X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=test%2Flib%2Fauthenticator.js;h=6cac48faabc9b73fba373739777ac7fe8daa7751;hb=a821a0f79c42f8ea55aec503c992650113d82028;hp=3ab6fb34653d0189e5066c44ec4188c4544015bb;hpb=1e2d8a7bdb0df28d08258ee813ee6db77168d59e;p=squeep-authentication-module
diff --git a/test/lib/authenticator.js b/test/lib/authenticator.js
index 3ab6fb3..6cac48f 100644
--- a/test/lib/authenticator.js
+++ b/test/lib/authenticator.js
@@ -10,15 +10,13 @@ const Errors = require('../../lib/errors');
 const Enum = require('../../lib/enum');
 const Config = require('../stub-config');
-const noExpectedException = 'did not receive expected exception';
-
 describe('Authenticator', function () {
 let authenticator, credential, ctx, identifier, password, options;
 function _authMechanismRequired(a, m) {
 if (!a.authn[m]) { // eslint-disable-line security/detect-object-injection
 this.skip();
 }
- };
+ }
 beforeEach(function () {
 options = Config('test');
@@ -35,12 +33,9 @@ describe('Authenticator', function () {
 it('covers no auth mechanisms', function () {
 options.authenticator.authnEnabled = [];
- try {
- authenticator = new Authenticator(stubLogger, stubDb, options);
- assert.fail(noExpectedException);
- } catch (e) {
- assert.strictEqual(e.message, 'no authentication mechanisms available');
- }
+ assert.throws(() => new Authenticator(stubLogger, stubDb, options), {
+ message: 'no authentication mechanisms available',
+ });
 });
 it('covers empty realm', function () {
@@ -117,6 +112,12 @@ describe('Authenticator', function () {
 assert.strictEqual(result, false);
 assert.strictEqual(ctx.authenticationId, undefined);
 });
+ it('covers non-string credential', async function () {
+ credential = '$argon2id$v=19$m=4096,t=3,p=1$SbAlHo5x2HM0PvMAWYHqww$gNn/o+B6+IWsnrVupPkTAiiK9tvwV+eM/HoXG41bnzM';
+ const result = await authenticator.isValidIdentifierCredential(identifier, undefined, ctx);
+ assert.strictEqual(result, false);
+ assert.strictEqual(ctx.authenticationId, undefined);
+ });
 it('covers unknown password hash', async function () {
 authenticator.db.authenticationGet.resolves({
 identifier,
@@ -165,12 +166,7 @@ describe('Authenticator', function () {
 _authMechanismRequired(authenticator, 'pam');
 const expected = new Error('blah');
 authenticator.authn.pam.pamAuthenticatePromise.rejects(expected);
- try {
- await authenticator._isValidPAMIdentifier(identifier, credential);
- assert.fail(noExpectedException);
- } catch (e) {
- assert.deepStrictEqual(e, expected);
- }
+ assert.rejects(() => authenticator._isValidPAMIdentifier(identifier, credential), expected);
 });
 it('covers forbidden', async function () {
 identifier = 'root';
@@ -222,16 +218,13 @@ describe('Authenticator', function () {
 describe('requestBasic', function () {
 it('covers', function () {
- try {
- const res = {
- setHeader: () => {},
- };
- authenticator.requestBasic(res);
- assert.fail(noExpectedException);
- } catch (e) {
- assert(e instanceof Errors.ResponseError);
- assert.strictEqual(e.statusCode, Enum.ErrorResponse.Unauthorized.statusCode);
- }
+ const res = {
+ setHeader: () => {},
+ };
+ assert.throws(() => authenticator.requestBasic(res), {
+ name: 'ResponseError',
+ statusCode: Enum.ErrorResponse.Unauthorized.statusCode,
+ });
 });
 }); // requestBasic
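Review bot: The `credential = '$argon2id$...'` line in the new 'covers non-string credential' test is dead: the call on the next line passes `undefined` as the credential and nothing else in the hunk reads `credential`, so the argon2 fixture has no effect on what is exercised. Either drop that line or, if the intent was for the stored hash to be argon2 while the supplied credential is missing, put the fixture where the `authenticator.db.authenticationGet` stub is configured, as the neighbouring 'covers unknown password hash' test does; that setup is outside the hunk so I cannot confirm which was meant. The title says 'non-string' but only `undefined` is tried; `it('covers undefined credential', ...)` would describe the assertion more accurately.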
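Review bot: `assert.rejects(() => authenticator._isValidPAMIdentifier(identifier, credential), expected);` in the `@@ -165,12 +166,7 @@` hunk is neither awaited nor returned, so its promise floats: if the call resolves, or rejects with a different error, the test still passes and the mismatch surfaces only as an unhandled rejection that mocha cannot attribute to this test. The removed try/catch did await the call, so this is a loss of detection, not just style. Change it to `await assert.rejects(() => authenticator._isValidPAMIdentifier(identifier, credential), expected);`. The same unawaited `assert.rejects` appears in the 'rejects insecure connection' test of the `@@ -299,15 +292,22 @@` hunk and in all three `assert.rejects` calls of the `@@ -423,23 +423,40 @@` hunk.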
@@ -299,15 +292,22 @@ describe('Authenticator', function () {
 const result = await authenticator.sessionCheck(req, res, ctx, loginPath, required, profilesAllowed);
 assert.strictEqual(result, true);
 });
+ it('covers valid insecure cookie session', async function () {
+ authenticator.secureAuthOnly = false;
+ req.getHeader.returns(cookie);
+ sinon.stub(authenticator, 'isValidCookieAuth').resolves(true);
+ ctx.session = {
+ authenticatedIdentifier: 'user',
+ };
+ const result = await authenticator.sessionCheck(req, res, ctx, loginPath, required, profilesAllowed);
+ assert.strictEqual(result, true);
+ });
 it('rejects insecure connection', async function () {
 ctx.clientProtocol = 'http';
- try {
- await authenticator.sessionCheck(req, res, ctx, loginPath, required, profilesAllowed);
- assert.fail(noExpectedException);
- } catch (e) {
- assert(e instanceof Errors.ResponseError);
- assert.strictEqual(e.statusCode, Enum.ErrorResponse.Forbidden.statusCode);
- }
+ assert.rejects(() => authenticator.sessionCheck(req, res, ctx, loginPath, required, profilesAllowed), {
+ name: 'ResponseError',
+ sttausCode: Enum.ErrorResponse.Forbidden.statusCode,
+ });
 });
 it('ignores insecure connection if auth not required', async function () {
 ctx.clientProtocol = 'http';
@@ -407,7 +407,7 @@ describe('Authenticator', function () {
 }); // sessionCheck
 describe('apiRequiredLocal', function () {
- let req, res, ctx;
+ let req, res;
 beforeEach(function () {
 ctx = {};
 req = {
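Review bot: `sttausCode: Enum.ErrorResponse.Forbidden.statusCode,` in the 'rejects insecure connection' test misspells the property, so the matcher compares against `error.sttausCode` (undefined) and can never match the thrown ResponseError; the status-code check the removed `assert.strictEqual(e.statusCode, ...)` performed is lost. Because the `assert.rejects` on the line above is not awaited, the resulting mismatch is not reported as a failure of this test, which is presumably why it went unnoticed. Change the line to `statusCode: Enum.ErrorResponse.Forbidden.statusCode,` and prefix the call with `await`. This is the test that guards the secure-transport requirement, so it is worth keeping effective.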
@@ -423,23 +423,40 @@ describe('Authenticator', function () {
 sinon.stub(authenticator, 'sessionCheck').resolves(false);
 sinon.stub(authenticator, 'isValidAuthorization').resolves(true);
 const result = await authenticator.apiRequiredLocal(req, res, ctx);
-assert(authenticator.sessionCheck.called);
+assert.strictEqual(result, true);
 assert(authenticator.isValidAuthorization.called);
+assert(!authenticator.sessionCheck.called);
+ });
+ it('covers invalid basic auth', async function () {
+ req.getHeader.returns('Basic Zm9vOmJhcg==');
+ sinon.stub(authenticator, 'sessionCheck').resolves(false);
+ sinon.stub(authenticator, 'isValidAuthorization').resolves(false);
+ assert.rejects(() => authenticator.apiRequiredLocal(req, res, ctx), {
+ name: 'ResponseError',
+ statusCode: 401,
+ });
+ assert(!authenticator.sessionCheck.called);
+ assert(authenticator.isValidAuthorization.called);
+ });
+ it('covers missing basic auth, valid session', async function () {
+ req.getHeader.returns();
+ sinon.stub(authenticator, 'sessionCheck').resolves(true);
+ sinon.stub(authenticator, 'isValidAuthorization').resolves(false);
+ const result = await authenticator.apiRequiredLocal(req, res, ctx);
 assert.strictEqual(result, true);
+ assert(!authenticator.isValidAuthorization.called);
+ assert(authenticator.sessionCheck.called);
 });
- it('requests basic auth when missing, ignores session', async function () {
+ it('covers missing basic auth, ignores session', async function () {
 req.getHeader.returns();
 sinon.stub(authenticator, 'isValidAuthorization').resolves(true);
- try {
- await authenticator.apiRequiredLocal(req, res, ctx, false);
- assert.fail(noExpectedException);
- } catch (e) {
- console.log(e);
- assert.strictEqual(e.statusCode, 401);
- assert(!authenticator.sessionCheck.called);
- assert(!authenticator.isValidAuthorization.called);
- assert(res.setHeader.called);
- }
+ assert.rejects(authenticator.apiRequiredLocal(req, res, ctx, false), {
+ name: 'ResponseError',
+ statusCode: 401,
+ });
+ assert(!authenticator.sessionCheck.called);
+ assert(!authenticator.isValidAuthorization.called);
+ assert(res.setHeader.called);
 });
 }); // apiRequiredLocal
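Review bot: In the 'covers invalid basic auth' and 'covers missing basic auth, ignores session' tests the `assert.rejects(...)` promise is not awaited, and the `assert(...called)` checks after it run while `apiRequiredLocal` may still be executing, so whether `isValidAuthorization.called` or `res.setHeader.called` is already set depends on how far the method gets before its first `await`, which this hunk does not show. Await the rejection before inspecting the stubs, e.g. `await assert.rejects(() => authenticator.apiRequiredLocal(req, res, ctx), { name: 'ResponseError', statusCode: 401 });`, and the same for the second test. The literal `401` in both matchers could be `Enum.ErrorResponse.Unauthorized.statusCode`, which is what the requestBasic test in this file uses, so the expected code is defined in one place. The first test in the hunk begins before line 423, outside the visible range.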