-
Notifications
You must be signed in to change notification settings - Fork 20
Add Step-up rechallenge implementation #2869
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 34 commits
Commits
Show all changes
35 commits
Select commit
Hold shift + click to select a range
479ffae
feat(rechallenge): add types and error classes
rinatkhaziev 586b7af
feat(rechallenge): add keychain-backed per-scope elevated-token cache
rinatkhaziev cd414f0
feat(rechallenge): add REST client for Parker v2 session endpoints
rinatkhaziev 5b0fab9
fix(rechallenge): satisfy tsc check-types in test files
rinatkhaziev 49e5a49
feat(rechallenge): orchestrate session create, poll, exchange
rinatkhaziev 6b938df
feat(rechallenge): add Apollo link that intercepts elevated-permissio…
rinatkhaziev 96161a9
feat(api): insert rechallenge link into Apollo chain
rinatkhaziev da63adf
feat(defensive-mode): add GraphQL helpers for status and config mutat…
rinatkhaziev 3566bbf
feat(cli): add vip defensive-mode parent command
rinatkhaziev b6a676d
feat(cli): add vip defensive-mode enable subcommand
rinatkhaziev b800278
feat(cli): add vip defensive-mode disable subcommand
rinatkhaziev a90d285
feat(cli): add vip defensive-mode configure subcommand
rinatkhaziev a697290
feat(cli): register vip defensive-mode top-level command
rinatkhaziev 9210d1f
feat(logout): clear elevated-token cache on logout
rinatkhaziev d489e55
fix(api): lint cleanup for lazy rechallenge link import
rinatkhaziev e94f81a
fix: address final-review findings (diff in configure, non-interactiv…
rinatkhaziev 4fa6269
fix: address PR review feedback (data guards, version constant, paylo…
rinatkhaziev 4879454
fix: address PR review feedback (output formatting, login hardening, …
rinatkhaziev df88602
chore(lint): scope no-await-in-loop disable to rechallenge polling loop
rinatkhaziev c4e5e96
fix(lint): stop importing Response type from node-fetch in rechalleng…
rinatkhaziev 9ce0cd9
fix: address sjinks PR review feedback (rechallenge + defensive-mode)
rinatkhaziev 920ab77
test: cover rechallenge poll-interval floor (NaN / tight-loop guard)
rinatkhaziev 62ae49e
fix(test): make rechallenge abort test deterministic on Node current
rinatkhaziev 15d4e8e
feat(rechallenge): add --rechallenge-wait opt-in for non-interactive …
rinatkhaziev 054bbc8
fix: purge token/cache even if logout fails
sjinks e734d78
fix: eslint issues and code smells
sjinks a00c99c
fix(rechallenge): handle sync downstream errors
sjinks 530098c
fix: SonarSource findings
sjinks 9065f51
test(rechallenge): add api and command coverage
sjinks 18b30b2
docs: document elevated token scope granularity
sjinks 3b31c86
fix: address code review comments
sjinks a912ed2
fix: address code review comments
sjinks b217b54
fix: address code review comments
sjinks 57643a0
fix: add `salesforceId` to query for telemetry
sjinks 9329cc3
fix: apply suggestions from code review
sjinks File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| import { beforeEach, describe, expect, it, jest } from '@jest/globals'; | ||
|
|
||
| const httpResponse = ( status, body ) => { | ||
| return Promise.resolve( { | ||
| ok: status >= 200 && status < 300, | ||
| status, | ||
| headers: { | ||
| get: name => ( name.toLowerCase() === 'content-type' ? 'application/json' : null ), | ||
| }, | ||
| json: () => Promise.resolve( body ), | ||
| text: () => Promise.resolve( JSON.stringify( body ) ), | ||
| } ); | ||
| }; | ||
|
|
||
| describe( 'vip app deploy rechallenge smoke', () => { | ||
| let appDeployCmd; | ||
| let http; | ||
| let runRechallenge; | ||
| let exitWithError; | ||
|
|
||
| beforeEach( () => { | ||
| jest.resetModules(); | ||
|
|
||
| jest.doMock( '../../src/lib/cli/command', () => { | ||
| const commandMock = { | ||
| argv: () => commandMock, | ||
| examples: () => commandMock, | ||
| option: () => commandMock, | ||
| command: () => commandMock, | ||
| }; | ||
| return jest.fn( () => commandMock ); | ||
| } ); | ||
|
|
||
| jest.doMock( '../../src/lib/client-file-uploader', () => ( { | ||
| getFileMeta: jest.fn().mockResolvedValue( { | ||
| fileName: '/vip/skeleton.zip', | ||
| basename: 'skeleton.zip', | ||
| fileSize: 123, | ||
| isCompressed: true, | ||
| } ), | ||
| uploadImportFileToS3: jest.fn().mockResolvedValue( { | ||
| fileMeta: { | ||
| basename: 'skeleton.zip', | ||
| fileName: '/vip/skeleton.zip', | ||
| fileSize: 123, | ||
| isCompressed: true, | ||
| }, | ||
| checksum: 'abc123', | ||
| result: 'ok', | ||
| } ), | ||
| } ) ); | ||
|
|
||
| jest.doMock( '../../src/lib/custom-deploy/custom-deploy', () => ( { | ||
| validateFile: jest.fn().mockResolvedValue( true ), | ||
| validateLargeArchiveFiles: jest.fn().mockResolvedValue( true ), | ||
| promptToContinue: jest.fn().mockResolvedValue( true ), | ||
| validateCustomDeployKey: jest.fn().mockResolvedValue( { | ||
| appId: 123, | ||
| envId: 456, | ||
| envType: 'develop', | ||
| envUniqueLabel: 'develop', | ||
| primaryDomainName: 'example.com/develop', | ||
| launched: false, | ||
| } ), | ||
| } ) ); | ||
|
|
||
| jest.doMock( '../../src/lib/tracker', () => ( { | ||
| trackEventWithEnv: jest.fn( () => Promise.resolve() ), | ||
| } ) ); | ||
|
|
||
| jest.doMock( '../../src/lib/api/http', () => ( { | ||
| __esModule: true, | ||
| default: jest.fn(), | ||
| } ) ); | ||
|
|
||
| jest.doMock( '../../src/lib/rechallenge/flow', () => ( { | ||
| runRechallenge: jest.fn(), | ||
| isInteractiveContext: () => false, | ||
| shouldWaitForRechallenge: () => true, | ||
| } ) ); | ||
|
|
||
| jest.doMock( '../../src/lib/rechallenge/token-cache', () => ( { | ||
| __esModule: true, | ||
| default: { | ||
| get: jest.fn( () => Promise.resolve( null ) ), | ||
| set: jest.fn( () => Promise.resolve() ), | ||
| clearScope: jest.fn(), | ||
| clearAll: jest.fn(), | ||
| }, | ||
| } ) ); | ||
|
|
||
| const exitModule = require( '../../src/lib/cli/exit' ); | ||
| exitWithError = jest.spyOn( exitModule, 'withError' ).mockImplementation( () => { | ||
| throw new Error( 'exit.withError called' ); | ||
| } ); | ||
|
|
||
| appDeployCmd = require( '../../src/bin/vip-app-deploy' ).appDeployCmd; | ||
| http = require( '../../src/lib/api/http' ).default; | ||
| runRechallenge = require( '../../src/lib/rechallenge/flow' ).runRechallenge; | ||
|
|
||
| process.env.NODE_ENV = 'test'; | ||
| process.env.WPVIP_DEPLOY_TOKEN = 'deploy-token'; | ||
| jest.spyOn( console, 'log' ).mockImplementation( () => {} ); | ||
| jest.spyOn( console, 'error' ).mockImplementation( () => {} ); | ||
| } ); | ||
|
|
||
| it( 'retries app deploy mutation with elevated header in API chain', async () => { | ||
| runRechallenge.mockResolvedValueOnce( { | ||
| token: 'manual-elevated-token', | ||
| expiresAt: new Date( Date.now() + 60_000 ).toISOString(), | ||
| purpose: 'validate-elevated-permissions', | ||
| } ); | ||
|
|
||
| http | ||
| .mockReturnValueOnce( | ||
| httpResponse( 200, { | ||
| data: null, | ||
| errors: [ | ||
| { | ||
| message: 'Missing elevated token', | ||
| extensions: { | ||
| code: 'elevated-permission-required', | ||
| rechallenge: { | ||
| version: 'v2', | ||
| createSessionPath: '/rechallenge/v2/sessions', | ||
| statusPathTemplate: '/rechallenge/v2/sessions/{challengeId}', | ||
| exchangePathTemplate: '/rechallenge/v2/sessions/{challengeId}/exchange', | ||
| elevatedHeaderName: 'x-elevated-token', | ||
| }, | ||
| }, | ||
| }, | ||
| ], | ||
| } ) | ||
| ) | ||
| .mockReturnValueOnce( | ||
| httpResponse( 200, { | ||
| data: { | ||
| startCustomDeploy: { | ||
| success: true, | ||
| message: 'ok', | ||
| }, | ||
| }, | ||
| } ) | ||
| ); | ||
|
|
||
| await expect( | ||
| appDeployCmd( [ '/vip/skeleton.zip' ], { app: 1, env: 2, force: true } ) | ||
| ).resolves.toBeUndefined(); | ||
|
|
||
| expect( runRechallenge ).toHaveBeenCalledTimes( 1 ); | ||
| expect( http ).toHaveBeenCalledTimes( 2 ); | ||
| const secondCallInit = http.mock.calls[ 1 ][ 1 ]; | ||
| expect( secondCallInit.headers[ 'x-elevated-token' ] ).toBe( 'manual-elevated-token' ); | ||
| expect( secondCallInit.headers.authorization ).toBe( 'Bearer deploy-token' ); | ||
| expect( exitWithError ).not.toHaveBeenCalled(); | ||
| } ); | ||
| } ); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,176 @@ | ||
| import { describe, expect, it, jest, beforeEach } from '@jest/globals'; | ||
|
|
||
| import { defensiveModeConfigureCommand } from '../../src/bin/vip-defensive-mode-configure'; | ||
| import command from '../../src/lib/cli/command'; | ||
| import { updateDefensiveModeConfig } from '../../src/lib/defensive-mode/api'; | ||
| import { trackEvent } from '../../src/lib/tracker'; | ||
|
|
||
| function mockExit() { | ||
| throw 'EXIT'; | ||
| } | ||
| jest.spyOn( console, 'log' ).mockImplementation( () => {} ); | ||
| jest.spyOn( console, 'error' ).mockImplementation( () => {} ); | ||
| jest.spyOn( process, 'exit' ).mockImplementation( mockExit ); | ||
|
|
||
| jest.mock( '../../src/lib/cli/command', () => { | ||
| const commandMock = { | ||
| argv: () => commandMock, | ||
| examples: () => commandMock, | ||
| option: () => commandMock, | ||
| }; | ||
| return jest.fn( () => commandMock ); | ||
| } ); | ||
|
|
||
| jest.mock( '../../src/lib/defensive-mode/api', () => ( { | ||
| updateDefensiveModeConfig: jest.fn( () => | ||
| Promise.resolve( { success: true, message: 'configured' } ) | ||
| ), | ||
| appQuery: 'mock-app-query', | ||
| } ) ); | ||
|
|
||
| jest.mock( '../../src/lib/tracker', () => ( { | ||
| trackEvent: jest.fn( () => Promise.resolve() ), | ||
| } ) ); | ||
|
|
||
| jest.mock( '../../src/lib/envvar/input', () => ( { | ||
| confirm: jest.fn( () => Promise.resolve( true ) ), | ||
| } ) ); | ||
|
|
||
| function baseOpts() { | ||
| return { | ||
| app: { id: 7, name: 'demo', organization: { id: 1, salesforceId: 'X' } }, | ||
| env: { id: 9, type: 'develop' }, | ||
| skipConfirmation: true, | ||
| }; | ||
| } | ||
|
|
||
| describe( 'vip defensive-mode configure', () => { | ||
| it( 'registers as a command', () => { | ||
| expect( command ).toHaveBeenCalled(); | ||
| } ); | ||
| } ); | ||
|
|
||
| describe( 'defensiveModeConfigureCommand', () => { | ||
| beforeEach( () => { | ||
| jest.clearAllMocks(); | ||
| } ); | ||
|
|
||
| it( 'applies full input when all flags are supplied', async () => { | ||
| await defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| enabled: 'true', | ||
| challengeType: '1', | ||
| connectionThresholdAbsolute: '1000', | ||
| connectionThresholdPercentage: '50', | ||
| } ); | ||
| expect( updateDefensiveModeConfig ).toHaveBeenCalledWith( { | ||
| appId: 7, | ||
| envId: 9, | ||
| enabled: true, | ||
| challengeType: 1, | ||
| connectionThresholdAbsolute: 1000, | ||
| connectionThresholdPercentage: 50, | ||
| } ); | ||
| } ); | ||
|
|
||
| it( 'errors when required flags missing in non-interactive mode', async () => { | ||
| await expect( | ||
| defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| nonInteractive: true, | ||
| } ) | ||
| ).rejects.toBe( 'EXIT' ); | ||
| expect( updateDefensiveModeConfig ).not.toHaveBeenCalled(); | ||
| } ); | ||
|
|
||
| it( 'rejects non-boolean enabled values', async () => { | ||
| await expect( | ||
| defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| enabled: 'maybe', | ||
| challengeType: '1', | ||
| nonInteractive: true, | ||
| } ) | ||
| ).rejects.toBe( 'EXIT' ); | ||
| } ); | ||
|
|
||
| it( 'rejects non-integer challenge-type', async () => { | ||
| await expect( | ||
| defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| enabled: 'true', | ||
| challengeType: 'oops', | ||
| nonInteractive: true, | ||
| } ) | ||
| ).rejects.toBe( 'EXIT' ); | ||
| } ); | ||
|
|
||
| it( 'tracks success', async () => { | ||
| await defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| enabled: 'false', | ||
| challengeType: '1', | ||
| } ); | ||
| expect( trackEvent ).toHaveBeenCalledWith( | ||
| 'defensive_mode_configure_command_success', | ||
| expect.any( Object ) | ||
| ); | ||
| } ); | ||
|
|
||
| it( 'logs the proposed configuration before mutating', async () => { | ||
| const consoleSpy = jest.spyOn( console, 'log' ); | ||
| await defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| enabled: 'true', | ||
| challengeType: '2', | ||
| } ); | ||
| const allArgs = consoleSpy.mock.calls.flat().filter( arg => typeof arg === 'string' ); | ||
| const settingsTable = allArgs.find( arg => arg.includes( 'Challenge type' ) ); | ||
| expect( settingsTable ).toBeDefined(); | ||
| expect( settingsTable ).toContain( 'Enabled' ); | ||
| expect( settingsTable ).toContain( 'true' ); | ||
| expect( settingsTable ).toContain( '2' ); | ||
| expect( settingsTable ).toContain( '(not specified)' ); | ||
| } ); | ||
|
|
||
| it( 'rejects bare threshold flags (boolean true)', async () => { | ||
| await expect( | ||
| defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| enabled: 'true', | ||
| challengeType: '1', | ||
| connectionThresholdAbsolute: true, | ||
| nonInteractive: true, | ||
| } ) | ||
| ).rejects.toBe( 'EXIT' ); | ||
| expect( updateDefensiveModeConfig ).not.toHaveBeenCalled(); | ||
| } ); | ||
|
|
||
| it( 'refuses production mutation in non-interactive mode without --skip-confirmation', async () => { | ||
| await expect( | ||
| defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| env: { id: 9, type: 'production' }, | ||
| skipConfirmation: false, | ||
| nonInteractive: true, | ||
| enabled: 'false', | ||
| challengeType: '1', | ||
| } ) | ||
| ).rejects.toBe( 'EXIT' ); | ||
| expect( updateDefensiveModeConfig ).not.toHaveBeenCalled(); | ||
| } ); | ||
|
|
||
| it( 'allows production mutation in non-interactive mode with --skip-confirmation', async () => { | ||
| await defensiveModeConfigureCommand( [], { | ||
| ...baseOpts(), | ||
| env: { id: 9, type: 'production' }, | ||
| skipConfirmation: true, | ||
| nonInteractive: true, | ||
| enabled: 'false', | ||
| challengeType: '1', | ||
| } ); | ||
| expect( updateDefensiveModeConfig ).toHaveBeenCalledWith( | ||
| expect.objectContaining( { envId: 9, enabled: false, challengeType: 1 } ) | ||
| ); | ||
| } ); | ||
| } ); | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.