authelia/server/test/routes/verify/get.test.ts


import Assert = require("assert");
import VerifyGet = require("../../../src/lib/routes/verify/get");
import AuthenticationSession = require("../../../src/lib/AuthenticationSession");

import Sinon = require("sinon");
import winston = require("winston");
import BluebirdPromise = require("bluebird");

import express = require("express");

import ExpressMock = require("../../mocks/express");
import { AccessControllerStub } from "../../mocks/AccessControllerStub";
import ServerVariablesMock = require("../../mocks/ServerVariablesMock");

describe("test authentication token verification", function () {
  let req: ExpressMock.RequestMock;
  let res: ExpressMock.ResponseMock;
  let accessController: AccessControllerStub;

  beforeEach(function () {
    accessController = new AccessControllerStub();
    accessController.isAccessAllowedMock.returns(true);

    req = ExpressMock.RequestMock();
    res = ExpressMock.ResponseMock();
    req.session = {};
    req.query = {
      redirect: "http://redirect.url"
    };
    req.app = {
      get: Sinon.stub().returns({ logger: winston })
    };
    AuthenticationSession.reset(req as any);
    req.headers = {};
    req.headers.host = "secret.example.com";
    const mocks = ServerVariablesMock.mock(req.app);
    mocks.config = {} as any;
    mocks.logger = winston;
    mocks.accessController = accessController as any;
  });

  it("should be already authenticated", function () {
    req.session = {};
    AuthenticationSession.reset(req as any);
    return AuthenticationSession.get(req as any)
      .then(function (authSession: AuthenticationSession.AuthenticationSession) {
        authSession.first_factor = true;
        authSession.second_factor = true;
        authSession.userid = "myuser";
        authSession.groups = ["mygroup", "othergroup"];
        return VerifyGet.default(req as express.Request, res as any);
      })
      .then(function () {
        Sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "myuser");
        Sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");
        Assert.equal(204, res.status.getCall(0).args[0]);
      });
  });

  function test_session(_authSession: AuthenticationSession.AuthenticationSession, status_code: number) {
    return AuthenticationSession.get(req as any)
      .then(function (authSession) {
        authSession = _authSession;
        return VerifyGet.default(req as express.Request, res as any);
      })
      .then(function () {
        Assert.equal(status_code, res.status.getCall(0).args[0]);
      });
  }

  function test_non_authenticated_401(auth_session: AuthenticationSession.AuthenticationSession) {
    return test_session(auth_session, 401);
  }

  function test_unauthorized_403(auth_session: AuthenticationSession.AuthenticationSession) {
    return test_session(auth_session, 403);
  }

  function test_authorized(auth_session: AuthenticationSession.AuthenticationSession) {
    return test_session(auth_session, 204);
  }

  describe("given user tries to access a 2-factor endpoint", function () {
    describe("given different cases of session", function () {
      it("should not be authenticated when second factor is missing", function () {
        return test_non_authenticated_401({
          userid: "user",
          first_factor: true,
          second_factor: false,
          email: undefined,
          groups: [],
        });
      });

      it("should not be authenticated when first factor is missing", function () {
        return test_non_authenticated_401({
          userid: "user",
          first_factor: false,
          second_factor: true,
          email: undefined,
          groups: [],
        });
      });

      it("should not be authenticated when userid is missing", function () {
        return test_non_authenticated_401({
          userid: undefined,
          first_factor: true,
          second_factor: false,
          email: undefined,
          groups: [],
        });
      });

      it("should not be authenticated when first and second factor are missing", function () {
        return test_non_authenticated_401({
          userid: "user",
          first_factor: false,
          second_factor: false,
          email: undefined,
          groups: [],
        });
      });

      it("should not be authenticated when session has not be initiated", function () {
        return test_non_authenticated_401(undefined);
      });

      it("should not be authenticated when domain is not allowed for user", function () {
        return AuthenticationSession.get(req as any)
          .then(function (authSession: AuthenticationSession.AuthenticationSession) {
            authSession.first_factor = true;
            authSession.second_factor = true;
            authSession.userid = "myuser";

            req.headers.host = "test.example.com";

            accessController.isAccessAllowedMock.returns(false);
            accessController.isAccessAllowedMock.withArgs("test.example.com", "user", ["group1", "group2"]).returns(true);

            return test_unauthorized_403({
              first_factor: true,
              second_factor: true,
              userid: "user",
              groups: ["group1", "group2"],
              email: undefined
            });
          });
      });
    });
  });

  describe("given user tries to access a basic auth endpoint", function () {
    beforeEach(function () {
      req.query = {
        redirect: "http://redirect.url",
        only_basic_auth: "true"
      };
    });

    it("should be authenticated when first factor is validated and not second factor", function () {
      return AuthenticationSession.get(req as any)
        .then(function (authSession: AuthenticationSession.AuthenticationSession) {
          authSession.first_factor = true;
          return VerifyGet.default(req as express.Request, res as any);
        })
        .then(function () {
          Assert(res.status.calledWith(204));
          Assert(res.send.calledOnce);
        });
    });

    it("should be rejected with 401 when first factor is not validated", function () {
      return AuthenticationSession.get(req as any)
        .then(function (authSession: AuthenticationSession.AuthenticationSession) {
          authSession.first_factor = false;
          return VerifyGet.default(req as express.Request, res as any);
        })
        .then(function () {
          Assert(res.status.calledWith(401));
        });
    });
  });
});
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`import Assert = require("assert");`
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution. 2017-10-06 22:09:42 +00:00			`import VerifyGet = require("../../../src/lib/routes/verify/get");`
			`import AuthenticationSession = require("../../../src/lib/AuthenticationSession");`
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`import Sinon = require("sinon");`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`import winston = require("winston");`
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`import BluebirdPromise = require("bluebird");`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00
			`import express = require("express");`

Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`import ExpressMock = require("../../mocks/express");`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`import { AccessControllerStub } from "../../mocks/AccessControllerStub";`
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`import ServerVariablesMock = require("../../mocks/ServerVariablesMock");`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00
			`describe("test authentication token verification", function () {`
			`let req: ExpressMock.RequestMock;`
			`let res: ExpressMock.ResponseMock;`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`let accessController: AccessControllerStub;`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00
			`beforeEach(function () {`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`accessController = new AccessControllerStub();`
			`accessController.isAccessAllowedMock.returns(true);`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00
			`req = ExpressMock.RequestMock();`
			`res = ExpressMock.ResponseMock();`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`req.session = {};`
			`req.query = {`
			`redirect: "http://redirect.url"`
			`};`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`req.app = {`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`get: Sinon.stub().returns({ logger: winston })`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`};`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`AuthenticationSession.reset(req as any);`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`req.headers = {};`
			`req.headers.host = "secret.example.com";`
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`const mocks = ServerVariablesMock.mock(req.app);`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`mocks.config = {} as any;`
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`mocks.logger = winston;`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`mocks.accessController = accessController as any;`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`});`

Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`it("should be already authenticated", function () {`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`req.session = {};`
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`AuthenticationSession.reset(req as any);`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`return AuthenticationSession.get(req as any)`
			`.then(function (authSession: AuthenticationSession.AuthenticationSession) {`
			`authSession.first_factor = true;`
			`authSession.second_factor = true;`
			`authSession.userid = "myuser";`
Set headers values Remote-User and Remote-Groups in /verify response 2017-09-22 19:18:38 +00:00			`authSession.groups = ["mygroup", "othergroup"];`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`return VerifyGet.default(req as express.Request, res as any);`
			`})`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`.then(function () {`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`Sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "myuser");`
			`Sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");`
			`Assert.equal(204, res.status.getCall(0).args[0]);`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`});`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`});`

Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`function test_session(_authSession: AuthenticationSession.AuthenticationSession, status_code: number) {`
			`return AuthenticationSession.get(req as any)`
			`.then(function (authSession) {`
			`authSession = _authSession;`
			`return VerifyGet.default(req as express.Request, res as any);`
			`})`
			`.then(function () {`
			`Assert.equal(status_code, res.status.getCall(0).args[0]);`
			`});`
			`}`

			`function test_non_authenticated_401(auth_session: AuthenticationSession.AuthenticationSession) {`
			`return test_session(auth_session, 401);`
			`}`

			`function test_unauthorized_403(auth_session: AuthenticationSession.AuthenticationSession) {`
			`return test_session(auth_session, 403);`
			`}`

			`function test_authorized(auth_session: AuthenticationSession.AuthenticationSession) {`
			`return test_session(auth_session, 204);`
			`}`

			`describe("given user tries to access a 2-factor endpoint", function () {`
			`describe("given different cases of session", function () {`
			`it("should not be authenticated when second factor is missing", function () {`
			`return test_non_authenticated_401({`
			`userid: "user",`
			`first_factor: true,`
			`second_factor: false,`
			`email: undefined,`
			`groups: [],`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`});`
			`});`

Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`it("should not be authenticated when first factor is missing", function () {`
			`return test_non_authenticated_401({`
			`userid: "user",`
			`first_factor: false,`
			`second_factor: true,`
			`email: undefined,`
			`groups: [],`
			`});`
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`});`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`it("should not be authenticated when userid is missing", function () {`
			`return test_non_authenticated_401({`
			`userid: undefined,`
			`first_factor: true,`
			`second_factor: false,`
			`email: undefined,`
			`groups: [],`
			`});`
			`});`

			`it("should not be authenticated when first and second factor are missing", function () {`
			`return test_non_authenticated_401({`
			`userid: "user",`
			`first_factor: false,`
			`second_factor: false,`
			`email: undefined,`
			`groups: [],`
			`});`
			`});`

			`it("should not be authenticated when session has not be initiated", function () {`
			`return test_non_authenticated_401(undefined);`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`});`

Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`it("should not be authenticated when domain is not allowed for user", function () {`
			`return AuthenticationSession.get(req as any)`
			`.then(function (authSession: AuthenticationSession.AuthenticationSession) {`
			`authSession.first_factor = true;`
			`authSession.second_factor = true;`
			`authSession.userid = "myuser";`

			`req.headers.host = "test.example.com";`

			`accessController.isAccessAllowedMock.returns(false);`
			`accessController.isAccessAllowedMock.withArgs("test.example.com", "user", ["group1", "group2"]).returns(true);`

			`return test_unauthorized_403({`
			`first_factor: true,`
			`second_factor: true,`
			`userid: "user",`
			`groups: ["group1", "group2"],`
			`email: undefined`
			`});`
			`});`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`});`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`});`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`});`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`describe("given user tries to access a basic auth endpoint", function () {`
			`beforeEach(function () {`
			`req.query = {`
			`redirect: "http://redirect.url",`
			`only_basic_auth: "true"`
			`};`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`});`

Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`it("should be authenticated when first factor is validated and not second factor", function () {`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`return AuthenticationSession.get(req as any)`
			`.then(function (authSession: AuthenticationSession.AuthenticationSession) {`
			`authSession.first_factor = true;`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`return VerifyGet.default(req as express.Request, res as any);`
			`})`
			`.then(function () {`
			`Assert(res.status.calledWith(204));`
			`Assert(res.send.calledOnce);`
			`});`
			`});`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`it("should be rejected with 401 when first factor is not validated", function () {`
			`return AuthenticationSession.get(req as any)`
			`.then(function (authSession: AuthenticationSession.AuthenticationSession) {`
			`authSession.first_factor = false;`
			`return VerifyGet.default(req as express.Request, res as any);`
			`})`
			`.then(function () {`
			`Assert(res.status.calledWith(401));`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`});`
Fix issue with domain access during first factor phase 2017-05-21 21:32:09 +00:00			`});`
Move Authentication validator and routes to typescript 2017-05-21 10:27:12 +00:00			`});`
			`});`