From 137fd5978fc94ad51a38be0bfa2d88a998f2cfba Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Tue, 21 Apr 2015 19:41:50 +0300
Subject: [PATCH] fix access control ref #238

---
 lib/auth.js                   |  4 +-
 test/functional/access.js     | 80 +++++++++++++++++++++++++++++++++++
 test/functional/config-1.yaml | 20 +++++++++
 test/functional/index.js      |  1 +
 4 files changed, 103 insertions(+), 2 deletions(-)
 create mode 100644 test/functional/access.js

diff --git a/lib/auth.js b/lib/auth.js
index e8fc69091..c1028e4a9 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -154,11 +154,11 @@ Auth.prototype.allow_publish = function(package_name, user, callback) {
   ;(function next() {
     var p = plugins.shift()
 
-    if (typeof(p.allow_access) !== 'function') {
+    if (typeof(p.allow_publish) !== 'function') {
       return next()
     }
 
-    p.allow_access(user, package, function(err, ok) {
+    p.allow_publish(user, package, function(err, ok) {
       if (err) return callback(err)
       if (ok) return callback(null, ok)
       next() // cb(null, false) causes next plugin to roll
diff --git a/test/functional/access.js b/test/functional/access.js
new file mode 100644
index 000000000..f0acddffc
--- /dev/null
+++ b/test/functional/access.js
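Review bot: The corrected dispatcher in lib/auth.js still has no terminal case: `var p = plugins.shift()` yields undefined once every plugin has declined, and the following `typeof(p.allow_publish)` then throws a TypeError inside the callback chain instead of ever reaching `callback`. Unless the last entry of `plugins` is guaranteed to answer (presumably the config object, but that is outside this hunk), a fail-closed guard right after the shift, `if (!p) return callback(new Error('no plugin decided allow_publish'))`, would make the deny path explicit rather than relying on an exception. The same `typeof`-then-call shape presumably exists in allow_access above this hunk and would want the same guard. Auth.prototype.allow_publish starts and ends outside the hunk.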
@@ -0,0 +1,80 @@
+
+module.exports = function () {
+  describe('access control', function () {
+    var server = process.server
+    var oldauth
+
+    before(function () {
+      oldauth = server.authstr
+    })
+
+    after(function () {
+      server.authstr = oldauth
+    })
+
+    function check_access(auth, pkg, ok) {
+      it((ok ? 'allows' : 'forbids') +' access ' + auth + ' to ' + pkg, function () {
+        server.authstr = auth
+                       ? 'Basic '+(new Buffer(auth).toString('base64'))
+                       : undefined
+
+        var req = server.get_package(pkg)
+
+        if (ok) {
+          return req.status(404)
+                    .body_error(/no such package available/)
+        } else {
+          return req.status(403)
+                    .body_error(/not allowed to access package/)
+        }
+      })
+    }
+
+    function check_publish(auth, pkg, ok) {
+      it((ok ? 'allows' : 'forbids') + ' publish ' + auth + ' to ' + pkg, function () {
+        server.authstr = auth
+                       ? 'Basic '+(new Buffer(auth).toString('base64'))
+                       : undefined
+
+        var req = server.put_package(pkg, require('./lib/package')(pkg))
+
+        if (ok) {
+          return req.status(404)
+                    .body_error(/this package cannot be added/)
+        } else {
+          return req.status(403)
+                    .body_error(/not allowed to publish package/)
+        }
+      })
+    }
+
+    check_access('test:test', 'test-access-only', true)
+    check_access(undefined, 'test-access-only', true)
+    check_access('test:badpass', 'test-access-only', true)
+    check_publish('test:test', 'test-access-only', false)
+    check_publish(undefined, 'test-access-only', false)
+    check_publish('test:badpass', 'test-access-only', false)
+
+    check_access('test:test', 'test-publish-only', false)
+    check_access(undefined, 'test-publish-only', false)
+    check_access('test:badpass', 'test-publish-only', false)
+    check_publish('test:test', 'test-publish-only', true)
+    check_publish(undefined, 'test-publish-only', true)
+    check_publish('test:badpass', 'test-publish-only', true)
+
+    check_access('test:test', 'test-only-test', true)
+    check_access(undefined, 'test-only-test', false)
+    check_access('test:badpass', 'test-only-test', false)
+    check_publish('test:test', 'test-only-test', true)
+    check_publish(undefined, 'test-only-test', false)
+    check_publish('test:badpass', 'test-only-test', false)
+
+    check_access('test:test', 'test-only-auth', true)
+    check_access(undefined, 'test-only-auth', false)
+    check_access('test:badpass', 'test-only-auth', false)
+    check_publish('test:test', 'test-only-auth', true)
+    check_publish(undefined, 'test-only-auth', false)
+    check_publish('test:badpass', 'test-only-auth', false)
+  })
+}
+
diff --git a/test/functional/config-1.yaml b/test/functional/config-1.yaml
index 87b3db09d..7c005d53e 100644
--- a/test/functional/config-1.yaml
+++ b/test/functional/config-1.yaml
@@ -56,6 +56,26 @@ packages:
     allow_publish: all
     proxy_access: baduplink
 
+  'test-access-only':
+    allow_access: $all
+    allow_publish: nobody
+    storage: false
+
+  'test-publish-only':
+    allow_access: nobody
+    allow_publish: $all
+    storage: false
+
+  'test-only-test':
+    allow_access: test
+    allow_publish: test
+    storage: false
+
+  'test-only-auth':
+    allow_access: $authenticated
+    allow_publish: $authenticated
+    storage: false
+
   '*':
     allow_access: test undefined
     allow_publish: test undefined
diff --git a/test/functional/index.js b/test/functional/index.js
index 0974e185e..c424eaa2c 100644
--- a/test/functional/index.js
+++ b/test/functional/index.js
@@ -45,6 +45,7 @@ describe('Func', function() {
 
   it('authenticate', function(){/* test for before() */})
 
+  require('./access')()
   require('./basic')()
   require('./gh29')()
   require('./tags')()
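Review bot: The `test:badpass` rows in test/functional/access.js pin a behaviour that deserves a comment: every `'test:badpass'` expectation matches the `undefined` row next to it, so a request carrying wrong credentials is asserted to be handled exactly like an anonymous one (allowed on `$all`, refused on `$authenticated`) rather than rejected outright, and nothing in the file says that is intentional. A one-line comment above the first `check_access('test:badpass', …)`, such as `// wrong credentials are expected to degrade to anonymous access, not to be rejected`, would stop a later change from silently loosening or tightening that contract without noticing. The header construction `'Basic '+(new Buffer(auth).toString('base64'))` is duplicated in check_access and check_publish and could move into one small helper; the same helper could also label the `undefined` case as `anonymous` in the generated test titles, which currently read `access undefined to …`.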