2017-04-19 21:15:28 +02:00
|
|
|
'use strict';
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
module.exports = function() {
|
|
|
|
|
describe('access control', function() {
|
|
|
|
|
let server = process.server;
|
|
|
|
|
let oldauth;
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
before(function() {
|
|
|
|
|
oldauth = server.authstr;
|
|
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
after(function() {
|
|
|
|
|
server.authstr = oldauth;
|
|
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
|
|
|
|
|
function check_access(auth, pkg, ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
it((ok ? 'allows' : 'forbids') +' access ' + auth + ' to ' + pkg, function() {
|
|
|
|
|
server.authstr = auth? `Basic ${(new Buffer(auth).toString('base64'))}`: undefined;
|
|
|
|
|
let req = server.get_package(pkg);
|
2015-04-21 18:41:50 +02:00
|
|
|
if (ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(404).body_error(/no such package available/);
|
2015-04-21 18:41:50 +02:00
|
|
|
} else {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(403).body_error(/not allowed to access package/);
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
2017-04-19 21:15:28 +02:00
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function check_publish(auth, pkg, ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
it(`${(ok ? 'allows' : 'forbids')} publish ${auth} to ${pkg}`, function() {
|
|
|
|
|
server.authstr = auth? `Basic ${(new Buffer(auth).toString('base64'))}`: undefined;
|
|
|
|
|
let req = server.put_package(pkg, require('./lib/package')(pkg));
|
2015-04-21 18:41:50 +02:00
|
|
|
if (ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(404).body_error(/this package cannot be added/);
|
2015-04-21 18:41:50 +02:00
|
|
|
} else {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(403).body_error(/not allowed to publish package/);
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
2017-04-19 21:15:28 +02:00
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
2017-04-19 21:15:28 +02:00
|
|
|
const badPass = 'test:badpass';
|
|
|
|
|
const testPass = 'test:test';
|
|
|
|
|
const testAccessOnly = 'test-access-only';
|
|
|
|
|
const testPublishOnly = 'test-publish-only';
|
|
|
|
|
const testOnlyTest = 'test-only-test';
|
|
|
|
|
const testOnlyAuth = 'test-only-auth';
|
|
|
|
|
check_access(testPass, testAccessOnly, true);
|
|
|
|
|
check_access(undefined, testAccessOnly, true);
|
|
|
|
|
check_access(badPass, testAccessOnly, true);
|
|
|
|
|
check_publish(testPass, testAccessOnly, false);
|
|
|
|
|
check_publish(undefined, testAccessOnly, false);
|
|
|
|
|
check_publish(badPass, testAccessOnly, false);
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
check_access(testPass, testPublishOnly, false);
|
|
|
|
|
check_access(undefined, testPublishOnly, false);
|
|
|
|
|
check_access(badPass, testPublishOnly, false);
|
|
|
|
|
check_publish(testPass, testPublishOnly, true);
|
|
|
|
|
check_publish(undefined, testPublishOnly, true);
|
|
|
|
|
check_publish(badPass, testPublishOnly, true);
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
check_access(testPass, testOnlyTest, true);
|
|
|
|
|
check_access(undefined, testOnlyTest, false);
|
|
|
|
|
check_access(badPass, testOnlyTest, false);
|
|
|
|
|
check_publish(testPass, testOnlyTest, true);
|
|
|
|
|
check_publish(undefined, testOnlyTest, false);
|
|
|
|
|
check_publish(badPass, testOnlyTest, false);
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
check_access(testPass, testOnlyAuth, true);
|
|
|
|
|
check_access(undefined, testOnlyAuth, false);
|
|
|
|
|
check_access(badPass, testOnlyAuth, false);
|
|
|
|
|
check_publish(testPass, testOnlyAuth, true);
|
|
|
|
|
check_publish(undefined, testOnlyAuth, false);
|
|
|
|
|
check_publish(badPass, testOnlyAuth, false);
|
|
|
|
|
});
|
|
|
|
|
};
|
