mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the service must not be protected by 2 factors. The Remote-User and Remote-Groups are forwarded from Authelia like any browser authentication.
This commit is contained in:
parent
e3e1235755
commit
009e7c2b78
20
README.md
20
README.md
|
@ -22,7 +22,7 @@ used in production to secure internal services in a small docker swarm cluster.
|
||||||
3. [Second factor with U2F security keys](#second-factor-with-u2f-security-keys)
|
3. [Second factor with U2F security keys](#second-factor-with-u2f-security-keys)
|
||||||
4. [Password reset](#password-reset)
|
4. [Password reset](#password-reset)
|
||||||
5. [Access control](#access-control)
|
5. [Access control](#access-control)
|
||||||
6. [Basic authentication](#basic-authentication)
|
6. [Single factor authentication](#single-factor-authentication)
|
||||||
7. [Session management with Redis](#session-management-with-redis)
|
7. [Session management with Redis](#session-management-with-redis)
|
||||||
4. [Security](#security)
|
4. [Security](#security)
|
||||||
5. [Documentation](#documentation)
|
5. [Documentation](#documentation)
|
||||||
|
@ -37,12 +37,12 @@ used in production to secure internal services in a small docker swarm cluster.
|
||||||
* Two-factor authentication using either
|
* Two-factor authentication using either
|
||||||
**[TOTP] - Time-Base One Time password -** or **[U2F] - Universal 2-Factor -**
|
**[TOTP] - Time-Base One Time password -** or **[U2F] - Universal 2-Factor -**
|
||||||
as 2nd factor.
|
as 2nd factor.
|
||||||
* Password reset with identity verification by sending links to user email
|
* Password reset with identity verification using email.
|
||||||
address.
|
* Single and two factors authentication methods available.
|
||||||
* Two-factor and basic authentication methods available.
|
|
||||||
* Access restriction after too many authentication attempts.
|
* Access restriction after too many authentication attempts.
|
||||||
* Session management using Redis key/value store.
|
|
||||||
* User-defined access control per subdomain and resource.
|
* User-defined access control per subdomain and resource.
|
||||||
|
* Support of [basic authentication] for endpoints protected by single factor.
|
||||||
|
* High-availability using a highly-available distributed database and KV store.
|
||||||
|
|
||||||
## Deployment
|
## Deployment
|
||||||
|
|
||||||
|
@ -190,11 +190,14 @@ user access to some resources and subdomains. Those rules are defined and fully
|
||||||
in the configuration file. They can apply to users, groups or everyone.
|
in the configuration file. They can apply to users, groups or everyone.
|
||||||
Check out [config.template.yml] to see how they are defined.
|
Check out [config.template.yml] to see how they are defined.
|
||||||
|
|
||||||
### Basic Authentication
|
### Single factor authentication
|
||||||
Authelia allows you to customize the authentication method to use for each sub-domain.
|
Authelia allows you to customize the authentication method to use for each
|
||||||
The supported methods are either "single_factor" and "two_factor".
|
sub-domain.The supported methods are either "single_factor" or "two_factor".
|
||||||
Please see [config.template.yml] to see an example of configuration.
|
Please see [config.template.yml] to see an example of configuration.
|
||||||
|
|
||||||
|
It is also possible to use [basic authentication] to access a resource
|
||||||
|
protected by a single factor.
|
||||||
|
|
||||||
### Session management with Redis
|
### Session management with Redis
|
||||||
When your users authenticate against Authelia, sessions are stored in a Redis key/value store. You can specify your own Redis instance in [config.template.yml].
|
When your users authenticate against Authelia, sessions are stored in a Redis key/value store. You can specify your own Redis instance in [config.template.yml].
|
||||||
|
|
||||||
|
@ -293,3 +296,4 @@ Follow [contributing](CONTRIBUTORS.md) file.
|
||||||
[Google Authenticator]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
|
[Google Authenticator]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
|
||||||
[config.template.yml]: https://github.com/clems4ever/authelia/blob/master/config.template.yml
|
[config.template.yml]: https://github.com/clems4ever/authelia/blob/master/config.template.yml
|
||||||
[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||||
|
[basic authentication]: https://en.wikipedia.org/wiki/Basic_access_authentication
|
||||||
|
|
|
@ -119,7 +119,7 @@ http {
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://auth.test.local:8080/error/403;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
@ -262,6 +262,7 @@ http {
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
proxy_set_header Proxy-Authorization $http_authorization;
|
||||||
|
|
||||||
proxy_pass http://authelia/api/verify;
|
proxy_pass http://authelia/api/verify;
|
||||||
}
|
}
|
||||||
|
@ -280,6 +281,23 @@ http {
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://auth.test.local:8080/error/403;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
location /headers {
|
||||||
|
auth_request /auth_verify;
|
||||||
|
|
||||||
|
auth_request_set $redirect $upstream_http_redirect;
|
||||||
|
|
||||||
|
auth_request_set $user $upstream_http_remote_user;
|
||||||
|
proxy_set_header Custom-Forwarded-User $user;
|
||||||
|
|
||||||
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
|
proxy_set_header Custom-Forwarded-Groups $groups;
|
||||||
|
|
||||||
|
proxy_pass http://httpbin:8000/headers;
|
||||||
|
|
||||||
|
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||||
|
error_page 403 = https://auth.test.local:8080/error/403;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
22
server/src/lib/routes/verify/access_control.ts
Normal file
22
server/src/lib/routes/verify/access_control.ts
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
import Express = require("express");
|
||||||
|
import BluebirdPromise = require("bluebird");
|
||||||
|
import Util = require("util");
|
||||||
|
|
||||||
|
import { ServerVariables } from "../../ServerVariables";
|
||||||
|
import Exceptions = require("../../Exceptions");
|
||||||
|
|
||||||
|
export default function (req: Express.Request, vars: ServerVariables,
|
||||||
|
domain: string, path: string, username: string, groups: string[]) {
|
||||||
|
|
||||||
|
return new BluebirdPromise(function (resolve, reject) {
|
||||||
|
const isAllowed = vars.accessController
|
||||||
|
.isAccessAllowed(domain, path, username, groups);
|
||||||
|
|
||||||
|
if (!isAllowed) {
|
||||||
|
reject(new Exceptions.DomainAccessDenied(Util.format(
|
||||||
|
"User '%s' does not have access to '%s'", username, domain)));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
resolve();
|
||||||
|
});
|
||||||
|
}
|
|
@ -1,118 +1,69 @@
|
||||||
|
|
||||||
import objectPath = require("object-path");
|
|
||||||
import BluebirdPromise = require("bluebird");
|
import BluebirdPromise = require("bluebird");
|
||||||
import express = require("express");
|
import Express = require("express");
|
||||||
import exceptions = require("../../Exceptions");
|
import Exceptions = require("../../Exceptions");
|
||||||
import winston = require("winston");
|
|
||||||
import ErrorReplies = require("../../ErrorReplies");
|
import ErrorReplies = require("../../ErrorReplies");
|
||||||
import { AppConfiguration } from "../../configuration/Configuration";
|
|
||||||
import { AuthenticationSessionHandler } from "../../AuthenticationSessionHandler";
|
|
||||||
import { AuthenticationSession } from "../../../../types/AuthenticationSession";
|
|
||||||
import Constants = require("../../../../../shared/constants");
|
|
||||||
import Util = require("util");
|
|
||||||
import { DomainExtractor } from "../../utils/DomainExtractor";
|
|
||||||
import { ServerVariables } from "../../ServerVariables";
|
import { ServerVariables } from "../../ServerVariables";
|
||||||
import { MethodCalculator } from "../../authentication/MethodCalculator";
|
import GetWithSessionCookieMethod from "./get_session_cookie";
|
||||||
import { IRequestLogger } from "../../logging/IRequestLogger";
|
import GetWithBasicAuthMethod from "./get_basic_auth";
|
||||||
|
|
||||||
const FIRST_FACTOR_NOT_VALIDATED_MESSAGE = "First factor not yet validated";
|
import { AuthenticationSessionHandler }
|
||||||
const SECOND_FACTOR_NOT_VALIDATED_MESSAGE = "Second factor not yet validated";
|
from "../../AuthenticationSessionHandler";
|
||||||
|
import { AuthenticationSession }
|
||||||
|
from "../../../../types/AuthenticationSession";
|
||||||
|
|
||||||
const REMOTE_USER = "Remote-User";
|
const REMOTE_USER = "Remote-User";
|
||||||
const REMOTE_GROUPS = "Remote-Groups";
|
const REMOTE_GROUPS = "Remote-Groups";
|
||||||
|
|
||||||
function verify_inactivity(req: express.Request,
|
|
||||||
authSession: AuthenticationSession,
|
|
||||||
configuration: AppConfiguration, logger: IRequestLogger)
|
|
||||||
: BluebirdPromise<void> {
|
|
||||||
|
|
||||||
const lastActivityTime = authSession.last_activity_datetime;
|
function verifyWithSelectedMethod(req: Express.Request, res: Express.Response,
|
||||||
const currentTime = new Date().getTime();
|
vars: ServerVariables, authSession: AuthenticationSession)
|
||||||
authSession.last_activity_datetime = currentTime;
|
: () => BluebirdPromise<{ username: string, groups: string[] }> {
|
||||||
|
return function () {
|
||||||
|
const authorization: string = "" + req.headers["proxy-authorization"];
|
||||||
|
if (authorization && authorization.startsWith("Basic "))
|
||||||
|
return GetWithBasicAuthMethod(req, res, vars, authorization);
|
||||||
|
|
||||||
// If inactivity is not specified, then inactivity timeout does not apply
|
return GetWithSessionCookieMethod(req, res, vars, authSession);
|
||||||
if (!configuration.session.inactivity) {
|
};
|
||||||
return BluebirdPromise.resolve();
|
|
||||||
}
|
|
||||||
|
|
||||||
const inactivityPeriodMs = currentTime - lastActivityTime;
|
|
||||||
logger.debug(req, "Inactivity period was %s s and max period was %s.",
|
|
||||||
inactivityPeriodMs / 1000, configuration.session.inactivity / 1000);
|
|
||||||
if (inactivityPeriodMs < configuration.session.inactivity) {
|
|
||||||
return BluebirdPromise.resolve();
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.debug(req, "Session has been reset after too long inactivity period.");
|
|
||||||
AuthenticationSessionHandler.reset(req);
|
|
||||||
return BluebirdPromise.reject(new Error("Inactivity period exceeded."));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function verify_filter(req: express.Request, res: express.Response,
|
function setRedirectHeader(req: Express.Request, res: Express.Response) {
|
||||||
vars: ServerVariables): BluebirdPromise<void> {
|
return function () {
|
||||||
let authSession: AuthenticationSession;
|
|
||||||
let username: string;
|
|
||||||
let groups: string[];
|
|
||||||
|
|
||||||
return new BluebirdPromise(function (resolve, reject) {
|
|
||||||
authSession = AuthenticationSessionHandler.get(req, vars.logger);
|
|
||||||
username = authSession.userid;
|
|
||||||
groups = authSession.groups;
|
|
||||||
|
|
||||||
res.set("Redirect", encodeURIComponent("https://" + req.headers["host"] +
|
res.set("Redirect", encodeURIComponent("https://" + req.headers["host"] +
|
||||||
req.headers["x-original-uri"]));
|
req.headers["x-original-uri"]));
|
||||||
|
return BluebirdPromise.resolve();
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
if (!authSession.userid) {
|
function setUserAndGroupsHeaders(res: Express.Response) {
|
||||||
reject(new exceptions.AccessDeniedError(
|
return function (u: { username: string, groups: string[] }) {
|
||||||
Util.format("%s: %s.", FIRST_FACTOR_NOT_VALIDATED_MESSAGE, "userid is missing")));
|
res.setHeader(REMOTE_USER, u.username);
|
||||||
return;
|
res.setHeader(REMOTE_GROUPS, u.groups.join(","));
|
||||||
}
|
return BluebirdPromise.resolve();
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
const host = objectPath.get<express.Request, string>(req, "headers.host");
|
function replyWith200(res: Express.Response) {
|
||||||
const path = objectPath.get<express.Request, string>(req, "headers.x-original-uri");
|
return function () {
|
||||||
|
res.status(204);
|
||||||
const domain = DomainExtractor.fromHostHeader(host);
|
res.send();
|
||||||
const authenticationMethod =
|
};
|
||||||
MethodCalculator.compute(vars.config.authentication_methods, domain);
|
|
||||||
vars.logger.debug(req, "domain=%s, path=%s, user=%s, groups=%s", domain, path,
|
|
||||||
username, groups.join(","));
|
|
||||||
|
|
||||||
if (!authSession.first_factor)
|
|
||||||
return reject(new exceptions.AccessDeniedError(
|
|
||||||
Util.format("%s: %s.", FIRST_FACTOR_NOT_VALIDATED_MESSAGE, "first factor is false")));
|
|
||||||
|
|
||||||
if (authenticationMethod == "two_factor" && !authSession.second_factor)
|
|
||||||
return reject(new exceptions.AccessDeniedError(
|
|
||||||
Util.format("%s: %s.", SECOND_FACTOR_NOT_VALIDATED_MESSAGE, "second factor is false")));
|
|
||||||
|
|
||||||
const isAllowed = vars.accessController.isAccessAllowed(domain, path, username, groups);
|
|
||||||
if (!isAllowed) return reject(
|
|
||||||
new exceptions.DomainAccessDenied(Util.format("User '%s' does not have access to '%s'",
|
|
||||||
username, domain)));
|
|
||||||
|
|
||||||
resolve();
|
|
||||||
})
|
|
||||||
.then(function () {
|
|
||||||
return verify_inactivity(req, authSession,
|
|
||||||
vars.config, vars.logger);
|
|
||||||
})
|
|
||||||
.then(function () {
|
|
||||||
res.setHeader(REMOTE_USER, username);
|
|
||||||
res.setHeader(REMOTE_GROUPS, groups.join(","));
|
|
||||||
return BluebirdPromise.resolve();
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
export default function (vars: ServerVariables) {
|
export default function (vars: ServerVariables) {
|
||||||
return function (req: express.Request, res: express.Response)
|
return function (req: Express.Request, res: Express.Response)
|
||||||
: BluebirdPromise<void> {
|
: BluebirdPromise<void> {
|
||||||
return verify_filter(req, res, vars)
|
let authSession: AuthenticationSession;
|
||||||
.then(function () {
|
return new BluebirdPromise(function (resolve, reject) {
|
||||||
res.status(204);
|
authSession = AuthenticationSessionHandler.get(req, vars.logger);
|
||||||
res.send();
|
resolve();
|
||||||
return BluebirdPromise.resolve();
|
})
|
||||||
})
|
.then(setRedirectHeader(req, res))
|
||||||
|
.then(verifyWithSelectedMethod(req, res, vars, authSession))
|
||||||
|
.then(setUserAndGroupsHeaders(res))
|
||||||
|
.then(replyWith200(res))
|
||||||
// The user is authenticated but has restricted access -> 403
|
// The user is authenticated but has restricted access -> 403
|
||||||
.catch(exceptions.DomainAccessDenied, ErrorReplies
|
.catch(Exceptions.DomainAccessDenied, ErrorReplies
|
||||||
.replyWithError403(req, res, vars.logger))
|
.replyWithError403(req, res, vars.logger))
|
||||||
// The user is not yet authenticated -> 401
|
// The user is not yet authenticated -> 401
|
||||||
.catch(ErrorReplies.replyWithError401(req, res, vars.logger));
|
.catch(ErrorReplies.replyWithError401(req, res, vars.logger));
|
||||||
|
|
75
server/src/lib/routes/verify/get_basic_auth.ts
Normal file
75
server/src/lib/routes/verify/get_basic_auth.ts
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
import Express = require("express");
|
||||||
|
import BluebirdPromise = require("bluebird");
|
||||||
|
import ObjectPath = require("object-path");
|
||||||
|
import { ServerVariables } from "../../ServerVariables";
|
||||||
|
import { AuthenticationSession }
|
||||||
|
from "../../../../types/AuthenticationSession";
|
||||||
|
import { DomainExtractor } from "../../utils/DomainExtractor";
|
||||||
|
import { MethodCalculator } from "../../authentication/MethodCalculator";
|
||||||
|
import AccessControl from "./access_control";
|
||||||
|
|
||||||
|
export default function (req: Express.Request, res: Express.Response,
|
||||||
|
vars: ServerVariables, authorizationHeader: string)
|
||||||
|
: BluebirdPromise<{ username: string, groups: string[] }> {
|
||||||
|
let username: string;
|
||||||
|
let groups: string[];
|
||||||
|
let domain: string;
|
||||||
|
let path: string;
|
||||||
|
|
||||||
|
return new BluebirdPromise<[string, string]>(function (resolve, reject) {
|
||||||
|
const host = ObjectPath.get<Express.Request, string>(req, "headers.host");
|
||||||
|
domain = DomainExtractor.fromHostHeader(host);
|
||||||
|
path =
|
||||||
|
ObjectPath.get<Express.Request, string>(req, "headers.x-original-uri");
|
||||||
|
const authenticationMethod =
|
||||||
|
MethodCalculator.compute(vars.config.authentication_methods, domain);
|
||||||
|
|
||||||
|
if (authenticationMethod != "single_factor") {
|
||||||
|
reject(new Error("This domain is not protected with single factor. " +
|
||||||
|
"You cannot log in with basic authentication."));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const base64Re = new RegExp("^Basic ((?:[A-Za-z0-9+/]{4})*" +
|
||||||
|
"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)$");
|
||||||
|
const isTokenValidBase64 = base64Re.test(authorizationHeader);
|
||||||
|
|
||||||
|
if (!isTokenValidBase64) {
|
||||||
|
reject(new Error("No valid base64 token found in the header"));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const tokenMatches = authorizationHeader.match(base64Re);
|
||||||
|
const base64Token = tokenMatches[1];
|
||||||
|
const decodedToken = Buffer.from(base64Token, "base64").toString();
|
||||||
|
const splittedToken = decodedToken.split(":");
|
||||||
|
|
||||||
|
if (splittedToken.length != 2) {
|
||||||
|
reject(new Error(
|
||||||
|
"The authorization token is invalid. Expecting 'userid:password'"));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
username = splittedToken[0];
|
||||||
|
const password = splittedToken[1];
|
||||||
|
resolve([username, password]);
|
||||||
|
})
|
||||||
|
.then(function ([userid, password]) {
|
||||||
|
return vars.ldapAuthenticator.authenticate(userid, password);
|
||||||
|
})
|
||||||
|
.then(function (groupsAndEmails) {
|
||||||
|
groups = groupsAndEmails.groups;
|
||||||
|
return AccessControl(req, vars, domain, path, username, groups);
|
||||||
|
})
|
||||||
|
.then(function () {
|
||||||
|
return BluebirdPromise.resolve({
|
||||||
|
username: username,
|
||||||
|
groups: groups
|
||||||
|
});
|
||||||
|
})
|
||||||
|
.catch(function (err: Error) {
|
||||||
|
return BluebirdPromise.reject(
|
||||||
|
new Error("Unable to authenticate the user with basic auth. Cause: "
|
||||||
|
+ err.message));
|
||||||
|
});
|
||||||
|
}
|
102
server/src/lib/routes/verify/get_session_cookie.ts
Normal file
102
server/src/lib/routes/verify/get_session_cookie.ts
Normal file
|
@ -0,0 +1,102 @@
|
||||||
|
import Express = require("express");
|
||||||
|
import BluebirdPromise = require("bluebird");
|
||||||
|
import Util = require("util");
|
||||||
|
import ObjectPath = require("object-path");
|
||||||
|
|
||||||
|
import Exceptions = require("../../Exceptions");
|
||||||
|
import { AppConfiguration } from "../../configuration/Configuration";
|
||||||
|
import Constants = require("../../../../../shared/constants");
|
||||||
|
import { DomainExtractor } from "../../utils/DomainExtractor";
|
||||||
|
import { ServerVariables } from "../../ServerVariables";
|
||||||
|
import { MethodCalculator } from "../../authentication/MethodCalculator";
|
||||||
|
import { IRequestLogger } from "../../logging/IRequestLogger";
|
||||||
|
import { AuthenticationSession }
|
||||||
|
from "../../../../types/AuthenticationSession";
|
||||||
|
import { AuthenticationSessionHandler }
|
||||||
|
from "../../AuthenticationSessionHandler";
|
||||||
|
import AccessControl from "./access_control";
|
||||||
|
|
||||||
|
const FIRST_FACTOR_NOT_VALIDATED_MESSAGE = "First factor not yet validated";
|
||||||
|
const SECOND_FACTOR_NOT_VALIDATED_MESSAGE = "Second factor not yet validated";
|
||||||
|
|
||||||
|
function verify_inactivity(req: Express.Request,
|
||||||
|
authSession: AuthenticationSession,
|
||||||
|
configuration: AppConfiguration, logger: IRequestLogger)
|
||||||
|
: BluebirdPromise<void> {
|
||||||
|
|
||||||
|
// If inactivity is not specified, then inactivity timeout does not apply
|
||||||
|
if (!configuration.session.inactivity) {
|
||||||
|
return BluebirdPromise.resolve();
|
||||||
|
}
|
||||||
|
|
||||||
|
const lastActivityTime = authSession.last_activity_datetime;
|
||||||
|
const currentTime = new Date().getTime();
|
||||||
|
authSession.last_activity_datetime = currentTime;
|
||||||
|
|
||||||
|
const inactivityPeriodMs = currentTime - lastActivityTime;
|
||||||
|
logger.debug(req, "Inactivity period was %s s and max period was %s.",
|
||||||
|
inactivityPeriodMs / 1000, configuration.session.inactivity / 1000);
|
||||||
|
if (inactivityPeriodMs < configuration.session.inactivity) {
|
||||||
|
return BluebirdPromise.resolve();
|
||||||
|
}
|
||||||
|
|
||||||
|
logger.debug(req, "Session has been reset after too long inactivity period.");
|
||||||
|
AuthenticationSessionHandler.reset(req);
|
||||||
|
return BluebirdPromise.reject(new Error("Inactivity period exceeded."));
|
||||||
|
}
|
||||||
|
|
||||||
|
export default function (req: Express.Request, res: Express.Response,
|
||||||
|
vars: ServerVariables, authSession: AuthenticationSession)
|
||||||
|
: BluebirdPromise<{ username: string, groups: string[] }> {
|
||||||
|
let username: string;
|
||||||
|
let groups: string[];
|
||||||
|
let domain: string;
|
||||||
|
let path: string;
|
||||||
|
|
||||||
|
return new BluebirdPromise(function (resolve, reject) {
|
||||||
|
username = authSession.userid;
|
||||||
|
groups = authSession.groups;
|
||||||
|
|
||||||
|
if (!authSession.userid) {
|
||||||
|
reject(new Exceptions.AccessDeniedError(
|
||||||
|
Util.format("%s: %s.", FIRST_FACTOR_NOT_VALIDATED_MESSAGE,
|
||||||
|
"userid is missing")));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const host = ObjectPath.get<Express.Request, string>(req, "headers.host");
|
||||||
|
path =
|
||||||
|
ObjectPath.get<Express.Request, string>(req, "headers.x-original-uri");
|
||||||
|
|
||||||
|
domain = DomainExtractor.fromHostHeader(host);
|
||||||
|
const authenticationMethod =
|
||||||
|
MethodCalculator.compute(vars.config.authentication_methods, domain);
|
||||||
|
vars.logger.debug(req, "domain=%s, path=%s, user=%s, groups=%s", domain,
|
||||||
|
path, username, groups.join(","));
|
||||||
|
|
||||||
|
if (!authSession.first_factor)
|
||||||
|
return reject(new Exceptions.AccessDeniedError(
|
||||||
|
Util.format("%s: %s.", FIRST_FACTOR_NOT_VALIDATED_MESSAGE,
|
||||||
|
"first factor is false")));
|
||||||
|
|
||||||
|
if (authenticationMethod == "two_factor" && !authSession.second_factor)
|
||||||
|
return reject(new Exceptions.AccessDeniedError(
|
||||||
|
Util.format("%s: %s.", SECOND_FACTOR_NOT_VALIDATED_MESSAGE,
|
||||||
|
"second factor is false")));
|
||||||
|
|
||||||
|
resolve();
|
||||||
|
})
|
||||||
|
.then(function () {
|
||||||
|
return AccessControl(req, vars, domain, path, username, groups);
|
||||||
|
})
|
||||||
|
.then(function () {
|
||||||
|
return verify_inactivity(req, authSession,
|
||||||
|
vars.config, vars.logger);
|
||||||
|
})
|
||||||
|
.then(function () {
|
||||||
|
return BluebirdPromise.resolve({
|
||||||
|
username: authSession.userid,
|
||||||
|
groups: authSession.groups
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
|
@ -28,190 +28,284 @@ describe("test /api/verify endpoint", function () {
|
||||||
};
|
};
|
||||||
AuthenticationSessionHandler.reset(req as any);
|
AuthenticationSessionHandler.reset(req as any);
|
||||||
req.headers.host = "secret.example.com";
|
req.headers.host = "secret.example.com";
|
||||||
const s = ServerVariablesMockBuilder.build();
|
const s = ServerVariablesMockBuilder.build(true);
|
||||||
mocks = s.mocks;
|
mocks = s.mocks;
|
||||||
vars = s.variables;
|
vars = s.variables;
|
||||||
vars.config.authentication_methods.default_method = "two_factor";
|
|
||||||
|
|
||||||
authSession = AuthenticationSessionHandler.get(req as any, vars.logger);
|
authSession = AuthenticationSessionHandler.get(req as any, vars.logger);
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should be already authenticated", function () {
|
describe("with session cookie", function () {
|
||||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
beforeEach(function () {
|
||||||
authSession.first_factor = true;
|
vars.config.authentication_methods.default_method = "two_factor";
|
||||||
authSession.second_factor = true;
|
|
||||||
authSession.userid = "myuser";
|
|
||||||
authSession.groups = ["mygroup", "othergroup"];
|
|
||||||
return VerifyGet.default(vars)(req as express.Request, res as any)
|
|
||||||
.then(function () {
|
|
||||||
Sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "myuser");
|
|
||||||
Sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");
|
|
||||||
Assert.equal(204, res.status.getCall(0).args[0]);
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
function test_session(_authSession: AuthenticationSession, status_code: number) {
|
|
||||||
return VerifyGet.default(vars)(req as express.Request, res as any)
|
|
||||||
.then(function () {
|
|
||||||
Assert.equal(status_code, res.status.getCall(0).args[0]);
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
function test_non_authenticated_401(authSession: AuthenticationSession) {
|
|
||||||
return test_session(authSession, 401);
|
|
||||||
}
|
|
||||||
|
|
||||||
function test_unauthorized_403(authSession: AuthenticationSession) {
|
|
||||||
return test_session(authSession, 403);
|
|
||||||
}
|
|
||||||
|
|
||||||
function test_authorized(authSession: AuthenticationSession) {
|
|
||||||
return test_session(authSession, 204);
|
|
||||||
}
|
|
||||||
|
|
||||||
describe("given user tries to access a 2-factor endpoint", function () {
|
|
||||||
before(function () {
|
|
||||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("given different cases of session", function () {
|
it("should be already authenticated", function () {
|
||||||
it("should not be authenticated when second factor is missing", function () {
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
return test_non_authenticated_401({
|
authSession.first_factor = true;
|
||||||
userid: "user",
|
authSession.second_factor = true;
|
||||||
first_factor: true,
|
authSession.userid = "myuser";
|
||||||
second_factor: false,
|
authSession.groups = ["mygroup", "othergroup"];
|
||||||
email: undefined,
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
groups: [],
|
.then(function () {
|
||||||
last_activity_datetime: new Date().getTime()
|
Sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "myuser");
|
||||||
|
Sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");
|
||||||
|
Assert.equal(204, res.status.getCall(0).args[0]);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
function test_session(_authSession: AuthenticationSession, status_code: number) {
|
||||||
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
|
.then(function () {
|
||||||
|
Assert.equal(status_code, res.status.getCall(0).args[0]);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
function test_non_authenticated_401(authSession: AuthenticationSession) {
|
||||||
|
return test_session(authSession, 401);
|
||||||
|
}
|
||||||
|
|
||||||
|
function test_unauthorized_403(authSession: AuthenticationSession) {
|
||||||
|
return test_session(authSession, 403);
|
||||||
|
}
|
||||||
|
|
||||||
|
function test_authorized(authSession: AuthenticationSession) {
|
||||||
|
return test_session(authSession, 204);
|
||||||
|
}
|
||||||
|
|
||||||
|
describe("given user tries to access a 2-factor endpoint", function () {
|
||||||
|
before(function () {
|
||||||
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("given different cases of session", function () {
|
||||||
|
it("should not be authenticated when second factor is missing", function () {
|
||||||
|
return test_non_authenticated_401({
|
||||||
|
userid: "user",
|
||||||
|
first_factor: true,
|
||||||
|
second_factor: false,
|
||||||
|
email: undefined,
|
||||||
|
groups: [],
|
||||||
|
last_activity_datetime: new Date().getTime()
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should not be authenticated when first factor is missing", function () {
|
||||||
|
return test_non_authenticated_401({
|
||||||
|
userid: "user",
|
||||||
|
first_factor: false,
|
||||||
|
second_factor: true,
|
||||||
|
email: undefined,
|
||||||
|
groups: [],
|
||||||
|
last_activity_datetime: new Date().getTime()
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should not be authenticated when userid is missing", function () {
|
||||||
|
return test_non_authenticated_401({
|
||||||
|
userid: undefined,
|
||||||
|
first_factor: true,
|
||||||
|
second_factor: false,
|
||||||
|
email: undefined,
|
||||||
|
groups: [],
|
||||||
|
last_activity_datetime: new Date().getTime()
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should not be authenticated when first and second factor are missing", function () {
|
||||||
|
return test_non_authenticated_401({
|
||||||
|
userid: "user",
|
||||||
|
first_factor: false,
|
||||||
|
second_factor: false,
|
||||||
|
email: undefined,
|
||||||
|
groups: [],
|
||||||
|
last_activity_datetime: new Date().getTime()
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should not be authenticated when session has not be initiated", function () {
|
||||||
|
return test_non_authenticated_401(undefined);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should not be authenticated when domain is not allowed for user", function () {
|
||||||
|
authSession.first_factor = true;
|
||||||
|
authSession.second_factor = true;
|
||||||
|
authSession.userid = "myuser";
|
||||||
|
req.headers.host = "test.example.com";
|
||||||
|
mocks.accessController.isAccessAllowedMock.returns(false);
|
||||||
|
|
||||||
|
return test_unauthorized_403({
|
||||||
|
first_factor: true,
|
||||||
|
second_factor: true,
|
||||||
|
userid: "user",
|
||||||
|
groups: ["group1", "group2"],
|
||||||
|
email: undefined,
|
||||||
|
last_activity_datetime: new Date().getTime()
|
||||||
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it("should not be authenticated when first factor is missing", function () {
|
describe("given user tries to access a single factor endpoint", function () {
|
||||||
return test_non_authenticated_401({
|
beforeEach(function () {
|
||||||
userid: "user",
|
req.query = {
|
||||||
first_factor: false,
|
redirect: "http://redirect.url"
|
||||||
second_factor: true,
|
};
|
||||||
email: undefined,
|
req.headers["host"] = "redirect.url";
|
||||||
groups: [],
|
mocks.config.authentication_methods.per_subdomain_methods = {
|
||||||
last_activity_datetime: new Date().getTime()
|
"redirect.url": "single_factor"
|
||||||
});
|
};
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should not be authenticated when userid is missing", function () {
|
it("should be authenticated when first factor is validated and second factor is not", function () {
|
||||||
return test_non_authenticated_401({
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
userid: undefined,
|
authSession.first_factor = true;
|
||||||
first_factor: true,
|
authSession.userid = "user1";
|
||||||
second_factor: false,
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
email: undefined,
|
.then(function () {
|
||||||
groups: [],
|
Assert(res.status.calledWith(204));
|
||||||
last_activity_datetime: new Date().getTime()
|
Assert(res.send.calledOnce);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should not be authenticated when first and second factor are missing", function () {
|
it("should be rejected with 401 when first factor is not validated", function () {
|
||||||
return test_non_authenticated_401({
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
userid: "user",
|
authSession.first_factor = false;
|
||||||
first_factor: false,
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
second_factor: false,
|
.then(function () {
|
||||||
email: undefined,
|
Assert(res.status.calledWith(401));
|
||||||
groups: [],
|
});
|
||||||
last_activity_datetime: new Date().getTime()
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it("should not be authenticated when session has not be initiated", function () {
|
describe("inactivity period", function () {
|
||||||
return test_non_authenticated_401(undefined);
|
it("should update last inactivity period on requests on /api/verify", function () {
|
||||||
});
|
mocks.config.session.inactivity = 200000;
|
||||||
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
it("should not be authenticated when domain is not allowed for user", function () {
|
const currentTime = new Date().getTime() - 1000;
|
||||||
|
AuthenticationSessionHandler.reset(req as any);
|
||||||
authSession.first_factor = true;
|
authSession.first_factor = true;
|
||||||
authSession.second_factor = true;
|
authSession.second_factor = true;
|
||||||
authSession.userid = "myuser";
|
authSession.userid = "myuser";
|
||||||
req.headers.host = "test.example.com";
|
authSession.groups = ["mygroup", "othergroup"];
|
||||||
mocks.accessController.isAccessAllowedMock.returns(false);
|
authSession.last_activity_datetime = currentTime;
|
||||||
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
|
.then(function () {
|
||||||
|
return AuthenticationSessionHandler.get(req as any, vars.logger);
|
||||||
|
})
|
||||||
|
.then(function (authSession) {
|
||||||
|
Assert(authSession.last_activity_datetime > currentTime);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
return test_unauthorized_403({
|
it("should reset session when max inactivity period has been reached", function () {
|
||||||
first_factor: true,
|
mocks.config.session.inactivity = 1;
|
||||||
second_factor: true,
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
userid: "user",
|
const currentTime = new Date().getTime() - 1000;
|
||||||
groups: ["group1", "group2"],
|
AuthenticationSessionHandler.reset(req as any);
|
||||||
email: undefined,
|
authSession.first_factor = true;
|
||||||
last_activity_datetime: new Date().getTime()
|
authSession.second_factor = true;
|
||||||
});
|
authSession.userid = "myuser";
|
||||||
|
authSession.groups = ["mygroup", "othergroup"];
|
||||||
|
authSession.last_activity_datetime = currentTime;
|
||||||
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
|
.then(function () {
|
||||||
|
return AuthenticationSessionHandler.get(req as any, vars.logger);
|
||||||
|
})
|
||||||
|
.then(function (authSession) {
|
||||||
|
Assert.equal(authSession.first_factor, false);
|
||||||
|
Assert.equal(authSession.second_factor, false);
|
||||||
|
Assert.equal(authSession.userid, undefined);
|
||||||
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("given user tries to access a basic auth endpoint", function () {
|
describe("with basic auth", function () {
|
||||||
beforeEach(function () {
|
it("should authenticate correctly", function () {
|
||||||
req.query = {
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
redirect: "http://redirect.url"
|
mocks.config.authentication_methods.default_method = "single_factor";
|
||||||
};
|
mocks.ldapAuthenticator.authenticateStub.returns({
|
||||||
req.headers["host"] = "redirect.url";
|
groups: ["mygroup", "othergroup"],
|
||||||
|
});
|
||||||
|
req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA==";
|
||||||
|
|
||||||
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
|
.then(function () {
|
||||||
|
Sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "john");
|
||||||
|
Sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");
|
||||||
|
Assert.equal(204, res.status.getCall(0).args[0]);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should fail when endpoint is protected by two factors", function () {
|
||||||
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
|
mocks.config.authentication_methods.default_method = "single_factor";
|
||||||
mocks.config.authentication_methods.per_subdomain_methods = {
|
mocks.config.authentication_methods.per_subdomain_methods = {
|
||||||
"redirect.url": "single_factor"
|
"secret.example.com": "two_factor"
|
||||||
};
|
};
|
||||||
});
|
mocks.ldapAuthenticator.authenticateStub.resolves({
|
||||||
|
groups: ["mygroup", "othergroup"],
|
||||||
|
});
|
||||||
|
req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA==";
|
||||||
|
|
||||||
it("should be authenticated when first factor is validated and second factor is not", function () {
|
|
||||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
|
||||||
authSession.first_factor = true;
|
|
||||||
authSession.userid = "user1";
|
|
||||||
return VerifyGet.default(vars)(req as express.Request, res as any)
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
.then(function () {
|
.then(function () {
|
||||||
Assert(res.status.calledWith(204));
|
Assert(res.status.calledWithExactly(401));
|
||||||
Assert(res.send.calledOnce);
|
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should be rejected with 401 when first factor is not validated", function () {
|
it("should fail when base64 token is not valid", function () {
|
||||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
authSession.first_factor = false;
|
mocks.config.authentication_methods.default_method = "single_factor";
|
||||||
return VerifyGet.default(vars)(req as express.Request, res as any)
|
mocks.ldapAuthenticator.authenticateStub.resolves({
|
||||||
.then(function () {
|
groups: ["mygroup", "othergroup"],
|
||||||
Assert(res.status.calledWith(401));
|
});
|
||||||
});
|
req.headers["proxy-authorization"] = "Basic i_m*not_a_base64*token";
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
describe("inactivity period", function () {
|
|
||||||
it("should update last inactivity period on requests on /api/verify", function () {
|
|
||||||
mocks.config.session.inactivity = 200000;
|
|
||||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
|
||||||
const currentTime = new Date().getTime() - 1000;
|
|
||||||
AuthenticationSessionHandler.reset(req as any);
|
|
||||||
authSession.first_factor = true;
|
|
||||||
authSession.second_factor = true;
|
|
||||||
authSession.userid = "myuser";
|
|
||||||
authSession.groups = ["mygroup", "othergroup"];
|
|
||||||
authSession.last_activity_datetime = currentTime;
|
|
||||||
return VerifyGet.default(vars)(req as express.Request, res as any)
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
.then(function () {
|
.then(function () {
|
||||||
return AuthenticationSessionHandler.get(req as any, vars.logger);
|
Assert(res.status.calledWithExactly(401));
|
||||||
})
|
|
||||||
.then(function (authSession) {
|
|
||||||
Assert(authSession.last_activity_datetime > currentTime);
|
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it("should reset session when max inactivity period has been reached", function () {
|
it("should fail when base64 token has not format user:psswd", function () {
|
||||||
mocks.config.session.inactivity = 1;
|
|
||||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
const currentTime = new Date().getTime() - 1000;
|
mocks.config.authentication_methods.default_method = "single_factor";
|
||||||
AuthenticationSessionHandler.reset(req as any);
|
mocks.ldapAuthenticator.authenticateStub.resolves({
|
||||||
authSession.first_factor = true;
|
groups: ["mygroup", "othergroup"],
|
||||||
authSession.second_factor = true;
|
});
|
||||||
authSession.userid = "myuser";
|
req.headers["proxy-authorization"] = "Basic am9objpwYXNzOmJhZA==";
|
||||||
authSession.groups = ["mygroup", "othergroup"];
|
|
||||||
authSession.last_activity_datetime = currentTime;
|
|
||||||
return VerifyGet.default(vars)(req as express.Request, res as any)
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
.then(function () {
|
.then(function () {
|
||||||
return AuthenticationSessionHandler.get(req as any, vars.logger);
|
Assert(res.status.calledWithExactly(401));
|
||||||
})
|
});
|
||||||
.then(function (authSession) {
|
});
|
||||||
Assert.equal(authSession.first_factor, false);
|
|
||||||
Assert.equal(authSession.second_factor, false);
|
it("should fail when bad user password is provided", function () {
|
||||||
Assert.equal(authSession.userid, undefined);
|
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||||
|
mocks.config.authentication_methods.default_method = "single_factor";
|
||||||
|
mocks.ldapAuthenticator.authenticateStub.rejects(new Error(
|
||||||
|
"Invalid credentials"));
|
||||||
|
req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA==";
|
||||||
|
|
||||||
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
|
.then(function () {
|
||||||
|
Assert(res.status.calledWithExactly(401));
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should fail when resource is restricted", function () {
|
||||||
|
mocks.accessController.isAccessAllowedMock.returns(false);
|
||||||
|
mocks.config.authentication_methods.default_method = "single_factor";
|
||||||
|
mocks.ldapAuthenticator.authenticateStub.resolves({
|
||||||
|
groups: ["mygroup", "othergroup"],
|
||||||
|
});
|
||||||
|
req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA==";
|
||||||
|
|
||||||
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
|
.then(function () {
|
||||||
|
Assert(res.status.calledWithExactly(401));
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -4,3 +4,8 @@ Feature: User and groups headers are correctly forwarded to backend
|
||||||
When I visit "https://public.test.local:8080/headers"
|
When I visit "https://public.test.local:8080/headers"
|
||||||
Then I see header "Custom-Forwarded-User" set to "john"
|
Then I see header "Custom-Forwarded-User" set to "john"
|
||||||
Then I see header "Custom-Forwarded-Groups" set to "dev,admin"
|
Then I see header "Custom-Forwarded-Groups" set to "dev,admin"
|
||||||
|
|
||||||
|
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend when basic auth is used
|
||||||
|
When I request "https://single_factor.test.local:8080/headers" with username "john" and password "password" using basic authentication
|
||||||
|
Then I received header "Custom-Forwarded-User" set to "john"
|
||||||
|
And I received header "Custom-Forwarded-Groups" set to "dev,admin"
|
|
@ -1,13 +1,15 @@
|
||||||
Feature: User can access certain subdomains with single factor
|
Feature: User can access certain subdomains with single factor
|
||||||
|
|
||||||
@need-registered-user-john
|
|
||||||
Scenario: User is redirected to service after first factor if allowed
|
Scenario: User is redirected to service after first factor if allowed
|
||||||
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html"
|
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
Then I'm redirected to "https://single_factor.test.local:8080/secret.html"
|
Then I'm redirected to "https://single_factor.test.local:8080/secret.html"
|
||||||
|
|
||||||
@need-registered-user-john
|
|
||||||
Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
|
Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
|
||||||
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
||||||
|
|
||||||
|
Scenario: User can login using basic authentication
|
||||||
|
When I request "https://single_factor.test.local:8080/secret.html" with username "john" and password "password" using basic authentication
|
||||||
|
Then I receive the secret page
|
|
@ -10,7 +10,7 @@ Cucumber.defineSupportCode(function ({ Given, When, Then }) {
|
||||||
function (expectedHeaderName: string, expectedValue: string) {
|
function (expectedHeaderName: string, expectedValue: string) {
|
||||||
return this.driver.findElement(seleniumWebdriver.By.tagName("body")).getText()
|
return this.driver.findElement(seleniumWebdriver.By.tagName("body")).getText()
|
||||||
.then(function (txt: string) {
|
.then(function (txt: string) {
|
||||||
const expectedLine = Util.format("\"%s\": \"%s\"", expectedHeaderName, expectedValue);
|
const expectedLine = Util.format("\"%s\": \"%s\"", expectedHeaderName, expectedValue);
|
||||||
if (txt.indexOf(expectedLine) > 0)
|
if (txt.indexOf(expectedLine) > 0)
|
||||||
return BluebirdPromise.resolve();
|
return BluebirdPromise.resolve();
|
||||||
else
|
else
|
||||||
|
|
39
test/features/step_definitions/single-factor.ts
Normal file
39
test/features/step_definitions/single-factor.ts
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
import Cucumber = require("cucumber");
|
||||||
|
import seleniumWebdriver = require("selenium-webdriver");
|
||||||
|
import Request = require("request-promise");
|
||||||
|
import BluebirdPromise = require("bluebird");
|
||||||
|
import Util = require("util");
|
||||||
|
|
||||||
|
Cucumber.defineSupportCode(function ({ Given, When, Then }) {
|
||||||
|
When("I request {stringInDoubleQuotes} with username {stringInDoubleQuotes}" +
|
||||||
|
" and password {stringInDoubleQuotes} using basic authentication",
|
||||||
|
function (url: string, username: string, password: string) {
|
||||||
|
const that = this;
|
||||||
|
return Request(url, {
|
||||||
|
auth: {
|
||||||
|
username: username,
|
||||||
|
password: password
|
||||||
|
},
|
||||||
|
resolveWithFullResponse: true
|
||||||
|
})
|
||||||
|
.then(function (response: any) {
|
||||||
|
that.response = response;
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
Then("I receive the secret page", function () {
|
||||||
|
if (this.response.body.match("This is a very important secret!"))
|
||||||
|
return BluebirdPromise.resolve();
|
||||||
|
return BluebirdPromise.reject(new Error("Secret page not received."));
|
||||||
|
});
|
||||||
|
|
||||||
|
Then("I received header {stringInDoubleQuotes} set to {stringInDoubleQuotes}",
|
||||||
|
function (expectedHeaderName: string, expectedValue: string) {
|
||||||
|
const expectedLine = Util.format("\"%s\": \"%s\"", expectedHeaderName,
|
||||||
|
expectedValue);
|
||||||
|
if (this.response.body.indexOf(expectedLine) > 0)
|
||||||
|
return BluebirdPromise.resolve();
|
||||||
|
return BluebirdPromise.reject(new Error(
|
||||||
|
Util.format("No such header or with unexpected value.")));
|
||||||
|
})
|
||||||
|
});
|
Loading…
Reference in New Issue
Block a user