[auth] Add tests for BearerAuth.authExpressRequest

geropl · geropl · commit cebc8ff7f5a8 · 2023-11-16T16:06:08.000Z
diff --git a/components/server/src/auth/bearer-authenticator.spec.db.ts b/components/server/src/auth/bearer-authenticator.spec.db.ts
@@ -0,0 +1,119 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { TypeORM, resetDB } from "@gitpod/gitpod-db/lib";
+import { BearerAuth, PersonalAccessToken } from "./bearer-authenticator";
+import { expect } from "chai";
+import { describe } from "mocha";
+import { Container } from "inversify";
+import { createTestContainer } from "../test/service-testing-container-module";
+import { Experiments } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import { UserService } from "../user/user-service";
+import { User } from "@gitpod/gitpod-protocol";
+import { Config } from "../config";
+import { Request } from "express";
+import { WithResourceAccessGuard } from "./resource-access";
+import { WithFunctionAccessGuard } from "./function-access";
+import { fail } from "assert";
+
+function toDateTime(date: Date): string {
+    return date.toISOString().replace("T", " ").replace("Z", "");
+}
+
+describe("BearerAuth", () => {
+    let container: Container;
+    let bearerAuth: BearerAuth;
+    let userService: UserService;
+    let typeORM: TypeORM;
+    let testUser: User;
+
+    async function insertPat(userId: string, patId: string, scopes: string[] = ["function:*"]): Promise<string> {
+        const patValue = "someValue";
+        const signature = "V7BsZVjpMQRaWxS5XJE9r-Ovpxk2xT_bfFSmic4yW6g"; // depends on the value
+        const pat = new PersonalAccessToken("doesnotmatter", patValue);
+
+        const conn = await typeORM.getConnection();
+        await conn.query(
+            "INSERT d_b_personal_access_token (id, userId, hash, name, scopes, expirationTime, createdAt) VALUES (?, ?, ?, ?, ?, ?, ?)",
+            [patId, userId, pat.hash(), patId, scopes, toDateTime(new Date("2030")), toDateTime(new Date())],
+        );
+        return `gitpod_pat_${signature}.${patValue}`;
+    }
+
+    beforeEach(async () => {
+        container = createTestContainer();
+        Experiments.configureTestingClient({
+            centralizedPermissions: true,
+        });
+        const oldConfig = container.get<Config>(Config);
+        container.rebind(Config).toDynamicValue((ctx) => {
+            return {
+                ...oldConfig,
+                patSigningKey: "super-duper-secret-pat-signing-key",
+            };
+        });
+        bearerAuth = container.get(BearerAuth);
+        userService = container.get<UserService>(UserService);
+        typeORM = container.get<TypeORM>(TypeORM);
+
+        testUser = await userService.createUser({
+            identity: {
+                authId: "gh-user-1",
+                authName: "user",
+                authProviderId: "public-github",
+            },
+        });
+    });
+
+    afterEach(async () => {
+        // Clean-up database
+        await resetDB(container.get(TypeORM));
+    });
+
+    it("authExpressRequest should successfully authenticate BearerToken (PAT)", async () => {
+        const pat1 = await insertPat(testUser.id, "pat-1");
+
+        const req = {
+            headers: {
+                authorization: `Bearer ${pat1}`,
+            },
+        } as Request;
+        await bearerAuth.authExpressRequest(req);
+
+        expect(req.user?.id).to.equal(testUser.id);
+        expect((req as WithResourceAccessGuard).resourceGuard).to.not.be.undefined;
+        expect((req as WithFunctionAccessGuard).functionGuard).to.not.be.undefined;
+    });
+
+    it("authExpressRequest should fail to authenticate with missing BearerToken in header", async () => {
+        await insertPat(testUser.id, "pat-1");
+
+        const req = {
+            headers: {
+                authorization: `Bearer `, // missing
+            },
+        } as Request;
+        await expectError(async () => bearerAuth.authExpressRequest(req), "missing bearer token header");
+    });
+
+    it("authExpressRequest should fail to authenticate with missing BearerToken from DB (PAT)", async () => {
+        const patNotStored = "gitpod_pat_GrvGthczSRf3ypqFhNtcRiN5fK6CV7rdCkkPLfpbc_4";
+
+        const req = {
+            headers: {
+                authorization: `Bearer ${patNotStored}`,
+            },
+        } as Request;
+        await expectError(async () => bearerAuth.authExpressRequest(req), "cannot find token");
+    });
+
+    async function expectError(fun: () => Promise<any>, message: string) {
+        try {
+            await fun();
+            fail(`Expected error: ${message}`);
+        } catch (err) {}
+    }
+});
diff --git a/components/server/src/auth/personal-access-token.spec.ts b/components/server/src/auth/personal-access-token.spec.ts
@@ -4,23 +4,20 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { suite, test } from "@testdeck/mocha";
 import { PersonalAccessToken } from "./bearer-authenticator";
 import { expect } from "chai";
+import { describe } from "mocha";
 
-@suite()
-class TestPersonalAccessToken {
-    @test
-    test_parse_token_ok() {
+describe("PersonalAccessToken", () => {
+    it("should parse token successfully", () => {
         const token = "gitpod_pat_GrvGthczSRf3ypqFhNtcRiN5fK6CV7rdCkkPLfpbc_4." + "test".repeat(10);
 
         const parsed = PersonalAccessToken.parse(token);
         const expected = new PersonalAccessToken("GrvGthczSRf3ypqFhNtcRiN5fK6CV7rdCkkPLfpbc_4", "test".repeat(10));
         expect(parsed).to.deep.equal(expected);
-    }
+    });
 
-    @test
-    test_parse_token_throws() {
+    it("should parse token and throw an error", () => {
         const tokens = [
             "gitpod_pat_GrvGthczSRf3ypqFhNtcRiN5fK6CV7rdCkkPLfpbc_4.", // no value
             `gitpod_pat_.${"test".repeat(10)}`, // no signature
@@ -30,7 +27,5 @@ class TestPersonalAccessToken {
         tokens.forEach((token) => {
             expect(() => PersonalAccessToken.parse(token)).to.throw();
         });
-    }
-}
-
-module.exports = new TestPersonalAccessToken();
+    });
+});
