authelia/server/test/routes/firstfactor/post.test.ts


import sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import Assert = require("assert");
import winston = require("winston");

import FirstFactorPost = require("../../../src/lib/routes/firstfactor/post");
import exceptions = require("../../../src/lib/Exceptions");
import AuthenticationSession = require("../../../src/lib/AuthenticationSession");
import Endpoints = require("../../../../shared/api");

import AuthenticationRegulatorMock = require("../../mocks/AuthenticationRegulator");
import { AccessControllerStub } from "../../mocks/AccessControllerStub";
import ExpressMock = require("../../mocks/express");
import ServerVariablesMock = require("../../mocks/ServerVariablesMock");
import { ServerVariables } from "../../../src/lib/ServerVariables";

describe("test the first factor validation route", function () {
  let req: ExpressMock.RequestMock;
  let res: ExpressMock.ResponseMock;
  let emails: string[];
  let groups: string[];
  let configuration;
  let regulator: AuthenticationRegulatorMock.AuthenticationRegulatorMock;
  let accessController: AccessControllerStub;
  let serverVariables: ServerVariables;

  beforeEach(function () {
    configuration = {
      ldap: {
        base_dn: "ou=users,dc=example,dc=com",
        user_name_attribute: "uid"
      }
    };

    emails = ["test_ok@example.com"];
    groups = ["group1", "group2" ];

    accessController = new AccessControllerStub();
    accessController.isAccessAllowedMock.returns(true);

    regulator = AuthenticationRegulatorMock.AuthenticationRegulatorMock();
    regulator.regulate.returns(BluebirdPromise.resolve());
    regulator.mark.returns(BluebirdPromise.resolve());

    req = {
      app: {
        get: sinon.stub().returns({ logger: winston })
      },
      body: {
        username: "username",
        password: "password"
      },
      query: {
        redirect: "http://redirect.url"
      },
      session: {
      },
      headers: {
        host: "home.example.com"
      }
    };

    AuthenticationSession.reset(req as any);

    serverVariables = ServerVariablesMock.mock(req.app);
    serverVariables.ldapAuthenticator = {
      authenticate: sinon.stub()
    } as any;
    serverVariables.config = configuration as any;
    serverVariables.regulator = regulator as any;
    serverVariables.accessController = accessController as any;

    res = ExpressMock.ResponseMock();
  });

  it("should reply with 204 if success", function () {
    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
      .returns(BluebirdPromise.resolve({
        emails: emails,
        groups: groups
      }));
    let authSession: AuthenticationSession.AuthenticationSession;
    return AuthenticationSession.get(req as any)
      .then(function (_authSession: AuthenticationSession.AuthenticationSession) {
        authSession = _authSession;
        return FirstFactorPost.default(req as any, res as any);
      })
      .then(function () {
        Assert.equal("username", authSession.userid);
        Assert(res.send.calledOnce);
      });
  });

  it("should retrieve email from LDAP", function () {
    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
      .returns(BluebirdPromise.resolve([{ mail: ["test@example.com"] }]));
    return FirstFactorPost.default(req as any, res as any);
  });

  it("should set first email address as user session variable", function () {
    const emails = ["test_ok@example.com"];
    let authSession: AuthenticationSession.AuthenticationSession;
    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
      .returns(BluebirdPromise.resolve({
        emails: emails,
        groups: groups
      }));

    return AuthenticationSession.get(req as any)
      .then(function (_authSession: AuthenticationSession.AuthenticationSession) {
        authSession = _authSession;
        return FirstFactorPost.default(req as any, res as any);
      })
      .then(function () {
        Assert.equal("test_ok@example.com", authSession.email);
      });
  });

  it("should return error message when LDAP authenticator throws", function () {
    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
      .returns(BluebirdPromise.reject(new exceptions.LdapBindError("Bad credentials")));
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        Assert.equal(res.status.getCall(0).args[0], 200);
        Assert.equal(regulator.mark.getCall(0).args[0], "username");
        Assert.deepEqual(res.send.getCall(0).args[0], {
          error: "Operation failed."
        });
      });
  });

  it("should return error message when regulator rejects authentication", function () {
    const err = new exceptions.AuthenticationRegulationError("Authentication regulation...");
    regulator.regulate.returns(BluebirdPromise.reject(err));
    return FirstFactorPost.default(req as any, res as any)
      .then(function () {
        Assert.equal(res.status.getCall(0).args[0], 200);
        Assert.deepEqual(res.send.getCall(0).args[0], {
          error: "Operation failed."
        });
      });
  });
});
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
 								import sinon = require("sinon");
 								import BluebirdPromise = require("bluebird");
-												Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

											
										
										
											2017-10-10 21:03:30 +00:00
+								import Assert = require("assert");
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								import winston = require("winston");
-												Split client and server

Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.

											
										
										
											2017-10-06 22:09:42 +00:00
+								import FirstFactorPost = require("../../../src/lib/routes/firstfactor/post");
 								import exceptions = require("../../../src/lib/Exceptions");
 								import AuthenticationSession = require("../../../src/lib/AuthenticationSession");
 								import Endpoints = require("../../../../shared/api");
-												Refactor client to make it responsive and testable

											
										
										
											2017-05-25 13:09:29 +00:00
 								import AuthenticationRegulatorMock = require("../../mocks/AuthenticationRegulator");
-												Refine access control with per resource ACLs

ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.

											
										
										
											2017-09-03 13:22:09 +00:00
+								import { AccessControllerStub } from "../../mocks/AccessControllerStub";
-												Refactor client to make it responsive and testable

											
										
										
											2017-05-25 13:09:29 +00:00
+								import ExpressMock = require("../../mocks/express");
 								import ServerVariablesMock = require("../../mocks/ServerVariablesMock");
-												Improve logging format for clarity

Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.

											
										
										
											2017-10-07 22:46:57 +00:00
+								import { ServerVariables } from "../../../src/lib/ServerVariables";
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
-												Fix issue with domain access during first factor phase

											
										
										
											2017-05-21 21:32:09 +00:00
+								describe("test the first factor validation route", function () {
-												Move TOTP authenticator to typescript

											
										
										
											2017-05-21 10:14:59 +00:00
+								  let req: ExpressMock.RequestMock;
 								  let res: ExpressMock.ResponseMock;
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								  let emails: string[];
 								  let groups: string[];
 								  let configuration;
-												Move TOTP authenticator to typescript

											
										
										
											2017-05-21 10:14:59 +00:00
+								  let regulator: AuthenticationRegulatorMock.AuthenticationRegulatorMock;
-												Refine access control with per resource ACLs

ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.

											
										
										
											2017-09-03 13:22:09 +00:00
+								  let accessController: AccessControllerStub;
-												Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions

											
										
										
											2017-07-16 15:37:13 +00:00
+								  let serverVariables: ServerVariables;
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
-												Fix issue with domain access during first factor phase

											
										
										
											2017-05-21 21:32:09 +00:00
+								  beforeEach(function () {
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								    configuration = {
 								      ldap: {
 								        base_dn: "ou=users,dc=example,dc=com",
 								        user_name_attribute: "uid"
 								      }
 								    };
-												Fix issue with domain access during first factor phase

											
										
										
											2017-05-21 21:32:09 +00:00
+								    emails = ["test_ok@example.com"];
 								    groups = ["group1", "group2" ];
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
-												Refine access control with per resource ACLs

ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.

											
										
										
											2017-09-03 13:22:09 +00:00
+								    accessController = new AccessControllerStub();
 								    accessController.isAccessAllowedMock.returns(true);
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
-												Move TOTP authenticator to typescript

											
										
										
											2017-05-21 10:14:59 +00:00
+								    regulator = AuthenticationRegulatorMock.AuthenticationRegulatorMock();
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								    regulator.regulate.returns(BluebirdPromise.resolve());
 								    regulator.mark.returns(BluebirdPromise.resolve());
 								    req = {
 								      app: {
-												Add logs to detect redis connection issues earlier

Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem

											
										
										
											2017-09-21 20:07:34 +00:00
+								        get: sinon.stub().returns({ logger: winston })
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								      },
 								      body: {
 								        username: "username",
 								        password: "password"
 								      },
-												Disable second factor for certain subdomain

											
										
										
											2017-09-24 21:19:03 +00:00
+								      query: {
 								        redirect: "http://redirect.url"
 								      },
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								      session: {
-												Fix issue with domain access during first factor phase

											
										
										
											2017-05-21 21:32:09 +00:00
+								      },
 								      headers: {
 								        host: "home.example.com"
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								      }
 								    };
-												Refactor client to make it responsive and testable

											
										
										
											2017-05-25 13:09:29 +00:00
 								    AuthenticationSession.reset(req as any);
-												Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions

											
										
										
											2017-07-16 15:37:13 +00:00
+								    serverVariables = ServerVariablesMock.mock(req.app);
 								    serverVariables.ldapAuthenticator = {
 								      authenticate: sinon.stub()
 								    } as any;
 								    serverVariables.config = configuration as any;
 								    serverVariables.regulator = regulator as any;
 								    serverVariables.accessController = accessController as any;
-												Refactor client to make it responsive and testable

											
										
										
											2017-05-25 13:09:29 +00:00
-												Move ldap client to typescript

											
										
										
											2017-05-20 23:15:34 +00:00
+								    res = ExpressMock.ResponseMock();
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								  });
-												Add redirection URL as a query parameter during authentication

Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since user could open several pages in
browser and thus override the redirection URL leading the user to
be incorrectly redirected.

											
										
										
											2017-09-22 15:53:18 +00:00
+								  it("should reply with 204 if success", function () {
-												Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions

											
										
										
											2017-07-16 15:37:13 +00:00
+								    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
 								      .returns(BluebirdPromise.resolve({
 								        emails: emails,
 								        groups: groups
 								      }));
-												Add logs to detect redis connection issues earlier

Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem

											
										
										
											2017-09-21 20:07:34 +00:00
+								    let authSession: AuthenticationSession.AuthenticationSession;
 								    return AuthenticationSession.get(req as any)
 								      .then(function (_authSession: AuthenticationSession.AuthenticationSession) {
 								        authSession = _authSession;
 								        return FirstFactorPost.default(req as any, res as any);
 								      })
-												Refactor client to make it responsive and testable

											
										
										
											2017-05-25 13:09:29 +00:00
+								      .then(function () {
-												Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

											
										
										
											2017-10-10 21:03:30 +00:00
+								        Assert.equal("username", authSession.userid);
 								        Assert(res.send.calledOnce);
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								      });
 								  });
-												Fix LDAP binding non working on servers with restricted ACL rules and add unit tests

											
										
										
											2017-06-14 22:22:16 +00:00
+								  it("should retrieve email from LDAP", function () {
-												Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions

											
										
										
											2017-07-16 15:37:13 +00:00
+								    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
 								      .returns(BluebirdPromise.resolve([{ mail: ["test@example.com"] }]));
-												Fix LDAP binding non working on servers with restricted ACL rules and add unit tests

											
										
										
											2017-06-14 22:22:16 +00:00
+								    return FirstFactorPost.default(req as any, res as any);
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								  });
-												Fix LDAP binding non working on servers with restricted ACL rules and add unit tests

											
										
										
											2017-06-14 22:22:16 +00:00
+								  it("should set first email address as user session variable", function () {
-												Refactor client to make it responsive and testable

											
										
										
											2017-05-25 13:09:29 +00:00
+								    const emails = ["test_ok@example.com"];
-												Add logs to detect redis connection issues earlier

Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem

											
										
										
											2017-09-21 20:07:34 +00:00
+								    let authSession: AuthenticationSession.AuthenticationSession;
-												Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions

											
										
										
											2017-07-16 15:37:13 +00:00
+								    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
 								      .returns(BluebirdPromise.resolve({
 								        emails: emails,
 								        groups: groups
 								      }));
-												Add logs to detect redis connection issues earlier

Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem

											
										
										
											2017-09-21 20:07:34 +00:00
 								    return AuthenticationSession.get(req as any)
 								      .then(function (_authSession: AuthenticationSession.AuthenticationSession) {
 								        authSession = _authSession;
 								        return FirstFactorPost.default(req as any, res as any);
 								      })
-												Refactor client to make it responsive and testable

											
										
										
											2017-05-25 13:09:29 +00:00
+								      .then(function () {
-												Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

											
										
										
											2017-10-10 21:03:30 +00:00
+								        Assert.equal("test_ok@example.com", authSession.email);
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								      });
 								  });
-												Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

											
										
										
											2017-10-10 21:03:30 +00:00
+								  it("should return error message when LDAP authenticator throws", function () {
-												Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions

											
										
										
											2017-07-16 15:37:13 +00:00
+								    (serverVariables.ldapAuthenticator as any).authenticate.withArgs("username", "password")
 								      .returns(BluebirdPromise.reject(new exceptions.LdapBindError("Bad credentials")));
-												Fix LDAP binding non working on servers with restricted ACL rules and add unit tests

											
										
										
											2017-06-14 22:22:16 +00:00
+								    return FirstFactorPost.default(req as any, res as any)
 								      .then(function () {
-												Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

											
										
										
											2017-10-10 21:03:30 +00:00
+								        Assert.equal(res.status.getCall(0).args[0], 200);
 								        Assert.equal(regulator.mark.getCall(0).args[0], "username");
 								        Assert.deepEqual(res.send.getCall(0).args[0], {
 								          error: "Operation failed."
 								        });
-												Fix LDAP binding non working on servers with restricted ACL rules and add unit tests

											
										
										
											2017-06-14 22:22:16 +00:00
+								      });
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								  });
-												Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

											
										
										
											2017-10-10 21:03:30 +00:00
+								  it("should return error message when regulator rejects authentication", function () {
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								    const err = new exceptions.AuthenticationRegulationError("Authentication regulation...");
 								    regulator.regulate.returns(BluebirdPromise.reject(err));
-												Fix LDAP binding non working on servers with restricted ACL rules and add unit tests

											
										
										
											2017-06-14 22:22:16 +00:00
+								    return FirstFactorPost.default(req as any, res as any)
 								      .then(function () {
-												Every public endpoints return 200 with harmonized error messages or 401

Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.

											
										
										
											2017-10-10 21:03:30 +00:00
+								        Assert.equal(res.status.getCall(0).args[0], 200);
 								        Assert.deepEqual(res.send.getCall(0).args[0], {
 								          error: "Operation failed."
 								        });
-												Fix LDAP binding non working on servers with restricted ACL rules and add unit tests

											
										
										
											2017-06-14 22:22:16 +00:00
+								      });
 								  });
-												Move exceptions to typescript

											
										
										
											2017-05-20 20:55:37 +00:00
+								});