From db4b1d3822daf0a0da0ba6e838231251950f3f2e Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sun, 19 Nov 2017 18:11:34 +0100
Subject: Add: scenario for testing unauthorized access

---
 yarns/100-projects.yarn | 5 ++-
 yarns/300-workers.yarn | 5 ++-
 yarns/400-build.yarn | 25 ++++++------
 yarns/500-build-fail.yarn | 13 ++++---
 yarns/600-unauthz.yarn | 97 +++++++++++++++++++++++++++++++++++++++++++++++
 yarns/900-implements.yarn | 48 +++++++++++++++++++++--
 6 files changed, 168 insertions(+), 25 deletions(-)
 create mode 100644 yarns/600-unauthz.yarn

diff --git a/yarns/100-projects.yarn b/yarns/100-projects.yarn
index a4793b3..0aa57b0 100644
--- a/yarns/100-projects.yarn
+++ b/yarns/100-projects.yarn
@@ -75,7 +75,7 @@ building them. We start by starting an instance of the controller.
 THEN result has status code 200
 AND body matches { "projects": [] }
 
- WHEN user makes request POST /projects
+ WHEN user makes request POST /projects with a valid token and body
 ... {
 ... "project": "website",
 ... "pipelines": [
@@ -146,7 +146,8 @@ building them. We start by starting an instance of the controller.
 ... ]
 ... }
 
- WHEN user makes request PUT /projects/website
+ WHEN user makes request PUT /projects/website with a valid token
+ ... and body
 ... {
 ... "project": "website",
 ... "pipelines": [
diff --git a/yarns/300-workers.yarn b/yarns/300-workers.yarn
index 16bd108..c94f47c 100644
--- a/yarns/300-workers.yarn
+++ b/yarns/300-workers.yarn
@@ -66,7 +66,7 @@ controller API. It doesn't actually talk to the worker itself.
 THEN result has status code 200
 AND body matches { "workers": [] }
 
- WHEN user makes request POST /workers
+ WHEN user makes request POST /workers with a valid token and body
 ... {
 ... "worker": "obelix",
 ... "protocol": "ssh",
@@ -121,7 +121,8 @@ controller API. It doesn't actually talk to the worker itself.
 ... }
 ... }
 
- WHEN user makes request PUT /workers/obelix
+ WHEN user makes request PUT /workers/obelix with a valid token
+ ... and body
 ... {
 ... "worker": "obelix",
 ... "protocol": "local",
diff --git a/yarns/400-build.yarn b/yarns/400-build.yarn
index 07ae2f7..30dbc5b 100644
--- a/yarns/400-build.yarn
+++ b/yarns/400-build.yarn
@@ -29,8 +29,8 @@ Set up the controller.
 AND controller config uses statedir at the state directory
 AND an access token for user with scopes
 ... uapi_projects_post
- ... uapi_projects_id_pipeline_id_put
- ... uapi_projects_id_pipeline_id_get
+ ... uapi_projects_id_pipelines_id_put
+ ... uapi_projects_id_pipelines_id_get
 ... uapi_projects_id_builds_get
 ... uapi_workers_id_get
 ... uapi_builds_get
@@ -40,7 +40,7 @@ Set up the controller.
 
 Add up a project.
 
- WHEN user makes request POST /projects
+ WHEN user makes request POST /projects with a valid token and body
 ... {
 ... "project": "rome",
 ... "pipelines": [
@@ -70,7 +70,8 @@ Register a worker.
 GIVEN an access token for worker-manager with scopes
 ... uapi_workers_post
 ... uapi_work_post
- WHEN worker-manager makes request POST /workers
+ ... uapi_work_id_get
+ WHEN worker-manager makes request POST /workers with a valid token and body
 ... {
 ... "worker": "obelix"
 ... }
@@ -79,11 +80,11 @@ Register a worker.
 Trigger build. First with an invalid status, then a real one.
 
 WHEN user makes request PUT /projects/rome/pipelines/construct
- ... { "status": "VANDALS!" }
+ ... with a valid token and body { "status": "VANDALS!" }
 THEN result has status code 400
 
 WHEN user makes request PUT /projects/rome/pipelines/construct
- ... { "status": "triggered" }
+ ... with a valid token and body { "status": "triggered" }
 THEN result has status code 200
 
 Worker wants work and gets the first step to run. If the worker asks
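Review bot: The user token in the `@@ -29,8` hunk previously listed `uapi_projects_id_pipeline_id_put`/`_get` (singular), which does not match the `/projects/rome/pipelines/construct` route, yet the PUT on that route returned 200 in this scenario, so either the scope check on that route was not being enforced or the scope was named differently on the controller side; the rename alone does not say which. The `@@ -70,7` hunk likewise grants worker-manager `uapi_work_id_get`, which `GET /work/obelix` later in this file already succeeded without. Both read as scope enforcement being tightened in a companion change, and this file would benefit from one negative step that pins it, e.g. `WHEN user makes request GET /work/obelix` followed by `THEN result has status code 403` (or whatever the controller returns for a missing scope), since the user token is not granted that scope here. The same scope rename and `uapi_work_id_get` addition recur in yarns/500-build-fail.yarn below.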
@@ -171,7 +172,7 @@ User can now see pipeline is running and which worker is building it.
 
 Worker reports some build output. Note the null exit code.
 
- WHEN worker-manager makes request POST /work
+ WHEN worker-manager makes request POST /work with a valid token and body
 ... {
 ... "build_id": 1,
 ... "worker": "obelix",
@@ -210,7 +211,7 @@ The build log is immediately accessible.
 
 Report the step is done, and successfully.
 
- WHEN worker-manager makes request POST /work
+ WHEN worker-manager makes request POST /work with a valid token and body
 ... {
 ... "build_id": 1,
 ... "worker": "obelix",
@@ -267,7 +268,7 @@ User sees changed status.
 
 Report it done.
 
- WHEN worker-manager makes request POST /work
+ WHEN worker-manager makes request POST /work with a valid token and body
 ... {
 ... "build_id": 1,
 ... "worker": "obelix",
@@ -332,7 +333,7 @@ Also, there's a build with a log.
 Start build again. This should become build number 2.
 
 WHEN user makes request PUT /projects/rome/pipelines/construct
- ... { "status": "triggered" }
+ ... with a valid token and body { "status": "triggered" }
 THEN result has status code 200
 
 WHEN worker-manager makes request GET /work/obelix
@@ -374,7 +375,7 @@ Start build again. This should become build number 2.
 ... ]
 ... }
 
- WHEN worker-manager makes request POST /work
+ WHEN worker-manager makes request POST /work with a valid token and body
 ... {
 ... "build_id": 2,
 ... "worker": "obelix",
@@ -390,7 +391,7 @@ Start build again. This should become build number 2.
 WHEN worker-manager makes request GET /work/obelix
 THEN result has status code 200
 
- WHEN worker-manager makes request POST /work
+ WHEN worker-manager makes request POST /work with a valid token and body
 ... {
 ... "build_id": 2,
 ... "worker": "obelix",
diff --git a/yarns/500-build-fail.yarn b/yarns/500-build-fail.yarn
index cfa1a12..e0c35b0 100644
--- a/yarns/500-build-fail.yarn
+++ b/yarns/500-build-fail.yarn
@@ -30,8 +30,8 @@ Set up the controller.
 AND controller config uses statedir at the state directory
 AND an access token for user with scopes
 ... uapi_projects_post
- ... uapi_projects_id_pipeline_id_put
- ... uapi_projects_id_pipeline_id_get
+ ... uapi_projects_id_pipelines_id_put
+ ... uapi_projects_id_pipelines_id_get
 ... uapi_projects_id_builds_get
 ... uapi_workers_id_get
 ... uapi_builds_get
@@ -41,7 +41,7 @@ Set up the controller.
 
 Add up a project.
 
- WHEN user makes request POST /projects
+ WHEN user makes request POST /projects with a valid token and body
 ... {
 ... "project": "rome",
 ... "pipelines": [
@@ -61,7 +61,8 @@ Register a worker.
 GIVEN an access token for worker-manager with scopes
 ... uapi_workers_post
 ... uapi_work_post
- WHEN worker-manager makes request POST /workers
+ ... uapi_work_id_get
+ WHEN worker-manager makes request POST /workers with a valid token and body
 ... {
 ... "worker": "obelix"
 ... }
@@ -70,7 +71,7 @@ Register a worker.
 Trigger build. First with an invalid status, then a real one.
 
 WHEN user makes request PUT /projects/rome/pipelines/construct
- ... { "status": "triggered" }
+ ... with a valid token and body { "status": "triggered" }
 THEN result has status code 200
 
 Worker wants work and gets the first step to run.
@@ -93,7 +94,7 @@ Worker wants work and gets the first step to run.
 
 Worker reports some build output. Note the exit code indicating failure.
 
- WHEN worker-manager makes request POST /work
+ WHEN worker-manager makes request POST /work with a valid token and body
 ... {
 ... "build_id": 1,
 ... "worker": "obelix",
diff --git a/yarns/600-unauthz.yarn b/yarns/600-unauthz.yarn
new file mode 100644
index 0000000..7eaf902
--- /dev/null
+++ b/yarns/600-unauthz.yarn
@@ -0,0 +1,97 @@
+
+
+ # Unauthorized requests
+
+ This scenario make unauthorized requests and checks the right error is
+ returned.
+
+ SCENARIO unauthorized requests
+
+ Set up the controller.
+
+ GIVEN an RSA key pair for token signing
+ AND controller config uses statedir at the state directory
+ AND an access token for user with scopes
+ ... uapi_projects_post
+ ... uapi_projects_id_pipelines_id_put
+ ... uapi_projects_id_pipelines_id_get
+ ... uapi_projects_id_builds_get
+ ... uapi_workers_id_get
+ ... uapi_builds_get
+ ... uapi_builds_id_get
+ ... uapi_logs_id_get
+ AND a running ick controller
+
+ WHEN user makes request POST /projects with a valid token and body
+ ... {
+ ... "project": "rome",
+ ... "pipelines": [
+ ... {
+ ... "name": "construct",
+ ... "actions": [
+ ... { "shell": "day 1" },
+ ... { "shell": "day 2" }
+ ... ]
+ ... }
+ ... ]
+ ... }
+ THEN result has status code 201
+
+ GIVEN an access token for outsider with scopes
+ ... uapi_version_get
+ WHEN outsider makes request POST /projects
+ ... with an invalid token and body {}
+ THEN result has status code 401
+
+ WHEN outsider makes request
+ ... GET /projects/rome/pipelines/construct
+ ... with an invalid token
+ THEN result has status code 401
+
+ WHEN outsider makes request GET /builds with an invalid token
+ THEN result has status code 401
+
+ WHEN outsider makes request
+ ... POST /workers with an invalid token and body [}
+ THEN result has status code 401
+
+ WHEN outsider makes request
+ ... PUT /projects/rome/pipelines/construct with an invalid token
+ THEN result has status code 401
+
+ WHEN outsider makes request
+ ... GET /work/obelix with an invalid token
+ THEN result has status code 401
+
+ WHEN outsider makes request
+ ... GET /workers/obelix with an invalid token
+ THEN result has status code 401
+
+ WHEN outsider makes request
+ ...
GET /builds with an invalid token
+ THEN result has status code 401
+
+ WHEN outsider makes request GET /logs/1 with an invalid token
+ THEN result has status code 401
+
+ WHEN outsider makes request POST /work with an invalid token and body {}
+ THEN result has status code 401
+
+ FINALLY stop ick controller
diff --git a/yarns/900-implements.yarn b/yarns/900-implements.yarn
index 5fb476c..d08cbc9 100644
--- a/yarns/900-implements.yarn
+++ b/yarns/900-implements.yarn
@@ -32,7 +32,18 @@ along with this program. If not, see .
 vars['headers'] = headers
 vars['body'] = body
 
- IMPLEMENTS WHEN (\S+) makes request POST (\S+) (.+)
+ IMPLEMENTS WHEN (\S+) makes request GET (\S+) with an invalid token
+ user = get_next_match()
+ path = get_next_match()
+ token = get_token(user)
+ url = vars['url']
+ status, content_type, headers, body = get(url + path, 'invalid')
+ vars['status_code'] = status
+ vars['content_type'] = content_type
+ vars['headers'] = headers
+ vars['body'] = body
+
+ IMPLEMENTS WHEN (\S+) makes request POST (\S+) with a valid token and body (.+)
 user = get_next_match()
 path = get_next_match()
 body_text = get_next_match()
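Review bot: Every request in this scenario is made `with an invalid token`, which the implementations map to the literal string `'invalid'`, so the outsider token created with scope `uapi_version_get` is never sent and a well-formed token that lacks the required scope — the authorization failure the scenario title promises — is never checked. A step such as `WHEN outsider makes request GET /builds` followed by `THEN result has status code 403` (or whatever status the controller returns for insufficient scope) would cover it, assuming the existing plain GET step sends `get_token(user)`; a request with no token at all is the other unauthenticated path that is not exercised. `GET /builds with an invalid token` appears twice; if the second was meant as `GET /builds/1` (scope `uapi_builds_id_get`), that endpoint is currently untested. The `[}` body on `POST /workers` looks like a typo for `{}`, unless refusing the token before the body is read is the point, in which case one sentence of prose saying so would help. The prose line `This scenario make unauthorized requests` should read `makes`.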
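Review bot: In the new `GET (\S+) with an invalid token` implementation `token = get_token(user)` is assigned and never used, because `get()` is called with the literal `'invalid'`; the same dead assignment recurs in the `POST ... with an invalid token and body` and `PUT ... with an invalid token` implementations in the next two hunks. Unless `get_token` has a side effect the yarn relies on, either drop the call or keep the real token and add a sibling step that sends it, so the scope check is exercised alongside the bad-token check. A comment on the literal would also help a reader, e.g. `# 'invalid' is deliberately not a signed token: this covers the malformed-token path only`. The three invalid-token bodies repeat the same `url`/request/four-`vars[...]` tail, which a small helper taking the response tuple could replace. The `POST ... with a valid token and body` implementation continues past the end of this hunk.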
@@ -46,12 +57,28 @@ along with this program. If not, see .
 vars['headers'] = headers
 vars['body'] = body
 
- IMPLEMENTS WHEN user makes request PUT (\S+) (.+)
+ IMPLEMENTS WHEN (\S+) makes request POST (\S+) with an invalid token and body (.+)
+ user = get_next_match()
+ path = get_next_match()
+ body_text = get_next_match()
+ print('path', path)
+ print('body', body_text)
+ token = get_token(user)
+ url = vars['url']
+ status, content_type, headers, body = post(url + path, body_text, 'invalid')
+ vars['status_code'] = status
+ vars['content_type'] = content_type
+ vars['headers'] = headers
+ vars['body'] = body
+
+ IMPLEMENTS WHEN (\S+) makes request PUT (\S+) with a valid token and body (.+)
+ user = get_next_match()
 path = get_next_match()
 body_text = get_next_match()
+ print('user', user)
 print('path', path)
 print('body', body_text)
- token = get_token('user')
+ token = get_token(user)
 url = vars['url']
 status, content_type, headers, body = put(url + path, body_text, token)
 vars['status_code'] = status
@@ -59,6 +86,21 @@ along with this program. If not, see .
 vars['headers'] = headers
 vars['body'] = body
 
+ IMPLEMENTS WHEN (\S+) makes request PUT (\S+) with an invalid token
+ user = get_next_match()
+ path = get_next_match()
+ body_text = '{}'
+ print('user', user)
+ print('path', path)
+ print('body', body_text)
+ token = get_token(user)
+ url = vars['url']
+ status, content_type, headers, body = put(url + path, body_text, 'invalid')
+ vars['status_code'] = status
+ vars['content_type'] = content_type
+ vars['headers'] = headers
+ vars['body'] = body
+
 IMPLEMENTS WHEN (\S+) makes request DELETE (\S+)
 user = get_next_match()
 path = get_next_match()
-- 
cgit v1.2.1
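Review bot: `body_text = '{}'` is hard-coded in the new `PUT (\S+) with an invalid token` implementation in the `@@ -59,6` hunk, while the POST counterpart in the `@@ -46,12` hunk takes the body from the step text, so a reader of the yarn cannot tell that a body is sent at all; either accept `and body (.+)` as POST does, or state the choice, `# body is a placeholder: the request is expected to be refused on the token before the body is read`. The `print('user', user)`/`print('path', path)`/`print('body', body_text)` lines added here and in the valid-token PUT are debugging output; if they are meant to stay as diagnostics, the GET variant in the previous hunk lacks them, so the three implementations are inconsistent. Replacing `get_token('user')` with `get_token(user)` in the valid-token PUT is the right fix, and it now matches the `(\S+)` user capture that the other IMPLEMENTS blocks already use.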