mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-23 15:41:07 +02:00
Code Issues Projects Releases Wiki Activity
vault/ui/tests/integration/components/auth/form-template-test.js
claire bontempo 45fee5c225
UI: (Enterprise) Login form customization feature (#30700) 
* add request for custom login settings to auth route

* add tests to page integration before updating logic

* make tab component tests

* move form state logic to parent page component

* test updates for sanitizing query param in auth route

* add custom login feature

* add test for fetching login settings on ent only

* add changelog

* reword changelog

* rename variable from showOtherMethods to showAlternateView

* cleanup store

* cleanup comments per PR feedback

* abc

* VAULT-34672 render line breaks in description

* update endpoints after testing with live api

* add test coverage

* word

* remove backup types from test-ns for testing

* change to manually log in

* add error handling for no login settings

* add inheritance badge and make list item linkable
2025-05-22 15:13:14 -07:00

414 lines
18 KiB
JavaScript
Raw Blame History

/**
* Copyright (c) HashiCorp, Inc.
* SPDX-License-Identifier: BUSL-1.1
*/
import { module, test } from 'qunit';
import { setupRenderingTest } from 'ember-qunit';
import { click, fillIn, find, findAll, render } from '@ember/test-helpers';
import hbs from 'htmlbars-inline-precompile';
import sinon from 'sinon';
import { setupMirage } from 'ember-cli-mirage/test-support';
import { AUTH_FORM } from 'vault/tests/helpers/auth/auth-form-selectors';
import { AUTH_METHOD_MAP } from 'vault/tests/helpers/auth/auth-helpers';
import { GENERAL } from 'vault/tests/helpers/general-selectors';
import {
ALL_LOGIN_METHODS,
BASE_LOGIN_METHODS,
ENTERPRISE_LOGIN_METHODS,
} from 'vault/utils/supported-login-methods';
import { overrideResponse } from 'vault/tests/helpers/stubs';
import { ERROR_JWT_LOGIN } from 'vault/components/auth/form/oidc-jwt';
module('Integration | Component | auth | form template', function (hooks) {
setupRenderingTest(hooks);
setupMirage(hooks);
hooks.beforeEach(function () {
window.localStorage.clear();
this.version = this.owner.lookup('service:version');
this.cluster = { id: '1' };
this.alternateView = null;
this.defaultView = { view: 'dropdown', tabData: null };
this.handleNamespaceUpdate = sinon.spy();
this.initialFormState = { initialAuthType: 'token', showAlternate: false };
this.namespaceQueryParam = '';
this.oidcProviderQueryParam = '';
this.onSuccess = sinon.spy();
this.visibleMountTypes = null;
this.renderComponent = () => {
return render(hbs`
<Auth::FormTemplate
@alternateView={{this.alternateView}}
@cluster={{this.cluster}}
@defaultView={{this.defaultView}}
@handleNamespaceUpdate={{this.handleNamespaceUpdate}}
@initialFormState={{this.initialFormState}}
@namespaceQueryParam={{this.namespaceQueryParam}}
@oidcProviderQueryParam={{this.oidcProviderQueryParam}}
@onSuccess={{this.onSuccess}}
@visibleMountTypes={{this.visibleMountTypes}}
/>`);
};
});
// test to select each method is in "ent" module to include enterprise methods
test('it selects token by default', async function (assert) {
await this.renderComponent();
assert.dom(GENERAL.selectByAttr('auth type')).hasValue('token');
});
test('it does not show toggle buttons if @alternateView does not exist', async function (assert) {
await this.renderComponent();
assert.dom(GENERAL.backButton).doesNotExist('"Back" button does not render');
assert.dom(AUTH_FORM.otherMethodsBtn).doesNotExist('"Sign in with other methods" does not render');
});
test('it initializes with preset auth type', async function (assert) {
this.initialFormState = { initialAuthType: 'userpass' };
await this.renderComponent();
assert.dom(GENERAL.selectByAttr('auth type')).hasValue('userpass');
});
test('it displays errors', async function (assert) {
const authenticateStub = sinon.stub(this.owner.lookup('service:auth'), 'authenticate');
authenticateStub.throws('permission denied');
await this.renderComponent();
await click(AUTH_FORM.login);
assert
.dom(GENERAL.messageError)
.hasText('Error Authentication failed: permission denied: Sinon-provided permission denied');
authenticateStub.restore();
});
module('listing visibility', function (hooks) {
hooks.beforeEach(function () {
const defaultTabs = {
userpass: [
{
path: 'userpass/',
description: '',
options: {},
type: 'userpass',
},
{
path: 'userpass2/',
description: '',
options: {},
type: 'userpass',
},
],
oidc: [
{
path: 'my-oidc/',
description: '',
options: {},
type: 'oidc',
},
],
token: [
{
path: 'token/',
description: 'token based credentials',
options: null,
type: 'token',
},
],
};
// all computed by the parent, in this case the initial tabs are the same as visible mount types
// but that isn't always the case
this.visibleMountTypes = Object.keys(defaultTabs);
this.defaultView = { type: 'tabs', tabData: defaultTabs };
this.alternateView = { type: 'dropdown', tabData: null };
this.initialFormState = { initialAuthType: 'userpass', showAlternate: false };
});
test('it selects each auth tab and renders form for that type', async function (assert) {
await this.renderComponent();
const assertSelected = (type) => {
assert.dom(AUTH_FORM.authForm(type)).exists(`${type}: form renders when tab is selected`);
assert.dom(AUTH_FORM.tabBtn(type)).hasAttribute('aria-selected', 'true');
};
const assertUnselected = (type) => {
assert.dom(AUTH_FORM.authForm(type)).doesNotExist(`${type}: form does NOT render`);
assert.dom(AUTH_FORM.tabBtn(type)).hasAttribute('aria-selected', 'false');
};
// click through each tab
await click(AUTH_FORM.tabBtn('userpass'));
assertSelected('userpass');
assertUnselected('oidc');
assertUnselected('token');
assert.dom(AUTH_FORM.advancedSettings).doesNotExist();
await click(AUTH_FORM.tabBtn('oidc'));
assertSelected('oidc');
assertUnselected('token');
assertUnselected('userpass');
assert.dom(AUTH_FORM.advancedSettings).doesNotExist();
await click(AUTH_FORM.tabBtn('token'));
assertSelected('token');
assertUnselected('oidc');
assertUnselected('userpass');
assert.dom(AUTH_FORM.advancedSettings).doesNotExist();
});
test('it clicks "Sign in with other methods" and toggles to other view', async function (assert) {
await this.renderComponent();
assert.dom(AUTH_FORM.tabs).exists({ count: 3 }, 'tabs render by default');
assert.dom(GENERAL.backButton).doesNotExist();
await click(AUTH_FORM.otherMethodsBtn);
assert
.dom(AUTH_FORM.otherMethodsBtn)
.doesNotExist('"Sign in with other methods" does not render after it is clicked');
assert
.dom(GENERAL.selectByAttr('auth type'))
.exists('clicking "Sign in with other methods" renders dropdown instead of tabs');
await click(GENERAL.backButton);
assert.dom(GENERAL.backButton).doesNotExist('"Back" button does not render after it is clicked');
assert.dom(AUTH_FORM.tabs).exists({ count: 3 }, 'clicking "Back" renders tabs again');
assert.dom(AUTH_FORM.otherMethodsBtn).exists('"Sign in with other methods" renders again');
});
test('it resets selected tab after clicking "Sign in with other methods" and then "Back"', async function (assert) {
await this.renderComponent();
assert.dom(AUTH_FORM.tabBtn('userpass')).hasAttribute('aria-selected', 'true');
assert.dom(AUTH_FORM.tabBtn('oidc')).hasAttribute('aria-selected', 'false');
assert.dom(AUTH_FORM.tabBtn('token')).hasAttribute('aria-selected', 'false');
// select a different tab before clicking "Sign in with other methods"
await click(AUTH_FORM.tabBtn('oidc'));
assert.dom(AUTH_FORM.tabBtn('oidc')).hasAttribute('aria-selected', 'true');
assert.dom(AUTH_FORM.tabBtn('userpass')).hasAttribute('aria-selected', 'false');
await click(AUTH_FORM.otherMethodsBtn);
assert.dom(GENERAL.selectByAttr('auth type')).exists('it renders dropdown instead of tabs');
await click(GENERAL.backButton);
// assert tab selection is reset
assert.dom(AUTH_FORM.tabBtn('userpass')).hasAttribute('aria-selected', 'true');
assert.dom(AUTH_FORM.tabBtn('oidc')).hasAttribute('aria-selected', 'false');
assert.dom(AUTH_FORM.tabBtn('token')).hasAttribute('aria-selected', 'false');
});
test('it preselects tab from initialFormState', async function (assert) {
this.initialFormState = { initialAuthType: 'oidc', showAlternate: false };
await this.renderComponent();
assert.dom(AUTH_FORM.authForm('oidc')).exists('oidc form renders');
assert.dom(AUTH_FORM.tabBtn('oidc')).hasAttribute('aria-selected', 'true');
});
test('it renders dropdown and preselects type if initialFormState is not a tab', async function (assert) {
this.initialFormState = { initialAuthType: 'ldap', showAlternate: true };
await this.renderComponent();
assert.dom(GENERAL.selectByAttr('auth type')).hasValue('ldap');
assert.dom(GENERAL.inputByAttr('username')).exists();
assert.dom(GENERAL.inputByAttr('password')).exists();
assert.dom(GENERAL.backButton).exists('"Back" button renders');
assert.dom(AUTH_FORM.otherMethodsBtn).doesNotExist('"Sign in with other methods" does not render');
});
});
module('community', function (hooks) {
hooks.beforeEach(function () {
this.version.type = 'community';
});
test('it does not render the namespace input on community', async function (assert) {
await this.renderComponent();
assert.dom(GENERAL.inputByAttr('namespace')).doesNotExist();
});
test('dropdown does not include enterprise methods', async function (assert) {
const supported = BASE_LOGIN_METHODS.map((m) => m.type);
const unsupported = ENTERPRISE_LOGIN_METHODS.map((m) => m.type);
assert.expect(supported.length + unsupported.length);
await this.renderComponent();
const dropdownOptions = findAll(`${GENERAL.selectByAttr('auth type')} option`).map((o) => o.value);
supported.forEach((m) => {
assert.true(dropdownOptions.includes(m), `dropdown includes supported method: ${m}`);
});
unsupported.forEach((m) => {
assert.false(dropdownOptions.includes(m), `dropdown does NOT include unsupported method: ${m}`);
});
});
});
// tests with "enterprise" in the title are filtered out from CE test runs
// naming the module 'ent' so these tests still run on the CE repo
module('ent', function (hooks) {
hooks.beforeEach(function () {
this.version.type = 'enterprise';
this.version.features = ['Namespaces'];
this.namespaceQueryParam = '';
});
test('it does not render the namespace input if version does not include feature', async function (assert) {
this.version.features = [];
await this.renderComponent();
assert.dom(GENERAL.inputByAttr('namespace')).doesNotExist();
});
// in th ent module to test ALL supported login methods
// iterating in tests should generally be avoided, but purposefully wanted to test the component
// renders as expected as auth types change
test('it selects each supported auth type and renders its form and relevant fields', async function (assert) {
const fieldCount = AUTH_METHOD_MAP.map((m) => Object.keys(m.options.loginData).length);
const sum = fieldCount.reduce((a, b) => a + b, 0);
const methodCount = AUTH_METHOD_MAP.length;
// 3 assertions per method, plus an assertion for each expected field
assert.expect(3 * methodCount + sum); // count at time of writing is 40
await this.renderComponent();
for (const method of AUTH_METHOD_MAP) {
const { authType, options } = method;
const fields = Object.keys(options.loginData);
await fillIn(GENERAL.selectByAttr('auth type'), authType);
assert.dom(GENERAL.selectByAttr('auth type')).hasValue(authType), `${authType}: it selects type`;
assert.dom(AUTH_FORM.authForm(authType)).exists(`${authType}: it renders form component`);
// token is the only method that does not support a custom mount path
if (authType !== 'token') {
// jwt and oidc render the same component so the toggle remains open switching between those types
const element = find(AUTH_FORM.advancedSettings);
if (element.ariaExpanded === 'false') {
await click(AUTH_FORM.advancedSettings);
}
}
const assertion = authType === 'token' ? 'doesNotExist' : 'exists';
assert.dom(GENERAL.inputByAttr('path'))[assertion](`${authType}: mount path input ${assertion}`);
fields.forEach((field) => {
assert.dom(GENERAL.inputByAttr(field)).exists(`${authType}: ${field} input renders`);
});
}
});
test('it disables namespace input when an oidc provider query param exists', async function (assert) {
this.oidcProviderQueryParam = 'myprovider';
await this.renderComponent();
assert.dom(GENERAL.inputByAttr('namespace')).isDisabled();
});
test('dropdown includes enterprise methods', async function (assert) {
const supported = ALL_LOGIN_METHODS.map((m) => m.type);
assert.expect(supported.length);
await this.renderComponent();
const dropdownOptions = findAll(`${GENERAL.selectByAttr('auth type')} option`).map((o) => o.value);
supported.forEach((m) => {
assert.true(dropdownOptions.includes(m), `dropdown includes supported method: ${m}`);
});
});
test('it sets namespace for hvd managed clusters', async function (assert) {
this.owner.lookup('service:flags').featureFlags = ['VAULT_CLOUD_ADMIN_NAMESPACE'];
this.namespaceQueryParam = 'admin/west-coast';
await this.renderComponent();
assert.dom(AUTH_FORM.managedNsRoot).hasValue('/admin');
assert.dom(AUTH_FORM.managedNsRoot).hasAttribute('readonly');
assert.dom(GENERAL.inputByAttr('namespace')).hasValue('/west-coast');
});
});
// AUTH METHOD SPECIFIC TESTS
// since the template yields each auth <form> some assertions are best done here instead of
// in the corresponding the Auth::Form::<Type> integration tests
module('oidc-jwt', function (hooks) {
hooks.beforeEach(async function () {
this.store = this.owner.lookup('service:store');
this.routerStub = (path) =>
sinon.stub(this.owner.lookup('service:router'), 'urlFor').returns(`/auth/${path}/oidc/callback`);
});
test('it re-requests the auth_url when authType changes', async function (assert) {
this.routerStub('oidc');
assert.expect(2); // auth_url should be hit twice, one for each type selection
let expectedType = 'oidc';
this.server.post(`/auth/:path/oidc/auth_url`, (_, req) => {
assert.strictEqual(
req.params.path,
expectedType,
`it makes request to auth_url for selected type: ${expectedType}`
);
return { data: { auth_url: '123-example.com' } };
});
await this.renderComponent();
// auth_url should be requested once when "oidc" is selected
await fillIn(GENERAL.selectByAttr('auth type'), 'oidc');
// auth_url should be requested again when "jwt" is selected
expectedType = 'jwt';
await fillIn(GENERAL.selectByAttr('auth type'), 'jwt');
});
// for simplicity the auth types are configured as their namesake but type isn't relevant.
// these tests assert that CONFIG changes from OIDC -> JWT render correctly and vice versa
// so the order the requests are hit is what matters.
test('"OIDC" to "JWT" configuration: it updates the form when the auth_url response changes', async function (assert) {
this.routerStub('oidc');
this.server.post(`/auth/oidc/oidc/auth_url`, () => ({ data: { auth_url: '123-example.com' } })); // this return means mount is configured as oidc
this.server.post(`/auth/jwt/oidc/auth_url`, () => overrideResponse(400, { errors: [ERROR_JWT_LOGIN] })); // this return means the mount is configured as jwt
await this.renderComponent();
// select mount configured for OIDC first
await fillIn(GENERAL.selectByAttr('auth type'), 'oidc');
assert.dom(GENERAL.inputByAttr('jwt')).doesNotExist();
// then select mount configured for JWT
await fillIn(GENERAL.selectByAttr('auth type'), 'jwt');
assert.dom(GENERAL.inputByAttr('jwt')).exists();
});
test('"JWT" to "OIDC" configuration: it updates the form when the auth_url response changes', async function (assert) {
this.routerStub('oidc');
this.server.post(`/auth/jwt/oidc/auth_url`, () => overrideResponse(400, { errors: [ERROR_JWT_LOGIN] })); // this return means the mount is configured as jwt
this.server.post(`/auth/oidc/oidc/auth_url`, () => ({ data: { auth_url: '123-example.com' } })); // this return means mount is configured as oidc
await this.renderComponent();
// select mount configured for JWT first
await fillIn(GENERAL.selectByAttr('auth type'), 'jwt');
assert.dom(GENERAL.inputByAttr('jwt')).exists();
// then select mount configured for OIDC
await fillIn(GENERAL.selectByAttr('auth type'), 'oidc');
assert.dom(GENERAL.inputByAttr('jwt')).doesNotExist();
});
test('it should retain role input value when mount path changes', async function (assert) {
assert.expect(2);
this.routerStub('foo-oidc');
const auth_url = 'http://dev-foo-bar.com';
this.server.post('/auth/:path/oidc/auth_url', (_, req) => {
const { role, redirect_uri } = JSON.parse(req.requestBody);
const goodRequest =
req.params.path === 'foo-oidc' &&
role === 'foo' &&
redirect_uri.includes('/auth/foo-oidc/oidc/callback');
if (goodRequest) {
return { data: { auth_url } };
} else {
return overrideResponse(400, { errors: [ERROR_JWT_LOGIN] });
}
});
window.open = (url) => {
assert.strictEqual(url, auth_url, 'auth_url is returned when required params are passed');
};
await this.renderComponent();
await fillIn(GENERAL.selectByAttr('auth type'), 'oidc');
await fillIn(GENERAL.inputByAttr('role'), 'foo');
await click(AUTH_FORM.advancedSettings);
await fillIn(GENERAL.inputByAttr('role'), 'foo');
await fillIn(GENERAL.inputByAttr('path'), 'foo-oidc');
assert.dom(GENERAL.inputByAttr('role')).hasValue('foo', 'role is retained when mount path is changed');
await click(AUTH_FORM.login);
});
});
});
Reference in New Issue View Git Blame Copy Permalink