authelia/test/features/access-control.feature

Feature: User has access restricted access to domains

  @need-registered-user-john
  Scenario: User john has admin access
    When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
    And I login with user "john" and password "password"
    And I use "REGISTERED" as TOTP token handle
    And I click on "Sign in"
    And I'm redirected to "https://home.example.com:8080/"
    Then I have access to:
      | url                                                    |
      | https://public.example.com:8080/secret.html             |
      | https://dev.example.com:8080/groups/admin/secret.html   |
      | https://dev.example.com:8080/groups/dev/secret.html     |
      | https://dev.example.com:8080/users/john/secret.html     |
      | https://dev.example.com:8080/users/harry/secret.html    |
      | https://dev.example.com:8080/users/bob/secret.html      |
      | https://admin.example.com:8080/secret.html              |
      | https://mx1.mail.example.com:8080/secret.html           |
      | https://single_factor.example.com:8080/secret.html      |
    And I have no access to:
      | url                                                    |
      | https://mx2.mail.example.com:8080/secret.html           |

  @need-registered-user-bob
  Scenario: User bob has restricted access
    When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
    And I login with user "bob" and password "password"
    And I use "REGISTERED" as TOTP token handle
    And I click on "Sign in"
    And I'm redirected to "https://home.example.com:8080/"
    Then I have access to:
      | url                                                    |
      | https://public.example.com:8080/secret.html             |
      | https://dev.example.com:8080/groups/dev/secret.html     |
      | https://dev.example.com:8080/users/bob/secret.html      |
      | https://mx1.mail.example.com:8080/secret.html           |
      | https://mx2.mail.example.com:8080/secret.html           |
    And I have no access to:
      | url                                                    |
      | https://dev.example.com:8080/groups/admin/secret.html   |
      | https://admin.example.com:8080/secret.html              |
      | https://dev.example.com:8080/users/john/secret.html     |
      | https://dev.example.com:8080/users/harry/secret.html    |
      | https://single_factor.example.com:8080/secret.html      |

  @need-registered-user-harry
  Scenario: User harry has restricted access
    When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
    And I login with user "harry" and password "password"
    And I use "REGISTERED" as TOTP token handle
    And I click on "Sign in"
    And I'm redirected to "https://home.example.com:8080/"
    Then I have access to:
      | url                                                    |
      | https://public.example.com:8080/secret.html             |
      | https://dev.example.com:8080/users/harry/secret.html    |
    And I have no access to:
      | url                                                    |
      | https://dev.example.com:8080/groups/dev/secret.html     |
      | https://dev.example.com:8080/users/bob/secret.html      |
      | https://dev.example.com:8080/groups/admin/secret.html   |
      | https://admin.example.com:8080/secret.html              |
      | https://dev.example.com:8080/users/john/secret.html     |
      | https://mx1.mail.example.com:8080/secret.html           |
      | https://mx2.mail.example.com:8080/secret.html           |
      | https://single_factor.example.com:8080/secret.html      |
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Feature: User has access restricted access to domains`

Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`@need-registered-user-john`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Scenario: User john has admin access`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`And I login with user "john" and password "password"`
			`And I use "REGISTERED" as TOTP token handle`
Improve UX of the second factor page Start the U2F signing request when entering in the second factor page so that the user only has to touch the token without any other clicks. 2017-10-21 23:23:26 +00:00			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`And I'm redirected to "https://home.example.com:8080/"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Then I have access to:`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`\| url \|`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`\| https://public.example.com:8080/secret.html \|`
			`\| https://dev.example.com:8080/groups/admin/secret.html \|`
			`\| https://dev.example.com:8080/groups/dev/secret.html \|`
			`\| https://dev.example.com:8080/users/john/secret.html \|`
			`\| https://dev.example.com:8080/users/harry/secret.html \|`
			`\| https://dev.example.com:8080/users/bob/secret.html \|`
			`\| https://admin.example.com:8080/secret.html \|`
			`\| https://mx1.mail.example.com:8080/secret.html \|`
			`\| https://single_factor.example.com:8080/secret.html \|`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`And I have no access to:`
			`\| url \|`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`\| https://mx2.mail.example.com:8080/secret.html \|`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`@need-registered-user-bob`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Scenario: User bob has restricted access`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`And I login with user "bob" and password "password"`
			`And I use "REGISTERED" as TOTP token handle`
Improve UX of the second factor page Start the U2F signing request when entering in the second factor page so that the user only has to touch the token without any other clicks. 2017-10-21 23:23:26 +00:00			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`And I'm redirected to "https://home.example.com:8080/"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Then I have access to:`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`\| url \|`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`\| https://public.example.com:8080/secret.html \|`
			`\| https://dev.example.com:8080/groups/dev/secret.html \|`
			`\| https://dev.example.com:8080/users/bob/secret.html \|`
			`\| https://mx1.mail.example.com:8080/secret.html \|`
			`\| https://mx2.mail.example.com:8080/secret.html \|`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`And I have no access to:`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`\| url \|`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`\| https://dev.example.com:8080/groups/admin/secret.html \|`
			`\| https://admin.example.com:8080/secret.html \|`
			`\| https://dev.example.com:8080/users/john/secret.html \|`
			`\| https://dev.example.com:8080/users/harry/secret.html \|`
			`\| https://single_factor.example.com:8080/secret.html \|`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`@need-registered-user-harry`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Scenario: User harry has restricted access`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`And I login with user "harry" and password "password"`
			`And I use "REGISTERED" as TOTP token handle`
Improve UX of the second factor page Start the U2F signing request when entering in the second factor page so that the user only has to touch the token without any other clicks. 2017-10-21 23:23:26 +00:00			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`And I'm redirected to "https://home.example.com:8080/"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`Then I have access to:`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`\| url \|`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`\| https://public.example.com:8080/secret.html \|`
			`\| https://dev.example.com:8080/users/harry/secret.html \|`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00			`And I have no access to:`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`\| url \|`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`\| https://dev.example.com:8080/groups/dev/secret.html \|`
			`\| https://dev.example.com:8080/users/bob/secret.html \|`
			`\| https://dev.example.com:8080/groups/admin/secret.html \|`
			`\| https://admin.example.com:8080/secret.html \|`
			`\| https://dev.example.com:8080/users/john/secret.html \|`
			`\| https://mx1.mail.example.com:8080/secret.html \|`
			`\| https://mx2.mail.example.com:8080/secret.html \|`
			`\| https://single_factor.example.com:8080/secret.html \|`