Merge pull request #72 from navikt/personlookup

person lookup, not hooked up to any routes yet
navikt · Aug 8, 2019 · 052cfae · 052cfae
2 parents 0b4326f + 89f5a63
commit 052cfae
Show file tree

Hide file tree

Showing 10 changed files with 283 additions and 91 deletions.
diff --git a/.eslintrc b/.eslintrc
@@ -29,7 +29,7 @@
          }
       },
       {
-         "files": ["**/*.test.js"],
+         "files": ["**/*.test.js", "__mocks__/**/*.js"],
          "env": {
             "mocha": true,
             "node": true,

diff --git a/__mocks__/request.js b/__mocks__/request.js
@@ -0,0 +1,29 @@
+'use strict';
+
+jest.genMockFromModule('request');
+
+let stsStatusCode = 0;
+let stsResponseBody = {};
+let personStatusCode = 0;
+let personResponseBody = {};
+
+const setStsStatusCode = code => (stsStatusCode = code);
+const setStsResponseBody = body => (stsResponseBody = body);
+const setPersonStatusCode = code => (personStatusCode = code);
+const setPersonResponseBody = body => (personResponseBody = body);
+
+const get = (url, options, callback) => {
+    if (url.includes('/sts/')) {
+        callback(null, { statusCode: stsStatusCode }, stsResponseBody);
+    } else {
+        callback(null, { statusCode: personStatusCode }, personResponseBody);
+    }
+};
+
+module.exports = {
+    get: get,
+    setStsStatusCode: setStsStatusCode,
+    setStsResponseBody: setStsResponseBody,
+    setPersonStatusCode: setPersonStatusCode,
+    setPersonResponseBody: setPersonResponseBody
+};
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/server/authsupport.js b/src/server/authsupport.js
@@ -1,21 +1,30 @@
 'use strict';
 
-const stillValid = token => {
+const isValidNow = token => {
+    return isValidAt(token, Math.floor(Date.now()) / 1000);
+};
+
+const isValidAt = (token, timeInSeconds) => {
     if (!token) {
         return false;
     }
 
     try {
         const claims = claimsFrom(token);
         const expirationTime = parseInt(claims['exp']);
-        const nowInSeconds = Math.floor(Date.now() / 1000);
-        return expirationTime >= nowInSeconds;
+        return expirationTime >= timeInSeconds;
     } catch (err) {
         console.log(`error while checking token validity: ${err}`);
         return false;
     }
 };
 
+const willExpireInLessThan = (seconds, token) => {
+    const timeToTest = Math.floor(Date.now() / 1000) + seconds;
+    const expirationTime = parseInt(claimsFrom(token)['exp']);
+    return timeToTest > expirationTime;
+};
+
 const validateOidcCallback = (req, azureClient, config) => {
     const params = azureClient.callbackParams(req);
     const nonce = req.session.nonce;
@@ -66,7 +75,9 @@ const nameFrom = token => {
 };
 
 module.exports = {
-    stillValid: stillValid,
+    isValidAt: isValidAt,
+    isValidNow: isValidNow,
+    willExpireInLessThan: willExpireInLessThan,
     validateOidcCallback: validateOidcCallback,
     isMemberOf: isMemberOf,
     nameFrom: nameFrom

diff --git a/src/server/authsupport.test.js b/src/server/authsupport.test.js
@@ -6,9 +6,7 @@ const clgOrig = console.log;
 
 afterEach(cleanup);
 
-afterEach(cleanup);
-
-beforeAll(() => {
+beforeEach(() => {
     // reduce noise in log
     console.log = jest.fn();
 });
@@ -17,51 +15,69 @@ afterAll(() => {
     console.log = clgOrig;
 });
 
-test('valid token has expiry in the future', async () => {
+test('valid token has expiry in the future', () => {
     const nowInSeconds = Math.floor(Date.now() / 1000);
     const token = createToken({ exp: `${nowInSeconds + 10}` });
-    expect(authsupport.stillValid(token)).toEqual(true);
+    expect(authsupport.isValidNow(token)).toEqual(true);
 });
 
-test('invalid token has expiry in the past', async () => {
+test('invalid token has expiry in the past', () => {
     const nowInSeconds = Math.floor(Date.now() / 1000);
     const token = createToken({ exp: `${nowInSeconds - 10}` });
-    expect(authsupport.stillValid(token)).toEqual(false);
+    expect(authsupport.isValidNow(token)).toEqual(false);
+});
+
+test('null token does not validate', () => {
+    expect(authsupport.isValidNow(null)).toEqual(false);
 });
 
-test('null token does not validate', async () => {
-    expect(authsupport.stillValid(null)).toEqual(false);
+test('undefined token does not validate', () => {
+    expect(authsupport.isValidNow(undefined)).toEqual(false);
 });
 
-test('undefined token does not validate', async () => {
-    expect(authsupport.stillValid(undefined)).toEqual(false);
+test('malformed token does not validate', () => {
+    expect(authsupport.isValidNow('bogustext')).toEqual(false);
 });
 
-test('malformed token does not validate', async () => {
-    expect(authsupport.stillValid('bogustext')).toEqual(false);
+test('willExpireInLessThan is false if test time is before exp', () => {
+    const nowInSeconds = Math.floor(Date.now() / 1000);
+    const token = createToken({ exp: `${nowInSeconds + 30}` });
+    expect(authsupport.willExpireInLessThan(29, token)).toEqual(false);
+});
+
+test('willExpireInLessThan is false if test time is at exp', () => {
+    const nowInSeconds = Math.floor(Date.now() / 1000);
+    const token = createToken({ exp: `${nowInSeconds + 30}` });
+    expect(authsupport.willExpireInLessThan(30, token)).toEqual(false);
+});
+
+test('willExpireInLessThan is true if test time is after exp', () => {
+    const nowInSeconds = Math.floor(Date.now() / 1000);
+    const token = createToken({ exp: `${nowInSeconds + 30}` });
+    expect(authsupport.willExpireInLessThan(31, token)).toEqual(true);
 });
 
-test('user is member of required group', async () => {
+test('user is member of required group', () => {
     const token = createToken({ groups: ['group1', 'group2', 'group3'] });
     expect(authsupport.isMemberOf('group3', token)).toEqual(true);
 });
 
-test('user is not member of required group', async () => {
+test('user is not member of required group', () => {
     const token = createToken({ groups: ['group1', 'group2', 'group3'] });
     expect(authsupport.isMemberOf('group4', token)).toEqual(false);
 });
 
-test('name extraction from jwt', async () => {
+test('name extraction from jwt', () => {
     const token = createToken({ name: 'John Doe' });
     expect(authsupport.nameFrom(token)).toEqual('John Doe');
 });
 
-test('name extraction from jwt, name property missing', async () => {
+test('name extraction from jwt, name property missing', () => {
     const token = createToken({});
     expect(authsupport.nameFrom(token)).toEqual('unknown user');
 });
 
-test('name extraction from jwt, malformed token', async () => {
+test('name extraction from jwt, malformed token', () => {
     const token = 'invalid bogus';
     expect(authsupport.nameFrom(token)).toEqual('unknown user');
 });

diff --git a/src/server/config.js b/src/server/config.js
@@ -24,3 +24,10 @@ exports.server = {
     port: 3000,
     sessionSecret: process.env.SESSION_SECRET
 };
+
+exports.nav = {
+    serviceUserName: process.env.SERVICE_USER_NAME,
+    serviceUserPassword: process.env.SERVICE_USER_PASSWORD,
+    stsUrl:
+        process.env.STS_URL || 'http://security-token-service.svc.nais.local'
+};
diff --git a/src/server/personlookup.js b/src/server/personlookup.js
@@ -0,0 +1,83 @@
+'use strict';
+
+const request = require('request');
+const authSupport = require('./authsupport');
+
+let navConfig = null;
+let cachedAccessToken = null;
+
+const init = config => {
+    navConfig = config;
+    cachedAccessToken = null;
+};
+
+const hentPerson = async aktørId => {
+    return new Promise((resolve, reject) => {
+        logonToNav()
+            .then(jwt => {
+                request.get(
+                    `http://sparkel.svc.nais.local/api/person/${aktørId}`,
+                    {
+                        headers: {
+                            Authorization: `Bearer: ${jwt}`
+                        }
+                    },
+                    (error, response, body) => {
+                        if (error || response.statusCode !== 200) {
+                            reject(
+                                `Error during person lookup, got ${
+                                    response.statusCode
+                                } ${error || 'unknown error'}`
+                            );
+                        } else {
+                            resolve(body);
+                        }
+                    }
+                );
+            })
+            .catch(err => {
+                reject(err);
+            });
+    });
+};
+
+const logonToNav = async () => {
+    return new Promise((resolve, reject) => {
+        if (
+            cachedAccessToken &&
+            !authSupport.willExpireInLessThan(30, cachedAccessToken)
+        ) {
+            resolve(cachedAccessToken);
+        } else {
+            request.get(
+                `${navConfig.stsUrl}/rest/v1/sts/token?grant_type=client_credentials&scope=openid`,
+                {
+                    headers: {
+                        Authorization:
+                            'Basic ' +
+                            Buffer.from(
+                                `${navConfig.serviceUserName}:${navConfig.serviceUserPassword}`
+                            ).toString('base64')
+                    }
+                },
+                (error, response, body) => {
+                    if (error || response.statusCode !== 200) {
+                        reject(
+                            `Error during STS login, got ${
+                                response.statusCode
+                            } ${error || 'unknown error'}`
+                        );
+                    } else {
+                        cachedAccessToken = body.access_token;
+                        resolve(body.access_token);
+                    }
+                }
+            );
+        }
+    });
+};
+
+module.exports = {
+    init: init,
+    hentPerson: hentPerson
+};
diff --git a/src/server/personlookup.test.js b/src/server/personlookup.test.js
@@ -0,0 +1,46 @@
+'use strict';
+
+const request = require('request');
+
+const personLookup = require('../../src/server/personlookup');
+
+beforeEach(() => {
+    personLookup.init({
+        serviceUserName: 'da_usah',
+        serviceUserPassword: 'pazzwd',
+        stsUrl: 'http://localhost'
+    });
+});
+
+test('successful person lookup resolves with person object', () => {
+    request.setStsStatusCode(200);
+    request.setStsResponseBody({
+        access_token: 'some_token'
+    });
+    request.setPersonStatusCode(200);
+    request.setPersonResponseBody({ navn: 'Navn Navnesen' });
+
+    expect(personLookup.hentPerson('12345')).resolves.toEqual({
+        navn: 'Navn Navnesen'
+    });
+});
+
+test('logon failure -> rejection', () => {
+    request.setStsStatusCode(500);
+
+    expect(personLookup.hentPerson('12345')).rejects.toMatch(
+        'Error during STS login'
+    );
+});
+
+test('lookup failure -> rejection', () => {
+    request.setStsStatusCode(200);
+    request.setStsResponseBody({
+        access_token: 'some_token'
+    });
+    request.setPersonStatusCode(500);
+
+    expect(personLookup.hentPerson('12345')).rejects.toMatch(
+        'Error during person lookup'
+    );
+});
diff --git a/src/server/server.js b/src/server/server.js
@@ -77,7 +77,7 @@ app.post('/callback', (req, res) => {
 app.use('/*', (req, res, next) => {
     if (
         process.env.NODE_ENV === 'development' ||
-        authsupport.stillValid(req.session.spadeToken)
+        authsupport.isValidNow(req.session.spadeToken)
     ) {
         next();
     } else {

diff --git a/src/server/storage.test.js b/src/server/storage.test.js
@@ -13,7 +13,7 @@ beforeAll(done => {
         setupServer();
         storage
             .init(`localhost:${port}`, 'anAccessKeyId', 'aSecretAccessKey')
-            .then(result => {
+            .then(() => {
                 done();
             })
             .catch(err => {