Add a 'two pods plus external web app' integration test

Author: dmitrizagidulin

package.json

@@ -55,7 +55,7 @@
     "mime-types": "^2.1.11",
     "moment": "^2.18.1",
     "negotiator": "^0.6.0",
-    "node-fetch": "^1.6.3",
+    "node-fetch": "^1.7.1",
     "node-forge": "^0.6.38",
     "nodemailer": "^3.1.4",
     "nomnom": "^1.8.1",
@@ -84,13 +84,15 @@
     "chai-as-promised": "^6.0.0",
     "dirty-chai": "^1.2.2",
     "hippie": "^0.5.0",
+    "localstorage-memory": "^1.0.2",
     "mocha": "^3.2.0",
     "nock": "^9.0.14",
     "node-mocks-http": "^1.5.6",
     "nyc": "^10.1.2",
     "proxyquire": "^1.7.10",
     "sinon": "^2.1.0",
     "sinon-chai": "^2.8.0",
+    "solid-auth-oidc": "^0.1.3",
     "standard": "^8.6.0",
     "supertest": "^3.0.0"
   },

test/integration/acl-oidc-test.js

@@ -3,6 +3,7 @@ const fs = require('fs-extra')
 const request = require('request')
 const path = require('path')
 const rm = require('../utils').rm
+const nock = require('nock')
 
 const ldnode = require('../../index')
 

test/integration/authentication-oidc-test.js

@@ -1,11 +1,21 @@
 const Solid = require('../../index')
 const path = require('path')
-const supertest = require('supertest')
-const expect = require('chai').expect
-const nock = require('nock')
 const fs = require('fs-extra')
 const { UserStore } = require('oidc-auth-manager')
 const UserAccount = require('../../lib/models/user-account')
+const SolidAuthOIDC = require('solid-auth-oidc')
+
+const fetch = require('node-fetch')
+const localStorage = require('localstorage-memory')
+const url = require('url')
+const { URL } = url
+global.URL = URL
+
+const supertest = require('supertest')
+const nock = require('nock')
+const chai = require('chai')
+const expect = chai.expect
+chai.use(require('dirty-chai'))
 
 // In this test we always assume that we are Alice
 
@@ -270,11 +280,11 @@ describe('Authentication API (OIDC)', () => {
     })
   })
 
-  describe('Login workflow', () => {
-    // Step 1: Alice tries to access bob.com/foo, and
+  describe('Two Pods + Browser Login workflow', () => {
+    // Step 1: Alice tries to access bob.com/shared-with-alice.txt, and
     //   gets redirected to bob.com's Provider Discovery endpoint
     it('401 Unauthorized -> redirect to provider discovery', (done) => {
-      bob.get('/foo')
+      bob.get('/shared-with-alice.txt')
         .expect(401)
         .end((err, res) => {
           if (err) return done(err)
@@ -285,15 +295,178 @@ describe('Authentication API (OIDC)', () => {
         })
     })
 
-    // Step 2: Alice enters her WebID URI to the Provider Discovery endpoint
-    it('Enter webId -> redirect to provider login', (done) => {
-      bob.post('/api/auth/select-provider')
+    // Step 2: Alice enters her pod's URI to Bob's Provider Discovery endpoint
+    it('Enter webId -> redirect to provider login', () => {
+      return bob.post('/api/auth/select-provider')
         .send('webid=' + aliceServerUri)
         .expect(302)
-        .end((err, res) => {
+        .then(res => {
+          // Submitting select-provider form redirects to Alice's pod's /authorize
+          let authorizeUri = res.header.location
+          expect(authorizeUri.startsWith(aliceServerUri + '/authorize'))
+
+          // Follow the redirect to /authorize
+          let authorizePath = url.parse(authorizeUri).path
+          return alice.get(authorizePath)
+        })
+        .then(res => {
+          // Since alice not logged in to her pod, /authorize redirects to /login
           let loginUri = res.header.location
-          expect(loginUri.startsWith(aliceServerUri + '/authorize'))
-          done(err)
+          expect(loginUri.startsWith('/login'))
+        })
+    })
+  })
+
+  describe('Two Pods + Web App Login Workflow', () => {
+    let aliceAccount = UserAccount.from({ webId: aliceWebId })
+    let alicePassword = '12345'
+
+    let auth
+    let authorizationUri, loginUri, authParams, callbackUri
+    let loginFormFields = ''
+
+    before(() => {
+      auth = new SolidAuthOIDC({ store: localStorage, window: { location: {} } })
+      let appOptions = {
+        redirectUri: 'https://app.example.com/callback'
+      }
+
+      aliceUserStore.initCollections()
+
+      return aliceUserStore.createUser(aliceAccount, alicePassword)
+        .then(() => {
+          return auth.registerClient(aliceServerUri, appOptions)
+        })
+        .then(registeredClient => {
+          auth.currentClient = registeredClient
+        })
+    })
+
+    after(() => {
+      fs.removeSync(path.join(aliceDbPath, 'users/users'))
+      fs.removeSync(path.join(aliceDbPath, 'oidc/op/tokens'))
+
+      let clientId = auth.currentClient.registration['client_id']
+      let registration = `_key_${clientId}.json`
+      fs.removeSync(path.join(aliceDbPath, 'oidc/op/clients', registration))
+    })
+
+    // Step 1: An app makes a GET request and receives a 401
+    it('should get a 401 error on a REST request to a protected resource', () => {
+      return fetch(bobServerUri + '/shared-with-alice.txt')
+        .then(res => {
+          expect(res.status).to.equal(401)
+
+          expect(res.headers.get('www-authenticate'))
+            .to.equal(`Bearer realm="${bobServerUri}", scope="openid"`)
+        })
+    })
+
+    // Step 2: App presents the Select Provider UI to user, determine the
+    //   preferred provider uri (here, aliceServerUri), and constructs
+    //   an authorization uri for that provider
+    it('should determine the authorization uri for a preferred provider', () => {
+      return auth.currentClient.createRequest({}, auth.store)
+        .then(authUri => {
+          authorizationUri = authUri
+
+          expect(authUri.startsWith(aliceServerUri + '/authorize')).to.be.true()
+        })
+    })
+
+    // Step 3: App redirects user to the authorization uri for login
+    it('should redirect user to /authorize and /login', () => {
+      return fetch(authorizationUri, { redirect: 'manual' })
+        .then(res => {
+          // Since user is not logged in, /authorize redirects to /login
+          expect(res.status).to.equal(302)
+
+          loginUri = new URL(res.headers.get('location'))
+          expect(loginUri.toString().startsWith(aliceServerUri + '/login'))
+            .to.be.true()
+
+          authParams = loginUri.searchParams
+        })
+    })
+
+    // Step 4: Pod returns a /login page with appropriate hidden form fields
+    it('should display the /login form', () => {
+      return fetch(loginUri.toString())
+        .then(loginPage => {
+          return loginPage.text()
+        })
+        .then(pageText => {
+          // Login page should contain the relevant auth params as hidden fields
+
+          authParams.forEach((value, key) => {
+            let hiddenField = `<input type="hidden" name="${key}" id="${key}" value="${value}" />`
+
+            expect(pageText).to.match(new RegExp(hiddenField))
+
+            loginFormFields += `${key}=` + encodeURIComponent(value) + '&'
+          })
+        })
+    })
+
+    // Step 5: User submits their username & password via the /login form
+    it('should login via the /login form', () => {
+      loginFormFields += `username=${'alice'}&password=${alicePassword}`
+
+      return fetch(aliceServerUri + '/login/password', {
+        method: 'POST',
+        body: loginFormFields,
+        redirect: 'manual',
+        headers: {
+          'content-type': 'application/x-www-form-urlencoded'
+        },
+        credentials: 'include'
+      })
+        .then(res => {
+          expect(res.status).to.equal(302)
+          let postLoginUri = res.headers.get('location')
+          let cookie = res.headers.get('set-cookie')
+
+          // Successful login gets redirected back to /authorize and then
+          // back to app
+          expect(postLoginUri.startsWith(aliceServerUri + '/authorize'))
+            .to.be.true()
+
+          return fetch(postLoginUri, { redirect: 'manual', headers: { cookie } })
+        })
+        .then(res => {
+          // User gets redirected back to original app
+          expect(res.status).to.equal(302)
+          callbackUri = res.headers.get('location')
+          expect(callbackUri.startsWith('https://app.example.com#'))
+
+          expect(res.headers.get('user')).to.equal(aliceWebId)
+        })
+    })
+
+    // Step 6: Web App extracts tokens from the uri hash fragment, uses
+    //  them to access protected resource
+    it('should use id token from the callback uri to access shared resource', () => {
+      auth.window.location.href = callbackUri
+
+      return auth.initUserFromResponse(auth.currentClient)
+        .then(webId => {
+          expect(webId).to.equal(aliceWebId)
+
+          let idToken = auth.idToken
+
+          return fetch(bobServerUri + '/shared-with-alice.txt', {
+            headers: {
+              'Authorization': 'Bearer ' + idToken
+            }
+          })
+        })
+        .then(res => {
+          expect(res.status).to.equal(200)
+
+          return res.text()
+        })
+        .then(contents => {
+          expect(contents).to.equal('protected contents\n')
         })
     })
   })

test/resources/accounts-acl/tim.localhost/multi-server/protected.txt

@@ -0,0 +1 @@
+protected resource

test/resources/accounts-acl/tim.localhost/multi-server/protected.txt.acl

@@ -0,0 +1,8 @@
+<#0>
+  a <http://www.w3.org/ns/auth/acl#Authorization>;
+  <http://www.w3.org/ns/auth/acl#accessTo> <./protected.txt> ;
+
+  <http://www.w3.org/ns/auth/acl#agent> <https://alice.example.com/profile/card#me> ;
+
+  <http://www.w3.org/ns/auth/acl#mode>
+    <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Read>.

test/resources/accounts-scenario/bob/foo

@@ -0,0 +1 @@
+protected contents

test/resources/accounts-scenario/bob/foo.acl

@@ -0,0 +1,15 @@
+<#Alice>
+ a <http://www.w3.org/ns/auth/acl#Authorization> ;
+
+ <http://www.w3.org/ns/auth/acl#accessTo> <./shared-with-alice.txt>;
+
+ # Alice web id
+ <http://www.w3.org/ns/auth/acl#agent> <https://localhost:7000/profile/card#me>;
+
+ # Bob web id
+ <http://www.w3.org/ns/auth/acl#agent> <https://localhost:7001/profile/card#me>;
+
+ <http://www.w3.org/ns/auth/acl#mode>
+   <http://www.w3.org/ns/auth/acl#Read>,
+   <http://www.w3.org/ns/auth/acl#Write>,
+   <http://www.w3.org/ns/auth/acl#Control> .

test/resources/accounts-scenario/bob/shared-with-alice.txt

@@ -0,0 +1,81 @@
+{
+  "keys": [
+    {
+      "kid": "2koDA6QjhXU",
+      "kty": "RSA",
+      "alg": "RS256",
+      "n": "wcO-8ub-aAf1LoH3TjX1HtlYhc_AHkIxgSwFJKjF8eY3sUpkzfS_lsBYoerG-1gJVP-j5vrGNfre7lFjUd-TukKMBnONZBnER8RSbbIC2MuoUpEj6cWoL5gD1WIkznFw_tO5w6bf2kqL2GR1_GbWAYmfOJFd_lJwg6eciNzYqvDwx-hZniNqTAD63y4od1mcKJBxFXY83VdFcCCWitg37Uxeyw8qTAQgOkR258a5juU9n8y3GDWYeWKkpr9dLWJaWomI6x-dL_tROwSMcuISMpGftGf7pYN83DQBDSwXPkaQnd1g7ExSb3slSdf_Z1kTH5eRoGJdXuA7lmRpUHDrUw",
+      "e": "AQAB",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true
+    },
+    {
+      "kid": "9CdpWhTmRwQ",
+      "kty": "RSA",
+      "alg": "RS384",
+      "n": "riNXxT2bQG17gV8Gp28f1fZvBoA-iO85lfZncMflXJNbkTR69rbqsYOPbJ02BIvdbBk9cdCSHDDO_yH2FAnY1N0WONRcQdVkyKcfCS8gLpFDRnP7sa5_WOwnrnY00VEHpPUhcUWzTK2pNSZemGY14fPgNDW7vH8dipMfVMr9bgmvPzefgEIeANOMKA6PHx_0WcT9k8NYjDdpuo6loFmVTj5ulWNO4rVTLFCMtyTB1cwNeIeN0Kwmqcuta5Y_FiEMpP_Hw8MBdoIZfH2P7qa6lkbw_jExY1suyP5BxU6cUndzjcIeiBiVbJEPCvR1zBuxNUADFqOCEF-8fIsY8AL6fw",
+      "e": "AQAB",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true
+    },
+    {
+      "kid": "lVZq8jBYVa4",
+      "kty": "RSA",
+      "alg": "RS512",
+      "n": "tQz5GDyEZQdJlPq4aiKHlu9_gEft8ozIbi-tbmx_0JPUHOvZwPaWkPERu27MHNp7Z4XvftkyUXH243Prtetjq6cUd4FiYyOz6MpbktxOXfl8oSfbe89Dava4PqgolJaTBfp21WsMM9OvweOgto1Rv9do7oUsoRQIuHl17T2RmMXx4AE2CDyPA7JQCDtw6zk6erLdIZtUrF0J1UrGFHRHjsFexRIPc07X9IIMqzQlESlJXCbiVEvCteMCZbYuhbvvNqiTlNLUh4_jO_7NP6zkhwnRm5bJ4pXGrEMUi9FypRiVABkRZigvK19RDrsUA3AXt7VMkVRtXSsmv_YtmzVJgw",
+      "e": "AQAB",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true
+    },
+    {
+      "kid": "Zr1pAM5uXRI",
+      "kty": "RSA",
+      "alg": "RS256",
+      "n": "4nLfuOakIfP4YRrVGopRNszYlcnw4GhYwedQvt-CgAc5-1fLqi7n4Dr2vyeNB79h9cIVk_i4ehB5M8EcZN0OHHpDcTrYJOS0gyOILDwQhQezc6VRcor6g0jq-VuMFWNCXcnlowAWJ09d8c_CgNFoJsIvFji4cIeBIFYh3bpJMKQpxccYh8D12jRYQckTvmhZQhifFPYSu_YFk7R2eOFu4nuf-xZqzBKp2zFE28VPgBX_i4BV0vR5Mdl1UmnZ_LZbyseH9sIzZmVHGTCQ-5DYqFlXXBNPGs4q5qku9hN6qSmgT0yypYwwZYRG-XAx79ZSZMIFUiG_hWrc3SWPlgV9SQ",
+      "e": "AQAB",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true
+    },
+    {
+      "kid": "C_ZedndjY2M",
+      "kty": "RSA",
+      "alg": "RS384",
+      "n": "vxCys4nxNi56-VtzYdiH7xYhT95CC2oaLDlFIY216O5VoQYrMQvwdZvRPGpKepxyY6xKILki7jB3BjbF3honf5M7MK-i6oQRXS6HCdruBGp6XZSAw7yemn1sP4f8MRrhJ2B130YIvhKLuQekdCLR--_n6-WfZZuUF7AXKcs5XdPW3vSy_XLAtnso8axmYASfhNK6DwOwXTA-uJTHW1HVfALUfgtzxAt7Z92ySnuI_CzXnr6lt-vDd52leaCS8yso8Anpa7xXJC3czkRFFrN20k5m6olhUpssnSVJDLyWup7PInfRQCNzuQgpomWFh9r3hwyrQMKSrliTIOiSRq7l6Q",
+      "e": "AQAB",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true
+    },
+    {
+      "kid": "rB8CEEEM6qI",
+      "kty": "RSA",
+      "alg": "RS512",
+      "n": "s760vqQPvEf82T4LHPby9hxFFIKUda0G79xuDmseWJgeMWlU3yv6uDPPJ2Nx-4prXC_fiFlNsEEx8p6GjKpAi32Mb1vehqTNJEmluxLrBeYYY5-mA5d8-2BE_5jLSkDEQ8pFwWICP-LbI95U7aytMqnuTqPr8cC4N2Sac2P4r8lGrzT6F276DB2Meshf00lJ9o_7ta77rLTVBCo9Ws5D9V7JiT86mx8hia_6JbvcmfgH_6NAitGMD6tvXNWH-i7o8ZLywBJO4U35wU_woduTFmj_ZFDrBgMRNMVBrvnwk_5XDfbrVkRLaunnQMadKgCMkryj4RXNqms08wF8N59uLQ",
+      "e": "AQAB",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true
+    },
+    {
+      "kid": "Muh91OOgi5Q",
+      "kty": "RSA",
+      "alg": "RS256",
+      "n": "wbiBktBKqfKFnXHuBrxeN09D006kX6C9VUykaQayPZJCmSv8X8zpCclOXCYHboGtkJ9y5E9iCCK0V7kFvSXOWl562tWHlNzZfZM6xZU1hS-1jFc3Hjk66yIkeocFpAdb3pUCzFmSNrQsDWoJSJa-ly6AkmPahPe2A7UzFeEjUiWKossssOhgvo3TFCB6D7kkU7DujShm74FqzjXEPmcgc3ZDzpALu7N_HqxIbuQv0TJ7yIY8cqzyTmDahy0cKGn1Z4ViVwCCZsgVniDLbcLcsXkhPWKAtM2FMLbSIJvEZrLlPFTWWsc82oky5u2aeO0hEodihkwVl-w_Xaiv3RZVmQ",
+      "e": "AQAB",
+      "key_ops": [
+        "verify"
+      ],
+      "ext": true
+    }
+  ]
+}