test: coverage for push API calls

Author: kriswest

src/service/routes/push.js

@@ -36,16 +36,13 @@ router.get('/:id', async (req, res) => {
 router.post('/:id/reject', async (req, res) => {
   if (req.user) {
     const id = req.params.id;
-    console.log({ id });
 
     // Get the push request
     const push = await db.getPush(id);
-    console.log({ push });
 
     // Get the committer of the push via their email
     const committerEmail = push.userEmail;
     const list = await db.getUsers({ email: committerEmail });
-    console.log({ list });
 
     if (list.length === 0) {
       res.status(401).send({
@@ -86,6 +83,8 @@ router.post('/:id/authorise', async (req, res) => {
   const questions = req.body.params?.attestation;
   console.log({ questions });
 
+  // TODO: compare attestation to configuration and ensure all questions are answered
+  // - we shouldn't go on the definition in the request!
   const attestationComplete = questions?.every((question) => !!question.checked);
   console.log({ attestationComplete });
 

test/testPush.test.js

@@ -8,32 +8,120 @@ chai.use(chaiHttp);
 chai.should();
 const expect = chai.expect;
 
+// dummy repo
+const TEST_ORG = 'finos';
+const TEST_REPO = 'test-push';
+const TEST_URL = 'https://github.com/finos/test-push.git';
+// approver user
+const TEST_USERNAME_1 = 'push-test';
+const TEST_EMAIL_1 = '[email protected]';
+const TEST_PASSWORD_1 = 'test1234';
+// committer user
+const TEST_USERNAME_2 = 'push-test-2';
+const TEST_EMAIL_2 = '[email protected]';
+const TEST_PASSWORD_2 = 'test5678';
+// unknown user
+const TEST_USERNAME_3 = 'push-test-3';
+const TEST_EMAIL_3 = '[email protected]';
+
+const TEST_PUSH = {
+  steps: [],
+  error: false,
+  blocked: false,
+  allowPush: false,
+  authorised: false,
+  canceled: false,
+  rejected: false,
+  autoApproved: false,
+  autoRejected: false,
+  commitData: [],
+  id: '0000000000000000000000000000000000000000__1744380874110',
+  type: 'push',
+  method: 'get',
+  timestamp: 1744380903338,
+  project: TEST_ORG,
+  repoName: TEST_REPO + '.git',
+  url: TEST_REPO,
+  repo: TEST_ORG + '/' + TEST_REPO + '.git',
+  user: TEST_USERNAME_2,
+  userEmail: TEST_EMAIL_2,
+  lastStep: null,
+  blockedMessage:
+    '\n\n\nGitProxy has received your push:\n\nhttp://localhost:8080/requests/0000000000000000000000000000000000000000__1744380874110\n\n\n',
+  _id: 'GIMEz8tU2KScZiTz',
+  attestation: null,
+};
+
 describe('auth', async () => {
   let app;
   let cookie;
 
-  before(async function () {
-    app = await service.start();
-    await db.deleteUser('login-test-user');
+  const setCookie = function (res) {
+    res.headers['set-cookie'].forEach((x) => {
+      if (x.startsWith('connect')) {
+        const value = x.split(';')[0];
+        cookie = value;
+      }
+    });
+  };
 
+  const login = async function (username, password) {
+    console.log(`logging in as ${username}...`);
     const res = await chai.request(app).post('/api/auth/login').send({
-      username: 'admin',
-      password: 'admin',
+      username: username,
+      password: password,
     });
-
+    res.should.have.status(200);
     expect(res).to.have.cookie('connect.sid');
+    setCookie(res);
+  };
+
+  const loginAsApprover = () => login(TEST_USERNAME_1, TEST_PASSWORD_1);
+  const loginAsCommitter = () => login(TEST_USERNAME_2, TEST_PASSWORD_2);
+  const loginAsAdmin = () => login('admin', 'admin');
+
+  const logout = async function () {
+    const res = await chai.request(app).post('/api/auth/logout').set('Cookie', `${cookie}`);
     res.should.have.status(200);
+    cookie = null;
+  };
 
-    // Get the connect cooie
-    res.headers['set-cookie'].forEach((x) => {
-      if (x.startsWith('connect')) {
-        cookie = x.split(';')[0];
-      }
+  before(async function () {
+    app = await service.start();
+    await loginAsAdmin();
+
+    // set up a repo, user and push to test against
+    await db.deleteRepo(TEST_REPO);
+    await db.deleteUser(TEST_USERNAME_1);
+    await db.createRepo({
+      project: TEST_ORG,
+      name: TEST_REPO,
+      url: TEST_URL,
     });
+
+    // Create a new user for the approver
+    console.log('creating approver');
+    await db.createUser(TEST_USERNAME_1, TEST_PASSWORD_1, TEST_EMAIL_1, TEST_USERNAME_1, false);
+    await db.addUserCanAuthorise(TEST_REPO, TEST_USERNAME_1);
+
+    // create a new user for the committer
+    console.log('creating committer');
+    await db.createUser(TEST_USERNAME_2, TEST_PASSWORD_2, TEST_EMAIL_2, TEST_USERNAME_2, false);
+    await db.addUserCanPush(TEST_REPO, TEST_USERNAME_2);
+
+    // logout of admin account
+    await logout();
   });
 
   describe('test push API', async function () {
+    afterEach(async function () {
+      await db.deletePush(TEST_PUSH.id);
+      await logout();
+    });
+
     it('should get 404 for unknown push', async function () {
+      await loginAsApprover();
+
       const commitId =
         '0000000000000000000000000000000000000000__79b4d8953cbc324bcc1eb53d6412ff89666c241f'; // eslint-disable-line max-len
       const res = await chai
@@ -42,12 +130,188 @@ describe('auth', async () => {
         .set('Cookie', `${cookie}`);
       res.should.have.status(404);
     });
+
+    it('should allow an authorizer to approve a push', async function () {
+      await db.writeAudit(TEST_PUSH);
+      await loginAsApprover();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/authorise`)
+        .set('Cookie', `${cookie}`)
+        .set('content-type', 'application/x-www-form-urlencoded')
+        .send({
+          params: {
+            attestation: [
+              {
+                label: 'I am happy for this to be pushed to the upstream repository',
+                tooltip: {
+                  text: 'Are you happy for this contribution to be pushed upstream?',
+                  links: [],
+                },
+                checked: true,
+              },
+            ],
+          },
+        });
+      res.should.have.status(200);
+    });
+
+    it('should NOT allow an authorizer to approve if attestation is incomplete', async function () {
+      // make the approver also the committer
+      const testPush = { ...TEST_PUSH };
+      testPush.user = TEST_USERNAME_1;
+      testPush.userEmail = TEST_EMAIL_1;
+      await db.writeAudit(testPush);
+      await loginAsApprover();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/authorise`)
+        .set('Cookie', `${cookie}`)
+        .set('content-type', 'application/x-www-form-urlencoded')
+        .send({
+          params: {
+            attestation: [
+              {
+                label: 'I am happy for this to be pushed to the upstream repository',
+                tooltip: {
+                  text: 'Are you happy for this contribution to be pushed upstream?',
+                  links: [],
+                },
+                checked: false,
+              },
+            ],
+          },
+        });
+      res.should.have.status(401);
+    });
+
+    it('should NOT allow an authorizer to approve if committer is unknown', async function () {
+      // make the approver also the committer
+      const testPush = { ...TEST_PUSH };
+      testPush.user = TEST_USERNAME_3;
+      testPush.userEmail = TEST_EMAIL_3;
+      await db.writeAudit(testPush);
+      await loginAsApprover();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/authorise`)
+        .set('Cookie', `${cookie}`)
+        .set('content-type', 'application/x-www-form-urlencoded')
+        .send({
+          params: {
+            attestation: [
+              {
+                label: 'I am happy for this to be pushed to the upstream repository',
+                tooltip: {
+                  text: 'Are you happy for this contribution to be pushed upstream?',
+                  links: [],
+                },
+                checked: true,
+              },
+            ],
+          },
+        });
+      res.should.have.status(401);
+    });
+
+    it('should NOT allow an authorizer to approve their own push', async function () {
+      // make the approver also the committer
+      const testPush = { ...TEST_PUSH };
+      testPush.user = TEST_USERNAME_1;
+      testPush.userEmail = TEST_EMAIL_1;
+      await db.writeAudit(testPush);
+      await loginAsApprover();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/authorise`)
+        .set('Cookie', `${cookie}`)
+        .set('content-type', 'application/x-www-form-urlencoded')
+        .send({
+          params: {
+            attestation: [
+              {
+                label: 'I am happy for this to be pushed to the upstream repository',
+                tooltip: {
+                  text: 'Are you happy for this contribution to be pushed upstream?',
+                  links: [],
+                },
+                checked: true,
+              },
+            ],
+          },
+        });
+      res.should.have.status(401);
+    });
+
+    it('should NOT allow a non-authorizer to approve a push', async function () {
+      await db.writeAudit(TEST_PUSH);
+      await loginAsCommitter();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/authorise`)
+        .set('Cookie', `${cookie}`)
+        .set('content-type', 'application/x-www-form-urlencoded')
+        .send({
+          params: {
+            attestation: [
+              {
+                label: 'I am happy for this to be pushed to the upstream repository',
+                tooltip: {
+                  text: 'Are you happy for this contribution to be pushed upstream?',
+                  links: [],
+                },
+                checked: true,
+              },
+            ],
+          },
+        });
+      res.should.have.status(401);
+    });
+
+    it('should allow an authorizer to reject a push', async function () {
+      await db.writeAudit(TEST_PUSH);
+      await loginAsApprover();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/reject`)
+        .set('Cookie', `${cookie}`);
+      res.should.have.status(200);
+    });
+
+    it('should NOT allow an authorizer to reject their own push', async function () {
+      // make the approver also the committer
+      const testPush = { ...TEST_PUSH };
+      testPush.user = TEST_USERNAME_1;
+      testPush.userEmail = TEST_EMAIL_1;
+      await db.writeAudit(testPush);
+      await loginAsApprover();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/reject`)
+        .set('Cookie', `${cookie}`);
+      res.should.have.status(401);
+    });
+
+    it('should NOT allow a non-authorizer to reject a push', async function () {
+      await db.writeAudit(TEST_PUSH);
+      await loginAsCommitter();
+      const res = await chai
+        .request(app)
+        .post(`/api/v1/push/${TEST_PUSH.id}/reject`)
+        .set('Cookie', `${cookie}`);
+      res.should.have.status(401);
+    });
   });
 
   after(async function () {
     const res = await chai.request(app).post('/api/auth/logout').set('Cookie', `${cookie}`);
     res.should.have.status(200);
 
     await service.httpServer.close();
+
+    await db.deleteRepo(TEST_REPO);
+    await db.deleteUser(TEST_USERNAME_1);
+    await db.deleteUser(TEST_USERNAME_2);
+    await db.deletePush(TEST_PUSH.id);
   });
 });