Merge branch 'crypto-refactor'

Author: Hans Kristian Flaatten

src/auth.coffee

@@ -1,4 +1,4 @@
-crypto = require 'crypto'
+crypto = require './crypto'
 request = require 'request'
 async = require 'async'
 
@@ -41,7 +41,7 @@ TurbasenAuth.prototype._authUser = (email, password, user, cb) ->
     return cb hash.toString('base64') is user.pbkdf2.hash
 
 TurbasenAuth.prototype._authUsers = (email, password, users, cb) ->
-  iterator = async.apply @_authUser.bind(@), email, password
+  iterator = async.apply crypto.authenticate, email, password
   async.detect users, iterator, (user) ->
     delete user.pbkdf2 if user?.pbkdf2
 
@@ -74,4 +74,3 @@ TurbasenAuth.prototype.authenticate = (email, password, cb) ->
     @_authGroups email, password, body.documents, cb
 
 module.exports = TurbasenAuth
-

src/crypto.coffee

@@ -0,0 +1,31 @@
+crypto = require 'crypto'
+
+module.exports.pbkdf2 = (pwd, salt, itrs, dkLen, cb) ->
+  pwd = new Buffer pwd, 'utf8'
+  salt = new Buffer salt, 'base64'
+
+  try
+    crypto.pbkdf2 pwd, salt, itrs, dkLen, (err, hash) ->
+      cb err, hash?.toString 'base64'
+  catch err
+    process.nextTick -> cb err
+
+module.exports.authenticate = (email, pass, user, cb) ->
+  if email isnt user.epost
+    return process.nextTick ->
+      cb false, 'AUTH001', 'User email did not match'
+
+  if user.pbkdf2?.prf isnt 'HMAC-SHA1'
+    return process.nextTick ->
+      cb false, 'AUTH002', 'Unknown authentication schema'
+
+  salt = user.pbkdf2.salt
+  itrs = user.pbkdf2.itrs
+  dkLen = user.pbkdf2.dkLen
+
+  module.exports.pbkdf2 pass, salt, itrs, dkLen, (err, hash) ->
+    return cb false, 'AUTH003', err if err
+    if hash isnt user.pbkdf2.hash
+      return cb false, 'AUTH004', 'User password hash did not match'
+
+    return cb true

test/auth-spec.coffee

@@ -0,0 +1,225 @@
+assert = require 'assert'
+TurbasenAuth = require '../src/auth'
+
+auth = groups = _getGroups = _getGroup = null
+
+beforeEach ->
+  auth = new TurbasenAuth('node-turbasen-auth/v1.0.0', process.env.NTB_API_KEY)
+  groups = [{
+    _id: '507f1f77bcf86cd799439011'
+    navn: 'Foo Group'
+    privat:
+      brukere: [{
+        _password: 'Pa$w0rd'
+        navn: 'Foo Bar'
+        epost: '[email protected]'
+        pbkdf2:
+          prf: 'HMAC-SHA1'
+          itrs: 100
+          salt: 'XO6rZj9WG1UsLEsAGQH16qgZpCM9D7VylFQzwpSmOEo='
+          dkLen: 32
+          hash: 'Ir/5WTFgyBJoI3pJ8SaH8qWxdgZ0my6qcOPVPHnYJQ4='
+      },{
+        _password: 'Pik4chu'
+        navn: 'Bar Foo'
+        epost: '[email protected]'
+        pbkdf2:
+          prf: 'HMAC-SHA1'
+          itrs: 100
+          salt: 'XO6rZj9WG1UsLEsAGQH16qgZpCM9D7VylFQzwpSmOEa='
+          dkLen: 32
+          hash: '7oVtqDGrHf48OUYXwY/3qJks1q40Wg8f+bo+FFAI7oA='
+      },{
+        navn: 'Baz Bar'
+        epost: '[email protected]'
+      }]
+  },{
+    _id: '507f191e810c19729de860ea'
+    navn: 'Bar Group'
+    privat:
+      brukere: [{
+        _password: 'Pik4chu'
+        navn: 'Baz Bar'
+        epost: '[email protected]'
+        pbkdf2:
+          prf: 'HMAC-SHA1'
+          itrs: 100
+          salt: 'XO6rZj9WG1UsLEsAGQH16qgZpCM9D7VylFQzwpSmOEa='
+          dkLen: 32
+          hash: '7oVtqDGrHf48OUYXwY/3qJks1q40Wg8f+bo+FFAI7oA='
+      }]
+  }]
+
+  _getGroup = auth._getGroup
+  _getGroups = auth._getGroups
+
+  auth._getGroups = (email, cb) ->
+    res = statusCode: 200
+    body = documents: [], count: 0, total: 0
+
+    switch email
+      when "[email protected]" then body.documents.push groups[0]
+      when "[email protected]" then body.documents.push groups[0]
+      when "[email protected]"
+        body.documents.push groups[0]
+        body.documents.push groups[1]
+
+    # @TODO remove private data from view
+
+    body.count = body.total = body.documents.length
+
+    cb null, res, body
+
+  auth._getGroup = (id, cb) ->
+    res = statusCode: 200
+    body = {}
+
+    switch id
+      when "507f1f77bcf86cd799439011" then body = groups[0]
+      when "507f191e810c19729de860ea" then body = groups[1]
+      else
+        res.statusCode = 404
+
+    if Object.keys(body).length isnt 0
+      delete body.privat.brukere[key]._password for _, key in body.privat.brukere
+
+    cb null, res, body
+
+describe 'Constructor', ->
+  it 'should make new instance', ->
+    assert auth instanceof TurbasenAuth
+
+describe '#_authUsers()', ->
+  users = []
+  passwords = []
+
+  beforeEach ->
+    users = groups[0].privat.brukere
+    for user, key in users
+      passwords.push user._password
+      delete users[key]._password
+
+  it 'should return false if no match is found', (done) ->
+    auth._authUsers '[email protected]', 'P4s$word', users, (err, user) ->
+      assert.equal user, false
+      done()
+
+  it 'should return true if a match is found', (done) ->
+    auth._authUsers users[1].epost, passwords[1], users, (err, user) ->
+      assert.deepEqual user,
+        navn: users[1].navn
+        epost: users[1].epost
+      done()
+
+describe '#_authGroup()', ->
+  group = null
+  beforeEach -> group = _id: 'abc123', navn: 'Awesome group'
+
+  it 'should return error for non 404 error code', (done) ->
+    auth._getGroup = (id, cb) -> cb null, statusCode: 501, {}
+    auth._authGroup 'email', 'pass', group, (err, match) ->
+      assert /HTTP_ERR GET \/gruppe\/abc123 - 501/.test err
+      done()
+
+  it 'should return false for HTTP error code is 404', (done) ->
+    auth._getGroup = (id, cb) -> cb null, statusCode: 404, {}
+    auth._authGroup 'email', 'pass', group, (err, match) ->
+      assert.ifError err
+      assert.equal match, false
+      done()
+
+  it 'should return false for no group user object', (done) ->
+    auth._authGroup 'email', 'pass', group, (err, match) ->
+      assert.ifError err
+      assert.equal match, false
+      done()
+
+  #it 'should return false for unknown email', (done) ->
+  #  email = groups[0].privat.brukere[0].epost + 'A'
+  #  passw = groups[0].privat.brukere[0]._password
+  #  group = _id: groups[0]._id
+
+  #  auth._authGroup email, passw, group, (err, match) ->
+  #    assert.ifError err
+  #    assert.equal match, false
+  #    done()
+
+  #it 'should return false for invalid password', (done) ->
+  #  email = groups[0].privat.brukere[0].epost
+  #  passw = groups[0].privat.brukere[0]._password + 'A'
+  #  group = _id: groups[0]._id
+
+  #  auth._authGroup email, passw, group, (err, match) ->
+  #    assert.ifError err
+  #    assert.equal match, false
+  #    done()
+
+  it 'should return user credentials for matching email and password', (done) ->
+    name  = groups[0].privat.brukere[0].navn
+    email = groups[0].privat.brukere[0].epost
+    passw = groups[0].privat.brukere[0]._password
+    group = _id: groups[0]._id, navn: groups[0].navn
+
+    auth._authGroup email, passw, group, (err, match) ->
+      assert.ifError err
+      assert.deepEqual match,
+        navn: name
+        epost: email
+        gruppe: group
+      done()
+
+describe '_authGroups()', ->
+  it 'should authenticate user ammong one matching group', (done) ->
+    name  = groups[0].privat.brukere[0].navn
+    email = groups[0].privat.brukere[0].epost
+    passw = groups[0].privat.brukere[0]._password
+    group = _id: groups[0]._id, navn: groups[0].navn
+
+    auth._authGroups email, passw, [groups[0]], (err, user) ->
+      assert.ifError err
+      assert.deepEqual user,
+        navn: name
+        epost: email
+        gruppe: group
+      done()
+
+  it 'should authenticate user ammong several matching groups', (done) ->
+    name  = groups[0].privat.brukere[0].navn
+    email = groups[0].privat.brukere[0].epost
+    passw = groups[0].privat.brukere[0]._password
+    group = _id: groups[0]._id, navn: groups[0].navn
+
+    auth._authGroups email, passw, groups, (err, user) ->
+      assert.ifError err
+      assert.deepEqual user,
+        navn: name
+        epost: email
+        gruppe: group
+      done()
+
+describe '#authenticate()', ->
+  it 'should authenticate user with valid credentials', (done) ->
+    if process.env.INTEGRATION_TEST is 'true'
+      @timeout 10000
+
+      auth._getGroups = _getGroups
+      auth._getGroup = _getGroup
+
+      name  = 'Destinasjon Trysil'
+      email = process.env.INTEGRATION_TEST_EMAIL
+      passw = process.env.INTEGRATION_TEST_PASSW
+      group = _id: '52407f3c4ec4a138150001d7', navn: 'Destinasjon Trysil'
+
+    else
+      name  = groups[0].privat.brukere[0].navn
+      email = groups[0].privat.brukere[0].epost
+      passw = groups[0].privat.brukere[0]._password
+      group = _id: groups[0]._id, navn: groups[0].navn
+
+    auth.authenticate email, passw, (err, user) ->
+      assert.ifError err
+      assert.deepEqual user,
+        navn: name
+        epost: email
+        gruppe: group
+      done()

test/crypto-spec.coffee

@@ -0,0 +1,86 @@
+assert = require 'assert'
+crypto = require '../src/crypto'
+
+user = null
+
+beforeEach ->
+  user =
+    _password: 'Pa$w0rd'
+    navn: 'Foo Bar'
+    epost: '[email protected]'
+    pbkdf2:
+      prf: 'HMAC-SHA1'
+      itrs: 100
+      salt: 'XO6rZj9WG1UsLEsAGQH16qgZpCM9D7VylFQzwpSmOEo='
+      dkLen: 32
+      hash: 'Ir/5WTFgyBJoI3pJ8SaH8qWxdgZ0my6qcOPVPHnYJQ4='
+
+describe 'pbkdf2()', ->
+  it 'returns pbkdf2 hash', (done) ->
+    pwd     = user._password
+    itrs    = user.pbkdf2.itrs
+    dkLen   = user.pbkdf2.dkLen
+    salt    = user.pbkdf2.salt
+    hash    = user.pbkdf2.hash
+
+    crypto.pbkdf2 pwd, salt, itrs, dkLen, (err, h) ->
+      assert.ifError err
+      assert.equal h, hash
+      done()
+
+describe 'authenticate()', ->
+  it 'returns true for correct email and password', (done) ->
+    email = user.epost
+    pass  = user._password
+
+    crypto.authenticate email, pass, user, (isAuth, code, msg) ->
+      assert.equal isAuth, true
+      assert.equal code, undefined
+      assert.equal msg, undefined
+
+      done()
+
+  it 'returns code AUTH001 when email does not match', (done) ->
+    email = 'foo'
+    pass  = user._password
+
+    crypto.authenticate email, pass, user, (isAuth, code, msg) ->
+      assert.equal isAuth, false
+      assert.equal code, 'AUTH001'
+      assert.equal msg, 'User email did not match'
+
+      done()
+
+  it 'returns code AUTH002 for invalid auth schema', (done) ->
+    email = user.epost
+    pass  = user._password
+    user.pbkdf2 = undefined
+
+    crypto.authenticate email, pass, user, (isAuth, code, msg) ->
+      assert.equal isAuth, false
+      assert.equal code, 'AUTH002'
+      assert.equal msg, 'Unknown authentication schema'
+
+      done()
+
+  it 'returns code AUTH003 when pbkdf2 fails', (done) ->
+    email = user.epost
+    pass  = user._password
+    user.pbkdf2.dkLen = -1
+
+    crypto.authenticate email, pass, user, (isAuth, code, msg) ->
+      assert.equal isAuth, false
+      assert.equal code, 'AUTH003'
+      assert /TypeError: Bad key length/.test msg
+      done()
+
+  it 'returns code AUTH004 when hash does not match', (done) ->
+    email = user.epost
+    pass  = 'foo'
+
+    crypto.authenticate email, pass, user, (isAuth, code, msg) ->
+      assert.equal isAuth, false
+      assert.equal code, 'AUTH004'
+      assert.equal msg, 'User password hash did not match'
+
+      done()