..421574c5307a --- /dev/null +++ b/tests/acceptance/features/apiAuth/filesAppAuth.feature 
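Review bot: The new apiAuth suite lists only `FeatureContext`, while the context list it is spliced into (the `- OccContext:` / `- TransferOwnershipContext:` lines directly above belong to the suite these scenarios were moved out of) is longer. The moved features depend on steps such as `a new browser session for "user0" has been started`, `the user has generated a new app password named "my-client"` and `the administrator sends HTTP method ... using password "invalid"`; if any of those is defined in a context other than FeatureContext, the suite will fail with undefined steps only once the new CI matrix entry runs. A `--dry-run` of the apiAuth suite before merge, or a line in the PR stating that every step resolves under FeatureContext alone, would confirm the context list is sufficient. The enclosing `default:` mapping starts above the hunk.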
@@ -0,0 +1,39 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+ Background:
+ Given user "user0" has been created with default attributes
+ And a new client token for "user0" has been generated
+
+ @smokeTest
+ Scenario: access files app anonymously
+ When a user requests "/index.php/apps/files" with "GET" and no authentication
+ Then the HTTP status code should be "401"
+
+ @smokeTest
+ Scenario: access files app with basic auth
+ When user "user0" requests "/index.php/apps/files" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+
+ @smokeTest
+ Scenario: access files app with basic token auth
+ When user "user0" requests "/index.php/apps/files" with "GET" using basic token auth
+ Then the HTTP status code should be "200"
+
+ @smokeTest
+ Scenario: access files app with a client token
+ When the user requests "/index.php/apps/files" with "GET" using the generated client token
+ Then the HTTP status code should be "200"
+
+ @smokeTest
+ Scenario: access files app with browser session
+ Given a new browser session for "user0" has been started
+ When the user requests "/index.php/apps/files" with "GET" using the browser session
+ Then the HTTP status code should be "200"
+
+ @smokeTest
+ Scenario: access files app with an app password
+ Given a new browser session for "user0" has been started
+ And the user has generated a new app password named "my-client"
+ When the user requests "/index.php/apps/files" with "GET" using the generated app password
+ Then the HTTP status code should be "200"
diff --git a/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature b/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature
new file mode 100644
index 000000000000..c2b2b2fad71c
--- /dev/null
+++ b/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature
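Review bot: Nothing in this file exercises a rejected credential against `/index.php/apps/files`: the scenarios check anonymous access (401) and five valid credential kinds (200), but never a wrong basic-auth password, a revoked app password or a deleted client token. The OCS files in this same commit do test `using password "invalid"`, so the files app is the one surface left without a negative case; a single scenario that sends a bad password and expects 401 would close the gap (if no step for a bad password on a non-OCS URL exists yet, it belongs in FeatureContext alongside the OCS one). Separately, `And a new client token for "user0" has been generated` in the Background runs for all six scenarios although only `access files app with a client token` uses it; moving that step into that scenario keeps per-scenario setup minimal. `Feature: auth` is reused by every file under apiAuth, so a distinctive name such as `Feature: files app authentication` would make reports readable.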
@@ -0,0 +1,45 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+ Background:
+ Given user "user0" has been created with default attributes
+ And a new client token for "user0" has been generated
+
+ @issue-32068
+ Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password
+ Given using OCS API version ""
+ And group "group1" has been created
+ When the administrator sends HTTP method "DELETE" to OCS API endpoint "" using password "invalid"
+ Then the OCS status code should be ""
+ And the HTTP status code should be ""
+ Examples:
+ | ocs_api_version |endpoint | ocs-code | http-code |
+ | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 |
+ | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 |
+ | 1 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 |
+ | 2 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 |
+ | 1 |/cloud/apps/testing | 997 | 401 |
+ | 2 |/cloud/apps/testing | 997 | 401 |
+ | 1 |/cloud/groups/group1 | 997 | 401 |
+ | 2 |/cloud/groups/group1 | 997 | 401 |
+ | 1 |/cloud/users/user0 | 997 | 401 |
+ | 2 |/cloud/users/user0 | 997 | 401 |
+ | 1 |/cloud/users/user0/groups | 997 | 401 |
+ | 2 |/cloud/users/user0/groups | 997 | 401 |
+ | 1 |/cloud/users/user0/subadmins | 997 | 401 |
+ | 2 |/cloud/users/user0/subadmins | 997 | 401 |
+
+ #merge into previous scenario when fixed
+ @issue-34626
+ Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password
+ Given using OCS API version ""
+ When the administrator sends HTTP method "DELETE" to OCS API endpoint "" using password "invalid"
+ Then the HTTP status code should be "200"
+ And the body of the response should be empty
+ #And the OCS status code should be "997"
+ Examples:
+ | ocs_api_version | endpoint |
+ | 1 | /apps/files_sharing/api/v1/shares/123 |
+ | 2 | /apps/files_sharing/api/v1/shares/123 |
+ | 1 | /apps/files_sharing/api/v1/shares/pending/123 |
+ | 2 | /apps/files_sharing/api/v1/shares/pending/123 |
diff --git a/tests/acceptance/features/apiMain/auth.feature b/tests/acceptance/features/apiAuth/ocsGETAuth.feature
similarity index 64%
rename from tests/acceptance/features/apiMain/auth.feature
rename to tests/acceptance/features/apiAuth/ocsGETAuth.feature
index 9341f5912fea..c13f2828e060 100644
--- a/tests/acceptance/features/apiMain/auth.feature
+++ b/tests/acceptance/features/apiAuth/ocsGETAuth.feature
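Review bot: The second outline pins the current wrong behaviour — HTTP 200 with an empty body for a DELETE on `/apps/files_sharing/api/v1/shares/123` sent `using password "invalid"` — against a share id that does not exist, so it cannot distinguish a harmless status-code bug from an actual authorization bypass. Creating a real share in a Given and asserting afterwards that it still exists would make the scenario meaningful until issue 34626 is fixed, and a one-line comment above `Then the HTTP status code should be "200"` saying that 200 is the known-bug value rather than the expected one would stop a reader taking it as the contract. Both outlines also carry the identical title `send DELETE requests to OCS endpoints as admin with wrong password`, so a failure report or a `--name` filter cannot tell the @issue-32068 rows from the @issue-34626 ones; a distinct title for the second (e.g. ending in "(known issue 34626)") fixes that. Lastly, `Feature: auth` is shared by every file in apiAuth; a per-file name such as `Feature: OCS DELETE request authentication` makes the suite output readable.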
@@ -1,70 +1,9 @@ @api @TestAlsoOnExternalUserBackend Feature: auth - Background: Given user "user0" has been created with default attributes And a new client token for "user0" has been generated - # FILES APP - @smokeTest - Scenario: access files app anonymously - When a user requests "/index.php/apps/files" with "GET" and no authentication - Then the HTTP status code should be "401" - - @smokeTest - Scenario: access files app with basic auth - When user "user0" requests "/index.php/apps/files" with "GET" using basic auth - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with basic token auth - When user "user0" requests "/index.php/apps/files" with "GET" using basic token auth - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with a client token - When the user requests "/index.php/apps/files" with "GET" using the generated client token - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with browser session - Given a new browser session for "user0" has been started - When the user requests "/index.php/apps/files" with "GET" using the browser session - Then the HTTP status code should be "200" - - @smokeTest - Scenario: access files app with an app password - Given a new browser session for "user0" has been started - And the user has generated a new app password named "my-client" - When the user requests "/index.php/apps/files" with "GET" using the generated app password - Then the HTTP status code should be "200" - - # WebDAV - - Scenario: using WebDAV anonymously - When a user requests "/remote.php/webdav" with "PROPFIND" and no authentication - Then the HTTP status code should be "401" - - Scenario: using WebDAV with basic auth - When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic auth - Then the HTTP status code should be "207" - - Scenario: using WebDAV with token auth - When user "user0" requests "/remote.php/webdav" with 
"PROPFIND" using basic token auth - Then the HTTP status code should be "207" - - # DAV token auth is not possible yet - #Scenario: using WebDAV with a client token - # When requesting "/remote.php/webdav" with "PROPFIND" using a client token - # Then the HTTP status code should be "207" - - Scenario: using WebDAV with browser session - Given a new browser session for "user0" has been started - When the user requests "/remote.php/webdav" with "PROPFIND" using the browser session - Then the HTTP status code should be "207" - - - # OCS @issue-32068 Scenario Outline: using OCS anonymously When a user requests "" with "GET" and no authentication 
@@ -161,51 +100,6 @@ Feature: auth | 1 | | 2 | - @issue-32068 - Scenario Outline: send POST requests to OCS endpoints as normal user with wrong password - Given using OCS API version "" - And user "user1" has been created with default attributes - When user "user0" sends HTTP method "POST" to OCS API endpoint "" with body using password "invalid" - | data | doesnotmatter | - Then the OCS status code should be "" - And the HTTP status code should be "" - Examples: - | ocs_api_version |endpoint | ocs-code | http-code | - | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | - | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | - | 1 |/cloud/apps/testing | 997 | 401 | - | 2 |/cloud/apps/testing | 997 | 401 | - | 1 |/cloud/groups | 997 | 401 | - | 2 |/cloud/groups | 997 | 401 | - | 1 |/cloud/users | 997 | 401 | - | 2 |/cloud/users | 997 | 401 | - | 1 |/cloud/users/user0/groups | 997 | 401 | - | 2 |/cloud/users/user0/groups | 997 | 401 | - | 1 |/cloud/users/user0/subadmins | 997 | 401 | - | 2 |/cloud/users/user0/subadmins | 997 | 401 | - | 1 |/person/check | 101 | 200 | - | 2 |/person/check | 400 | 400 | - | 1 |/privatedata/deleteattribute/testing/test | 997 | 401 | - | 2 |/privatedata/deleteattribute/testing/test | 997 | 401 | - | 1 |/privatedata/setattribute/testing/test | 997 | 401 | - | 2 |/privatedata/setattribute/testing/test | 997 | 401 | - - #merge into previous scenario when fixed - @issue-34626 - Scenario Outline: using OCS as normal user with wrong password - Given using OCS API version "" - When user "user0" sends HTTP method "POST" to OCS API endpoint "" with body using password "invalid" - | data | doesnotmatter | - Then the HTTP status code should be "200" - And the body of the response should be empty - #And the OCS status code should be "997" - Examples: - | ocs_api_version | endpoint | - | 1 | /apps/files_sharing/api/v1/shares | - | 2 | /apps/files_sharing/api/v1/shares | - | 1 | 
/apps/files_sharing/api/v1/shares/pending/123 | - | 2 | /apps/files_sharing/api/v1/shares/pending/123 | - Scenario Outline: using OCS with admin basic auth When the administrator requests "" with "GET" using basic auth Then the OCS status code should be "" 
@@ -254,75 +148,6 @@ Feature: auth | 1 | | 2 | - @issue-32068 - Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password - Given using OCS API version "" - When the administrator sends HTTP method "PUT" to OCS API endpoint "" with body using password "invalid" - | data | doesnotmatter | - Then the OCS status code should be "" - And the HTTP status code should be "" - Examples: - | ocs_api_version |endpoint | ocs-code | http-code | - | 1 |/cloud/users/user0 | 997 | 401 | - | 2 |/cloud/users/user0 | 997 | 401 | - | 1 |/cloud/users/user0/disable | 997 | 401 | - | 2 |/cloud/users/user0/disable | 997 | 401 | - | 1 |/cloud/users/user0/enable | 997 | 401 | - | 2 |/cloud/users/user0/enable | 997 | 401 | - - #merge into previous scenario when fixed - @issue-34626 - Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password - Given using OCS API version "" - When the administrator sends HTTP method "PUT" to OCS API endpoint "/apps/files_sharing/api/v1/shares/123" with body using password "invalid" - | data | doesnotmatter | - Then the HTTP status code should be "200" - And the body of the response should be empty - #And the OCS status code should be "997" - Examples: - | ocs_api_version | - | 1 | - | 2 | - - @issue-32068 - Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password - Given using OCS API version "" - And group "group1" has been created - When the administrator sends HTTP method "DELETE" to OCS API endpoint "" using password "invalid" - Then the OCS status code should be "" - And the HTTP status code should be "" - Examples: - | ocs_api_version |endpoint | ocs-code | http-code | - | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | - | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 | - | 1 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 | - | 2 |/apps/files_sharing/api/v1/remote_shares/123 | 997 | 401 | - | 1 |/cloud/apps/testing | 997 | 
401 | - | 2 |/cloud/apps/testing | 997 | 401 | - | 1 |/cloud/groups/group1 | 997 | 401 | - | 2 |/cloud/groups/group1 | 997 | 401 | - | 1 |/cloud/users/user0 | 997 | 401 | - | 2 |/cloud/users/user0 | 997 | 401 | - | 1 |/cloud/users/user0/groups | 997 | 401 | - | 2 |/cloud/users/user0/groups | 997 | 401 | - | 1 |/cloud/users/user0/subadmins | 997 | 401 | - | 2 |/cloud/users/user0/subadmins | 997 | 401 | - - #merge into previous scenario when fixed - @issue-34626 - Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password - Given using OCS API version "" - When the administrator sends HTTP method "DELETE" to OCS API endpoint "" using password "invalid" - Then the HTTP status code should be "200" - And the body of the response should be empty - #And the OCS status code should be "997" - Examples: - | ocs_api_version | endpoint | - | 1 | /apps/files_sharing/api/v1/shares/123 | - | 2 | /apps/files_sharing/api/v1/shares/123 | - | 1 | /apps/files_sharing/api/v1/shares/pending/123 | - | 2 | /apps/files_sharing/api/v1/shares/pending/123 | - Scenario Outline: using OCS with token auth of a normal user When user "user0" requests "" with "GET" using basic token auth Then the OCS status code should be "" diff --git a/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature b/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature new file mode 100644 index 000000000000..550f006f3394 --- /dev/null +++ b/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature 
@@ -0,0 +1,51 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+ Background:
+ Given user "user0" has been created with default attributes
+ And a new client token for "user0" has been generated
+
+ @issue-32068
+ Scenario Outline: send POST requests to OCS endpoints as normal user with wrong password
+ Given using OCS API version ""
+ And user "user1" has been created with default attributes
+ When user "user0" sends HTTP method "POST" to OCS API endpoint "" with body using password "invalid"
+ | data | doesnotmatter |
+ Then the OCS status code should be ""
+ And the HTTP status code should be ""
+ Examples:
+ | ocs_api_version |endpoint | ocs-code | http-code |
+ | 1 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 |
+ | 2 |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997 | 401 |
+ | 1 |/cloud/apps/testing | 997 | 401 |
+ | 2 |/cloud/apps/testing | 997 | 401 |
+ | 1 |/cloud/groups | 997 | 401 |
+ | 2 |/cloud/groups | 997 | 401 |
+ | 1 |/cloud/users | 997 | 401 |
+ | 2 |/cloud/users | 997 | 401 |
+ | 1 |/cloud/users/user0/groups | 997 | 401 |
+ | 2 |/cloud/users/user0/groups | 997 | 401 |
+ | 1 |/cloud/users/user0/subadmins | 997 | 401 |
+ | 2 |/cloud/users/user0/subadmins | 997 | 401 |
+ | 1 |/person/check | 101 | 200 |
+ | 2 |/person/check | 400 | 400 |
+ | 1 |/privatedata/deleteattribute/testing/test | 997 | 401 |
+ | 2 |/privatedata/deleteattribute/testing/test | 997 | 401 |
+ | 1 |/privatedata/setattribute/testing/test | 997 | 401 |
+ | 2 |/privatedata/setattribute/testing/test | 997 | 401 |
+
+ #merge into previous scenario when fixed
+ @issue-34626
+ Scenario Outline: send POST requests to OCS endpoints as normal user with wrong password
+ Given using OCS API version ""
+ When user "user0" sends HTTP method "POST" to OCS API endpoint "" with body using password "invalid"
+ | data | doesnotmatter |
+ Then the HTTP status code should be "200"
+ And the body of the response should be empty
+ #And the OCS status code should be "997"
+ Examples:
+ | ocs_api_version | endpoint |
+ | 1 | /apps/files_sharing/api/v1/shares |
+ | 2 | /apps/files_sharing/api/v1/shares |
+ | 1 | /apps/files_sharing/api/v1/shares/pending/123 |
+ | 2 | /apps/files_sharing/api/v1/shares/pending/123 |
diff --git a/tests/acceptance/features/apiAuth/ocsPUTAuth.feature b/tests/acceptance/features/apiAuth/ocsPUTAuth.feature
new file mode 100644
index 000000000000..f73dc6c5b5e1
--- /dev/null
+++ b/tests/acceptance/features/apiAuth/ocsPUTAuth.feature
@@ -0,0 +1,36 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+ Background:
+ Given user "user0" has been created with default attributes
+ And a new client token for "user0" has been generated
+
+ @issue-32068
+ Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password
+ Given using OCS API version ""
+ When the administrator sends HTTP method "PUT" to OCS API endpoint "" with body using password "invalid"
+ | data | doesnotmatter |
+ Then the OCS status code should be ""
+ And the HTTP status code should be ""
+ Examples:
+ | ocs_api_version |endpoint | ocs-code | http-code |
+ | 1 |/cloud/users/user0 | 997 | 401 |
+ | 2 |/cloud/users/user0 | 997 | 401 |
+ | 1 |/cloud/users/user0/disable | 997 | 401 |
+ | 2 |/cloud/users/user0/disable | 997 | 401 |
+ | 1 |/cloud/users/user0/enable | 997 | 401 |
+ | 2 |/cloud/users/user0/enable | 997 | 401 |
+
+ #merge into previous scenario when fixed
+ @issue-34626
+ Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password
+ Given using OCS API version ""
+ When the administrator sends HTTP method "PUT" to OCS API endpoint "/apps/files_sharing/api/v1/shares/123" with body using password "invalid"
+ | data | doesnotmatter |
+ Then the HTTP status code should be "200"
+ And the body of the response should be empty
+ #And the OCS status code should be "997"
+ Examples:
+ | ocs_api_version |
+ | 1 |
+ | 2 |
diff --git a/tests/acceptance/features/apiMain/tokenAuth.feature b/tests/acceptance/features/apiAuth/tokenAuth.feature
similarity index 100%
rename from tests/acceptance/features/apiMain/tokenAuth.feature
rename to tests/acceptance/features/apiAuth/tokenAuth.feature
diff --git a/tests/acceptance/features/apiAuth/webDavAuth.feature b/tests/acceptance/features/apiAuth/webDavAuth.feature
new file mode 100644
index 000000000000..387a5c485082
--- /dev/null
+++ b/tests/acceptance/features/apiAuth/webDavAuth.feature
@@ -0,0 +1,28 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+ Background:
+ Given user "user0" has been created with default attributes
+ And a new client token for "user0" has been generated
+
+ Scenario: using WebDAV anonymously
+ When a user requests "/remote.php/webdav" with "PROPFIND" and no authentication
+ Then the HTTP status code should be "401"
+
+ Scenario: using WebDAV with basic auth
+ When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic auth
+ Then the HTTP status code should be "207"
+
+ Scenario: using WebDAV with token auth
+ When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic token auth
+ Then the HTTP status code should be "207"
+
+ # DAV token auth is not possible yet
+ #Scenario: using WebDAV with a client token
+ # When requesting "/remote.php/webdav" with "PROPFIND" using a client token
+ # Then the HTTP status code should be "207"
+
+ Scenario: using WebDAV with browser session
+ Given a new browser session for "user0" has been started
+ When the user requests "/remote.php/webdav" with "PROPFIND" using the browser session
+ Then the HTTP status code should be "207"
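Review bot: WebDAV is the endpoint sync clients hit with app passwords, yet this file has neither an app-password nor a rejected-credential scenario: filesAppAuth.feature in the same commit covers `using the generated app password`, while here PROPFIND on `/remote.php/webdav` is tried only anonymously, with basic auth, basic token auth and a browser session. An app-password scenario mirroring the files-app one (expecting 207) and a wrong-password scenario (expecting 401) would cover the surface that matters most for clients. The commented-out client-token scenario uses a step phrasing, `When requesting "/remote.php/webdav" with "PROPFIND" using a client token`, that does not match the form used elsewhere in this file (`When the user requests ... using the generated client token`), so it will fail as an undefined step if ever uncommented; aligning the wording now, or replacing the comment block with a skip tag if the suite supports one, avoids that trap. The Background's client-token generation is otherwise unused here since that scenario is disabled.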