feat(3266): add authn for banner list and get endpoints

features/banner.feature

@@ -19,7 +19,7 @@ Feature: Banner
 
     Scenario: Banner with global scope
         When they create new banner with message "Hello World" and "GLOBAL" scope
-        Then they can see that the banner is created with "GLOBAL" scope
+        Then they "can" see that the banner is created with "GLOBAL" scope
         And banner is "updated" when they update the banner with "message" "Some Random Message"
         And banner is "not updated" when they update the banner with "scopeId" "1234"
         And banner is "not updated" when they update the banner with "scope" "PIPELINE"
@@ -29,8 +29,15 @@ Feature: Banner
         Given an existing pipeline
         And there is no banner associated to that pipeline
         When they create new banner with message "Hello World" and "PIPELINE" scope
-        Then they can see that the banner is created with "PIPELINE" scope
+        Then they "can" see that the banner is created with "PIPELINE" scope
         And they can get the banner associated to that pipeline
         And banner is "updated" when they update the banner with "isActive" "false"
         And banner is "not updated" when they update the banner with "scope" "GLOBAL"
-        Then banner is deleted    
+        Then banner is deleted
+
+    Scenario: User without authorization should not see the banner
+        When they create new banner with message "Hello World" and "GLOBAL" scope
+        Then they "can" see that the banner is created with "GLOBAL" scope
+        And "calvin" has expired token
+        Then they "cannot" see that the banner is created with "GLOBAL" scope
+        And they cannot see any banner

features/step_definitions/banner.js

@@ -52,25 +52,36 @@ When(
 );
 
 Then(
-    /^they can see that the banner is created with "(GLOBAL|PIPELINE)" scope$/,
+    /^they "(can|cannot)" see that the banner is created with "(GLOBAL|PIPELINE)" scope$/,
     { timeout: TIMEOUT },
-    function step(scope) {
+    function step(ok, scope) {
         return request({
             url: `${this.instance}/${this.namespace}/banners/${this.bannerId}`,
             method: 'GET',
             context: {
                 token: this.jwt
             }
-        }).then(resp => {
-            Assert.equal(resp.statusCode, 200);
-            if (scope === 'PIPELINE') {
-                Assert.equal(resp.body.scope, scope.toUpperCase());
-                Assert.equal(resp.body.scopeId, this.pipelineId);
+        })
+            .then(resp => {
+                if (ok === 'can') {
+                    Assert.equal(resp.statusCode, 200);
+                    if (scope === 'PIPELINE') {
+                        Assert.equal(resp.body.scope, scope.toUpperCase());
+                        Assert.equal(resp.body.scopeId, this.pipelineId);
 
-                return;
-            }
-            Assert.equal(resp.body.scope, 'GLOBAL');
-        });
+                        return;
+                    }
+                    Assert.equal(resp.body.scope, 'GLOBAL');
+                } else {
+                    throw new Error('User should not be able to see the banner');
+                }
+            })
+            .catch(err => {
+                if (ok === 'can') {
+                    throw new Error('User should be able to see the banner');
+                }
+                Assert.equal(err.statusCode, 401);
+            });
     }
 );
 
@@ -148,3 +159,23 @@ Then(/^they can get the banner associated to that pipeline$/, { timeout: TIMEOUT
         Assert.equal(resp.body[0].scopeId, this.pipelineId);
     });
 });
+
+Then(/^"([^"]*)" has expired token$/, { timeout: TIMEOUT }, function step() {
+    this.jwt = null;
+});
+
+Then(/^they cannot see any banner$/, { timeout: TIMEOUT }, function step() {
+    return request({
+        url: `${this.instance}/${this.namespace}/banners`,
+        method: 'GET',
+        context: {
+            token: this.jwt
+        }
+    })
+        .then(() => {
+            throw new Error('User should not be able to see any banners');
+        })
+        .catch(err => {
+            Assert.equal(err.statusCode, 401);
+        });
+});

plugins/banners/get.js

@@ -13,6 +13,10 @@ module.exports = () => ({
         description: 'Get a single banner',
         notes: 'Return a banner record',
         tags: ['api', 'banners'],
+        auth: {
+            strategies: ['token'],
+            scope: ['user']
+        },
         plugins: {
             'hapi-rate-limit': {
                 enabled: false

plugins/banners/list.js

@@ -10,6 +10,10 @@ module.exports = () => ({
         description: 'Get banners',
         notes: 'Returns all banner records',
         tags: ['api', 'banners'],
+        auth: {
+            strategies: ['token'],
+            scope: ['user']
+        },
         plugins: {
             'hapi-rate-limit': {
                 enabled: false