var sinon = require('sinon');
var Promise = require('bluebird');
var assert = require('assert');
var winston = require('winston');
var first_factor = require('../../../src/lib/routes/first_factor');
var exceptions = require('../../../src/lib/exceptions');
var Ldap = require('../../../src/lib/ldap');
var AccessControl = require('../../../src/lib/access_control');
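describe('test the first factor validation route', function() {
  // Fixtures are rebuilt in beforeEach so that stub state (recorded calls,
  // configured return values) never leaks from one test into the next.
  var req, res;
  var ldap_interface_mock;
  var emails;
  var groups;
  var regulator;
  var access_control;
  var config;

  /**
   * Build a replacement for res.send that runs `assertions` once the route
   * has responded.
   *
   * The route calls res.send from inside its own promise chain, so an
   * assertion that throws there is caught by the route rather than by
   * mocha: the test would then hang until the timeout instead of reporting
   * which assertion failed. Failures are therefore routed through `fail`
   * (a promise `reject` or mocha's `done`) and `succeed` is only called
   * when every assertion passed.
   *
   * @param {function(*): void} assertions - receives the payload passed to res.send
   * @param {function(): void} succeed - invoked when all assertions pass
   * @param {function(Error): void} fail - invoked with the assertion error
   * @returns {sinon.SinonSpy} spy suitable for assigning to res.send
   */
  function send_spy(assertions, succeed, fail) {
    return sinon.spy(function(data) {
      try {
        assertions(data);
      } catch (err) {
        fail(err);
        return;
      }
      succeed();
    });
  }

  beforeEach(function() {
    ldap_interface_mock = sinon.createStubInstance(Ldap);
    config = {
      ldap: {
        base_dn: 'ou=users,dc=example,dc=com',
        user_name_attribute: 'uid'
      }
    };

    emails = [ 'test_ok@example.com' ];
    groups = [ 'group1', 'group2' ];

    // Authentication regulator: by default it records nothing and lets
    // every attempt through. Individual tests override `regulate` to
    // simulate a throttled user.
    regulator = {};
    regulator.mark = sinon.stub();
    regulator.regulate = sinon.stub();
    regulator.mark.returns(Promise.resolve());
    regulator.regulate.returns(Promise.resolve());

    access_control = {
      builder: {
        get_allowed_domains: sinon.stub(),
        get_any_domain: sinon.stub(),
      },
      matcher: {
        is_domain_allowed: sinon.stub()
      }
    };

    // req.app.get(name) is how the route resolves its collaborators.
    var app_get = sinon.stub();
    app_get.withArgs('ldap').returns(ldap_interface_mock);
    app_get.withArgs('config').returns(config);
    app_get.withArgs('logger').returns(winston);
    app_get.withArgs('authentication regulator').returns(regulator);
    app_get.withArgs('access control').returns(access_control);

    req = {
      app: {
        get: app_get
      },
      body: {
        username: 'username',
        password: 'password'
      },
      session: {
        auth_session: {
          first_factor: false,
          second_factor: false
        }
      }
    };
    res = {
      send: sinon.spy(),
      status: sinon.spy()
    };
  });

  it('should return status code 204 when LDAP binding succeeds', function() {
    return new Promise(function(resolve, reject) {
      res.send = send_spy(function() {
        // A successful bind records the authenticated user in the session.
        assert.equal('username', req.session.auth_session.userid);
        assert.equal(204, res.status.getCall(0).args[0]);
      }, resolve, reject);
      ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
      first_factor(req, res);
    });
  });

  describe('store the ACL matcher in the auth session', function() {
    it('should store the allowed domains in the auth session', function() {
      config.access_control = {};
      access_control.builder.get_allowed_domains.returns(['example.com', 'test.example.com']);
      return new Promise(function(resolve, reject) {
        res.send = send_spy(function() {
          // The domains the user may reach are pinned in the session at
          // first-factor time, so later requests do not recompute them.
          assert.deepEqual(['example.com', 'test.example.com'],
                           req.session.auth_session.allowed_domains);
          assert.equal(204, res.status.getCall(0).args[0]);
        }, resolve, reject);
        ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
        ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
        ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
        first_factor(req, res);
      });
    });

    it('should store the allow all ACL matcher in the auth session', function() {
      // No config.access_control here: the route is expected to fall back
      // to the "any domain" builder.
      access_control.builder.get_any_domain.returns(['*']);
      return new Promise(function(resolve, reject) {
        res.send = send_spy(function() {
          assert(req.session.auth_session.allowed_domains);
          assert.equal(204, res.status.getCall(0).args[0]);
        }, resolve, reject);
        ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
        ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
        ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
        first_factor(req, res);
      });
    });
  });

  it('should retrieve email from LDAP', function(done) {
    res.send = send_spy(function() {
      // The route must look the user's email up through the LDAP interface.
      assert(ldap_interface_mock.get_emails.called);
    }, done, done);
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
    first_factor(req, res);
  });

  it('should set email as session variables', function() {
    return new Promise(function(resolve, reject) {
      res.send = send_spy(function() {
        assert.equal('test_ok@example.com', req.session.auth_session.email);
      }, resolve, reject);
      ldap_interface_mock.bind.returns(Promise.resolve());
      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
      first_factor(req, res);
    });
  });

  it('should return status code 401 when LDAP binding throws', function(done) {
    res.send = send_spy(function() {
      assert.equal(401, res.status.getCall(0).args[0]);
      // The failed attempt is reported to the regulator under the attempted
      // username, which is what lets repeated failures be throttled.
      assert.equal(regulator.mark.getCall(0).args[0], 'username');
    }, done, done);
    ldap_interface_mock.bind.throws(new exceptions.LdapBindError('Bad credentials'));
    first_factor(req, res);
  });

  it('should return status code 500 when LDAP search throws', function(done) {
    res.send = send_spy(function() {
      // A directory error after a successful bind is a server-side failure,
      // not a credential failure, hence 500 rather than 401.
      assert.equal(500, res.status.getCall(0).args[0]);
    }, done, done);
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails.throws(new exceptions.LdapSearchError('err'));
    first_factor(req, res);
  });

  it('should return status code 403 when regulator rejects authentication', function(done) {
    // The regulator refuses the attempt before credentials are checked.
    var err = new exceptions.AuthenticationRegulationError();
    regulator.regulate.returns(Promise.reject(err));
    res.send = send_spy(function() {
      assert.equal(403, res.status.getCall(0).args[0]);
    }, done, done);
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails.returns(Promise.resolve());
    first_factor(req, res);
  });
});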