authorAlex Legler <alex@a3li.li>2011-09-04 01:24:31 +0200
committerAlex Legler <alex@a3li.li>2011-09-04 01:24:31 +0200
commitd9c95b12ab63093adc60ad3b45a79af089c27373 (patch)
tree95bba8cce0a215988eaa92254a86f807456245d8 /test
parentMark output html_safe in the glsa txt view (diff)
Add tests to properly test permissions throughout the application
Diffstat (limited to 'test')
-rw-r--r--test/fixtures/glsas.yml17
-rw-r--r--test/fixtures/revisions.yml20
-rw-r--r--test/fixtures/users.yml45
-rw-r--r--test/functional/admin/index_controller_test.rb4
-rw-r--r--test/functional/admin/templates_controller_test.rb4
-rw-r--r--test/functional/admin/users_controller_test.rb4
-rw-r--r--test/functional/glsa_controller_test.rb81
-rw-r--r--test/integration/authentication_test.rb20
-rw-r--r--test/test_helper.rb29
9 files changed, 209 insertions, 15 deletions
diff --git a/test/fixtures/glsas.yml b/test/fixtures/glsas.yml
index be4ea3b..e5e93e3 100644
--- a/test/fixtures/glsas.yml
+++ b/test/fixtures/glsas.yml
@@ -4,4 +4,19 @@ glsa_one:
glsa_two:
id: 2
- glsa_id: GLSA-200901-02 \ No newline at end of file
+ glsa_id: GLSA-200901-02
+
+restricted_glsa:
+ id: 3
+ glsa_id: GLSA-201101-01
+ restricted: true
+ status: draft
+ requester: 1
+ submitter: 1
+
+contributor_draft:
+ id: 4
+ glsa_id: deadbabe
+ status: draft
+ requester: 4
+ submitter: 4 \ No newline at end of file
diff --git a/test/fixtures/revisions.yml b/test/fixtures/revisions.yml
index dafe454..26e97ad 100644
--- a/test/fixtures/revisions.yml
+++ b/test/fixtures/revisions.yml
@@ -28,4 +28,24 @@ revision_three:
title: GLSA 2
access: remote
severity: high
+ description: blah
+
+revision_four:
+ id: 4
+ glsa_id: 3
+ revid: 0
+ user_id: 1
+ title: GLSA 3 (restricted)
+ access: remote
+ severity: high
+ description: blah
+
+revision_five:
+ id: 5
+ glsa_id: 4
+ revid: 0
+ user_id: 1
+ title: GLSA 4 (contributor draft)
+ access: remote
+ severity: high
description: blah \ No newline at end of file
diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml
index a4ba4de..6292256 100644
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -1,12 +1,47 @@
test_user:
id: 1
login: test
- name: foo
- email: foo@bar.org
+ name: Tim Est
+ email: user@localhost.invalid
test_admin:
id: 2
login: admin
- name: Admin
- email: ad@min.invalid
- jefe: true \ No newline at end of file
+ name: Alex Dmin
+ email: admin@localhost.invalid
+ jefe: true
+
+test_locked:
+ id: 3
+ login: locked
+ name: Leroy Ocked
+ email: locked@localhost.invalid
+ disabled: true
+
+test_contributor:
+ id: 4
+ login: contributor
+ name: Carl Ontributor
+ email: contributor@localhost.invalid
+ access: 0
+
+test_padawan:
+ id: 5
+ login: padawan
+ name: Peter Adawan
+ email: padawan@localhost.invalid
+ access: 1
+
+test_member:
+ id: 6
+ login: member
+ name: Mike Ember
+ email: member@localhost.invalid
+ access: 2
+
+test_confidential_member:
+ id: 7
+ login: confidential_member
+ name: James Bond
+ email: confidential_member@localhost.invalid
+ access: 3 \ No newline at end of file
diff --git a/test/functional/admin/index_controller_test.rb b/test/functional/admin/index_controller_test.rb
index b6d0cd1..443aec6 100644
--- a/test/functional/admin/index_controller_test.rb
+++ b/test/functional/admin/index_controller_test.rb
@@ -2,13 +2,13 @@ require 'test_helper'
class Admin::IndexControllerTest < ActionController::TestCase
test "should work for admins" do
- @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds('admin', GLSAMAKER_DEVEL_PASSWORD)
+ log_in_as :admin
get :index
assert_response :success
end
test "should not grant access to regular users" do
- @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds('test', GLSAMAKER_DEVEL_PASSWORD)
+ log_in_as :user
get :index
assert_redirected_to :controller => '/index', :action => 'error', :type => 'access'
end
diff --git a/test/functional/admin/templates_controller_test.rb b/test/functional/admin/templates_controller_test.rb
index 37b8680..38c972b 100644
--- a/test/functional/admin/templates_controller_test.rb
+++ b/test/functional/admin/templates_controller_test.rb
@@ -3,11 +3,11 @@ require 'test_helper'
class Admin::TemplatesControllerTest < ActionController::TestCase
setup do
@template = templates(:one)
- @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds('admin', GLSAMAKER_DEVEL_PASSWORD)
+ log_in_as :admin
end
test "should not grant access to regular users" do
- @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds('test', GLSAMAKER_DEVEL_PASSWORD)
+ log_in_as :user
get :index
assert_redirected_to :controller => '/index', :action => 'error', :type => 'access'
end
diff --git a/test/functional/admin/users_controller_test.rb b/test/functional/admin/users_controller_test.rb
index ea0a0c1..03976e7 100644
--- a/test/functional/admin/users_controller_test.rb
+++ b/test/functional/admin/users_controller_test.rb
@@ -2,13 +2,13 @@ require 'test_helper'
class Admin::UsersControllerTest < ActionController::TestCase
test "should work for admins" do
- @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds('admin', GLSAMAKER_DEVEL_PASSWORD)
+ log_in_as :admin
get :index
assert_response :success
end
test "should not grant access to regular users" do
- @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds('test', GLSAMAKER_DEVEL_PASSWORD)
+ log_in_as :user
get :index
assert_redirected_to :controller => '/index', :action => 'error', :type => 'access'
end
diff --git a/test/functional/glsa_controller_test.rb b/test/functional/glsa_controller_test.rb
index bc0900b..e68c570 100644
--- a/test/functional/glsa_controller_test.rb
+++ b/test/functional/glsa_controller_test.rb
@@ -1,8 +1,83 @@
require 'test_helper'
class GlsaControllerTest < ActionController::TestCase
- # Replace this with your real tests.
- test "the truth" do
- assert true
+ fixtures :glsas
+
+ def setup
+ @actions = [:show, :edit, :update, :diff, :prepare_release, :release, :import_references]
+ end
+
+ # Basic tests for the four permission groups
+ test "should apply contributor permissions for restricted advisories correctly" do
+ @actions.each do |action|
+ log_in_as :contributor
+ get action, :id => glsas(:restricted_glsa).id
+ assert_access_denied "Failed action: #{action.to_s}"
+ end
+ end
+
+ test "should apply padawan permissions for restricted advisories correctly" do
+ @actions.each do |action|
+ log_in_as :padawan
+ get action, :id => glsas(:restricted_glsa).id
+ assert_access_denied "Failed action: #{action.to_s}"
+ end
+ end
+
+ test "should apply regular member permissions for restricted advisories correctly" do
+ @actions.each do |action|
+ log_in_as :full_member
+ get action, :id => glsas(:restricted_glsa).id
+ assert_access_denied "Failed action: #{action.to_s}"
+ end
+ end
+
+ test "should apply confidential member permissions for restricted advisories correctly" do
+ @actions.each do |action|
+ next if action == :update # TODO
+ next if action == :diff # TODO
+
+ next if action == :prepare_release # Confidential drafts cannot be released
+ next if action == :release # ditto
+
+ log_in_as :confidential_member
+ get action, :id => glsas(:restricted_glsa).id
+ assert_response :success, "Failed action: #{action.to_s}"
+ end
end
+
+ # Specific tests for contributors
+ test "should apply contributor permissions for their own drafts correctly" do
+ @actions.each do |action|
+ next if action == :update # TODO
+ next if action == :diff # TODO
+
+ next if action == :prepare_release # Off-limits for contributors
+ next if action == :release # ditto
+
+ log_in_as :contributor
+ get action, :id => glsas(:contributor_draft).id
+ assert_response :success, "Failed action: #{action.to_s}"
+ end
+ end
+
+ test "should apply contributor permissions for other drafts correctly" do
+ @actions.each do |action|
+ log_in_as :contributor
+ get action, :id => glsas(:glsa_one).id
+ assert_access_denied "Failed action #{action.to_s}"
+ end
+ end
+
+ test "should not allow padawans to release advisories" do
+ log_in_as :padawan
+ get :prepare_release, :id => glsas(:glsa_one).id
+ assert_access_denied "Prepare release test failed"
+
+ log_in_as :padawan
+ get :release, :id => glsas(:glsa_one).id
+ assert_access_denied "Release tes failed"
+ end
+
+ # TODO: listing pages
end
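Review bot: The confidential-member test skips `:prepare_release` and `:release` with `next` (lines with "Confidential drafts cannot be released"), so nothing in this file asserts that a confidential member is actually denied those two actions on `restricted_glsa`; replacing the two `next` lines with a `get` plus `assert_access_denied "Failed action: #{action}"` would turn the comment into a checked property, and the same applies to the contributor own-draft test that skips them as "Off-limits for contributors". The failure message on the last assertion has a typo, `assert_access_denied "Release tes failed"` should read `"Release test failed"`, and the `#{action.to_s}` interpolations can drop `.to_s` since interpolation already calls it. The three denied-group tests for the restricted advisory are identical apart from the role, so a small helper such as `def assert_all_actions_denied(who, glsa)` wrapping the loop would keep them in sync; calling `log_in_as` once before the loop also reads cleaner, though I cannot tell from here whether the request env survives between `get` calls. The `:update` and `:diff` cases are left as TODO, so the positive permission paths for those actions remain untested.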
diff --git a/test/integration/authentication_test.rb b/test/integration/authentication_test.rb
new file mode 100644
index 0000000..9ace8f8
--- /dev/null
+++ b/test/integration/authentication_test.rb
@@ -0,0 +1,20 @@
+require 'test_helper'
+
+class AuthenticationTest < ActionDispatch::IntegrationTest
+ fixtures :all
+
+ test "successful login" do
+ get '/', {}, { 'HTTP_AUTHORIZATION' => basic_auth_creds(users(:test_member).login, GLSAMAKER_DEVEL_PASSWORD) }
+ assert_response :success
+ end
+
+ test "unknown user login" do
+ get '/', {}, { 'HTTP_AUTHORIZATION' => basic_auth_creds("doesnotexist", "invalidpassword") }
+ assert_response 401
+ end
+
+ test "locked user login" do
+ get '/', {}, { 'HTTP_AUTHORIZATION' => basic_auth_creds(users(:test_locked).login, GLSAMAKER_DEVEL_PASSWORD) }
+ assert_response 401
+ end
+end
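Review bot: The negative cases cover an unknown login and a locked account, but not the most important one, a known login with the wrong password; as written, the 401 in "unknown user login" could be produced by the user lookup alone without the password ever being checked. Add a `test "known user, wrong password"` case that sends `basic_auth_creds(users(:test_member).login, "invalidpassword")` to `/` and asserts `401`. It may also be worth asserting that the locked-user and unknown-user responses are indistinguishable (same status and body), so that the login prompt does not reveal which accounts exist, but that depends on the application's intended behaviour.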
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 250533d..cef2b00 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -16,4 +16,33 @@ class ActiveSupport::TestCase
def basic_auth_creds(user, password)
ActionController::HttpAuthentication::Basic.encode_credentials(user, password)
end
+
+ # Logs in as a user. Available users are
+ # :user, :admin, :contributor, :padawan, :full_member, :confidential_member, :locked_user
+ def log_in_as(who)
+ user = nil
+ case who
+ when :user
+ user = users(:test_user).login
+ when :locked_user
+ user = users(:test_locked).login
+ when :admin
+ user = users(:test_admin).login
+ when :contributor
+ user = users(:test_contributor).login
+ when :padawan
+ user = users(:test_padawan).login
+ when :full_member
+ user = users(:test_member).login
+ when :confidential_member
+ user = users(:test_confidential_member).login
+ end
+
+ raise "Invalid user" if user.nil?
+ @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds(user, GLSAMAKER_DEVEL_PASSWORD)
+ end
+
+ def assert_access_denied(message = nil)
+ assert_redirected_to({:controller => '/index', :action => 'error', :type => 'access'}, message)
+ end
end \ No newline at end of file
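Review bot: `log_in_as` is a seven-branch `case` that only maps a role symbol to a fixture name, so the mapping is better expressed as a frozen lookup hash, which also makes the "Available users" comment unnecessary to maintain by hand and lets an unknown symbol raise an `ArgumentError` naming the bad value instead of a bare `RuntimeError` "Invalid user". The helper lives on `ActiveSupport::TestCase` but writes `@request.env`, which presumably only exists in `ActionController::TestCase` subclasses (the new integration test builds its headers by hand instead); a one-line comment stating that it is for functional tests only would save the next person a confusing `NoMethodError` on `nil`. The hash-rocket style below follows the file's existing literals.

```ruby
  # Logs in as a user (functional tests only: writes @request.env).
  # Keys are the role symbols accepted by log_in_as, values the users.yml fixture names.
  LOGIN_FIXTURES = {
    :user => :test_user,
    :locked_user => :test_locked,
    :admin => :test_admin,
    :contributor => :test_contributor,
    :padawan => :test_padawan,
    :full_member => :test_member,
    :confidential_member => :test_confidential_member
  }.freeze

  def log_in_as(who)
    fixture = LOGIN_FIXTURES.fetch(who) { raise ArgumentError, "Invalid user: #{who.inspect}" }
    @request.env['HTTP_AUTHORIZATION'] = basic_auth_creds(users(fixture).login, GLSAMAKER_DEVEL_PASSWORD)
  end

  # … unchanged: assert_access_denied …
```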