Code coverage report for lib\authentication-parameters.js

Statements: 100% (79 / 79)      Branches: 100% (24 / 24)      Functions: 100% (9 / 9)      Lines: 100% (79 / 79)      Ignored: none     

All files » lib/ » authentication-parameters.js
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263                                              1   1 1 1 1         1                           1 8 8                   1   16                       1   16       1                                                                 1       24     24       24     24 15     9 9       26     9     1               1 24   24   9 9 1     8   8                     1 11 1     10 1     9 1       8 1     7 7 3     4     1 2 1                                       1 6 6 6 1 1   5 5 3   2 1     4 4   4 4 4 4 1 1 1   3 3 3   1 1 1   2     1 1       1
/*
 * @copyright
 * Copyright © Microsoft Open Technologies, Inc.
 *
 * All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http: *www.apache.org/licenses/LICENSE-2.0
 *
 * THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS
 * OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
 * ANY IMPLIED WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A
 * PARTICULAR PURPOSE, MERCHANTABILITY OR NON-INFRINGEMENT.
 *
 * See the Apache License, Version 2.0 for the specific language
 * governing permissions and limitations under the License.
 */
 
'use strict';
 
var request = require('request');
 
var argument = require('./argument');
var log = require('./log');
var util = require('./util');
var HttpErrorCode = require('./constants').HttpError;
 
/*
 * Constants
 */
var consts = {
  AUTHORIZATION_URI : 'authorization_uri',
  RESOURCE : 'resource',
  WWW_AUTHENTICATE_HEADER : 'www-authenticate'
};
 
/**
 * The AuthenticationParameters class holds the parameters that are parsed from an OAuth challenge
 * in the www-authenticate header.
 * @constructor
 * @param {string} authorizationUri The URI of an authority that can issues tokens for the
 *                                  resource that issued the challenge.
 * @param {string} resource         The resource for a which a token should be requested from the authority.
 */
function AuthenticationParameters(authorizationUri, resource) {
  this._authorizationUri = authorizationUri;
  this._resource = resource;
}
 
/**
 * The URI of an authority that can issues tokens for the resource that issued the challenge.
 * @instance
 * @memberOf AuthenticationParameters
 * @type {string}
 * @name authorizationUri
 */
Object.defineProperty(AuthenticationParameters.prototype, 'authorizationUri', {
  get : function() {
    return this._authorizationUri;
  }
});
 
/**
 * The resource for a which a token should be requested from the authority.
 * This property may be undefined if the resource was not returned in the challenge.
 * @instance
 * @memberOf AuthenticationParameters
 * @type {string}
 * @name authorizationUri
 */
Object.defineProperty(AuthenticationParameters.prototype, 'resource', {
  get : function() {
    return this._resource;
  }
});
 
var exports = {};
 
// The 401 challenge is a standard defined in RFC6750, which is based in part on RFC2617.
// The challenge has the following form.
// WWW-Authenticate : Bearer authorization_uri="https://login.windows.net/mytenant.com/oauth2/authorize",Resource_id="00000002-0000-0000-c000-000000000000"
 
// This regex is used to validate the structure of the challenge header.
// Match whole structure: ^\s*Bearer\s+([^,\s="]+?)="([^"]*?)"\s*(,\s*([^,\s="]+?)="([^"]*?)"\s*)*$
// ^                        Start at the beginning of the string.
// \s*Bearer\s+             Match 'Bearer' surrounded by one or more amount of whitespace.
// ([^,\s="]+?)             This cpatures the key which is composed of any characters except comma, whitespace or a quotes.
// =                        Match the = sign.
// "([^"]*?)"               Captures the value can be any number of non quote characters.  At this point only the first key value pair as been captured.
// \s*                      There can be any amount of white space after the first key value pair.
// (                        Start a capture group to retrieve the rest of the key value pairs that are separated by commas.
//    \s*                   There can be any amount of whitespace before the comma.
//    ,                     There must be a comma.
//    \s*                   There can be any amount of whitespace after the comma.
//    (([^,\s="]+?)         This will capture the key that comes after the comma.  It's made of a series of any character excpet comma, whitespace or quotes.
//    =                     Match the equal sign between the key and value.
//    "                     Match the opening quote of the value.
//    ([^"]*?)              This will capture the value which can be any number of non quote characters.
//    "                     Match the values closing quote.
//    \s*                   There can be any amount of whitespace before the next comma.
// )*                       Close the capture group for key value pairs.  There can be any number of these.
// $                      The rest of the string can be whitespace but nothing else up to the end of the string.
//
//
// In other some other languages the regex above would be all that was needed. However, in JavaScript the RegExp object does not
// return all of the captures in one go.  So the regex above needs to be broken up so that captures can be retrieved
// iteratively.
//
 
function parseChallenge(challenge) {
  // This regex checks the structure of the whole challenge header.  The complete
  // header needs to be checked for validity before we can be certain that
  // we will succeed in pulling out the individual parts.
  var bearerChallengeStructureValidation = /^\s*Bearer\s+([^,\s="]+?)="([^"]*?)"\s*(,\s*([^,\s="]+?)="([^"]*?)"\s*)*$/;
 
  // This regex pulls out the key and value from the very first pair.
  var firstKeyValuePairRegex = /^\s*Bearer\s+([^,\s="]+?)="([^"]*?)"\s*/;
 
  // This regex is used to pull out all of the key value pairs after the first one.
  // All of these begin with a comma.
  var allOtherKeyValuePairRegex = /(?:,\s*([^,\s="]+?)="([^"]*?)"\s*)/g;
 
 
  if (!bearerChallengeStructureValidation.test(challenge)) {
    throw new Error('The challenge is not parseable as an RFC6750 OAuth2 challenge');
  }
 
  var challengeParameters = {};
  for(var match = firstKeyValuePairRegex.exec(challenge);
      match;
      match = allOtherKeyValuePairRegex.exec(challenge)) {
 
    challengeParameters[match[1]] = match[2];
  }
 
  return challengeParameters;
}
 
exports.AuthenticationParameters = AuthenticationParameters;
 
/**
 * Creates an {@link AuthenticationParameters} object from the contents of a
 * www-authenticate header recieved from a HTTP 401 response from a resource server.
 * @param  {string} challenge The content fo the www-authenticate header.
 * @return {AuthenticationParameters}           An AuthenticationParameters object containing the parsed values from the header.
 */
exports.createAuthenticationParametersFromHeader = function(challenge) {
  argument.validateStringParameter(challenge, 'challenge');
 
  var challengeParameters = parseChallenge(challenge);
 
  var authorizationUri = challengeParameters[consts.AUTHORIZATION_URI];
  if (!authorizationUri) {
    throw new Error('Could not find \'authorization_uri\' in challenge header.');
  }
 
  var resource = challengeParameters[consts.RESOURCE];
 
  return new AuthenticationParameters(authorizationUri, resource);
};
 
/**
 * Create an {@link AuthenticationParameters} object from a node http.IncomingMessage
 * object that was created as a result of a request to a resource server.  This function
 * expects the response to contain a HTTP 401 error code with a www-authenticate
 * header.
 * @param  {http.IncomingMessage} response A response from a http request to a resource server.
 * @return {AuthenticationParameters}
 */
exports.createAuthenticationParametersFromResponse = function(response) {
  if (!response) {
    throw new Error('Mising required parameter: response');
  }
 
  if (!response.statusCode) {
    throw new Error('The response parameter does not have the expected HTTP statusCode field');
  }
 
  if (HttpErrorCode.UNAUTHORIZED !== response.statusCode) {
    throw new Error('The response status code does not correspond to an OAuth challenge.  ' +
      'The statusCode is expected to be 401 but is: ' + response.statusCode);
  }
 
  if (!response.headers) {
    throw new Error('There were no headers found in the response.');
  }
 
  var challenge = response.headers[consts.WWW_AUTHENTICATE_HEADER];
  if (!challenge) {
    throw new Error('The response does not contain a WWW-Authenticate header that can be used to determine the authority_uri and resource.');
  }
 
  return exports.createAuthenticationParametersFromHeader(challenge);
};
 
function validateUrlObject(url) {
  if (!url || !url.href) {
    throw new Error('Parameter is of wrong type: url');
  }
}
 
/**
 * This is the callback that is passed to all acquireToken variants below.
 * @callback CreateAuthenticationParametersCallback
 * @memberOf AuthenticationContext
 * @param {Error}  [error]           If the request fails this parameter will contain an Error object.
 * @param {AuthenticationParameters} [parameters]   On a succesful request returns a {@link AuthenticationParameters}.
 */
 
/**
 * Creates an {@link AuthenticationParameters} object by sending a get request
 * to the url passed to this function, and parsing the resulting http 401
 * response.
 * @param  {string|url}               url               The url of a resource server.
 * @param  {AuthenticationParameters} callback          Called on error or request completion.
 * @param  {string}                   [correlationId]   An optional correlationId to pass along with the request and to include in any logs.
 */
exports.createAuthenticationParametersFromUrl = function(url, callback, correlationId) {
  argument.validateCallbackType(callback);
  try {
    if (!url) {
      callback(new Error('Missing required parameter: url'));
      return;
    }
    var challengeUrl;
    if ('string' === typeof(url)) {
      challengeUrl = url;
    } else {
      validateUrlObject(url);
      challengeUrl = url.href;
    }
 
    var logContext = log.createLogContext(correlationId);
    var logger = new log.Logger('AuthenticationParameters', logContext);
 
    logger.verbose('Attempting to retrieve authentication parameters from: ' + challengeUrl);
    var options = util.createRequestOptions( { _callContext : { _logContext: logContext } } );
    request.get(challengeUrl, options, function(err, response) {
      if (err) {
        logger.error('Authentication parameters http get failed.', err);
        callback(err);
        return;
      }
      var parameters;
      try {
        parameters = exports.createAuthenticationParametersFromResponse(response);
      } catch(creationErr) {
        logger.error('Unable to parse response in to authentication paramaters.', creationErr);
        callback(creationErr);
        return;
      }
      callback(null, parameters);
    });
  } catch(err) {
    callback(err);
    return;
  }
};
 
module.exports = exports;