cloud_controller_ng/spec/unit/controllers/v3/application_controller_spec.rb at 27a3fbf490262ecf3fecf66ef6c568c8bb2ed33e · cloudfoundry/cloud_controller_ng · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
require 'spec_helper'
require 'rails_helper'

## NOTICE: Prefer request specs over controller specs as per ADR #0003 ##

RSpec.describe ApplicationController, type: :controller do
  RSpec::Matchers.define_negated_matcher :not_change, :change

  controller do
    def index
      render 200, json: { request_id: VCAP::Request.current_id }
    end

    def show
      head :no_content
    end

    def create
      head :created
    end

    def api_explode
      raise CloudController::Errors::ApiError.new_from_details('InvalidRequest', 'omg no!')
    end

    def compound_error
      raise CloudController::Errors::CompoundError.new [
        CloudController::Errors::ApiError.new_from_details('InvalidRequest', 'error1'),
        CloudController::Errors::ApiError.new_from_details('InvalidRequest', 'error2')
      ]
    end

    def blobstore_error
      raise CloudController::Blobstore::BlobstoreError.new('it broke!')
    end

    def not_found
      raise CloudController::Errors::NotFound.new_from_details('NotFound')
    end

    def key_derivation_error
      raise VCAP::CloudController::Encryptor::EncryptorError
    end

    def db_disconnect_error
      raise Sequel::DatabaseDisconnectError.new
    end

    def db_connection_error
      raise Sequel::DatabaseConnectionError.new
    end

    def warnings_is_nil
      add_warning_headers(nil)
      render status: :ok, json: {}
    end

    def multiple_warnings
      add_warning_headers(['warning,a', 'wa,rning b', '!@#$%^&*(),:|{}+=-<>'])
      render status: :ok, json: {}
    end

    def warnings_incorrect_type
      add_warning_headers('value of incorrect type')
      render status: :ok, json: {}
    end
  end

  describe '#check_read_permissions' do
    before do
      set_current_user(VCAP::CloudController::User.make, scopes: [])
    end

    it 'is required on index' do
      get :index

      expect(response).to have_http_status(:forbidden)
      expect(response).to have_error_message('You are not authorized to perform the requested action')
    end

    it 'is required on show' do
      get :show, params: { id: 1 }

      expect(response).to have_http_status(:forbidden)
      expect(response).to have_error_message('You are not authorized to perform the requested action')
    end

    context 'cloud_controller.read' do
      before do
        set_current_user_as_reader
      end

      it 'grants reading access' do
        get :index
        expect(response).to have_http_status(:ok)
      end

      it 'shows a specific item' do
        get :show, params: { id: 1 }
        expect(response).to have_http_status(:no_content)
      end
    end

    context 'cloud_controller.admin_read_only' do
      before do
        set_current_user_as_admin_read_only
      end

      it 'grants reading access' do
        get :index
        expect(response).to have_http_status(:ok)
      end

      it 'shows a specific item' do
        get :show, params: { id: 1 }
        expect(response).to have_http_status(:no_content)
      end
    end

    context 'cloud_controller.global_auditor' do
      before do
        set_current_user_as_global_auditor
      end

      it 'grants reading access' do
        get :index
        expect(response).to have_http_status(:ok)
      end

      it 'shows a specific item' do
        get :show, params: { id: 1 }
        expect(response).to have_http_status(:no_content)
      end
    end

    it 'admin can read all' do
      set_current_user_as_admin

      get :show, params: { id: 1 }
      expect(response).to have_http_status(:no_content)

      get :index
      expect(response).to have_http_status(:ok)
    end

    context 'post' do
      before do
        set_current_user_as_writer
      end

      it 'is not required on other actions' do
        post :create

        expect(response).to have_http_status(:created)
      end
    end
  end

  describe 'when a user has the cloud_controller_service_permissions.read scope' do
    before do
      set_current_user_as_service_permissions_reader
    end

    it 'cannot index' do
      get :index
      expect(response).to have_http_status(:forbidden)
      expect(response).to have_error_message('You are not authorized to perform the requested action')
    end

    it 'cannot show' do
      get :show, params: { id: 1 }
      expect(response).to have_http_status(:forbidden)
      expect(response).to have_error_message('You are not authorized to perform the requested action')
    end

    it 'cannot create' do
      post :create
      expect(response).to have_http_status(:forbidden)
      expect(response).to have_error_message('You are not authorized to perform the requested action')
    end
  end

  describe 'when a user does not have cloud_controller.write scope' do
    before do
      set_current_user_as_reader
    end

    it 'is not required on index' do
      get :index
      expect(response).to have_http_status(:ok)
    end

    it 'is not required on show' do
      get :show, params: { id: 1 }
      expect(response).to have_http_status(:no_content)
    end

    it 'is required on other actions' do
      post :create
      expect(response).to have_http_status(:forbidden)
      expect(response).to have_error_message('You are not authorized to perform the requested action')
    end

    it 'is not required for admin' do
      set_current_user_as_admin

      post :create
      expect(response).to have_http_status(:created)
    end
  end

  describe 'auth token validation' do
    context 'when the token contains a valid user' do
      before do
        set_current_user_as_admin
      end

      it 'allows the operation' do
        get :index
        expect(response).to have_http_status(:ok)
      end
    end

    context 'when there is no token' do
      it 'raises NotAuthenticated' do
        get :index
        expect(response).to have_http_status(:unauthorized)
        expect(response).to have_error_message('Authentication error')
      end
    end

    context 'when the token is invalid' do
      before do
        VCAP::CloudController::SecurityContext.set(nil, :invalid_token, nil)
      end

      it 'raises InvalidAuthToken' do
        get :index
        expect(response).to have_http_status(:unauthorized)
        expect(response).to have_error_message('Invalid Auth Token')
      end
    end

    context 'when there is a token but no matching user' do
      before do
        user = nil
        VCAP::CloudController::SecurityContext.set(user, 'valid_token', nil)
      end

      it 'raises InvalidAuthToken' do
        get :index
        expect(response).to have_http_status(:unauthorized)
        expect(response).to have_error_message('Invalid Auth Token')
      end
    end
  end

  describe '#handle_blobstore_error' do
    let!(:user) { set_current_user(VCAP::CloudController::User.make) }

    it 'rescues from ApiError and renders an error presenter' do
      allow_any_instance_of(ErrorPresenter).to receive(:raise_500?).and_return(false)
      routes.draw { get 'blobstore_error' => 'anonymous#blobstore_error' }
      get :blobstore_error
      expect(response).to have_http_status(:internal_server_error)
      expect(response).to have_error_message(/three retries/)
    end
  end

  describe '#handle_api_error' do
    let!(:user) { set_current_user(VCAP::CloudController::User.make) }

    it 'rescues from ApiError and renders an error presenter' do
      routes.draw { get 'api_explode' => 'anonymous#api_explode' }
      get :api_explode
      expect(response).to have_http_status(:bad_request)
      expect(response).to have_error_message('The request is invalid')
    end
  end

  describe '#handle_compound_error' do
    let!(:user) { set_current_user(VCAP::CloudController::User.make) }

    it 'rescues from CompoundErrors and renders an error presenter' do
      routes.draw { get 'compound_error' => 'anonymous#compound_error' }
      get :compound_error
      expect(response).to have_http_status(:bad_request)
      expect(parsed_body['errors'].length).to eq 2
    end
  end

  describe '#handle_not_found' do
    let!(:user) { set_current_user(VCAP::CloudController::User.make) }

    it 'rescues from NotFound error and renders an error presenter' do
      routes.draw { get 'not_found' => 'anonymous#not_found' }
      get :not_found
      expect(response).to have_http_status(:not_found)
      expect(response).to have_error_message('Unknown request')
    end
  end

  describe '#handle_db_connection_error' do
    let!(:user) { set_current_user(VCAP::CloudController::User.make) }

    before do
      allow_any_instance_of(ErrorPresenter).to receive(:raise_500?).and_return(false)
      routes.draw do
        get 'db_connection_error' => 'anonymous#db_connection_error'
        get 'db_disconnect_error' => 'anonymous#db_disconnect_error'
      end
    end

    it 'rescues from Sequel::DatabaseConnectionError and renders an error presenter' do
      get :db_connection_error
      expect(response).to have_http_status(:service_unavailable)
      expect(response).to have_error_message(/Database connection failure/)
    end

    it 'rescues from Sequel::DatabaseDisconnectError and renders an error presenter' do
      get :db_disconnect_error
      expect(response).to have_http_status(:service_unavailable)
      expect(response).to have_error_message(/Database connection failure/)
    end
  end

  describe '#handle_key_derivation_error' do
    let!(:user) { set_current_user(VCAP::CloudController::User.make) }

    before do
      allow_any_instance_of(ErrorPresenter).to receive(:raise_500?).and_return(false)
      routes.draw do
        get 'key_derivation_error' => 'anonymous#key_derivation_error'
      end
    end

    it 'rescues from EncryptorError and renders an error presenter' do
      get :key_derivation_error
      expect(response).to have_http_status(:internal_server_error)
      expect(response).to have_error_message(/Error while processing encrypted data/)
    end
  end

  describe '#add_warning_headers' do
    let!(:user) { set_current_user(VCAP::CloudController::User.make) }

    it 'does nothing when warnings is nil' do
      routes.draw { get 'warnings_is_nil' => 'anonymous#warnings_is_nil' }
      get :warnings_is_nil
      expect(response).to have_http_status(:ok)
      expect(response.headers['X-Cf-Warnings']).to be_nil
    end

    it 'throws argument error when warnings is not an array' do
      routes.draw { get 'warnings_incorrect_type' => 'anonymous#warnings_incorrect_type' }
      expect do
        get :warnings_incorrect_type
      end.to raise_error(ArgumentError)
    end

    it 'does nothing when warnings is nil' do
      routes.draw { get 'multiple_warnings' => 'anonymous#multiple_warnings' }
      get :multiple_warnings
      expect(response).to have_http_status(:ok)
      warnings = response.headers['X-Cf-Warnings'].split(',').map { |w| CGI.unescape(w) }
      expect(warnings).to eq([
        'warning,a',
        'wa,rning b',
        '!@#$%^&*(),:|{}+=-<>'
      ])
    end
  end
end