185 lines
4.9 KiB
JavaScript
185 lines
4.9 KiB
JavaScript
import { suite, test } from 'node:test'
|
|
import assert from 'node:assert'
|
|
import { TokenManager } from '../server/server.js'
|
|
import fs from 'node:fs/promises'
|
|
import path from 'node:path'
|
|
import { fileURLToPath } from 'node:url'
|
|
|
|
const __filename = fileURLToPath(import.meta.url)
|
|
const __dirname = path.dirname(__filename)
|
|
|
|
// Import the securityEnhancer to test isAdmin
|
|
import { securityEnhancer } from '../index.js'
|
|
|
|
suite('isAdmin functionality with tokens', () => {
|
|
let tempDir
|
|
let tokenManager
|
|
let enhancer
|
|
let adminUser
|
|
let regularUser
|
|
let adminToken
|
|
let regularToken
|
|
|
|
const setup = async () => {
|
|
tempDir = path.join(__dirname, 'temp-admin-' + Date.now())
|
|
await fs.mkdir(tempDir, { recursive: true })
|
|
|
|
tokenManager = new TokenManager(tempDir)
|
|
|
|
adminUser = {
|
|
displayName: 'Admin User',
|
|
email: 'admin@example.com',
|
|
provider: 'github',
|
|
id: 'admin123'
|
|
}
|
|
|
|
regularUser = {
|
|
displayName: 'Regular User',
|
|
email: 'user@example.com',
|
|
provider: 'github',
|
|
id: 'user456'
|
|
}
|
|
|
|
// Create tokens for both users
|
|
const adminResult = await tokenManager.createToken(adminUser, 'admin-token')
|
|
adminToken = adminResult.token
|
|
|
|
const regularResult = await tokenManager.createToken(regularUser, 'regular-token')
|
|
regularToken = regularResult.token
|
|
|
|
// Create the enhancer with admin configuration
|
|
const mockLog = console.log
|
|
const mockLoga = console.log
|
|
const mockArgv = {
|
|
status: tempDir,
|
|
admin: adminUser // Configure admin user
|
|
}
|
|
const mockBaseHandler = {
|
|
getUser: (req) => req.user || null,
|
|
isAuthorized: () => false,
|
|
isAdmin: () => false // Base handler doesn't grant admin access
|
|
}
|
|
|
|
enhancer = securityEnhancer(mockLog, mockLoga, mockArgv, mockBaseHandler)
|
|
}
|
|
|
|
const cleanup = async () => {
|
|
if (tempDir) {
|
|
await fs.rm(tempDir, { recursive: true, force: true })
|
|
}
|
|
}
|
|
|
|
test('isAdmin returns true for tokens belonging to admin users', async () => {
|
|
await setup()
|
|
try {
|
|
const req = {
|
|
headers: {
|
|
authorization: `Bearer ${adminToken}`
|
|
}
|
|
}
|
|
|
|
// Set up token auth context (normally done by middleware)
|
|
await enhancer.middleware(req, {}, () => {})
|
|
|
|
// Test isAdmin
|
|
const baseIsAdmin = () => false
|
|
const isAdmin = enhancer.isAdmin(req, baseIsAdmin)
|
|
|
|
assert.equal(isAdmin, true)
|
|
} finally {
|
|
await cleanup()
|
|
}
|
|
})
|
|
|
|
test('isAdmin returns false for tokens belonging to regular users', async () => {
|
|
await setup()
|
|
try {
|
|
const req = {
|
|
headers: {
|
|
authorization: `Bearer ${regularToken}`
|
|
}
|
|
}
|
|
|
|
// Set up token auth context (normally done by middleware)
|
|
await enhancer.middleware(req, {}, () => {})
|
|
|
|
// Test isAdmin
|
|
const baseIsAdmin = () => false
|
|
const isAdmin = enhancer.isAdmin(req, baseIsAdmin)
|
|
|
|
assert.equal(isAdmin, false)
|
|
} finally {
|
|
await cleanup()
|
|
}
|
|
})
|
|
|
|
test('isAdmin respects base admin when base returns true', async () => {
|
|
await setup()
|
|
try {
|
|
const req = {
|
|
headers: {
|
|
authorization: `Bearer ${regularToken}`
|
|
}
|
|
}
|
|
|
|
// Set up token auth context (normally done by middleware)
|
|
await enhancer.middleware(req, {}, () => {})
|
|
|
|
// Test isAdmin with base admin returning true (session-based admin)
|
|
const baseIsAdmin = () => true
|
|
const isAdmin = enhancer.isAdmin(req, baseIsAdmin)
|
|
|
|
assert.equal(isAdmin, true)
|
|
} finally {
|
|
await cleanup()
|
|
}
|
|
})
|
|
|
|
test('isAdmin returns false when no token auth present', async () => {
|
|
await setup()
|
|
try {
|
|
const req = { headers: {} }
|
|
|
|
// Test isAdmin without token auth
|
|
const baseIsAdmin = () => false
|
|
const isAdmin = enhancer.isAdmin(req, baseIsAdmin)
|
|
|
|
assert.equal(isAdmin, false)
|
|
} finally {
|
|
await cleanup()
|
|
}
|
|
})
|
|
|
|
test('isAdmin returns false when no admin is configured', async () => {
|
|
// Create enhancer without admin configuration
|
|
const tempDir2 = path.join(__dirname, 'temp-no-admin-' + Date.now())
|
|
await fs.mkdir(tempDir2, { recursive: true })
|
|
|
|
try {
|
|
const mockArgv = { status: tempDir2 } // No admin configured
|
|
const mockBaseHandler = {
|
|
getUser: () => null,
|
|
isAuthorized: () => false,
|
|
isAdmin: () => false
|
|
}
|
|
|
|
const enhancerNoAdmin = securityEnhancer(console.log, console.log, mockArgv, mockBaseHandler)
|
|
|
|
const req = {
|
|
tokenAuth: {
|
|
user: adminUser,
|
|
scopes: ['site:read', 'site:write'],
|
|
tokenName: 'test-token'
|
|
}
|
|
}
|
|
|
|
const baseIsAdmin = () => false
|
|
const isAdmin = enhancerNoAdmin.isAdmin(req, baseIsAdmin)
|
|
|
|
assert.equal(isAdmin, false)
|
|
} finally {
|
|
await fs.rm(tempDir2, { recursive: true, force: true })
|
|
}
|
|
})
|
|
})
|