balena-supervisor/test/27-supervisor-api-auth.spec.ts

import * as supertest from 'supertest';

import SupervisorAPI from '../src/supervisor-api';
import mockedAPI = require('./lib/mocked-device-api');

const mockedOptions = {
	listenPort: 12345,
	timeout: 30000,
};

const VALID_SECRET = mockedAPI.DEFAULT_SECRET;
const INVALID_SECRET = 'bad_api_secret';
const ALLOWED_INTERFACES = ['lo']; // Only need loopback since this is for testing

describe('SupervisorAPI authentication', () => {
	let api: SupervisorAPI;
	const request = supertest(`http://127.0.0.1:${mockedOptions.listenPort}`);

	before(async () => {
		// Create test API
		api = await mockedAPI.create();
		// Start test API
		return api.listen(
			ALLOWED_INTERFACES,
			mockedOptions.listenPort,
			mockedOptions.timeout,
		);
	});

	after(async () => {
		try {
			await api.stop();
		} catch (e) {
			if (e.message !== 'Server is not running.') {
				throw e;
			}
		}
		// Remove any test data generated
		await mockedAPI.cleanUp();
	});

	it('finds no apiKey and rejects', async () => {
		return request.post('/v1/blink').expect(401);
	});

	it('finds apiKey from query', async () => {
		return request.post(`/v1/blink?apikey=${VALID_SECRET}`).expect(200);
	});

	it('finds apiKey from Authorization header (ApiKey scheme)', async () => {
		return request
			.post('/v1/blink')
			.set('Authorization', `ApiKey ${VALID_SECRET}`)
			.expect(200);
	});

	it('finds apiKey from Authorization header (Bearer scheme)', async () => {
		return request
			.post('/v1/blink')
			.set('Authorization', `Bearer ${VALID_SECRET}`)
			.expect(200);
	});

	it('finds apiKey from Authorization header (case insensitive)', async () => {
		const randomCases = [
			'Bearer',
			'bearer',
			'BEARER',
			'BeAReR',
			'ApiKey',
			'apikey',
			'APIKEY',
			'ApIKeY',
		];
		for (const scheme of randomCases) {
			return request
				.post('/v1/blink')
				.set('Authorization', `${scheme} ${VALID_SECRET}`)
				.expect(200);
		}
	});

	it('rejects invalid apiKey from query', async () => {
		return request.post(`/v1/blink?apikey=${INVALID_SECRET}`).expect(401);
	});

	it('rejects invalid apiKey from Authorization header (ApiKey scheme)', async () => {
		return request
			.post('/v1/blink')
			.set('Authorization', `ApiKey ${INVALID_SECRET}`)
			.expect(401);
	});

	it('rejects invalid apiKey from Authorization header (Bearer scheme)', async () => {
		return request
			.post('/v1/blink')
			.set('Authorization', `Bearer ${INVALID_SECRET}`)
			.expect(401);
	});
});
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`import * as supertest from 'supertest';`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`import SupervisorAPI from '../src/supervisor-api';`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`import mockedAPI = require('./lib/mocked-device-api');`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00
			`const mockedOptions = {`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`listenPort: 12345,`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`timeout: 30000,`
			`};`

Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`const VALID_SECRET = mockedAPI.DEFAULT_SECRET;`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`const INVALID_SECRET = 'bad_api_secret';`
			`const ALLOWED_INTERFACES = ['lo']; // Only need loopback since this is for testing`

			`describe('SupervisorAPI authentication', () => {`
			`let api: SupervisorAPI;`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			const request = supertest(`http://127.0.0.1:${mockedOptions.listenPort}`);
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`before(async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`// Create test API`
			`api = await mockedAPI.create();`
			`// Start test API`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`return api.listen(`
			`ALLOWED_INTERFACES,`
			`mockedOptions.listenPort,`
			`mockedOptions.timeout,`
			`);`
			`});`

Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`after(async () => {`
			`try {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`await api.stop();`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`} catch (e) {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`if (e.message !== 'Server is not running.') {`
			`throw e;`
			`}`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`}`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`// Remove any test data generated`
			`await mockedAPI.cleanUp();`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`});`

			`it('finds no apiKey and rejects', async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`return request.post('/v1/blink').expect(401);`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`});`

			`it('finds apiKey from query', async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			return request.post(`/v1/blink?apikey=${VALID_SECRET}`).expect(200);
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`});`

			`it('finds apiKey from Authorization header (ApiKey scheme)', async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`return request`
			`.post('/v1/blink')`
			.set('Authorization', `ApiKey ${VALID_SECRET}`)
			`.expect(200);`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`});`

Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`it('finds apiKey from Authorization header (Bearer scheme)', async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`return request`
			`.post('/v1/blink')`
			.set('Authorization', `Bearer ${VALID_SECRET}`)
			`.expect(200);`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`});`

			`it('finds apiKey from Authorization header (case insensitive)', async () => {`
			`const randomCases = [`
			`'Bearer',`
			`'bearer',`
			`'BEARER',`
			`'BeAReR',`
			`'ApiKey',`
			`'apikey',`
			`'APIKEY',`
			`'ApIKeY',`
			`];`
			`for (const scheme of randomCases) {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`return request`
			`.post('/v1/blink')`
			.set('Authorization', `${scheme} ${VALID_SECRET}`)
			`.expect(200);`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`}`
			`});`

Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`it('rejects invalid apiKey from query', async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			return request.post(`/v1/blink?apikey=${INVALID_SECRET}`).expect(401);
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`});`

Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`it('rejects invalid apiKey from Authorization header (ApiKey scheme)', async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`return request`
			`.post('/v1/blink')`
			.set('Authorization', `ApiKey ${INVALID_SECRET}`)
			`.expect(401);`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`});`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00
			`it('rejects invalid apiKey from Authorization header (Bearer scheme)', async () => {`
Added endpoint to check if VPN is connected Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-05-08 20:04:21 +00:00			`return request`
			`.post('/v1/blink')`
			.set('Authorization', `Bearer ${INVALID_SECRET}`)
			`.expect(401);`
Added Bearer Authorization spec Closes: #1249 Change-type: minor Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 02:21:03 +00:00			`});`
Added spec for current auth implementation Signed-off-by: Miguel Casqueira <miguel@balena.io> 2020-04-28 01:20:50 +00:00			`});`