feat(setup security): started implementing automated testing for setu…

…p functions
quadratic-funding · Mar 29, 2023 · e604a02 · e604a02
1 parent 8617fd5
commit e604a02
Showing 1 changed file with 43 additions and 5 deletions.
diff --git a/packages/actions/test/unit/security.test.ts b/packages/actions/test/unit/security.test.ts
@@ -46,7 +46,7 @@ import { TestingEnvironment } from "../../src/types/enums"
 import { getCircuitsCollectionPath, getDocumentById, queryCollection } from "../../src/helpers/database"
 import { simulateOnVerification } from "../utils/authentication"
 import { generateFakeCircuit } from "../data/generators"
-import { createS3Bucket, openMultiPartUpload } from "../../src/helpers/functions"
+import { createS3Bucket, openMultiPartUpload, setupCeremony } from "../../src/helpers/functions"
 
 chai.use(chaiAsPromised)
 
@@ -153,7 +153,7 @@ describe("Security", () => {
         })
     })
 
-    describe("GeneratePreSignedURL", () => {
+    describe.skip("GeneratePreSignedURL", () => {
         // we need one ceremony
         beforeAll(async () => {
             await createMockCeremony(
@@ -205,7 +205,7 @@ describe("Security", () => {
         })
     })
 
-    describe("Security rules", () => {
+    describe.skip("Security rules", () => {
         /// @note security rules provided with this project prevent access to other users data
         it("should allow a user to retrieve their own data from the firestore db", async () => {
             // login as user1
@@ -275,7 +275,7 @@ describe("Security", () => {
         // any uploaded file will be either overwritten
         // by the next valid contribution or deleted
         // by the verify ceremony cloud function
-        describe("Multipart upload", () => {
+        describe.skip("Multipart upload", () => {
             const participant = fakeParticipantsData.fakeParticipantCurrentContributorUploading
             const ceremonyNotContributor = fakeCeremoniesData.fakeCeremonyOpenedFixed
             const ceremonyContributor = fakeCeremoniesData.fakeCeremonyOpenedDynamic
@@ -381,12 +381,50 @@ describe("Security", () => {
         })
     }
 
+    // Tests related to ceremony setup security
+    // @note 1. we want only users with coordinator privileges to be able to create a ceremony
+    // @note
+    describe("Setup", () => {
+        /// @note prove that a non authenticated user cannot create a ceremony
+        it("should not be possible to call privileged functions related to setup when not authenticated", async () => {
+            // sign out to ensure we are not logged in as any user
+            await signOut(userAuth)
+            // which functions are related to setup?
+            // 1. setupCeremony
+            await expect(
+                setupCeremony(userFunctions, fakeCeremoniesData.fakeCeremonyOpenedDynamic.data, "prefix", [
+                    fakeCircuitsData.fakeCircuitSmallNoContributors.data
+                ])
+            ).to.be.rejectedWith("You do not have privileges to perform this operation.")
+            // 2. createS3Bucket
+            await expect(createS3Bucket(userFunctions, "prefix")).to.be.rejectedWith(
+                "You do not have privileges to perform this operation."
+            )
+        })
+        /// @note prove that a non coordinator user cannot create a ceremony
+        it("should not be possible to call privileged functions related to setup when authenticated as a user without coordinator privileges", async () => {
+            // login as non coordinator
+            await signInWithEmailAndPassword(userAuth, users[0].data.email, passwords[0])
+            const currentUser = getCurrentFirebaseAuthUser(userApp)
+            expect(await isCoordinator(currentUser)).to.be.false
+            await expect(
+                setupCeremony(userFunctions, fakeCeremoniesData.fakeCeremonyOpenedDynamic.data, "prefix", [
+                    fakeCircuitsData.fakeCircuitSmallNoContributors.data
+                ])
+            ).to.be.rejectedWith("You do not have privileges to perform this operation.")
+            // 2. createS3Bucket
+            await expect(createS3Bucket(userFunctions, "prefix")).to.be.rejectedWith(
+                "You do not have privileges to perform this operation."
+            )
+        })
+    })
+
     // Tests related to authentication security
     // @note It is recommended to run these tests
     // on their own, as they take a long time
     // and result in the authentication service being locked
     // which wil affect other test cases
-    describe("Authentication", () => {
+    describe.skip("Authentication", () => {
         const clientType = "oauth-app"
         const tokenType = "oauth"