simple-sso/test/sessions.utest.lua

local lu = require("luaunit")
local ngx = require("ngx")
local b64 = require("ssso_base64")
local conf = require("ssso_config")
local crypt = require("ssso_crypto")
local login = require("ssso_login")
local sess = require("ssso_sessions")
local sites = require("ssso_sites")

local here = debug.getinfo(1).source:sub(2, -20)
conf.load_conf(here)
sites.load_sites(here)

function test_no_session_and_hint_401_if_no_cookie()
  -- given
  ngx.req.reset()
  ngx.reset_var()
  -- when
  local s, h = sess.get_session()
  -- then
  lu.assertNil(s)
  lu.assertEquals(h, 401)
end

function test_no_session_and_hint_401_if_empty_cookie()
  -- given
  ngx.req.reset()
  ngx.reset_var()
  ngx.var.cookie_SSSO_TOKEN = ""
  -- when
  local s, h = sess.get_session()
  -- then
  lu.assertNil(s)
  lu.assertEquals(h, 401)
end

function test_no_session_and_hint_403_if_bad_cookie()
  -- given
  ngx.req.reset()
  ngx.reset_var()
  ngx.var.cookie_SSSO_TOKEN = "zzz"
  -- when
  local s, h = sess.get_session()
  -- then
  lu.assertNil(s)
  lu.assertEquals(h, 403)
end

function test_session_and_cookie_renewal_if_good_cookie()
  -- given
  ngx.req.reset()
  ngx.reset_header()
  ngx.reset_var()
  local profile = sites.class__profile:build_from_lists("bob", nil, nil, nil, {}, {})
  local c, _ = crypt.get_jws_and_tslimit(profile)
  ngx.var.cookie_SSSO_TOKEN = c
  -- when
  local s, h = sess.get_session()
  -- then
  lu.assertEquals(s, profile)
  lu.assertEquals(h, 200)
  lu.assertNil(ngx.header["Set-Cookie"].link)
  lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")
end

function test_good_basic_auth_credentials_generate_a_session_and_a_cookie()
  -- given
  ngx.req.reset()
  ngx.reset_header()
  ngx.reset_var()
  ngx.var.Authentication = "Basic " .. b64.encode_base64("bob:goodpassword")
  local expected = login.check_credentials_and_get_profile("bob", "goodpassword")
  -- when
  local s, h = sess.get_session()
  -- then
  lu.assertEquals(h, 200)
  lu.assertEquals(s, expected)
  lu.assertNil(ngx.header["Set-Cookie"].link)
  lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")
end

function test_basic_auth_takes_precedence_over_cookie()
  -- given
  ngx.req.reset()
  ngx.reset_header()
  ngx.reset_var()
  local profile = sites.class__profile:build_from_lists("forget me", nil, nil, nil, {}, {})
  local c, _ = crypt.get_jws_and_tslimit(profile)
  ngx.var.cookie_SSSO_TOKEN = c
  ngx.var.Authentication = "Basic " .. b64.encode_base64("bob:goodpassword")
  -- when
  local s, h = sess.get_session()
  -- then
  lu.assertEquals(h, 200)
  lu.assertEquals(s:user(), "bob")
  lu.assertNil(ngx.header["Set-Cookie"].link)
  lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")
end

function test_basic_auth_ignored_if_invalid()
  -- given
  ngx.req.reset()
  ngx.reset_header()
  ngx.reset_var()
  local profile = sites.class__profile:build_from_lists("do not forget me", nil, nil, nil, {}, {})
  local c, _ = crypt.get_jws_and_tslimit(profile)
  ngx.var.cookie_SSSO_TOKEN = c
  ngx.var.Authentication = "Basic !!!!"
  -- when
  local s, h = sess.get_session()
  -- then
  lu.assertEquals(h, 200)
  lu.assertEquals(s:user(), "do not forget me")
  lu.assertNil(ngx.header["Set-Cookie"].link)
  lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")
end

os.exit(lu.LuaUnit.run())
minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00			`local lu = require("luaunit")`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`local ngx = require("ngx")`
			`local b64 = require("ssso_base64")`
minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00			`local conf = require("ssso_config")`
			`local crypt = require("ssso_crypto")`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`local login = require("ssso_login")`
			`local sess = require("ssso_sessions")`
			`local sites = require("ssso_sites")`
minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00
			`local here = debug.getinfo(1).source:sub(2, -20)`
			`conf.load_conf(here)`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`sites.load_sites(here)`
minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00
			`function test_no_session_and_hint_401_if_no_cookie()`
			`-- given`
			`ngx.req.reset()`
			`ngx.reset_var()`
			`-- when`
			`local s, h = sess.get_session()`
			`-- then`
			`lu.assertNil(s)`
			`lu.assertEquals(h, 401)`
			`end`

			`function test_no_session_and_hint_401_if_empty_cookie()`
			`-- given`
			`ngx.req.reset()`
			`ngx.reset_var()`
			`ngx.var.cookie_SSSO_TOKEN = ""`
			`-- when`
			`local s, h = sess.get_session()`
			`-- then`
			`lu.assertNil(s)`
			`lu.assertEquals(h, 401)`
			`end`

			`function test_no_session_and_hint_403_if_bad_cookie()`
			`-- given`
			`ngx.req.reset()`
			`ngx.reset_var()`
			`ngx.var.cookie_SSSO_TOKEN = "zzz"`
			`-- when`
			`local s, h = sess.get_session()`
			`-- then`
			`lu.assertNil(s)`
			`lu.assertEquals(h, 403)`
			`end`

			`function test_session_and_cookie_renewal_if_good_cookie()`
			`-- given`
			`ngx.req.reset()`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`ngx.reset_header()`
minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00			`ngx.reset_var()`
refactor: use OOP where appropriate 2021-10-02 23:45:31 +02:00			`local profile = sites.class__profile:build_from_lists("bob", nil, nil, nil, {}, {})`
			`local c, _ = crypt.get_jws_and_tslimit(profile)`
minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00			`ngx.var.cookie_SSSO_TOKEN = c`
			`-- when`
			`local s, h = sess.get_session()`
			`-- then`
refactor: use OOP where appropriate 2021-10-02 23:45:31 +02:00			`lu.assertEquals(s, profile)`
minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00			`lu.assertEquals(h, 200)`
			`lu.assertNil(ngx.header["Set-Cookie"].link)`
			`lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")`
			`end`

HTTP basic auth 2021-09-02 22:58:01 +02:00			`function test_good_basic_auth_credentials_generate_a_session_and_a_cookie()`
			`-- given`
			`ngx.req.reset()`
			`ngx.reset_header()`
			`ngx.reset_var()`
			`ngx.var.Authentication = "Basic " .. b64.encode_base64("bob:goodpassword")`
			`local expected = login.check_credentials_and_get_profile("bob", "goodpassword")`
			`-- when`
			`local s, h = sess.get_session()`
			`-- then`
			`lu.assertEquals(h, 200)`
			`lu.assertEquals(s, expected)`
			`lu.assertNil(ngx.header["Set-Cookie"].link)`
			`lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")`
			`end`

			`function test_basic_auth_takes_precedence_over_cookie()`
			`-- given`
			`ngx.req.reset()`
			`ngx.reset_header()`
			`ngx.reset_var()`
refactor: use OOP where appropriate 2021-10-02 23:45:31 +02:00			`local profile = sites.class__profile:build_from_lists("forget me", nil, nil, nil, {}, {})`
			`local c, _ = crypt.get_jws_and_tslimit(profile)`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`ngx.var.cookie_SSSO_TOKEN = c`
			`ngx.var.Authentication = "Basic " .. b64.encode_base64("bob:goodpassword")`
			`-- when`
			`local s, h = sess.get_session()`
			`-- then`
			`lu.assertEquals(h, 200)`
refactor: use OOP where appropriate 2021-10-02 23:45:31 +02:00			`lu.assertEquals(s:user(), "bob")`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`lu.assertNil(ngx.header["Set-Cookie"].link)`
			`lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")`
			`end`

			`function test_basic_auth_ignored_if_invalid()`
			`-- given`
			`ngx.req.reset()`
			`ngx.reset_header()`
			`ngx.reset_var()`
refactor: use OOP where appropriate 2021-10-02 23:45:31 +02:00			`local profile = sites.class__profile:build_from_lists("do not forget me", nil, nil, nil, {}, {})`
			`local c, _ = crypt.get_jws_and_tslimit(profile)`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`ngx.var.cookie_SSSO_TOKEN = c`
			`ngx.var.Authentication = "Basic !!!!"`
			`-- when`
			`local s, h = sess.get_session()`
			`-- then`
			`lu.assertEquals(h, 200)`
refactor: use OOP where appropriate 2021-10-02 23:45:31 +02:00			`lu.assertEquals(s:user(), "do not forget me")`
HTTP basic auth 2021-09-02 22:58:01 +02:00			`lu.assertNil(ngx.header["Set-Cookie"].link)`
			`lu.assertStrMatches(ngx.header["Set-Cookie"].v, "SSSO_TOKEN=[^%.]+%.[^%.]+%.[^%.]+; Path=/; Expires=1626550390; Secure")`
			`end`

minimum: login, portal, redirects; todo: refactor, quality, security review 2021-08-09 17:43:42 +02:00			`os.exit(lu.LuaUnit.run())`