be UTests

Author: ArtemHoruzhenko

redisinsight/api/src/__mocks__/cloud-auth.ts

@@ -1,4 +1,6 @@
-import { CloudAuthRequest, CloudAuthResponse, CloudAuthStatus } from 'src/modules/cloud/auth/models';
+import {
+  CloudAuthIdpType, CloudAuthRequest, CloudAuthResponse, CloudAuthStatus,
+} from 'src/modules/cloud/auth/models';
 import { mockSessionMetadata } from 'src/__mocks__/common';
 
 export const mockCloudAuthCode = 'ac_p6vA6A5tF36Jf6twH2cBOqtt7n';
@@ -43,6 +45,12 @@ export const mockCloudAuthGithubTokenParams = {
   idpType: 'github',
 };
 
+export const mockCloudAuthSsoTokenParams = {
+  ...mockCloudAuthGoogleTokenParams,
+  state: 'state_p6vA6A5tF36Jf6twH2cBOqtt7ssp',
+  idpType: 'sso',
+};
+
 export const mockCloudAuthGoogleRequest = Object.assign(new CloudAuthRequest(), {
   ...mockCloudAuthGoogleTokenParams,
   sessionMetadata: {
@@ -52,6 +60,15 @@ export const mockCloudAuthGoogleRequest = Object.assign(new CloudAuthRequest(),
   createdAt: new Date(),
 });
 
+export const mockCloudAuthSsoRequest = Object.assign(new CloudAuthRequest(), {
+  ...mockCloudAuthGoogleRequest,
+  ...mockCloudAuthSsoTokenParams,
+  tokenManager: { storage: {} },
+  createdAt: new Date(),
+  idpType: CloudAuthIdpType.Sso,
+  idp: 'idp_p6vA6A5tF36Jf6twH2cBOqtSSO',
+});
+
 export const mockCloudAuthGoogleAuthUrl = `${mockCloudAuthGoogleRequest.issuer}`
   + `/${mockCloudAuthGoogleRequest.authorizeUrl}`
   + `?client_id=${mockCloudAuthGoogleRequest.clientId}`
@@ -66,6 +83,20 @@ export const mockCloudAuthGoogleAuthUrl = `${mockCloudAuthGoogleRequest.issuer}`
   + `&${new URLSearchParams({ scope: mockCloudAuthGoogleRequest.scopes.join(' ') }).toString()}`
   + '&prompt=login';
 
+export const mockCloudAuthSsoAuthUrl = `${mockCloudAuthSsoRequest.issuer}`
+  + `/${mockCloudAuthSsoRequest.authorizeUrl}`
+  + `?client_id=${mockCloudAuthSsoRequest.clientId}`
+  + `&${new URLSearchParams({ redirect_uri: mockCloudAuthSsoRequest.redirectUri }).toString()}`
+  + `&response_type=${mockCloudAuthSsoRequest.responseType}`
+  + `&response_mode=${mockCloudAuthSsoRequest.responseMode}`
+  + `&idp=${mockCloudAuthSsoRequest.idp}`
+  + `&state=${mockCloudAuthSsoRequest.state}`
+  + `&nonce=${mockCloudAuthSsoRequest.nonce}`
+  + `&code_challenge_method=${mockCloudAuthSsoRequest.codeChallengeMethod}`
+  + `&code_challenge=${mockCloudAuthSsoRequest.codeChallenge}`
+  + `&${new URLSearchParams({ scope: mockCloudAuthSsoRequest.scopes.join(' ') }).toString()}`
+  + '&prompt=login';
+
 export const mockCloudAuthGoogleTokenUrl = `${mockCloudAuthGoogleRequest.issuer}`
   + `/${mockCloudAuthGoogleRequest.tokenUrl}`
   + `?client_id=${mockCloudAuthGoogleRequest.clientId}`
@@ -83,6 +114,12 @@ export const mockCloudAuthGoogleRevokeTokenUrl = `${mockCloudAuthGoogleRequest.i
   + `&token_type_hint=${mockCloudRevokeRefreshTokenHint}`
   + `&token=${mockCloudRefreshToken}`;
 
+export const mockCloudAuthSsoRevokeTokenUrl = `${mockCloudAuthSsoRequest.issuer}`
+  + `/${mockCloudAuthGoogleIdpConfig.revokeTokenUrl}`
+  + `?client_id=${mockCloudAuthSsoRequest.clientId}`
+  + `&token_type_hint=${mockCloudRevokeRefreshTokenHint}`
+  + `&token=${mockCloudRefreshToken}`;
+
 export const mockCloudAuthGoogleRenewTokenUrl = `${mockCloudAuthGoogleRequest.issuer}`
   + `/${mockCloudAuthGoogleIdpConfig.tokenUrl}`
   + `?client_id=${mockCloudAuthGoogleRequest.clientId}`
@@ -91,6 +128,14 @@ export const mockCloudAuthGoogleRenewTokenUrl = `${mockCloudAuthGoogleRequest.is
   + `&${new URLSearchParams({ scope: mockCloudAuthGoogleRequest.scopes.join(' ') }).toString()}`
   + `&refresh_token=${mockCloudRefreshToken}`;
 
+export const mockCloudAuthSsoRenewTokenUrl = `${mockCloudAuthSsoRequest.issuer}`
+  + `/${mockCloudAuthGoogleIdpConfig.tokenUrl}`
+  + `?client_id=${mockCloudAuthSsoRequest.clientId}`
+  + '&grant_type=refresh_token'
+  + `&${new URLSearchParams({ redirect_uri: mockCloudAuthSsoRequest.redirectUri }).toString()}`
+  + `&${new URLSearchParams({ scope: mockCloudAuthSsoRequest.scopes.join(' ') }).toString()}`
+  + `&refresh_token=${mockCloudRefreshToken}`;
+
 export const mockCloudAuthGithubRequest = Object.assign(new CloudAuthRequest(), {
   ...mockCloudAuthGithubTokenParams,
   sessionMetadata: {
@@ -160,6 +205,12 @@ export const mockGoogleIdpCloudAuthStrategy = jest.fn(() => ({
   generateRenewTokensUrl: jest.fn().mockReturnValue(new URL(mockCloudAuthGoogleRenewTokenUrl)),
 }));
 
+export const mockSsoIdpCloudAuthStrategy = jest.fn(() => ({
+  generateAuthRequest: jest.fn().mockResolvedValue(mockCloudAuthSsoRequest),
+  generateRevokeTokensUrl: jest.fn().mockReturnValue(new URL(mockCloudAuthSsoRevokeTokenUrl)),
+  generateRenewTokensUrl: jest.fn().mockReturnValue(new URL(mockCloudAuthSsoRenewTokenUrl)),
+}));
+
 export const mockCloudAuthService = jest.fn(() => ({
   renewTokens: jest.fn().mockResolvedValue(undefined),
 }));

redisinsight/api/src/modules/cloud/auth/auth-strategy/sso-idp.cloud.auth-strategy.spec.ts

@@ -0,0 +1,66 @@
+import axios from 'axios';
+import { Test, TestingModule } from '@nestjs/testing';
+import { EventEmitter2 } from '@nestjs/event-emitter';
+import { mockSessionMetadata } from 'src/__mocks__';
+import { mockCloudAuthSsoRequest, mockCloudAuthSsoTokenParams, mockOktaAuthClient } from 'src/__mocks__/cloud-auth';
+import { OktaAuth } from '@okta/okta-auth-js';
+import { SsoIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/sso-idp.cloud.auth-strategy';
+import { CloudAuthIdpType } from 'src/modules/cloud/auth/models';
+import {
+  CloudOauthSsoUnsupportedEmailException
+} from 'src/modules/cloud/auth/exceptions/cloud-oauth.sso-unsupported-email.exception';
+
+jest.mock('@okta/okta-auth-js');
+const mockedAxios = axios as jest.Mocked<typeof axios>;
+jest.mock('axios');
+
+describe('CloudAuthStrategy', () => {
+  let ssoStrategy: SsoIdpCloudAuthStrategy;
+
+  beforeEach(async () => {
+    jest.clearAllMocks();
+    jest.mock('axios', () => mockedAxios);
+    (OktaAuth as any).mockReturnValueOnce(mockOktaAuthClient);
+
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        EventEmitter2,
+        SsoIdpCloudAuthStrategy,
+      ],
+    }).compile();
+
+    ssoStrategy = await module.get(SsoIdpCloudAuthStrategy);
+  });
+
+  describe('generateAuthRequest', () => {
+    it('Check that Sso auth request is generated', async () => {
+      mockOktaAuthClient.token.prepareTokenParams.mockResolvedValueOnce(mockCloudAuthSsoTokenParams);
+      mockedAxios.get.mockResolvedValue({ data: mockCloudAuthSsoRequest.idp });
+
+      expect(await ssoStrategy.generateAuthRequest(mockSessionMetadata, {
+        strategy: CloudAuthIdpType.Sso,
+        data: {
+          email: '[email protected]',
+        },
+      })).toEqual({
+        ...mockCloudAuthSsoRequest,
+        createdAt: expect.anything(),
+      });
+    });
+    it('should throw CloudOauthSsoUnsupportedEmailException in case of idp check error ', async () => {
+      mockOktaAuthClient.token.prepareTokenParams.mockResolvedValueOnce(mockCloudAuthSsoTokenParams);
+      mockedAxios.get.mockRejectedValueOnce(new Error());
+
+      await expect(ssoStrategy.generateAuthRequest(mockSessionMetadata, {
+        strategy: CloudAuthIdpType.Sso,
+      })).rejects.toThrow(CloudOauthSsoUnsupportedEmailException);
+    });
+    it('should throw CloudOauthSsoUnsupportedEmailException in case of idp check error ', async () => {
+      mockOktaAuthClient.token.prepareTokenParams.mockResolvedValueOnce(mockCloudAuthSsoTokenParams);
+      mockedAxios.get.mockRejectedValueOnce(new Error());
+
+      await expect(ssoStrategy.generateAuthRequest(mockSessionMetadata))
+        .rejects.toThrow(CloudOauthSsoUnsupportedEmailException);
+    });
+  });
+});

redisinsight/api/src/modules/cloud/auth/cloud-auth.service.spec.ts

@@ -16,28 +16,33 @@ import {
   mockCloudAuthResponse,
   mockCloudRefreshTokenNew,
   mockGithubIdpCloudAuthStrategy,
-  mockGoogleIdpCloudAuthStrategy,
+  mockGoogleIdpCloudAuthStrategy, mockSsoIdpCloudAuthStrategy,
   mockTokenResponse,
   mockTokenResponseNew,
 } from 'src/__mocks__/cloud-auth';
 import { Test, TestingModule } from '@nestjs/testing';
 import { EventEmitter2 } from '@nestjs/event-emitter';
 import { CloudSessionService } from 'src/modules/cloud/session/cloud-session.service';
 import {
-  mockAxiosBadRequestError, mockCloudApiAuthDto, mockCloudSessionService, mockSessionMetadata, MockType
+  mockAxiosBadRequestError, mockCloudApiAuthDto, mockCloudSessionService, mockSessionMetadata, MockType,
 } from 'src/__mocks__';
 import { GithubIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/github-idp.cloud.auth-strategy';
 import { GoogleIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/google-idp.cloud.auth-strategy';
 import { CloudAuthAnalytics } from 'src/modules/cloud/auth/cloud-auth.analytics';
 import { CloudAuthIdpType, CloudAuthStatus } from 'src/modules/cloud/auth/models';
 import {
+  CloudOauthMisconfigurationException,
   CloudOauthMissedRequiredDataException,
   CloudOauthUnexpectedErrorException,
   CloudOauthUnknownAuthorizationRequestException,
 } from 'src/modules/cloud/auth/exceptions';
 import { InternalServerErrorException } from '@nestjs/common';
 import { CloudSsoFeatureStrategy } from 'src/modules/cloud/cloud-sso.feature.flag';
 import { CloudApiUnauthorizedException } from 'src/modules/cloud/common/exceptions';
+import { SsoIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/sso-idp.cloud.auth-strategy';
+import {
+  CloudOauthSsoUnsupportedEmailException
+} from 'src/modules/cloud/auth/exceptions/cloud-oauth.sso-unsupported-email.exception';
 
 const mockedAxios = axios as jest.Mocked<typeof axios>;
 jest.mock('axios');
@@ -46,6 +51,7 @@ describe('CloudAuthService', () => {
   let service: CloudAuthService;
   let analytics: MockType<CloudAuthAnalytics>;
   let sessionService: MockType<CloudSessionService>;
+  let ssoIdpCLoudAuthStrategy: MockType<SsoIdpCloudAuthStrategy>;
 
   beforeEach(async () => {
     jest.clearAllMocks();
@@ -66,6 +72,10 @@ describe('CloudAuthService', () => {
           provide: GoogleIdpCloudAuthStrategy,
           useFactory: mockGoogleIdpCloudAuthStrategy,
         },
+        {
+          provide: SsoIdpCloudAuthStrategy,
+          useFactory: mockSsoIdpCloudAuthStrategy,
+        },
         {
           provide: CloudAuthAnalytics,
           useFactory: mockCloudAuthAnalytics,
@@ -76,6 +86,7 @@ describe('CloudAuthService', () => {
     service = await module.get(CloudAuthService);
     analytics = await module.get(CloudAuthAnalytics);
     sessionService = await module.get(CloudSessionService);
+    ssoIdpCLoudAuthStrategy = await module.get(SsoIdpCloudAuthStrategy);
   });
 
   describe('getAuthStrategy', () => {
@@ -85,6 +96,9 @@ describe('CloudAuthService', () => {
     it('should get GitHub auth strategy', async () => {
       expect(service.getAuthStrategy(CloudAuthIdpType.GitHub)).toEqual(service['githubIdpCloudAuthStrategy']);
     });
+    it('should get Sso auth strategy', async () => {
+      expect(service.getAuthStrategy(CloudAuthIdpType.Sso)).toEqual(service['ssoIdpCloudAuthStrategy']);
+    });
     it('should throw CloudOauthUnknownAuthorizationRequestException error for unsupported strategy', async () => {
       try {
         service.getAuthStrategy('cognito' as CloudAuthIdpType);
@@ -134,12 +148,27 @@ describe('CloudAuthService', () => {
         {
           strategy: CloudAuthIdpType.GitHub,
         },
-      )).rejects.toThrow(Error);
+      )).rejects.toThrow(CloudOauthMisconfigurationException);
       expect(logoutSpy).toHaveBeenCalled();
       // previous request should stay
       expect(service['authRequests'].size).toEqual(1);
       expect(service['authRequests'].get(mockCloudAuthGoogleRequest.state)).toEqual(mockCloudAuthGoogleRequest);
     });
+    it('should throw CloudOauthSsoUnsupportedEmailException when no email assign to SAML config', async () => {
+      ssoIdpCLoudAuthStrategy.generateAuthRequest.mockRejectedValueOnce(new CloudOauthSsoUnsupportedEmailException());
+      service['authRequests'].set(mockCloudAuthGoogleRequest.state, mockCloudAuthGoogleRequest);
+      expect(service['authRequests'].size).toEqual(1);
+      await expect(service.getAuthorizationUrl(
+        mockSessionMetadata,
+        {
+          strategy: CloudAuthIdpType.Sso,
+        },
+      )).rejects.toThrow(CloudOauthSsoUnsupportedEmailException);
+      expect(logoutSpy).not.toHaveBeenCalled();
+      // previous request should stay
+      expect(service['authRequests'].size).toEqual(1);
+      expect(service['authRequests'].get(mockCloudAuthGoogleRequest.state)).toEqual(mockCloudAuthGoogleRequest);
+    });
   });
   describe('exchangeCode', () => {
     it('should exchange auth code to access token', async () => {

redisinsight/api/src/modules/cloud/user/cloud-user.api.service.spec.ts

@@ -23,6 +23,7 @@ import { CloudAuthService } from 'src/modules/cloud/auth/cloud-auth.service';
 import { mockCloudAuthService } from 'src/__mocks__/cloud-auth';
 import axios from 'axios';
 import { ServerService } from 'src/modules/server/server.service';
+import { CloudAuthIdpType } from 'src/modules/cloud/auth/models';
 
 const mockedAxios = axios as jest.Mocked<typeof axios>;
 jest.mock('axios');
@@ -231,6 +232,21 @@ describe('CloudUserApiService', () => {
       expect(mockedAxios.post).toHaveBeenCalledTimes(1);
       expect(mockedAxios.post).toHaveBeenNthCalledWith(1, 'login', expect.anything(), expect.anything());
     });
+    it('should login and get csrf when no apiSessionId login should be sent with "auth_mode"', async () => {
+      sessionService.getSession.mockResolvedValueOnce({ idpType: CloudAuthIdpType.Sso });
+
+      expect(await service['ensureLogin'](mockSessionMetadata)).toEqual(undefined);
+      expect(spyEnsureAccessToken).toHaveBeenCalledTimes(1);
+      expect(spyEnsureCsrf).toHaveBeenCalledTimes(1);
+      expect(sessionService.getSession).toHaveBeenCalledWith(mockSessionMetadata.sessionId);
+      expect(sessionService.updateSessionData).toHaveBeenCalledWith(mockSessionMetadata.sessionId, {
+        apiSessionId: mockCloudApiAuthDto.apiSessionId,
+      });
+      expect(mockedAxios.post).toHaveBeenCalledTimes(1);
+      expect(mockedAxios.post).toHaveBeenNthCalledWith(1, 'login', expect.objectContaining({
+        auth_mode: CloudAuthIdpType.Sso,
+      }), expect.anything());
+    });
     it('should throw unauthorized error when no session id successfully fetched', async () => {
       when(mockedAxios.post).calledWith('login', expect.anything(), expect.anything())
         .mockResolvedValue({

redisinsight/api/src/modules/cloud/user/providers/cloud-user.api.provider.spec.ts

@@ -64,7 +64,9 @@ describe('CloudUserApiProvider', () => {
       mockedAxios.post.mockResolvedValue(response);
 
       expect(await service.getApiSessionId(mockCloudSession)).toEqual(mockCloudApiAuthDto.apiSessionId);
-      expect(mockedAxios.post).toHaveBeenCalledWith('login', {}, {
+      expect(mockedAxios.post).toHaveBeenCalledWith('login', {
+        auth_mode: mockCloudSession.idpType,
+      }, {
         ...mockCloudApiHeaders,
       });
     });
@@ -81,6 +83,7 @@ describe('CloudUserApiProvider', () => {
       )).toEqual(mockCloudApiAuthDto.apiSessionId);
 
       expect(mockedAxios.post).toHaveBeenCalledWith('login', {
+        auth_mode: mockCloudSession.idpType,
         utm_source: 's',
         utm_medium: 'm',
         utm_campaign: 'c',
@@ -101,6 +104,7 @@ describe('CloudUserApiProvider', () => {
       )).toEqual(mockCloudApiAuthDto.apiSessionId);
 
       expect(mockedAxios.post).toHaveBeenCalledWith('login', {
+        auth_mode: mockCloudSession.idpType,
         utm_medium: 'm',
       }, {
         ...mockCloudApiHeaders,

redisinsight/api/src/modules/cloud/user/providers/cloud-user.api.provider.ts

@@ -41,7 +41,7 @@ export class CloudUserApiProvider extends CloudApiProvider {
         'login',
         {
           ...CloudApiProvider.generateUtmBody(utm),
-          auth_mode: credentials.idpType,
+          auth_mode: credentials?.idpType,
         },
         {
           ...CloudApiProvider.getHeaders(credentials),