        /// <summary>
        /// Verifies that the user list is only readable by an administrator:
        /// "Admin" is answered with 200, the regular user "Hans" with 403.
        /// </summary>
        public async Task AuthorizationTests()
        {
            const string usersEndpoint = "/api/users";

            using (var app = new GeldAppFixture())
            {
                // Administrator may list all users.
                await app.Login("Admin");
                var adminResponse = await app.Client.GetAsync(usersEndpoint);
                adminResponse.ShouldBeOk();
                app.Logout();

                // A regular user is authenticated but not permitted: 403, not 401.
                await app.Login("Hans");
                var userResponse = await app.Client.GetAsync(usersEndpoint);
                userResponse.ShouldBeForbidden();
                app.Logout();

                // NOTE(review): the anonymous case is not covered here; the other
                // access tests in this suite expect Unauthorized after Logout().
            }
        }
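        /// <summary>
        /// Verifies read access to an account's expenses and TSV export: the owner may
        /// read its own and the "Shared" account, foreign and non-existent accounts are
        /// rejected with 401, and nothing is readable once logged out.
        /// </summary>
        public async Task GetExpensesAccessTest()
        {
            using (var fixture = new GeldAppFixture())
            {
                await fixture.Login("Hans");

                // Own and shared account: allowed.
                await fixture.ExpectGetAsync("/api/account/Hans/export/tsv", HttpStatusCode.OK);

                await fixture.ExpectGetAsync("/api/account/Shared/export/tsv", HttpStatusCode.OK);

                // Foreign and non-existent account: denied. "Unknown" gets the same
                // status as "Petra", so the answer does not reveal whether an account exists.
                await fixture.ExpectGetAsync("/api/account/Petra/expenses", HttpStatusCode.Unauthorized);

                await fixture.ExpectGetAsync("/api/account/Unknown/expenses", HttpStatusCode.Unauthorized);

                // The export returns the whole account in bulk, so it must apply the same
                // account check as the expenses endpoint; cover it for the foreign cases too.
                await fixture.ExpectGetAsync("/api/account/Petra/export/tsv", HttpStatusCode.Unauthorized);

                await fixture.ExpectGetAsync("/api/account/Unknown/export/tsv", HttpStatusCode.Unauthorized);

                fixture.Logout();

                // Anonymous: everything is denied, including the paths allowed above.
                await fixture.ExpectGetAsync("/api/account/Hans/export/tsv", HttpStatusCode.Unauthorized);

                await fixture.ExpectGetAsync("/api/account/Shared/export/tsv", HttpStatusCode.Unauthorized);

                await fixture.ExpectGetAsync("/api/account/Petra/expenses", HttpStatusCode.Unauthorized);

                await fixture.ExpectGetAsync("/api/account/Unknown/expenses", HttpStatusCode.Unauthorized);

                await fixture.ExpectGetAsync("/api/account/Petra/export/tsv", HttpStatusCode.Unauthorized);

                await fixture.ExpectGetAsync("/api/account/Unknown/export/tsv", HttpStatusCode.Unauthorized);
            }
        }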
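        /// <summary>
        /// Verifies that a logged-in user can neither read, create, update nor delete
        /// expenses of another user's account, and that the rejected requests leave
        /// the foreign account's data untouched.
        /// </summary>
        public async Task UsersShouldNotHaveAccessToForeignAccountsTest()
        {
            using (var fixture = new GeldAppFixture())
            {
                await fixture.Login("Hans");

                (await fixture.GetExpensesAsync("Hans")).Should().HaveCount(0);

                // Create one expense as the owner so there is something to target.
                var cmd = new Expense(-100, "Ausgabe", "Essen", "Pizza").AsCommand("Hans");
                (await fixture.Client.PostAsync("/api/account/Hans/expenses", cmd.AsContent())).ShouldBeOk();
                var exp = (await fixture.GetExpensesAsync("Hans")).Single();

                // Switch user.
                fixture.Logout();
                await fixture.Login("Petra");

                // Petra only sees her own (empty) account.
                (await fixture.GetExpensesAsync("Petra")).Should().HaveCount(0);

                // Every verb against Hans' account is rejected. All checks use the same
                // explicit status assertion so that none of them can pass silently.
                // NOTE(review): the API answers 401 here although the caller is
                // authenticated; /api/users answers 403 in the same situation.
                (await fixture.Client.GetAsync("/api/account/Hans/expenses")).StatusCode.Should().Be(HttpStatusCode.Unauthorized);
                (await fixture.Client.GetAsync($"/api/account/Hans/expense/{exp.Id}")).StatusCode.Should().Be(HttpStatusCode.Unauthorized);
                (await fixture.Client.PostAsync("/api/account/Hans/expenses", exp.AsContent())).StatusCode.Should().Be(HttpStatusCode.Unauthorized);
                (await fixture.Client.PutAsync($"/api/account/Hans/expense/{exp.Id}", exp.AsContent())).StatusCode.Should().Be(HttpStatusCode.Unauthorized);
                (await fixture.Client.DeleteAsync($"/api/account/Hans/expense/{exp.Id}")).StatusCode.Should().Be(HttpStatusCode.Unauthorized);

                // The rejected writes must not have changed anything: the owner still
                // has exactly the one expense created above.
                fixture.Logout();
                await fixture.Login("Hans");
                var remaining = await fixture.GetExpensesAsync("Hans");
                remaining.Should().HaveCount(1);
                remaining.Single().Id.Should().Be(exp.Id);
            }
        }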
        /// <summary>
        /// Verifies that imported bank transactions and the expenses related to them
        /// stay private to the account that imported them: a second user importing the
        /// same file neither sees Hans' related expenses, nor may he link or create
        /// expenses against Hans' imported transaction.
        /// </summary>
        public async Task EnsureThatExpensesFromOtherAccountsDoNotLeak()
        {
            using (var fixture = new GeldAppFixture())
            {
                await fixture.Login("Hans");

                // Import the test bank statement into Hans' account; the data file is
                // resolved relative to the test working directory.
                var csv = File.ReadAllBytes("Import/dkb-import-test.csv");
                await fixture.PostFileAsync("/api/account/Hans/import/csv", "csvFile", "file.csv", csv);

                var hansImportedExpense = (await fixture.GetAsync <ImportedExpense[]>("/api/account/Hans/imports/unhandled")).Single();

                // Add an expense dated two days before the imported booking; the
                // related-expenses query below is then expected to return exactly this one.
                await fixture.AddExpenseAsync("Hans", -12.34M, "Correct", "Subcategory", ex => ex.Date = hansImportedExpense.BookingDay.AddDays(-2).Date);

                // Get related expenses.
                var relatedExpenses = await fixture.GetAsync <ExpenseViewModel[]>("/api/account/Hans/expenses?relatedToImportedExpense=" + hansImportedExpense.Id);

                relatedExpenses.Should().HaveCount(1);
                relatedExpenses.Single().CategoryName.Should().Be("Correct");

                // Login as different user.
                fixture.Logout();
                await fixture.Login("Petra");

                // Simple leak: querying Hans' account directly is rejected.
                await fixture.ExpectGetAsync("/api/account/Hans/expenses?relatedToImportedExpense=" + hansImportedExpense.Id, HttpStatusCode.Unauthorized);

                // Leak via related expenses: the same file imported into Petra's account
                // yields an imported transaction that looks like Hans', but the
                // related-expense lookup must be scoped to Petra's account and find nothing.
                await fixture.PostFileAsync("/api/account/Petra/import/csv", "csvFile", "file.csv", csv);

                var petraImportedExpense = (await fixture.GetAsync <ImportedExpense[]>("/api/account/Petra/imports/unhandled")).Single();
                var petraRelatedExpenses = await fixture.GetAsync <ExpenseViewModel[]>("/api/account/Petra/expenses?relatedToImportedExpense=" + petraImportedExpense.Id);

                petraRelatedExpenses.Should().BeEmpty();

                // Leak via linking: Hans' ids are rejected on Hans' account (401) and are
                // reported as not found on Petra's own account (404) — presumably so the
                // answer does not confirm that the foreign ids exist.
                await fixture.ExpectPostAsync($"/api/account/Hans/import/link?importedExpenseId={hansImportedExpense.Id}&relatedExpenseId={relatedExpenses.Single().Id}", HttpStatusCode.Unauthorized);

                await fixture.ExpectPostAsync($"/api/account/Petra/import/link?importedExpenseId={hansImportedExpense.Id}&relatedExpenseId={relatedExpenses.Single().Id}", HttpStatusCode.NotFound);

                // Leak via creating: an expense that claims to handle Hans' imported
                // transaction is rejected the same way — 401 on Hans' account, 404 on Petra's.
                await fixture.ExpectAddExpenseAsync("Hans", 10, "Cat", "Sub", modCmd : cmd => cmd.HandlesImportedExpenseId = hansImportedExpense.Id, expectedStatus : HttpStatusCode.Unauthorized);

                await fixture.ExpectAddExpenseAsync("Petra", 10, "Cat", "Sub", modCmd : cmd => cmd.HandlesImportedExpenseId = hansImportedExpense.Id, expectedStatus : HttpStatusCode.NotFound);
            }
        }
        /// <summary>
        /// Verifies that the list of unhandled imports is readable by the account
        /// owner only: neither anonymously nor by another authenticated user.
        /// </summary>
        public async Task GetExpensesAccessTest()
        {
            const string unhandledImports = "/api/account/Hans/imports/unhandled";

            using (var app = new GeldAppFixture())
            {
                // Owner.
                await app.Login("Hans");
                await app.ExpectGetAsync(unhandledImports, HttpStatusCode.OK);

                // Anonymous.
                app.Logout();
                await app.ExpectGetAsync(unhandledImports, HttpStatusCode.Unauthorized);

                // Another authenticated user.
                await app.Login("Petra");
                await app.ExpectGetAsync(unhandledImports, HttpStatusCode.Unauthorized);
            }
        }
        /// <summary>
        /// Verifies that the category endpoints of an account reject every request that
        /// does not come from the account owner — from another authenticated user as
        /// well as anonymously. Non-existent accounts are answered like foreign ones.
        /// </summary>
        public async Task EnsureAccessIsVerifiedTest()
        {
            using (var app = new GeldAppFixture())
            {
                var createCategory = new CreateCategoryCommand("Hans", "Einnahmen");

                // Runs the full set of category requests against foreign accounts and
                // expects each of them to be rejected.
                // NOTE(review): IsUnauthorized() reads like a predicate; confirm it
                // asserts rather than returning a bool that is discarded here.
                async Task ExpectAllRejectedAsync()
                {
                    await app.ExpectGetAsync("/api/account/Hans/categories", HttpStatusCode.Unauthorized);

                    await app.ExpectGetAsync("/api/account/Hans/categories/predict", HttpStatusCode.Unauthorized);

                    var client = app.Client;
                    (await client.PostAsync("/api/account/Hans/categories", createCategory.AsContent())).IsUnauthorized();
                    (await client.PostAsync("/api/account/Teal'C/categories", createCategory.AsContent())).IsUnauthorized();
                    (await client.PutAsync("/api/account/Hans/category/Einnahmen/Aktien", null)).IsUnauthorized();
                    (await client.PutAsync("/api/account/SamCarter/category/Einnahmen/Aktien", null)).IsUnauthorized();
                    (await client.DeleteAsync("/api/account/Hans/category/Einnahmen/Aktien")).IsUnauthorized();
                    (await client.DeleteAsync("/api/account/Hans/category/Einnahmen")).IsUnauthorized();
                    (await client.DeleteAsync("/api/account/Hans/category/Schwarzgeld")).IsUnauthorized();
                    (await client.DeleteAsync("/api/account/JackONeil/category/Schwarzgeld")).IsUnauthorized();
                }

                // Another authenticated user.
                await app.Login("Petra");
                await ExpectAllRejectedAsync();

                // Anonymous.
                app.Logout();
                await ExpectAllRejectedAsync();
            }
        }
        /// <summary>
        /// Verifies that the chart endpoints of an account are available to its owner
        /// only: anonymous callers and other users get 401 for every chart, the owner
        /// gets 200.
        /// </summary>
        public async Task EnsureAccessIsVerifiedTest()
        {
            using (var app = new GeldAppFixture())
            {
                // Issues the three chart GET requests of Hans' account and expects the
                // given status for each of them.
                async Task ExpectHansChartGetsAsync(HttpStatusCode expected)
                {
                    await app.ExpectGetAsync("/api/account/Hans/charts/month-by-category", expected);

                    await app.ExpectGetAsync("/api/account/Hans/charts/expense-history", expected);

                    await app.ExpectGetAsync("/api/account/Hans/charts/revenue-history", expected);
                }

                // Posts a default-constructed compare-category query to Hans' account.
                async Task ExpectHansCompareCategoryAsync(HttpStatusCode expected)
                {
                    await app.ExpectPostAsync("/api/account/Hans/charts/compare-category", new GetCompareCategoryChartQuery().AsContent(), expected);
                }

                // Anonymous.
                await ExpectHansChartGetsAsync(HttpStatusCode.Unauthorized);
                await ExpectHansCompareCategoryAsync(HttpStatusCode.Unauthorized);

                // Owner.
                await app.Login("Hans");
                await ExpectHansChartGetsAsync(HttpStatusCode.OK);
                await ExpectHansCompareCategoryAsync(HttpStatusCode.OK);
                app.Logout();

                // Another authenticated user; a non-existent account is rejected the same way.
                await app.Login("Petra");
                await ExpectHansChartGetsAsync(HttpStatusCode.Unauthorized);
                await app.ExpectGetAsync("/api/account/ColonelHogan/charts/revenue-history", HttpStatusCode.Unauthorized);
                await ExpectHansCompareCategoryAsync(HttpStatusCode.Unauthorized);
            }
        }