fix access control

ref #238
rlidwka · Apr 21, 2015 · 137fd59 · 137fd59
1 parent e8593c4
commit 137fd59
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 2 deletions.
diff --git a/lib/auth.js b/lib/auth.js
@@ -154,11 +154,11 @@ Auth.prototype.allow_publish = function(package_name, user, callback) {
   ;(function next() {
     var p = plugins.shift()
 
-    if (typeof(p.allow_access) !== 'function') {
+    if (typeof(p.allow_publish) !== 'function') {
       return next()
     }
 
-    p.allow_access(user, package, function(err, ok) {
+    p.allow_publish(user, package, function(err, ok) {
       if (err) return callback(err)
       if (ok) return callback(null, ok)
       next() // cb(null, false) causes next plugin to roll

diff --git a/test/functional/access.js b/test/functional/access.js
@@ -0,0 +1,80 @@
+
+module.exports = function () {
+  describe('access control', function () {
+    var server = process.server
+    var oldauth
+
+    before(function () {
+      oldauth = server.authstr
+    })
+
+    after(function () {
+      server.authstr = oldauth
+    })
+
+    function check_access(auth, pkg, ok) {
+      it((ok ? 'allows' : 'forbids') +' access ' + auth + ' to ' + pkg, function () {
+        server.authstr = auth
+                       ? 'Basic '+(new Buffer(auth).toString('base64'))
+                       : undefined
+
+        var req = server.get_package(pkg)
+
+        if (ok) {
+          return req.status(404)
+                    .body_error(/no such package available/)
+        } else {
+          return req.status(403)
+                    .body_error(/not allowed to access package/)
+        }
+      })
+    }
+
+    function check_publish(auth, pkg, ok) {
+      it((ok ? 'allows' : 'forbids') + ' publish ' + auth + ' to ' + pkg, function () {
+        server.authstr = auth
+                       ? 'Basic '+(new Buffer(auth).toString('base64'))
+                       : undefined
+
+        var req = server.put_package(pkg, require('./lib/package')(pkg))
+
+        if (ok) {
+          return req.status(404)
+                    .body_error(/this package cannot be added/)
+        } else {
+          return req.status(403)
+                    .body_error(/not allowed to publish package/)
+        }
+      })
+    }
+
+    check_access('test:test',     'test-access-only',  true)
+    check_access(undefined,       'test-access-only',  true)
+    check_access('test:badpass',  'test-access-only',  true)
+    check_publish('test:test',    'test-access-only',  false)
+    check_publish(undefined,      'test-access-only',  false)
+    check_publish('test:badpass', 'test-access-only',  false)
+
+    check_access('test:test',     'test-publish-only', false)
+    check_access(undefined,       'test-publish-only', false)
+    check_access('test:badpass',  'test-publish-only', false)
+    check_publish('test:test',    'test-publish-only', true)
+    check_publish(undefined,      'test-publish-only', true)
+    check_publish('test:badpass', 'test-publish-only', true)
+
+    check_access('test:test',     'test-only-test',  true)
+    check_access(undefined,       'test-only-test', false)
+    check_access('test:badpass',  'test-only-test', false)
+    check_publish('test:test',    'test-only-test',  true)
+    check_publish(undefined,      'test-only-test', false)
+    check_publish('test:badpass', 'test-only-test', false)
+
+    check_access('test:test',     'test-only-auth',  true)
+    check_access(undefined,       'test-only-auth', false)
+    check_access('test:badpass',  'test-only-auth', false)
+    check_publish('test:test',    'test-only-auth',  true)
+    check_publish(undefined,      'test-only-auth', false)
+    check_publish('test:badpass', 'test-only-auth', false)
+  })
+}
+
diff --git a/test/functional/config-1.yaml b/test/functional/config-1.yaml
@@ -56,6 +56,26 @@ packages:
     allow_publish: all
     proxy_access: baduplink
 
+  'test-access-only':
+    allow_access: $all
+    allow_publish: nobody
+    storage: false
+
+  'test-publish-only':
+    allow_access: nobody
+    allow_publish: $all
+    storage: false
+
+  'test-only-test':
+    allow_access: test
+    allow_publish: test
+    storage: false
+
+  'test-only-auth':
+    allow_access: $authenticated
+    allow_publish: $authenticated
+    storage: false
+
   '*':
     allow_access: test undefined
     allow_publish: test undefined

diff --git a/test/functional/index.js b/test/functional/index.js
@@ -45,6 +45,7 @@ describe('Func', function() {
 
   it('authenticate', function(){/* test for before() */})
 
+  require('./access')()
   require('./basic')()
   require('./gh29')()
   require('./tags')()