Refactor SAML validation logic and add unit tests

Moved SAML audience, recipient, and time condition validation functions from SamlService to a new utils module for better separation of concerns. Added comprehensive unit tests for these utility functions and for SAML service logic. Improved test data isolation by introducing a unique test string generator. Updated existing user and usersFactory tests to use the new generator and ensure test isolation. Also, prevented MongoDB metrics setup in test environments.

Author: neSpecc

src/metrics/mongodb.ts

@@ -260,6 +260,18 @@ function logCommandFailed(event: any): void {
  * @param client - MongoDB client to monitor
  */
 export function setupMongoMetrics(client: MongoClient): void {
+  /**
+   * Skip setup in test environment
+   * Check NODE_ENV or if running under Jest
+   */
+  if (
+    process.env.NODE_ENV === 'test' ||
+    process.env.NODE_ENV === 'e2e' ||
+    typeof jest !== 'undefined'
+  ) {
+    return;
+  }
+
   client.on('commandStarted', (event) => {
     storeCommandInfo(event);
 

src/sso/saml/service.ts

@@ -1,5 +1,6 @@
 import { SamlConfig, SamlResponseData } from '../types';
 import { SamlValidationError, SamlValidationErrorType } from './types';
+import { validateAudience, validateRecipient, validateTimeConditions } from './utils';
 
 /**
  * Service for SAML SSO operations
@@ -65,51 +66,5 @@ export default class SamlService {
     throw new Error('Not implemented');
   }
 
-  /**
-   * Validate Audience value
-   *
-   * @param audience - audience value from SAML Assertion
-   * @returns true if audience matches SSO_SP_ENTITY_ID
-   */
-  public validateAudience(audience: string): boolean {
-    const spEntityId = process.env.SSO_SP_ENTITY_ID;
-
-    if (!spEntityId) {
-      throw new Error('SSO_SP_ENTITY_ID environment variable is not set');
-    }
-
-    return audience === spEntityId;
-  }
-
-  /**
-   * Validate Recipient value
-   *
-   * @param recipient - recipient URL from SAML Assertion
-   * @param expectedAcsUrl - expected ACS URL
-   * @returns true if recipient matches expected ACS URL
-   */
-  public validateRecipient(recipient: string, expectedAcsUrl: string): boolean {
-    return recipient === expectedAcsUrl;
-  }
-
-  /**
-   * Validate time conditions (NotBefore and NotOnOrAfter)
-   *
-   * @param notBefore - NotBefore timestamp
-   * @param notOnOrAfter - NotOnOrAfter timestamp
-   * @param clockSkew - allowed clock skew in milliseconds (default: 2 minutes)
-   * @returns true if assertion is valid at current time
-   */
-  public validateTimeConditions(
-    notBefore: Date,
-    notOnOrAfter: Date,
-    clockSkew: number = 2 * 60 * 1000
-  ): boolean {
-    const now = Date.now();
-    const notBeforeTime = notBefore.getTime() - clockSkew;
-    const notOnOrAfterTime = notOnOrAfter.getTime() + clockSkew;
-
-    return now >= notBeforeTime && now < notOnOrAfterTime;
-  }
 }
 

src/sso/saml/utils.ts

@@ -33,3 +33,51 @@ export function isValidPemCertificate(cert: string): boolean {
   return cert.includes('-----BEGIN CERTIFICATE-----') && cert.includes('-----END CERTIFICATE-----');
 }
 
+/**
+ * Validate Audience value
+ *
+ * @param audience - audience value from SAML Assertion
+ * @returns true if audience matches SSO_SP_ENTITY_ID
+ * @throws Error if SSO_SP_ENTITY_ID environment variable is not set
+ */
+export function validateAudience(audience: string): boolean {
+  const spEntityId = process.env.SSO_SP_ENTITY_ID;
+
+  if (!spEntityId) {
+    throw new Error('SSO_SP_ENTITY_ID environment variable is not set');
+  }
+
+  return audience === spEntityId;
+}
+
+/**
+ * Validate Recipient value
+ *
+ * @param recipient - recipient URL from SAML Assertion
+ * @param expectedAcsUrl - expected ACS URL
+ * @returns true if recipient matches expected ACS URL
+ */
+export function validateRecipient(recipient: string, expectedAcsUrl: string): boolean {
+  return recipient === expectedAcsUrl;
+}
+
+/**
+ * Validate time conditions (NotBefore and NotOnOrAfter)
+ *
+ * @param notBefore - NotBefore timestamp
+ * @param notOnOrAfter - NotOnOrAfter timestamp
+ * @param clockSkew - allowed clock skew in milliseconds (default: 2 minutes)
+ * @returns true if assertion is valid at current time
+ */
+export function validateTimeConditions(
+  notBefore: Date,
+  notOnOrAfter: Date,
+  clockSkew: number = 2 * 60 * 1000
+): boolean {
+  const now = Date.now();
+  const notBeforeTime = notBefore.getTime() - clockSkew;
+  const notOnOrAfterTime = notOnOrAfter.getTime() + clockSkew;
+
+  return now >= notBeforeTime && now < notOnOrAfterTime;
+}
+

test/models/user.test.ts

@@ -3,6 +3,7 @@ import UserModel from '../../src/models/user';
 import UsersFactory from '../../src/models/usersFactory';
 import * as mongo from '../../src/mongo';
 import DataLoaders from '../../src/dataLoaders';
+import { generateTestString } from '../utils/testData';
 
 beforeAll(async () => {
   await mongo.setupConnections();
@@ -11,36 +12,30 @@ beforeAll(async () => {
 describe('UserModel SSO identities', () => {
   let usersFactory: UsersFactory;
   let testUser: UserModel;
-  const testWorkspaceId = '507f1f77bcf86cd799439011';
-  const testSamlId = 'test-saml-name-id-123';
-  const testEmail = '[email protected]';
 
   beforeEach(async () => {
     /**
-     * Create factory instance
+     * Create factory instance with fresh DataLoaders
      */
     usersFactory = new UsersFactory(
       mongo.databases.hawk as any,
       new DataLoaders(mongo.databases.hawk as any)
     );
-
-    /**
-     * Create test user
-     */
-    testUser = await usersFactory.create(testEmail, 'test-password-123');
   });
 
   afterEach(async () => {
-    /**
-     * Clean up test user
-     */
-    if (testUser && testUser.email) {
+    if (testUser?.email) {
       await usersFactory.deleteByEmail(testUser.email);
     }
   });
 
   describe('linkSamlIdentity', () => {
     it('should link SAML identity to user and update local state', async () => {
+      const testWorkspaceId = '507f1f77bcf86cd799439011';
+      const testSamlId = generateTestString('model-link');
+      const testEmail = generateTestString('[email protected]');
+
+      testUser = await usersFactory.create(testEmail, 'test-password-123');
       /**
        * Initially, user should not have any identities
        */
@@ -63,6 +58,11 @@ describe('UserModel SSO identities', () => {
     });
 
     it('should persist SAML identity in database', async () => {
+      const testWorkspaceId = '507f1f77bcf86cd799439011';
+      const testSamlId = generateTestString('model-persist');
+      const testEmail = generateTestString('[email protected]');
+
+      testUser = await usersFactory.create(testEmail, 'test-password-123');
       /**
        * Link SAML identity
        */
@@ -83,13 +83,21 @@ describe('UserModel SSO identities', () => {
     });
 
     it('should update existing SAML identity for the same workspace', async () => {
-      const newSamlId = 'updated-saml-name-id-789';
+      const testWorkspaceId = '507f1f77bcf86cd799439011';
+      const testEmail = generateTestString('[email protected]');
+      testUser = await usersFactory.create(testEmail, 'test-password-123');
+
+      /**
+       * Use unique SAML IDs for this test
+       */
+      const initialSamlId = generateTestString('initial-identity');
+      const newSamlId = generateTestString('updated-identity');
       const newEmail = '[email protected]';
 
       /**
        * Link initial identity
        */
-      await testUser.linkSamlIdentity(testWorkspaceId, testSamlId, testEmail);
+      await testUser.linkSamlIdentity(testWorkspaceId, initialSamlId, testEmail);
 
       /**
        * Update identity for the same workspace
@@ -116,7 +124,10 @@ describe('UserModel SSO identities', () => {
   });
 
   describe('getSamlIdentity', () => {
-    it('should return null when identity does not exist', () => {
+    it('should return null when identity does not exist', async () => {
+      const testWorkspaceId = '507f1f77bcf86cd799439011';
+      const testEmail = generateTestString('[email protected]');
+      testUser = await usersFactory.create(testEmail, 'test-password-123');
       /**
        * User without any identities
        */
@@ -125,6 +136,11 @@ describe('UserModel SSO identities', () => {
     });
 
     it('should return SAML identity when it exists', async () => {
+      const testWorkspaceId = '507f1f77bcf86cd799439011';
+      const testSamlId = generateTestString('model-get');
+      const testEmail = generateTestString('[email protected]');
+
+      testUser = await usersFactory.create(testEmail, 'test-password-123');
       /**
        * Link SAML identity
        */