-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathtest_security.js
209 lines (182 loc) · 6.14 KB
/
test_security.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
function test() {
const api = include("app_api");
const assert = include("utils").assert;
const nameCluster = "SC-test-cluster";
const defaultClusters = ["all","orphans"];
const userAdmin = {
user: "TestAdmin",
title: "Cluster admin",
password: "7s,49dh3k9mq.0",
tenant: "root",
roles: [
{name: "ROLE_ADMIN", tenant: "root"}
]
};
const userOne = {
user: "TestUserOne",
title: "Cluster user",
password: "_-_-_-_",
tenant: "root"
};
const userTwo = {
user: "TestUserTwo",
title: "Unprivileged user",
password: "2",
tenant: "root"
};
const userBad = {
user: "TestBadUser",
title: "Bad user",
password: "0000",
tenant: "root"
};
var tokenAdmin;
function clear() {
console.debug("Clean...");
if(!api.token) {
api.login("admin", "password");
}
[userOne.user, userAdmin.user, userTwo.user].forEach(api.userDelete);
api.clusterDelete(nameCluster);
}
function userCompare(expected, actual) {
var name = expected.user || actual && actual.user;
assert.equal(expected, actual, {
message: "User '" + name + "' is not same:\n",
skip:["password"]
});
}
function userDelete(name) {
console.debug("Delete user:", name);
var res = api.userDelete(name);
console.assert(res.code == 200, "Can not delete user:", name, "due to error:", res.message);
}
function userUpdate(user) {
var name = user.user;
console.debug("Create user:", name);
var tmp = clone(user);
delete tmp.user; //server must create name
var res = api.userUpdate(name, tmp);
console.assert(res.code == 200, "Can not create user due error: ", res);
var loaded = api.user(name).data;
userCompare(tmp, loaded);
}
function aclSetFor(user) {
return api.acl("CLUSTER/" + nameCluster, {
"entries": [
{
"id":"1",
"sid": {
"type": "PRINCIPAL",
"principal": user.user,
"tenant": user.tenant
},
"granting": true,
"permission": "CRUDEA"
}
]
})
}
function userTests(user) {
console.debug("Test unprivileged access to user creation");
var res = api.userUpdate(userBad.user, userBad);
console.assert(res.code >= 400, "User is unexpectedly created: ", res);
var tmpToken = api.token;
api.token = tokenAdmin;
try {
var res = api.user(userBad.user);
console.assert(res.code == 404, "User is unexpectedly found: ", res);
} finally {
api.token = tmpToken;
}
console.debug("Test unprivileged access to acl modification");
var res = aclSetFor(userOne);
console.assert(res.code == 500, "Acl is modified: ", res);
{
console.debug("Do allowed own modification");
var name = user.user;
console.debug("Modify self:", name);
var tmp = clone(user);
delete tmp.user; //server must create name
tmp.email = "updated" + user.email;
tmp.title = "updated" + user.title;
var res = api.userUpdate(name, tmp);
console.assert(res.code == 200, "Can not create user due error: ", res);
res = api.userCurrent();
console.assert(res.code == 200, "Can not load self due error: ", res);
var loaded = res.data;
userCompare(tmp, loaded);
}
{
console.debug("Try to do disallowed own modification");
var name = user.user;
console.debug("Modify self for admin role:", name);
var tmp = clone(user);
tmp.roles = [userAdmin.roles[0]];
var res = api.userUpdate(name, tmp);
console.assert(res.code >= 400, "User unexpectedly modified: ", res);
var loaded = api.userCurrent().data;
console.assert(loaded.roles.length == 0, "User unexpectedly modified: ", res);
}
}
function userLogin(user) {
if(user == "admin") {
api.token = tokeAdmin;
} else {
api.login(user.user, user.password);
}
var res = api.userCurrent().data;
userCompare(user, res);
}
api.host = process.env.API_HOST;
console.debug("api.host:", api.host);
//login
var tokenAdmin = api.login("admin", "password");
clear();
//Create admin
userUpdate(userAdmin);
//logout
api.logout();
//login as userAdminName
userLogin(userAdmin);
//create cluster by new admin
api.clusterCreate(nameCluster);
userUpdate(userOne);
// grant ACL on cluster to userOne
var res = aclSetFor(userOne);
console.assert(res.code === 200, "Can not update acl");
//test delete
userDelete(userOne.user);
//create again
userUpdate(userOne);
// acl for this user must be remained
userUpdate(userTwo);
// none to grant
//logout
api.logout();
//login as userOne,
userLogin(userOne);
//check access
{
console.debug("Check access for", userOne.user)
var clusters = api.clustersMap();
var clusterNames = Object.keys(clusters);
console.assert(clusterNames.length == (defaultClusters.length + 1) && clusterNames.indexOf(nameCluster) >= 0,
"User ", userOne.user, "has invalid access to clusters:", clusterNames);
userTests(userOne);
}
api.logout();
//login as userTwo
userLogin(userTwo);
//check access
{
console.debug("Check access for", userTwo.user)
var clusters = api.clustersMap();
var clusterNames = Object.keys(clusters);
console.assert(clusterNames.length == defaultClusters.length, "User ", userTwo.user,
"has invalid access to clusters:", clusterNames);
userTests(userTwo);
}
api.logout();
clear();
}