remove fallback tests and refactor some http errors 403 -> 401
This commit is contained in:
parent
751745cb5d
commit
e85994293b
@ -18,13 +18,8 @@ describe('app.auth', function() {
|
||||
},
|
||||
{
|
||||
desc: 'invalid api key should NOT allow insert in protected tables',
|
||||
url: "/api/v1/sql?api_key=RAMBO&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
|
||||
statusCode: 403
|
||||
},
|
||||
{
|
||||
desc: 'invalid api key (old redis location) should NOT allow insert in protected tables',
|
||||
url: "/api/v1/sql?api_key=1235&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
|
||||
statusCode: 403
|
||||
url: "/api/v1/sql?api_key=THIS_API_KEY_NOT_EXIST&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('R')",
|
||||
statusCode: 401
|
||||
},
|
||||
{
|
||||
desc: 'no api key should NOT allow insert in protected tables',
|
||||
|
@ -18,33 +18,18 @@ describe('Auth API', function () {
|
||||
});
|
||||
});
|
||||
|
||||
// TODO: this is obviously a really dangerous sceneario, but in order to not break
|
||||
// some uses cases (i.e: new carto.js examples) and keep backwards compatiblity we will keep it during some time.
|
||||
// It should be fixed as soon as possible
|
||||
it('should get result from query using a wrong API key', function (done) {
|
||||
this.testClient = new TestClient({ apiKey: 'wrong' });
|
||||
it('should fail when using a wrong API key', function (done) {
|
||||
this.testClient = new TestClient({ apiKey: 'THIS_API_KEY_DOES_NOT_EXIST' });
|
||||
|
||||
this.testClient.getResult(publicSQL, (err, result) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(result.length, 6);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
// TODO: this is obviously a really dangerous sceneario, but in order to not break
|
||||
// some uses cases (i.e: new carto.js examples) and keep backwards compatiblity we will keep it during some time.
|
||||
// It should be fixed as soon as possible
|
||||
it('should fail while fetching data (private dataset) and using a wrong API key', function (done) {
|
||||
this.testClient = new TestClient({ apiKey: 'wrong' });
|
||||
const expectedResponse = {
|
||||
response: {
|
||||
status: 403
|
||||
status: 401
|
||||
}
|
||||
};
|
||||
|
||||
this.testClient.getResult(privateSQL, expectedResponse, (err, result) => {
|
||||
this.testClient.getResult(publicSQL, expectedResponse, (err, result) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(result.error, 'permission denied for relation private_table');
|
||||
assert.equal(result.error, 'Unauthorized');
|
||||
done();
|
||||
});
|
||||
});
|
||||
@ -106,60 +91,6 @@ describe('Auth API', function () {
|
||||
});
|
||||
});
|
||||
|
||||
describe('Fallback', function () {
|
||||
it('should get result from query using master apikey (fallback) and a granted dataset', function (done) {
|
||||
this.testClient = new TestClient({ apiKey: '4321', host: 'cartofante.cartodb.com' });
|
||||
this.testClient.getResult(scopedSQL, (err, result) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(result.length, 4);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should fail while getting result from query using metadata and scoped dataset', function (done) {
|
||||
this.testClient = new TestClient({ host: 'cartofante.cartodb.com' });
|
||||
|
||||
const expectedResponse = {
|
||||
response: {
|
||||
status: 403
|
||||
},
|
||||
anonymous: true
|
||||
};
|
||||
|
||||
this.testClient.getResult(privateSQL, expectedResponse, (err, result) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(result.error, 'permission denied for relation private_table');
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should insert and delete values on scoped datase using the master apikey', function (done) {
|
||||
this.testClient = new TestClient({ apiKey: 4321, host: 'cartofante.cartodb.com' });
|
||||
|
||||
const insertSql = "INSERT INTO scoped_table_1(name) VALUES('wadus1')";
|
||||
|
||||
this.testClient.getResult(insertSql, (err, rows, body) => {
|
||||
assert.ifError(err);
|
||||
|
||||
assert.ok(body.hasOwnProperty('time'));
|
||||
assert.equal(body.total_rows, 1);
|
||||
assert.equal(rows.length, 0);
|
||||
|
||||
const deleteSql = "DELETE FROM scoped_table_1 WHERE name = 'wadus1'";
|
||||
|
||||
this.testClient.getResult(deleteSql, (err, rows, body) => {
|
||||
assert.ifError(err);
|
||||
|
||||
assert.ok(body.hasOwnProperty('time'));
|
||||
assert.equal(body.total_rows, 1);
|
||||
assert.equal(rows.length, 0);
|
||||
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('Batch API', function () {
|
||||
it('should create a job with regular api key and get it done', function (done) {
|
||||
this.testClient = new BatchTestClient({ apiKey: 'regular1' });
|
||||
@ -267,34 +198,19 @@ describe('Auth API', function () {
|
||||
});
|
||||
});
|
||||
|
||||
// TODO: this is obviously a really dangerous sceneario, but in order to not break
|
||||
// some uses cases (i.e: new carto.js examples) and to keep backwards compatiblity
|
||||
// we will keep it during some time. It should be fixed as soon as possible
|
||||
it('should get result from query using a wrong API key and quering to public dataset', function (done) {
|
||||
this.testClient = new TestClient({ authorization: 'vizzuality:wrong' });
|
||||
it('should fail when querying using a wrong API key', function (done) {
|
||||
this.testClient = new TestClient({ authorization: 'vizzuality:THIS_API_KEY_DOES_NOT_EXIST' });
|
||||
|
||||
this.testClient.getResult(publicSQL, { anonymous: true }, (err, result) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(result.length, 6);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
// TODO: this is obviously a really dangerous sceneario, but in order to not break
|
||||
// some uses cases (i.e: new carto.js examples) and to keep backwards compatiblity
|
||||
// we will keep it during some time. It should be fixed as soon as possible
|
||||
it('should fail while fetching data (private dataset) and using a wrong API key', function (done) {
|
||||
this.testClient = new TestClient({ authorization: 'vizzuality:wrong' });
|
||||
const expectedResponse = {
|
||||
response: {
|
||||
status: 403
|
||||
status: 401
|
||||
},
|
||||
anonymous: true
|
||||
};
|
||||
|
||||
this.testClient.getResult(privateSQL, expectedResponse, (err, result) => {
|
||||
this.testClient.getResult(publicSQL, expectedResponse, (err, result) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(result.error, 'permission denied for relation private_table');
|
||||
assert.equal(result.error, 'Unauthorized');
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
@ -79,7 +79,7 @@ describe('job module', function() {
|
||||
});
|
||||
});
|
||||
|
||||
it('POST /api/v2/sql/job with wrong api key should respond with 403 permission denied', function (done){
|
||||
it('POST /api/v2/sql/job with wrong api key should respond with 401 permission denied', function (done){
|
||||
assert.response(server, {
|
||||
url: '/api/v2/sql/job?api_key=wrong',
|
||||
headers: { 'host': 'vizzuality.cartodb.com', 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||
@ -88,10 +88,10 @@ describe('job module', function() {
|
||||
query: "SELECT * FROM untitle_table_4"
|
||||
})
|
||||
}, {
|
||||
status: 403
|
||||
status: 401
|
||||
}, function(err, res) {
|
||||
var error = JSON.parse(res.body);
|
||||
assert.deepEqual(error, { error: [ 'permission denied' ] });
|
||||
assert.deepEqual(error, { error: [ 'Unauthorized' ] });
|
||||
done();
|
||||
});
|
||||
});
|
||||
@ -134,16 +134,16 @@ describe('job module', function() {
|
||||
});
|
||||
});
|
||||
|
||||
it('GET /api/v2/sql/job/:job_id with wrong api key should respond with 403 permission denied', function (done){
|
||||
it('GET /api/v2/sql/job/:job_id with wrong api key should respond with 401 permission denied', function (done){
|
||||
assert.response(server, {
|
||||
url: '/api/v2/sql/job/' + job.job_id + '?api_key=wrong',
|
||||
headers: { 'host': 'vizzuality.cartodb.com', 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||
method: 'GET'
|
||||
}, {
|
||||
status: 403
|
||||
status: 401
|
||||
}, function(err, res) {
|
||||
var error = JSON.parse(res.body);
|
||||
assert.deepEqual(error, { error: [ 'permission denied' ] });
|
||||
assert.deepEqual(error, { error: ['Unauthorized'] });
|
||||
done();
|
||||
});
|
||||
});
|
||||
@ -182,16 +182,16 @@ describe('job module', function() {
|
||||
});
|
||||
});
|
||||
|
||||
it('DELETE /api/v2/sql/job/:job_id with wrong api key should respond with 403 permission denied', function (done){
|
||||
it('DELETE /api/v2/sql/job/:job_id with wrong api key should respond with 401 permission denied', function (done){
|
||||
assert.response(server, {
|
||||
url: '/api/v2/sql/job/' + job.job_id + '?api_key=wrong',
|
||||
headers: { 'host': 'vizzuality.cartodb.com', 'Content-Type': 'application/x-www-form-urlencoded' },
|
||||
method: 'DELETE'
|
||||
}, {
|
||||
status: 403
|
||||
status: 401
|
||||
}, function(err, res) {
|
||||
var error = JSON.parse(res.body);
|
||||
assert.deepEqual(error, { error: [ 'permission denied' ] });
|
||||
assert.deepEqual(error, { error: ['Unauthorized'] });
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
Loading…
Reference in New Issue
Block a user