tests: Disable cargo compatibility status code enforcement

The middleware has its own unit tests to verify its functionality. Here, we can test what would happen if we toggled the status code enforcement off eventually.

Author: Turbo87

src/tests/krate/publish/auth.rs

@@ -13,7 +13,7 @@ fn new_wrong_token() {
     // Try to publish without a token
     let crate_to_publish = PublishBuilder::new("foo", "1.0.0");
     let response = anon.publish_crate(crate_to_publish);
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
@@ -29,7 +29,7 @@ fn new_wrong_token() {
 
     let crate_to_publish = PublishBuilder::new("foo", "1.0.0");
     let response = token.publish_crate(crate_to_publish);
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })

src/tests/owners.rs

@@ -366,7 +366,7 @@ fn owner_change_via_change_owner_token_with_wrong_crate_scope() {
     let body = json!({ "owners": [user2.gh_login] });
     let body = serde_json::to_vec(&body).unwrap();
     let response = token.put::<()>(&url, body);
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
@@ -388,7 +388,7 @@ fn owner_change_via_publish_token() {
     let body = json!({ "owners": [user2.gh_login] });
     let body = serde_json::to_vec(&body).unwrap();
     let response = token.put::<()>(&url, body);
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
@@ -409,7 +409,7 @@ fn owner_change_without_auth() {
     let body = json!({ "owners": [user2.gh_login] });
     let body = serde_json::to_vec(&body).unwrap();
     let response = anon.put::<()>(&url, body);
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })

src/tests/pagination.rs

@@ -21,7 +21,7 @@ fn pagination_blocks_ip_from_cidr_block_list() {
     });
 
     let response = anon.get_with_query::<()>("/api/v1/crates", "page=2&per_page=1");
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "requested page offset is too large" }] })

src/tests/read_only_mode.rs

@@ -32,7 +32,7 @@ fn cannot_hit_endpoint_which_writes_db_in_read_only_mode() {
     });
 
     let response = token.delete::<()>("/api/v1/crates/foo_yank_read_only/1.0.0/yank");
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::SERVICE_UNAVAILABLE);
     assert_json_snapshot!(response.into_json());
 }
 

src/tests/routes/crates/list.rs

@@ -799,7 +799,7 @@ fn invalid_seek_parameter() {
     let (_app, anon, _cookie) = TestApp::init().with_user();
 
     let response = anon.get::<()>("/api/v1/crates?seek=broken");
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     assert_json_snapshot!(response.into_json());
 }
 
@@ -816,15 +816,15 @@ fn pagination_parameters_only_accept_integers() {
 
     let response =
         anon.get_with_query::<()>("/api/v1/crates", "page=1&per_page=100%22%EF%BC%8Cexception");
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "invalid digit found in string" }] })
     );
 
     let response =
         anon.get_with_query::<()>("/api/v1/crates", "page=100%22%EF%BC%8Cexception&per_page=1");
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     assert_eq!(
         response.into_json(),
         json!({ "errors": [{ "detail": "invalid digit found in string" }] })

src/tests/routes/crates/versions/yank_unyank.rs

@@ -115,14 +115,14 @@ mod auth {
         let (_, client, _) = prepare();
 
         let response = client.yank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
         );
 
         let response = client.unyank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
@@ -182,14 +182,14 @@ mod auth {
             client.db_new_scoped_token("test-token", None, None, Some(expired_at.naive_utc()));
 
         let response = client.yank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
         );
 
         let response = client.unyank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
@@ -222,14 +222,14 @@ mod auth {
         );
 
         let response = client.yank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
         );
 
         let response = client.unyank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
@@ -286,14 +286,14 @@ mod auth {
         );
 
         let response = client.yank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
         );
 
         let response = client.unyank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
@@ -311,14 +311,14 @@ mod auth {
         );
 
         let response = client.yank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
         );
 
         let response = client.unyank(CRATE_NAME, CRATE_VERSION);
-        assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
         assert_eq!(
             response.into_json(),
             json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })

src/tests/server.rs

@@ -11,15 +11,15 @@ fn user_agent_is_required() {
 
     let req = Request::get("/api/v1/crates").body("").unwrap();
     let resp = anon.run::<()>(req);
-    assert_eq!(resp.status(), StatusCode::OK);
+    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
     assert_json_snapshot!(resp.into_json());
 
     let req = Request::get("/api/v1/crates")
         .header(header::USER_AGENT, "")
         .body("")
         .unwrap();
     let resp = anon.run::<()>(req);
-    assert_eq!(resp.status(), StatusCode::OK);
+    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
     assert_json_snapshot!(resp.into_json());
 }
 
@@ -101,6 +101,6 @@ fn block_traffic_via_ip() {
         .empty();
 
     let resp = anon.get::<()>("/api/v1/crates");
-    assert_eq!(resp.status(), StatusCode::OK);
+    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
     assert_json_snapshot!(resp.into_json());
 }

src/tests/util/response.rs

@@ -75,7 +75,7 @@ impl<T> Response<T> {
             detail: String,
         }
 
-        assert_eq!(self.status(), StatusCode::OK);
+        assert_eq!(self.status(), StatusCode::TOO_MANY_REQUESTS);
 
         let expected_message_start = format!("{}. Please try again after ", action.error_message());
         let error: ErrorResponse = json(self.response);

src/tests/util/test_app.rs

@@ -427,7 +427,11 @@ fn simple_config() -> config::Server {
         version_id_cache_ttl: Duration::from_secs(5 * 60),
         cdn_user_agent: "Amazon CloudFront".to_string(),
         balance_capacity,
-        use_cargo_compat_status_codes: true,
+
+        // The middleware has its own unit tests to verify its functionality.
+        // Here, we can test what would happen if we toggled the status code
+        // enforcement off eventually.
+        use_cargo_compat_status_codes: false,
 
         // The frontend code is not needed for the backend tests.
         serve_dist: false,