If external auth system is in use, skip sudo-mode checks

2024-09-16 02:52:31 -04:00 · 2017-05-15 15:46:24 +01:00 · 2017-05-15 15:46:24 +01:00 · 60d3e4a97b
commit 60d3e4a97b
parent 707a81cc2a
5 changed files with 55 additions and 7 deletions
--- a/services/web/app/coffee/Features/SudoMode/SudoModeController.coffee
+++ b/services/web/app/coffee/Features/SudoMode/SudoModeController.coffee
@ -9,6 +9,9 @@ UserGetter = require '../User/UserGetter'
 module.exports = SudoModeController =

 	sudoModePrompt: (req, res, next) ->
+		if req.externalAuthenticationSystemUsed()
+			logger.log {userId}, "[SudoMode] using external auth, redirecting"
+			return res.redirect('/project')
 		userId = AuthenticationController.getLoggedInUserId(req)
 		logger.log {userId}, "[SudoMode] rendering sudo mode password page"
 		SudoModeHandler.isSudoModeActive userId, (err, isActive) ->
--- a/services/web/app/coffee/Features/SudoMode/SudoModeMiddlewear.coffee
+++ b/services/web/app/coffee/Features/SudoMode/SudoModeMiddlewear.coffee
@ -6,6 +6,9 @@ AuthenticationController = require '../Authentication/AuthenticationController'
 module.exports = SudoModeMiddlewear =

 	protectPage: (req, res, next) ->
+		if req.externalAuthenticationSystemUsed()
+			logger.log {userId}, "[SudoMode] using external auth, skipping sudo-mode check"
+			return next()
 		userId = AuthenticationController.getLoggedInUserId(req)
 		logger.log {userId}, "[SudoMode] protecting endpoint, checking if sudo mode is active"
 		SudoModeHandler.isSudoModeActive userId, (err, isActive) ->
--- a/services/web/app/coffee/infrastructure/ExpressLocals.coffee
+++ b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
@ -84,6 +84,11 @@ module.exports = (app, webRouter, apiRouter)->
 	webRouter.use addSetContentDisposition
 	apiRouter.use addSetContentDisposition

+	webRouter.use (req, res, next)->
+		req.externalAuthenticationSystemUsed = res.locals.externalAuthenticationSystemUsed = ->
+			Settings.ldap? or Settings.saml?
+		next()
+
 	webRouter.use (req, res, next)->

 		cdnBlocked = req.query.nocdn == 'true' or req.session.cdnBlocked
@ -222,11 +227,6 @@ module.exports = (app, webRouter, apiRouter)->
 		res.locals.formatPrice = SubscriptionFormatters.formatPrice
 		next()

-	webRouter.use (req, res, next)->
-		res.locals.externalAuthenticationSystemUsed = ->
-			Settings.ldap? or Settings.saml?
-		next()
-
 	webRouter.use (req, res, next)->
 		currentUser = AuthenticationController.getSessionUser(req)
 		if currentUser?
--- a/services/web/test/UnitTests/coffee/SudoMode/SudoModeControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/SudoMode/SudoModeControllerTests.coffee
@ -34,7 +34,7 @@ describe 'SudoModeController', ->
 	describe 'sudoModePrompt', ->
 		beforeEach ->
 			@SudoModeHandler.isSudoModeActive = sinon.stub().callsArgWith(1, null, false)
-			@req = {}
+			@req = {externalAuthenticationSystemUsed: sinon.stub().returns(false)}
 			@res = {redirect: sinon.stub(), render: sinon.stub()}
 			@next = sinon.stub()

@ -70,6 +70,27 @@ describe 'SudoModeController', ->
 				@next.callCount.should.equal 1
 				expect(@next.lastCall.args[0]).to.be.instanceof Error

+			it 'should not render page', ->
+				@SudoModeController.sudoModePrompt(@req, @res, @next)
+				@res.render.callCount.should.equal 0
+
+		describe 'when external auth system is used', ->
+			beforeEach ->
+				@req.externalAuthenticationSystemUsed = sinon.stub().returns(true)
+
+			it 'should redirect', ->
+				@SudoModeController.sudoModePrompt(@req, @res, @next)
+				@res.redirect.callCount.should.equal 1
+				@res.redirect.calledWith('/project').should.equal true
+
+			it 'should not check if sudo mode is active', ->
+				@SudoModeController.sudoModePrompt(@req, @res, @next)
+				@SudoModeHandler.isSudoModeActive.callCount.should.equal 0
+
+			it 'should not render page', ->
+				@SudoModeController.sudoModePrompt(@req, @res, @next)
+				@res.render.callCount.should.equal 0
+
 	describe 'submitPassword', ->
 		beforeEach ->
 			@AuthenticationController._getRedirectFromSession = sinon.stub().returns '/somewhere'
--- a/services/web/test/UnitTests/coffee/SudoMode/SudoModeMiddlewearTests.coffee
+++ b/services/web/test/UnitTests/coffee/SudoMode/SudoModeMiddlewearTests.coffee
@ -21,8 +21,9 @@ describe 'SudoModeMiddlewear', ->

 	describe 'protectPage', ->
 		beforeEach ->
+			@externalAuth = false
 			@call = (cb) =>
-				@req = {}
+				@req = {externalAuthenticationSystemUsed: sinon.stub().returns(@externalAuth)}
 				@res = {redirect: sinon.stub()}
 				@next = sinon.stub()
 				@SudoModeMiddlewear.protectPage @req, @res, @next
@ -100,3 +101,23 @@ describe 'SudoModeMiddlewear', ->
 					@next.callCount.should.equal 1
 					expect(@next.lastCall.args[0]).to.be.instanceof Error
 					done()
+
+		describe 'when external auth is being used', ->
+			beforeEach ->
+				@externalAuth = true
+
+			it 'should immediately return next with no args', (done) ->
+				@call () =>
+					@next.callCount.should.equal 1
+					expect(@next.lastCall.args[0]).to.not.exist
+					done()
+
+			it 'should not get the current user id', (done) ->
+				@call () =>
+					@AuthenticationController.getLoggedInUserId.callCount.should.equal 0
+					done()
+
+			it 'should not check if sudo-mode is active', (done) ->
+				@call () =>
+					@SudoModeHandler.isSudoModeActive.callCount.should.equal 0
+					done()