joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for master key clients to create user sessions (#7406)

Browse Source 
* 6641: Implement support for user impersonation: master key clients can log in as any user, without access to the user's credentials, and without presuming the user already has a session

* reworded changelog

* rebuilt package lock

* fit test

* using lodash flatMap

* bump to node 12 for postgres test

* revert test fit

* add node version to postgres CI

* revert package-lock

Co-authored-by: gormanfletcher <git@gormanfletcher.com>
Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
This commit is contained in:
GormanFletcher
2021-06-04 19:55:00 -04:00
committed by GitHub
parent 754c127d96
commit 129f7bfa9b
6 changed files with 249 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
spec/ParseUser.spec.js
View File

@@ -4032,3 +4032,131 @@ describe('Security Advisory GHSA-8w3j-g983-8jh5', function () {
expect(user.get('authData')).toEqual({ custom: { id: 'linkedID' } });
});
});
describe('login as other user', () => {
it('allows creating a session for another user with the master key', async done => {
await Parse.User.signUp('some_user', 'some_password');
const userId = Parse.User.current().id;
await Parse.User.logOut();
try {
const response = await request({
method: 'POST',
url: 'http://localhost:8378/1/loginAs',
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest',
'X-Parse-Master-Key': 'test',
},
body: {
userId,
},
});
expect(response.data.sessionToken).toBeDefined();
} catch (err) {
fail(`no request should fail: ${JSON.stringify(err)}`);
done();
}
const sessionsQuery = new Parse.Query(Parse.Session);
const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
expect(sessionsAfterRequest.length).toBe(1);
done();
});
it('rejects creating a session for another user if the user does not exist', async done => {
try {
await request({
method: 'POST',
url: 'http://localhost:8378/1/loginAs',
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest',
'X-Parse-Master-Key': 'test',
},
body: {
userId: 'bogus-user',
},
});
fail('Request should fail without a valid user ID');
done();
} catch (err) {
expect(err.data.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
expect(err.data.error).toBe('user not found');
}
const sessionsQuery = new Parse.Query(Parse.Session);
const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
expect(sessionsAfterRequest.length).toBe(0);
done();
});
it('rejects creating a session for another user with invalid parameters', async done => {
const invalidUserIds = [undefined, null, ''];
for (const invalidUserId of invalidUserIds) {
try {
await request({
method: 'POST',
url: 'http://localhost:8378/1/loginAs',
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest',
'X-Parse-Master-Key': 'test',
},
body: {
userId: invalidUserId,
},
});
fail('Request should fail without a valid user ID');
done();
} catch (err) {
expect(err.data.code).toBe(Parse.Error.INVALID_VALUE);
expect(err.data.error).toBe('userId must not be empty, null, or undefined');
}
const sessionsQuery = new Parse.Query(Parse.Session);
const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
expect(sessionsAfterRequest.length).toBe(0);
}
done();
});
it('rejects creating a session for another user without the master key', async done => {
await Parse.User.signUp('some_user', 'some_password');
const userId = Parse.User.current().id;
await Parse.User.logOut();
try {
await request({
method: 'POST',
url: 'http://localhost:8378/1/loginAs',
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest',
},
body: {
userId,
},
});
fail('Request should fail without the master key');
done();
} catch (err) {
expect(err.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
expect(err.data.error).toBe('master key is required');
}
const sessionsQuery = new Parse.Query(Parse.Session);
const sessionsAfterRequest = await sessionsQuery.find({ useMasterKey: true });
expect(sessionsAfterRequest.length).toBe(0);
done();
});
});

60
spec/SecurityCheck.spec.js
View File

@@ -23,14 +23,20 @@ describe('Security Check', () => {
await reconfigureServer(config);
}
const securityRequest = (options) => request(Object.assign({
url: securityUrl,
headers: {
'X-Parse-Master-Key': Parse.masterKey,
'X-Parse-Application-Id': Parse.applicationId,
},
followRedirects: false,
}, options)).catch(e => e);
const securityRequest = options =>
request(
Object.assign(
{
url: securityUrl,
headers: {
'X-Parse-Master-Key': Parse.masterKey,
'X-Parse-Application-Id': Parse.applicationId,
},
followRedirects: false,
},
options
)
).catch(e => e);
beforeEach(async () => {
groupName = 'Example Group Name';
@@ -41,7 +47,7 @@ describe('Security Check', () => {
solution: 'TestSolution',
check: () => {
return true;
}
},
});
checkFail = new Check({
group: 'TestGroup',
@@ -50,14 +56,14 @@ describe('Security Check', () => {
solution: 'TestSolution',
check: () => {
throw 'Fail';
}
},
});
Group = class Group extends CheckGroup {
setName() {
return groupName;
}
setChecks() {
return [ checkSuccess, checkFail ];
return [checkSuccess, checkFail];
}
};
config = {
@@ -154,7 +160,7 @@ describe('Security Check', () => {
title: 'string',
warning: 'string',
solution: 'string',
check: () => {}
check: () => {},
},
{
group: 'string',
@@ -203,7 +209,9 @@ describe('Security Check', () => {
title: 'string',
warning: 'string',
solution: 'string',
check: () => { throw 'error' },
check: () => {
throw 'error';
},
});
expect(check._checkState == CheckState.none);
check.run();
@@ -277,7 +285,7 @@ describe('Security Check', () => {
});
it('runs all checks of all groups', async () => {
const checkGroups = [ Group, Group ];
const checkGroups = [Group, Group];
const runner = new CheckRunner({ checkGroups });
const report = await runner.run();
expect(report.report.groups[0].checks[0].state).toBe(CheckState.success);
@@ -287,27 +295,27 @@ describe('Security Check', () => {
});
it('reports correct default syntax version 1.0.0', async () => {
const checkGroups = [ Group ];
const checkGroups = [Group];
const runner = new CheckRunner({ checkGroups, enableCheckLog: true });
const report = await runner.run();
expect(report).toEqual({
report: {
version: "1.0.0",
state: "fail",
version: '1.0.0',
state: 'fail',
groups: [
{
name: "Example Group Name",
state: "fail",
name: 'Example Group Name',
state: 'fail',
checks: [
{
title: "TestTitleSuccess",
state: "success",
title: 'TestTitleSuccess',
state: 'success',
},
{
title: "TestTitleFail",
state: "fail",
warning: "TestWarning",
solution: "TestSolution",
title: 'TestTitleFail',
state: 'fail',
warning: 'TestWarning',
solution: 'TestSolution',
},
],
},
@@ -319,7 +327,7 @@ describe('Security Check', () => {
it('logs report', async () => {
const logger = require('../lib/logger').logger;
const logSpy = spyOn(logger, 'warn').and.callThrough();
const checkGroups = [ Group ];
const checkGroups = [Group];
const runner = new CheckRunner({ checkGroups, enableCheckLog: true });
const report = await runner.run();
const titles = report.report.groups.flatMap(group => group.checks.map(check => check.title));