1 | "use strict";
|
2 |
|
3 | const assert = require('assert');
|
4 | const describeConfig = require('./setupTester');
|
5 | const NoAuth = require('./auth/NoAuth');
|
6 | const PBKDF2 = require('./crypt/PBKDF2');
|
7 |
|
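describeConfig('empty', {}, function (handler)
{
  // With no auth modules and no users configured, the API must advertise no
  // login methods and must treat every caller as unauthenticated.
  it('should have no login methods', async function ()
  {
    const { status, data } = await handler.request('GET', '/methods.json');
    assert.strictEqual(status, 200);
    assert.deepStrictEqual(data, []);
  });

  it('should not be able to access admin api', async function ()
  {
    const { status } = await handler.request('GET', '/search.json');
    assert.strictEqual(status, 400);
  });

  // Previously carried the same title as the case above, which hid it in
  // reports; this one checks the current-user endpoint, not the admin API.
  it('should not have a current user when not logged in', async function ()
  {
    const { data } = await handler.request('GET', '/current.json');
    // Strict comparison: an anonymous caller must get exactly `false`, not a
    // loosely-equal value such as 0 or ''.
    assert.strictEqual(data, false);
  });
});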
|
39 |
|
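/**
 * Builds the configuration used by the 'config' suite below.
 *
 * Two users are created through the test harness: 'regular' (no roles) and
 * 'admin' (carries the `admin` role). Each gets a NoAuth login method of the
 * same name so a test can log in as either with a single GET. The custom
 * field validators let the suite exercise both the accept and the reject
 * path of field validation, and `administratorRoles` names the role that
 * unlocks the admin API.
 *
 * @returns {Promise<object>} a fresh configuration object
 */
async function config()
{
  const users = await describeConfig.createUsers([{
    id: 'regular',
    password: 'INVALID',
  }, {
    id: 'admin',
    roles: {
      admin: true,
    },
  }]);

  const auth = [
    new NoAuth({
      method: 'regular',
      loginUserId: 'regular',
    }),
    new NoAuth({
      method: 'admin',
      loginUserId: 'admin',
    }),
  ];

  const custom = {
    // Accepts anything.
    custom: {},
    // Always rejects the submitted value.
    customInvalid: {
      validate: () =>
      {
        throw new Error('Invalid');
      },
    },
    // Passes the submitted value through unchanged.
    customValid: {
      validate: (i) => i,
    },
  };

  return {
    users,
    auth,
    custom,
    crypt: new PBKDF2(),
    administratorRoles: {
      admin: true,
    },
  };
}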
|
84 |
|
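describeConfig('config', config, function (handler)
{
  // Sample value used by the password cases; nothing depends on its strength.
  const NEW_PASSWORD = 'QAAS91723891ASD98@#!#';

  /** Logs in through the NoAuth method of the given name ('regular' or 'admin'). */
  const login = (method) => handler.request('GET', `/${method}/login.json`);

  /** Returns the current-user record (`false` when nobody is logged in). */
  const current = async () => (await handler.request('GET', '/current.json')).data;

  /** Sends a partial update for the logged-in user and returns the response. */
  const updateCurrent = (fields) => handler.request('PUT', '/current.json', {}, fields);

  it('should have login methods', async function ()
  {
    const { status, data } = await handler.request('GET', '/methods.json');
    assert.strictEqual(status, 200);
    assert.notDeepStrictEqual(data, []);
  });

  it('should be able to login', async function ()
  {
    assert.strictEqual((await login('regular')).status, 200);
    const data = await current();
    assert.strictEqual(data.id, 'regular');
    // The current-user record reports `password` as a boolean flag for this user.
    assert.strictEqual(data.password, true);
  });

  it('should be able to logout', async function ()
  {
    await login('regular');
    await handler.request('GET', '/logout.json');
    assert.strictEqual(await current(), false);
  });

  it('should be able to update display name', async function ()
  {
    await login('regular');
    assert.strictEqual((await updateCurrent({ displayName: 'TEST' })).status, 200);
    assert.strictEqual((await current()).displayName, 'TEST');
    // A non-string display name is rejected and the stored value is untouched.
    assert.strictEqual((await updateCurrent({ displayName: ['TEST2'] })).status, 400);
    assert.strictEqual((await current()).displayName, 'TEST');
  });

  it('should be able to remove password', async function ()
  {
    await login('regular');
    assert.strictEqual((await updateCurrent({ password: false })).status, 200);
    assert.strictEqual((await current()).password, undefined);
  });

  it('should not be able to set password if no auth module uses passwords', async function ()
  {
    await login('admin');
    assert.strictEqual((await updateCurrent({ password: NEW_PASSWORD })).status, 400);
    assert.strictEqual((await current()).password, undefined);
  });

  it('should not be able to set password if a crypt is not configured', async function ()
  {
    const cfg = handler.getconfig();
    const savedCrypt = cfg.crypt;
    cfg.crypt = null;
    try
    {
      await login('admin');
      assert.strictEqual((await updateCurrent({ password: NEW_PASSWORD })).status, 400);
      assert.strictEqual((await current()).password, undefined);
    }
    finally
    {
      // Restore so the mutation cannot leak into later cases should the
      // harness hand out a shared config object (it is not visible here
      // whether it does).
      cfg.crypt = savedCrypt;
    }
  });

  it('should be able to set password if an auth module uses passwords', async function ()
  {
    const description = handler.getconfig().auth[0].description;
    const savedUsesPassword = description.usesPassword;
    description.usesPassword = true;
    try
    {
      await login('admin');
      assert.strictEqual((await updateCurrent({ password: NEW_PASSWORD })).status, 200);
      assert.notStrictEqual((await current()).password, undefined);
    }
    finally
    {
      description.usesPassword = savedUsesPassword;
    }
  });

  it('should not be able to update own roles', async function ()
  {
    await login('regular');
    assert.strictEqual((await updateCurrent({ roles: {} })).status, 400);
  });

  it('should not be able to update random fields', async function ()
  {
    await login('regular');
    assert.strictEqual((await updateCurrent({ random: true })).status, 400);
  });

  it('should be able to update custom fields', async function ()
  {
    await login('regular');
    assert.strictEqual((await updateCurrent({ custom: true })).status, 200);
  });

  it('should reject invalid custom fields', async function ()
  {
    await login('regular');
    assert.strictEqual((await updateCurrent({ customInvalid: true })).status, 400);
  });

  it('should accept valid custom fields', async function ()
  {
    await login('regular');
    assert.strictEqual((await updateCurrent({ customValid: true })).status, 200);
  });

  it('regular user should not see users list', async function ()
  {
    await login('regular');
    assert.strictEqual((await handler.request('GET', '/search.json')).status, 400);
  });

  it('regular user should not see other users', async function ()
  {
    await login('regular');
    assert.strictEqual((await handler.request('GET', '/regular.json')).status, 400);
  });

  it('regular user should not update other users', async function ()
  {
    await login('regular');
    assert.strictEqual((await handler.request('PUT', '/regular.json', {}, {})).status, 400);
  });

  it('regular user should not delete other users', async function ()
  {
    await login('regular');
    assert.strictEqual((await handler.request('DELETE', '/regular.json')).status, 400);
  });

  it('admin user should see users list', async function ()
  {
    await login('admin');
    assert.strictEqual((await handler.request('GET', '/search.json')).status, 200);
  });

  it('admin user should see other users', async function ()
  {
    await login('admin');
    assert.strictEqual((await handler.request('GET', '/regular.json')).status, 200);
    assert.strictEqual((await handler.request('GET', '/admin.json')).status, 200);
  });

  it('admin user should update other users', async function ()
  {
    await login('admin');
    assert.strictEqual((await handler.request('PUT', '/admin.json', {}, {})).status, 200);
  });

  it('admin user should update other user role', async function ()
  {
    await login('admin');
    const response = await handler.request('PUT', '/regular.json', {}, {
      roles: {
        admin: true,
      },
    });
    assert.strictEqual(response.status, 200);
  });

  it('admin user should not update own role', async function ()
  {
    await login('admin');
    // Role changes to the caller's own record are refused even for admins.
    assert.strictEqual((await handler.request('PUT', '/admin.json', {}, { roles: {} })).status, 400);
  });

  it('admin user should delete other users', async function ()
  {
    await login('admin');
    assert.strictEqual((await handler.request('DELETE', '/regular.json')).status, 200);
  });

  it('admin user should not delete self', async function ()
  {
    await login('admin');
    assert.strictEqual((await handler.request('DELETE', '/admin.json')).status, 400);
  });
});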
|