2017-04-19 21:15:28 +02:00
|
|
|
'use strict';
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
module.exports = function() {
|
2017-07-02 00:05:58 +02:00
|
|
|
describe('package access control', function() {
|
|
|
|
|
|
|
|
const server = process.server;
|
|
|
|
const buildToken = (auth) => {
|
|
|
|
return `Basic ${(new Buffer(auth).toString('base64'))}`;
|
|
|
|
};
|
|
|
|
let oldAuth;
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
before(function() {
|
2017-07-02 00:05:58 +02:00
|
|
|
oldAuth = server.authstr;
|
2017-04-19 21:15:28 +02:00
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-04-19 21:15:28 +02:00
|
|
|
after(function() {
|
2017-07-02 00:05:58 +02:00
|
|
|
server.authstr = oldAuth;
|
2017-04-19 21:15:28 +02:00
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-07-02 00:05:58 +02:00
|
|
|
/**
|
|
|
|
* Check whether the user is allowed to fetch packages
|
|
|
|
* @param auth {object} disable auth
|
|
|
|
* @param pkg {string} package name
|
|
|
|
* @param ok {boolean}
|
|
|
|
*/
|
|
|
|
function checkAccess(auth, pkg, ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
it((ok ? 'allows' : 'forbids') +' access ' + auth + ' to ' + pkg, function() {
|
2017-07-02 00:05:58 +02:00
|
|
|
server.authstr = auth ? buildToken(auth) : undefined;
|
2017-06-28 22:56:02 +02:00
|
|
|
let req = server.getPackage(pkg);
|
2015-04-21 18:41:50 +02:00
|
|
|
if (ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(404).body_error(/no such package available/);
|
2015-04-21 18:41:50 +02:00
|
|
|
} else {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(403).body_error(/not allowed to access package/);
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
2017-04-19 21:15:28 +02:00
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
|
|
|
|
2017-07-02 00:05:58 +02:00
|
|
|
/**
|
|
|
|
* Check whether the user is allowed to publish packages
|
|
|
|
* @param auth {object} disable auth
|
|
|
|
* @param pkg {string} package name
|
|
|
|
* @param ok {boolean}
|
|
|
|
*/
|
|
|
|
function checkPublish(auth, pkg, ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
it(`${(ok ? 'allows' : 'forbids')} publish ${auth} to ${pkg}`, function() {
|
2017-07-02 00:05:58 +02:00
|
|
|
server.authstr = auth ? buildToken(auth) : undefined;
|
2017-08-06 21:54:15 +02:00
|
|
|
const req = server.putPackage(pkg, require('../fixtures/package')(pkg));
|
2015-04-21 18:41:50 +02:00
|
|
|
if (ok) {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(404).body_error(/this package cannot be added/);
|
2015-04-21 18:41:50 +02:00
|
|
|
} else {
|
2017-04-19 21:15:28 +02:00
|
|
|
return req.status(403).body_error(/not allowed to publish package/);
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
2017-04-19 21:15:28 +02:00
|
|
|
});
|
2015-04-21 18:41:50 +02:00
|
|
|
}
|
2017-07-02 00:05:58 +02:00
|
|
|
|
|
|
|
// credentials
|
|
|
|
const badCredentials = 'test:badpass';
|
|
|
|
// test user is logged by default
|
|
|
|
const validCredentials = 'test:test';
|
|
|
|
|
|
|
|
// defined on server1 configuration
|
2017-04-19 21:15:28 +02:00
|
|
|
const testAccessOnly = 'test-access-only';
|
|
|
|
const testPublishOnly = 'test-publish-only';
|
|
|
|
const testOnlyTest = 'test-only-test';
|
|
|
|
const testOnlyAuth = 'test-only-auth';
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-07-02 00:05:58 +02:00
|
|
|
// all are allowed to access
|
|
|
|
checkAccess(validCredentials, testAccessOnly, true);
|
|
|
|
checkAccess(undefined, testAccessOnly, true);
|
|
|
|
checkAccess(badCredentials, testAccessOnly, true);
|
|
|
|
checkPublish(validCredentials, testAccessOnly, false);
|
|
|
|
checkPublish(undefined, testAccessOnly, false);
|
|
|
|
checkPublish(badCredentials, testAccessOnly, false);
|
|
|
|
|
|
|
|
// all are allowed to publish
|
|
|
|
checkAccess(validCredentials, testPublishOnly, false);
|
|
|
|
checkAccess(undefined, testPublishOnly, false);
|
|
|
|
checkAccess(badCredentials, testPublishOnly, false);
|
|
|
|
checkPublish(validCredentials, testPublishOnly, true);
|
|
|
|
checkPublish(undefined, testPublishOnly, true);
|
|
|
|
checkPublish(badCredentials, testPublishOnly, true);
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-07-02 00:05:58 +02:00
|
|
|
// only user "test" is allowed to publish and access
|
|
|
|
checkAccess(validCredentials, testOnlyTest, true);
|
|
|
|
checkAccess(undefined, testOnlyTest, false);
|
|
|
|
checkAccess(badCredentials, testOnlyTest, false);
|
|
|
|
checkPublish(validCredentials, testOnlyTest, true);
|
|
|
|
checkPublish(undefined, testOnlyTest, false);
|
|
|
|
checkPublish(badCredentials, testOnlyTest, false);
|
2015-04-21 18:41:50 +02:00
|
|
|
|
2017-07-02 00:05:58 +02:00
|
|
|
// only authenticated users are allowed
|
|
|
|
checkAccess(validCredentials, testOnlyAuth, true);
|
|
|
|
checkAccess(undefined, testOnlyAuth, false);
|
|
|
|
checkAccess(badCredentials, testOnlyAuth, false);
|
|
|
|
checkPublish(validCredentials, testOnlyAuth, true);
|
|
|
|
checkPublish(undefined, testOnlyAuth, false);
|
|
|
|
checkPublish(badCredentials, testOnlyAuth, false);
|
2017-04-19 21:15:28 +02:00
|
|
|
});
|
|
|
|
};
|