Merge pull request #26 from screwdriver-cd/security

fix(858): Enable auth for artifact reads
screwdriver-cd · Jan 31, 2018 · 03a6a72 · 03a6a72
2 parents 803f9cd + 1dfac62
commit 03a6a72
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/plugins/builds.js b/plugins/builds.js
@@ -31,6 +31,15 @@ exports.register = (server, options, next) => {
             description: 'Read build artifacts',
             notes: 'Get an artifact from a specific build',
             tags: ['api', 'builds'],
+            auth: {
+                strategies: ['token'],
+                scope: ['user']
+            },
+            plugins: {
+                'hapi-swagger': {
+                    security: [{ token: [] }]
+                }
+            },
             handler: (request, reply) => {
                 const buildId = request.params.id;
                 const artifact = request.params.artifact;

diff --git a/test/plugins/builds.test.js b/test/plugins/builds.test.js
@@ -71,6 +71,13 @@ describe('builds plugin test', () => {
     describe('GET /builds/:id/:artifact', () => {
         it('returns 404 if not found', () => (
             server.inject({
+                headers: {
+                    'x-foo': 'bar'
+                },
+                credentials: {
+                    username: mockBuildID,
+                    scope: ['user']
+                },
                 url: `/builds/${mockBuildID}/foo`
             }).then((reply) => {
                 assert.equal(reply.statusCode, 404);
@@ -109,6 +116,13 @@ describe('builds plugin test', () => {
 
             it('returns 500 if caching fails', () => (
                 badServer.inject({
+                    headers: {
+                        'x-foo': 'bar'
+                    },
+                    credentials: {
+                        username: mockBuildID,
+                        scope: ['user']
+                    },
                     url: `/builds/${mockBuildID}/foo`
                 }).then((reply) => {
                     assert.equal(reply.statusCode, 500);
@@ -162,7 +176,14 @@ describe('builds plugin test', () => {
                 assert.equal(reply.statusCode, 202);
 
                 return server.inject({
-                    url: `/builds/${mockBuildID}/foo`
+                    url: `/builds/${mockBuildID}/foo`,
+                    headers: {
+                        'x-foo': 'bar'
+                    },
+                    credentials: {
+                        username: mockBuildID,
+                        scope: ['user']
+                    }
                 }).then((reply2) => {
                     assert.equal(reply2.statusCode, 200);
                     assert.equal(reply2.headers['x-foo'], 'bar');