#
# Copyright (C) 2015 - present Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
require_relative '../spec_helper'
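# Controller specs for JwtsController: minting a services JWT for the
# current session (#generate / `create`) and exchanging an existing JWT
# for a fresh one (#refresh). The security-relevant expectations are that
# neither endpoint works without a user session, that a JWT presented as a
# Bearer credential cannot be used to mint another JWT, and that a refresh
# of an invalid JWT is rejected with 400.
describe JwtsController do
  include_context "JWT setup"

  let(:token_user) { user_factory(active_user: true) }
  let(:other_user) { user_factory(active_user: true) }

  # Turns a controller response into the decrypted JWT payload so specs can
  # inspect its claims: strip the "while(1);" prefix Canvas puts in front of
  # JSON bodies, read the `token` field, base64-decode it and decrypt the
  # services JWT. Defined once at this level; the nested context previously
  # re-declared an identical copy, which only shadowed this one.
  let(:translate_token) do
    ->(resp) {
      json_body = resp.body.gsub("while(1);", "")
      encoded_token = JSON.parse(json_body)['token']
      encrypted_token = Canvas::Security.base64_decode(encoded_token)
      Canvas::Security.decrypt_services_jwt(encrypted_token)
    }
  end

  describe "#generate" do
    it "requires being logged in" do
      post 'create'
      expect(response).to be_redirect
      expect(response.status).to eq(302)
    end

    context "with valid user session" do
      before { user_session(token_user) }

      it "generates a base64 encoded token for a user session with env var secrets" do
        post 'create', format: 'json'
        decrypted_token_body = translate_token.call(response)
        # The subject claim must be the session user's global id.
        expect(decrypted_token_body[:sub]).to eq(token_user.global_id)
      end

      it "has the users domain in the token" do
        post 'create', format: 'json'
        decrypted_token_body = translate_token.call(response)
        expect(decrypted_token_body[:domain]).to eq("test.host")
      end
    end

    # A services JWT sent as a Bearer credential (no session) must not be
    # accepted as authentication for minting another JWT.
    it "doesn't allow using a token to gen a token" do
      token = Canvas::Security::ServicesJwt.generate({ sub: token_user.global_id })
      get 'create', {format: 'json'}, {'Authorization' => "Bearer #{token}"}
      expect(response.status).to_not eq(200)
    end
  end

  describe "#refresh" do
    it "requires being logged in" do
      post 'refresh'
      expect(response).to be_redirect
      expect(response.status).to eq(302)
    end

    # Same rule as for #generate: a bare Bearer JWT is not a session.
    it "doesn't allow using a token to gen a token" do
      token = Canvas::Security::ServicesJwt.generate({ sub: token_user.global_id })
      get 'refresh', {format: 'json'}, {'Authorization' => "Bearer #{token}"}
      expect(response.status).to_not eq(200)
    end

    context "with valid user session" do
      before do
        user_session(token_user)
        # The host is part of the refresh call; 'testhost' is what the
        # stubbed refresh_for_user below expects to receive.
        request.env['HTTP_HOST'] = 'testhost'
      end

      it "requires a jwt param" do
        post 'refresh'
        expect(response.status).to_not eq(200)
      end

      # Masquerade path: a site admin (real_user) refreshes a token on behalf
      # of other_user via as_user_id, and both identities must be passed
      # through to ServicesJwt.refresh_for_user.
      it "returns a refreshed token for user" do
        real_user = site_admin_user(active_user: true)
        user_with_pseudonym(user: other_user, username: "other@example.com")
        user_session(real_user)
        services_jwt = class_double(Canvas::Security::ServicesJwt).as_stubbed_const
        expect(services_jwt).to receive(:refresh_for_user)
          .with('testjwt', 'testhost', other_user, real_user: real_user)
          .and_return('refreshedjwt')
        post 'refresh', format: 'json', jwt: 'testjwt', as_user_id: other_user.id
        token = JSON.parse(response.body)['token']
        expect(token).to eq('refreshedjwt')
      end

      it "returns a different jwt when refresh is called" do
        original_jwt = Canvas::Security::ServicesJwt.for_user(
          request.env['HTTP_HOST'],
          token_user
        )
        post 'refresh', jwt: original_jwt
        refreshed_jwt = JSON.parse(response.body)['token']
        # A refresh must not hand back the token it was given.
        expect(refreshed_jwt).to_not eq(original_jwt)
      end

      it "returns an error if jwt is invalid for refresh" do
        # transfer_nested_constants keeps ServicesJwt::InvalidRefresh
        # resolvable through the stubbed constant so it can be raised below.
        services_jwt = class_double(Canvas::Security::ServicesJwt)
          .as_stubbed_const(transfer_nested_constants: true)
        expect(services_jwt).to receive(:refresh_for_user)
          .and_raise(Canvas::Security::ServicesJwt::InvalidRefresh)
        post 'refresh', format: 'json', jwt: 'testjwt'
        expect(response.status).to eq(400)
      end
    end
  end
end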