diff --git a/tests/backend/specs/webaccess.js b/tests/backend/specs/webaccess.js index a21cc73a8..0843c3538 100644 --- a/tests/backend/specs/webaccess.js +++ b/tests/backend/specs/webaccess.js @@ -1,4 +1,4 @@ -/* global __dirname, __filename, Buffer, afterEach, before, beforeEach, describe, it, require */ +'use strict'; function m(mod) { return `${__dirname}/../../../src/${mod}`; } @@ -8,6 +8,7 @@ const plugins = require(m('static/js/pluginfw/plugin_defs')); const settings = require(m('node/utils/Settings')); describe(__filename, function () { + this.timeout(30000); let agent; const backups = {}; const authHookNames = ['preAuthorize', 'authenticate', 'authorize']; @@ -37,56 +38,67 @@ describe(__filename, function () { describe('webaccess: without plugins', function () { it('!authn !authz anonymous / -> 200', async function () { + this.timeout(150); settings.requireAuthentication = false; settings.requireAuthorization = false; await agent.get('/').expect(200); }); it('!authn !authz anonymous /admin/ -> 401', async function () { + this.timeout(100); settings.requireAuthentication = false; settings.requireAuthorization = false; await agent.get('/admin/').expect(401); }); it('authn !authz anonymous / -> 401', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = false; await agent.get('/').expect(401); }); it('authn !authz user / -> 200', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = false; await agent.get('/').auth('user', 'user-password').expect(200); }); it('authn !authz user /admin/ -> 403', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = false; await agent.get('/admin/').auth('user', 'user-password').expect(403); }); it('authn !authz admin / -> 200', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = false; await agent.get('/').auth('admin', 'admin-password').expect(200); }); it('authn !authz admin /admin/ -> 200', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = false; await agent.get('/admin/').auth('admin', 'admin-password').expect(200); }); it('authn authz user / -> 403', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = true; await agent.get('/').auth('user', 'user-password').expect(403); }); it('authn authz user /admin/ -> 403', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = true; await agent.get('/admin/').auth('user', 'user-password').expect(403); }); it('authn authz admin / -> 200', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = true; await agent.get('/').auth('admin', 'admin-password').expect(200); }); it('authn authz admin /admin/ -> 200', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = true; await agent.get('/admin/').auth('admin', 'admin-password').expect(200); @@ -100,6 +112,7 @@ describe(__filename, function () { // parsing, resulting in successful comparisons against a null or undefined password. for (const creds of ['admin', 'admin:']) { it(`admin password: ${adminPassword} credentials: ${creds}`, async function () { + this.timeout(100); settings.users.admin.password = adminPassword; const encCreds = Buffer.from(creds).toString('base64'); await agent.get('/admin/').set('Authorization', `Basic ${encCreds}`).expect(401); @@ -152,11 +165,13 @@ describe(__filename, function () { }); it('defers if it returns []', async function () { + this.timeout(100); await agent.get('/').expect(200); // Note: The preAuthorize hook always runs even if requireAuthorization is false. assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']); }); it('bypasses authenticate and authorize hooks when true is returned', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = true; handlers.preAuthorize[0].innerHandle = () => [true]; @@ -164,6 +179,7 @@ describe(__filename, function () { assert.deepEqual(callOrder, ['preAuthorize_0']); }); it('bypasses authenticate and authorize hooks when false is returned', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = true; handlers.preAuthorize[0].innerHandle = () => [false]; @@ -171,12 +187,14 @@ describe(__filename, function () { assert.deepEqual(callOrder, ['preAuthorize_0']); }); it('bypasses authenticate and authorize hooks for static content, defers', async function () { + this.timeout(100); settings.requireAuthentication = true; settings.requireAuthorization = true; await agent.get('/static/robots.txt').expect(200); assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']); }); it('cannot grant access to /admin', async function () { + this.timeout(100); handlers.preAuthorize[0].innerHandle = () => [true]; await agent.get('/admin/').expect(401); // Notes: @@ -190,11 +208,13 @@ describe(__filename, function () { 'authenticate_1']); }); it('can deny access to /admin', async function () { + this.timeout(100); handlers.preAuthorize[0].innerHandle = () => [false]; await agent.get('/admin/').auth('admin', 'admin-password').expect(403); assert.deepEqual(callOrder, ['preAuthorize_0']); }); it('runs preAuthzFailure hook when access is denied', async function () { + this.timeout(100); handlers.preAuthorize[0].innerHandle = () => [false]; let called = false; plugins.hooks.preAuthzFailure = [{hook_fn: (hookName, {req, res}, cb) => { @@ -210,6 +230,7 @@ describe(__filename, function () { assert(called); }); it('returns 500 if an exception is thrown', async function () { + this.timeout(100); handlers.preAuthorize[0].innerHandle = () => { throw new Error('exception test'); }; await agent.get('/').expect(500); }); @@ -222,11 +243,13 @@ describe(__filename, function () { }); it('is not called if !requireAuthentication and not /admin/*', async function () { + this.timeout(100); settings.requireAuthentication = false; await agent.get('/').expect(200); assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']); }); it('is called if !requireAuthentication and /admin/*', async function () { + this.timeout(100); settings.requireAuthentication = false; await agent.get('/admin/').expect(401); assert.deepEqual(callOrder, ['preAuthorize_0', @@ -235,6 +258,7 @@ describe(__filename, function () { 'authenticate_1']); }); it('defers if empty list returned', async function () { + this.timeout(100); await agent.get('/').expect(401); assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', @@ -242,18 +266,21 @@ describe(__filename, function () { 'authenticate_1']); }); it('does not defer if return [true], 200', async function () { + this.timeout(100); handlers.authenticate[0].innerHandle = (req) => { req.session.user = {}; return [true]; }; await agent.get('/').expect(200); // Note: authenticate_1 was not called because authenticate_0 handled it. assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']); }); it('does not defer if return [false], 401', async function () { + this.timeout(100); handlers.authenticate[0].innerHandle = (req) => [false]; await agent.get('/').expect(401); // Note: authenticate_1 was not called because authenticate_0 handled it. assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']); }); it('falls back to HTTP basic auth', async function () { + this.timeout(100); await agent.get('/').auth('user', 'user-password').expect(200); assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', @@ -261,6 +288,7 @@ describe(__filename, function () { 'authenticate_1']); }); it('passes settings.users in context', async function () { + this.timeout(100); handlers.authenticate[0].checkContext = ({users}) => { assert.equal(users, settings.users); }; @@ -271,6 +299,7 @@ describe(__filename, function () { 'authenticate_1']); }); it('passes user, password in context if provided', async function () { + this.timeout(100); handlers.authenticate[0].checkContext = ({username, password}) => { assert.equal(username, 'user'); assert.equal(password, 'user-password'); @@ -282,6 +311,7 @@ describe(__filename, function () { 'authenticate_1']); }); it('does not pass user, password in context if not provided', async function () { + this.timeout(100); handlers.authenticate[0].checkContext = ({username, password}) => { assert(username == null); assert(password == null); @@ -293,11 +323,13 @@ describe(__filename, function () { 'authenticate_1']); }); it('errors if req.session.user is not created', async function () { + this.timeout(100); handlers.authenticate[0].innerHandle = () => [true]; await agent.get('/').expect(500); assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']); }); it('returns 500 if an exception is thrown', async function () { + this.timeout(100); handlers.authenticate[0].innerHandle = () => { throw new Error('exception test'); }; await agent.get('/').expect(500); assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']); @@ -311,6 +343,7 @@ describe(__filename, function () { }); it('is not called if !requireAuthorization (non-/admin)', async function () { + this.timeout(100); settings.requireAuthorization = false; await agent.get('/').auth('user', 'user-password').expect(200); assert.deepEqual(callOrder, ['preAuthorize_0', @@ -319,6 +352,7 @@ describe(__filename, function () { 'authenticate_1']); }); it('is not called if !requireAuthorization (/admin)', async function () { + this.timeout(100); settings.requireAuthorization = false; await agent.get('/admin/').auth('admin', 'admin-password').expect(200); assert.deepEqual(callOrder, ['preAuthorize_0', @@ -327,6 +361,7 @@ describe(__filename, function () { 'authenticate_1']); }); it('defers if empty list returned', async function () { + this.timeout(100); await agent.get('/').auth('user', 'user-password').expect(403); assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', @@ -336,6 +371,7 @@ describe(__filename, function () { 'authorize_1']); }); it('does not defer if return [true], 200', async function () { + this.timeout(100); handlers.authorize[0].innerHandle = () => [true]; await agent.get('/').auth('user', 'user-password').expect(200); // Note: authorize_1 was not called because authorize_0 handled it. @@ -346,6 +382,7 @@ describe(__filename, function () { 'authorize_0']); }); it('does not defer if return [false], 403', async function () { + this.timeout(100); handlers.authorize[0].innerHandle = (req) => [false]; await agent.get('/').auth('user', 'user-password').expect(403); // Note: authorize_1 was not called because authorize_0 handled it. @@ -356,6 +393,7 @@ describe(__filename, function () { 'authorize_0']); }); it('passes req.path in context', async function () { + this.timeout(100); handlers.authorize[0].checkContext = ({resource}) => { assert.equal(resource, '/'); }; @@ -368,6 +406,7 @@ describe(__filename, function () { 'authorize_1']); }); it('returns 500 if an exception is thrown', async function () { + this.timeout(100); handlers.authorize[0].innerHandle = () => { throw new Error('exception test'); }; await agent.get('/').auth('user', 'user-password').expect(500); assert.deepEqual(callOrder, ['preAuthorize_0', @@ -414,6 +453,7 @@ describe(__filename, function () { // authn failure tests it('authn fail, no hooks handle -> 401', async function () { + this.timeout(100); await agent.get('/').expect(401); assert(handlers.authnFailure.called); assert(!handlers.authzFailure.called); @@ -427,6 +467,7 @@ describe(__filename, function () { assert(!handlers.authFailure.called); }); it('authn fail, authFailure handles', async function () { + this.timeout(100); handlers.authFailure.shouldHandle = true; await agent.get('/').expect(200, 'authFailure'); assert(handlers.authnFailure.called); @@ -434,6 +475,7 @@ describe(__filename, function () { assert(handlers.authFailure.called); }); it('authnFailure trumps authFailure', async function () { + this.timeout(100); handlers.authnFailure.shouldHandle = true; handlers.authFailure.shouldHandle = true; await agent.get('/').expect(200, 'authnFailure'); @@ -443,12 +485,14 @@ describe(__filename, function () { // authz failure tests it('authz fail, no hooks handle -> 403', async function () { + this.timeout(100); await agent.get('/').auth('user', 'user-password').expect(403); assert(!handlers.authnFailure.called); assert(handlers.authzFailure.called); assert(handlers.authFailure.called); }); it('authz fail, authzFailure handles', async function () { + this.timeout(100); handlers.authzFailure.shouldHandle = true; await agent.get('/').auth('user', 'user-password').expect(200, 'authzFailure'); assert(!handlers.authnFailure.called); @@ -456,6 +500,7 @@ describe(__filename, function () { assert(!handlers.authFailure.called); }); it('authz fail, authFailure handles', async function () { + this.timeout(100); handlers.authFailure.shouldHandle = true; await agent.get('/').auth('user', 'user-password').expect(200, 'authFailure'); assert(!handlers.authnFailure.called); @@ -463,6 +508,7 @@ describe(__filename, function () { assert(handlers.authFailure.called); }); it('authzFailure trumps authFailure', async function () { + this.timeout(100); handlers.authzFailure.shouldHandle = true; handlers.authFailure.shouldHandle = true; await agent.get('/').auth('user', 'user-password').expect(200, 'authzFailure');