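# frozen_string_literal: true

require 'json'
require 'msf/core/mcp'
require 'webmock/rspec'

# Integration coverage for the JSON-RPC client's authentication behaviour:
# the bearer token must travel in the Authorization header of every request,
# and the client must hold no per-session state beyond that token.
RSpec.describe 'JSON-RPC Authentication Flow Integration' do
  # Block every real HTTP connection (including localhost) for this group so a
  # misconfigured client can never reach a live endpoint. The WebMock settings
  # in force before the group are captured and restored afterwards; the
  # previous `WebMock.allow_net_connect!` unconditionally re-enabled real
  # connections for every spec that ran later in the same process.
  before(:all) do
    config = WebMock::Config.instance
    @saved_net_connect = [config.allow_net_connect, config.allow_localhost, config.allow]
    WebMock.disable_net_connect!(allow_localhost: false)
  end

  after(:all) do
    config = WebMock::Config.instance
    config.allow_net_connect, config.allow_localhost, config.allow = @saved_net_connect
  end

  let(:host) { 'localhost' }
  let(:port) { 8081 }
  let(:endpoint) { '/api/v1/json-rpc' }
  let(:token) { 'test_bearer_token_12345' }
  let(:jsonrpc_url) { "https://#{host}:#{port}#{endpoint}" }

  describe 'Bearer Token Authentication' do
    it 'uses bearer token in HTTP headers' do
      # The stub only matches a POST carrying this exact Authorization header,
      # so a request that omits or mangles the bearer token is never satisfied
      # and the `have_been_requested` expectation below fails.
      stub = stub_request(:post, jsonrpc_url)
        .with(
          headers: {
            'Authorization' => "Bearer #{token}",
            'Content-Type' => 'application/json'
          }
        )
        .to_return(
          status: 200,
          body: { jsonrpc: '2.0', result: { modules: [] }, id: 1 }.to_json,
          headers: { 'Content-Type' => 'application/json' }
        )

      client = Msf::MCP::Metasploit::JsonRpcClient.new(
        host: host,
        port: port,
        endpoint: endpoint,
        token: token
      )

      client.call_api('module.search', ['smb'])

      # Exactly one request, with the correct Authorization header, reached the stub.
      expect(stub).to have_been_requested.once
    end

    it 'follows stateless request pattern (no session management)' do
      client = Msf::MCP::Metasploit::JsonRpcClient.new(
        host: host,
        port: port,
        endpoint: endpoint,
        token: token
      )

      # No session identifiers are kept on the client, only the bearer token.
      expect(client).not_to be_instance_variable_defined(:@session_id)
      expect(client).not_to be_instance_variable_defined(:@session_token)

      # The token itself is retained for subsequent requests.
      expect(client.instance_variable_get(:@token)).to eq(token)

      # Catch-all: nothing resembling session state under any other name.
      expect(client.instance_variables.grep(/@session/)).to be_empty
    end
  end
end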