Refactor email delivery and background jobs system
- Switch from SolidQueue to async job processor for simpler background job handling - Remove SolidQueue gem and related configuration files - Add letter_opener gem for development email preview - Fix invitation email template issues (invitation_login_token method and route helper) - Configure SMTP settings via environment variables in application.rb - Add email delivery configuration banner on admin users page - Improve admin users page with inline action buttons and SMTP configuration warnings - Update development and production environments to use async processor - Add helper methods to detect SMTP configuration and filter out localhost settings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Dan Milne
398
test/system/forward_auth_system_test.rb
Normal file
398
test/system/forward_auth_system_test.rb
Normal file
@@ -0,0 +1,398 @@
|
||||
require "test_helper"
|
||||
|
||||
class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
|
||||
driven_by :rack_test
|
||||
|
||||
setup do
|
||||
@user = users(:one)
|
||||
@admin_user = users(:two)
|
||||
@group = groups(:one)
|
||||
@group2 = groups(:two)
|
||||
end
|
||||
|
||||
# End-to-End Authentication Flow Tests
|
||||
test "complete forward auth flow with default headers" do
|
||||
# Create a rule with default headers
|
||||
rule = ForwardAuthRule.create!(domain_pattern: "app.example.com", active: true)
|
||||
|
||||
# Step 1: Unauthenticated request to protected resource
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "app.example.com",
|
||||
"X-Forwarded-Uri" => "/dashboard"
|
||||
}, params: { rd: "https://app.example.com/dashboard" }
|
||||
|
||||
assert_response 302
|
||||
location = response.location
|
||||
assert_match %r{/signin}, location
|
||||
assert_match %r{rd=https://app.example.com/dashboard}, location
|
||||
|
||||
# Step 2: Extract return URL from session
|
||||
assert_equal "https://app.example.com/dashboard", session[:return_to_after_authenticating]
|
||||
|
||||
# Step 3: Sign in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
|
||||
assert_response 302
|
||||
assert_redirected_to "https://app.example.com/dashboard"
|
||||
|
||||
# Step 4: Authenticated request to protected resource
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
|
||||
|
||||
assert_response 200
|
||||
assert_equal @user.email_address, response.headers["X-Remote-User"]
|
||||
assert_equal @user.email_address, response.headers["X-Remote-Email"]
|
||||
assert_equal "false", response.headers["X-Remote-Admin"] unless @user.admin?
|
||||
end
|
||||
|
||||
test "multiple domain access with single session" do
|
||||
# Create rules for different applications
|
||||
app_rule = ForwardAuthRule.create!(domain_pattern: "app.example.com", active: true)
|
||||
grafana_rule = ForwardAuthRule.create!(
|
||||
domain_pattern: "grafana.example.com",
|
||||
active: true,
|
||||
headers_config: { user: "X-WEBAUTH-USER", email: "X-WEBAUTH-EMAIL" }
|
||||
)
|
||||
metube_rule = ForwardAuthRule.create!(
|
||||
domain_pattern: "metube.example.com",
|
||||
active: true,
|
||||
headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
|
||||
)
|
||||
|
||||
# Sign in once
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
assert_response 302
|
||||
assert_redirected_to "/"
|
||||
|
||||
# Test access to different applications
|
||||
# App with default headers
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
|
||||
assert_response 200
|
||||
assert_equal "X-Remote-User", response.headers.keys.find { |k| k.include?("User") }
|
||||
|
||||
# Grafana with custom headers
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "grafana.example.com" }
|
||||
assert_response 200
|
||||
assert_equal "X-WEBAUTH-USER", response.headers.keys.find { |k| k.include?("USER") }
|
||||
|
||||
# Metube with no headers
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "metube.example.com" }
|
||||
assert_response 200
|
||||
auth_headers = response.headers.select { |k, v| k.match?(/^(X-|Remote-)/i) }
|
||||
assert_empty auth_headers
|
||||
end
|
||||
|
||||
# Group-Based Access Control System Tests
|
||||
test "group-based access control with multiple groups" do
|
||||
# Create restricted rule
|
||||
restricted_rule = ForwardAuthRule.create!(
|
||||
domain_pattern: "admin.example.com",
|
||||
active: true
|
||||
)
|
||||
restricted_rule.allowed_groups << @group
|
||||
restricted_rule.allowed_groups << @group2
|
||||
|
||||
# Add user to first group only
|
||||
@user.groups << @group
|
||||
|
||||
# Sign in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
assert_response 302
|
||||
|
||||
# Should have access (in allowed group)
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
|
||||
assert_response 200
|
||||
assert_equal @group.name, response.headers["X-Remote-Groups"]
|
||||
|
||||
# Add user to second group
|
||||
@user.groups << @group2
|
||||
|
||||
# Should show multiple groups
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
|
||||
assert_response 200
|
||||
groups_header = response.headers["X-Remote-Groups"]
|
||||
assert_includes groups_header, @group.name
|
||||
assert_includes groups_header, @group2.name
|
||||
|
||||
# Remove user from all groups
|
||||
@user.groups.clear
|
||||
|
||||
# Should be denied
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
|
||||
assert_response 403
|
||||
end
|
||||
|
||||
test "bypass mode when no groups assigned to rule" do
|
||||
# Create bypass rule (no groups)
|
||||
bypass_rule = ForwardAuthRule.create!(
|
||||
domain_pattern: "public.example.com",
|
||||
active: true
|
||||
)
|
||||
|
||||
# Create user with no groups
|
||||
@user.groups.clear
|
||||
|
||||
# Sign in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
assert_response 302
|
||||
|
||||
# Should have access (bypass mode)
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "public.example.com" }
|
||||
assert_response 200
|
||||
assert_equal @user.email_address, response.headers["X-Remote-User"]
|
||||
end
|
||||
|
||||
# Security System Tests
|
||||
test "session security and isolation" do
|
||||
# User A signs in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
user_a_session = cookies[:session_id]
|
||||
|
||||
# User B signs in
|
||||
delete "/session"
|
||||
post "/signin", params: { email_address: @admin_user.email_address, password: "password" }
|
||||
user_b_session = cookies[:session_id]
|
||||
|
||||
# User A should still be able to access resources
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "test.example.com",
|
||||
"Cookie" => "_clinch_session_id=#{user_a_session}"
|
||||
}
|
||||
assert_response 200
|
||||
assert_equal @user.email_address, response.headers["X-Remote-User"]
|
||||
|
||||
# User B should be able to access resources
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "test.example.com",
|
||||
"Cookie" => "_clinch_session_id=#{user_b_session}"
|
||||
}
|
||||
assert_response 200
|
||||
assert_equal @admin_user.email_address, response.headers["X-Remote-User"]
|
||||
|
||||
# Sessions should be independent
|
||||
assert_not_equal user_a_session, user_b_session
|
||||
end
|
||||
|
||||
test "session expiration and cleanup" do
|
||||
# Sign in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
session_id = cookies[:session_id]
|
||||
|
||||
# Should work initially
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
||||
assert_response 200
|
||||
|
||||
# Manually expire session
|
||||
session = Session.find(session_id)
|
||||
session.update!(created_at: 1.year.ago)
|
||||
|
||||
# Should redirect to login
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
||||
assert_response 302
|
||||
assert_equal "Session expired", response.headers["X-Auth-Reason"]
|
||||
|
||||
# Session should be cleaned up
|
||||
assert_nil Session.find_by(id: session_id)
|
||||
end
|
||||
|
||||
test "concurrent access with rate limiting considerations" do
|
||||
# Sign in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
session_cookie = cookies[:session_id]
|
||||
|
||||
# Simulate multiple concurrent requests from different IPs
|
||||
threads = []
|
||||
results = []
|
||||
|
||||
10.times do |i|
|
||||
threads << Thread.new do
|
||||
start_time = Time.current
|
||||
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "app#{i}.example.com",
|
||||
"X-Forwarded-For" => "192.168.1.#{100 + i}",
|
||||
"Cookie" => "_clinch_session_id=#{session_cookie}"
|
||||
}
|
||||
|
||||
end_time = Time.current
|
||||
|
||||
results << {
|
||||
thread_id: i,
|
||||
status: response.status,
|
||||
user: response.headers["X-Remote-User"],
|
||||
duration: end_time - start_time
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
threads.each(&:join)
|
||||
|
||||
# All requests should succeed
|
||||
results.each do |result|
|
||||
assert_equal 200, result[:status], "Thread #{result[:thread_id]} failed"
|
||||
assert_equal @user.email_address, result[:user], "Thread #{result[:thread_id]} has wrong user"
|
||||
assert result[:duration] < 1.0, "Thread #{result[:thread_id]} was too slow"
|
||||
end
|
||||
end
|
||||
|
||||
# Complex Scenario System Tests
|
||||
test "complex multi-application scenario" do
|
||||
# Setup multiple applications with different requirements
|
||||
apps = [
|
||||
{
|
||||
domain: "dashboard.example.com",
|
||||
headers_config: { user: "X-DASHBOARD-USER", groups: "X-DASHBOARD-GROUPS" },
|
||||
groups: [@group]
|
||||
},
|
||||
{
|
||||
domain: "api.example.com",
|
||||
headers_config: { user: "X-API-USER", email: "X-API-EMAIL" },
|
||||
groups: []
|
||||
},
|
||||
{
|
||||
domain: "logs.example.com",
|
||||
headers_config: { user: "", email: "", name: "", groups: "", admin: "" },
|
||||
groups: []
|
||||
}
|
||||
]
|
||||
|
||||
# Create rules for each app
|
||||
rules = apps.map do |app|
|
||||
rule = ForwardAuthRule.create!(
|
||||
domain_pattern: app[:domain],
|
||||
active: true,
|
||||
headers_config: app[:headers_config]
|
||||
)
|
||||
app[:groups].each { |group| rule.allowed_groups << group }
|
||||
rule
|
||||
end
|
||||
|
||||
# Add user to required groups
|
||||
@user.groups << @group
|
||||
|
||||
# Sign in once
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
assert_response 302
|
||||
|
||||
# Test access to each application
|
||||
apps.each do |app|
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => app[:domain] }
|
||||
assert_response 200, "Failed for #{app[:domain]}"
|
||||
|
||||
# Verify headers are correct
|
||||
if app[:headers_config][:user].present?
|
||||
assert_equal app[:headers_config][:user],
|
||||
response.headers.keys.find { |k| k.include?("USER") },
|
||||
"Wrong user header for #{app[:domain]}"
|
||||
assert_equal @user.email_address, response.headers[app[:headers_config][:user]]
|
||||
else
|
||||
# Should have no auth headers
|
||||
auth_headers = response.headers.select { |k, v| k.match?(/^(X-|Remote-)/i) }
|
||||
assert_empty auth_headers, "Should have no headers for #{app[:domain]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
test "domain pattern edge cases" do
|
||||
# Test various domain patterns
|
||||
patterns = [
|
||||
{ pattern: "*.example.com", domains: ["app.example.com", "api.example.com", "sub.app.example.com"] },
|
||||
{ pattern: "api.*.com", domains: ["api.example.com", "api.test.com"] },
|
||||
{ pattern: "*.*.example.com", domains: ["app.dev.example.com", "api.staging.example.com"] }
|
||||
]
|
||||
|
||||
patterns.each do |pattern_config|
|
||||
rule = ForwardAuthRule.create!(
|
||||
domain_pattern: pattern_config[:pattern],
|
||||
active: true
|
||||
)
|
||||
|
||||
# Sign in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
|
||||
# Test each domain
|
||||
pattern_config[:domains].each do |domain|
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => domain }
|
||||
assert_response 200, "Failed for pattern #{pattern_config[:pattern]} with domain #{domain}"
|
||||
assert_equal @user.email_address, response.headers["X-Remote-User"]
|
||||
end
|
||||
|
||||
# Clean up for next test
|
||||
delete "/session"
|
||||
end
|
||||
end
|
||||
|
||||
# Performance System Tests
|
||||
test "system performance under load" do
|
||||
# Create test rule
|
||||
rule = ForwardAuthRule.create!(domain_pattern: "loadtest.example.com", active: true)
|
||||
|
||||
# Sign in
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
session_cookie = cookies[:session_id]
|
||||
|
||||
# Performance test
|
||||
start_time = Time.current
|
||||
request_count = 50
|
||||
results = []
|
||||
|
||||
request_count.times do |i|
|
||||
request_start = Time.current
|
||||
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "app#{i}.loadtest.example.com",
|
||||
"Cookie" => "_clinch_session_id=#{session_cookie}"
|
||||
}
|
||||
|
||||
request_end = Time.current
|
||||
|
||||
results << {
|
||||
request_id: i,
|
||||
status: response.status,
|
||||
duration: request_end - request_start
|
||||
}
|
||||
end
|
||||
|
||||
total_time = Time.current - start_time
|
||||
average_duration = results.map { |r| r[:duration] }.sum / request_count
|
||||
|
||||
# Performance assertions
|
||||
assert total_time < 5.0, "Total time #{total_time}s is too slow"
|
||||
assert average_duration < 0.1, "Average request time #{average_duration}s is too slow"
|
||||
assert results.all? { |r| r[:status] == 200 }, "Some requests failed"
|
||||
|
||||
# Calculate requests per second
|
||||
rps = request_count / total_time
|
||||
assert rps > 10, "Requests per second #{rps} is too low"
|
||||
end
|
||||
|
||||
# Error Recovery System Tests
|
||||
test "graceful degradation with database issues" do
|
||||
# Sign in first
|
||||
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
||||
assert_response 302
|
||||
|
||||
# Simulate database connection issue by mocking
|
||||
original_method = Session.method(:find_by)
|
||||
|
||||
# Mock database failure
|
||||
Session.define_singleton_method(:find_by) do |id|
|
||||
raise ActiveRecord::ConnectionNotEstablished, "Database connection lost"
|
||||
end
|
||||
|
||||
begin
|
||||
# Request should handle the error gracefully
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
||||
|
||||
# Should return 302 (redirect to login) rather than 500 error
|
||||
assert_response 302, "Should gracefully handle database issues"
|
||||
assert_equal "Invalid session", response.headers["X-Auth-Reason"]
|
||||
ensure
|
||||
# Restore original method
|
||||
Session.define_singleton_method(:find_by, original_method)
|
||||
end
|
||||
|
||||
# Normal operation should still work
|
||||
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
||||
assert_response 200
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user