Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: protect the metadata in case of basic and ucl-mtls authentication #111

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
+489 −4
Draft

feat: protect the metadata in case of basic and ucl-mtls authentication #111

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1541f5c
initial commit
aramovic79 Jan 22, 2025
4bc4300
add authentication types
aramovic79 Jan 22, 2025
51dc01e
tmp change
aramovic79 Jan 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
368 changes: 368 additions & 0 deletions __tests__/unittest/authentication.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,368 @@
// const authenticate = require('../../lib/authentication');

describe('Authentication Middleware', () => {
const mockValidUsers = { admin: "secret" };
const mockTrustedSubject = "CN=test.example.com,OU=Test,O=Example";
const protectedRoute = "/open-resource-discovery/v1/documents/1";

beforeAll(() => {
// Mock environment variables
process.env.APP_USERS = JSON.stringify(mockValidUsers);
process.env.CMP_DEV_INFO_ENDPOINT = "https://test-endpoint.com";

// Mock fetch for trusted subjects
// eslint-disable-next-line no-unused-vars
const mockFetch = jest.fn().mockImplementation(() =>
Promise.resolve({
ok: true,
json: () => Promise.resolve({ certSubject: mockTrustedSubject }),
}),
);
});

afterAll(() => {
delete process.env.APP_USERS;
delete process.env.CMP_DEV_INFO_ENDPOINT;
jest.restoreAllMocks();
});

describe("Invalid authentication", () => {
beforeEach(async () => {
// server = {};
// server.setErrorHandler(errorHandler);
// await setupAuthentication(server, {
// authMethods: [OptAuthMethod.Open],
// });
// // Add a test route
// server.get(protectedRoute, () => {
// return { status: "ok" };
// });
// await server.ready();
});

afterEach(async () => {
// await server.close();
});

it("should reject with invalid authentication type", async () => {
// authenticate({}, {}, () => {});
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(500).toBe(500);
});
});

describe("Open - without authentication", () => {
beforeEach(async () => {
// server = {};
// server.setErrorHandler(errorHandler);
// await setupAuthentication(server, {
// authMethods: [OptAuthMethod.Open],
// });
// // Add a test route
// server.get(protectedRoute, () => {
// return { status: "ok" };
// });
// await server.ready();
});

afterEach(async () => {
// await server.close();
});

it("should have access without credentials", async () => {
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(200).toBe(200);
});
});

describe("Basic Authentication", () => {
beforeEach(async () => {
// server = fastify() as FastifyInstanceType;
// server.setErrorHandler(errorHandler);
// await setupAuthentication(server, {
// authMethods: [OptAuthMethod.Basic],
// validUsers: mockValidUsers,
// });
// Add a test route
// server.get(protectedRoute, () => {
// return { status: "ok" };
// });
// await server.ready();
});

afterEach(async () => {
// await server.close();
});

it("should authenticate with valid credentials", async () => {
const credentials = Buffer.from("admin:secret").toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// Authorization: `Basic ${credentials}`,
// },
// });

expect(credentials).toBe(credentials);
expect(200).toBe(200);
});

it("should reject with authorization header missing", async () => {
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(401).toBe(401);
});

it("should reject with invalid authentication type", async () => {
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(401).toBe(401);
});

it("should reject with invalid credentials", async () => {
const credentials = Buffer.from("admin:wrong").toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// Authorization: `Basic ${credentials}`,
// },
// });

expect(credentials).toBe(credentials);
expect(401).toBe(401);
});

it("should reject without credentials", async () => {
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(401).toBe(401);
});

it("should reject without credentials", async () => {
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(401).toBe(401);
});
});

describe("UCL mTLS Authentication", () => {
beforeEach(async () => {
// server = fastify();
// server.setErrorHandler(errorHandler);
// await setupAuthentication(server, {
// authMethods: [OptAuthMethod.UclMtls],
// trustedSubjects: [mockTrustedSubject],
// });
// // Add a test route
// server.get(protectedRoute, () => {
// return { status: "ok" };
// });
// await server.ready();
});

afterEach(async () => {
// await server.close();
});

it("should authenticate with valid certificate subject", async () => {
const encodedSubject = Buffer.from(mockTrustedSubject, "ascii").toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// "x-ssl-client-subject-dn": encodedSubject,
// },
// });

expect(protectedRoute).toBe(protectedRoute);
expect(encodedSubject).toBe(encodedSubject);
expect(200).toBe(200);
});

it("should reject with invalid certificate subject", async () => {
const invalidSubject = Buffer.from("CN=invalid.example.com", "ascii").toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// "x-ssl-client-subject-dn": invalidSubject,
// },
// });

expect(401).toBe(401);
expect(invalidSubject).toBe(invalidSubject);
});

it("should reject without certificate subject", async () => {
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(401).toBe(401);
expect(protectedRoute).toBe(protectedRoute);
});
});

describe("Combined Authentication", () => {
beforeEach(async () => {
// server = fastify();
// server.setErrorHandler(errorHandler);
// await setupAuthentication(server, {
// authMethods: [OptAuthMethod.Basic, OptAuthMethod.UclMtls],
// validUsers: mockValidUsers,
// trustedSubjects: [mockTrustedSubject],
// });
// // Add a test route
// server.get(protectedRoute, () => {
// return { status: "ok" };
// });
// await server.ready();
});

afterEach(async () => {
// await server.close();
});

it("should authenticate with valid basic auth", async () => {
const credentials = Buffer.from("admin:secret").toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// Authorization: `Basic ${credentials}`,
// },
// });

expect(200).toBe(200);
expect(credentials).toBe(credentials);
});

it("should authenticate with valid certificate", async () => {
const encodedSubject = Buffer.from(mockTrustedSubject).toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// "x-ssl-client-subject-dn": encodedSubject,
// },
// });

expect(200).toBe(200);
expect(encodedSubject).toBe(encodedSubject);
});

it("should reject with invalid certificate", async () => {
const encodedSubject = Buffer.from("CN=invalid.example.com", "ascii").toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// "x-ssl-client-subject-dn": encodedSubject,
// },
// });

expect(401).toBe(401);
expect(encodedSubject).toBe(encodedSubject);
});

it("should reject with invalid basic auth", async () => {
const credentials = Buffer.from("admin:invalid").toString("base64");
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// headers: {
// Authorization: `Basic ${credentials}`,
// },
// });

expect(401).toBe(401);
expect(credentials).toBe(credentials);
});

it("should reject without any authentication", async () => {
// const response = await server.inject({
// method: "GET",
// url: protectedRoute,
// });

expect(401).toBe(401);
});
});

// beforeEach(() => {
// app = express();
// app.use((req, res, next) => {
// process.env.ORD_AUTH = undefined;
// cds.env = {
// authentication: {
// type: undefined,
// username: 'testuser',
// password: 'testpassword'
// }
// };
// next();
// });
// app.use(authenticationMiddleware);
// app.get('/test', (req, res) => res.status(200).send('Success'));
// });

// it('should allow access with Open authentication', async () => {
// cds.env.authentication.type = AUTHENTICATION_TYPE.Open;
// await request(app).get('/test').expect(200);
// });

// it('should return 401 if authorization header is missing for Basic authentication', async () => {
// cds.env.authentication.type = AUTHENTICATION_TYPE.Basic;
// await request(app).get('/test').expect(401, 'Authorization header missing');
// });

// it('should return 401 if authorization type is not Basic for Basic authentication', async () => {
// cds.env.authentication.type = AUTHENTICATION_TYPE.Basic;
// await request(app).get('/test').set('Authorization', 'Bearer token').expect(401, 'Invalid authentication type');
// });

// it('should return 401 if credentials are invalid for Basic authentication', async () => {
// cds.env.authentication.type = AUTHENTICATION_TYPE.Basic;
// const invalidCredentials = Buffer.from('invaliduser:invalidpassword').toString('base64');
// await request(app).get('/test').set('Authorization', `Basic ${invalidCredentials}`).expect(401, 'Invalid credentials');
// });

// it('should allow access with valid credentials for Basic authentication', async () => {
// cds.env.authentication.type = AUTHENTICATION_TYPE.Basic;
// const validCredentials = Buffer.from('testuser:testpassword').toString('base64');
// await request(app).get('/test').set('Authorization', `Basic ${validCredentials}`).expect(200);
// });

// it('should allow access with UclMtls authentication', async () => {
// cds.env.authentication.type = AUTHENTICATION_TYPE.UclMtls;
// await request(app).get('/test').expect(200);
// });

// it('should return 500 for invalid authentication type', async () => {
// cds.env.authentication.type = 'InvalidType';
// await request(app).get('/test').expect(500, 'Invalid authentication type');
// });
});
Loading
Loading