public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lint and test timeouts for webaccess.js

mochawesome
John McLear 2021-01-27 21:18:39 +00:00
parent 5aa0ad3f55
commit ac420f4683
1 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
tests/backend/specs/webaccess.js
View File

@ -1,4 +1,4 @@
/* global __dirname, __filename, Buffer, afterEach, before, beforeEach, describe, it, require */
'use strict';
function m(mod) { return `${__dirname}/../../../src/${mod}`; }
@ -8,6 +8,7 @@ const plugins = require(m('static/js/pluginfw/plugin_defs'));
const settings = require(m('node/utils/Settings'));
describe(__filename, function () {
this.timeout(30000);
let agent;
const backups = {};
const authHookNames = ['preAuthorize', 'authenticate', 'authorize'];
@ -37,56 +38,67 @@ describe(__filename, function () {
describe('webaccess: without plugins', function () {
it('!authn !authz anonymous / -> 200', async function () {
this.timeout(150);
settings.requireAuthentication = false;
settings.requireAuthorization = false;
await agent.get('/').expect(200);
});
it('!authn !authz anonymous /admin/ -> 401', async function () {
this.timeout(100);
settings.requireAuthentication = false;
settings.requireAuthorization = false;
await agent.get('/admin/').expect(401);
});
it('authn !authz anonymous / -> 401', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = false;
await agent.get('/').expect(401);
});
it('authn !authz user / -> 200', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = false;
await agent.get('/').auth('user', 'user-password').expect(200);
});
it('authn !authz user /admin/ -> 403', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = false;
await agent.get('/admin/').auth('user', 'user-password').expect(403);
});
it('authn !authz admin / -> 200', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = false;
await agent.get('/').auth('admin', 'admin-password').expect(200);
});
it('authn !authz admin /admin/ -> 200', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = false;
await agent.get('/admin/').auth('admin', 'admin-password').expect(200);
});
it('authn authz user / -> 403', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = true;
await agent.get('/').auth('user', 'user-password').expect(403);
});
it('authn authz user /admin/ -> 403', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = true;
await agent.get('/admin/').auth('user', 'user-password').expect(403);
});
it('authn authz admin / -> 200', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = true;
await agent.get('/').auth('admin', 'admin-password').expect(200);
});
it('authn authz admin /admin/ -> 200', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = true;
await agent.get('/admin/').auth('admin', 'admin-password').expect(200);
@ -100,6 +112,7 @@ describe(__filename, function () {
// parsing, resulting in successful comparisons against a null or undefined password.
for (const creds of ['admin', 'admin:']) {
it(`admin password: ${adminPassword} credentials: ${creds}`, async function () {
this.timeout(100);
settings.users.admin.password = adminPassword;
const encCreds = Buffer.from(creds).toString('base64');
await agent.get('/admin/').set('Authorization', `Basic ${encCreds}`).expect(401);
@ -152,11 +165,13 @@ describe(__filename, function () {
});
it('defers if it returns []', async function () {
this.timeout(100);
await agent.get('/').expect(200);
// Note: The preAuthorize hook always runs even if requireAuthorization is false.
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']);
});
it('bypasses authenticate and authorize hooks when true is returned', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = true;
handlers.preAuthorize[0].innerHandle = () => [true];
@ -164,6 +179,7 @@ describe(__filename, function () {
assert.deepEqual(callOrder, ['preAuthorize_0']);
});
it('bypasses authenticate and authorize hooks when false is returned', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = true;
handlers.preAuthorize[0].innerHandle = () => [false];
@ -171,12 +187,14 @@ describe(__filename, function () {
assert.deepEqual(callOrder, ['preAuthorize_0']);
});
it('bypasses authenticate and authorize hooks for static content, defers', async function () {
this.timeout(100);
settings.requireAuthentication = true;
settings.requireAuthorization = true;
await agent.get('/static/robots.txt').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']);
});
it('cannot grant access to /admin', async function () {
this.timeout(100);
handlers.preAuthorize[0].innerHandle = () => [true];
await agent.get('/admin/').expect(401);
// Notes:
@ -190,11 +208,13 @@ describe(__filename, function () {
'authenticate_1']);
});
it('can deny access to /admin', async function () {
this.timeout(100);
handlers.preAuthorize[0].innerHandle = () => [false];
await agent.get('/admin/').auth('admin', 'admin-password').expect(403);
assert.deepEqual(callOrder, ['preAuthorize_0']);
});
it('runs preAuthzFailure hook when access is denied', async function () {
this.timeout(100);
handlers.preAuthorize[0].innerHandle = () => [false];
let called = false;
plugins.hooks.preAuthzFailure = [{hook_fn: (hookName, {req, res}, cb) => {
@ -210,6 +230,7 @@ describe(__filename, function () {
assert(called);
});
it('returns 500 if an exception is thrown', async function () {
this.timeout(100);
handlers.preAuthorize[0].innerHandle = () => { throw new Error('exception test'); };
await agent.get('/').expect(500);
});
@ -222,11 +243,13 @@ describe(__filename, function () {
});
it('is not called if !requireAuthentication and not /admin/*', async function () {
this.timeout(100);
settings.requireAuthentication = false;
await agent.get('/').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']);
});
it('is called if !requireAuthentication and /admin/*', async function () {
this.timeout(100);
settings.requireAuthentication = false;
await agent.get('/admin/').expect(401);
assert.deepEqual(callOrder, ['preAuthorize_0',
@ -235,6 +258,7 @@ describe(__filename, function () {
'authenticate_1']);
});
it('defers if empty list returned', async function () {
this.timeout(100);
await agent.get('/').expect(401);
assert.deepEqual(callOrder, ['preAuthorize_0',
'preAuthorize_1',
@ -242,18 +266,21 @@ describe(__filename, function () {
'authenticate_1']);
});
it('does not defer if return [true], 200', async function () {
this.timeout(100);
handlers.authenticate[0].innerHandle = (req) => { req.session.user = {}; return [true]; };
await agent.get('/').expect(200);
// Note: authenticate_1 was not called because authenticate_0 handled it.
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']);
});
it('does not defer if return [false], 401', async function () {
this.timeout(100);
handlers.authenticate[0].innerHandle = (req) => [false];
await agent.get('/').expect(401);
// Note: authenticate_1 was not called because authenticate_0 handled it.
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']);
});
it('falls back to HTTP basic auth', async function () {
this.timeout(100);
await agent.get('/').auth('user', 'user-password').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0',
'preAuthorize_1',
@ -261,6 +288,7 @@ describe(__filename, function () {
'authenticate_1']);
});
it('passes settings.users in context', async function () {
this.timeout(100);
handlers.authenticate[0].checkContext = ({users}) => {
assert.equal(users, settings.users);
};
@ -271,6 +299,7 @@ describe(__filename, function () {
'authenticate_1']);
});
it('passes user, password in context if provided', async function () {
this.timeout(100);
handlers.authenticate[0].checkContext = ({username, password}) => {
assert.equal(username, 'user');
assert.equal(password, 'user-password');
@ -282,6 +311,7 @@ describe(__filename, function () {
'authenticate_1']);
});
it('does not pass user, password in context if not provided', async function () {
this.timeout(100);
handlers.authenticate[0].checkContext = ({username, password}) => {
assert(username == null);
assert(password == null);
@ -293,11 +323,13 @@ describe(__filename, function () {
'authenticate_1']);
});
it('errors if req.session.user is not created', async function () {
this.timeout(100);
handlers.authenticate[0].innerHandle = () => [true];
await agent.get('/').expect(500);
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']);
});
it('returns 500 if an exception is thrown', async function () {
this.timeout(100);
handlers.authenticate[0].innerHandle = () => { throw new Error('exception test'); };
await agent.get('/').expect(500);
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']);
@ -311,6 +343,7 @@ describe(__filename, function () {
});
it('is not called if !requireAuthorization (non-/admin)', async function () {
this.timeout(100);
settings.requireAuthorization = false;
await agent.get('/').auth('user', 'user-password').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0',
@ -319,6 +352,7 @@ describe(__filename, function () {
'authenticate_1']);
});
it('is not called if !requireAuthorization (/admin)', async function () {
this.timeout(100);
settings.requireAuthorization = false;
await agent.get('/admin/').auth('admin', 'admin-password').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0',
@ -327,6 +361,7 @@ describe(__filename, function () {
'authenticate_1']);
});
it('defers if empty list returned', async function () {
this.timeout(100);
await agent.get('/').auth('user', 'user-password').expect(403);
assert.deepEqual(callOrder, ['preAuthorize_0',
'preAuthorize_1',
@ -336,6 +371,7 @@ describe(__filename, function () {
'authorize_1']);
});
it('does not defer if return [true], 200', async function () {
this.timeout(100);
handlers.authorize[0].innerHandle = () => [true];
await agent.get('/').auth('user', 'user-password').expect(200);
// Note: authorize_1 was not called because authorize_0 handled it.
@ -346,6 +382,7 @@ describe(__filename, function () {
'authorize_0']);
});
it('does not defer if return [false], 403', async function () {
this.timeout(100);
handlers.authorize[0].innerHandle = (req) => [false];
await agent.get('/').auth('user', 'user-password').expect(403);
// Note: authorize_1 was not called because authorize_0 handled it.
@ -356,6 +393,7 @@ describe(__filename, function () {
'authorize_0']);
});
it('passes req.path in context', async function () {
this.timeout(100);
handlers.authorize[0].checkContext = ({resource}) => {
assert.equal(resource, '/');
};
@ -368,6 +406,7 @@ describe(__filename, function () {
'authorize_1']);
});
it('returns 500 if an exception is thrown', async function () {
this.timeout(100);
handlers.authorize[0].innerHandle = () => { throw new Error('exception test'); };
await agent.get('/').auth('user', 'user-password').expect(500);
assert.deepEqual(callOrder, ['preAuthorize_0',
@ -414,6 +453,7 @@ describe(__filename, function () {
// authn failure tests
it('authn fail, no hooks handle -> 401', async function () {
this.timeout(100);
await agent.get('/').expect(401);
assert(handlers.authnFailure.called);
assert(!handlers.authzFailure.called);
@ -427,6 +467,7 @@ describe(__filename, function () {
assert(!handlers.authFailure.called);
});
it('authn fail, authFailure handles', async function () {
this.timeout(100);
handlers.authFailure.shouldHandle = true;
await agent.get('/').expect(200, 'authFailure');
assert(handlers.authnFailure.called);
@ -434,6 +475,7 @@ describe(__filename, function () {
assert(handlers.authFailure.called);
});
it('authnFailure trumps authFailure', async function () {
this.timeout(100);
handlers.authnFailure.shouldHandle = true;
handlers.authFailure.shouldHandle = true;
await agent.get('/').expect(200, 'authnFailure');
@ -443,12 +485,14 @@ describe(__filename, function () {
// authz failure tests
it('authz fail, no hooks handle -> 403', async function () {
this.timeout(100);
await agent.get('/').auth('user', 'user-password').expect(403);
assert(!handlers.authnFailure.called);
assert(handlers.authzFailure.called);
assert(handlers.authFailure.called);
});
it('authz fail, authzFailure handles', async function () {
this.timeout(100);
handlers.authzFailure.shouldHandle = true;
await agent.get('/').auth('user', 'user-password').expect(200, 'authzFailure');
assert(!handlers.authnFailure.called);
@ -456,6 +500,7 @@ describe(__filename, function () {
assert(!handlers.authFailure.called);
});
it('authz fail, authFailure handles', async function () {
this.timeout(100);
handlers.authFailure.shouldHandle = true;
await agent.get('/').auth('user', 'user-password').expect(200, 'authFailure');
assert(!handlers.authnFailure.called);
@ -463,6 +508,7 @@ describe(__filename, function () {
assert(handlers.authFailure.called);
});
it('authzFailure trumps authFailure', async function () {
this.timeout(100);
handlers.authzFailure.shouldHandle = true;
handlers.authFailure.shouldHandle = true;
await agent.get('/').auth('user', 'user-password').expect(200, 'authzFailure');