From 60d3e4a97b27960a2322e05c016126aeeac197cd Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Mon, 15 May 2017 15:46:24 +0100
Subject: [PATCH] If external auth system is in use, skip sudo-mode checks

---
 .../SudoMode/SudoModeController.coffee | 3 +++
 .../SudoMode/SudoModeMiddlewear.coffee | 3 +++
 .../infrastructure/ExpressLocals.coffee | 10 ++++----
 .../SudoMode/SudoModeControllerTests.coffee | 23 ++++++++++++++++++-
 .../SudoMode/SudoModeMiddlewearTests.coffee | 23 ++++++++++++++++++-
 5 files changed, 55 insertions(+), 7 deletions(-)

diff --git a/services/web/app/coffee/Features/SudoMode/SudoModeController.coffee b/services/web/app/coffee/Features/SudoMode/SudoModeController.coffee
index 1e3e9592b6..da31522a6c 100644
--- a/services/web/app/coffee/Features/SudoMode/SudoModeController.coffee
+++ b/services/web/app/coffee/Features/SudoMode/SudoModeController.coffee
@@ -9,6 +9,9 @@ UserGetter = require '../User/UserGetter'
 module.exports = SudoModeController =
 
 	sudoModePrompt: (req, res, next) ->
+		if req.externalAuthenticationSystemUsed()
+			logger.log {userId}, "[SudoMode] using external auth, redirecting"
+			return res.redirect('/project')
 		userId = AuthenticationController.getLoggedInUserId(req)
 		logger.log {userId}, "[SudoMode] rendering sudo mode password page"
 		SudoModeHandler.isSudoModeActive userId, (err, isActive) ->
diff --git a/services/web/app/coffee/Features/SudoMode/SudoModeMiddlewear.coffee b/services/web/app/coffee/Features/SudoMode/SudoModeMiddlewear.coffee
index 62516f0d34..479d67eee0 100644
--- a/services/web/app/coffee/Features/SudoMode/SudoModeMiddlewear.coffee
+++ b/services/web/app/coffee/Features/SudoMode/SudoModeMiddlewear.coffee
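Review bot: `userId` is logged before it is assigned on the added line `logger.log {userId}, "[SudoMode] using external auth, redirecting"`, so that log entry always carries `userId: undefined`; CoffeeScript hoists the later `userId = ...` assignment, which is why this compiles without complaint. In sudoModePrompt the simplest fix is to move `userId = AuthenticationController.getLoggedInUserId(req)` above the `if`. The SudoModeMiddlewear hunk has the same defect, but its new unit test pins that getLoggedInUserId is not called on the external-auth path, so there the log should drop `{userId}` (or read the id from the session directly) rather than reorder. sudoModePrompt's body continues outside the hunk.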
@@ -6,6 +6,9 @@ AuthenticationController = require '../Authentication/AuthenticationController'
 module.exports = SudoModeMiddlewear =
 
 	protectPage: (req, res, next) ->
+		if req.externalAuthenticationSystemUsed()
+			logger.log {userId}, "[SudoMode] using external auth, skipping sudo-mode check"
+			return next()
 		userId = AuthenticationController.getLoggedInUserId(req)
 		logger.log {userId}, "[SudoMode] protecting endpoint, checking if sudo mode is active"
 		SudoModeHandler.isSudoModeActive userId, (err, isActive) ->
diff --git a/services/web/app/coffee/infrastructure/ExpressLocals.coffee b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
index ba753cc86e..100fd28bd6 100644
--- a/services/web/app/coffee/infrastructure/ExpressLocals.coffee
+++ b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
@@ -84,6 +84,11 @@ module.exports = (app, webRouter, apiRouter)->
 	webRouter.use addSetContentDisposition
 	apiRouter.use addSetContentDisposition
 
+	webRouter.use (req, res, next)->
+		req.externalAuthenticationSystemUsed = res.locals.externalAuthenticationSystemUsed = ->
+			Settings.ldap? or Settings.saml?
+		next()
+
 	webRouter.use (req, res, next)->
 		cdnBlocked = req.query.nocdn == 'true' or req.session.cdnBlocked
 
@@ -222,11 +227,6 @@ module.exports = (app, webRouter, apiRouter)->
 		res.locals.formatPrice = SubscriptionFormatters.formatPrice
 		next()
 
-	webRouter.use (req, res, next)->
-		res.locals.externalAuthenticationSystemUsed = ->
-			Settings.ldap? or Settings.saml?
-		next()
-
 	webRouter.use (req, res, next)->
 		currentUser = AuthenticationController.getSessionUser(req)
 		if currentUser?
diff --git a/services/web/test/UnitTests/coffee/SudoMode/SudoModeControllerTests.coffee b/services/web/test/UnitTests/coffee/SudoMode/SudoModeControllerTests.coffee
index 1870ba1d76..c1de2e278c 100644
--- a/services/web/test/UnitTests/coffee/SudoMode/SudoModeControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/SudoMode/SudoModeControllerTests.coffee
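Review bot: protectPage now calls `req.externalAuthenticationSystemUsed()` unconditionally, but that helper is attached by a webRouter-only middleware in ExpressLocals (see the hunk in this patch); any route that reaches protectPage without that middleware having run — a different router, or a registration-order change — throws a TypeError and fails the request with a 500 instead of enforcing sudo mode. Using the existential call `if req.externalAuthenticationSystemUsed?()` keeps the gate fail-closed (sudo mode is enforced whenever the helper is missing) without the crash. The same applies to sudoModePrompt in SudoModeController. protectPage's body continues outside the hunk.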
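Review bot: The predicate now gates a security control — the SudoMode hunks skip password re-authentication entirely when it returns true — yet nothing documents that, and its semantics are easy to misread: `Settings.ldap? or Settings.saml?` is an instance-wide presence check, not a per-session statement that the current user actually signed in through LDAP or SAML. A comment above the new middleware along the lines of `# Instance-wide: true when an LDAP or SAML config block exists at all. SudoMode relies on this to skip password re-authentication, so this must be registered before any SudoMode route; it says nothing about how the current session was authenticated.` would make both the ordering dependency and the scope explicit. If an instance can hold locally registered users alongside externally authenticated ones — not visible from this patch — those users also skip re-authentication, which is worth confirming as intended.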
@@ -34,7 +34,7 @@ describe 'SudoModeController', ->
 	describe 'sudoModePrompt', ->
 		beforeEach ->
 			@SudoModeHandler.isSudoModeActive = sinon.stub().callsArgWith(1, null, false)
-			@req = {}
+			@req = {externalAuthenticationSystemUsed: sinon.stub().returns(false)}
 			@res = {redirect: sinon.stub(), render: sinon.stub()}
 			@next = sinon.stub()
 
@@ -70,6 +70,27 @@ describe 'SudoModeController', ->
 			@next.callCount.should.equal 1
 			expect(@next.lastCall.args[0]).to.be.instanceof Error
 
+		it 'should not render page', ->
+			@SudoModeController.sudoModePrompt(@req, @res, @next)
+			@res.render.callCount.should.equal 0
+
+		describe 'when external auth system is used', ->
+			beforeEach ->
+				@req.externalAuthenticationSystemUsed = sinon.stub().returns(true)
+
+			it 'should redirect', ->
+				@SudoModeController.sudoModePrompt(@req, @res, @next)
+				@res.redirect.callCount.should.equal 1
+				@res.redirect.calledWith('/project').should.equal true
+
+			it 'should not check if sudo mode is active', ->
+				@SudoModeController.sudoModePrompt(@req, @res, @next)
+				@SudoModeHandler.isSudoModeActive.callCount.should.equal 0
+
+			it 'should not render page', ->
+				@SudoModeController.sudoModePrompt(@req, @res, @next)
+				@res.render.callCount.should.equal 0
+
 	describe 'submitPassword', ->
 		beforeEach ->
 			@AuthenticationController._getRedirectFromSession = sinon.stub().returns '/somewhere'
diff --git a/services/web/test/UnitTests/coffee/SudoMode/SudoModeMiddlewearTests.coffee b/services/web/test/UnitTests/coffee/SudoMode/SudoModeMiddlewearTests.coffee
index 0815428846..00e8d0ae57 100644
--- a/services/web/test/UnitTests/coffee/SudoMode/SudoModeMiddlewearTests.coffee
+++ b/services/web/test/UnitTests/coffee/SudoMode/SudoModeMiddlewearTests.coffee
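Review bot: The 'when external auth system is used' cases in the second hunk check the redirect and the skipped handler call but never assert that the chain does not continue; an `it 'should not call next'` with `@next.callCount.should.equal 0` would pin that the early return is a terminal response, mirroring the no-args `next` check in the middleware tests. The first added `it 'should not render page'` sits under a describe that starts outside the hunk, so which error path it belongs to cannot be confirmed from here.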
@@ -21,8 +21,9 @@ describe 'SudoModeMiddlewear', ->
 
 	describe 'protectPage', ->
 		beforeEach ->
+			@externalAuth = false
 			@call = (cb) =>
-				@req = {}
+				@req = {externalAuthenticationSystemUsed: sinon.stub().returns(@externalAuth)}
 				@res = {redirect: sinon.stub()}
 				@next = sinon.stub()
 				@SudoModeMiddlewear.protectPage @req, @res, @next
@@ -100,3 +101,23 @@ describe 'SudoModeMiddlewear', ->
 				@next.callCount.should.equal 1
 				expect(@next.lastCall.args[0]).to.be.instanceof Error
 				done()
+
+		describe 'when external auth is being used', ->
+			beforeEach ->
+				@externalAuth = true
+
+			it 'should immediately return next with no args', (done) ->
+				@call () =>
+					@next.callCount.should.equal 1
+					expect(@next.lastCall.args[0]).to.not.exist
+					done()
+
+			it 'should not get the current user id', (done) ->
+				@call () =>
+					@AuthenticationController.getLoggedInUserId.callCount.should.equal 0
+					done()
+
+			it 'should not check if sudo-mode is active', (done) ->
+				@call () =>
+					@SudoModeHandler.isSudoModeActive.callCount.should.equal 0
+					done()
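Review bot: The 'when external auth is being used' cases in the second hunk assert that `next` is called with no arguments, but nothing asserts the response is not also redirected; adding `it 'should not redirect'` with `@res.redirect.callCount.should.equal 0` closes that gap cheaply, since `@res` is already stubbed inside `@call`. The `@externalAuth` flag introduced in the first hunk is read lazily when `@call` runs, so the nested `beforeEach` override works as intended.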