Prevent CSRF bypass with login form
index 4d9372148f270cd447df619f1c438f2f4335b238..da36be28b7f10bff08912e68b2252e740747a82f 100644 (file)
@@ -1,21 +1,33 @@
-require "coveralls"
-Coveralls.wear!("rails")
-
-# Override the simplecov output message, since it is mostly unwanted noise
-module SimpleCov
-  module Formatter
-    class HTMLFormatter
-      def output_message(_result); end
+require "simplecov"
+require "simplecov-lcov"
+
+# Fix incompatibility of simplecov-lcov with older versions of simplecov that are not expresses in its gemspec.
+# https://github.com/fortissimo1997/simplecov-lcov/pull/25
+unless SimpleCov.respond_to?(:branch_coverage)
+  module SimpleCov
+    def self.branch_coverage?
+      false
     end
   end
 end
 
-# Output both the local simplecov html and the coveralls report
-SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter.new(
-  [SimpleCov::Formatter::HTMLFormatter,
-   Coveralls::SimpleCov::Formatter]
+SimpleCov::Formatter::LcovFormatter.config do |config|
+  config.report_with_single_file = true
+  config.single_report_path = "coverage/lcov.info"
+end
+
+SimpleCov.formatters = SimpleCov::Formatter::MultiFormatter.new(
+  [
+    SimpleCov::Formatter::HTMLFormatter,
+    SimpleCov::Formatter::LcovFormatter
+  ]
 )
 
+SimpleCov.start("rails")
+
+require "securerandom"
+require "digest/sha1"
+
 ENV["RAILS_ENV"] = "test"
 require_relative "../config/environment"
 require "rails/test_help"
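Review bot: The compatibility guard `unless SimpleCov.respond_to?(:branch_coverage)` tests for a different name than the method it then defines, `branch_coverage?`. If SimpleCov only exposes the predicate form, the check is always false and the shim is installed even on versions that already provide `branch_coverage?`, silently overriding it to return `false` and disabling branch coverage in the lcov output; the guard should read `unless SimpleCov.respond_to?(:branch_coverage?)`. The comment above it also has a typo ("expresses" should be "expressed").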
@@ -28,6 +40,17 @@ module ActiveSupport
     include FactoryBot::Syntax::Methods
     include ActiveJob::TestHelper
 
+    # Run tests in parallel with specified workers
+    parallelize(:workers => :number_of_processors)
+
+    parallelize_setup do |worker|
+      SimpleCov.command_name "#{SimpleCov.command_name}-#{worker}"
+    end
+
+    parallelize_teardown do
+      SimpleCov.result
+    end
+
     ##
     # takes a block which is executed in the context of a different
     # ActionController instance. this is used so that code can call methods
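Review bot: The `parallelize_teardown do SimpleCov.result end` block has no comment and reads like a no-op, since the return value is discarded. Presumably it forces each worker to write its own result file under the per-worker command name set in `parallelize_setup` so the parent process can merge them; I'd add `# Force this worker to write its coverage result so the parent process can merge per-worker reports` above the call, and confirm that is the intent before relying on it.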
@@ -110,15 +133,58 @@ module ActiveSupport
     end
 
     ##
-    # set request headers for HTTP basic authentication
-    def basic_authorization(user, pass)
-      @request.env["HTTP_AUTHORIZATION"] = format("Basic %{auth}", :auth => Base64.encode64("#{user}:#{pass}"))
+    # return request header for HTTP Basic Authorization
+    def basic_authorization_header(user, pass)
+      { "Authorization" => format("Basic %<auth>s", :auth => Base64.encode64("#{user}:#{pass}")) }
     end
 
     ##
-    # set request readers to ask for a particular error format
-    def error_format(format)
-      @request.env["HTTP_X_ERROR_FORMAT"] = format
+    # make an OAuth signed request
+    def signed_request(method, uri, options = {})
+      uri = URI.parse(uri)
+      uri.scheme ||= "http"
+      uri.host ||= "www.example.com"
+
+      oauth = options.delete(:oauth)
+      params = options.fetch(:params, {}).transform_keys(&:to_s)
+
+      oauth[:consumer] ||= oauth[:token].client_application
+
+      helper = OAuth::Client::Helper.new(nil, oauth)
+
+      request = OAuth::RequestProxy.proxy(
+        "method" => method.to_s.upcase,
+        "uri" => uri,
+        "parameters" => params.merge(helper.oauth_parameters)
+      )
+
+      request.sign!(oauth)
+
+      method(method).call(request.signed_uri, options)
+    end
+
+    ##
+    # make an OAuth signed GET request
+    def signed_get(uri, options = {})
+      signed_request(:get, uri, options)
+    end
+
+    ##
+    # make an OAuth signed POST request
+    def signed_post(uri, options = {})
+      signed_request(:post, uri, options)
+    end
+
+    ##
+    # return request header for HTTP Accept
+    def accept_format_header(format)
+      { "Accept" => format }
+    end
+
+    ##
+    # return request header to ask for a particular error format
+    def error_format_header(f)
+      { "X-Error-Format" => f }
     end
 
     ##
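Review bot: `basic_authorization_header` builds the header value with `Base64.encode64`, which appends a trailing newline and inserts one every 60 output characters, so the Authorization value always ends in "\n" and a `user:pass` string longer than 45 bytes gets a line break inside the credential; `Base64.strict_encode64("#{user}:#{pass}")` yields the single-line token the Basic scheme expects. The removed `basic_authorization` had the same quirk, but the helper is being rewritten anyway, so this is the moment to fix it. In `signed_request`, `options` is forwarded to `get`/`post` with its `:params` entry still present after those same parameters were folded into `request.signed_uri`; if the underlying request helper appends `:params` to the query string again, a signed GET would send every parameter twice, which is worth checking against a test that passes `:params`.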
@@ -126,7 +192,7 @@ module ActiveSupport
     # when the owner of the changset has their data not marked as public
     def assert_require_public_data(msg = "Shouldn't be able to use API when the user's data is not public")
       assert_response :forbidden, msg
-      assert_equal @response.headers["Error"], "You must make your edits public to upload new data", "Wrong error message"
+      assert_equal("You must make your edits public to upload new data", @response.headers["Error"], "Wrong error message")
     end
 
     ##
@@ -159,12 +225,6 @@ module ActiveSupport
       stub_request(:get, url).and_return(:status => status, :body => body)
     end
 
-    def stub_hostip_requests
-      # Controller tests and integration tests use different IPs
-      stub_request(:get, "https://api.hostip.info/country.php?ip=0.0.0.0")
-      stub_request(:get, "https://api.hostip.info/country.php?ip=127.0.0.1")
-    end
-
     def email_text_parts(message)
       message.parts.each_with_object([]) do |part, text_parts|
         if part.content_type.start_with?("text/")
@@ -176,13 +236,18 @@ module ActiveSupport
     end
 
     def sign_in_as(user)
-      stub_hostip_requests
       visit login_path
       fill_in "username", :with => user.email
       fill_in "password", :with => "test"
       click_on "Login", :match => :first
     end
 
+    def session_for(user)
+      get login_path
+      post login_path, :params => { :username => user.display_name, :password => "test" }
+      follow_redirect!
+    end
+
     def xml_for_node(node)
       doc = OSM::API.new.get_xml_doc
       doc.root << xml_node_for_node(node)
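Review bot: `session_for` posts `user.display_name` as the username while `sign_in_as` a few lines above fills the same form with `user.email`; if both are meant to work, the helpers should at least be consistent or say why they differ. The leading `get login_path` is also unexplained, and a reader is likely to delete it as redundant; given the commit title it presumably exists so the session (and any CSRF token the login form carries) is established before credentials are posted, so I'd add `# GET the form first so the session/CSRF token exists before posting credentials` above it. The POST sends no `authenticity_token`, so the helper can only succeed if forgery protection is disabled in the test environment, which deserves a one-line comment as well.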