PageRenderTime 56ms CodeModel.GetById 30ms RepoModel.GetById 1ms app.codeStats 0ms

/spec/tools/fix_auth/auth_model_spec.rb

https://gitlab.com/unofficial-mirrors/manageiq
Ruby | 184 lines | 153 code | 31 blank | 0 comment | 4 complexity | 6968b106000406baceed6c3485ed2f57 MD5 | raw file
    

  1. $LOAD_PATH << Rails.root.join("tools").to_s
    2. 

  2. 

  3. require "fix_auth/auth_model"
    4. 

  4. require "fix_auth/auth_config_model"
    5. 

  5. require "fix_auth/models"
    6. 

  6. 

  7. describe FixAuth::AuthModel do
    8. 

  8.   let(:v0_key)  { MiqPassword::Key.new("AES-128-CBC", Base64.encode64("9999999999999999"), Base64.encode64("5555555555555555")) }
    9. 

  9.   let(:v1_key)  { MiqPassword.generate_symmetric }
    10. 

  10.   let(:pass)    { "password" }
    11. 

  11.   let(:enc_v1)  { MiqPassword.new.encrypt(pass, "v1", v1_key) }
    12. 

  12.   let(:enc_v2)  { MiqPassword.new.encrypt(pass) }
    13. 

  13.   let(:bad_v2)  { "v2:{5555555555555555555555==}" }
    14. 

  14.   let(:enc_leg) { v0_key.encrypt64(pass) }
    15. 

  15. 

  16.   before do
    17. 

  17.     MiqPassword.add_legacy_key(v0_key, :v0)
    18. 

  18.     MiqPassword.add_legacy_key(v1_key, :v1)
    19. 

  19.   end
    20. 

  20. 

  21.   after do
    22. 

  22.     MiqPassword.clear_keys
    23. 

  23.   end
    24. 

  24. 

  25.   context "#authentications" do
    26. 

  26.     subject { FixAuth::FixAuthentication }
    27. 

  27.     let(:contenders) { subject.contenders.collect(&:name) }
    28. 

  28.     let(:v1_v2)  { subject.create(:name => "v2_v1", :password => enc_v2, :auth_key => enc_v1) }
    29. 

  29.     let(:v2_v1)  { subject.create(:name => "v1_v2", :password => enc_v1, :auth_key => enc_v2) }
    30. 

  30.     let(:v1)     { subject.create(:name => "v1", :password => enc_v1) }
    31. 

  31.     let(:v2)     { subject.create(:name => "v2", :password => enc_v2) }
    32. 

  32.     let(:badv2)  { subject.create(:name => "badv2", :password => bad_v2) }
    33. 

  33.     let(:leg)    { subject.create(:name => "lg", :password => enc_leg) }
    34. 

  34.     let(:nls)    { subject.create(:name => "nls") }
    35. 

  35.     let(:not_c)  { subject.create(:name => "notc", :password => "nope") }
    36. 

  36. 

  37.     it "should read column_names" do
    38. 

  38.       expect(subject.column_names).to include("id", "resource_id", "created_on")
    39. 

  39.     end
    40. 

  40. 

  41.     it "should determine available_columns" do
    42. 

  42.       expect(subject.available_columns).to eq(%w(password auth_key))
    43. 

  43.     end
    44. 

  44. 

  45.     it "should limit available_columns when not all columns are available" do
    46. 

  46.       allow(subject).to receive_messages(:column_names => %w(password id))
    47. 

  47.       expect(subject.available_columns).to eq(%w(password))
    48. 

  48.     end
    49. 

  49. 

  50.     it "should build selection criteria (non selects)" do
    51. 

  51.       expect(subject.selection_criteria).to match(/OR/)
    52. 

  52.       expect(subject.selection_criteria).to match(/password.*<>.*''.*OR.*auth_key.*<>.*''/)
    53. 

  53.     end
    54. 

  54. 

  55.     it "should not find empty records" do
    56. 

  56.       nls.save!
    57. 

  57.       expect(contenders).not_to include(nls.name)
    58. 

  58.     end
    59. 

  59. 

  60.     it "should find records with encrypted passwords" do
    61. 

  61.       [v1, v2, leg, nls].each(&:save!)
    62. 

  62.       expect(contenders).to include(v1.name, leg.name, v2.name)
    63. 

  63.       expect(contenders).not_to include(nls.name)
    64. 

  64.     end
    65. 

  65. 

  66.     it "should find viable records among mixed mode records" do
    67. 

  67.       [v1_v2, v2_v1].each(&:save!)
    68. 

  68.       expect(contenders).to include(v1_v2.name)
    69. 

  69.       expect(contenders).to include(v2_v1.name)
    70. 

  70.     end
    71. 

  71. 

  72.     context "#recrypt" do
    73. 

  73.       it "should not upgrade blank column" do
    74. 

  74.         subject.fix_passwords(nls)
    75. 

  75.         expect(nls).not_to be_password_changed
    76. 

  76.       end
    77. 

  77. 

  78.       it "should upgrade legacy columns" do
    79. 

  79.         subject.fix_passwords(leg)
    80. 

  80.         expect(leg).to be_password_changed
    81. 

  81.         expect(leg).not_to be_auth_key_changed
    82. 

  82.         expect(leg.password).to be_encrypted(pass)
    83. 

  83.         expect(leg.password).to be_encrypted_version(2)
    84. 

  84.       end
    85. 

  85. 

  86.       it "should upgrade v1 columns" do
    87. 

  87.         subject.fix_passwords(v1)
    88. 

  88.         expect(v1).to be_password_changed
    89. 

  89.         expect(v1.password).to be_encrypted_version(2)
    90. 

  90.       end
    91. 

  91. 

  92.       it "should skip over non-encrypted columns" do
    93. 

  93.         subject.fix_passwords(not_c)
    94. 

  94.         expect(not_c).not_to be_password_changed
    95. 

  95.       end
    96. 

  96. 

  97.       it "should raise exception for bad encryption" do
    98. 

  98.         expect { subject.fix_passwords(badv2) }.to raise_error(MiqPassword::MiqPasswordError)
    99. 

  99.       end
    100. 

  100. 

  101.       it "should replace for bad encryption" do
    102. 

  102.         subject.fix_passwords(badv2, :invalid => "other")
    103. 

  103.         expect(badv2.password).to be_encrypted("other")
    104. 

  104.       end
    105. 

  105.     end
    106. 

  106. 

  107.     context "#hardcode" do
    108. 

  108.       it "should upgrade legacy columns" do
    109. 

  109.         subject.fix_passwords(leg, :hardcode => "newpass")
    110. 

  110.         expect(leg.password).to be_encrypted("newpass")
    111. 

  111.         expect(leg.password).to be_encrypted_version(2)
    112. 

  112.         expect(leg.auth_key).to be_blank
    113. 

  113.       end
    114. 

  114. 

  115.       it "should upgrade v2 columns" do
    116. 

  116.         subject.fix_passwords(v2, :hardcode => "newpass")
    117. 

  117.         expect(v2.password).to be_encrypted("newpass")
    118. 

  118.         expect(v2.password).to be_encrypted_version(2)
    119. 

  119.         expect(v2.auth_key).to be_blank
    120. 

  120.       end
    121. 

  121.     end
    122. 

  122.   end
    123. 

  123. 

  124.   context "#miq_database" do
    125. 

  125.     subject { FixAuth::FixMiqDatabase }
    126. 

  126.     let(:v1)  { subject.create(:session_secret_token => enc_v1) }
    127. 

  127.     let(:v2)  { subject.create(:session_secret_token => enc_v2) }
    128. 

  128.     let(:bad) { subject.create(:session_secret_token => bad_v2) }
    129. 

  129. 

  130.     it "uses random numbers for hardcode" do
    131. 

  131.       subject.fix_passwords(v1, :hardcode => "newpass")
    132. 

  132.       expect(v1.session_secret_token).to be_encrypted_version(2)
    133. 

  133.       expect(v1.session_secret_token).not_to be_encrypted("newpass")
    134. 

  134.       expect(v1.session_secret_token).not_to eq(enc_v2)
    135. 

  135.     end
    136. 

  136. 

  137.     it "uses random numbers for invalid" do
    138. 

  138.       subject.fix_passwords(bad, :invalid => "newpass")
    139. 

  139.       expect(bad.session_secret_token).to be_encrypted_version(2)
    140. 

  140.       expect(bad.session_secret_token).not_to be_encrypted("newpass")
    141. 

  141.       expect(bad.session_secret_token).not_to eq(enc_v2)
    142. 

  142.     end
    143. 

  143. 

  144.     it "upgrades" do
    145. 

  145.       expect(subject.fix_passwords(v1).session_secret_token).to eq(enc_v2)
    146. 

  146.       expect(subject.fix_passwords(v2).session_secret_token).to eq(enc_v2)
    147. 

  147.     end
    148. 

  148.   end
    149. 

  149. 

  150.   context "#miq_ae_values" do
    151. 

  151.     subject { FixAuth::FixMiqAeValue }
    152. 

  152. 

  153.     let(:pass_field) { FixAuth::FixMiqAeField.new(:name => "pass", :datatype => "password") }
    154. 

  154.     let(:v1) { subject.create(:field => pass_field, :value => enc_v1) }
    155. 

  155. 

  156.     it "should update with complex contenders" do
    157. 

  157.       v1 # make sure record exists
    158. 

  158.       subject.run(:silent => true)
    159. 

  159.       expect(v1.reload.value).to be_encrypted_version(2)
    160. 

  160.     end
    161. 

  161.   end
    162. 

  162. 

  163.   context "#settings_change" do
    164. 

  164.     subject { FixAuth::FixSettingsChange }
    165. 

  165.     let(:v1)  { subject.create(:key => "/v1/password", :value => enc_v1) }
    166. 

  166.     let(:v2)  { subject.create(:key => "/v2/password", :value => enc_v2) }
    167. 

  167.     let(:bad) { subject.create(:key => "/bad/password", :value => bad_v2) }
    168. 

  168. 

  169.     it "with hardcode" do
    170. 

  170.       subject.fix_passwords(v1, :hardcode => pass)
    171. 

  171.       expect(v1.value).to eq(enc_v2)
    172. 

  172.     end
    173. 

  173. 

  174.     it "with invalid" do
    175. 

  175.       subject.fix_passwords(bad, :invalid => pass)
    176. 

  176.       expect(bad.value).to eq(enc_v2)
    177. 

  177.     end
    178. 

  178. 

  179.     it "upgrades" do
    180. 

  180.       expect(subject.fix_passwords(v1).value).to eq(enc_v2)
    181. 

  181.       expect(subject.fix_passwords(v2).value).to eq(enc_v2)
    182. 

  182.     end
    183. 

  183.   end
    184. 

  184. end
    185. 

  185.