2021-03-25 07:21:23 +13:00
|
|
|
jest.mock("../../environment", () => ({
|
|
|
|
|
prod: false,
|
|
|
|
|
isTest: () => true,
|
|
|
|
|
isProd: () => this.prod,
|
2021-06-02 04:09:26 +12:00
|
|
|
_set: function(key, value) {
|
2021-03-25 07:21:23 +13:00
|
|
|
this.prod = value === "production"
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
)
|
2021-06-26 00:46:02 +12:00
|
|
|
const authorizedMiddleware = require("../authorized")
|
|
|
|
|
const env = require("../../environment")
|
2022-11-18 03:59:18 +13:00
|
|
|
const { PermissionType, PermissionLevel } = require("@budibase/backend-core/permissions")
|
2022-01-29 04:43:51 +13:00
|
|
|
const { doInAppContext } = require("@budibase/backend-core/context")
|
|
|
|
|
|
|
|
|
|
const APP_ID = ""
|
2021-03-10 00:27:12 +13:00
|
|
|
|
|
|
|
|
class TestConfiguration {
|
|
|
|
|
constructor(role) {
|
|
|
|
|
this.middleware = authorizedMiddleware(role)
|
|
|
|
|
this.next = jest.fn()
|
|
|
|
|
this.throw = jest.fn()
|
2022-01-26 11:54:50 +13:00
|
|
|
this.headers = {}
|
2021-03-10 00:27:12 +13:00
|
|
|
this.ctx = {
|
|
|
|
|
headers: {},
|
|
|
|
|
request: {
|
|
|
|
|
url: ""
|
|
|
|
|
},
|
2022-01-29 04:43:51 +13:00
|
|
|
appId: APP_ID,
|
2021-03-10 00:27:12 +13:00
|
|
|
auth: {},
|
|
|
|
|
next: this.next,
|
2022-01-26 11:54:50 +13:00
|
|
|
throw: this.throw,
|
|
|
|
|
get: (name) => this.headers[name],
|
2021-03-10 00:27:12 +13:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
executeMiddleware() {
|
2022-03-25 02:04:49 +13:00
|
|
|
return this.middleware(this.ctx, this.next)
|
2021-03-10 00:27:12 +13:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
setUser(user) {
|
|
|
|
|
this.ctx.user = user
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
setMiddlewareRequiredPermission(...perms) {
|
|
|
|
|
this.middleware = authorizedMiddleware(...perms)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
setResourceId(id) {
|
|
|
|
|
this.ctx.resourceId = id
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
setAuthenticated(isAuthed) {
|
2022-01-26 11:54:50 +13:00
|
|
|
this.ctx.isAuthenticated = isAuthed
|
2021-03-10 00:27:12 +13:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
setRequestUrl(url) {
|
|
|
|
|
this.ctx.request.url = url
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-25 07:21:23 +13:00
|
|
|
setEnvironment(isProd) {
|
|
|
|
|
env._set("NODE_ENV", isProd ? "production" : "jest")
|
2021-03-10 00:27:12 +13:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
setRequestHeaders(headers) {
|
|
|
|
|
this.ctx.headers = headers
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
afterEach() {
|
|
|
|
|
jest.clearAllMocks()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe("Authorization middleware", () => {
|
|
|
|
|
const next = jest.fn()
|
|
|
|
|
let config
|
|
|
|
|
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
config.afterEach()
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
beforeEach(() => {
|
|
|
|
|
config = new TestConfiguration()
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
describe("non-webhook call", () => {
|
|
|
|
|
let config
|
|
|
|
|
|
|
|
|
|
beforeEach(() => {
|
|
|
|
|
config = new TestConfiguration()
|
2021-03-25 07:21:23 +13:00
|
|
|
config.setEnvironment(true)
|
2021-03-10 00:27:12 +13:00
|
|
|
config.setAuthenticated(true)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
it("throws when no user data is present in context", async () => {
|
|
|
|
|
await config.executeMiddleware()
|
|
|
|
|
|
|
|
|
|
expect(config.throw).toHaveBeenCalledWith(403, "No user info found")
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
it("passes on to next() middleware if user is an admin", async () => {
|
|
|
|
|
config.setUser({
|
2021-05-21 07:48:24 +12:00
|
|
|
_id: "user",
|
2021-03-10 00:27:12 +13:00
|
|
|
role: {
|
|
|
|
|
_id: "ADMIN",
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
await config.executeMiddleware()
|
|
|
|
|
|
|
|
|
|
expect(config.next).toHaveBeenCalled()
|
|
|
|
|
})
|
2021-04-08 03:08:29 +12:00
|
|
|
|
2022-01-26 11:54:50 +13:00
|
|
|
it("throws if the user does not have builder permissions", async () => {
|
2021-03-25 07:21:23 +13:00
|
|
|
config.setEnvironment(false)
|
2022-11-18 03:59:18 +13:00
|
|
|
config.setMiddlewareRequiredPermission(PermissionType.BUILDER)
|
2021-03-10 00:27:12 +13:00
|
|
|
config.setUser({
|
|
|
|
|
role: {
|
|
|
|
|
_id: ""
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
await config.executeMiddleware()
|
|
|
|
|
|
|
|
|
|
expect(config.throw).toHaveBeenCalledWith(403, "Not Authorized")
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
it("passes on to next() middleware if the user has resource permission", async () => {
|
2022-11-18 03:59:18 +13:00
|
|
|
config.setResourceId(PermissionType.QUERY)
|
2021-03-10 00:27:12 +13:00
|
|
|
config.setUser({
|
|
|
|
|
role: {
|
|
|
|
|
_id: ""
|
|
|
|
|
}
|
|
|
|
|
})
|
2022-11-18 03:59:18 +13:00
|
|
|
config.setMiddlewareRequiredPermission(PermissionType.QUERY)
|
2021-03-10 00:27:12 +13:00
|
|
|
|
|
|
|
|
await config.executeMiddleware()
|
|
|
|
|
expect(config.next).toHaveBeenCalled()
|
|
|
|
|
})
|
|
|
|
|
|
2022-01-26 11:54:50 +13:00
|
|
|
it("throws if the user session is not authenticated", async () => {
|
2021-03-10 00:27:12 +13:00
|
|
|
config.setUser({
|
|
|
|
|
role: {
|
|
|
|
|
_id: ""
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
config.setAuthenticated(false)
|
|
|
|
|
|
|
|
|
|
await config.executeMiddleware()
|
|
|
|
|
expect(config.throw).toHaveBeenCalledWith(403, "Session not authenticated")
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
it("throws if the user does not have base permissions to perform the operation", async () => {
|
|
|
|
|
config.setUser({
|
|
|
|
|
role: {
|
|
|
|
|
_id: ""
|
|
|
|
|
},
|
|
|
|
|
})
|
2022-11-18 03:59:18 +13:00
|
|
|
config.setMiddlewareRequiredPermission(PermissionType.ADMIN, PermissionLevel.BASIC)
|
2021-03-10 00:27:12 +13:00
|
|
|
|
|
|
|
|
await config.executeMiddleware()
|
|
|
|
|
expect(config.throw).toHaveBeenCalledWith(403, "User does not have permission")
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
})
|
