RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/server/test/routes/firstfactor/post.test.ts

116 lines
4.1 KiB
TypeScript
Raw Normal View History

Move exceptions to typescript
2017-05-20 20:55:37 +00:00
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
import Sinon = require("sinon");
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
import BluebirdPromise = require("bluebird");
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
import Assert = require("assert");
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution.
2017-10-06 22:09:42 +00:00
import FirstFactorPost = require("../../../src/lib/routes/firstfactor/post");
import exceptions = require("../../../src/lib/Exceptions");
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required.
2017-10-22 15:42:05 +00:00
import { AuthenticationSessionHandler } from "../../../src/lib/AuthenticationSessionHandler";
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
import { AuthenticationSession } from "../../../types/AuthenticationSession";
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution.
2017-10-06 22:09:42 +00:00
import Endpoints = require("../../../../shared/api");
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
import AuthenticationRegulatorMock = require("../../mocks/AuthenticationRegulator");
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README.
2017-09-03 13:22:09 +00:00
import { AccessControllerStub } from "../../mocks/AccessControllerStub";
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
import ExpressMock = require("../../mocks/express");
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
import { ServerVariablesMock, ServerVariablesMockBuilder } from "../../mocks/ServerVariablesMockBuilder";
Improve logging format for clarity Previously, logs were not very friendly and it was hard to track a request because of the lack of request ID. Now every log message comes with a header containing: method, path request ID, session ID, IP of the user, date. Moreover, the configurations displayed in the logs have their secrets hidden from this commit.
2017-10-07 22:46:57 +00:00
import { ServerVariables } from "../../../src/lib/ServerVariables";
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
Fix issue with domain access during first factor phase
2017-05-21 21:32:09 +00:00
describe("test the first factor validation route", function () {
Move TOTP authenticator to typescript
2017-05-21 10:14:59 +00:00
let req: ExpressMock.RequestMock;
let res: ExpressMock.ResponseMock;
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
let emails: string[];
let groups: string[];
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
let vars: ServerVariables;
let mocks: ServerVariablesMock;
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required.
2017-10-22 15:42:05 +00:00
let authSession: AuthenticationSession;
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
Fix issue with domain access during first factor phase
2017-05-21 21:32:09 +00:00
beforeEach(function () {
emails = ["test_ok@example.com"];
groups = ["group1", "group2" ];
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
const s = ServerVariablesMockBuilder.build();
mocks = s.mocks;
vars = s.variables;
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
mocks.accessController.isAccessAllowedMock.returns(true);
mocks.regulator.regulateStub.returns(BluebirdPromise.resolve());
mocks.regulator.markStub.returns(BluebirdPromise.resolve());
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
req = {
body: {
username: "username",
password: "password"
},
Disable second factor for certain subdomain
2017-09-24 21:19:03 +00:00
query: {
redirect: "http://redirect.url"
},
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
session: {
Fix issue with domain access during first factor phase
2017-05-21 21:32:09 +00:00
},
headers: {
host: "home.example.com"
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
}
};
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
Move ldap client to typescript
2017-05-20 23:15:34 +00:00
res = ExpressMock.ResponseMock();
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required.
2017-10-22 15:42:05 +00:00
authSession = AuthenticationSessionHandler.get(req as any, vars.logger);
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
});
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected.
2017-09-22 15:53:18 +00:00
it("should reply with 204 if success", function () {
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
mocks.ldapAuthenticator.authenticateStub.withArgs("username", "password")
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions
2017-07-16 15:37:13 +00:00
.returns(BluebirdPromise.resolve({
emails: emails,
groups: groups
}));
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required.
2017-10-22 15:42:05 +00:00
return FirstFactorPost.default(vars)(req as any, res as any)
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
.then(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal("username", authSession.userid);
Assert(res.send.calledOnce);
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
});
});
Fix LDAP binding non working on servers with restricted ACL rules and add unit tests
2017-06-14 22:22:16 +00:00
it("should retrieve email from LDAP", function () {
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
mocks.ldapAuthenticator.authenticateStub.withArgs("username", "password")
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions
2017-07-16 15:37:13 +00:00
.returns(BluebirdPromise.resolve([{ mail: ["test@example.com"] }]));
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
return FirstFactorPost.default(vars)(req as any, res as any);
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
});
Fix LDAP binding non working on servers with restricted ACL rules and add unit tests
2017-06-14 22:22:16 +00:00
it("should set first email address as user session variable", function () {
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
const emails = ["test_ok@example.com"];
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
mocks.ldapAuthenticator.authenticateStub.withArgs("username", "password")
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions
2017-07-16 15:37:13 +00:00
.returns(BluebirdPromise.resolve({
emails: emails,
groups: groups
}));
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem
2017-09-21 20:07:34 +00:00
Disable notifiers when server uses single factor method only Notifier is not mandatory when authentication method is single_factor for all sub-domains since there is no registration required.
2017-10-22 15:42:05 +00:00
return FirstFactorPost.default(vars)(req as any, res as any)
Refactor client to make it responsive and testable
2017-05-25 13:09:29 +00:00
.then(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal("test_ok@example.com", authSession.email);
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
});
});
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
it("should return error message when LDAP authenticator throws", function () {
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
mocks.ldapAuthenticator.authenticateStub.withArgs("username", "password")
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions
2017-07-16 15:37:13 +00:00
.returns(BluebirdPromise.reject(new exceptions.LdapBindError("Bad credentials")));
Fix unhandled rejections in unit tests
2017-10-14 23:34:23 +00:00
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
return FirstFactorPost.default(vars)(req as any, res as any)
Fix LDAP binding non working on servers with restricted ACL rules and add unit tests
2017-06-14 22:22:16 +00:00
.then(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(res.status.getCall(0).args[0], 200);
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
Assert.equal(mocks.regulator.markStub.getCall(0).args[0], "username");
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.deepEqual(res.send.getCall(0).args[0], {
error: "Operation failed."
});
Fix LDAP binding non working on servers with restricted ACL rules and add unit tests
2017-06-14 22:22:16 +00:00
});
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
});
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
it("should return error message when regulator rejects authentication", function () {
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
const err = new exceptions.AuthenticationRegulationError("Authentication regulation...");
Refactor endpoints to get server variables as input parameters This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
2017-10-16 22:35:34 +00:00
mocks.regulator.regulateStub.returns(BluebirdPromise.reject(err));
return FirstFactorPost.default(vars)(req as any, res as any)
Fix LDAP binding non working on servers with restricted ACL rules and add unit tests
2017-06-14 22:22:16 +00:00
.then(function () {
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
2017-10-10 21:03:30 +00:00
Assert.equal(res.status.getCall(0).args[0], 200);
Assert.deepEqual(res.send.getCall(0).args[0], {
error: "Operation failed."
});
Fix LDAP binding non working on servers with restricted ACL rules and add unit tests
2017-06-14 22:22:16 +00:00
});
});
Move exceptions to typescript
2017-05-20 20:55:37 +00:00
});