ben.carrasco/jambonz-api-server
1
0
Fork 0
mirror of https://github.com/jambonz/jambonz-api-server.git synced 2026-05-06 08:47:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

added more authentication tests

Browse Source
This commit is contained in:
Dave Horton
2019-12-05 15:11:53 -05:00
parent ce587d828f
commit c95a9ebaf7
7 changed files with 319 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/auth/index.js
+4 -1
View File
@@ -41,7 +41,10 @@ function makeStrategy(logger) {
const user = {
account_sid: results[0].account_sid,
service_provider_sid: results[0].service_provider_sid,
hasScope: (s) => scope.includes(s)
hasScope: (s) => scope.includes(s),
hasAdminAuth: scope.length === 3,
hasServiceProviderAuth: scope.includes('service_provider') && !scope.includes('admin'),
hasAccountAuth: scope.includes('account') && !scope.includes('service_provider')
};
logger.info(user, `successfully validated with scope ${scope}`);
return done(null, user, {scope});
lib/routes/api/accounts.js
+33 -5
View File
@@ -10,18 +10,46 @@ const preconditions = {
};
async function validateAdd(req) {
/* check that service provider exists */
const result = await ServiceProvider.retrieve(req.body.service_provider_sid);
if (!result || result.length === 0) {
throw new DbErrorBadRequest(`service_provider not found for sid ${req.body.service_provider_sid}`);
/* account-level token can not be used to add accounts */
if (req.user.hasAccountAuth) {
throw new DbErrorUnprocessableRequest('insufficient permissions to create accounts');
}
if (req.user.hasServiceProviderAuth) {
/* service providers can only create accounts under themselves */
req.body.service_provider_sid = req.user.service_provider_sid;
}
if (req.body.service_provider_sid) {
const result = await ServiceProvider.retrieve(req.body.service_provider_sid);
if (!result || result.length === 0) {
throw new DbErrorBadRequest(`service_provider not found for sid ${req.body.service_provider_sid}`);
}
}
}
async function validateUpdate(req, sid) {
if (req.body.service_provider_sid) throw new DbErrorBadRequest('service_provider_sid may not be modified')
if (req.user.hasAccountAuth && req.user.account_sid !== sid) {
throw new DbErrorUnprocessableRequest('insufficient privileges to update this account');
}
if (req.user.service_provider_sid && !req.user.hasScope('admin')) {
const result = await Account.retrieve(sid);
if (result[0].service_provider_sid !== req.user.service_provider_sid) {
throw new DbErrorUnprocessableRequest('cannot update account from different service provider');
}
}
if (req.body.service_provider_sid) throw new DbErrorBadRequest('service_provider_sid may not be modified');
}
async function validateDelete(req, sid) {
if (req.user.hasAccountAuth && req.user.account_sid !== sid) {
throw new DbErrorUnprocessableRequest('insufficient privileges to update this account');
}
const assignedPhoneNumbers = await Account.getForeignKeyReferences('phone_numbers.account_sid', sid);
if (assignedPhoneNumbers > 0) throw new DbErrorUnprocessableRequest('cannot delete account with phone numbers');
if (req.user.service_provider_sid && !req.user.hasScope('admin')) {
const result = await Account.retrieve(sid);
if (result[0].service_provider_sid !== req.user.service_provider_sid) {
throw new DbErrorUnprocessableRequest('cannot delete account from different service provider');
}
}
}
decorate(router, Account, ['*'], preconditions);
lib/routes/api/api-keys.js
+10 -8
View File
@@ -11,18 +11,20 @@ const preconditions = {
};
function validateAddToken(req) {
if (req.user.hasScope('admin') && ('account_sid' in req.body)) {
// ok
req.body.token = uuidv4();
if (req.user.hasAdminAuth) return;
if (req.user.hasServiceProviderAuth) {
if (req.body.account_sid) delete req.body.service_provider_sid;
else req.body.service_provider_sid = req.user.service_provider_sid;
}
else if (req.user.hasScope('service_provider') &&
(!('account_sid' in req.body) && !('service_provider_sid' in req.body))) {
req.body['service_provider_sid'] = req.user.service_provider_sid;
}
else if (req.user.hasScope('account') && !req.user.hasScope('service_provider')) {
if (req.user.hasAccountAuth) {
if (req.body.account_sid !== req.user.account_sid) {
throw new DbErrorBadRequest('an account level token may not be used to create a token for a different account');
}
delete req.body['service_provider_sid'];
req.body['account_sid'] = req.user.account_sid;
}
req.body.token = uuidv4();
}
async function validateDeleteToken(req, sid) {
lib/swagger/swagger.yaml
+1 -1
View File
@@ -12,7 +12,7 @@ servers:
- url: /v1
description: development server
paths:
/Apikeys:
/ApiKeys:
post:
summary: create an api key
operationId: createApikey
test/auth.js
+262
View File
@@ -0,0 +1,262 @@
const test = require('tape').test ;
const ADMIN_TOKEN = '38700987-c7a4-4685-a5bb-af378f9734de';
const authAdmin = {bearer: ADMIN_TOKEN};
const request = require('request-promise-native').defaults({
baseUrl: 'http://127.0.0.1:3000/v1'
});
const {createVoipCarrier, createServiceProvider, createPhoneNumber, createAccount, deleteObjectBySid} = require('./utils');
process.on('unhandledRejection', (reason, p) => {
console.log('Unhandled Rejection at: Promise', p, 'reason:', reason);
});
test('authentication tests', async(t) => {
const app = require('../app');
try {
let result;
/* create two service providers */
const spA_sid = await createServiceProvider(request, 'spA');
const spB_sid = await createServiceProvider(request, 'spB');
const voip_carrier_sid = await createVoipCarrier(request);
/* create a service provider token for each sp */
result = await request.post('/ApiKeys', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
service_provider_sid: spA_sid
}
});
t.ok(result.statusCode === 201 && result.body.token, 'successfully created auth token for service provider A');
const spA_token_sid = result.body.sid;
const spA_token = result.body.token;
result = await request.post('/ApiKeys', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
service_provider_sid: spB_sid
}
});
//console.log(`result: ${JSON.stringify(result)}`);
t.ok(result.statusCode === 201 && result.body.token, 'successfully created auth token for service provider B');
const spB_token_sid = result.body.sid;
const spB_token = result.body.token;
/* use service provider tokens to create two accounts for each SP */
result = await request.post('/Accounts', {
auth: {bearer: spA_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
name: 'accountA1'
}
});
t.ok(result.statusCode === 201, 'successfully created account A1 using service provider token A');
const accA1 = result.body.sid;
result = await request.post('/Accounts', {
auth: {bearer: spA_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
name: 'accountA2'
}
});
t.ok(result.statusCode === 201, 'successfully created account A2 using service provider token A');
const accA2 = result.body.sid;
result = await request.post('/Accounts', {
auth: {bearer: spB_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
name: 'accountB1'
}
});
t.ok(result.statusCode === 201, 'successfully created account B1 using service provider token B');
const accB1 = result.body.sid;
result = await request.post('/Accounts', {
auth: {bearer: spB_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
name: 'accountB2'
}
});
t.ok(result.statusCode === 201, 'successfully created account B2 using service provider token B');
const accB2 = result.body.sid;
/* cannot update account from different service provider */
result = await request.put(`/Accounts/${accA1}`, {
auth: {bearer: spB_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
sip_realm: 'sip.foo.bar'
}
});
t.ok(result.statusCode === 422 && result.body.msg === 'cannot update account from different service provider',
'service provider token B cannot be used to update account from service provider A');
/* cannot delete account from different service provider */
result = await request.delete(`/Accounts/${accA1}`, {
auth: {bearer: spB_token},
resolveWithFullResponse: true,
simple: false,
json: true,
});
t.ok(result.statusCode === 422 && result.body.msg === 'cannot delete account from different service provider',
'service provider token B cannot be used to delete account from service provider A');
/* service provider token A can update account A1 */
result = await request.put(`/Accounts/${accA1}`, {
auth: {bearer: spA_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
sip_realm: 'sip.foo.bar'
}
});
t.ok(result.statusCode === 204, 'service provider token A can update account A1');
/* create a account token for account A1 */
result = await request.post('/ApiKeys', {
resolveWithFullResponse: true,
simple: false,
auth: {bearer: spA_token},
json: true,
body: {
account_sid: accA1
}
});
t.ok(result.statusCode === 201 && result.body.token, 'successfully created auth token for account A1');
const accA1_token_sid = result.body.sid;
const accA1_token = result.body.token;
/* cannot create an account using an account-level token */
result = await request.post('/Accounts', {
auth: {bearer: accA1_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
name: 'accountC',
service_provider_sid: spA_sid
}
});
//console.log(`result: ${JSON.stringify(result)}`);
t.ok(result.statusCode === 422 && result.body.msg === 'insufficient permissions to create accounts',
'cannot create an account using an account-level token');
/* cannot update account A2 using auth token for account A1*/
result = await request.put(`/Accounts/${accA2}`, {
auth: {bearer: accA1_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
sip_realm: 'sip.foo.bar'
}
});
//console.log(`result: ${JSON.stringify(result)}`);
t.ok(result.statusCode === 422 && result.body.msg === 'insufficient privileges to update this account',
'cannot update account A2 using auth token for account A1');
/* can update an account using an appropriate account-level token */
result = await request.put(`/Accounts/${accA1}`, {
auth: {bearer: accA1_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
sip_realm: 'sip.foo.bar'
}
});
//console.log(`result: ${JSON.stringify(result)}`);
t.ok(result.statusCode === 204, 'successfully updated account A1 using auth token for account A1');
/* service provider token can not be used to add phone number */
result = await request.post('/PhoneNumbers', {
auth: {bearer: spA_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
number: '16173333456',
voip_carrier_sid
}
});
t.ok(result.statusCode === 403, 'service provider token can not be used to add phone number');
/* account token can not be used to add phone number */
result = await request.post('/PhoneNumbers', {
auth: {bearer: accA1_token},
resolveWithFullResponse: true,
simple: false,
json: true,
body: {
number: '16173333456',
voip_carrier_sid
}
});
t.ok(result.statusCode === 403, 'account level token can not be used to add phone number');
/* account level token can not create token for another account */
result = await request.post('/ApiKeys', {
resolveWithFullResponse: true,
simple: false,
auth: {bearer: accA1_token},
json: true,
body: {
account_sid: accA2
}
});
//console.log(`result: ${JSON.stringify(result)}`);
t.ok(result.statusCode === 400 && result.body.msg === 'an account level token may not be used to create a token for a different account',
'an account level token may not be used to create a token for a different account');
/* account level token can create token for the same account */
result = await request.post('/ApiKeys', {
resolveWithFullResponse: true,
simple: false,
auth: {bearer: accA1_token},
json: true,
body: {
account_sid: accA1
}
});
//console.log(`result: ${JSON.stringify(result)}`);
t.ok(result.statusCode === 201, 'successfully created a token for the same account using an account level token');
const accA1_token_sid2 = result.body.sid;
const accA2_token2 = result.body.token;
/* delete all objects */
await deleteObjectBySid(request, '/ApiKeys', accA1_token_sid);
await deleteObjectBySid(request, '/ApiKeys', accA1_token_sid2);
await deleteObjectBySid(request, '/ApiKeys', spA_token_sid);
await deleteObjectBySid(request, '/ApiKeys', spB_token_sid);
await deleteObjectBySid(request, '/Accounts', accA1);
await deleteObjectBySid(request, '/Accounts', accA2);
await deleteObjectBySid(request, '/Accounts', accB1);
await deleteObjectBySid(request, '/Accounts', accB2);
await deleteObjectBySid(request, '/ServiceProviders', spA_sid);
await deleteObjectBySid(request, '/ServiceProviders', spB_sid);
t.end();
}
catch (err) {
console.error(err);
t.end(err);
}
});
test/index.js
+1
View File
@@ -4,4 +4,5 @@ require('./voip-carriers');
require('./accounts');
require('./phone-numbers');
require('./applications');
require('./auth');
require('./remove-test-db');
test/utils.js
+8 -8
View File
@@ -2,46 +2,46 @@
const ADMIN_TOKEN = '38700987-c7a4-4685-a5bb-af378f9734de';
const authAdmin = {bearer: ADMIN_TOKEN};
async function createServiceProvider(request) {
async function createServiceProvider(request, name = 'daveh') {
const result = await request.post('/ServiceProviders', {
auth: authAdmin,
json: true,
body: {
name: 'daveh'
name
}
});
return result.sid;
}
async function createVoipCarrier(request) {
async function createVoipCarrier(request, name = 'daveh') {
const result = await request.post('/VoipCarriers', {
auth: authAdmin,
json: true,
body: {
name: 'daveh'
name
}
});
return result.sid;
}
async function createPhoneNumber(request, voip_carrier_sid) {
async function createPhoneNumber(request, voip_carrier_sid, number = '15083333456') {
const result = await request.post('/PhoneNumbers', {
auth: authAdmin,
json: true,
body: {
number: '15083084809',
number,
voip_carrier_sid
}
});
return result.sid;
}
async function createAccount(request, service_provider_sid) {
async function createAccount(request, service_provider_sid, name = 'daveh') {
const result = await request.post('/Accounts', {
auth: authAdmin,
json: true,
body: {
name: 'daveh',
name,
service_provider_sid
}
});