trabajo-afectivo/spec/requests/api_auth_on_behalf_of_spec.rb

# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

require 'rails_helper'

RSpec.describe 'Api Auth On Behalf Of', type: :request do

  let(:admin) do
    create(:admin, groups: Group.all)
  end
  let(:agent) do
    create(:agent)
  end
  let(:customer) do
    create(:customer, firstname: 'Behalf of')
  end

  describe 'request handling' do

    it 'does X-On-Behalf-Of auth - ticket create admin for customer by id' do
      params = {
        title:       'a new ticket #3',
        group:       'Users',
        priority:    '2 normal',
        state:       'new',
        customer_id: customer.id,
        article:     {
          body: 'some test 123',
        },
      }
      authenticated_as(admin, on_behalf_of: customer.id)
      post '/api/v1/tickets', params: params, as: :json
      expect(response).to have_http_status(:created)
      expect(json_response).to be_a_kind_of(Hash)
      expect(customer.id).to eq(json_response['created_by_id'])
    end

    it 'does X-On-Behalf-Of auth - ticket create admin for customer by login (upcase)' do
      params = {
        title:       'a new ticket #3',
        group:       'Users',
        priority:    '2 normal',
        state:       'new',
        customer_id: customer.id,
        article:     {
          body: 'some test 123',
        },
      }
      authenticated_as(admin, on_behalf_of: customer.login.upcase)
      post '/api/v1/tickets', params: params, as: :json
      expect(response).to have_http_status(:created)
      expect(json_response).to be_a_kind_of(Hash)
      expect(customer.id).to eq(json_response['created_by_id'])
    end

    it 'does X-On-Behalf-Of auth - ticket create admin for customer by login' do
      ActivityStream.cleanup(1.year)

      params = {
        title:       'a new ticket #3',
        group:       'Users',
        priority:    '2 normal',
        state:       'new',
        customer_id: customer.id,
        article:     {
          body: 'some test 123',
        },
      }
      authenticated_as(admin, on_behalf_of: customer.login)
      post '/api/v1/tickets', params: params, as: :json
      expect(response).to have_http_status(:created)
      json_response_ticket = json_response
      expect(json_response_ticket).to be_a_kind_of(Hash)
      expect(customer.id).to eq(json_response_ticket['created_by_id'])

      authenticated_as(admin)
      get '/api/v1/activity_stream?full=true', params: {}, as: :json
      expect(response).to have_http_status(:ok)
      json_response_activity = json_response
      expect(json_response_activity).to be_a_kind_of(Hash)

      ticket_created = nil
      json_response_activity['record_ids'].each do |record_id|
        activity_stream = ActivityStream.find(record_id)
        next if activity_stream.object.name != 'Ticket'
        next if activity_stream.o_id != json_response_ticket['id'].to_i

        ticket_created = activity_stream
      end

      expect(ticket_created).to be_truthy
      expect(customer.id).to eq(ticket_created.created_by_id)

      get '/api/v1/activity_stream', params: {}, as: :json
      expect(response).to have_http_status(:ok)
      json_response_activity = json_response
      expect(json_response_activity).to be_a_kind_of(Array)

      ticket_created = nil
      json_response_activity.each do |record|
        activity_stream = ActivityStream.find(record['id'])
        next if activity_stream.object.name != 'Ticket'
        next if activity_stream.o_id != json_response_ticket['id']

        ticket_created = activity_stream
      end

      expect(ticket_created).to be_truthy
      expect(customer.id).to eq(ticket_created.created_by_id)
    end

    it 'does X-On-Behalf-Of auth - ticket create admin for customer by email' do
      params = {
        title:       'a new ticket #3',
        group:       'Users',
        priority:    '2 normal',
        state:       'new',
        customer_id: customer.id,
        article:     {
          body: 'some test 123',
        },
      }
      authenticated_as(admin, on_behalf_of: customer.email)
      post '/api/v1/tickets', params: params, as: :json
      expect(response).to have_http_status(:created)
      expect(json_response).to be_a_kind_of(Hash)
      expect(customer.id).to eq(json_response['created_by_id'])
    end

    it 'does X-On-Behalf-Of auth - ticket create admin for unknown' do
      params = {
        title:       'a new ticket #3',
        group:       'Users',
        priority:    '2 normal',
        state:       'new',
        customer_id: customer.id,
        article:     {
          body: 'some test 123',
        },
      }
      authenticated_as(admin, on_behalf_of: 99_449_494_949)
      post '/api/v1/tickets', params: params, as: :json
      expect(response).to have_http_status(:forbidden)
      expect(@response.header).not_to be_key('Access-Control-Allow-Origin')
      expect(json_response).to be_a_kind_of(Hash)
      expect(json_response['error']).to eq("No such user '99449494949'")
    end

    it 'does X-On-Behalf-Of auth - ticket create customer for admin' do
      params = {
        title:       'a new ticket #3',
        group:       'Users',
        priority:    '2 normal',
        state:       'new',
        customer_id: customer.id,
        article:     {
          body: 'some test 123',
        },
      }
      authenticated_as(customer, on_behalf_of: admin.email)
      post '/api/v1/tickets', params: params, as: :json
      expect(response).to have_http_status(:forbidden)
      expect(@response.header).not_to be_key('Access-Control-Allow-Origin')
      expect(json_response).to be_a_kind_of(Hash)
      expect(json_response['error']).to eq("Current user has no permission to use 'X-On-Behalf-Of'!")
    end

    it 'does X-On-Behalf-Of auth - ticket create admin for customer by email but no permitted action' do
      params = {
        title:       'a new ticket #3',
        group:       'secret1234',
        priority:    '2 normal',
        state:       'new',
        customer_id: customer.id,
        article:     {
          body: 'some test 123',
        },
      }
      authenticated_as(admin, on_behalf_of: customer.email)
      post '/api/v1/tickets', params: params, as: :json
      expect(response).to have_http_status(:unprocessable_entity)
      expect(@response.header).not_to be_key('Access-Control-Allow-Origin')
      expect(json_response).to be_a_kind_of(Hash)
      expect(json_response['error']).to eq('No lookup value found for \'group\': "secret1234"')
    end

    context 'when Token Admin has no ticket.* permission' do

      let(:admin) { create(:user, firstname: 'Requester', roles: [admin_user_role]) }

      let(:token) { create(:token, user: admin, permissions: %w[admin.user]) }

      let(:admin_user_role) do
        create(:role).tap { |role| role.permission_grant('admin.user') }
      end

      it 'creates Ticket because of behalf of user permission' do
        params = {
          title:       'a new ticket #3',
          group:       'Users',
          priority:    '2 normal',
          state:       'new',
          customer_id: customer.id,
          article:     {
            body: 'some test 123',
          },
        }
        authenticated_as(admin, on_behalf_of: customer.email, token: token)
        post '/api/v1/tickets', params: params, as: :json
        expect(response).to have_http_status(:created)
        expect(json_response).to be_a_kind_of(Hash)
        expect(customer.id).to eq(json_response['created_by_id'])
      end
    end
  end
end
Maintenance: Update copyright information and add a new rubocop cop to watch over it. 2021-06-01 12:20:20 +00:00			`# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/`

Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`require 'rails_helper'`

			`RSpec.describe 'Api Auth On Behalf Of', type: :request do`

Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`let(:admin) do`
			`create(:admin, groups: Group.all)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`end`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`let(:agent) do`
			`create(:agent)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`end`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`let(:customer) do`
Fixes #3468: Not authorized error using Im X-On-Behalf-Of. 2021-04-01 15:14:25 +00:00			`create(:customer, firstname: 'Behalf of')`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`end`

			`describe 'request handling' do`

			`it 'does X-On-Behalf-Of auth - ticket create admin for customer by id' do`
			`params = {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`title: 'a new ticket #3',`
			`group: 'Users',`
			`priority: '2 normal',`
			`state: 'new',`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`customer_id: customer.id,`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`article: {`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`body: 'some test 123',`
			`},`
			`}`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`authenticated_as(admin, on_behalf_of: customer.id)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`post '/api/v1/tickets', params: params, as: :json`
Fixes #3316 - X-On-Behalf-Of does not downcase input. 2020-12-03 08:07:15 +00:00			`expect(response).to have_http_status(:created)`
			`expect(json_response).to be_a_kind_of(Hash)`
			`expect(customer.id).to eq(json_response['created_by_id'])`
			`end`

			`it 'does X-On-Behalf-Of auth - ticket create admin for customer by login (upcase)' do`
			`params = {`
			`title: 'a new ticket #3',`
			`group: 'Users',`
			`priority: '2 normal',`
			`state: 'new',`
			`customer_id: customer.id,`
			`article: {`
			`body: 'some test 123',`
			`},`
			`}`
			`authenticated_as(admin, on_behalf_of: customer.login.upcase)`
			`post '/api/v1/tickets', params: params, as: :json`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(response).to have_http_status(:created)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`expect(json_response).to be_a_kind_of(Hash)`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`expect(customer.id).to eq(json_response['created_by_id'])`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`end`

			`it 'does X-On-Behalf-Of auth - ticket create admin for customer by login' do`
			`ActivityStream.cleanup(1.year)`

			`params = {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`title: 'a new ticket #3',`
			`group: 'Users',`
			`priority: '2 normal',`
			`state: 'new',`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`customer_id: customer.id,`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`article: {`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`body: 'some test 123',`
			`},`
			`}`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`authenticated_as(admin, on_behalf_of: customer.login)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`post '/api/v1/tickets', params: params, as: :json`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(response).to have_http_status(:created)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`json_response_ticket = json_response`
			`expect(json_response_ticket).to be_a_kind_of(Hash)`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`expect(customer.id).to eq(json_response_ticket['created_by_id'])`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`authenticated_as(admin)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`get '/api/v1/activity_stream?full=true', params: {}, as: :json`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(response).to have_http_status(:ok)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`json_response_activity = json_response`
			`expect(json_response_activity).to be_a_kind_of(Hash)`

			`ticket_created = nil`
			`json_response_activity['record_ids'].each do \|record_id\|`
			`activity_stream = ActivityStream.find(record_id)`
			`next if activity_stream.object.name != 'Ticket'`
			`next if activity_stream.o_id != json_response_ticket['id'].to_i`
Updated rubocop to latest version (0.59.2) and applied required changes. 2018-10-09 06:17:41 +00:00
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`ticket_created = activity_stream`
			`end`

			`expect(ticket_created).to be_truthy`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`expect(customer.id).to eq(ticket_created.created_by_id)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00
			`get '/api/v1/activity_stream', params: {}, as: :json`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(response).to have_http_status(:ok)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`json_response_activity = json_response`
			`expect(json_response_activity).to be_a_kind_of(Array)`

			`ticket_created = nil`
			`json_response_activity.each do \|record\|`
			`activity_stream = ActivityStream.find(record['id'])`
			`next if activity_stream.object.name != 'Ticket'`
			`next if activity_stream.o_id != json_response_ticket['id']`
Updated rubocop to latest version (0.59.2) and applied required changes. 2018-10-09 06:17:41 +00:00
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`ticket_created = activity_stream`
			`end`

			`expect(ticket_created).to be_truthy`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`expect(customer.id).to eq(ticket_created.created_by_id)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`end`

			`it 'does X-On-Behalf-Of auth - ticket create admin for customer by email' do`
			`params = {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`title: 'a new ticket #3',`
			`group: 'Users',`
			`priority: '2 normal',`
			`state: 'new',`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`customer_id: customer.id,`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`article: {`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`body: 'some test 123',`
			`},`
			`}`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`authenticated_as(admin, on_behalf_of: customer.email)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`post '/api/v1/tickets', params: params, as: :json`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(response).to have_http_status(:created)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`expect(json_response).to be_a_kind_of(Hash)`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`expect(customer.id).to eq(json_response['created_by_id'])`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`end`

			`it 'does X-On-Behalf-Of auth - ticket create admin for unknown' do`
			`params = {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`title: 'a new ticket #3',`
			`group: 'Users',`
			`priority: '2 normal',`
			`state: 'new',`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`customer_id: customer.id,`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`article: {`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`body: 'some test 123',`
			`},`
			`}`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`authenticated_as(admin, on_behalf_of: 99_449_494_949)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`post '/api/v1/tickets', params: params, as: :json`
Fixes issue #2983 - HTTP 401 responses causing issues with Basic Authentication. 2021-02-04 08:28:41 +00:00			`expect(response).to have_http_status(:forbidden)`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(@response.header).not_to be_key('Access-Control-Allow-Origin')`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`expect(json_response).to be_a_kind_of(Hash)`
			`expect(json_response['error']).to eq("No such user '99449494949'")`
			`end`

			`it 'does X-On-Behalf-Of auth - ticket create customer for admin' do`
			`params = {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`title: 'a new ticket #3',`
			`group: 'Users',`
			`priority: '2 normal',`
			`state: 'new',`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`customer_id: customer.id,`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`article: {`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`body: 'some test 123',`
			`},`
			`}`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`authenticated_as(customer, on_behalf_of: admin.email)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`post '/api/v1/tickets', params: params, as: :json`
Fixes issue #2983 - HTTP 401 responses causing issues with Basic Authentication. 2021-02-04 08:28:41 +00:00			`expect(response).to have_http_status(:forbidden)`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(@response.header).not_to be_key('Access-Control-Allow-Origin')`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`expect(json_response).to be_a_kind_of(Hash)`
			`expect(json_response['error']).to eq("Current user has no permission to use 'X-On-Behalf-Of'!")`
			`end`

			`it 'does X-On-Behalf-Of auth - ticket create admin for customer by email but no permitted action' do`
			`params = {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`title: 'a new ticket #3',`
			`group: 'secret1234',`
			`priority: '2 normal',`
			`state: 'new',`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`customer_id: customer.id,`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`article: {`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`body: 'some test 123',`
			`},`
			`}`
Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`authenticated_as(admin, on_behalf_of: customer.email)`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`post '/api/v1/tickets', params: params, as: :json`
Fix auto-correctable rubocop offenses in test suite 2019-04-15 01:41:17 +00:00			`expect(response).to have_http_status(:unprocessable_entity)`
			`expect(@response.header).not_to be_key('Access-Control-Allow-Origin')`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`expect(json_response).to be_a_kind_of(Hash)`
			`expect(json_response['error']).to eq('No lookup value found for \'group\': "secret1234"')`
			`end`
Fixes #3468: Not authorized error using Im X-On-Behalf-Of. 2021-04-01 15:14:25 +00:00
			`context 'when Token Admin has no ticket.* permission' do`

			`let(:admin) { create(:user, firstname: 'Requester', roles: [admin_user_role]) }`

			`let(:token) { create(:token, user: admin, permissions: %w[admin.user]) }`

			`let(:admin_user_role) do`
			`create(:role).tap { \|role\| role.permission_grant('admin.user') }`
			`end`

			`it 'creates Ticket because of behalf of user permission' do`
			`params = {`
			`title: 'a new ticket #3',`
			`group: 'Users',`
			`priority: '2 normal',`
			`state: 'new',`
			`customer_id: customer.id,`
			`article: {`
			`body: 'some test 123',`
			`},`
			`}`
			`authenticated_as(admin, on_behalf_of: customer.email, token: token)`
			`post '/api/v1/tickets', params: params, as: :json`
			`expect(response).to have_http_status(:created)`
			`expect(json_response).to be_a_kind_of(Hash)`
			`expect(customer.id).to eq(json_response['created_by_id'])`
			`end`
			`end`
Refactored all controller mini tests and migrated them to rspec request specs 2018-09-19 13:54:49 +00:00			`end`
			`end`