authelia/test/unitary/routes/test_first_factor.js

var sinon = require('sinon');
var Promise = require('bluebird');
var assert = require('assert');
var winston = require('winston');
var first_factor = require('../../../src/lib/routes/first_factor');
var exceptions = require('../../../src/lib/exceptions');
var Ldap = require('../../../src/lib/ldap');

describe('test the first factor validation route', function() {
  var req, res;
  var ldap_interface_mock;
  var emails;
  var search_res_ok;
  var regulator;
  var config;

  beforeEach(function() {
    ldap_interface_mock = sinon.createStubInstance(Ldap);
    config = {
      ldap: {
        base_dn: 'ou=users,dc=example,dc=com',
        user_name_attribute: 'uid'
      }
    }

    emails = [ 'test_ok@example.com' ];
    groups = [ 'group1', 'group2' ];
 
    regulator = {};
    regulator.mark = sinon.stub();
    regulator.regulate = sinon.stub();

    regulator.mark.returns(Promise.resolve());
    regulator.regulate.returns(Promise.resolve());

    var app_get = sinon.stub();
    app_get.withArgs('ldap').returns(ldap_interface_mock);
    app_get.withArgs('config').returns(config);
    app_get.withArgs('logger').returns(winston);
    app_get.withArgs('authentication regulator').returns(regulator);

    req = {
      app: {
        get: app_get
      },
      body: {
        username: 'username',
        password: 'password'
      },
      session: {
        auth_session: {
          first_factor: false,
          second_factor: false
        }
      }
    }
    res = {
      send: sinon.spy(),
      status: sinon.spy()
    }
  });
  
  it('should return status code 204 when LDAP binding succeeds', function() {
    return new Promise(function(resolve, reject) {
      res.send = sinon.spy(function(data) {
        assert.equal('username', req.session.auth_session.userid);
        assert.equal(204, res.status.getCall(0).args[0]);
        resolve();
      });
      ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
      first_factor(req, res);
    });
  });

  describe('store the allowed domains in the auth session', function() {
    it('should store the per group allowed domains', function() {
      config.access_control = [];
      config.access_control.push({ 
        group: 'group1', 
        allowed_domains: ['domain1.example.com', 'domain2.example.com']
      });
      return new Promise(function(resolve, reject) {
        res.send = sinon.spy(function(data) {
          assert.deepEqual(['domain1.example.com', 'domain2.example.com'], 
            req.session.auth_session.allowed_domains);
          assert.equal(204, res.status.getCall(0).args[0]);
          resolve();
        });
        ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
        ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
        ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
        first_factor(req, res);
      });
    });

    it('should store the per group allowed domains', function() {
      config.access_control = [];
      config.access_control.push({ 
        user: 'username', 
        allowed_domains: ['domain1.example.com', 'domain2.example.com']
      });
      return new Promise(function(resolve, reject) {
        res.send = sinon.spy(function(data) {
          assert.deepEqual(['domain1.example.com', 'domain2.example.com'], 
            req.session.auth_session.allowed_domains);
          assert.equal(204, res.status.getCall(0).args[0]);
          resolve();
        });
        ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
        ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
        ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
        first_factor(req, res);
      });
    });
  });

  it('should retrieve email from LDAP', function(done) {
    res.send = sinon.spy(function(data) { done(); });
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails = sinon.stub().withArgs('usernam').returns(Promise.resolve([{mail: ['test@example.com'] }]));
    first_factor(req, res);
  });

  it('should set email as session variables', function() {
    return new Promise(function(resolve, reject) {
      res.send = sinon.spy(function(data) {
        assert.equal('test_ok@example.com', req.session.auth_session.email);
        resolve();
      });
      var emails = [ 'test_ok@example.com' ];
      ldap_interface_mock.bind.returns(Promise.resolve());
      ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
      first_factor(req, res);
    });
  });

  it('should return status code 401 when LDAP binding throws', function(done) {
    res.send = sinon.spy(function(data) {
      assert.equal(401, res.status.getCall(0).args[0]);
      assert.equal(regulator.mark.getCall(0).args[0], 'username');
      done();
    });
    ldap_interface_mock.bind.throws(new exceptions.LdapBindError('Bad credentials'));
    first_factor(req, res);
  });

  it('should return status code 500 when LDAP search throws', function(done) {
    res.send = sinon.spy(function(data) {
      assert.equal(500, res.status.getCall(0).args[0]);
      done();
    });
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails.throws(new exceptions.LdapSearchError('err'));
    first_factor(req, res);
  });

  it('should return status code 403 when regulator rejects authentication', function(done) {
    var err = new exceptions.AuthenticationRegulationError();
    regulator.regulate.returns(Promise.reject(err));
    res.send = sinon.spy(function(data) {
      assert.equal(403, res.status.getCall(0).args[0]);
      done();
    });
    ldap_interface_mock.bind.returns(Promise.resolve());
    ldap_interface_mock.get_emails.returns(Promise.resolve());
    first_factor(req, res);
  });
});