test: Adds permission tests to impersonation (#9660)

* Adds permission tests to impersonation

* NIT + new test for none numbers
pull/9335/head^2
sean-brydon 2023-06-20 14:42:37 +01:00 committed by GitHub
parent e521bf6f0b
commit 4e529e5c6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 108 additions and 12 deletions

View File

@ -0,0 +1,81 @@
import type { Session } from "next-auth";
import { describe, expect, it } from "vitest";
import { UserPermissionRole } from "@calcom/prisma/enums";
import {
parseTeamId,
checkSelfImpersonation,
checkUserIdentifier,
checkPermission,
} from "./ImpersonationProvider";
const session: Session = {
expires: "2021-08-31T15:00:00.000Z",
hasValidLicense: true,
user: {
id: 123,
username: "test",
role: UserPermissionRole.USER,
email: "test@example.com",
},
};
describe("parseTeamId", () => {
it("should return undefined if no teamId is provided", () => {
expect(parseTeamId(undefined)).toBeUndefined();
});
it("should return the parsed teamId if a teamId is provided", () => {
expect(parseTeamId({ username: "test", teamId: "123" })).toBe(123);
});
it("should throw an error if the provided teamId is not a positive number", () => {
expect(() => parseTeamId({ username: "test", teamId: "-123" })).toThrow();
});
it("should throw an error if the provided teamId is not a number", () => {
expect(() => parseTeamId({ username: "test", teamId: "notanumber" })).toThrow();
});
});
describe("checkSelfImpersonation", () => {
it("should throw an error if the provided username is the same as the session user's username", () => {
expect(() => checkSelfImpersonation(session, { username: "test" })).toThrow();
});
it("should throw an error if the provided username is the same as the session user's email", () => {
expect(() => checkSelfImpersonation(session, { username: "test@example.com" })).toThrow();
});
it("should not throw an error if the provided username is different from the session user's username and email", () => {
expect(() => checkSelfImpersonation(session, { username: "other" })).not.toThrow();
});
});
describe("checkUserIdentifier", () => {
it("should throw an error if no username is provided", () => {
expect(() => checkUserIdentifier(undefined)).toThrow();
});
it("should not throw an error if a username is provided", () => {
expect(() => checkUserIdentifier({ username: "test" })).not.toThrow();
});
});
describe("checkPermission", () => {
it("should throw an error if the user is not an admin and team impersonation is disabled", () => {
process.env.NEXT_PUBLIC_TEAM_IMPERSONATION = "false";
expect(() => checkPermission(session)).toThrow();
});
it("should not throw an error if the user is an admin and team impersonation is disabled", () => {
const modifiedSession = { ...session, user: { ...session.user, role: UserPermissionRole.ADMIN } };
process.env.NEXT_PUBLIC_TEAM_IMPERSONATION = "false";
expect(() => checkPermission(modifiedSession)).not.toThrow();
});
it("should not throw an error if the user is not an admin but team impersonation is enabled", () => {
process.env.NEXT_PUBLIC_TEAM_IMPERSONATION = "true";
expect(() => checkPermission(session)).not.toThrow();
});
});

View File

@ -1,4 +1,5 @@
import type { User } from "@prisma/client"; import type { User } from "@prisma/client";
import type { Session } from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials"; import CredentialsProvider from "next-auth/providers/credentials";
import { z } from "zod"; import { z } from "zod";
@ -44,6 +45,28 @@ const auditAndReturnNextUser = async (
return obj; return obj;
}; };
type Credentials = Record<"username" | "teamId", string> | undefined;
export function parseTeamId(creds: Partial<Credentials>) {
return creds?.teamId ? teamIdschema.parse({ teamId: creds.teamId }).teamId : undefined;
}
export function checkSelfImpersonation(session: Session | null, creds: Partial<Credentials>) {
if (session?.user.username === creds?.username || session?.user.email === creds?.username) {
throw new Error("You cannot impersonate yourself.");
}
}
export function checkUserIdentifier(creds: Partial<Credentials>) {
if (!creds?.username) throw new Error("User identifier must be present");
}
export function checkPermission(session: Session | null) {
if (session?.user.role !== "ADMIN" && process.env.NEXT_PUBLIC_TEAM_IMPERSONATION === "false") {
throw new Error("You do not have permission to do this.");
}
}
const ImpersonationProvider = CredentialsProvider({ const ImpersonationProvider = CredentialsProvider({
id: "impersonation-auth", id: "impersonation-auth",
name: "Impersonation", name: "Impersonation",
@ -56,18 +79,10 @@ const ImpersonationProvider = CredentialsProvider({
// eslint-disable-next-line @typescript-eslint/ban-ts-comment // eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore need to figure out how to correctly type this // @ts-ignore need to figure out how to correctly type this
const session = await getSession({ req }); const session = await getSession({ req });
// If teamId is present -> parse the teamId and throw error itn ot number. If not present teamId is set to undefined const teamId = parseTeamId(creds);
const teamId = creds?.teamId ? teamIdschema.parse({ teamId: creds.teamId }).teamId : undefined; checkSelfImpersonation(session, creds);
checkUserIdentifier(creds);
if (session?.user.username === creds?.username || session?.user.email === creds?.username) { checkPermission(session);
throw new Error("You cannot impersonate yourself.");
}
if (!creds?.username) throw new Error("User identifier must be present");
// If you are an ADMIN we return way before team impersonation logic is executed, so NEXT_PUBLIC_TEAM_IMPERSONATION certainly true
if (session?.user.role !== "ADMIN" && process.env.NEXT_PUBLIC_TEAM_IMPERSONATION === "false") {
throw new Error("You do not have permission to do this.");
}
// Get user who is being impersonated // Get user who is being impersonated
const impersonatedUser = await prisma.user.findFirst({ const impersonatedUser = await prisma.user.findFirst({