2014-11-06 23:59:48 +01:00
|
|
|
/**
|
2017-01-11 16:24:33 +01:00
|
|
|
* Copyright JS Foundation and other contributors, http://js.foundation
|
2014-11-06 23:59:48 +01:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
**/
|
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
var should = require("should");
|
|
|
|
var when = require('when');
|
|
|
|
var sinon = require('sinon');
|
|
|
|
|
2018-08-20 17:17:24 +02:00
|
|
|
var NR_TEST_UTILS = require("nr-test-utils");
|
|
|
|
|
|
|
|
var strategies = NR_TEST_UTILS.require("@node-red/editor-api/lib/auth/strategies");
|
|
|
|
var Users = NR_TEST_UTILS.require("@node-red/editor-api/lib/auth/users");
|
|
|
|
var Tokens = NR_TEST_UTILS.require("@node-red/editor-api/lib/auth/tokens");
|
|
|
|
var Clients = NR_TEST_UTILS.require("@node-red/editor-api/lib/auth/clients");
|
2014-11-06 23:59:48 +01:00
|
|
|
|
2017-09-20 11:30:07 +02:00
|
|
|
describe("api/auth/strategies", function() {
|
2015-01-28 23:41:13 +01:00
|
|
|
describe("Password Token Exchange", function() {
|
|
|
|
var userAuthentication;
|
|
|
|
afterEach(function() {
|
|
|
|
if (userAuthentication) {
|
|
|
|
userAuthentication.restore();
|
2015-03-29 23:27:07 +02:00
|
|
|
userAuthentication = null;
|
2015-01-28 23:41:13 +01:00
|
|
|
}
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
it('Handles authentication failure',function(done) {
|
|
|
|
userAuthentication = sinon.stub(Users,"authenticate",function(username,password) {
|
|
|
|
return when.resolve(null);
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
strategies.passwordTokenExchange({},"user","password","scope",function(err,token) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
2016-10-10 14:27:43 +02:00
|
|
|
token.should.be.false();
|
2015-01-28 23:41:13 +01:00
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
2015-11-11 23:11:02 +01:00
|
|
|
|
2015-03-29 23:27:07 +02:00
|
|
|
it('Handles scope overreach',function(done) {
|
|
|
|
userAuthentication = sinon.stub(Users,"authenticate",function(username,password) {
|
|
|
|
return when.resolve({username:"user",permissions:"read"});
|
|
|
|
});
|
|
|
|
|
|
|
|
strategies.passwordTokenExchange({},"user","password","*",function(err,token) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
2016-10-10 14:27:43 +02:00
|
|
|
token.should.be.false();
|
2015-03-29 23:27:07 +02:00
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
it('Creates new token on authentication success',function(done) {
|
|
|
|
userAuthentication = sinon.stub(Users,"authenticate",function(username,password) {
|
2015-03-29 23:27:07 +02:00
|
|
|
return when.resolve({username:"user",permissions:"*"});
|
2015-01-28 23:41:13 +01:00
|
|
|
});
|
|
|
|
var tokenDetails = {};
|
|
|
|
var tokenCreate = sinon.stub(Tokens,"create",function(username,client,scope) {
|
|
|
|
tokenDetails.username = username;
|
|
|
|
tokenDetails.client = client;
|
|
|
|
tokenDetails.scope = scope;
|
|
|
|
return when.resolve({accessToken: "123456"});
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-03-29 23:27:07 +02:00
|
|
|
strategies.passwordTokenExchange({id:"myclient"},"user","password","read",function(err,token) {
|
2015-01-28 23:41:13 +01:00
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
|
|
|
token.should.equal("123456");
|
|
|
|
tokenDetails.should.have.property("username","user");
|
|
|
|
tokenDetails.should.have.property("client","myclient");
|
2015-03-29 23:27:07 +02:00
|
|
|
tokenDetails.should.have.property("scope","read");
|
2015-01-28 23:41:13 +01:00
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
tokenCreate.restore();
|
|
|
|
}
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
});
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
describe("Anonymous Strategy", function() {
|
|
|
|
it('Succeeds if anon user enabled',function(done) {
|
|
|
|
var userDefault = sinon.stub(Users,"default",function() {
|
|
|
|
return when.resolve("anon");
|
|
|
|
});
|
|
|
|
strategies.anonymousStrategy._success = strategies.anonymousStrategy.success;
|
|
|
|
strategies.anonymousStrategy.success = function(user) {
|
|
|
|
user.should.equal("anon");
|
|
|
|
strategies.anonymousStrategy.success = strategies.anonymousStrategy._success;
|
|
|
|
delete strategies.anonymousStrategy._success;
|
|
|
|
done();
|
|
|
|
};
|
|
|
|
strategies.anonymousStrategy.authenticate({});
|
|
|
|
});
|
|
|
|
it('Fails if anon user not enabled',function(done) {
|
|
|
|
var userDefault = sinon.stub(Users,"default",function() {
|
|
|
|
return when.resolve(null);
|
|
|
|
});
|
|
|
|
strategies.anonymousStrategy._fail = strategies.anonymousStrategy.fail;
|
|
|
|
strategies.anonymousStrategy.fail = function(err) {
|
|
|
|
err.should.equal(401);
|
|
|
|
strategies.anonymousStrategy.fail = strategies.anonymousStrategy._fail;
|
|
|
|
delete strategies.anonymousStrategy._fail;
|
|
|
|
done();
|
|
|
|
};
|
|
|
|
strategies.anonymousStrategy.authenticate({});
|
|
|
|
});
|
2018-04-24 23:13:35 +02:00
|
|
|
afterEach(function() {
|
|
|
|
Users.default.restore();
|
|
|
|
})
|
2015-01-28 23:41:13 +01:00
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2020-02-26 04:59:40 +01:00
|
|
|
describe("Tokens Strategy", function() {
|
2020-02-27 08:01:57 +01:00
|
|
|
it('Succeeds if tokens user enabled custom header',function(done) {
|
|
|
|
var userTokens = sinon.stub(Users,"tokens",function(token) {
|
2020-02-26 04:59:40 +01:00
|
|
|
return when.resolve("tokens-"+token);
|
|
|
|
});
|
2020-02-27 08:01:57 +01:00
|
|
|
var userTokenHeader = sinon.stub(Users,"tokenHeader",function(token) {
|
|
|
|
return "x-test-token";
|
|
|
|
});
|
2020-02-26 04:59:40 +01:00
|
|
|
strategies.tokensStrategy._success = strategies.tokensStrategy.success;
|
|
|
|
strategies.tokensStrategy.success = function(user) {
|
|
|
|
user.should.equal("tokens-1234");
|
|
|
|
strategies.tokensStrategy.success = strategies.tokensStrategy._success;
|
|
|
|
delete strategies.tokensStrategy._success;
|
|
|
|
done();
|
|
|
|
};
|
2020-02-27 08:01:57 +01:00
|
|
|
strategies.tokensStrategy.authenticate({headers:{"x-test-token":"1234"}});
|
|
|
|
});
|
|
|
|
it('Succeeds if tokens user enabled default header',function(done) {
|
|
|
|
var userTokens = sinon.stub(Users,"tokens",function(token) {
|
|
|
|
return when.resolve("tokens-"+token);
|
|
|
|
});
|
|
|
|
var userTokenHeader = sinon.stub(Users,"tokenHeader",function(token) {
|
|
|
|
return "authorization";
|
|
|
|
});
|
|
|
|
strategies.tokensStrategy._success = strategies.tokensStrategy.success;
|
|
|
|
strategies.tokensStrategy.success = function(user) {
|
|
|
|
user.should.equal("tokens-1234");
|
|
|
|
strategies.tokensStrategy.success = strategies.tokensStrategy._success;
|
|
|
|
delete strategies.tokensStrategy._success;
|
|
|
|
done();
|
|
|
|
};
|
|
|
|
strategies.tokensStrategy.authenticate({headers:{"authorization":"Bearer 1234"}});
|
2020-02-26 04:59:40 +01:00
|
|
|
});
|
|
|
|
it('Fails if tokens user not enabled',function(done) {
|
2020-02-27 08:01:57 +01:00
|
|
|
var userTokens = sinon.stub(Users,"tokens",function() {
|
2020-02-26 04:59:40 +01:00
|
|
|
return when.resolve(null);
|
|
|
|
});
|
2020-02-27 08:01:57 +01:00
|
|
|
var userTokenHeader = sinon.stub(Users,"tokenHeader",function(token) {
|
|
|
|
return "authorization";
|
|
|
|
});
|
2020-02-26 04:59:40 +01:00
|
|
|
strategies.tokensStrategy._fail = strategies.tokensStrategy.fail;
|
|
|
|
strategies.tokensStrategy.fail = function(err) {
|
|
|
|
err.should.equal(401);
|
|
|
|
strategies.tokensStrategy.fail = strategies.tokensStrategy._fail;
|
|
|
|
delete strategies.tokensStrategy._fail;
|
|
|
|
done();
|
|
|
|
};
|
2020-02-27 08:01:57 +01:00
|
|
|
strategies.tokensStrategy.authenticate({headers:{"authorization":"Bearer 1234"}});
|
2020-02-26 04:59:40 +01:00
|
|
|
});
|
|
|
|
afterEach(function() {
|
|
|
|
Users.tokens.restore();
|
2020-02-27 08:01:57 +01:00
|
|
|
Users.tokenHeader.restore();
|
2020-02-26 04:59:40 +01:00
|
|
|
})
|
|
|
|
});
|
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
describe("Bearer Strategy", function() {
|
|
|
|
it('Rejects invalid token',function(done) {
|
|
|
|
var getToken = sinon.stub(Tokens,"get",function(token) {
|
|
|
|
return when.resolve(null);
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
strategies.bearerStrategy("1234",function(err,user) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
2016-10-10 14:27:43 +02:00
|
|
|
user.should.be.false();
|
2015-01-28 23:41:13 +01:00
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
getToken.restore();
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
|
|
|
it('Accepts valid token',function(done) {
|
|
|
|
var getToken = sinon.stub(Tokens,"get",function(token) {
|
|
|
|
return when.resolve({user:"user",scope:"scope"});
|
|
|
|
});
|
|
|
|
var getUser = sinon.stub(Users,"get",function(username) {
|
|
|
|
return when.resolve("aUser");
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
strategies.bearerStrategy("1234",function(err,user,opts) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
|
|
|
user.should.equal("aUser");
|
|
|
|
opts.should.have.a.property("scope","scope");
|
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
getToken.restore();
|
|
|
|
getUser.restore();
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
it('Fail if no user for token',function(done) {
|
|
|
|
var getToken = sinon.stub(Tokens,"get",function(token) {
|
|
|
|
return when.resolve({user:"user",scope:"scope"});
|
|
|
|
});
|
|
|
|
var getUser = sinon.stub(Users,"get",function(username) {
|
|
|
|
return when.resolve(null);
|
|
|
|
});
|
|
|
|
|
|
|
|
strategies.bearerStrategy("1234",function(err,user,opts) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
|
|
|
user.should.equal(false);
|
|
|
|
should.not.exist(opts);
|
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
getToken.restore();
|
|
|
|
getUser.restore();
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
2015-01-28 23:41:13 +01:00
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
describe("Client Password Strategy", function() {
|
|
|
|
it('Accepts valid client',function(done) {
|
|
|
|
var testClient = {id:"node-red-editor",secret:"not_available"};
|
|
|
|
var getClient = sinon.stub(Clients,"get",function(client) {
|
|
|
|
return when.resolve(testClient);
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
strategies.clientPasswordStrategy(testClient.id,testClient.secret,function(err,client) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
|
|
|
client.should.eql(testClient);
|
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
getClient.restore();
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
|
|
|
it('Rejects invalid client secret',function(done) {
|
|
|
|
var testClient = {id:"node-red-editor",secret:"not_available"};
|
|
|
|
var getClient = sinon.stub(Clients,"get",function(client) {
|
|
|
|
return when.resolve(testClient);
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
strategies.clientPasswordStrategy(testClient.id,"invalid_secret",function(err,client) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
2016-10-10 14:27:43 +02:00
|
|
|
client.should.be.false();
|
2015-01-28 23:41:13 +01:00
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
getClient.restore();
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
|
|
|
it('Rejects invalid client id',function(done) {
|
|
|
|
var getClient = sinon.stub(Clients,"get",function(client) {
|
|
|
|
return when.resolve(null);
|
|
|
|
});
|
|
|
|
strategies.clientPasswordStrategy("invalid_id","invalid_secret",function(err,client) {
|
|
|
|
try {
|
|
|
|
should.not.exist(err);
|
2016-10-10 14:27:43 +02:00
|
|
|
client.should.be.false();
|
2015-01-28 23:41:13 +01:00
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
getClient.restore();
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
2015-03-07 14:22:21 +01:00
|
|
|
|
|
|
|
var userAuthentication;
|
|
|
|
it('Blocks after 5 failures',function(done) {
|
|
|
|
userAuthentication = sinon.stub(Users,"authenticate",function(username,password) {
|
|
|
|
return when.resolve(null);
|
|
|
|
});
|
|
|
|
for (var z=0; z<5; z++) {
|
|
|
|
strategies.passwordTokenExchange({},"user","badpassword","scope",function(err,token) {
|
|
|
|
});
|
|
|
|
}
|
|
|
|
strategies.passwordTokenExchange({},"user","badpassword","scope",function(err,token) {
|
|
|
|
try {
|
|
|
|
err.toString().should.equal("Error: Too many login attempts. Wait 10 minutes and try again");
|
2016-10-10 14:27:43 +02:00
|
|
|
token.should.be.false();
|
2015-03-07 14:22:21 +01:00
|
|
|
done();
|
|
|
|
} catch(e) {
|
|
|
|
done(e);
|
|
|
|
} finally {
|
|
|
|
userAuthentication.restore();
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
2015-01-28 23:41:13 +01:00
|
|
|
});
|
|
|
|
});
|