authelia/test/unitary/routes/test_first_factor.js


var sinon = require('sinon');
var Promise = require('bluebird');
var assert = require('assert');
var winston = require('winston');
var first_factor = require('../../../src/lib/routes/first_factor');
var exceptions = require('../../../src/lib/exceptions');
var Ldap = require('../../../src/lib/ldap');

describe('test the first factor validation route', function() {
  var req, res;
  var ldap_interface_mock;
  var emails;
  var search_res_ok;
  var regulator;
  var config;

  beforeEach(function() {
    ldap_interface_mock = sinon.createStubInstance(Ldap);
    config = {
      ldap: {
        base_dn: 'ou=users,dc=example,dc=com',
        user_name_attribute: 'uid'
      }
    }

    emails = [ 'test_ok@example.com' ];
    groups = [ 'group1', 'group2' ];
 
    regulator = {};
    regulator.mark = sinon.stub();
    regulator.regulate = sinon.stub();

    regulator.mark.returns(Promise.resolve());
    regulator.regulate.returns(Promise.resolve());

    var app_get = sinon.stub();
    app_get.withArgs('ldap').returns(ldap_interface_mock);
    app_get.withArgs('config').returns(config);
    app_get.withArgs('logger').returns(winston);
    app_get.withArgs('authentication regulator').returns(regulator);

    req = {
      app: {
        get: app_get
      },
      body: {
        username: 'username',
        password: 'password'
      },
      session: {
        auth_session: {
          first_factor: false,
          second_factor: false
        }
      }
    }
    res = {
      send: sinon.spy(),
      status: sinon.spy()
    }
  });
  
  it('should return status code 204 when LDAP binding succeeds', function() {
    return new Promise(function(resolve, reject) {
      res.send = sinon.spy(function(data) {
        assert.equal('username', req.session.auth_session.userid);
        assert.equal(204, res.status.getCall(0).args[0]);
        resolve();
      });
      ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
      first_factor(req, res);
    });
  });

  it('should store the allowed domains in the auth session', function() {
    config.access_control = [];
    config.access_control.push({ 
      group: 'group1', 
      allowed_domains: ['domain1.example.com', 'domain2.example.com']
    });
    return new Promise(function(resolve, reject) {
      res.send = sinon.spy(function(data) {
        assert.deepEqual(['domain1.example.com', 'domain2.example.com'], 
          req.session.auth_session.allowed_domains);
        assert.equal(204, res.status.getCall(0).args[0]);
        resolve();
      });
      ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
      ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
      first_factor(req, res);
    });
  });

  it('should retrieve email from LDAP', function(done) {
    res.send = sinon.spy(function(data) { done(); });
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails = sinon.stub().withArgs('usernam').returns(Promise.resolve([{mail: ['test@example.com'] }]));
    first_factor(req, res);
  });

  it('should set email as session variables', function() {
    return new Promise(function(resolve, reject) {
      res.send = sinon.spy(function(data) {
        assert.equal('test_ok@example.com', req.session.auth_session.email);
        resolve();
      });
      var emails = [ 'test_ok@example.com' ];
      ldap_interface_mock.bind.returns(Promise.resolve());
      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
      first_factor(req, res);
    });
  });

  it('should return status code 401 when LDAP binding throws', function(done) {
    res.send = sinon.spy(function(data) {
      assert.equal(401, res.status.getCall(0).args[0]);
      assert.equal(regulator.mark.getCall(0).args[0], 'username');
      done();
    });
    ldap_interface_mock.bind.throws(new exceptions.LdapBindError('Bad credentials'));
    first_factor(req, res);
  });

  it('should return status code 500 when LDAP search throws', function(done) {
    res.send = sinon.spy(function(data) {
      assert.equal(500, res.status.getCall(0).args[0]);
      done();
    });
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails.throws(new exceptions.LdapSearchError('err'));
    first_factor(req, res);
  });

  it('should return status code 403 when regulator rejects authentication', function(done) {
    var err = new exceptions.AuthenticationRegulationError();
    regulator.regulate.returns(Promise.reject(err));
    res.send = sinon.spy(function(data) {
      assert.equal(403, res.status.getCall(0).args[0]);
      done();
    });
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails.returns(Promise.resolve());
    first_factor(req, res);
  });
});
-												Validate first factor through a post request

											
										
										
											2017-01-19 00:01:37 +00:00
 								var sinon = require('sinon');
 								var Promise = require('bluebird');
 								var assert = require('assert');
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
+								var winston = require('winston');
-												Validate first factor through a post request

											
										
										
											2017-01-19 00:01:37 +00:00
+								var first_factor = require('../../../src/lib/routes/first_factor');
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								var exceptions = require('../../../src/lib/exceptions');
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								var Ldap = require('../../../src/lib/ldap');
-												Validate first factor through a post request

											
										
										
											2017-01-19 00:01:37 +00:00
 								describe('test the first factor validation route', function() {
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
+								  var req, res;
 								  var ldap_interface_mock;
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								  var emails;
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
+								  var search_res_ok;
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								  var regulator;
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								  var config;
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
 								  beforeEach(function() {
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								    ldap_interface_mock = sinon.createStubInstance(Ldap);
 								    config = {
 								      ldap: {
 								        base_dn: 'ou=users,dc=example,dc=com',
 								        user_name_attribute: 'uid'
 								      }
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
+								    }
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								    emails = [ 'test_ok@example.com' ];
 								    groups = [ 'group1', 'group2' ];
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								    regulator = {};
 								    regulator.mark = sinon.stub();
 								    regulator.regulate = sinon.stub();
 								    regulator.mark.returns(Promise.resolve());
 								    regulator.regulate.returns(Promise.resolve());
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
+								    var app_get = sinon.stub();
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								    app_get.withArgs('ldap').returns(ldap_interface_mock);
-												Add an LDAP user search filter in the configuration filte to specify the user attribute to search for in LDAP

											
										
										
											2017-03-16 00:25:55 +00:00
+								    app_get.withArgs('config').returns(config);
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
+								    app_get.withArgs('logger').returns(winston);
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								    app_get.withArgs('authentication regulator').returns(regulator);
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
+								    req = {
 								      app: {
 								        get: app_get
 								      },
 								      body: {
 								        username: 'username',
 								        password: 'password'
 								      },
 								      session: {
 								        auth_session: {
 								          first_factor: false,
 								          second_factor: false
 								        }
 								      }
 								    }
 								    res = {
 								      send: sinon.spy(),
 								      status: sinon.spy()
 								    }
 								  });
-												Validate first factor through a post request

											
										
										
											2017-01-19 00:01:37 +00:00
+								  it('should return status code 204 when LDAP binding succeeds', function() {
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
+								    return new Promise(function(resolve, reject) {
 								      res.send = sinon.spy(function(data) {
 								        assert.equal('username', req.session.auth_session.userid);
 								        assert.equal(204, res.status.getCall(0).args[0]);
 								        resolve();
 								      });
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								      ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
 								      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
+								      first_factor(req, res);
 								    });
-												Validate first factor through a post request

											
										
										
											2017-01-19 00:01:37 +00:00
+								  });
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								  it('should store the allowed domains in the auth session', function() {
 								    config.access_control = [];
 								    config.access_control.push({
 								      group: 'group1',
 								      allowed_domains: ['domain1.example.com', 'domain2.example.com']
 								    });
 								    return new Promise(function(resolve, reject) {
 								      res.send = sinon.spy(function(data) {
 								        assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
 								          req.session.auth_session.allowed_domains);
 								        assert.equal(204, res.status.getCall(0).args[0]);
 								        resolve();
 								      });
 								      ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
 								      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
 								      ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
 								      first_factor(req, res);
-												Add an LDAP user search filter in the configuration filte to specify the user attribute to search for in LDAP

											
										
										
											2017-03-16 00:25:55 +00:00
+								    });
 								  });
 								  it('should retrieve email from LDAP', function(done) {
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								    res.send = sinon.spy(function(data) { done(); });
 								    ldap_interface_mock.bind.returns(Promise.resolve());
 								    ldap_interface_mock.get_emails = sinon.stub().withArgs('usernam').returns(Promise.resolve([{mail: ['test@example.com'] }]));
-												Add an LDAP user search filter in the configuration filte to specify the user attribute to search for in LDAP

											
										
										
											2017-03-16 00:25:55 +00:00
+								    first_factor(req, res);
 								  });
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								  it('should set email as session variables', function() {
 								    return new Promise(function(resolve, reject) {
 								      res.send = sinon.spy(function(data) {
 								        assert.equal('test_ok@example.com', req.session.auth_session.email);
 								        resolve();
 								      });
 								      var emails = [ 'test_ok@example.com' ];
 								      ldap_interface_mock.bind.returns(Promise.resolve());
 								      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
 								      first_factor(req, res);
 								    });
 								  });
 								  it('should return status code 401 when LDAP binding throws', function(done) {
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								    res.send = sinon.spy(function(data) {
 								      assert.equal(401, res.status.getCall(0).args[0]);
 								      assert.equal(regulator.mark.getCall(0).args[0], 'username');
 								      done();
-												Implement FIDO u2f authentication

											
										
										
											2017-01-21 16:41:06 +00:00
+								    });
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								    ldap_interface_mock.bind.throws(new exceptions.LdapBindError('Bad credentials'));
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								    first_factor(req, res);
-												Validate first factor through a post request

											
										
										
											2017-01-19 00:01:37 +00:00
+								  });
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								  it('should return status code 500 when LDAP search throws', function(done) {
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								    res.send = sinon.spy(function(data) {
 								      assert.equal(500, res.status.getCall(0).args[0]);
 								      done();
 								    });
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								    ldap_interface_mock.bind.returns(Promise.resolve());
 								    ldap_interface_mock.get_emails.throws(new exceptions.LdapSearchError('err'));
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								    first_factor(req, res);
 								  });
 								  it('should return status code 403 when regulator rejects authentication', function(done) {
 								    var err = new exceptions.AuthenticationRegulationError();
 								    regulator.regulate.returns(Promise.reject(err));
 								    res.send = sinon.spy(function(data) {
 								      assert.equal(403, res.status.getCall(0).args[0]);
 								      done();
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
+								    });
-												Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains

											
										
										
											2017-03-25 14:17:21 +00:00
+								    ldap_interface_mock.bind.returns(Promise.resolve());
 								    ldap_interface_mock.get_emails.returns(Promise.resolve());
-												Implement authentication regulation

											
										
										
											2017-01-28 00:32:25 +00:00
+								    first_factor(req, res);
-												Registration process sends an email to allow user to register its U2F device

											
										
										
											2017-01-22 16:54:45 +00:00
+								  });
-												Validate first factor through a post request

											
										
										
											2017-01-19 00:01:37 +00:00
+								});