integration tests

Author: neSpecc

docker-compose.test.yml

@@ -11,9 +11,11 @@ services:
       - ./:/usr/src/app
       - /usr/src/app/node_modules
       - ./test/integration/api.env:/usr/src/app/.env
+      - ../keycloak:/keycloak:ro
     depends_on:
       - mongodb
       - rabbitmq
+      - keycloak
       # - accounting
     stdin_open: true
     tty: true
@@ -32,10 +34,20 @@ services:
         condition: service_healthy
       api:
         condition: service_started
-    command: dockerize -wait http://api:4000/.well-known/apollo/server-health -timeout 30s yarn jest --config=./test/integration/jest.config.js --runInBand test/integration
+      keycloak:
+        condition: service_healthy
+    environment:
+      - KEYCLOAK_URL=http://keycloak:8180
+    entrypoint: ["/bin/bash", "-c"]
+    command:
+      - |
+        dockerize -wait http://api:4000/.well-known/apollo/server-health -timeout 30s -wait http://keycloak:8180/health/ready -timeout 60s &&
+        /keycloak/setup.sh &&
+        yarn jest --config=./test/integration/jest.config.js --runInBand test/integration
     volumes:
       - ./:/usr/src/app
       - /usr/src/app/node_modules
+      - ../keycloak:/keycloak:ro
 
   rabbitmq:
     image: rabbitmq:3-management
@@ -52,6 +64,29 @@ services:
       timeout: 3s
       retries: 5
 
+  keycloak:
+    image: quay.io/keycloak/keycloak:23.0
+    environment:
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD=admin
+      - KC_HTTP_PORT=8180
+      - KC_HOSTNAME_STRICT=false
+      - KC_HOSTNAME_STRICT_HTTPS=false
+      - KC_HTTP_ENABLED=true
+      - KC_HEALTH_ENABLED=true
+    ports:
+      - 8180:8180
+    command:
+      - start-dev
+    volumes:
+      - keycloak-test-data:/opt/keycloak/data
+      - ../keycloak:/opt/keycloak/config
+    healthcheck:
+      test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8180;echo -e 'GET /health/ready HTTP/1.1\r\nhost: http://localhost\r\nConnection: close\r\n\r\n' >&3;if [ $? -eq 0 ]; then echo 'Healthcheck Successful';exit 0;else echo 'Healthcheck Failed';exit 1;fi;"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+
   # accounting:
   #   image: codexteamuser/codex-accounting:prod
   #   env_file:
@@ -61,3 +96,4 @@ services:
 
 volumes:
   mongodata-test:
+  keycloak-test-data:

docker/Dockerfile.dev

@@ -12,7 +12,7 @@ FROM node:${NODE_VERSION}-alpine
 
 WORKDIR /usr/src/app
 
-RUN apk add --no-cache openssl
+RUN apk add --no-cache openssl bash curl
 
 ENV DOCKERIZE_VERSION v0.6.1
 RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \

package.json

@@ -23,6 +23,7 @@
     "@shelf/jest-mongodb": "^6.0.2",
     "@swc/core": "^1.3.0",
     "@types/jest": "^26.0.8",
+    "@types/xml2js": "^0.4.14",
     "eslint": "^6.7.2",
     "eslint-config-codex": "1.2.4",
     "eslint-plugin-import": "^2.19.1",
@@ -32,7 +33,8 @@
     "redis-mock": "^0.56.3",
     "ts-jest": "^26.1.4",
     "ts-node": "^10.9.1",
-    "typescript": "^4.7.4"
+    "typescript": "^4.7.4",
+    "xml2js": "^0.6.2"
   },
   "dependencies": {
     "@ai-sdk/openai": "^2.0.64",
@@ -41,8 +43,9 @@
     "@graphql-tools/schema": "^8.5.1",
     "@graphql-tools/utils": "^8.9.0",
     "@hawk.so/nodejs": "^3.1.1",
-    "@hawk.so/types": "^0.4.0",
+    "@hawk.so/types": "^0.4.2",
     "@n1ru4l/json-patch-plus": "^0.2.0",
+    "@node-saml/node-saml": "^5.0.1",
     "@types/amqp-connection-manager": "^2.0.4",
     "@types/debug": "^4.1.5",
     "@types/escape-html": "^1.0.0",
@@ -57,7 +60,6 @@
     "@types/uuid": "^8.3.4",
     "ai": "^5.0.89",
     "amqp-connection-manager": "^3.1.0",
-    "@node-saml/node-saml": "^5.0.1",
     "amqplib": "^0.5.5",
     "apollo-server-express": "^3.10.0",
     "argon2": "^0.28.7",

src/resolvers/user.ts

@@ -94,13 +94,15 @@ export default {
     ): Promise<TokensPair> {
       const user = await factories.usersFactory.findByEmail(email);
 
-      if (!user || !(await user.comparePassword(password))) {
+      if (!user) {
         throw new AuthenticationError('Wrong email or password');
       }
 
       /**
        * Check if there is a workspace with enforced SSO
        * If user is a member of any workspace with enforced SSO, they must use SSO login
+       * This check must happen BEFORE password validation to prevent password-based login
+       * even if the password is correct
        */
       const workspacesIds = await user.getWorkspacesIds([]);
       const workspaces = await factories.workspacesFactory.findManyByIds(workspacesIds);
@@ -123,6 +125,13 @@ export default {
         throw error;
       }
 
+      /**
+       * Only validate password if SSO is not enforced
+       */
+      if (!(await user.comparePassword(password))) {
+        throw new AuthenticationError('Wrong email or password');
+      }
+
       return user.generateTokensPair();
     },
 

test/integration/api.env

@@ -72,13 +72,16 @@ GITHUB_CLIENT_ID=fakedata
 GITHUB_CLIENT_SECRET=fakedata
 
 ## Hawk API public url (used in OAuth to redirect to callback, should match OAuth app callback URL)
-API_URL=http://127.0.0.1:4000
+API_URL=http://localhost:4000
 
 ## Garage url
-GARAGE_URL=http://127.0.0.1:8080
+GARAGE_URL=http://localhost:8080
 
 ## Garage login url
-GARAGE_LOGIN_URL=http://127.0.0.1:8080/login
+GARAGE_LOGIN_URL=http://localhost:8080/login
+
+## SSO Service Provider Entity ID (must match Keycloak client ID)
+SSO_SP_ENTITY_ID=urn:hawk:tracker:saml
 
 ## Upload dir
 UPLOAD_DIR=uploads