Add integration test for REST server API key security (hyperledger-ar…

…chives#3969) * Add integration test for REST server API key security Signed-off-by: Mark S. Lewis <[email protected]> * Add integration test for incorrect REST server API key Signed-off-by: Mark S. Lewis <[email protected]>
1018053166 · May 9, 2018 · 82ad8b2 · 82ad8b2
1 parent e866a16
commit 82ad8b2
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 0 deletions.
diff --git a/packages/composer-tests-integration/features/rest-apikey.feature b/packages/composer-tests-integration/features/rest-apikey.feature
@@ -0,0 +1,44 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+@rest @rest-apikey
+Feature: Rest steps
+
+    Background:
+        Given I have admin business cards available
+
+    Scenario: Using a secured REST API, requests are rejeted if the API key is not supplied
+        Given I have a secured REST API server for test-network using API key "conga"
+        And I have cleared the cookie jar
+        When I make a GET request to /api/system/ping
+        Then The response code should be 401
+
+    Scenario: Using a secured REST API, requests are rejeted if the wrong API key is supplied
+        When I make a GET request to /api/system/ping with API key "cOnGa"
+        Then The response code should be 401
+
+    Scenario: Using a secured REST API, requests are accepted if the correct API key is supplied
+        When I make a GET request to /api/system/ping with API key "conga"
+        Then The response code should be 200
+        And The response body should be JSON matching
+            """
+              {
+                "version": _.isString,
+                "participant": "org.hyperledger.composer.system.NetworkAdmin#admin",
+                "identity": _.isString
+              }
+            """
+
+    Scenario: Finally, shutdown the REST server
+        When I shutdown the REST server
diff --git a/packages/composer-tests-integration/lib/reststeps.js b/packages/composer-tests-integration/lib/reststeps.js
@@ -40,6 +40,11 @@ module.exports = function () {
         await startRestServer.apply(this, [name]);
     });
 
+    this.Given('I have a secured REST API server for {word} using API key {string}', {timeout: 240 * 1000}, async function (name, apiKey) {
+        delete process.env.COMPOSER_PROVIDERS;
+        await startRestServer.apply(this, [name, ['--apikey', apiKey]]);
+    });
+
     this.Given(/^I have an authenticated REST API server for (.+?)$/, {timeout: 240 * 1000}, async function (name) {
         const port = fs.readFileSync(path.resolve(__dirname, '..', 'ldap.port'));
         process.env.COMPOSER_PROVIDERS = JSON.stringify({
@@ -141,6 +146,15 @@ module.exports = function () {
         return this.composer.request('GET', `http://localhost:3000${urlPath}` + '?filter=' + encodeURIComponent(filter));
     });
 
+    this.When('I make a GET request to {word} with API key {string}', function (urlPath, apiKey) {
+        const requestOptions = {
+            headers: {
+                'x-api-key': apiKey
+            }
+        };
+        return this.composer.request('GET', `http://localhost:3000${urlPath}`, null, requestOptions);
+    });
+
     this.When('I shutdown the REST server', function() {
         return this.composer.killBackground('REST_SVR');
     });