Merge branch 'login-captcha' into staging

Leandro Santos
2 parents f709f891 7684f638
Showing 10 changed files with 217 additions and 1 deletions Show diff stats
lib/noosfero/api/captcha_session_store.rb
lib/noosfero/api/helpers.rb
lib/noosfero/api/session.rb
lib/noosfero/api/v1/articles.rb
plugins/serpro_captcha/lib/serpro_captcha_plugin.rb
plugins/serpro_captcha/lib/serpro_captcha_plugin/api.rb
plugins/serpro_captcha/test/test_helper.rb
plugins/serpro_captcha/test/unit/api_test.rb
test/unit/api/login_captcha_test.rb
test/unit/api/test_helper.rb
@@ -0,0 +1,30 @@
+class Noosfero::API::CaptchaSessionStore
+
+  attr_accessor :data
+  attr_reader :private_token
+
+  def self.create
+    key = SecureRandom.hex
+    store = Noosfero::API::CaptchaSessionStore.new(key)
+    Rails.cache.write(store.private_token, store, expires_in: 300)
+    return store
+  end
+
+  def initialize(key)
+    @private_token = key
+  end
+
+  def self.get(key)
+    Rails.cache.fetch(key)
+  end
+
+  def store
+    Rails.cache.write(@private_token, self)
+  end
+
+  def destroy
+    Rails.cache.delete(@private_token)
+  end
+
+
+end
@@ -21,6 +21,16 @@ require &#39;grape&#39;
         plugins
       end
+      def current_tmp_user
+        private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
+        @current_tmp_user = Noosfero::API::CaptchaSessionStore.get(private_token)
+        @current_tmp_user
+      end
+
+      def logout_tmp_user
+        @current_tmp_user = nil
+      end      
+
       def current_user
         private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
         @current_user ||= User.find_by_private_token(private_token)
@@ -257,6 +267,13 @@ require &#39;grape&#39;
         unauthorized! unless current_user
       end
+      # Allows the anonymous captcha user authentication 
+      # to pass the check. Used by the articles/vote to allow
+      # the vote without login
+      def authenticate_allow_captcha!
+        unauthorized! unless current_tmp_user || current_user
+      end
+
       # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
       # or a Bad Request error is invoked.
       #
@@ -331,6 +348,8 @@ require &#39;grape&#39;
       def set_session_cookie
         cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
+        # Set also the private_token for the current_tmp_user
+        cookies['_noosfero_api_session'] = { value: @current_tmp_user.private_token, httponly: true } if @current_tmp_user.present?
       end
       def setup_multitenancy
@@ -4,6 +4,22 @@ module Noosfero
   module API
     class Session < Grape::API
+      ################################
+      # => Login with captcha only
+      # This method will attempt to login the user using only the captcha.
+      # To do this, we generate a temporary in-memory user and generate a private
+      # token to it.
+      ################################
+      post "/login-captcha" do
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        # test_captcha will render_api_error! and exit in case of any problem
+        # this return is just to improve the clarity of the execution path
+        return unless test_captcha(remote_ip, params, environment)
+        ## Creates and caches a captcha session store
+        store = Noosfero::API::CaptchaSessionStore.create
+        { "private_token" => "#{store.private_token}" }
+      end
+
       # Login to get token
       #
       # Parameters:
@@ -133,7 +133,8 @@ module Noosfero
             named 'ArticleVote'
           end
           post ':id/vote' do
-            authenticate!
+            ## The vote api should allow regular login or with captcha
+            authenticate_allow_captcha!
             value = (params[:value] || 1).to_i
             # FIXME verify allowed values
             render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
@@ -0,0 +1,15 @@
+class SerproCaptchaPlugin < Noosfero::Plugin
+
+  def self.plugin_name
+    _('Serpro captcha plugin')
+  end
+
+  def self.plugin_description
+    _("Provide a plugin to Serpro's captcha infrastructure.")
+  end
+
+  def self.api_mount_points
+    [SerproCaptchaPlugin::API ]
+  end
+
+end
@@ -0,0 +1,16 @@
+class SerproCaptchaPlugin::API < Grape::API
+
+  # resource :dialoga_plugin do
+      # get 'random_topics/:discussion_id' do
+      #     discussion = ProposalsDiscussionPlugin::Discussion.find(params[:discussion_id])
+      #
+      #     # render articles using Entity Article
+      #     present discussion.random_topics_one_by_category, :with => Noosfero::API::Entities::Article, :fields => params[:fields]
+      # end
+
+      get 'test_captcha' do
+        present 'chegou no test_captcha do SerproCaptchaPlugin'
+      end
+  # end
+
+end
@@ -0,0 +1 @@
+require File.dirname(__FILE__) + '/../../../test/test_helper'
@@ -0,0 +1,13 @@
+require_relative '../test_helper'
+require_relative '../../../../test/unit/api/test_helper'
+
+class APITest <  ActiveSupport::TestCase
+
+  def setup
+#    login_api
+  end
+
+  should 'return something' do
+  end
+
+end
@@ -0,0 +1,73 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class LoginCaptchaTest < ActiveSupport::TestCase
+
+  def setup()
+    @environment = Environment.default
+    @environment.api_captcha_settings = {
+        enabled: true,
+        provider: 'serpro',
+        serpro_client_id:  '0000000000000000',
+        verify_uri:  'http://captcha.serpro.gov.br/validate',
+    }
+    @environment.save!
+  	@url = "/api/v1/login-captcha?"
+  end
+
+  def create_article(name)
+    person = fast_create(Person, :environment_id => @environment.id)
+    fast_create(Article, :profile_id => person.id, :name => name)    
+  end
+
+  should 'not perform a vote without authentication' do
+    article = create_article('Article 1')
+    params = {}
+    params[:value] = 1
+
+    post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert_equal 401, last_response.status
+  end
+
+  should 'perform login from helpers' do
+    login_with_captcha
+    assert_not_nil @private_token
+  end
+
+
+  should 'perform a vote in an article identified by id' do
+    login_with_captcha
+    article = create_article('Article 1')
+    params[:value] = 1
+
+    post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    
+    assert_not_equal 401, last_response.status
+    assert_equal true, json['vote']
+  end
+
+  should 'not follow any article' do
+    login_with_captcha
+    article = create_article('Article 1')
+    post "/api/v1/articles/#{article.id}/follow?#{params.to_query}"
+    json = JSON.parse(last_response.body)
+
+    assert_equal 401, last_response.status
+  end
+
+  should 'not generate private token when login without captcha' do
+    params = {}
+    post "#{@url}#{params.to_query}"
+    json = JSON.parse(last_response.body)
+    assert json["private_token"].blank?
+  end
+
+  should 'generate private token when login with captcha' do
+    json = login_with_captcha
+    ret = json["private_token"]
+    assert !ret.blank?
+    assert ret == @private_token
+  end
+
+end
 \ No newline at end of file
@@ -8,6 +8,38 @@ class ActiveSupport::TestCase
     Noosfero::API::API
   end
+  def login_with_captcha
+    json = do_login_captcha_from_api
+    @private_token = json["private_token"]
+    @params = { "private_token" => @private_token}
+    json
+  end
+
+  ## Performs a login using the session.rb but mocking the
+  ## real HTTP request to validate the captcha.
+  def do_login_captcha_from_api
+    # Request mocking
+    #Net::HTTP::Post Mock
+    request = mock
+    #Net::HTTP Mock
+    http = mock
+    uri = URI(environment.api_captcha_settings[:verify_uri])
+    Net::HTTP.expects(:new).with(uri.host, uri.port).returns(http)
+    Net::HTTP::Post.expects(:new).with(uri.path).returns(request)
+
+    # Captcha required codes
+    request.stubs(:body=).with("0000000000000000&4324343&4030320")
+    http.stubs(:request).with(request).returns(http)
+
+    # Captcha validation success !!
+    http.stubs(:body).returns("1")
+
+    params = {:txtToken_captcha_serpro_gov_br => '4324343', :captcha_text => '4030320'}   
+    post "#{@url}#{params.to_query}"
+    json = JSON.parse(last_response.body)    
+    json
+  end
+
   def login_api
     @environment = Environment.default
     @user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment)
@@ -0,0 +1,30 @@		@@ -0,0 +1,30 @@
	1	+class Noosfero::API::CaptchaSessionStore
	2	+
	3	+ attr_accessor :data
	4	+ attr_reader :private_token
	5	+
	6	+ def self.create
	7	+ key = SecureRandom.hex
	8	+ store = Noosfero::API::CaptchaSessionStore.new(key)
	9	+ Rails.cache.write(store.private_token, store, expires_in: 300)
	10	+ return store
	11	+ end
	12	+
	13	+ def initialize(key)
	14	+ @private_token = key
	15	+ end
	16	+
	17	+ def self.get(key)
	18	+ Rails.cache.fetch(key)
	19	+ end
	20	+
	21	+ def store
	22	+ Rails.cache.write(@private_token, self)
	23	+ end
	24	+
	25	+ def destroy
	26	+ Rails.cache.delete(@private_token)
	27	+ end
	28	+
	29	+
	30	+end
	@@ -21,6 +21,16 @@ require 'grape'		@@ -21,6 +21,16 @@ require 'grape'
21	plugins	21	plugins
22	end	22	end
23		23
		24	+ def current_tmp_user
		25	+ private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s
		26	+ @current_tmp_user = Noosfero::API::CaptchaSessionStore.get(private_token)
		27	+ @current_tmp_user
		28	+ end
		29	+
		30	+ def logout_tmp_user
		31	+ @current_tmp_user = nil
		32	+ end
		33	+
24	def current_user	34	def current_user
25	private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s	35	private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s
26	@current_user \|\|= User.find_by_private_token(private_token)	36	@current_user \|\|= User.find_by_private_token(private_token)
	@@ -257,6 +267,13 @@ require 'grape'		@@ -257,6 +267,13 @@ require 'grape'
257	unauthorized! unless current_user	267	unauthorized! unless current_user
258	end	268	end
259		269
		270	+ # Allows the anonymous captcha user authentication
		271	+ # to pass the check. Used by the articles/vote to allow
		272	+ # the vote without login
		273	+ def authenticate_allow_captcha!
		274	+ unauthorized! unless current_tmp_user \|\| current_user
		275	+ end
		276	+
260	# Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash	277	# Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
261	# or a Bad Request error is invoked.	278	# or a Bad Request error is invoked.
262	#	279	#
	@@ -331,6 +348,8 @@ require 'grape'		@@ -331,6 +348,8 @@ require 'grape'
331		348
332	def set_session_cookie	349	def set_session_cookie
333	cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?	350	cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
		351	+ # Set also the private_token for the current_tmp_user
		352	+ cookies['_noosfero_api_session'] = { value: @current_tmp_user.private_token, httponly: true } if @current_tmp_user.present?
334	end	353	end
335		354
336	def setup_multitenancy	355	def setup_multitenancy
	@@ -4,6 +4,22 @@ module Noosfero		@@ -4,6 +4,22 @@ module Noosfero
4	module API	4	module API
5	class Session < Grape::API	5	class Session < Grape::API
6		6
		7	+ ################################
		8	+ # => Login with captcha only
		9	+ # This method will attempt to login the user using only the captcha.
		10	+ # To do this, we generate a temporary in-memory user and generate a private
		11	+ # token to it.
		12	+ ################################
		13	+ post "/login-captcha" do
		14	+ remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) \|\| (env && env['REMOTE_ADDR'])
		15	+ # test_captcha will render_api_error! and exit in case of any problem
		16	+ # this return is just to improve the clarity of the execution path
		17	+ return unless test_captcha(remote_ip, params, environment)
		18	+ ## Creates and caches a captcha session store
		19	+ store = Noosfero::API::CaptchaSessionStore.create
		20	+ { "private_token" => "#{store.private_token}" }
		21	+ end
		22	+
7	# Login to get token	23	# Login to get token
8	#	24	#
9	# Parameters:	25	# Parameters:
@@ -0,0 +1,15 @@		@@ -0,0 +1,15 @@
	1	+class SerproCaptchaPlugin < Noosfero::Plugin
	2	+
	3	+ def self.plugin_name
	4	+ _('Serpro captcha plugin')
	5	+ end
	6	+
	7	+ def self.plugin_description
	8	+ _("Provide a plugin to Serpro's captcha infrastructure.")
	9	+ end
	10	+
	11	+ def self.api_mount_points
	12	+ [SerproCaptchaPlugin::API ]
	13	+ end
	14	+
	15	+end
@@ -0,0 +1,16 @@		@@ -0,0 +1,16 @@
	1	+class SerproCaptchaPlugin::API < Grape::API
	2	+
	3	+ # resource :dialoga_plugin do
	4	+ # get 'random_topics/:discussion_id' do
	5	+ # discussion = ProposalsDiscussionPlugin::Discussion.find(params[:discussion_id])
	6	+ #
	7	+ # # render articles using Entity Article
	8	+ # present discussion.random_topics_one_by_category, :with => Noosfero::API::Entities::Article, :fields => params[:fields]
	9	+ # end
	10	+
	11	+ get 'test_captcha' do
	12	+ present 'chegou no test_captcha do SerproCaptchaPlugin'
	13	+ end
	14	+ # end
	15	+
	16	+end
	@@ -0,0 +1 @@		@@ -0,0 +1 @@
		1	+require File.dirname(__FILE__) + '/../../../test/test_helper'
@@ -0,0 +1,13 @@		@@ -0,0 +1,13 @@
	1	+require_relative '../test_helper'
	2	+require_relative '../../../../test/unit/api/test_helper'
	3	+
	4	+class APITest < ActiveSupport::TestCase
	5	+
	6	+ def setup
	7	+# login_api
	8	+ end
	9	+
	10	+ should 'return something' do
	11	+ end
	12	+
	13	+end
	@@ -0,0 +1,73 @@		@@ -0,0 +1,73 @@
		1	+require File.dirname(__FILE__) + '/test_helper'
		2	+
		3	+class LoginCaptchaTest < ActiveSupport::TestCase
		4	+
		5	+ def setup()
		6	+ @environment = Environment.default
		7	+ @environment.api_captcha_settings = {
		8	+ enabled: true,
		9	+ provider: 'serpro',
		10	+ serpro_client_id: '0000000000000000',
		11	+ verify_uri: 'http://captcha.serpro.gov.br/validate',
		12	+ }
		13	+ @environment.save!
		14	+ @url = "/api/v1/login-captcha?"
		15	+ end
		16	+
		17	+ def create_article(name)
		18	+ person = fast_create(Person, :environment_id => @environment.id)
		19	+ fast_create(Article, :profile_id => person.id, :name => name)
		20	+ end
		21	+
		22	+ should 'not perform a vote without authentication' do
		23	+ article = create_article('Article 1')
		24	+ params = {}
		25	+ params[:value] = 1
		26	+
		27	+ post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
		28	+ json = JSON.parse(last_response.body)
		29	+ assert_equal 401, last_response.status
		30	+ end
		31	+
		32	+ should 'perform login from helpers' do
		33	+ login_with_captcha
		34	+ assert_not_nil @private_token
		35	+ end
		36	+
		37	+
		38	+ should 'perform a vote in an article identified by id' do
		39	+ login_with_captcha
		40	+ article = create_article('Article 1')
		41	+ params[:value] = 1
		42	+
		43	+ post "/api/v1/articles/#{article.id}/vote?#{params.to_query}"
		44	+ json = JSON.parse(last_response.body)
		45	+
		46	+ assert_not_equal 401, last_response.status
		47	+ assert_equal true, json['vote']
		48	+ end
		49	+
		50	+ should 'not follow any article' do
		51	+ login_with_captcha
		52	+ article = create_article('Article 1')
		53	+ post "/api/v1/articles/#{article.id}/follow?#{params.to_query}"
		54	+ json = JSON.parse(last_response.body)
		55	+
		56	+ assert_equal 401, last_response.status
		57	+ end
		58	+
		59	+ should 'not generate private token when login without captcha' do
		60	+ params = {}
		61	+ post "#{@url}#{params.to_query}"
		62	+ json = JSON.parse(last_response.body)
		63	+ assert json["private_token"].blank?
		64	+ end
		65	+
		66	+ should 'generate private token when login with captcha' do
		67	+ json = login_with_captcha
		68	+ ret = json["private_token"]
		69	+ assert !ret.blank?
		70	+ assert ret == @private_token
		71	+ end
		72	+
		73	+end
0	\ No newline at end of file	74	\ No newline at end of file
	@@ -8,6 +8,38 @@ class ActiveSupport::TestCase		@@ -8,6 +8,38 @@ class ActiveSupport::TestCase
8	Noosfero::API::API	8	Noosfero::API::API
9	end	9	end
10		10
		11	+ def login_with_captcha
		12	+ json = do_login_captcha_from_api
		13	+ @private_token = json["private_token"]
		14	+ @params = { "private_token" => @private_token}
		15	+ json
		16	+ end
		17	+
		18	+ ## Performs a login using the session.rb but mocking the
		19	+ ## real HTTP request to validate the captcha.
		20	+ def do_login_captcha_from_api
		21	+ # Request mocking
		22	+ #Net::HTTP::Post Mock
		23	+ request = mock
		24	+ #Net::HTTP Mock
		25	+ http = mock
		26	+ uri = URI(environment.api_captcha_settings[:verify_uri])
		27	+ Net::HTTP.expects(:new).with(uri.host, uri.port).returns(http)
		28	+ Net::HTTP::Post.expects(:new).with(uri.path).returns(request)
		29	+
		30	+ # Captcha required codes
		31	+ request.stubs(:body=).with("0000000000000000&4324343&4030320")
		32	+ http.stubs(:request).with(request).returns(http)
		33	+
		34	+ # Captcha validation success !!
		35	+ http.stubs(:body).returns("1")
		36	+
		37	+ params = {:txtToken_captcha_serpro_gov_br => '4324343', :captcha_text => '4030320'}
		38	+ post "#{@url}#{params.to_query}"
		39	+ json = JSON.parse(last_response.body)
		40	+ json
		41	+ end
		42	+
11	def login_api	43	def login_api
12	@environment = Environment.default	44	@environment = Environment.default
13	@user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment)	45	@user = User.create!(:login => 'testapi', :password => 'testapi', :password_confirmation => 'testapi', :email => 'test@test.org', :environment => @environment)