2020-02-24 14:36:15 +01:00
|
|
|
using System;
|
|
|
|
|
using System.Linq;
|
|
|
|
|
using System.Net.Http;
|
|
|
|
|
using System.Net.Http.Headers;
|
|
|
|
|
using System.Threading.Tasks;
|
2020-03-02 16:50:28 +01:00
|
|
|
using BTCPayServer.Client;
|
2020-03-20 05:22:10 +01:00
|
|
|
using BTCPayServer.Client.Models;
|
2020-02-24 14:36:15 +01:00
|
|
|
using BTCPayServer.Data;
|
2020-03-27 04:55:21 +01:00
|
|
|
using BTCPayServer.Security.GreenField;
|
2020-02-24 14:36:15 +01:00
|
|
|
using BTCPayServer.Tests.Logging;
|
|
|
|
|
using BTCPayServer.Views.Manage;
|
|
|
|
|
using Newtonsoft.Json;
|
2020-09-17 11:37:49 +02:00
|
|
|
using Newtonsoft.Json.Linq;
|
2020-02-24 14:36:15 +01:00
|
|
|
using OpenQA.Selenium;
|
|
|
|
|
using Xunit;
|
|
|
|
|
using Xunit.Abstractions;
|
2020-03-24 16:18:43 +01:00
|
|
|
using StoreData = BTCPayServer.Data.StoreData;
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
namespace BTCPayServer.Tests
|
|
|
|
|
{
|
2021-11-22 09:16:08 +01:00
|
|
|
public class ApiKeysTests : UnitTestBase
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
public const int TestTimeout = TestUtils.TestTimeout;
|
|
|
|
|
|
|
|
|
|
public const string TestApiPath = "api/test/apikey";
|
2021-11-22 09:16:08 +01:00
|
|
|
public ApiKeysTests(ITestOutputHelper helper) : base(helper)
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[Fact(Timeout = TestTimeout)]
|
|
|
|
|
[Trait("Selenium", "Selenium")]
|
|
|
|
|
public async Task CanCreateApiKeys()
|
|
|
|
|
{
|
|
|
|
|
//there are 2 ways to create api keys:
|
|
|
|
|
//as a user through your profile
|
|
|
|
|
//as an external application requesting an api key from a user
|
|
|
|
|
|
2021-11-22 09:16:08 +01:00
|
|
|
using (var s = CreateSeleniumTester())
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
await s.StartAsync();
|
|
|
|
|
var tester = s.Server;
|
|
|
|
|
|
|
|
|
|
var user = tester.NewAccount();
|
2021-12-11 04:32:23 +01:00
|
|
|
await user.GrantAccessAsync();
|
2020-03-19 11:11:15 +01:00
|
|
|
await user.MakeAdmin(false);
|
2020-02-24 14:36:15 +01:00
|
|
|
s.GoToLogin();
|
|
|
|
|
s.Login(user.RegisterDetails.Email, user.RegisterDetails.Password);
|
|
|
|
|
s.GoToProfile(ManageNavPages.APIKeys);
|
|
|
|
|
s.Driver.FindElement(By.Id("AddApiKey")).Click();
|
2020-03-20 05:22:10 +01:00
|
|
|
|
2020-03-19 11:11:15 +01:00
|
|
|
//not an admin, so this permission should not show
|
|
|
|
|
Assert.DoesNotContain("btcpay.server.canmodifyserversettings", s.Driver.PageSource);
|
|
|
|
|
await user.MakeAdmin();
|
|
|
|
|
s.Logout();
|
|
|
|
|
s.GoToLogin();
|
|
|
|
|
s.Login(user.RegisterDetails.Email, user.RegisterDetails.Password);
|
|
|
|
|
s.GoToProfile(ManageNavPages.APIKeys);
|
|
|
|
|
s.Driver.FindElement(By.Id("AddApiKey")).Click();
|
|
|
|
|
Assert.Contains("btcpay.server.canmodifyserversettings", s.Driver.PageSource);
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
//server management should show now
|
2021-02-17 04:14:29 +01:00
|
|
|
s.Driver.SetCheckbox(By.Id("btcpay.server.canmodifyserversettings"), true);
|
|
|
|
|
s.Driver.SetCheckbox(By.Id("btcpay.store.canmodifystoresettings"), true);
|
|
|
|
|
s.Driver.SetCheckbox(By.Id("btcpay.user.canviewprofile"), true);
|
2020-02-24 14:36:15 +01:00
|
|
|
s.Driver.FindElement(By.Id("Generate")).Click();
|
2021-01-22 17:49:26 +01:00
|
|
|
var superApiKey = s.FindAlertMessage().FindElement(By.TagName("code")).Text;
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
//this api key has access to everything
|
2020-06-28 10:55:27 +02:00
|
|
|
await TestApiAgainstAccessToken(superApiKey, tester, user, Policies.CanModifyServerSettings, Policies.CanModifyStoreSettings, Policies.CanViewProfile);
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
s.Driver.FindElement(By.Id("AddApiKey")).Click();
|
2021-02-17 04:14:29 +01:00
|
|
|
s.Driver.SetCheckbox(By.Id("btcpay.server.canmodifyserversettings"), true);
|
2020-02-24 14:36:15 +01:00
|
|
|
s.Driver.FindElement(By.Id("Generate")).Click();
|
2021-01-22 17:49:26 +01:00
|
|
|
var serverOnlyApiKey = s.FindAlertMessage().FindElement(By.TagName("code")).Text;
|
2020-02-24 14:36:15 +01:00
|
|
|
await TestApiAgainstAccessToken(serverOnlyApiKey, tester, user,
|
2020-03-20 05:41:47 +01:00
|
|
|
Policies.CanModifyServerSettings);
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
s.Driver.FindElement(By.Id("AddApiKey")).Click();
|
2021-02-17 04:14:29 +01:00
|
|
|
s.Driver.SetCheckbox(By.Id("btcpay.store.canmodifystoresettings"), true);
|
2020-02-24 14:36:15 +01:00
|
|
|
s.Driver.FindElement(By.Id("Generate")).Click();
|
2021-01-22 17:49:26 +01:00
|
|
|
var allStoreOnlyApiKey = s.FindAlertMessage().FindElement(By.TagName("code")).Text;
|
2020-02-24 14:36:15 +01:00
|
|
|
await TestApiAgainstAccessToken(allStoreOnlyApiKey, tester, user,
|
2020-03-20 05:41:47 +01:00
|
|
|
Policies.CanModifyStoreSettings);
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
s.Driver.FindElement(By.Id("AddApiKey")).Click();
|
2020-03-23 14:17:17 +01:00
|
|
|
s.Driver.FindElement(By.CssSelector("button[value='btcpay.store.canmodifystoresettings:change-store-mode']")).Click();
|
2020-02-24 14:36:15 +01:00
|
|
|
//there should be a store already by default in the dropdown
|
2021-07-16 09:57:37 +02:00
|
|
|
var src = s.Driver.PageSource;
|
|
|
|
|
var getPermissionValueIndex =
|
|
|
|
|
s.Driver.FindElement(By.CssSelector("input[value='btcpay.store.canmodifystoresettings']"))
|
|
|
|
|
.GetAttribute("name")
|
|
|
|
|
.Replace(".Permission", ".SpecificStores[0]");
|
|
|
|
|
var dropdown = s.Driver.FindElement(By.Name(getPermissionValueIndex));
|
2020-02-24 14:36:15 +01:00
|
|
|
var option = dropdown.FindElement(By.TagName("option"));
|
|
|
|
|
var storeId = option.GetAttribute("value");
|
|
|
|
|
option.Click();
|
|
|
|
|
s.Driver.FindElement(By.Id("Generate")).Click();
|
2021-01-22 17:49:26 +01:00
|
|
|
var selectiveStoreApiKey = s.FindAlertMessage().FindElement(By.TagName("code")).Text;
|
2020-02-24 14:36:15 +01:00
|
|
|
await TestApiAgainstAccessToken(selectiveStoreApiKey, tester, user,
|
2020-03-20 05:41:47 +01:00
|
|
|
Permission.Create(Policies.CanModifyStoreSettings, storeId).ToString());
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
s.Driver.FindElement(By.Id("AddApiKey")).Click();
|
|
|
|
|
s.Driver.FindElement(By.Id("Generate")).Click();
|
2021-01-22 17:49:26 +01:00
|
|
|
var noPermissionsApiKey = s.FindAlertMessage().FindElement(By.TagName("code")).Text;
|
2020-04-02 08:59:20 +02:00
|
|
|
await TestApiAgainstAccessToken(noPermissionsApiKey, tester, user);
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
await Assert.ThrowsAnyAsync<HttpRequestException>(async () =>
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>("incorrect key", $"{TestApiPath}/me/id",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
//let's test the authorized screen now
|
|
|
|
|
//options for authorize are:
|
|
|
|
|
//applicationName
|
|
|
|
|
//redirect
|
|
|
|
|
//permissions
|
|
|
|
|
//strict
|
|
|
|
|
//selectiveStores
|
2020-08-04 13:10:48 +02:00
|
|
|
//redirect
|
|
|
|
|
//appidentifier
|
|
|
|
|
var appidentifier = "testapp";
|
2021-09-22 14:31:44 +02:00
|
|
|
var callbackUrl = s.ServerUri + "postredirect-callback-test";
|
|
|
|
|
var authUrl = BTCPayServerClient.GenerateAuthorizeUri(s.ServerUri,
|
2020-09-17 11:37:49 +02:00
|
|
|
new[] { Policies.CanModifyStoreSettings, Policies.CanModifyServerSettings }, applicationDetails: (appidentifier, new Uri(callbackUrl))).ToString();
|
2020-02-24 14:36:15 +01:00
|
|
|
s.Driver.Navigate().GoToUrl(authUrl);
|
2020-09-17 11:37:49 +02:00
|
|
|
Assert.Contains(appidentifier, s.Driver.PageSource);
|
2020-03-19 11:11:15 +01:00
|
|
|
Assert.Equal("hidden", s.Driver.FindElement(By.Id("btcpay.store.canmodifystoresettings")).GetAttribute("type").ToLowerInvariant());
|
|
|
|
|
Assert.Equal("true", s.Driver.FindElement(By.Id("btcpay.store.canmodifystoresettings")).GetAttribute("value").ToLowerInvariant());
|
|
|
|
|
Assert.Equal("hidden", s.Driver.FindElement(By.Id("btcpay.server.canmodifyserversettings")).GetAttribute("type").ToLowerInvariant());
|
2020-03-20 05:22:10 +01:00
|
|
|
Assert.Equal("true", s.Driver.FindElement(By.Id("btcpay.server.canmodifyserversettings")).GetAttribute("value").ToLowerInvariant());
|
2020-02-24 14:36:15 +01:00
|
|
|
Assert.DoesNotContain("change-store-mode", s.Driver.PageSource);
|
|
|
|
|
s.Driver.FindElement(By.Id("consent-yes")).Click();
|
2020-09-17 11:37:49 +02:00
|
|
|
Assert.Equal(callbackUrl, s.Driver.Url);
|
2020-02-24 14:36:15 +01:00
|
|
|
|
|
|
|
|
var apiKeyRepo = s.Server.PayTester.GetService<APIKeyRepository>();
|
2020-09-17 11:37:49 +02:00
|
|
|
var accessToken = GetAccessTokenFromCallbackResult(s.Driver);
|
2020-03-20 05:22:10 +01:00
|
|
|
|
2020-09-17 11:37:49 +02:00
|
|
|
await TestApiAgainstAccessToken(accessToken, tester, user,
|
|
|
|
|
(await apiKeyRepo.GetKey(accessToken)).GetBlob().Permissions);
|
2020-02-24 14:36:15 +01:00
|
|
|
|
2021-09-22 14:31:44 +02:00
|
|
|
authUrl = BTCPayServerClient.GenerateAuthorizeUri(s.ServerUri,
|
2021-12-31 08:59:02 +01:00
|
|
|
new[] { Policies.CanModifyStoreSettings, Policies.CanModifyServerSettings }, false, true, applicationDetails: (null, new Uri(callbackUrl))).ToString();
|
2020-03-20 05:22:10 +01:00
|
|
|
|
2020-02-24 14:36:15 +01:00
|
|
|
s.Driver.Navigate().GoToUrl(authUrl);
|
|
|
|
|
Assert.DoesNotContain("kukksappname", s.Driver.PageSource);
|
|
|
|
|
|
2020-03-19 11:11:15 +01:00
|
|
|
Assert.Equal("checkbox", s.Driver.FindElement(By.Id("btcpay.store.canmodifystoresettings")).GetAttribute("type").ToLowerInvariant());
|
|
|
|
|
Assert.Equal("true", s.Driver.FindElement(By.Id("btcpay.store.canmodifystoresettings")).GetAttribute("value").ToLowerInvariant());
|
|
|
|
|
Assert.Equal("checkbox", s.Driver.FindElement(By.Id("btcpay.server.canmodifyserversettings")).GetAttribute("type").ToLowerInvariant());
|
2020-03-20 05:22:10 +01:00
|
|
|
Assert.Equal("true", s.Driver.FindElement(By.Id("btcpay.server.canmodifyserversettings")).GetAttribute("value").ToLowerInvariant());
|
2020-02-24 14:36:15 +01:00
|
|
|
|
2021-02-17 04:14:29 +01:00
|
|
|
s.Driver.SetCheckbox(By.Id("btcpay.server.canmodifyserversettings"), false);
|
2020-02-24 14:36:15 +01:00
|
|
|
Assert.Contains("change-store-mode", s.Driver.PageSource);
|
|
|
|
|
s.Driver.FindElement(By.Id("consent-yes")).Click();
|
2020-09-17 11:37:49 +02:00
|
|
|
Assert.Equal(callbackUrl, s.Driver.Url);
|
|
|
|
|
|
|
|
|
|
accessToken = GetAccessTokenFromCallbackResult(s.Driver);
|
|
|
|
|
await TestApiAgainstAccessToken(accessToken, tester, user,
|
|
|
|
|
(await apiKeyRepo.GetKey(accessToken)).GetBlob().Permissions);
|
2020-03-20 05:22:10 +01:00
|
|
|
|
2020-08-04 13:10:48 +02:00
|
|
|
//let's test the app identifier system
|
2021-09-22 14:31:44 +02:00
|
|
|
authUrl = BTCPayServerClient.GenerateAuthorizeUri(s.ServerUri,
|
2020-09-17 11:37:49 +02:00
|
|
|
new[] { Policies.CanModifyStoreSettings, Policies.CanModifyServerSettings }, false, true, (appidentifier, new Uri(callbackUrl))).ToString();
|
2020-08-04 13:10:48 +02:00
|
|
|
|
|
|
|
|
//if it's the same, go to the confirm page
|
|
|
|
|
s.Driver.Navigate().GoToUrl(authUrl);
|
|
|
|
|
s.Driver.FindElement(By.Id("continue")).Click();
|
2020-09-17 11:37:49 +02:00
|
|
|
Assert.Equal(callbackUrl, s.Driver.Url);
|
2021-12-31 08:59:02 +01:00
|
|
|
|
2020-08-04 13:10:48 +02:00
|
|
|
//same app but different redirect = nono
|
2021-09-22 14:31:44 +02:00
|
|
|
authUrl = BTCPayServerClient.GenerateAuthorizeUri(s.ServerUri,
|
2020-08-04 13:10:48 +02:00
|
|
|
new[] { Policies.CanModifyStoreSettings, Policies.CanModifyServerSettings }, false, true, (appidentifier, new Uri("https://international.local/callback"))).ToString();
|
2021-12-31 08:59:02 +01:00
|
|
|
|
2020-08-04 13:10:48 +02:00
|
|
|
s.Driver.Navigate().GoToUrl(authUrl);
|
2020-09-17 11:37:49 +02:00
|
|
|
Assert.False(s.Driver.Url.StartsWith("https://international.com/callback"));
|
2020-12-08 07:20:59 +01:00
|
|
|
|
|
|
|
|
// Make sure we can check all permissions when not an admin
|
|
|
|
|
await user.MakeAdmin(false);
|
|
|
|
|
s.Logout();
|
|
|
|
|
s.GoToLogin();
|
|
|
|
|
s.Login(user.RegisterDetails.Email, user.RegisterDetails.Password);
|
|
|
|
|
s.GoToProfile(ManageNavPages.APIKeys);
|
|
|
|
|
s.Driver.FindElement(By.Id("AddApiKey")).Click();
|
|
|
|
|
int checkedPermissionCount = 0;
|
|
|
|
|
foreach (var checkbox in s.Driver.FindElements(By.ClassName("form-check-input")))
|
|
|
|
|
{
|
|
|
|
|
checkedPermissionCount++;
|
|
|
|
|
checkbox.Click();
|
|
|
|
|
}
|
|
|
|
|
s.Driver.FindElement(By.Id("Generate")).Click();
|
2021-01-22 17:49:26 +01:00
|
|
|
var allAPIKey = s.FindAlertMessage().FindElement(By.TagName("code")).Text;
|
2020-12-08 07:20:59 +01:00
|
|
|
var apikeydata = await TestApiAgainstAccessToken<ApiKeyData>(allAPIKey, $"api/v1/api-keys/current", tester.PayTester.HttpClient);
|
|
|
|
|
Assert.Equal(checkedPermissionCount, apikeydata.Permissions.Length);
|
2020-02-24 14:36:15 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
async Task TestApiAgainstAccessToken(string accessToken, ServerTester tester, TestAccount testAccount,
|
2020-04-02 08:59:20 +02:00
|
|
|
params string[] expectedPermissionsArr)
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
2020-04-02 08:59:20 +02:00
|
|
|
var expectedPermissions = Permission.ToPermissions(expectedPermissionsArr).ToArray();
|
2020-03-20 05:22:10 +01:00
|
|
|
expectedPermissions ??= new Permission[0];
|
|
|
|
|
var apikeydata = await TestApiAgainstAccessToken<ApiKeyData>(accessToken, $"api/v1/api-keys/current", tester.PayTester.HttpClient);
|
2020-03-20 06:01:51 +01:00
|
|
|
var permissions = apikeydata.Permissions;
|
2020-03-20 05:22:10 +01:00
|
|
|
Assert.Equal(expectedPermissions.Length, permissions.Length);
|
|
|
|
|
foreach (var expectPermission in expectedPermissions)
|
|
|
|
|
{
|
|
|
|
|
Assert.True(permissions.Any(p => p == expectPermission), $"Missing expected permission {expectPermission}");
|
|
|
|
|
}
|
2020-02-24 14:36:15 +01:00
|
|
|
|
2020-03-20 05:41:47 +01:00
|
|
|
if (permissions.Contains(Permission.Create(Policies.CanViewProfile)))
|
2020-03-20 05:22:10 +01:00
|
|
|
{
|
|
|
|
|
var resultUser = await TestApiAgainstAccessToken<string>(accessToken, $"{TestApiPath}/me/id", tester.PayTester.HttpClient);
|
|
|
|
|
Assert.Equal(testAccount.UserId, resultUser);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
await Assert.ThrowsAnyAsync<HttpRequestException>(async () =>
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<string>(accessToken, $"{TestApiPath}/me/id", tester.PayTester.HttpClient);
|
|
|
|
|
});
|
|
|
|
|
}
|
2020-02-24 14:36:15 +01:00
|
|
|
//create a second user to see if any of its data gets messed upin our results.
|
|
|
|
|
var secondUser = tester.NewAccount();
|
|
|
|
|
secondUser.GrantAccess();
|
|
|
|
|
|
2020-03-20 05:41:47 +01:00
|
|
|
var canModifyAllStores = Permission.Create(Policies.CanModifyStoreSettings, null);
|
|
|
|
|
var canModifyServer = Permission.Create(Policies.CanModifyServerSettings, null);
|
|
|
|
|
var unrestricted = Permission.Create(Policies.Unrestricted, null);
|
2020-06-07 16:17:48 +02:00
|
|
|
var selectiveStorePermissions = permissions.Where(p => p.Scope != null && p.Policy == Policies.CanModifyStoreSettings);
|
2020-03-19 11:11:15 +01:00
|
|
|
if (permissions.Contains(canModifyAllStores) || selectiveStorePermissions.Any())
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
var resultStores =
|
|
|
|
|
await TestApiAgainstAccessToken<StoreData[]>(accessToken, $"{TestApiPath}/me/stores",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
|
2020-03-19 11:11:15 +01:00
|
|
|
foreach (var selectiveStorePermission in selectiveStorePermissions)
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
Assert.True(await TestApiAgainstAccessToken<bool>(accessToken,
|
2020-06-07 16:17:48 +02:00
|
|
|
$"{TestApiPath}/me/stores/{selectiveStorePermission.Scope}/can-edit",
|
2020-02-24 14:36:15 +01:00
|
|
|
tester.PayTester.HttpClient));
|
|
|
|
|
|
|
|
|
|
Assert.Contains(resultStores,
|
2020-06-07 16:17:48 +02:00
|
|
|
data => data.Id.Equals(selectiveStorePermission.Scope, StringComparison.InvariantCultureIgnoreCase));
|
2020-02-24 14:36:15 +01:00
|
|
|
}
|
|
|
|
|
|
2020-03-19 11:11:15 +01:00
|
|
|
bool shouldBeAuthorized = false;
|
2020-03-20 05:41:47 +01:00
|
|
|
if (permissions.Contains(canModifyAllStores) || selectiveStorePermissions.Contains(Permission.Create(Policies.CanViewStoreSettings, testAccount.StoreId)))
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
Assert.True(await TestApiAgainstAccessToken<bool>(accessToken,
|
2020-03-19 11:11:15 +01:00
|
|
|
$"{TestApiPath}/me/stores/{testAccount.StoreId}/can-view",
|
|
|
|
|
tester.PayTester.HttpClient));
|
|
|
|
|
Assert.Contains(resultStores,
|
|
|
|
|
data => data.Id.Equals(testAccount.StoreId, StringComparison.InvariantCultureIgnoreCase));
|
|
|
|
|
shouldBeAuthorized = true;
|
|
|
|
|
}
|
2020-03-20 05:41:47 +01:00
|
|
|
if (permissions.Contains(canModifyAllStores) || selectiveStorePermissions.Contains(Permission.Create(Policies.CanModifyStoreSettings, testAccount.StoreId)))
|
2020-03-19 11:11:15 +01:00
|
|
|
{
|
|
|
|
|
Assert.True(await TestApiAgainstAccessToken<bool>(accessToken,
|
|
|
|
|
$"{TestApiPath}/me/stores/{testAccount.StoreId}/can-view",
|
2020-02-24 14:36:15 +01:00
|
|
|
tester.PayTester.HttpClient));
|
|
|
|
|
Assert.True(await TestApiAgainstAccessToken<bool>(accessToken,
|
|
|
|
|
$"{TestApiPath}/me/stores/{testAccount.StoreId}/can-edit",
|
|
|
|
|
tester.PayTester.HttpClient));
|
|
|
|
|
Assert.Contains(resultStores,
|
|
|
|
|
data => data.Id.Equals(testAccount.StoreId, StringComparison.InvariantCultureIgnoreCase));
|
2020-03-19 11:11:15 +01:00
|
|
|
shouldBeAuthorized = true;
|
2020-02-24 14:36:15 +01:00
|
|
|
}
|
2020-03-20 05:22:10 +01:00
|
|
|
|
2020-03-19 11:11:15 +01:00
|
|
|
if (!shouldBeAuthorized)
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
await Assert.ThrowsAnyAsync<HttpRequestException>(async () =>
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>(accessToken,
|
2020-03-19 11:11:15 +01:00
|
|
|
$"{TestApiPath}/me/stores/{testAccount.StoreId}/can-edit",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
});
|
|
|
|
|
await Assert.ThrowsAnyAsync<HttpRequestException>(async () =>
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>(accessToken,
|
|
|
|
|
$"{TestApiPath}/me/stores/{testAccount.StoreId}/can-view",
|
|
|
|
|
tester.PayTester.HttpClient);
|
2020-02-24 14:36:15 +01:00
|
|
|
});
|
2020-03-19 11:11:15 +01:00
|
|
|
Assert.DoesNotContain(resultStores,
|
|
|
|
|
data => data.Id.Equals(testAccount.StoreId, StringComparison.InvariantCultureIgnoreCase));
|
2020-02-24 14:36:15 +01:00
|
|
|
}
|
|
|
|
|
}
|
2020-03-20 05:22:10 +01:00
|
|
|
else if (!permissions.Contains(unrestricted))
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
2020-03-20 05:22:10 +01:00
|
|
|
|
2020-02-24 14:36:15 +01:00
|
|
|
await Assert.ThrowsAnyAsync<HttpRequestException>(async () =>
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>(accessToken,
|
|
|
|
|
$"{TestApiPath}/me/stores/{testAccount.StoreId}/can-edit",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
});
|
|
|
|
|
}
|
2020-03-16 08:13:44 +01:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>(accessToken,
|
|
|
|
|
$"{TestApiPath}/me/stores/{testAccount.StoreId}/can-edit",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
}
|
2020-02-24 14:36:15 +01:00
|
|
|
|
2020-03-19 11:11:15 +01:00
|
|
|
if (!permissions.Contains(unrestricted))
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
2020-03-13 07:58:09 +01:00
|
|
|
await Assert.ThrowsAnyAsync<HttpRequestException>(async () =>
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>(accessToken, $"{TestApiPath}/me/stores/{secondUser.StoreId}/can-edit",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
});
|
|
|
|
|
}
|
2020-03-16 08:13:44 +01:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>(accessToken, $"{TestApiPath}/me/stores/{secondUser.StoreId}/can-edit",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
}
|
2020-02-24 14:36:15 +01:00
|
|
|
|
2020-03-19 11:11:15 +01:00
|
|
|
if (permissions.Contains(canModifyServer))
|
2020-02-24 14:36:15 +01:00
|
|
|
{
|
|
|
|
|
Assert.True(await TestApiAgainstAccessToken<bool>(accessToken,
|
|
|
|
|
$"{TestApiPath}/me/is-admin",
|
|
|
|
|
tester.PayTester.HttpClient));
|
|
|
|
|
}
|
2020-03-16 08:13:44 +01:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
await Assert.ThrowsAnyAsync<HttpRequestException>(async () =>
|
|
|
|
|
{
|
|
|
|
|
await TestApiAgainstAccessToken<bool>(accessToken,
|
|
|
|
|
$"{TestApiPath}/me/is-admin",
|
|
|
|
|
tester.PayTester.HttpClient);
|
|
|
|
|
});
|
|
|
|
|
}
|
2020-02-24 14:36:15 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public async Task<T> TestApiAgainstAccessToken<T>(string apikey, string url, HttpClient client)
|
|
|
|
|
{
|
|
|
|
|
var httpRequest = new HttpRequestMessage(HttpMethod.Get,
|
|
|
|
|
new Uri(client.BaseAddress, url));
|
|
|
|
|
httpRequest.Headers.Authorization = new AuthenticationHeaderValue("token", apikey);
|
|
|
|
|
var result = await client.SendAsync(httpRequest);
|
|
|
|
|
result.EnsureSuccessStatusCode();
|
|
|
|
|
|
|
|
|
|
var rawJson = await result.Content.ReadAsStringAsync();
|
|
|
|
|
if (typeof(T).IsPrimitive || typeof(T) == typeof(string))
|
|
|
|
|
{
|
|
|
|
|
return (T)Convert.ChangeType(rawJson, typeof(T));
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-20 10:56:30 +01:00
|
|
|
return JsonConvert.DeserializeObject<T>(rawJson);
|
2020-02-24 14:36:15 +01:00
|
|
|
}
|
2020-09-17 11:37:49 +02:00
|
|
|
|
|
|
|
|
private string GetAccessTokenFromCallbackResult(IWebDriver driver)
|
|
|
|
|
{
|
|
|
|
|
var source = driver.FindElement(By.TagName("body")).Text;
|
|
|
|
|
var json = JObject.Parse(source);
|
|
|
|
|
return json.GetValue("apiKey")!.Value<string>();
|
|
|
|
|
}
|
2020-02-24 14:36:15 +01:00
|
|
|
}
|
|
|
|
|
}
|
