internal/authz/middleware_test.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

package authz

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"testing"

	"git.ofmax.li/go-git-server/internal/admin"
)

func junkTestHandler() http.HandlerFunc {
	return func(rw http.ResponseWriter, req *http.Request) {
		rw.WriteHeader(http.StatusOK)
		_, err := rw.Write([]byte("Im a body"))
		if err != nil {
			log.Fatalf("couldn't write http body %s", err)
		}
	}
}

func TestAuthentication(t *testing.T) {
	badToken, _, _ := GenerateNewToken()
	token, hash, _ := GenerateNewToken()
	accessID := AccessID("test123")
	okUserName := FriendlyName("tester")
	badUserName := FriendlyName("badb00")

	tm := NewSafeTokenMap()
	tm.Set(accessID, hash)

	im := NewIdentityMap()
	im.Register(accessID, okUserName)

	cases := []struct {
		description string
		username    string
		token       string
		tm          *SafeTokenMap
		im          *IdentityMap
		statusCode  int
		handler     http.HandlerFunc
	}{
		{
			username:    string(okUserName),
			token:       token,
			tm:          tm,
			im:          im,
			statusCode:  http.StatusOK,
			description: "Good Login",
			handler: func(rw http.ResponseWriter, req *http.Request) {
				ctx := req.Context()
				uid := ctx.Value(AuthzUrnKey)
				if uid != fmt.Sprintf("uid:%s", okUserName) {
					t.Fatal("Context UID not set")
				}
			},
		},
		{
			username:    string(badUserName),
			token:       token,
			tm:          tm,
			im:          im,
			statusCode:  http.StatusForbidden,
			description: "Bad username",
			handler:     junkTestHandler(),
		},
		{
			username:    string(okUserName),
			token:       badToken,
			tm:          tm,
			im:          im,
			statusCode:  http.StatusForbidden,
			description: "Bad token",
			handler:     junkTestHandler(),
		},
	}

	for _, tc := range cases {
		authHandler := Authentication(tc.tm, tc.im, tc.handler)
		req := httptest.NewRequest(http.MethodGet, "https://git.ofmax.li", nil)
		req.SetBasicAuth(tc.username, tc.token)
		recorder := httptest.NewRecorder()
		authHandler.ServeHTTP(recorder, req)
		result := recorder.Result()
		defer result.Body.Close()
		if result.StatusCode != tc.statusCode {
			t.Fatalf("Test Case %s failed Expected: %d Found: %d",
				tc.description, tc.statusCode, result.StatusCode)
		}
		t.Logf("Test Case: %s Expected: %d Found: %d",
			tc.description, tc.statusCode, result.StatusCode)
	}
}

func TestAuthorization(t *testing.T) {
	t.Log("Starting authorization tests")
	baseURL := "http://test"
	cases := []struct {
		url            string
		user           string
		expectedStatus int
		description    string
		body           []byte
	}{
		{
			url:            fmt.Sprintf("%s/%s", baseURL, "repo/url"),
			user:           "uid:jack",
			expectedStatus: 200,
			description:    "an authorized action should yield a 200",
			body:           []byte("Im a body"),
		},
		{
			url:            fmt.Sprintf("%s/%s", baseURL, "repo/url/bar"),
			user:           "uid:chumba",
			expectedStatus: 403,
			description:    "an unauthorized action should yield a 403",
			body:           []byte("Access denied\n"),
		},
		{
			url:            fmt.Sprintf("%s/%s", baseURL, "repo/url/bar"),
			user:           "anon",
			expectedStatus: http.StatusUnauthorized,
			description:    "an unauthorized action should yield a 403",
			body:           []byte("Authentication Required\n"),
		},
	}
	svcr, _ := admin.NewService(
		"../../auth_model.ini",
		"../../tests/testpolicy.csv",
		"../../gitserver.yaml",
		"../../repos",
		false)
	for _, tc := range cases {
		t.Logf("test case: %s", tc.description)
		authHandler := Authorization(svcr, junkTestHandler())
		recorder := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, tc.url, nil)
		ctx := req.Context()
		ctx = context.WithValue(ctx, AuthzUrnKey, tc.user)
		req = req.WithContext(ctx)
		authHandler.ServeHTTP(recorder, req)
		result := recorder.Result()
		defer result.Body.Close()
		body, err := io.ReadAll(result.Body)
		if err != nil {
			t.Fatal("couldn't read response body")
		}

		if result.StatusCode != tc.expectedStatus {
			t.Fatalf("Test Case %s failed Expected: %d Found: %d", tc.description, tc.expectedStatus, result.StatusCode)
		}
		if !bytes.Equal(body, tc.body) {
			t.Fatalf("Test Case %s failed Expected: %d Found: %d", tc.description, tc.body, body)
		}
	}
}