'use strict';
const Config = require('../lib/Config');
const { CheckState } = require('../lib/Security/Check');
const CheckGroupServerConfig = require('../lib/Security/CheckGroups/CheckGroupServerConfig');
const CheckGroupDatabase = require('../lib/Security/CheckGroups/CheckGroupDatabase');
describe('Security Check Groups', () => {
let config;
beforeEach(async () => {
  // Baseline for every spec: security checks on, check logging off so the
  // suite stays quiet. Specs mutate this object and reconfigure again.
  const security = { enableCheck: true, enableCheckLog: false };
  config = {
    appId: 'test',
    appName: 'ExampleAppName',
    publicServerURL: 'http://localhost:8378/1',
    security,
  };
  await reconfigureServer(config);
});
describe('CheckGroupServerConfig', () => {
it('is subclassed correctly', async () => {
  // Sanity check on the group itself: without a name and a non-empty check
  // list, the index-based assertions in the sibling specs are meaningless.
  const group = new CheckGroupServerConfig();
  const checks = group.checks();
  expect(group.name()).toBeDefined();
  expect(checks.length).toBeGreaterThan(0);
});
it('checks succeed correctly', async () => {
  // Hardened configuration: every option this spec touches is set to its
  // secure value (strong master key, no client class creation, no insecure
  // auth adapters, no public GraphQL introspection or playground, read-only
  // master key pinned to loopback). Every asserted check must pass.
  Object.assign(config, {
    masterKey: 'aMoreSecur3Passwor7!',
    allowClientClassCreation: false,
    enableInsecureAuthAdapters: false,
    graphQLPublicIntrospection: false,
    mountPlayground: false,
    readOnlyMasterKey: 'someReadOnlyMasterKey',
    readOnlyMasterKeyIps: ['127.0.0.1', '::1'],
  });
  // Already the beforeEach default; kept explicit as the counterpart of the "fail" spec.
  config.security.enableCheckLog = false;
  await reconfigureServer(config);

  const group = new CheckGroupServerConfig();
  await group.run();
  const checks = group.checks();

  // NOTE(review): indices follow the check order inside CheckGroupServerConfig,
  // so inserting a check there shifts every assertion below. Index 3 is not
  // asserted by any spec in this file; index 7 is covered by the
  // MongoDB-specific specs (allowPublicExplain).
  expect(checks[0].checkState()).toBe(CheckState.success);
  expect(checks[1].checkState()).toBe(CheckState.success);
  expect(checks[2].checkState()).toBe(CheckState.success);
  expect(checks[4].checkState()).toBe(CheckState.success);
  expect(checks[5].checkState()).toBe(CheckState.success);
  expect(checks[6].checkState()).toBe(CheckState.success);
  expect(checks[8].checkState()).toBe(CheckState.success);
  expect(checks[9].checkState()).toBe(CheckState.success);
  expect(checks[10].checkState()).toBe(CheckState.success);
  expect(checks[11].checkState()).toBe(CheckState.success);
});
it('checks fail correctly', async () => {
  // Deliberately weak configuration: weak master key, check log enabled,
  // client class creation and insecure auth adapters allowed, GraphQL
  // introspection/playground exposed, read-only master key reachable from
  // any address, all request-complexity limits disabled, and account
  // enumeration enabled via distinguishable responses for unknown emails.
  Object.assign(config, {
    masterKey: 'insecure',
    allowClientClassCreation: true,
    enableInsecureAuthAdapters: true,
    graphQLPublicIntrospection: true,
    mountPlayground: true,
    readOnlyMasterKey: 'someReadOnlyMasterKey',
    readOnlyMasterKeyIps: ['0.0.0.0/0'],
    requestComplexity: {
      includeDepth: -1,
      includeCount: -1,
      subqueryDepth: -1,
      graphQLDepth: -1,
      graphQLFields: -1,
    },
    passwordPolicy: {
      resetPasswordSuccessOnInvalidEmail: false,
    },
    emailVerifySuccessOnInvalidEmail: false,
  });
  config.security.enableCheckLog = true;
  await reconfigureServer(config);

  const group = new CheckGroupServerConfig();
  await group.run();
  const checks = group.checks();

  // Same positional indices as the "succeed" spec; index 3 is not asserted
  // anywhere in this file, index 7 belongs to the MongoDB-specific specs.
  expect(checks[0].checkState()).toBe(CheckState.fail);
  expect(checks[1].checkState()).toBe(CheckState.fail);
  expect(checks[2].checkState()).toBe(CheckState.fail);
  expect(checks[4].checkState()).toBe(CheckState.fail);
  expect(checks[5].checkState()).toBe(CheckState.fail);
  expect(checks[6].checkState()).toBe(CheckState.fail);
  expect(checks[8].checkState()).toBe(CheckState.fail);
  expect(checks[9].checkState()).toBe(CheckState.fail);
  expect(checks[10].checkState()).toBe(CheckState.fail);
  expect(checks[11].checkState()).toBe(CheckState.fail);
});
it_only_db('mongo')('checks succeed correctly (MongoDB specific)', async () => {
  // Drop any injected adapter so the server builds its default Mongo adapter
  // from databaseOptions; with public explain disabled, check [7] must pass.
  delete config.databaseAdapter;
  config.databaseAdapter = undefined;
  config.databaseOptions = { allowPublicExplain: false };
  await reconfigureServer(config);

  const group = new CheckGroupServerConfig();
  await group.run();
  const explainCheck = group.checks()[7];
  expect(explainCheck.checkState()).toBe(CheckState.success);
});
it_only_db('mongo')('checks fail correctly (MongoDB specific)', async () => {
  // Counterpart of the Mongo "succeed" spec: allowing unauthenticated
  // explain() exposes query plans and index layout, so check [7] must fail.
  delete config.databaseAdapter;
  config.databaseAdapter = undefined;
  config.databaseOptions = { allowPublicExplain: true };
  await reconfigureServer(config);

  const group = new CheckGroupServerConfig();
  await group.run();
  const explainCheck = group.checks()[7];
  expect(explainCheck.checkState()).toBe(CheckState.fail);
});
});
describe('CheckGroupDatabase', () => {
it('is subclassed correctly', async () => {
  // The database group must expose a name and at least one check; the
  // specs below rely on check [0] existing.
  const group = new CheckGroupDatabase();
  const checks = group.checks();
  expect(group.name()).toBeDefined();
  expect(checks.length).toBeGreaterThan(0);
});
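it('checks succeed correctly', async () => {
  // Swap the live adapter URI for one whose only notable trait is a strong
  // password (the "fail" spec differs from this one solely in the password
  // segment), then expect check [0] to pass.
  //
  // The real URI is restored in `finally`: the original restore ran only on
  // the happy path, so a rejected run() would have leaked the fake URI into
  // every later spec in the process.
  const config = Config.get(Parse.applicationId);
  const adapter = config.database.adapter;
  const originalUri = adapter._uri;
  adapter._uri = 'protocol://user:aMoreSecur3Passwor7!@example.com';
  try {
    const group = new CheckGroupDatabase();
    await group.run();
    expect(group.checks()[0].checkState()).toBe(CheckState.success);
  } finally {
    adapter._uri = originalUri;
  }
});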
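it('checks fail correctly', async () => {
  // Same URI shape as the "succeed" spec but with the trivially guessable
  // password 'insecure'; check [0] must fail.
  //
  // Restore the real URI in `finally` so a rejected run() cannot leave the
  // shared adapter pointing at the fake URI for subsequent specs.
  const config = Config.get(Parse.applicationId);
  const adapter = config.database.adapter;
  const originalUri = adapter._uri;
  adapter._uri = 'protocol://user:insecure@example.com';
  try {
    const group = new CheckGroupDatabase();
    await group.run();
    expect(group.checks()[0].checkState()).toBe(CheckState.fail);
  } finally {
    adapter._uri = originalUri;
  }
});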
});
});