Adds support for read-only masterKey (#4297)

* Adds support for read-only masterKey * Adds tests to make sure all endpoints are properly protected * Updates readme * nits
2017-10-26 15:35:07 -04:00
parent 87b79cedfa
commit 1dd58b7527
13 changed files with 195 additions and 7 deletions
--- a/spec/helper.js
+++ b/spec/helper.js
@@ -90,6 +90,7 @@ var defaultConfiguration = {
  restAPIKey: 'rest',
  webhookKey: 'hook',
  masterKey: 'test',
+  readOnlyMasterKey: 'read-only-test',
  fileKey: 'test',
  silent,
  logLevel,
--- a/spec/rest.spec.js
+++ b/spec/rest.spec.js
@@ -4,6 +4,7 @@ var auth = require('../src/Auth');
 var Config = require('../src/Config');
 var Parse = require('parse/node').Parse;
 var rest = require('../src/rest');
+var RestWrite = require('../src/RestWrite');
 var request = require('request');
 var rp = require('request-promise');

@@ -623,5 +624,139 @@ describe('rest update', () => {
      done();
    });
  });
-
+});
+
+describe('read-only masterKey', () => {
+  it('properly throws on rest.create, rest.update and rest.del', () => {
+    const config = Config.get('test');
+    const readOnly = auth.readOnly(config);
+    expect(() => {
+      rest.create(config, readOnly, 'AnObject', {})
+    }).toThrow(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, `read-only masterKey isn't allowed to perform the create operation.`));
+    expect(() => {
+      rest.update(config, readOnly, 'AnObject', {})
+    }).toThrow();
+    expect(() => {
+      rest.del(config, readOnly, 'AnObject', {})
+    }).toThrow();
+  });
+
+  it('properly blocks writes', (done) => {
+    reconfigureServer({
+      readOnlyMasterKey: 'yolo-read-only'
+    }).then(() => {
+      return rp.post(`${Parse.serverURL}/classes/MyYolo`, {
+        headers: {
+          'X-Parse-Application-Id': Parse.applicationId,
+          'X-Parse-Master-Key': 'yolo-read-only',
+        },
+        json: { foo: 'bar' }
+      });
+    }).then(done.fail).catch((res) => {
+      expect(res.error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.error.error).toBe('read-only masterKey isn\'t allowed to perform the create operation.');
+      done();
+    });
+  });
+
+  it('should throw when masterKey and readOnlyMasterKey are the same', (done) => {
+    reconfigureServer({
+      masterKey: 'yolo',
+      readOnlyMasterKey: 'yolo'
+    }).then(done.fail).catch((err) => {
+      expect(err).toEqual(new Error('masterKey and readOnlyMasterKey should be different'));
+      done();
+    });
+  });
+
+  it('should throw when trying to create RestWrite', () => {
+    const config = Config.get('test');
+    expect(() => {
+      new RestWrite(config, auth.readOnly(config));
+    }).toThrow(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Cannot perform a write operation when using readOnlyMasterKey'));
+  });
+
+  it('should throw when trying to create schema', (done) => {
+    return rp.post(`${Parse.serverURL}/schemas`, {
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': 'read-only-test',
+      },
+      json: {}
+    }).then(done.fail).catch((res) => {
+      expect(res.error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.error.error).toBe('read-only masterKey isn\'t allowed to create a schema.');
+      done();
+    });
+  });
+
+  it('should throw when trying to create schema with a name', (done) => {
+    return rp.post(`${Parse.serverURL}/schemas/MyClass`, {
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': 'read-only-test',
+      },
+      json: {}
+    }).then(done.fail).catch((res) => {
+      expect(res.error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.error.error).toBe('read-only masterKey isn\'t allowed to create a schema.');
+      done();
+    });
+  });
+
+  it('should throw when trying to update schema', (done) => {
+    return rp.put(`${Parse.serverURL}/schemas/MyClass`, {
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': 'read-only-test',
+      },
+      json: {}
+    }).then(done.fail).catch((res) => {
+      expect(res.error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.error.error).toBe('read-only masterKey isn\'t allowed to update a schema.');
+      done();
+    });
+  });
+
+  it('should throw when trying to delete schema', (done) => {
+    return rp.del(`${Parse.serverURL}/schemas/MyClass`, {
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': 'read-only-test',
+      },
+      json: {}
+    }).then(done.fail).catch((res) => {
+      expect(res.error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.error.error).toBe('read-only masterKey isn\'t allowed to delete a schema.');
+      done();
+    });
+  });
+
+  it('should throw when trying to update the global config', (done) => {
+    return rp.put(`${Parse.serverURL}/config`, {
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': 'read-only-test',
+      },
+      json: {}
+    }).then(done.fail).catch((res) => {
+      expect(res.error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.error.error).toBe('read-only masterKey isn\'t allowed to update the config.');
+      done();
+    });
+  });
+
+  it('should throw when trying to send push', (done) => {
+    return rp.post(`${Parse.serverURL}/push`, {
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-Master-Key': 'read-only-test',
+      },
+      json: {}
+    }).then(done.fail).catch((res) => {
+      expect(res.error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.error.error).toBe('read-only masterKey isn\'t allowed to send push notifications.');
+      done();
+    });
+  });
 });