import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
import fc from 'fast-check';
import { Action, Step } from '../../src/proxy/actions';
import type { Mock } from 'vitest';
// Swap the db module's exports for stubs so that each test decides which users
// exist and what the permission lookup answers.
vi.mock('../../src/db', () => {
  return {
    getUsers: vi.fn(),
    isUserPushAllowed: vi.fn(),
  };
});
// import after mocking
import { getUsers, isUserPushAllowed } from '../../src/db';
import { exec } from '../../src/proxy/processors/push-action/checkUserPushPermission';
describe('checkUserPushPermission', () => {
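// Typed handles on the stubbed db functions; assigned before every test.
let getUsersMock: Mock;
let isUserPushAllowedMock: Mock;

beforeEach(() => {
  getUsersMock = vi.mocked(getUsers);
  isUserPushAllowedMock = vi.mocked(isUserPushAllowed);

  // Fail closed by default. Several cases below never configure the permission
  // lookup, so without this their outcome would depend on whatever an earlier
  // test left behind and on how the reset calls in afterEach treat vi.fn()
  // implementations. Only a test that explicitly grants permission should
  // ever observe "allowed".
  isUserPushAllowedMock.mockResolvedValue(false);
});

afterEach(() => {
  // Drop recorded calls, then undo the spies installed by the tests.
  vi.clearAllMocks();
  vi.restoreAllMocks();
});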
describe('exec', () => {
// Per-test fixtures: the push under evaluation, a placeholder request object,
// and a spy on Step.prototype.log used to assert the audit messages.
let action: Action;
let req: any;
let stepLogSpy: ReturnType<typeof vi.spyOn>;

beforeEach(() => {
  const pushAction = new Action(
    '1234567890',
    'push',
    'POST',
    1234567890,
    'https://github.com/finos/git-proxy.git',
  );
  // Identity carried by the push; the cases below match it against the
  // records returned by the stubbed getUsers.
  pushAction.user = 'git-user';
  pushAction.userEmail = 'db-user@test.com';

  stepLogSpy = vi.spyOn(Step.prototype, 'log');
  action = pushAction;
  req = {};
});
it('should allow push when user has permission', async () => {
  // One matching user record, and the permission lookup grants access.
  const knownUser = { username: 'db-user', email: 'db-user@test.com', gitAccount: 'git-user' };
  getUsersMock.mockResolvedValue([knownUser]);
  isUserPushAllowedMock.mockResolvedValue(true);

  const { steps } = await exec(req, action);

  expect(steps).toHaveLength(1);
  expect(steps[0].error).toBe(false);

  // The permission result is logged at some point, and the "allowed" line is
  // the final log entry of the step.
  expect(stepLogSpy).toHaveBeenCalledWith(
    'User db-user@test.com permission on Repo https://github.com/finos/git-proxy.git : true',
  );
  expect(stepLogSpy).toHaveBeenLastCalledWith(
    'User db-user@test.com is allowed to push on repo https://github.com/finos/git-proxy.git',
  );
});
it('should reject push when user has no permission', async () => {
  // The user is known, but the permission lookup denies the push.
  const knownUser = { username: 'db-user', email: 'db-user@test.com', gitAccount: 'git-user' };
  getUsersMock.mockResolvedValue([knownUser]);
  isUserPushAllowedMock.mockResolvedValue(false);

  const { steps } = await exec(req, action);
  const [deniedStep] = steps;

  expect(steps).toHaveLength(1);
  expect(deniedStep.error).toBe(true);
  expect(deniedStep.errorMessage).toContain('Your push has been blocked');

  // Both the short denial marker and the full blocked message must be logged,
  // with the blocked message as the last entry.
  expect(stepLogSpy).toHaveBeenCalledWith('User not allowed to Push');
  expect(stepLogSpy).toHaveBeenLastCalledWith(
    `Your push has been blocked (db-user@test.com is not allowed to push on repo https://github.com/finos/git-proxy.git)`,
  );
});
it('should reject push when no user found for git account', async () => {
  // The lookup returns no user records at all.
  getUsersMock.mockResolvedValue([]);

  const { steps } = await exec(req, action);
  const [deniedStep] = steps;

  expect(steps).toHaveLength(1);
  expect(deniedStep.error).toBe(true);
  expect(deniedStep.errorMessage).toContain('Your push has been blocked');
  // The expected text is the same "not allowed" message used for a known
  // user without permission.
  // NOTE(review): this case does not check whether isUserPushAllowed was
  // consulted; consider asserting that once exec's lookup order is confirmed.
  expect(stepLogSpy).toHaveBeenLastCalledWith(
    `Your push has been blocked (db-user@test.com is not allowed to push on repo https://github.com/finos/git-proxy.git)`,
  );
});
it('should handle multiple users for git account by rejecting the push', async () => {
  // Two records share the same e-mail address, so the pusher's identity is
  // ambiguous and the push is expected to be refused.
  const duplicates = ['user1', 'user2'].map((username) => ({
    username,
    email: 'db-user@test.com',
    gitAccount: 'git-user',
  }));
  getUsersMock.mockResolvedValue(duplicates);

  const { steps } = await exec(req, action);

  expect(steps).toHaveLength(1);
  expect(steps[0].error).toBe(true);

  // An internal log line records the ambiguity; the blocked message is the
  // last entry.
  expect(stepLogSpy).toHaveBeenCalledWith(
    'Multiple users found with email address db-user@test.com, ending',
  );
  expect(stepLogSpy).toHaveBeenLastCalledWith(
    'Your push has been blocked (there are multiple users with email db-user@test.com)',
  );
});
it('should return error when no user is set in the action', async () => {
  // The push carries no identity at all: neither a git user nor an e-mail.
  action.userEmail = undefined;
  action.user = undefined;
  getUsersMock.mockResolvedValue([]);

  const { steps } = await exec(req, action);
  const [blockedStep] = steps;

  expect(steps).toHaveLength(1);
  expect(blockedStep.error).toBe(true);
  expect(blockedStep.errorMessage).toContain(
    'Push blocked: User not found. Please contact an administrator for support.',
  );
});
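describe('fuzzing', () => {
  it('should not crash on arbitrary getUsers return values (fuzzing)', async () => {
    // Pin the permission lookup to "deny" so the expected outcome below does
    // not depend on what an earlier test configured.
    isUserPushAllowedMock.mockResolvedValue(false);

    // Up to five user records holding arbitrary strings.
    const userListArb = fc.array(
      fc.record({
        username: fc.string(),
        gitAccount: fc.string(),
      }),
      { maxLength: 5 },
    );

    // fc.assert runs the property over many generated lists and reports the
    // seed and a shrunk counterexample on failure, so a denial-path regression
    // is reproducible; a single fc.sample draw gave neither.
    await fc.assert(
      fc.asyncProperty(userListArb, async (userList) => {
        // Use a fresh action for every run so that steps recorded by a
        // previous run cannot affect the length assertion.
        const fuzzAction = new Action(
          '1234567890',
          'push',
          'POST',
          1234567890,
          'https://github.com/finos/git-proxy.git',
        );
        fuzzAction.user = 'git-user';
        fuzzAction.userEmail = 'db-user@test.com';

        getUsersMock.mockResolvedValue(userList);

        const result = await exec(req, fuzzAction);

        // With permission denied, every generated list must end in exactly
        // one step that is flagged as an error.
        expect(result.steps).toHaveLength(1);
        expect(result.steps[0].error).toBe(true);
      }),
    );
  });
});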
});
});