authelia/test/unit/server/routes/firstfactor/post.test.ts

import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import assert = require("assert");
import winston = require("winston");

import FirstFactorPost = require("../../../../../src/server/lib/routes/firstfactor/post");
import exceptions = require("../../../../../src/server/lib/Exceptions");
import AuthenticationSession = require("../../../../../src/server/lib/AuthenticationSession");
import Endpoints = require("../../../../../src/server/endpoints");

import AuthenticationRegulatorMock = require("../../mocks/AuthenticationRegulator");
import AccessControllerMock = require("../../mocks/AccessController");
import { LdapClientMock } from "../../mocks/LdapClient";
import ExpressMock = require("../../mocks/express");
import ServerVariablesMock = require("../../mocks/ServerVariablesMock");

describe("test the first factor validation route", function () {
  let req: ExpressMock.RequestMock;
  let res: ExpressMock.ResponseMock;
  let emails: string[];
  let groups: string[];
  let configuration;
  let ldapMock: LdapClientMock;
  let regulator: AuthenticationRegulatorMock.AuthenticationRegulatorMock;
  let accessController: AccessControllerMock.AccessControllerMock;

  beforeEach(function () {
    configuration = {
      ldap: {
        base_dn: "ou=users,dc=example,dc=com",
        user_name_attribute: "uid"
      }
    };

    emails = ["test_ok@example.com"];
    groups = ["group1", "group2" ];

    ldapMock = LdapClientMock();

    accessController = AccessControllerMock.AccessControllerMock();
    accessController.isDomainAllowedForUser.returns(true);

    regulator = AuthenticationRegulatorMock.AuthenticationRegulatorMock();
    regulator.regulate.returns(BluebirdPromise.resolve());
    regulator.mark.returns(BluebirdPromise.resolve());

    req = {
      app: {
      },
      body: {
        username: "username",
        password: "password"
      },
      session: {
      },
      headers: {
        host: "home.example.com"
      }
    };

    AuthenticationSession.reset(req as any);

    const mocks = ServerVariablesMock.mock(req.app);
    mocks.ldap = ldapMock;
    mocks.config = configuration;
    mocks.logger = winston;
    mocks.regulator = regulator;
    mocks.accessController = accessController;

    res = ExpressMock.ResponseMock();
  });

  it("should redirect client to second factor page", function () {
    ldapMock.checkPassword.withArgs("username").returns(BluebirdPromise.resolve());
    ldapMock.retrieveEmails.returns(BluebirdPromise.resolve(emails));
    const authSession = AuthenticationSession.get(req as any);
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        assert.equal("username", authSession.userid);
        assert.equal(Endpoints.SECOND_FACTOR_GET, res.redirect.getCall(0).args[0]);
      });
  });

  it("should retrieve email from LDAP", function () {
    ldapMock.checkPassword.returns(BluebirdPromise.resolve());
    ldapMock.retrieveEmails = sinon.stub().withArgs("username").returns(BluebirdPromise.resolve([{ mail: ["test@example.com"] }]));
    return FirstFactorPost.default(req as any, res as any);
  });

  it("should set first email address as user session variable", function () {
    const emails = ["test_ok@example.com"];
    const authSession = AuthenticationSession.get(req as any);
    ldapMock.checkPassword.returns(BluebirdPromise.resolve());
    ldapMock.retrieveEmails.returns(BluebirdPromise.resolve(emails));
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        assert.equal("test_ok@example.com", authSession.email);
      });
  });

  it("should return status code 401 when LDAP binding throws", function () {
    ldapMock.checkPassword.returns(BluebirdPromise.reject(new exceptions.LdapBindError("Bad credentials")));
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        assert.equal(401, res.status.getCall(0).args[0]);
        assert.equal(regulator.mark.getCall(0).args[0], "username");
      });
  });

  it("should return status code 500 when LDAP search throws", function () {
    ldapMock.checkPassword.returns(BluebirdPromise.resolve());
    ldapMock.retrieveEmails.returns(BluebirdPromise.reject(new exceptions.LdapSearchError("error while retrieving emails")));
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        assert.equal(500, res.status.getCall(0).args[0]);
      });
  });

  it("should return status code 403 when regulator rejects authentication", function () {
    const err = new exceptions.AuthenticationRegulationError("Authentication regulation...");
    regulator.regulate.returns(BluebirdPromise.reject(err));
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        assert.equal(403, res.status.getCall(0).args[0]);
        assert.equal(1, res.send.callCount);
      });
  });

  it("should fail when admin user does not have rights to retrieve attribute mail", function () {
    ldapMock.checkPassword.returns(BluebirdPromise.resolve());
    ldapMock.retrieveEmails = sinon.stub().withArgs("username").returns(BluebirdPromise.resolve([]));
    ldapMock.retrieveGroups = sinon.stub().withArgs("username").returns(BluebirdPromise.resolve(["group1"]));
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        assert.equal(500, res.status.getCall(0).args[0]);
        assert.equal(1, res.send.callCount);
      });
  });
});