2017-05-21 17:27:12 +07:00
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
import Assert = require("assert");
|
2017-10-07 05:09:42 +07:00
|
|
|
import VerifyGet = require("../../../src/lib/routes/verify/get");
|
|
|
|
import AuthenticationSession = require("../../../src/lib/AuthenticationSession");
|
2017-05-25 20:09:29 +07:00
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
import Sinon = require("sinon");
|
2017-05-21 17:27:12 +07:00
|
|
|
import winston = require("winston");
|
2017-05-25 20:09:29 +07:00
|
|
|
import BluebirdPromise = require("bluebird");
|
2017-05-21 17:27:12 +07:00
|
|
|
|
|
|
|
import express = require("express");
|
|
|
|
|
2017-05-25 20:09:29 +07:00
|
|
|
import ExpressMock = require("../../mocks/express");
|
2017-09-03 20:22:09 +07:00
|
|
|
import { AccessControllerStub } from "../../mocks/AccessControllerStub";
|
2017-05-25 20:09:29 +07:00
|
|
|
import ServerVariablesMock = require("../../mocks/ServerVariablesMock");
|
2017-05-21 17:27:12 +07:00
|
|
|
|
|
|
|
describe("test authentication token verification", function () {
|
|
|
|
let req: ExpressMock.RequestMock;
|
|
|
|
let res: ExpressMock.ResponseMock;
|
2017-09-03 20:22:09 +07:00
|
|
|
let accessController: AccessControllerStub;
|
2017-05-21 17:27:12 +07:00
|
|
|
|
|
|
|
beforeEach(function () {
|
2017-09-03 20:22:09 +07:00
|
|
|
accessController = new AccessControllerStub();
|
|
|
|
accessController.isAccessAllowedMock.returns(true);
|
2017-05-21 17:27:12 +07:00
|
|
|
|
|
|
|
req = ExpressMock.RequestMock();
|
|
|
|
res = ExpressMock.ResponseMock();
|
2017-09-25 04:19:03 +07:00
|
|
|
req.session = {};
|
|
|
|
req.query = {
|
|
|
|
redirect: "http://redirect.url"
|
|
|
|
};
|
2017-09-22 03:07:34 +07:00
|
|
|
req.app = {
|
2017-09-25 04:19:03 +07:00
|
|
|
get: Sinon.stub().returns({ logger: winston })
|
2017-09-22 03:07:34 +07:00
|
|
|
};
|
2017-08-03 05:30:41 +07:00
|
|
|
AuthenticationSession.reset(req as any);
|
2017-05-21 17:27:12 +07:00
|
|
|
req.headers = {};
|
|
|
|
req.headers.host = "secret.example.com";
|
2017-05-25 20:09:29 +07:00
|
|
|
const mocks = ServerVariablesMock.mock(req.app);
|
2017-07-16 22:37:13 +07:00
|
|
|
mocks.config = {} as any;
|
2017-05-25 20:09:29 +07:00
|
|
|
mocks.logger = winston;
|
2017-07-16 22:37:13 +07:00
|
|
|
mocks.accessController = accessController as any;
|
2017-05-21 17:27:12 +07:00
|
|
|
});
|
|
|
|
|
2017-08-03 05:30:41 +07:00
|
|
|
it("should be already authenticated", function () {
|
2017-05-21 17:27:12 +07:00
|
|
|
req.session = {};
|
2017-05-25 20:09:29 +07:00
|
|
|
AuthenticationSession.reset(req as any);
|
2017-09-22 03:07:34 +07:00
|
|
|
return AuthenticationSession.get(req as any)
|
|
|
|
.then(function (authSession: AuthenticationSession.AuthenticationSession) {
|
|
|
|
authSession.first_factor = true;
|
|
|
|
authSession.second_factor = true;
|
|
|
|
authSession.userid = "myuser";
|
2017-09-23 02:18:38 +07:00
|
|
|
authSession.groups = ["mygroup", "othergroup"];
|
2017-09-22 03:07:34 +07:00
|
|
|
return VerifyGet.default(req as express.Request, res as any);
|
|
|
|
})
|
2017-08-03 05:30:41 +07:00
|
|
|
.then(function () {
|
2017-09-25 04:19:03 +07:00
|
|
|
Sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "myuser");
|
|
|
|
Sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");
|
|
|
|
Assert.equal(204, res.status.getCall(0).args[0]);
|
2017-08-03 05:30:41 +07:00
|
|
|
});
|
2017-05-21 17:27:12 +07:00
|
|
|
});
|
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
function test_session(_authSession: AuthenticationSession.AuthenticationSession, status_code: number) {
|
|
|
|
return AuthenticationSession.get(req as any)
|
|
|
|
.then(function (authSession) {
|
|
|
|
authSession = _authSession;
|
|
|
|
return VerifyGet.default(req as express.Request, res as any);
|
|
|
|
})
|
|
|
|
.then(function () {
|
|
|
|
Assert.equal(status_code, res.status.getCall(0).args[0]);
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
function test_non_authenticated_401(auth_session: AuthenticationSession.AuthenticationSession) {
|
|
|
|
return test_session(auth_session, 401);
|
|
|
|
}
|
|
|
|
|
|
|
|
function test_unauthorized_403(auth_session: AuthenticationSession.AuthenticationSession) {
|
|
|
|
return test_session(auth_session, 403);
|
|
|
|
}
|
|
|
|
|
|
|
|
function test_authorized(auth_session: AuthenticationSession.AuthenticationSession) {
|
|
|
|
return test_session(auth_session, 204);
|
|
|
|
}
|
|
|
|
|
|
|
|
describe("given user tries to access a 2-factor endpoint", function () {
|
|
|
|
describe("given different cases of session", function () {
|
|
|
|
it("should not be authenticated when second factor is missing", function () {
|
|
|
|
return test_non_authenticated_401({
|
|
|
|
userid: "user",
|
|
|
|
first_factor: true,
|
|
|
|
second_factor: false,
|
|
|
|
email: undefined,
|
|
|
|
groups: [],
|
2017-05-21 17:27:12 +07:00
|
|
|
});
|
|
|
|
});
|
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
it("should not be authenticated when first factor is missing", function () {
|
|
|
|
return test_non_authenticated_401({
|
|
|
|
userid: "user",
|
|
|
|
first_factor: false,
|
|
|
|
second_factor: true,
|
|
|
|
email: undefined,
|
|
|
|
groups: [],
|
|
|
|
});
|
2017-05-25 20:09:29 +07:00
|
|
|
});
|
2017-05-21 17:27:12 +07:00
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
it("should not be authenticated when userid is missing", function () {
|
|
|
|
return test_non_authenticated_401({
|
|
|
|
userid: undefined,
|
|
|
|
first_factor: true,
|
|
|
|
second_factor: false,
|
|
|
|
email: undefined,
|
|
|
|
groups: [],
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it("should not be authenticated when first and second factor are missing", function () {
|
|
|
|
return test_non_authenticated_401({
|
|
|
|
userid: "user",
|
|
|
|
first_factor: false,
|
|
|
|
second_factor: false,
|
|
|
|
email: undefined,
|
|
|
|
groups: [],
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it("should not be authenticated when session has not be initiated", function () {
|
|
|
|
return test_non_authenticated_401(undefined);
|
2017-05-21 17:27:12 +07:00
|
|
|
});
|
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
it("should not be authenticated when domain is not allowed for user", function () {
|
|
|
|
return AuthenticationSession.get(req as any)
|
|
|
|
.then(function (authSession: AuthenticationSession.AuthenticationSession) {
|
|
|
|
authSession.first_factor = true;
|
|
|
|
authSession.second_factor = true;
|
|
|
|
authSession.userid = "myuser";
|
|
|
|
|
|
|
|
req.headers.host = "test.example.com";
|
|
|
|
|
|
|
|
accessController.isAccessAllowedMock.returns(false);
|
|
|
|
accessController.isAccessAllowedMock.withArgs("test.example.com", "user", ["group1", "group2"]).returns(true);
|
|
|
|
|
|
|
|
return test_unauthorized_403({
|
|
|
|
first_factor: true,
|
|
|
|
second_factor: true,
|
|
|
|
userid: "user",
|
|
|
|
groups: ["group1", "group2"],
|
|
|
|
email: undefined
|
|
|
|
});
|
|
|
|
});
|
2017-08-03 05:30:41 +07:00
|
|
|
});
|
2017-05-21 17:27:12 +07:00
|
|
|
});
|
2017-09-25 04:19:03 +07:00
|
|
|
});
|
2017-05-21 17:27:12 +07:00
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
describe("given user tries to access a basic auth endpoint", function () {
|
|
|
|
beforeEach(function () {
|
|
|
|
req.query = {
|
|
|
|
redirect: "http://redirect.url",
|
|
|
|
only_basic_auth: "true"
|
|
|
|
};
|
2017-05-21 17:27:12 +07:00
|
|
|
});
|
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
it("should be authenticated when first factor is validated and not second factor", function () {
|
2017-09-22 03:07:34 +07:00
|
|
|
return AuthenticationSession.get(req as any)
|
|
|
|
.then(function (authSession: AuthenticationSession.AuthenticationSession) {
|
|
|
|
authSession.first_factor = true;
|
2017-09-25 04:19:03 +07:00
|
|
|
return VerifyGet.default(req as express.Request, res as any);
|
|
|
|
})
|
|
|
|
.then(function () {
|
|
|
|
Assert(res.status.calledWith(204));
|
|
|
|
Assert(res.send.calledOnce);
|
|
|
|
});
|
|
|
|
});
|
2017-09-22 03:07:34 +07:00
|
|
|
|
2017-09-25 04:19:03 +07:00
|
|
|
it("should be rejected with 401 when first factor is not validated", function () {
|
|
|
|
return AuthenticationSession.get(req as any)
|
|
|
|
.then(function (authSession: AuthenticationSession.AuthenticationSession) {
|
|
|
|
authSession.first_factor = false;
|
|
|
|
return VerifyGet.default(req as express.Request, res as any);
|
|
|
|
})
|
|
|
|
.then(function () {
|
|
|
|
Assert(res.status.calledWith(401));
|
2017-09-22 03:07:34 +07:00
|
|
|
});
|
2017-05-22 04:32:09 +07:00
|
|
|
});
|
2017-05-21 17:27:12 +07:00
|
|
|
});
|
|
|
|
});
|
|
|
|
|