cartodb/CartoDB-SQL-API
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d23416cc60
CartoDB-SQL-API/test/acceptance/app.test.js
Sandro Santilli d23416cc60 Set X-Cache-Channel to NONE when the SQL may write to the database 
Note that "may write" allows for false positive, so there could be
less cache hits than possibly allowable. If this will be a problem
for any real use case we could still improve the regular expression
used to detect "writing" queries.

Automated tests are added to check for the X-Cache-Channel header
with both writing and read-only queries performed by authenticated
requests.

Closes #27
Closes #43
2012-10-15 13:23:17 +02:00

634 lines
23 KiB
JavaScript
Raw Blame History

/**
*
* Requires the database and tables setup in config/environments/test.js to exist
* Ensure the user is present in the pgbouncer auth file too
* TODO: Add OAuth tests.
*
* To run this test, ensure that cartodb_test_user_1_db metadata exists in Redis for the vizziality.cartodb.com domain
*
* SELECT 5
* HSET rails:users:vizzuality id 1
* HSET rails:users:vizzuality database_name cartodb_dev_user_1_db
*
*/
require('../helper');
require('../support/assert');
var app = require(global.settings.app_root + '/app/controllers/app')
, assert = require('assert')
, querystring = require('querystring')
, _ = require('underscore');
// allow lots of emitters to be set to silence warning
app.setMaxListeners(0);
suite('app.test', function() {
var expected_cache_control = 'no-cache,max-age=3600,must-revalidate,public';
// use dec_sep for internationalization
var checkDecimals = function(x, dec_sep){
var tmp='' + x;
if (tmp.indexOf(dec_sep)>-1)
return tmp.length-tmp.indexOf(dec_sep)-1;
else
return 0;
}
test('GET /api/v1/sql', function(done){
assert.response(app, {
url: '/api/v1/sql',
method: 'GET'
},{
status: 400
}, function(res) {
assert.deepEqual(JSON.parse(res.body), {"error":["You must indicate a sql query"]});
done();
});
});
test('GET /api/v1/sql with SQL parameter on SELECT only. No oAuth included ', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&database=cartodb_test_user_1_db',
method: 'GET'
},{ }, function(res) {
assert.equal(res.statusCode, 200, res.body);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'cartodb_test_user_1_db:untitle_table_4');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
test('GET /api/v1/sql with SQL parameter on SELECT only. no database param, just id using headers', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res) {
assert.equal(res.statusCode, 200, res.body);
done();
});
});
test('GET /api/v1/sql with SQL parameter on SELECT only. no database param, just id using headers. Authenticated.',
function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20cartodb_id*2%20FROM%20untitle_table_4&api_key=1234',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res) {
assert.equal(res.statusCode, 200, res.body);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'cartodb_test_user_1_db:untitle_table_4');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
test('POST /api/v1/sql with SQL parameter on SELECT only. no database param, just id using headers', function(done){
assert.response(app, {
url: '/api/v1/sql',
data: querystring.stringify({q: "SELECT * FROM untitle_table_4"}),
headers: {host: 'vizzuality.cartodb.com', 'Content-Type': 'application/x-www-form-urlencoded' },
method: 'POST'
},{ }, function(res) {
assert.equal(res.statusCode, 200, res.body);
done();
});
});
test('GET /api/v1/sql with SQL parameter on INSERT only. oAuth not used, so public user - should fail', function(){
assert.response(app, {
url: "/api/v1/sql?q=INSERT%20INTO%20untitle_table_4%20(id)%20VALUES%20(1)&database=cartodb_dev_user_1_db",
method: 'GET'
},{
status: 400
});
});
test('GET /api/v1/sql with SQL parameter on DROP DATABASE only. oAuth not used, so public user - should fail', function(){
assert.response(app, {
url: "/api/v1/sql?q=DROP%20TABLE%20untitle_table_4&database=cartodb_dev_user_1_db",
method: 'GET'
},{
status: 400
});
});
test('GET /api/v1/sql with SQL parameter on INSERT only. header based db - should fail', function(){
assert.response(app, {
url: "/api/v1/sql?q=INSERT%20INTO%20untitle_table_4%20(id)%20VALUES%20(1)",
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{
status: 400
});
});
// Check results from INSERT
//
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/13
test('INSERT returns affected rows', function(done){
assert.response(app, {
// view prepare_db.sh to see where to set api_key
url: "/api/v1/sql?api_key=1234&"
+ querystring.stringify({q:
"INSERT INTO private_table(name) VALUES('noret1') UNION VALUES('noret2')"
}),
headers: {host: 'vizzuality.localhost.lan:8080' },
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
var out = JSON.parse(res.body);
assert.ok(out.hasOwnProperty('time'));
assert.equal(out.total_rows, 2);
assert.equal(out.rows.length, 0);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'NONE');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
// Check results from UPDATE
//
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/13
test('UPDATE returns affected rows', function(done){
assert.response(app, {
// view prepare_db.sh to see where to set api_key
url: "/api/v1/sql?api_key=1234&"
+ querystring.stringify({q:
"UPDATE private_table SET name = upper(name) WHERE name in ('noret1', 'noret2')"
}),
headers: {host: 'vizzuality.localhost.lan:8080' },
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
var out = JSON.parse(res.body);
assert.ok(out.hasOwnProperty('time'));
assert.equal(out.total_rows, 2);
assert.equal(out.rows.length, 0);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'NONE');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
// Check results from DELETE
//
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/13
test('DELETE returns affected rows', function(done){
assert.response(app, {
// view prepare_db.sh to see where to set api_key
url: "/api/v1/sql?api_key=1234&"
+ querystring.stringify({q:
"DELETE FROM private_table WHERE name in ('NORET1', 'NORET2')"
}),
headers: {host: 'vizzuality.localhost.lan:8080' },
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
var out = JSON.parse(res.body);
assert.ok(out.hasOwnProperty('time'));
assert.equal(out.total_rows, 2);
assert.equal(out.rows.length, 0);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'NONE');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
// Check results from INSERT .. RETURNING
//
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/50
test('INSERT with RETURNING returns all results', function(done){
assert.response(app, {
// view prepare_db.sh to see where to set api_key
url: "/api/v1/sql?api_key=1234&"
+ querystring.stringify({q:
"INSERT INTO private_table(name) VALUES('test') RETURNING upper(name), reverse(name)"
}),
headers: {host: 'vizzuality.localhost.lan:8080' },
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
var out = JSON.parse(res.body);
assert.ok(out.hasOwnProperty('time'));
assert.equal(out.total_rows, 1);
assert.equal(out.rows.length, 1);
assert.equal(_.keys(out.rows[0]).length, 2);
assert.equal(out.rows[0].upper, 'TEST');
assert.equal(out.rows[0].reverse, 'tset');
done();
});
});
// Check results from UPDATE .. RETURNING
//
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/50
test('UPDATE with RETURNING returns all results', function(done){
assert.response(app, {
// view prepare_db.sh to see where to set api_key
url: "/api/v1/sql?api_key=1234&"
+ querystring.stringify({q:
"UPDATE private_table SET name = 'tost' WHERE name = 'test' RETURNING upper(name), reverse(name)"
}),
headers: {host: 'vizzuality.localhost.lan:8080' },
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
var out = JSON.parse(res.body);
assert.ok(out.hasOwnProperty('time'));
assert.equal(out.total_rows, 1);
assert.equal(out.rows.length, 1);
assert.equal(_.keys(out.rows[0]).length, 2);
assert.equal(out.rows[0].upper, 'TOST');
assert.equal(out.rows[0].reverse, 'tsot');
done();
});
});
// Check results from DELETE .. RETURNING
//
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/50
test('DELETE with RETURNING returns all results', function(done){
assert.response(app, {
// view prepare_db.sh to see where to set api_key
url: "/api/v1/sql?api_key=1234&"
+ querystring.stringify({q:
"DELETE FROM private_table WHERE name = 'tost' RETURNING name"
}),
headers: {host: 'vizzuality.localhost.lan:8080' },
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
var out = JSON.parse(res.body);
assert.ok(out.hasOwnProperty('time'));
assert.equal(out.total_rows, 1);
assert.equal(out.rows.length, 1);
assert.equal(_.keys(out.rows[0]).length, 1);
assert.equal(out.rows[0].name, 'tost');
done();
});
});
test('GET /api/v1/sql with SQL parameter on DROP DATABASE only.header based db - should fail', function(){
assert.response(app, {
url: "/api/v1/sql?q=DROP%20TABLE%20untitle_table_4",
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{
status: 400
});
});
test('CREATE TABLE with GET and auth', function(done){
assert.response(app, {
url: "/api/v1/sql?" + querystring.stringify({
q: 'CREATE TABLE create_table_test(a int)',
api_key: 1234
}),
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'NONE');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
// TODO: test COPY
//test('COPY TABLE with GET and auth', function(done){
// assert.response(app, {
// url: "/api/v1/sql?" + querystring.stringify({
// q: 'COPY TABLE create_table_test FROM stdin; 1\n\\.\n',
// api_key: 1234
// }),
// headers: {host: 'vizzuality.cartodb.com'},
// method: 'GET'
// },{}, function(res) {
// assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
// // Check cache headers
// // See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
// assert.equal(res.headers['x-cache-channel'], 'NONE');
// assert.equal(res.headers['cache-control'], expected_cache_control);
// done();
// });
//});
test('DROP TABLE with GET and auth', function(done){
assert.response(app, {
url: "/api/v1/sql?" + querystring.stringify({
q: 'DROP TABLE create_table_test',
api_key: 1234
}),
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'NONE');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
test('CREATE FUNCTION with GET and auth', function(done){
assert.response(app, {
url: "/api/v1/sql?" + querystring.stringify({
q: 'CREATE FUNCTION create_func_test(a int) RETURNS INT AS \'SELECT 1\' LANGUAGE \'sql\'',
api_key: 1234
}),
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'NONE');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
test('DROP FUNCTION with GET and auth', function(done){
assert.response(app, {
url: "/api/v1/sql?" + querystring.stringify({
q: 'DROP FUNCTION create_func_test(a int)',
api_key: 1234
}),
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
// Check cache headers
// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
assert.equal(res.headers['x-cache-channel'], 'NONE');
assert.equal(res.headers['cache-control'], expected_cache_control);
done();
});
});
test('GET /api/v1/sql with SQL parameter and geojson format, ensuring content-disposition set to geojson', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&format=geojson',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.equal(true, /filename=cartodb-query.geojson/gi.test(cd));
done();
});
});
test('uses the last format parameter when multiple are used', function(done){
assert.response(app, {
url: '/api/v1/sql?format=csv&q=SELECT%20*%20FROM%20untitle_table_4&format=geojson',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.equal(true, /filename=cartodb-query.geojson/gi.test(cd));
done();
});
});
test('sends a 400 when an unsupported format is requested', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&format=unknown',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 400, res.body);
assert.deepEqual(JSON.parse(res.body), {"error":[ "Invalid format: unknown" ]});
done();
});
});
test('GET /api/v1/sql with SVG format', function(done){
var query = querystring.stringify({
q: "SELECT 1 as cartodb_id, ST_MakeLine(ST_MakePoint(10, 10), ST_MakePoint(1034, 778)) AS the_geom ",
format: "svg"
});
assert.response(app, {
url: '/api/v1/sql?' + query,
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.ok(/filename=cartodb-query.svg/gi.test(cd), cd);
assert.equal(res.header('Content-Type'), 'image/svg+xml; charset=utf-8');
assert.ok( res.body.indexOf('<path d="M 0 768 L 1024 0" />') > 0, res.body );
// TODO: test viewBox
done();
});
});
test('GET /api/v1/sql with SVG format and centered point', function(done){
var query = querystring.stringify({
q: "SELECT 1 as cartodb_id, ST_MakePoint(5000, -54) AS the_geom ",
format: "svg"
});
assert.response(app, {
url: '/api/v1/sql?' + query,
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.ok(/filename=cartodb-query.svg/gi.test(cd), cd);
assert.equal(res.header('Content-Type'), 'image/svg+xml; charset=utf-8');
assert.ok( res.body.indexOf('cx="0" cy="0"') > 0, res.body );
// TODO: test viewBox
// TODO: test radius
done();
});
});
test('GET /api/v1/sql with SVG format and trimmed decimals', function(done){
var queryobj = {
q: "SELECT 1 as cartodb_id, 'LINESTRING(0 0, 1024 768, 500.123456 600.98765432)'::geometry AS the_geom ",
format: "svg",
dp: 2
};
assert.response(app, {
url: '/api/v1/sql?' + querystring.stringify(queryobj),
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.ok(/filename=cartodb-query.svg/gi.test(cd), cd);
assert.equal(res.header('Content-Type'), 'image/svg+xml; charset=utf-8');
assert.ok( res.body.indexOf('<path d="M 0 768 L 1024 0 500.12 167.01" />') > 0, res.body );
// TODO: test viewBox
queryobj.dp = 3;
assert.response(app, {
url: '/api/v1/sql?' + querystring.stringify(queryobj),
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{}, function(res) {
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.ok(/filename=cartodb-query.svg/gi.test(cd), cd);
assert.equal(res.header('Content-Type'), 'image/svg+xml; charset=utf-8');
assert.ok( res.body.indexOf('<path d="M 0 768 L 1024 0 500.123 167.012" />') > 0, res.body );
// TODO: test viewBox
done();
});
});
});
test('GET /api/v1/sql with SQL parameter and no format, ensuring content-disposition set to json', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.equal(true, /filename=cartodb-query.json/gi.test(cd));
done();
});
});
test('GET /api/v1/sql ensure cross domain set on errors', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*gadfgadfg%20FROM%20untitle_table_4',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{
status: 400
}, function(res){
var cd = res.header('Access-Control-Allow-Origin');
assert.equal(cd, '*');
done();
});
});
test('GET /api/v1/sql as geojson limiting decimal places', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&format=geojson&dp=1',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var result = JSON.parse(res.body);
assert.equal(1, checkDecimals(result.features[0].geometry.coordinates[0], '.'));
done();
});
});
test('GET /api/v1/sql as geojson with default dp as 6', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&format=geojson',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var result = JSON.parse(res.body);
assert.equal(6, checkDecimals(result.features[0].geometry.coordinates[0], '.'));
done();
});
});
test('GET /api/v1/sql as csv', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20cartodb_id,ST_AsEWKT(the_geom)%20as%20geom%20FROM%20untitle_table_4%20LIMIT%201&format=csv',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var body = "cartodb_id,geom\r\n1,SRID=4326;POINT(-3.699732 40.423012)";
assert.equal(body, res.body);
done();
});
});
test('GET /api/v1/sql as csv, properly escaped', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20cartodb_id,%20address%20FROM%20untitle_table_4%20LIMIT%201&format=csv',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var body = 'cartodb_id,address\r\n1,"Calle de Pérez Galdós 9, Madrid, Spain"';
assert.equal(body, res.body);
done();
});
});
test('cannot GET system tables', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20pg_attribute',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{
status: 403
}, function() { done(); });
});
test('GET decent error if domain is incorrect', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&format=geojson',
headers: {host: 'vizzualinot.cartodb.com'},
method: 'GET'
},{
status: 404
}, function(res){
var result = JSON.parse(res.body);
assert.equal(result.error[0],"Sorry, we can't find this CartoDB. Please check that you have entered the correct domain.");
done();
});
});
test('GET decent error if SQL is broken', function(done){
assert.response(app, {
url: '/api/v1/sql?' + querystring.stringify({q:
'SELECT star FROM this and that'
}),
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{}, function(res){
assert.equal(res.statusCode, 400, res.statusCode + ': ' + res.body);
var result = JSON.parse(res.body);
// NOTE: actual error message may be slighly different, possibly worth a regexp here
assert.equal(result.error[0], 'syntax error at or near "and"');
done();
});
});
// CSV tests
test('CSV format', function(done){
assert.response(app, {
url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4%20LIMIT%201&format=csv',
headers: {host: 'vizzuality.cartodb.com'},
method: 'GET'
},{ }, function(res){
assert.equal(res.statusCode, 200, res.body);
var cd = res.header('Content-Disposition');
assert.equal(true, /filename=cartodb-query.csv/gi.test(cd));
done();
});
});
});
Reference in New Issue View Git Blame Copy Permalink