blob: b211eabb0761bee0018ca8fc9980b78d80aad1e2 [file] [log] [blame]
Akron33f5c672019-06-24 19:40:47 +02001use Mojo::Base -strict;
2use Test::More;
Akroncdfd9d52019-07-23 11:35:00 +02003use Test::Mojo::WithRoles 'Session';
Akron33f5c672019-06-24 19:40:47 +02004use Mojo::File qw/path/;
5use Data::Dumper;
6
7
8#####################
9# Start Fake server #
10#####################
Akron63d963b2019-07-05 15:35:51 +020011my $mount_point = '/realapi/';
Akron33f5c672019-06-24 19:40:47 +020012$ENV{KALAMAR_API} = $mount_point;
13
Akroncdfd9d52019-07-23 11:35:00 +020014my $t = Test::Mojo::WithRoles->new('Kalamar' => {
Akron33f5c672019-06-24 19:40:47 +020015 Kalamar => {
16 plugins => ['Auth']
17 },
18 'Kalamar-Auth' => {
19 client_id => 2,
20 client_secret => 'k414m4r-s3cr3t',
Akron59992122019-10-29 11:28:45 +010021 oauth2 => 1,
22 experimental_client_registration => 1
Akron33f5c672019-06-24 19:40:47 +020023 }
24});
25
26# Mount fake backend
27# Get the fixture path
28my $fixtures_path = path(Mojo::File->new(__FILE__)->dirname, '..', 'server');
29my $fake_backend = $t->app->plugin(
30 Mount => {
31 $mount_point =>
32 $fixtures_path->child('mock.pl')
33 }
34);
35# Configure fake backend
Akroncdfd9d52019-07-23 11:35:00 +020036my $fake_backend_app = $fake_backend->pattern->defaults->{app};
37
38# Set general app logger for simplicity
39$fake_backend_app->log($t->app->log);
40
41my $access_token = $fake_backend_app->get_token('access_token');
42my $refresh_token = $fake_backend_app->get_token('refresh_token');
43my $access_token_2 = $fake_backend_app->get_token('access_token_2');
44my $refresh_token_2 = $fake_backend_app->get_token('refresh_token_2');
45
46# Some routes to modify the session
47# This expires the session
48$t->app->routes->get('/x/expire')->to(
49 cb => sub {
50 my $c = shift;
51 $c->session(auth_exp => 0);
52 return $c->render(text => 'okay')
53 }
54);
55
56# This expires the session and removes the refresh token
57$t->app->routes->get('/x/expire-no-refresh')->to(
58 cb => sub {
59 my $c = shift;
60 $c->session(auth_exp => 0);
61 delete $c->session->{auth_r};
62 return $c->render(text => 'okay')
63 }
64);
65
66# This sets an invalid token
67$t->app->routes->get('/x/invalid')->to(
68 cb => sub {
69 my $c = shift;
70 $c->session(auth_exp => time + 1000);
71 $c->session(auth_r => $refresh_token_2);
72 $c->session(auth => 'Bearer inv4lid');
73 return $c->render(text => 'okay')
74 }
75);
76
77
78# This sets an invalid token
79$t->app->routes->get('/x/invalid-no-refresh')->to(
80 cb => sub {
81 my $c = shift;
82 $c->session(auth_exp => time + 1000);
83 delete $c->session->{auth_r};
84 $c->session(auth => 'Bearer inv4lid');
85 return $c->render(text => 'okay')
86 }
87);
88
89# This sets an invalid refresh token
90$t->app->routes->get('/x/expired-with-wrong-refresh')->to(
91 cb => sub {
92 my $c = shift;
93 $c->session(auth_exp => 0);
94 $c->session(auth => 'Bearer inv4lid');
95 $c->session(auth_r => 'inv4lid');
96 return $c->render(text => 'okay')
97 }
98);
99
Akron33f5c672019-06-24 19:40:47 +0200100
Akron63d963b2019-07-05 15:35:51 +0200101$t->get_ok('/realapi/v1.0')
Akron33f5c672019-06-24 19:40:47 +0200102 ->status_is(200)
103 ->content_is('Fake server available');
104
105$t->get_ok('/?q=Baum')
106 ->status_is(200)
107 ->text_like('h1 span', qr/KorAP: Find .Baum./i)
108 ->text_like('#total-results', qr/\d+$/)
109 ->content_like(qr/\"authorized\"\:null/)
110 ->element_exists_not('div.button.top a')
111 ->element_exists_not('aside.active')
112 ->element_exists_not('aside.off')
113 ;
114
115$t->get_ok('/')
116 ->status_is(200)
117 ->element_exists('form[action=/user/login] input[name=handle_or_email]')
118 ->element_exists('aside.active')
119 ->element_exists_not('aside.off')
120 ;
121
122$t->post_ok('/user/login' => form => { handle_or_email => 'test', pwd => 'fail' })
123 ->status_is(302)
124 ->header_is('Location' => '/');
125
126$t->get_ok('/')
127 ->status_is(200)
128 ->element_exists('div.notify-error')
129 ->text_is('div.notify-error', 'Bad CSRF token')
130 ->element_exists('input[name=handle_or_email][value=test]')
131 ->element_exists_not('div.button.top a')
132 ;
133
134$t->post_ok('/user/login' => form => { handle_or_email => 'test', pwd => 'pass' })
135 ->status_is(302)
136 ->header_is('Location' => '/');
137
138my $csrf = $t->get_ok('/')
139 ->status_is(200)
140 ->element_exists('div.notify-error')
141 ->text_is('div.notify-error', 'Bad CSRF token')
142 ->element_exists_not('div.button.top a')
143 ->tx->res->dom->at('input[name=csrf_token]')->attr('value')
144 ;
145
146$t->post_ok('/user/login' => form => {
147 handle_or_email => 'test',
148 pwd => 'ldaperr',
149 csrf_token => $csrf
150})
151 ->status_is(302)
152 ->content_is('')
153 ->header_is('Location' => '/');
154
155$csrf = $t->get_ok('/')
156 ->status_is(200)
157 ->element_exists('div.notify-error')
158 ->text_is('div.notify-error', '2022: LDAP Authentication failed due to unknown user or password!')
159 ->element_exists('input[name=handle_or_email][value=test]')
160 ->element_exists_not('div.button.top a')
161 ->tx->res->dom->at('input[name=csrf_token]')->attr('value')
162 ;
163
164$t->post_ok('/user/login' => form => {
165 handle_or_email => 'test',
166 pwd => 'unknown',
167 csrf_token => $csrf
168})
169 ->status_is(302)
170 ->content_is('')
171 ->header_is('Location' => '/');
172
173$csrf = $t->get_ok('/')
174 ->status_is(200)
175 ->element_exists('div.notify-error')
Akron8bbbecf2019-07-01 18:57:30 +0200176 ->text_is('div.notify-error', '2022: LDAP Authentication failed due to unknown user or password!')
Akron33f5c672019-06-24 19:40:47 +0200177 ->element_exists('input[name=handle_or_email][value=test]')
178 ->element_exists_not('div.button.top a')
179 ->tx->res->dom->at('input[name=csrf_token]')->attr('value')
180 ;
181
182$t->post_ok('/user/login' => form => {
183 handle_or_email => 'test',
184 pwd => 'pass',
185 csrf_token => $csrf
186})
187 ->status_is(302)
188 ->content_is('')
189 ->header_is('Location' => '/');
190
191$t->get_ok('/')
192 ->status_is(200)
193 ->element_exists_not('div.notify-error')
194 ->element_exists('div.notify-success')
195 ->text_is('div.notify-success', 'Login successful')
196 ->element_exists('aside.off')
197 ->element_exists_not('aside.active')
198 ;
199
Akron33f5c672019-06-24 19:40:47 +0200200# Now the user is logged in and should be able to
201# search with authorization
202$t->get_ok('/?q=Baum')
203 ->status_is(200)
Akron4cefe1f2019-09-04 10:11:28 +0200204 ->session_has('/auth')
205 ->session_is('/auth', 'Bearer ' . $access_token)
206 ->session_is('/auth_r', $refresh_token)
207 ->session_is('/user', 'test')
Akron33f5c672019-06-24 19:40:47 +0200208 ->text_like('h1 span', qr/KorAP: Find .Baum./i)
209 ->text_like('#total-results', qr/\d+$/)
210 ->element_exists_not('div.notify-error')
211 ->content_like(qr/\"authorized\"\:\"yes\"/)
212 ->element_exists('div.button.top a')
213 ->element_exists('div.button.top a.logout[title~="test"]')
214 ;
215
216# Logout
217$t->get_ok('/user/logout')
218 ->status_is(302)
Akron4cefe1f2019-09-04 10:11:28 +0200219 ->session_hasnt('/auth')
220 ->session_hasnt('/auth_r')
221 ->session_hasnt('/user')
Akron33f5c672019-06-24 19:40:47 +0200222 ->header_is('Location' => '/');
223
224$t->get_ok('/')
225 ->status_is(200)
226 ->element_exists_not('div.notify-error')
227 ->element_exists('div.notify-success')
228 ->text_is('div.notify-success', 'Logout successful')
Akron4cefe1f2019-09-04 10:11:28 +0200229 ->element_exists("input[name=handle_or_email]")
230 ->element_exists("input[name=handle_or_email][value=test]")
Akron33f5c672019-06-24 19:40:47 +0200231 ;
232
233$t->get_ok('/?q=Baum')
234 ->status_is(200)
235 ->text_like('h1 span', qr/KorAP: Find .Baum./i)
236 ->text_like('#total-results', qr/\d+$/)
237 ->content_like(qr/\"authorized\"\:null/)
238 ;
239
240# Get redirect
241my $fwd = $t->get_ok('/?q=Baum&ql=poliqarp')
242 ->status_is(200)
243 ->element_exists_not('div.notify-error')
244 ->tx->res->dom->at('input[name=fwd]')->attr('value')
245 ;
246
247is($fwd, '/?q=Baum&ql=poliqarp', 'Redirect is valid');
248
249$t->post_ok('/user/login' => form => {
250 handle_or_email => 'test',
251 pwd => 'pass',
252 csrf_token => $csrf,
253 fwd => 'http://bad.example.com/test'
254})
255 ->status_is(302)
256 ->header_is('Location' => '/');
257
258$t->get_ok('/')
259 ->status_is(200)
260 ->element_exists('div.notify-error')
261 ->element_exists_not('div.notify-success')
262 ->text_is('div.notify-error', 'Redirect failure')
263 ;
264
265$t->post_ok('/user/login' => form => {
266 handle_or_email => 'test',
267 pwd => 'pass',
268 csrf_token => $csrf,
269 fwd => $fwd
270})
271 ->status_is(302)
272 ->header_is('Location' => '/?q=Baum&ql=poliqarp');
273
Akron8bbbecf2019-07-01 18:57:30 +0200274$t->get_ok('/?q=Baum&ql=poliqarp')
275 ->status_is(200)
276 ->element_exists_not('div.notify-error')
277 ->element_exists('div.notify-success')
278 ->text_is('div.notify-success', 'Login successful')
Akroncdfd9d52019-07-23 11:35:00 +0200279 ->session_has('/auth')
280 ->session_is('/auth', 'Bearer ' . $access_token)
281 ->session_is('/auth_r', $refresh_token)
282 ->header_isnt('X-Kalamar-Cache', 'true')
Akron8bbbecf2019-07-01 18:57:30 +0200283 ;
284
Akroncdfd9d52019-07-23 11:35:00 +0200285# Expire the session
286# (makes the token be marked as expired - though it isn't serverside)
287$t->get_ok('/x/expire')
Akron8bbbecf2019-07-01 18:57:30 +0200288 ->status_is(200)
Akroncdfd9d52019-07-23 11:35:00 +0200289 ->content_is('okay')
290 ;
291
292## It may be a problem, but the cache is still valid
293$t->get_ok('/?q=Baum')
294 ->status_is(200)
295 ->text_like('h1 span', qr/KorAP: Find .Baum./i)
296 ->text_like('#total-results', qr/\d+$/)
297 ->content_like(qr/\"authorized\"\:\"yes\"/)
298 ->header_is('X-Kalamar-Cache', 'true')
299 ;
300
301# Query without partial cache (unfortunately) (but no total results)
302$t->get_ok('/?q=baum&cutoff=true')
303 ->status_is(200)
304 ->session_is('/auth', 'Bearer ' . $access_token_2)
305 ->session_is('/auth_r', $refresh_token_2)
306 ->text_is('#error','')
307 ->text_is('title', 'KorAP: Find »baum« with Poliqarp')
308 ->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
309 ->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
310 ->content_like(qr/\"authorized\"\:\"yes\"/)
311 ->header_isnt('X-Kalamar-Cache', 'true')
312 ->content_like(qr!\"cutOff":true!)
313 ->element_exists_not('#total-results')
314 ;
315
316# Expire the session and remove the refresh option
317$t->get_ok('/x/expire-no-refresh')
318 ->status_is(200)
319 ->content_is('okay')
320 ;
321
322$t->app->defaults(no_cache => 1);
323
324
325$t->get_ok('/x/invalid-no-refresh')
326 ->status_is(200)
327 ->content_is('okay')
328 ;
329
330# Query without cache
331# The token is invalid and can't be refreshed!
332$t->get_ok('/?q=baum&cutoff=true')
Akron3c390c42020-03-30 09:06:21 +0200333 ->status_is(400)
Akroncdfd9d52019-07-23 11:35:00 +0200334 ->session_hasnt('/auth')
335 ->session_hasnt('/auth_r')
336 ->text_is('#error','')
337 ->text_is('div.notify-error','Access token invalid')
338 ->text_is('title', 'KorAP: Find »baum« with Poliqarp')
339 ->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
340 ->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
341 ->content_unlike(qr/\"authorized\"\:\"yes\"/)
342 ->header_isnt('X-Kalamar-Cache', 'true')
343 ->element_exists('p.no-results')
344 ;
345
346$t->get_ok('/x/invalid')
347 ->status_is(200)
348 ->content_is('okay')
349 ;
350
351# Query without cache
352# The token is invalid and can't be refreshed!
353$t->get_ok('/?q=baum&cutoff=true')
354 ->status_is(200)
355 ->session_is('/auth', 'Bearer ' . $access_token_2)
356 ->session_is('/auth_r', $refresh_token_2)
357 ->text_is('#error','')
358 ->element_exists_not('div.notify-error','Access token invalid')
359 ->text_is('title', 'KorAP: Find »baum« with Poliqarp')
360 ->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
361 ->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
362 ->content_like(qr/\"authorized\"\:\"yes\"/)
363 ->header_isnt('X-Kalamar-Cache', 'true')
364 ->element_exists_not('p.no-results')
Akron8bbbecf2019-07-01 18:57:30 +0200365 ;
366
Akron33f5c672019-06-24 19:40:47 +0200367
Akroncdfd9d52019-07-23 11:35:00 +0200368$t->get_ok('/x/expired-with-wrong-refresh')
369 ->status_is(200)
370 ->content_is('okay')
371 ;
Akron4796e002019-07-05 10:13:15 +0200372
Akron4796e002019-07-05 10:13:15 +0200373
Akroncdfd9d52019-07-23 11:35:00 +0200374# The token is invalid and can't be refreshed!
Akron59992122019-10-29 11:28:45 +0100375$csrf = $t->get_ok('/?q=baum&cutoff=true')
Akron3c390c42020-03-30 09:06:21 +0200376 ->status_is(400)
Akroncdfd9d52019-07-23 11:35:00 +0200377 ->session_hasnt('/auth')
378 ->session_hasnt('/auth_r')
379 ->text_is('#error','')
380 ->text_is('div.notify-error','Refresh token is expired')
381 ->text_is('title', 'KorAP: Find »baum« with Poliqarp')
382 ->content_unlike(qr/\"authorized\"\:\"yes\"/)
383 ->element_exists('p.no-results')
Akron59992122019-10-29 11:28:45 +0100384 ->tx->res->dom->at('input[name="csrf_token"]')
385 ->attr('value')
Akroncdfd9d52019-07-23 11:35:00 +0200386 ;
Akron4796e002019-07-05 10:13:15 +0200387
Akron59992122019-10-29 11:28:45 +0100388# Login:
389$t->post_ok('/user/login' => form => {
390 handle_or_email => 'test',
391 pwd => 'pass',
392 csrf_token => $csrf
393})
394 ->status_is(302)
395 ->content_is('')
396 ->header_is('Location' => '/');
397
398$t->get_ok('/')
399 ->status_is(200)
400 ->element_exists_not('div.notify-error')
401 ->element_exists('div.notify-success')
402 ->text_is('div.notify-success', 'Login successful')
403 ->element_exists('aside.off')
404 ->element_exists_not('aside.active')
405 ;
406
407$t->get_ok('/settings/oauth')
408 ->text_is('form.form-table legend', 'Register new client application')
409 ->attr_is('form.oauth-register','action', '/settings/oauth/register')
Akron1a9d5be2020-03-19 17:28:33 +0100410 ->element_exists('ul.client-list')
411 ->element_exists_not('ul.client-list > li')
412# ->text_is('ul.client-list > li > span.client-name', 'R statistical computing tool ')
413# ->text_is('ul.client-list > li > span.client-desc', 'R is a free software environment for statistical computing and graphics.')
414# ->text_is('ul.client-list > li > span.client-url a', 'https://www.r-project.org/')
415# ->text_is('ul.client-list > li a.client-unregister', 'Unregister')
416# ->attr_is('ul.client-list > li a.client-unregister', 'href', '/settings/oauth/unregister/9aHsGW6QflV13ixNpez?name=R+statistical+computing+tool')
Akron59992122019-10-29 11:28:45 +0100417 ;
Akron59992122019-10-29 11:28:45 +0100418$csrf = $t->post_ok('/settings/oauth/register' => form => {
419 name => 'MyApp',
420 type => 'PUBLIC',
421 desc => 'This is my application'
422})
423 ->text_is('div.notify-error', 'Bad CSRF token')
424 ->tx->res->dom->at('input[name="csrf_token"]')
425 ->attr('value')
426 ;
427
428$t->post_ok('/settings/oauth/register' => form => {
429 name => 'MyApp',
430 type => 'CONFIDENTIAL',
431 desc => 'This is my application',
432 csrf_token => $csrf
433})
434 ->status_is(200)
435 ->element_exists('div.notify-success')
436 ->text_is('legend', 'Client Credentials')
437 ->text_is('label[for=client_id]', 'ID of the client application')
438 ->element_exists('input[name=client_id][readonly][value]')
439 ->element_exists('input[name=client_secret][readonly][value]')
440 ;
Akron4796e002019-07-05 10:13:15 +0200441
Akron1a9d5be2020-03-19 17:28:33 +0100442$t->get_ok('/settings/oauth')
443 ->text_is('form.form-table legend', 'Register new client application')
444 ->attr_is('form.oauth-register','action', '/settings/oauth/register')
Akron17de86e2020-04-16 16:03:40 +0200445 ->text_is('ul.client-list > li > span.client-name a', 'MyApp')
Akron1a9d5be2020-03-19 17:28:33 +0100446 ->text_is('ul.client-list > li > span.client-desc', 'This is my application')
447 ->text_is('ul.client-list > li > span.client-url a', '')
Akron17de86e2020-04-16 16:03:40 +0200448 ;
449
450$t->get_ok('/settings/oauth/client/fCBbQkA2NDA3MzM1Yw==')
451 ->status_is(200)
452 ->text_is('form ul.client-list > li.client > span.client-name', 'MyApp')
453 ->text_is('form ul.client-list > li.client > span.client-desc', 'This is my application')
454 ->text_is('a.client-unregister', 'Unregister')
455 ->attr_is('a.client-unregister', 'href', '/settings/oauth/unregister/fCBbQkA2NDA3MzM1Yw==?name=MyApp')
Akron1a9d5be2020-03-19 17:28:33 +0100456 ;
457
458$csrf = $t->get_ok('/settings/oauth/unregister/fCBbQkA2NDA3MzM1Yw==?name=MyApp')
459 ->content_like(qr!Do you really want to unregister \<span class="client-name"\>MyApp\<\/span\>?!)
460 ->attr_is('form.form-table input[name=client-id]', 'value', 'fCBbQkA2NDA3MzM1Yw==')
461 ->attr_is('form.form-table input[name=client-name]', 'value', 'MyApp')
462 ->tx->res->dom->at('input[name="csrf_token"]')
463 ->attr('value')
464 ;
465
466$t->post_ok('/settings/oauth/unregister' => form => {
467 'client-name' => 'MyApp',
468 'client-id' => 'xxxx==',
469 'csrf_token' => $csrf
470})->status_is(302)
471 ->content_is('')
472 ->header_is('Location' => '/settings/oauth')
473 ;
474
475$t->get_ok('/settings/oauth')
476 ->text_is('form.form-table legend', 'Register new client application')
477 ->attr_is('form.oauth-register','action', '/settings/oauth/register')
478 ->element_exists('ul.client-list > li')
479 ->text_is('div.notify', 'Unknown client with xxxx==.')
480 ;
481
482$t->post_ok('/settings/oauth/unregister' => form => {
483 'client-name' => 'MyApp',
484 'client-id' => 'fCBbQkA2NDA3MzM1Yw==',
485 'csrf_token' => $csrf
486})->status_is(302)
487 ->content_is('')
488 ->header_is('Location' => '/settings/oauth')
489 ;
490
491$t->get_ok('/settings/oauth')
492 ->text_is('form.form-table legend', 'Register new client application')
493 ->attr_is('form.oauth-register','action', '/settings/oauth/register')
494 ->element_exists_not('ul.client-list > li')
495 ->text_is('div.notify-success', 'Successfully deleted MyApp')
496 ;
497
Akron33f5c672019-06-24 19:40:47 +0200498done_testing;
499__END__