@infomaker/service-authorization-lib
Version:
IMID Service Authorization Library
964 lines (871 loc) • 32 kB
JavaScript
/*eslint-env node, jasmine */
'use strict'
const testData = require('./test-data')
const errors = require('../../src/errors')
module.exports = function({
expectFunctionRunner,
expectValidationError,
expectAuthError,
expectLoginToBeTriggered,
expectSystemError,
expectCredentialsToBeAddedToRequest,
expectModifiedRequest
}) {
describe('Failure test: Config validation', () => {
it('ValidationError when org missing', async () => {
const authParams = {
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
const invalidStaticOrgValues = [undefined, 1,[]]
invalidStaticOrgValues.forEach(invalidOrg => {
it(`ValidationError when org statically set to ${invalidOrg} (only string allowed)`, async () => {
const authParams = {
org: invalidOrg,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
const invalidOrgFunReturns = [undefined, 1, () => {}, []]
invalidOrgFunReturns.forEach(invalidOrg => {
it(`ValidationError when resulting org from fun is ${invalidOrg} (only string and false allowed)`, async () => {
const authParams = {
org: () => invalidOrg,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Error thrown while building org'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
it('ValidationError when accessRules is an empty array', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: []
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('ValidationError when accessRules is not an array', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: 'Not an array'
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
const invalidStaticSubs = [1, []]
invalidStaticSubs.forEach(invalidSub => {
it(`ValidationError when sub is ${invalidSub} (only string allowed)`, async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
sub: invalidSub,
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
/*
This test SHOULD be with the ones above, but because of how joi handles
validation of key values set explicitly to undefined (it ignores them),
the error is caught a bit later in the code and throws a
'Error thrown while building access rules' instead of a
'Authentication parameters are misconfigured'.
If someone feels strongly about this, you're more than welcome to fix it,
but as long as the error is caught, I'm happy.
*/
it('ValidationError when sub is undefined (only string allowed)', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
sub: undefined,
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Error thrown while building access rules'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
const invalidSubFunReturns = [undefined, 1, () => {}, []]
invalidSubFunReturns.forEach(invalidSub => {
it(`ValidationError when resulting sub from fun is ${invalidSub} (only string allowed)`, async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
sub: () => invalidSub,
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Error thrown while building access rules'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
it('ValidationError when unexpected parameter is provided', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_A
}],
unexpectedParameter: true
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('ValidationError when only suppressLoginTrigger is set', async () => {
const authParams = {
suppressLoginTrigger: true
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('should throw error when authParams is set to true', async () => {
const authParams = true
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Authentication parameters are misconfigured'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
describe('Failure test: Build org', () => {
it('catches generic error when an exception occurs', async () => {
const expectedError = new Error('error-while-building-org')
const authParams = {
org: () => {throw expectedError},
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectSystemError
const expectFuncParams = {internalError: expectedError}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('propagates im error when an exception occurs', async () => {
const expectedStatusCode = 417
const expectedMessage = ''
const expectedError = new errors.ServiceAuthorizationError({
httpCode: expectedStatusCode,
publicMessage: expectedMessage
})
expectedError.isImError = true
const authParams = {
org: () => {throw expectedError},
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: true,
statusCode: expectedStatusCode,
errorMessage: expectedMessage,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
describe('Failure test: Get token payload from request', () => {
it('401 Unauthorized + login trigger when token missing', async () => {
const authParams = {
org: testData.ORG_B,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectLoginToBeTriggered
const expectFuncParams = {
statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE,
errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE,
loginRedirectOrg: testData.ORG_B
}
return await expectFunctionRunner({authParams, serviceToken: false, expectFunc, expectFuncParams})
})
it('401 Unauthorized + login trigger when token invalid', async () => {
const authParams = {
org: testData.ORG_B,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectLoginToBeTriggered
const expectFuncParams = {
statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE,
errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE,
loginRedirectOrg: testData.ORG_B
}
return await expectFunctionRunner({authParams, serviceToken: 'invalid-token', expectFunc, expectFuncParams})
})
})
describe('Failure test: serviceAdmin access', () => {
it('403 Forbidden when serviceAdmin does not match and org/accessRules are not defined', async () => {
const authParams = testData.AUTH_MODE_SERVICE_ADMIN_ENDPOINT
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: false,
statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE,
errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
describe('Failure test: authorized endpoint access', () => {
it('403 Forbidden when authorized endpoint set but user not logged in', async () => {
const authParams = testData.AUTH_MODE_AUTHENTICATED_ENDPOINT
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: true,
statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE,
errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams, noServiceToken: true})
})
})
describe('Failure test: Organization match', () => {
it('401 Unauthorized + login trigger when org does not match', async () => {
const authParams = {
org: testData.ORG_B,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectLoginToBeTriggered
const expectFuncParams = {
statusCode: testData.ERRORS.UNAUTHORIZED.STATUS_CODE,
errorMessage: testData.ERRORS.UNAUTHORIZED.MESSAGE,
loginRedirectOrg: testData.ORG_B
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
describe('Failure test: onPreAuth', () => {
it('propagates im error when an exception occurs while building onPreAuth', async () => {
const expectedStatusCode = 417
const expectedMessage = ''
const expectedError = new errors.ServiceAuthorizationError({
httpCode: expectedStatusCode,
publicMessage: expectedMessage
})
expectedError.isImError = true
const authParams = {
onPreAuth: async () => {
throw expectedError
},
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: true,
statusCode: expectedStatusCode,
errorMessage: expectedMessage,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
describe('Failure test: onPreAuth', () => {
it('ValidationError when an exception occurs while building onPreAuth', async () => {
const authParams = {
onPreAuth: async () => {throw new Error('error-while-building-onPreAuth')},
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Error thrown while building onPreAuth'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('propagates im error when an exception occurs while building onPreAuth', async () => {
const expectedStatusCode = 417
const expectedMessage = ''
const expectedError = new errors.ServiceAuthorizationError({
httpCode: expectedStatusCode,
publicMessage: expectedMessage
})
expectedError.isImError = true
const authParams = {
onPreAuth: async () => {
throw expectedError
},
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: true,
statusCode: expectedStatusCode,
errorMessage: expectedMessage,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
describe('Failure test: Rule access', () => {
it('ValidationError when an exception occurs while building access rules (permission)', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
permission: () => {throw new Error('error-while-building-rule')}
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Error thrown while building access rules'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('propagates im error when an exception occurs while building access rules (permission)', async () => {
const expectedStatusCode = 417
const expectedMessage = ''
const expectedError = new errors.ServiceAuthorizationError({
httpCode: expectedStatusCode,
publicMessage: expectedMessage
})
expectedError.isImError = true
const authParams = {
org: testData.ORG_A,
accessRules: [{
permission: () => { throw expectedError }
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: true,
statusCode: expectedStatusCode,
errorMessage: expectedMessage,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('ValidationError when an exception occurs while building access rules (sub)', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
sub: () => {throw new Error('error-while-building-rule')}
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Error thrown while building access rules'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('propagates im error when an exception occurs while building access rules (sub)', async () => {
const expectedStatusCode = 417
const expectedMessage = ''
const expectedError = new errors.ServiceAuthorizationError({
httpCode: expectedStatusCode,
publicMessage: expectedMessage
})
expectedError.isImError = true
const authParams = {
org: testData.ORG_A,
accessRules: [{
sub: () => { throw expectedError }
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: true,
statusCode: expectedStatusCode,
errorMessage: expectedMessage,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('ValidationError when an exception occurs while building access rules (unit)', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
unit: () => {throw new Error('error-while-building-rule')}
}]
}
const expectFunc = expectValidationError
const expectFuncParams = {
internalErrorMessage: 'Error thrown while building access rules'
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('propagates im error when an exception occurs while building access rules (unit)', async () => {
const expectedStatusCode = 417
const expectedMessage = ''
const expectedError = new errors.ServiceAuthorizationError({
httpCode: expectedStatusCode,
publicMessage: expectedMessage
})
expectedError.isImError = true
const authParams = {
org: testData.ORG_A,
accessRules: [{
unit: () => { throw expectedError }
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: true,
noServiceToken: true,
statusCode: expectedStatusCode,
errorMessage: expectedMessage,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('403 Forbidden when access rule permission does not match', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_B
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: false,
statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE,
errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('403 Forbidden when access rule sub does not match', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
sub: testData.SUB_B
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: false,
statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE,
errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('403 Forbidden when access rule unit does exist in token', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
unit: testData.UNIT_C
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: false,
statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE,
errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
it('403 Forbidden when access rule unit does exists in token but does not contain permission', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
unit: testData.UNIT_A,
permission: testData.UNIT_B_PERMISSION
}]
}
const expectFunc = expectAuthError
const expectFuncParams = {
noCredentials: false,
statusCode: testData.ERRORS.FORBIDDEN.STATUS_CODE,
errorMessage: testData.ERRORS.FORBIDDEN.MESSAGE,
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
describe('Success test: serviceAdmin access', () => {
it('Token payload is added to credentials on success', async () => {
const authParams = {
org: testData.ORG_B,
accessRules: [{
permission: testData.PERMISSION_B
}]
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.SERVICE_ADMIN_MATCH,
authenticationParameters: authParams,
matchingAccessRules: [],
matchingServiceAdmin: {
serviceAdmin: true
}
}
}
return await expectFunctionRunner({
serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN,
authParams,
expectFunc,
expectFuncParams
})
})
it('Token payload is added to credentials on success even if serviceAdmin is the only one defined', async () => {
const authParams = testData.AUTH_MODE_SERVICE_ADMIN_ENDPOINT
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.SERVICE_ADMIN_MATCH,
authenticationParameters: authParams,
matchingAccessRules: [],
matchingServiceAdmin: {
serviceAdmin: true
}
}
}
return await expectFunctionRunner({
serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_SERVICE_ADMIN,
authParams,
expectFunc,
expectFuncParams
})
})
})
describe('Success test: Rule access', () => {
it('onPreAuth should be able to modify request object', async () => {
const expectedRequestString = 'string-on-request-object'
const authParams = {
onPreAuth: async (req) => {
req.temp = expectedRequestString
},
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectModifiedRequest
const expectFuncParams = {
expectedRequestString
}
return await expectFunctionRunner({
authParams,
expectFunc,
expectFuncParams
})
})
it('Token payload is added to credentials when non-unit permission matches', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.ORG_RULE_MATCH,
authenticationParameters: authParams,
matchingAccessRules: [authParams.accessRules[0]],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
authParams,
expectFunc,
expectFuncParams
})
})
it('Token payload is added to credentials when unit in token and org permission and unit matches', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
unit: testData.UNIT_A,
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.ORG_RULE_MATCH,
authenticationParameters: authParams,
matchingAccessRules: [authParams.accessRules[0]],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
authParams,
expectFunc,
expectFuncParams
})
})
it('Token payload is added to credentials when unit in token and unit permission and unit matches', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
unit: testData.UNIT_A,
permission: testData.UNIT_A_PERMISSION
}]
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.ORG_RULE_MATCH,
authenticationParameters: authParams,
matchingAccessRules: [authParams.accessRules[0]],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
authParams,
expectFunc,
expectFuncParams
})
})
it('should include serviceToken for open endpoint when authParams set to open endpoint', async () => {
const authParams = testData.AUTH_MODE_OPEN_ENDPOINT
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.NO_ACCESS_RULES,
authenticationParameters: testData.AUTH_MODE_OPEN_ENDPOINT,
matchingAccessRules: [],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS,
authParams,
expectFunc,
expectFuncParams
})
})
it('should allow request even without serviceToken for open endpoint when authParams set to open endpoint', async () => {
const authParams = testData.AUTH_MODE_OPEN_ENDPOINT
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {},
artifacts: {
reason: testData.artifactReasons.NO_SERVICE_TOKEN_NO_ACCESS_RULES,
authenticationParameters: testData.AUTH_MODE_OPEN_ENDPOINT,
matchingAccessRules: [],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
noServiceToken: true,
authParams,
expectFunc,
expectFuncParams
})
})
it('should include serviceToken for authenticated endpoint when authParams set to authenticated endpoint', async () => {
const authParams = testData.AUTH_MODE_AUTHENTICATED_ENDPOINT
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.AUTHENTICATED_ENDPOINT,
authenticationParameters: testData.AUTH_MODE_AUTHENTICATED_ENDPOINT,
matchingAccessRules: [],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS,
authParams,
expectFunc,
expectFuncParams
})
})
it('should allow missing accessRules and only validate org', async () => {
const authParams = {
org: testData.ORG_A
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.ORG_MATCH,
authenticationParameters: authParams,
matchingAccessRules: [],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A_EMPTY_PERMISSIONS,
authParams,
expectFunc,
expectFuncParams
})
})
it('should allow false org and only validate accessRules (Org A)', async () => {
const authParams = {
org: false,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_A),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.FALSE_ORG_MATCHING_ACCESS_RULES,
authenticationParameters: authParams,
matchingAccessRules: [authParams.accessRules[0]],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_A,
authParams,
expectFunc,
expectFuncParams
})
})
it('should allow false org and only validate accessRules (Org B)', async () => {
const authParams = {
org: false,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)
}, testData.VALID_SERVICE_TOKEN_PAYLOAD_B),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.FALSE_ORG_MATCHING_ACCESS_RULES,
authenticationParameters: authParams,
matchingAccessRules: [authParams.accessRules[0]],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({
serviceTokenPayload: testData.VALID_SERVICE_TOKEN_PAYLOAD_B,
authParams,
expectFunc,
expectFuncParams
})
})
it('Token payload is added to credentials on success even if serviceAdmin does not match', async () => {
const authParams = {
org: testData.ORG_A,
accessRules: [{
permission: testData.PERMISSION_A
}]
}
const expectFunc = expectCredentialsToBeAddedToRequest
const expectFuncParams = {
credentials: {
serviceToken: Object.assign({}, {
iat: expect.any(Number),
exp: expect.any(Number)},
testData.VALID_SERVICE_TOKEN_PAYLOAD_A),
imidToken: 'should be put in req credentials'
},
artifacts: {
reason: testData.artifactReasons.ORG_RULE_MATCH,
authenticationParameters: authParams,
matchingAccessRules: [authParams.accessRules[0]],
matchingServiceAdmin: null
}
}
return await expectFunctionRunner({authParams, expectFunc, expectFuncParams})
})
})
}