RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/server/test/IdentityCheckMiddleware.tes...

174 lines
6.9 KiB
TypeScript
Raw Normal View History

Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
import sinon = require("sinon");
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution.
2017-10-06 22:09:42 +00:00
import IdentityValidator = require("../src/lib/IdentityCheckMiddleware");
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
import AuthenticationSessionHandler = require("../src/lib/AuthenticationSession");
import { AuthenticationSession } from "../types/AuthenticationSession";
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution.
2017-10-06 22:09:42 +00:00
import { UserDataStore } from "../src/lib/storage/UserDataStore";
import exceptions = require("../src/lib/Exceptions");
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
import { ServerVariables } from "../src/lib/ServerVariables";
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
import Assert = require("assert");
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
import express = require("express");
import BluebirdPromise = require("bluebird");
import ExpressMock = require("./mocks/express");
import NotifierMock = require("./mocks/Notifier");
import IdentityValidatorMock = require("./mocks/IdentityValidator");
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
import { RequestLoggerStub } from "./mocks/RequestLoggerStub";
import { ServerVariablesMock, ServerVariablesMockBuilder } from "./mocks/ServerVariablesMockBuilder";
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
describe("test identity check process", function () {
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
let app: express.Application;
let app_get: sinon.SinonStub;
let app_post: sinon.SinonStub;
let identityValidable: IdentityValidatorMock.IdentityValidableMock;
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
let mocks: ServerVariablesMock;
let vars: ServerVariables;
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
beforeEach(function () {
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const s = ServerVariablesMockBuilder.build();
mocks = s.mocks;
vars = s.variables;
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
req = ExpressMock.RequestMock();
res = ExpressMock.ResponseMock();
identityValidable = IdentityValidatorMock.IdentityValidableMock();
req.headers = {};
req.session = {};
req.session = {};
req.query = {};
req.app = {};
Add Mongo as scalable and resilient storage backend
2017-07-19 19:06:12 +00:00
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
mocks.notifier.notifyStub.returns(BluebirdPromise.resolve());
Add Mongo as scalable and resilient storage backend
2017-07-19 19:06:12 +00:00
mocks.userDataStore.produceIdentityValidationTokenStub.returns(Promise.resolve());
mocks.userDataStore.consumeIdentityValidationTokenStub.returns(Promise.resolve({ userId: "user" }));
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
app = express();
app_get = sinon.stub(app, "get");
app_post = sinon.stub(app, "post");
});
afterEach(function () {
app_get.restore();
app_post.restore();
});
describe("test start GET", test_start_get_handler);
describe("test finish GET", test_finish_get_handler);
function test_start_get_handler() {
it("should send 401 if pre validation initialization throws a first factor error", function () {
identityValidable.preValidationInit.returns(BluebirdPromise.reject(new exceptions.FirstFactorValidationError("Error during prevalidation")));
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const callback = IdentityValidator.get_start_validation(identityValidable, "/endpoint", vars);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return callback(req as any, res as any, undefined)
.then(function () { return BluebirdPromise.reject("Should fail"); })
.catch(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(res.status.getCall(0).args[0], 401);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
});
});
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
it("should send 401 if email is missing in provided identity", function () {
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
const identity = { userid: "abc" };
identityValidable.preValidationInit.returns(BluebirdPromise.resolve(identity));
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const callback = IdentityValidator.get_start_validation(identityValidable, "/endpoint", vars);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return callback(req as any, res as any, undefined)
.then(function () { return BluebirdPromise.reject("Should fail"); })
.catch(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(res.status.getCall(0).args[0], 401);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
});
});
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
it("should send 401 if userid is missing in provided identity", function () {
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
const endpoint = "/protected";
const identity = { email: "abc@example.com" };
identityValidable.preValidationInit.returns(BluebirdPromise.resolve(identity));
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const callback = IdentityValidator.get_start_validation(identityValidable, "/endpoint", vars);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return callback(req as any, res as any, undefined)
.then(function () { return BluebirdPromise.reject(new Error("It should fail")); })
.catch(function (err: Error) {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(res.status.getCall(0).args[0], 401);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return BluebirdPromise.resolve();
});
});
it("should issue a token, send an email and return 204", function () {
const endpoint = "/protected";
const identity = { userid: "user", email: "abc@example.com" };
req.get = sinon.stub().withArgs("Host").returns("localhost");
identityValidable.preValidationInit.returns(BluebirdPromise.resolve(identity));
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const callback = IdentityValidator.get_start_validation(identityValidable, "/finish_endpoint", vars);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return callback(req as any, res as any, undefined)
.then(function () {
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
Assert(mocks.notifier.notifyStub.calledOnce);
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert(mocks.userDataStore.produceIdentityValidationTokenStub.calledOnce);
Assert.equal(mocks.userDataStore.produceIdentityValidationTokenStub.getCall(0).args[0], "user");
Assert.equal(mocks.userDataStore.produceIdentityValidationTokenStub.getCall(0).args[3], 240000);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
});
});
}
function test_finish_get_handler() {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
it("should send 401 if no identity_token is provided", function () {
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const callback = IdentityValidator.get_finish_validation(identityValidable, vars);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return callback(req as any, res as any, undefined)
.then(function () { return BluebirdPromise.reject("Should fail"); })
.catch(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(res.status.getCall(0).args[0], 401);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
});
});
it("should call postValidation if identity_token is provided and still valid", function () {
req.query.identity_token = "token";
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const callback = IdentityValidator.get_finish_validation(identityValidable, vars);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return callback(req as any, res as any, undefined);
});
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
it("should return 401 if identity_token is provided but invalid", function () {
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
req.query.identity_token = "token";
Add Mongo as scalable and resilient storage backend
2017-07-19 19:06:12 +00:00
mocks.userDataStore.consumeIdentityValidationTokenStub.returns(BluebirdPromise.reject(new Error("Invalid token")));
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
const callback = IdentityValidator.get_finish_validation(identityValidable, vars);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return callback(req as any, res as any, undefined)
.then(function () { return BluebirdPromise.reject("Should fail"); })
.catch(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(res.status.getCall(0).args[0], 401);
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
});
});
it("should set the identity_check session object even if session does not exist yet", function () {
req.query.identity_token = "token";
req.session = {};
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
let authSession: AuthenticationSession;
const callback = IdentityValidator.get_finish_validation(identityValidable, vars);
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem
2017-09-21 20:07:34 +00:00
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
return AuthenticationSessionHandler.get(req as any, vars.logger)
.then(function (_authSession) {
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem
2017-09-21 20:07:34 +00:00
authSession = _authSession;
return callback(req as any, res as any, undefined);
})
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
.then(function () { return BluebirdPromise.reject("Should fail"); })
.catch(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(authSession.identity_check.userid, "user");
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
return BluebirdPromise.resolve();
});
});
}
});