fix(auth): port testing from helix-admin (#32)

* chore(test): auth (wip)

* fix(auth): cover and fix testing

Author: dominique-pfister

src/auth/support.js

@@ -209,11 +209,11 @@ export async function detectTokenIDP(token) {
  * Returns the site auth token if the project is configured as such.
  *
  * @param {import('../support/AdminContext').AdminContext} context context
- * @param {import('../support/RequestInfo').RequestInfo} info request info
+ * @param {string} partition partition
  * @returns {Promise<string|null>} the auth token
  */
-export async function getSiteAuthToken(context, info) {
-  const accessConfig = await context.getSiteAccessConfig(info.partition);
+export async function getSiteAuthToken(context, partition) {
+  const accessConfig = await context.getSiteAccessConfig(partition);
 
   if (!accessConfig.allow.length
     && !accessConfig.apiKeyId.length
@@ -399,12 +399,17 @@ export async function getAuthInfo(context, info) {
         //   return AuthInfo.Default();
         // }
 
-        const { attributes: { config } } = context;
-        let apiKeyId = config?.data?.admin?.apiKeyId || [];
-        if (!Array.isArray(apiKeyId)) {
-          apiKeyId = [apiKeyId];
+        const { attributes: { config, orgConfig } } = context;
+        let siteApiKeyId = config?.access?.admin?.apiKeyId || [];
+        if (!Array.isArray(siteApiKeyId)) {
+          siteApiKeyId = [siteApiKeyId];
+        }
+        let orgApiKeyId = orgConfig?.access?.admin?.apiKeyId || [];
+        if (!Array.isArray(orgApiKeyId)) {
+          orgApiKeyId = [orgApiKeyId];
         }
-        if (apiKeyId.indexOf(profile.jti) < 0) {
+        if (siteApiKeyId.indexOf(profile.jti) < 0 && orgApiKeyId.indexOf(profile.jti) < 0) {
+          const apiKeyId = [...siteApiKeyId, ...orgApiKeyId];
           log.warn(`auth: api token invalid: jti ${profile.jti} does not match configured id [${apiKeyId}] in ${info.org}/${info.site || '*'}`);
           return AuthInfo.Default();
         }

src/index.js

@@ -70,6 +70,7 @@ export const router = new Router(nameSelector)
   .add('/:org/profiles/:profile/versions', notImplemented)
   .add('/:org/sites', notImplemented)
   .add('/:org/sites/:site/status/*', status)
+  .add('/:org/sites/:site/config', notImplemented)
   .add('/:org/sites/:site/config/da', notImplemented)
   .add('/:org/sites/:site/config/sidekick', notImplemented)
   .add('/:org/sites/:site/config/access', notImplemented)

src/support/AdminContext.js

@@ -73,12 +73,12 @@ export class AdminContext {
   }
 
   /**
-   * Loads the site configuration.
+   * Loads the site and org configuration.
    *
    * @param {import('./RequestInfo.js').RequestInfo} info info
    * @returns {Promise<object>} configuration
    */
-  async getConfig(info) {
+  async loadConfig(info) {
     if (this.attributes.config === undefined) {
       const { org, site } = info;
       if (org && site) {
@@ -91,18 +91,10 @@ export class AdminContext {
         this.attributes.config = config;
       }
     }
-    return this.attributes.config;
-  }
-
-  async getOrgConfig(info) {
     if (this.attributes.orgConfig === undefined) {
       const { org } = info;
       if (org) {
-        const config = await loadOrgConfig(this, org);
-        if (config === null) {
-          throw new StatusCodeError('', 404);
-        }
-        this.attributes.orgConfig = config;
+        this.attributes.orgConfig = await loadOrgConfig(this, org);
       }
     }
     return this.attributes.orgConfig;
@@ -131,7 +123,7 @@ export class AdminContext {
   async authenticate(info) {
     const { attributes } = this;
 
-    await this.getConfig(info);
+    await this.loadConfig(info);
 
     if (attributes.authInfo === undefined) {
       attributes.authInfo = await getAuthInfo(this, info);
@@ -146,9 +138,6 @@ export class AdminContext {
    * @returns {Promise<void>}
    */
   async authorize(info) {
-    // eslint-disable-next-line no-unused-vars
-    const orgConfig = await this.getOrgConfig(info);
-
     return authorize(this, info);
   }
 

test/auth/auth-info.test.js

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+/* eslint-env mocha */
+import assert from 'assert';
+import { AccessDeniedError } from '../../src/auth/AccessDeniedError.js';
+import { AuthInfo } from '../../src/auth/auth-info.js';
+
+describe('AuthInfo Test', () => {
+  it('auth info can assert for permissions', async () => {
+    const authInfo = new AuthInfo()
+      .withRole('publish');
+    authInfo.assertPermissions('live:read');
+    assert.throws(() => authInfo.assertPermissions('system:exit'), new AccessDeniedError('system:exit'));
+
+    authInfo.assertAnyPermission('live:read', 'system:exit');
+    assert.throws(() => authInfo.assertAnyPermission('system:exit', 'config:read'), new AccessDeniedError('system:exit or config:read'));
+  });
+
+  it('auth info can filter permissions', async () => {
+    const authInfo = new AuthInfo()
+      .withRole('admin');
+    assert.deepStrictEqual(authInfo.getPermissions('live:'), ['delete', 'delete-forced', 'list', 'read', 'write']);
+  });
+
+  it('auth info can remove permissions', async () => {
+    const authInfo = new AuthInfo()
+      .withRole('publish')
+      .removePermissions('live:read', 'preview:read');
+
+    assert.deepStrictEqual(authInfo.getPermissions(), [
+      'cache:write',
+      'code:delete',
+      'code:read',
+      'code:write',
+      'cron:read',
+      'cron:write',
+      'discover:peek',
+      'edit:list',
+      'edit:read',
+      'index:read',
+      'index:write',
+      'job:list',
+      'job:read',
+      'job:write',
+      'live:delete',
+      'live:delete-forced',
+      'live:list',
+      'live:write',
+      'log:read',
+      'preview:delete',
+      'preview:delete-forced',
+      'preview:list',
+      'preview:write',
+      'snapshot:delete',
+      'snapshot:read',
+      'snapshot:write',
+    ]);
+  });
+});