UNPKG

@infomaker/service-authorization-lib

Version:

IMID Service Authorization Library

964 lines (871 loc) 32 kB
/*eslint-env node, jasmine */ 'use strict' const testData = require('./test-data') const errors = require('../../src/errors') module.exports = function({ expectFunctionRunner, expectValidationError, expectAuthError, expectLoginToBeTriggered, expectSystemError, expectCredentialsToBeAddedToRequest, expectModifiedRequest }) { describe('Failure test: Config validation', () => { it('ValidationError when org missing', async () => { const authParams = { accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) const invalidStaticOrgValues = [undefined, 1,[]] invalidStaticOrgValues.forEach(invalidOrg => { it(`ValidationError when org statically set to ${invalidOrg} (only string allowed)`, async () => { const authParams = { org: invalidOrg, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) const invalidOrgFunReturns = [undefined, 1, () => {}, []] invalidOrgFunReturns.forEach(invalidOrg => { it(`ValidationError when resulting org from fun is ${invalidOrg} (only string and false allowed)`, async () => { const authParams = { org: () => invalidOrg, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Error thrown while building org' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) it('ValidationError when accessRules is an empty array', async () => { const authParams = { org: testData.ORG_A, accessRules: [] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('ValidationError when accessRules is not an array', async () => { const authParams = { org: testData.ORG_A, accessRules: 'Not an array' } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) const invalidStaticSubs = [1, []] invalidStaticSubs.forEach(invalidSub => { it(`ValidationError when sub is ${invalidSub} (only string allowed)`, async () => { const authParams = { org: testData.ORG_A, accessRules: [{ sub: invalidSub, permission: testData.PERMISSION_A }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) /* This test SHOULD be with the ones above, but because of how joi handles validation of key values set explicitly to undefined (it ignores them), the error is caught a bit later in the code and throws a 'Error thrown while building access rules' instead of a 'Authentication parameters are misconfigured'. If someone feels strongly about this, you're more than welcome to fix it, but as long as the error is caught, I'm happy. */ it('ValidationError when sub is undefined (only string allowed)', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ sub: undefined, permission: testData.PERMISSION_A }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Error thrown while building access rules' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) const invalidSubFunReturns = [undefined, 1, () => {}, []] invalidSubFunReturns.forEach(invalidSub => { it(`ValidationError when resulting sub from fun is ${invalidSub} (only string allowed)`, async () => { const authParams = { org: testData.ORG_A, accessRules: [{ sub: () => invalidSub, permission: testData.PERMISSION_A }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Error thrown while building access rules' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) it('ValidationError when unexpected parameter is provided', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_A }], unexpectedParameter: true } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('ValidationError when only suppressLoginTrigger is set', async () => { const authParams = { suppressLoginTrigger: true } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('should throw error when authParams is set to true', async () => { const authParams = true const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Authentication parameters are misconfigured' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) describe('Failure test: Build org', () => { it('catches generic error when an exception occurs', async () => { const expectedError = new Error('error-while-building-org') const authParams = { org: () => {throw expectedError}, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectSystemError const expectFuncParams = {internalError: expectedError} return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('propagates im error when an exception occurs', async () => { const expectedStatusCode = 417 const expectedMessage = '' const expectedError = new errors.ServiceAuthorizationError({ httpCode: expectedStatusCode, publicMessage: expectedMessage }) expectedError.isImError = true const authParams = { org: () => {throw expectedError}, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: true, statusCode: expectedStatusCode, errorMessage: expectedMessage, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) describe('Failure test: Get token payload from request', () => { it('401 Unauthorized + login trigger when token missing', async () => { const authParams = { org: testData.ORG_B, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectLoginToBeTriggered const expectFuncParams = { statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE, errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE, loginRedirectOrg: testData.ORG_B } return await expectFunctionRunner({authParams, serviceToken: false, expectFunc, expectFuncParams}) }) it('401 Unauthorized + login trigger when token invalid', async () => { const authParams = { org: testData.ORG_B, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectLoginToBeTriggered const expectFuncParams = { statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE, errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE, loginRedirectOrg: testData.ORG_B } return await expectFunctionRunner({authParams, serviceToken: 'invalid-token', expectFunc, expectFuncParams}) }) }) describe('Failure test: serviceAdmin access', () => { it('403 Forbidden when serviceAdmin does not match and org/accessRules are not defined', async () => { const authParams = testData.AUTH_MODE_SERVICE_ADMIN_ENDPOINT const expectFunc = expectAuthError const expectFuncParams = { noCredentials: false, statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE, errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) describe('Failure test: authorized endpoint access', () => { it('403 Forbidden when authorized endpoint set but user not logged in', async () => { const authParams = testData.AUTH_MODE_AUTHENTICATED_ENDPOINT const expectFunc = expectAuthError const expectFuncParams = { noCredentials: true, statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE, errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams, noServiceToken: true}) }) }) describe('Failure test: Organization match', () => { it('401 Unauthorized + login trigger when org does not match', async () => { const authParams = { org: testData.ORG_B, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectLoginToBeTriggered const expectFuncParams = { statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE, errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE, loginRedirectOrg: testData.ORG_B } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) describe('Failure test: onPreAuth', () => { it('propagates im error when an exception occurs while building onPreAuth', async () => { const expectedStatusCode = 417 const expectedMessage = '' const expectedError = new errors.ServiceAuthorizationError({ httpCode: expectedStatusCode, publicMessage: expectedMessage }) expectedError.isImError = true const authParams = { onPreAuth: async () => { throw expectedError }, org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: true, statusCode: expectedStatusCode, errorMessage: expectedMessage, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) describe('Failure test: onPreAuth', () => { it('ValidationError when an exception occurs while building onPreAuth', async () => { const authParams = { onPreAuth: async () => {throw new Error('error-while-building-onPreAuth')}, org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Error thrown while building onPreAuth' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('propagates im error when an exception occurs while building onPreAuth', async () => { const expectedStatusCode = 417 const expectedMessage = '' const expectedError = new errors.ServiceAuthorizationError({ httpCode: expectedStatusCode, publicMessage: expectedMessage }) expectedError.isImError = true const authParams = { onPreAuth: async () => { throw expectedError }, org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: true, statusCode: expectedStatusCode, errorMessage: expectedMessage, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) describe('Failure test: Rule access', () => { it('ValidationError when an exception occurs while building access rules (permission)', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ permission: () => {throw new Error('error-while-building-rule')} }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Error thrown while building access rules' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('propagates im error when an exception occurs while building access rules (permission)', async () => { const expectedStatusCode = 417 const expectedMessage = '' const expectedError = new errors.ServiceAuthorizationError({ httpCode: expectedStatusCode, publicMessage: expectedMessage }) expectedError.isImError = true const authParams = { org: testData.ORG_A, accessRules: [{ permission: () => { throw expectedError } }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: true, statusCode: expectedStatusCode, errorMessage: expectedMessage, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('ValidationError when an exception occurs while building access rules (sub)', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ sub: () => {throw new Error('error-while-building-rule')} }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Error thrown while building access rules' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('propagates im error when an exception occurs while building access rules (sub)', async () => { const expectedStatusCode = 417 const expectedMessage = '' const expectedError = new errors.ServiceAuthorizationError({ httpCode: expectedStatusCode, publicMessage: expectedMessage }) expectedError.isImError = true const authParams = { org: testData.ORG_A, accessRules: [{ sub: () => { throw expectedError } }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: true, statusCode: expectedStatusCode, errorMessage: expectedMessage, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('ValidationError when an exception occurs while building access rules (unit)', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ unit: () => {throw new Error('error-while-building-rule')} }] } const expectFunc = expectValidationError const expectFuncParams = { internalErrorMessage: 'Error thrown while building access rules' } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('propagates im error when an exception occurs while building access rules (unit)', async () => { const expectedStatusCode = 417 const expectedMessage = '' const expectedError = new errors.ServiceAuthorizationError({ httpCode: expectedStatusCode, publicMessage: expectedMessage }) expectedError.isImError = true const authParams = { org: testData.ORG_A, accessRules: [{ unit: () => { throw expectedError } }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: true, noServiceToken: true, statusCode: expectedStatusCode, errorMessage: expectedMessage, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('403 Forbidden when access rule permission does not match', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_B }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: false, statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE, errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('403 Forbidden when access rule sub does not match', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ sub: testData.SUB_B }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: false, statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE, errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('403 Forbidden when access rule unit does exist in token', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ unit: testData.UNIT_C }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: false, statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE, errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) it('403 Forbidden when access rule unit does exists in token but does not contain permission', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ unit: testData.UNIT_A, permission: testData.UNIT_B_PERMISSION }] } const expectFunc = expectAuthError const expectFuncParams = { noCredentials: false, statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE, errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE, } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) describe('Success test: serviceAdmin access', () => { it('Token payload is added to credentials on success', async () => { const authParams = { org: testData.ORG_B, accessRules: [{ permission: testData.PERMISSION_B }] } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.SERVICE_ADMIN_MATCH, authenticationParameters: authParams, matchingAccessRules: [], matchingServiceAdmin: { serviceAdmin: true } } } return await expectFunctionRunner({ serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN, authParams, expectFunc, expectFuncParams }) }) it('Token payload is added to credentials on success even if serviceAdmin is the only one defined', async () => { const authParams = testData.AUTH_MODE_SERVICE_ADMIN_ENDPOINT const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.SERVICE_ADMIN_MATCH, authenticationParameters: authParams, matchingAccessRules: [], matchingServiceAdmin: { serviceAdmin: true } } } return await expectFunctionRunner({ serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN, authParams, expectFunc, expectFuncParams }) }) }) describe('Success test: Rule access', () => { it('onPreAuth should be able to modify request object', async () => { const expectedRequestString = 'string-on-request-object' const authParams = { onPreAuth: async (req) => { req.temp = expectedRequestString }, org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectModifiedRequest const expectFuncParams = { expectedRequestString } return await expectFunctionRunner({ authParams, expectFunc, expectFuncParams }) }) it('Token payload is added to credentials when non-unit permission matches', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_A), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.ORG_RULE_MATCH, authenticationParameters: authParams, matchingAccessRules: [authParams.accessRules[0]], matchingServiceAdmin: null } } return await expectFunctionRunner({ authParams, expectFunc, expectFuncParams }) }) it('Token payload is added to credentials when unit in token and org permission and unit matches', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ unit: testData.UNIT_A, permission: testData.PERMISSION_A }] } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_A), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.ORG_RULE_MATCH, authenticationParameters: authParams, matchingAccessRules: [authParams.accessRules[0]], matchingServiceAdmin: null } } return await expectFunctionRunner({ authParams, expectFunc, expectFuncParams }) }) it('Token payload is added to credentials when unit in token and unit permission and unit matches', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ unit: testData.UNIT_A, permission: testData.UNIT_A_PERMISSION }] } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_A), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.ORG_RULE_MATCH, authenticationParameters: authParams, matchingAccessRules: [authParams.accessRules[0]], matchingServiceAdmin: null } } return await expectFunctionRunner({ authParams, expectFunc, expectFuncParams }) }) it('should include serviceToken for open endpoint when authParams set to open endpoint', async () => { const authParams = testData.AUTH_MODE_OPEN_ENDPOINT const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.NO_ACCESS_RULES, authenticationParameters: testData.AUTH_MODE_OPEN_ENDPOINT, matchingAccessRules: [], matchingServiceAdmin: null } } return await expectFunctionRunner({ serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS, authParams, expectFunc, expectFuncParams }) }) it('should allow request even without serviceToken for open endpoint when authParams set to open endpoint', async () => { const authParams = testData.AUTH_MODE_OPEN_ENDPOINT const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: {}, artifacts: { reason: testData.artifactReasons.NO_SERVICE_TOKEN_NO_ACCESS_RULES, authenticationParameters: testData.AUTH_MODE_OPEN_ENDPOINT, matchingAccessRules: [], matchingServiceAdmin: null } } return await expectFunctionRunner({ noServiceToken: true, authParams, expectFunc, expectFuncParams }) }) it('should include serviceToken for authenticated endpoint when authParams set to authenticated endpoint', async () => { const authParams = testData.AUTH_MODE_AUTHENTICATED_ENDPOINT const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.AUTHENTICATED_ENDPOINT, authenticationParameters: testData.AUTH_MODE_AUTHENTICATED_ENDPOINT, matchingAccessRules: [], matchingServiceAdmin: null } } return await expectFunctionRunner({ serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS, authParams, expectFunc, expectFuncParams }) }) it('should allow missing accessRules and only validate org', async () => { const authParams = { org: testData.ORG_A } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.ORG_MATCH, authenticationParameters: authParams, matchingAccessRules: [], matchingServiceAdmin: null } } return await expectFunctionRunner({ serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS, authParams, expectFunc, expectFuncParams }) }) it('should allow false org and only validate accessRules (Org A)', async () => { const authParams = { org: false, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_A), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.FALSE_ORG_MATCHING_ACCESS_RULES, authenticationParameters: authParams, matchingAccessRules: [authParams.accessRules[0]], matchingServiceAdmin: null } } return await expectFunctionRunner({ serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A, authParams, expectFunc, expectFuncParams }) }) it('should allow false org and only validate accessRules (Org B)', async () => { const authParams = { org: false, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number) }, testData.VALID_SERVICE_TOKEN_PAYLOAD_B), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.FALSE_ORG_MATCHING_ACCESS_RULES, authenticationParameters: authParams, matchingAccessRules: [authParams.accessRules[0]], matchingServiceAdmin: null } } return await expectFunctionRunner({ serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_B, authParams, expectFunc, expectFuncParams }) }) it('Token payload is added to credentials on success even if serviceAdmin does not match', async () => { const authParams = { org: testData.ORG_A, accessRules: [{ permission: testData.PERMISSION_A }] } const expectFunc = expectCredentialsToBeAddedToRequest const expectFuncParams = { credentials: { serviceToken: Object.assign({}, { iat: expect.any(Number), exp: expect.any(Number)}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A), imidToken: 'should be put in req credentials' }, artifacts: { reason: testData.artifactReasons.ORG_RULE_MATCH, authenticationParameters: authParams, matchingAccessRules: [authParams.accessRules[0]], matchingServiceAdmin: null } } return await expectFunctionRunner({authParams, expectFunc, expectFuncParams}) }) }) }