GitHub Repository: rapid7/metasploit-framework
Path: blob/master/spec/api/metasploit_api_app_spec.rb
require 'spec_helper'
require 'rack/test'
# Request-level specs for the Metasploit web-service API Rack app, driven
# through Rack::Test. Every example issues an unauthenticated GET against the
# hosts endpoint and inspects the resulting response.
RSpec.describe Msf::WebServices::MetasploitApiApp do
  include Rack::Test::Methods
  include_context 'Msf::DBManager'

  # Rack::Test sends its requests to whatever `app` returns.
  let(:app) { described_class.new }

  # The single endpoint exercised by all examples in this file.
  let(:hosts_endpoint) { '/api/v1/hosts' }

  # Every request in this file is sent with a JSON Content-Type header.
  before do
    header 'Content-Type', 'application/json'
  end

  describe 'host authorization' do
    # Guards against the request being refused with a 403 "Host not permitted"
    # response before it reaches the API.
    # NOTE(review): only the Host header Rack::Test sends by default is covered
    # here; nothing in this file shows how a Host value outside the intended
    # set is treated. If the service is expected to enforce a host allowlist,
    # that policy needs its own example. Confirm the intended behaviour.
    it 'does not reject requests with a 403 Host not permitted error' do
      get hosts_endpoint

      response = last_response
      expect(response.status).not_to eq(403)
      expect(response.body).not_to include('Host not permitted')
    end
  end

  describe 'authentication' do
    # No credentials are attached to the request.
    # NOTE(review): `not_to eq(200)` is also satisfied by a 404 or a 5xx, so
    # this example cannot tell "rejected as unauthenticated" apart from
    # "request failed for another reason". Pinning the exact rejection status
    # would make it a stronger access-control check. Confirm the status the
    # app is expected to return.
    it 'does not return 200 for unauthenticated requests to protected endpoints' do
      get hosts_endpoint

      status_code = last_response.status
      expect(status_code).not_to eq(200)
    end

    # The body returned for the unauthenticated request must parse as JSON.
    it 'returns a JSON response body' do
      get hosts_endpoint

      expect { JSON.parse(last_response.body) }.not_to raise_error
    end
  end

  describe 'response headers' do
    # Each header name in the response must already equal its lowercase form.
    it 'uses lowercase header keys' do
      get hosts_endpoint

      header_names = last_response.headers.keys
      header_names.each do |name|
        expect(name).to eq(name.downcase), "Expected header '#{name}' to be lowercase"
      end
    end
  end
end