123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910 |
- // Copyright 2015 The etcd Authors
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- package v2http
- import (
- "crypto/tls"
- "crypto/x509"
- "encoding/json"
- "encoding/pem"
- "errors"
- "fmt"
- "io/ioutil"
- "net/http"
- "net/http/httptest"
- "net/url"
- "path"
- "sort"
- "strings"
- "testing"
- "github.com/coreos/etcd/etcdserver/api"
- "github.com/coreos/etcd/etcdserver/auth"
- )
- const goodPassword = "good"
- func mustJSONRequest(t *testing.T, method string, p string, body string) *http.Request {
- req, err := http.NewRequest(method, path.Join(authPrefix, p), strings.NewReader(body))
- if err != nil {
- t.Fatalf("Error making JSON request: %s %s %s\n", method, p, body)
- }
- req.Header.Set("Content-Type", "application/json")
- return req
- }
- type mockAuthStore struct {
- users map[string]*auth.User
- roles map[string]*auth.Role
- err error
- enabled bool
- }
- func (s *mockAuthStore) AllUsers() ([]string, error) {
- var us []string
- for u := range s.users {
- us = append(us, u)
- }
- sort.Strings(us)
- return us, s.err
- }
- func (s *mockAuthStore) GetUser(name string) (auth.User, error) {
- u, ok := s.users[name]
- if !ok {
- return auth.User{}, s.err
- }
- return *u, s.err
- }
- func (s *mockAuthStore) CreateOrUpdateUser(user auth.User) (out auth.User, created bool, err error) {
- if s.users == nil {
- out, err = s.CreateUser(user)
- return out, true, err
- }
- out, err = s.UpdateUser(user)
- return out, false, err
- }
- func (s *mockAuthStore) CreateUser(user auth.User) (auth.User, error) { return user, s.err }
- func (s *mockAuthStore) DeleteUser(name string) error { return s.err }
- func (s *mockAuthStore) UpdateUser(user auth.User) (auth.User, error) {
- return *s.users[user.User], s.err
- }
- func (s *mockAuthStore) AllRoles() ([]string, error) {
- return []string{"awesome", "guest", "root"}, s.err
- }
- func (s *mockAuthStore) GetRole(name string) (auth.Role, error) {
- r, ok := s.roles[name]
- if ok {
- return *r, s.err
- }
- return auth.Role{}, fmt.Errorf("%q does not exist (%v)", name, s.err)
- }
- func (s *mockAuthStore) CreateRole(role auth.Role) error { return s.err }
- func (s *mockAuthStore) DeleteRole(name string) error { return s.err }
- func (s *mockAuthStore) UpdateRole(role auth.Role) (auth.Role, error) {
- return *s.roles[role.Role], s.err
- }
- func (s *mockAuthStore) AuthEnabled() bool { return s.enabled }
- func (s *mockAuthStore) EnableAuth() error { return s.err }
- func (s *mockAuthStore) DisableAuth() error { return s.err }
- func (s *mockAuthStore) CheckPassword(user auth.User, password string) bool {
- return user.Password == password
- }
- func (s *mockAuthStore) HashPassword(password string) (string, error) {
- return password, nil
- }
- func TestAuthFlow(t *testing.T) {
- api.EnableCapability(api.AuthCapability)
- var testCases = []struct {
- req *http.Request
- store mockAuthStore
- wcode int
- wbody string
- }{
- {
- req: mustJSONRequest(t, "PUT", "users/alice", `{{{{{{{`),
- store: mockAuthStore{},
- wcode: http.StatusBadRequest,
- wbody: `{"message":"Invalid JSON in request body."}`,
- },
- {
- req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "password": "goodpassword"}`),
- store: mockAuthStore{enabled: true},
- wcode: http.StatusUnauthorized,
- wbody: `{"message":"Insufficient credentials"}`,
- },
- // Users
- {
- req: mustJSONRequest(t, "GET", "users", ""),
- store: mockAuthStore{
- users: map[string]*auth.User{
- "alice": {
- User: "alice",
- Roles: []string{"alicerole", "guest"},
- Password: "wheeee",
- },
- "bob": {
- User: "bob",
- Roles: []string{"guest"},
- Password: "wheeee",
- },
- "root": {
- User: "root",
- Roles: []string{"root"},
- Password: "wheeee",
- },
- },
- roles: map[string]*auth.Role{
- "alicerole": {
- Role: "alicerole",
- },
- "guest": {
- Role: "guest",
- },
- "root": {
- Role: "root",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: `{"users":[` +
- `{"user":"alice","roles":[` +
- `{"role":"alicerole","permissions":{"kv":{"read":null,"write":null}}},` +
- `{"role":"guest","permissions":{"kv":{"read":null,"write":null}}}` +
- `]},` +
- `{"user":"bob","roles":[{"role":"guest","permissions":{"kv":{"read":null,"write":null}}}]},` +
- `{"user":"root","roles":[{"role":"root","permissions":{"kv":{"read":null,"write":null}}}]}]}`,
- },
- {
- req: mustJSONRequest(t, "GET", "users/alice", ""),
- store: mockAuthStore{
- users: map[string]*auth.User{
- "alice": {
- User: "alice",
- Roles: []string{"alicerole"},
- Password: "wheeee",
- },
- },
- roles: map[string]*auth.Role{
- "alicerole": {
- Role: "alicerole",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: `{"user":"alice","roles":[{"role":"alicerole","permissions":{"kv":{"read":null,"write":null}}}]}`,
- },
- {
- req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "password": "goodpassword"}`),
- store: mockAuthStore{},
- wcode: http.StatusCreated,
- wbody: `{"user":"alice","roles":null}`,
- },
- {
- req: mustJSONRequest(t, "DELETE", "users/alice", ``),
- store: mockAuthStore{},
- wcode: http.StatusOK,
- wbody: ``,
- },
- {
- req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "password": "goodpassword"}`),
- store: mockAuthStore{
- users: map[string]*auth.User{
- "alice": {
- User: "alice",
- Roles: []string{"alicerole", "guest"},
- Password: "wheeee",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: `{"user":"alice","roles":["alicerole","guest"]}`,
- },
- {
- req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "grant": ["alicerole"]}`),
- store: mockAuthStore{
- users: map[string]*auth.User{
- "alice": {
- User: "alice",
- Roles: []string{"alicerole", "guest"},
- Password: "wheeee",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: `{"user":"alice","roles":["alicerole","guest"]}`,
- },
- {
- req: mustJSONRequest(t, "GET", "users/alice", ``),
- store: mockAuthStore{
- users: map[string]*auth.User{},
- err: auth.Error{Status: http.StatusNotFound, Errmsg: "auth: User alice doesn't exist."},
- },
- wcode: http.StatusNotFound,
- wbody: `{"message":"auth: User alice doesn't exist."}`,
- },
- {
- req: mustJSONRequest(t, "GET", "roles/manager", ""),
- store: mockAuthStore{
- roles: map[string]*auth.Role{
- "manager": {
- Role: "manager",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: `{"role":"manager","permissions":{"kv":{"read":null,"write":null}}}`,
- },
- {
- req: mustJSONRequest(t, "DELETE", "roles/manager", ``),
- store: mockAuthStore{},
- wcode: http.StatusOK,
- wbody: ``,
- },
- {
- req: mustJSONRequest(t, "PUT", "roles/manager", `{"role":"manager","permissions":{"kv":{"read":[],"write":[]}}}`),
- store: mockAuthStore{},
- wcode: http.StatusCreated,
- wbody: `{"role":"manager","permissions":{"kv":{"read":[],"write":[]}}}`,
- },
- {
- req: mustJSONRequest(t, "PUT", "roles/manager", `{"role":"manager","revoke":{"kv":{"read":["foo"],"write":[]}}}`),
- store: mockAuthStore{
- roles: map[string]*auth.Role{
- "manager": {
- Role: "manager",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: `{"role":"manager","permissions":{"kv":{"read":null,"write":null}}}`,
- },
- {
- req: mustJSONRequest(t, "GET", "roles", ""),
- store: mockAuthStore{
- roles: map[string]*auth.Role{
- "awesome": {
- Role: "awesome",
- },
- "guest": {
- Role: "guest",
- },
- "root": {
- Role: "root",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: `{"roles":[{"role":"awesome","permissions":{"kv":{"read":null,"write":null}}},` +
- `{"role":"guest","permissions":{"kv":{"read":null,"write":null}}},` +
- `{"role":"root","permissions":{"kv":{"read":null,"write":null}}}]}`,
- },
- {
- req: mustJSONRequest(t, "GET", "enable", ""),
- store: mockAuthStore{
- enabled: true,
- },
- wcode: http.StatusOK,
- wbody: `{"enabled":true}`,
- },
- {
- req: mustJSONRequest(t, "PUT", "enable", ""),
- store: mockAuthStore{
- enabled: false,
- },
- wcode: http.StatusOK,
- wbody: ``,
- },
- {
- req: (func() *http.Request {
- req := mustJSONRequest(t, "DELETE", "enable", "")
- req.SetBasicAuth("root", "good")
- return req
- })(),
- store: mockAuthStore{
- enabled: true,
- users: map[string]*auth.User{
- "root": {
- User: "root",
- Password: goodPassword,
- Roles: []string{"root"},
- },
- },
- roles: map[string]*auth.Role{
- "root": {
- Role: "root",
- },
- },
- },
- wcode: http.StatusOK,
- wbody: ``,
- },
- {
- req: (func() *http.Request {
- req := mustJSONRequest(t, "DELETE", "enable", "")
- req.SetBasicAuth("root", "bad")
- return req
- })(),
- store: mockAuthStore{
- enabled: true,
- users: map[string]*auth.User{
- "root": {
- User: "root",
- Password: goodPassword,
- Roles: []string{"root"},
- },
- },
- roles: map[string]*auth.Role{
- "root": {
- Role: "guest",
- },
- },
- },
- wcode: http.StatusUnauthorized,
- wbody: `{"message":"Insufficient credentials"}`,
- },
- }
- for i, tt := range testCases {
- mux := http.NewServeMux()
- h := &authHandler{
- sec: &tt.store,
- cluster: &fakeCluster{id: 1},
- }
- handleAuth(mux, h)
- rw := httptest.NewRecorder()
- mux.ServeHTTP(rw, tt.req)
- if rw.Code != tt.wcode {
- t.Errorf("#%d: got code=%d, want %d", i, rw.Code, tt.wcode)
- }
- g := rw.Body.String()
- g = strings.TrimSpace(g)
- if g != tt.wbody {
- t.Errorf("#%d: got body=%s, want %s", i, g, tt.wbody)
- }
- }
- }
- func TestGetUserGrantedWithNonexistingRole(t *testing.T) {
- sh := &authHandler{
- sec: &mockAuthStore{
- users: map[string]*auth.User{
- "root": {
- User: "root",
- Roles: []string{"root", "foo"},
- },
- },
- roles: map[string]*auth.Role{
- "root": {
- Role: "root",
- },
- },
- },
- cluster: &fakeCluster{id: 1},
- }
- srv := httptest.NewServer(http.HandlerFunc(sh.baseUsers))
- defer srv.Close()
- req, err := http.NewRequest("GET", "", nil)
- if err != nil {
- t.Fatal(err)
- }
- req.URL, err = url.Parse(srv.URL)
- if err != nil {
- t.Fatal(err)
- }
- req.Header.Set("Content-Type", "application/json")
- cli := http.DefaultClient
- resp, err := cli.Do(req)
- if err != nil {
- t.Fatal(err)
- }
- defer resp.Body.Close()
- var uc usersCollections
- if err := json.NewDecoder(resp.Body).Decode(&uc); err != nil {
- t.Fatal(err)
- }
- if len(uc.Users) != 1 {
- t.Fatalf("expected 1 user, got %+v", uc.Users)
- }
- if uc.Users[0].User != "root" {
- t.Fatalf("expected 'root', got %q", uc.Users[0].User)
- }
- if len(uc.Users[0].Roles) != 1 {
- t.Fatalf("expected 1 role, got %+v", uc.Users[0].Roles)
- }
- if uc.Users[0].Roles[0].Role != "root" {
- t.Fatalf("expected 'root', got %q", uc.Users[0].Roles[0].Role)
- }
- }
- func mustAuthRequest(method, username, password string) *http.Request {
- req, err := http.NewRequest(method, "path", strings.NewReader(""))
- if err != nil {
- panic("Cannot make auth request: " + err.Error())
- }
- req.SetBasicAuth(username, password)
- return req
- }
- func unauthedRequest(method string) *http.Request {
- req, err := http.NewRequest(method, "path", strings.NewReader(""))
- if err != nil {
- panic("Cannot make request: " + err.Error())
- }
- return req
- }
- func tlsAuthedRequest(req *http.Request, certname string) *http.Request {
- bytes, err := ioutil.ReadFile(fmt.Sprintf("testdata/%s.pem", certname))
- if err != nil {
- panic(err)
- }
- block, _ := pem.Decode(bytes)
- cert, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- panic(err)
- }
- req.TLS = &tls.ConnectionState{
- VerifiedChains: [][]*x509.Certificate{{cert}},
- }
- return req
- }
- func TestPrefixAccess(t *testing.T) {
- var table = []struct {
- key string
- req *http.Request
- store *mockAuthStore
- hasRoot bool
- hasKeyPrefixAccess bool
- hasRecursiveAccess bool
- }{
- {
- key: "/foo",
- req: mustAuthRequest("GET", "root", "good"),
- store: &mockAuthStore{
- users: map[string]*auth.User{
- "root": {
- User: "root",
- Password: goodPassword,
- Roles: []string{"root"},
- },
- },
- roles: map[string]*auth.Role{
- "root": {
- Role: "root",
- },
- },
- enabled: true,
- },
- hasRoot: true,
- hasKeyPrefixAccess: true,
- hasRecursiveAccess: true,
- },
- {
- key: "/foo",
- req: mustAuthRequest("GET", "user", "good"),
- store: &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Password: goodPassword,
- Roles: []string{"foorole"},
- },
- },
- roles: map[string]*auth.Role{
- "foorole": {
- Role: "foorole",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo"},
- Write: []string{"/foo"},
- },
- },
- },
- },
- enabled: true,
- },
- hasRoot: false,
- hasKeyPrefixAccess: true,
- hasRecursiveAccess: false,
- },
- {
- key: "/foo",
- req: mustAuthRequest("GET", "user", "good"),
- store: &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Password: goodPassword,
- Roles: []string{"foorole"},
- },
- },
- roles: map[string]*auth.Role{
- "foorole": {
- Role: "foorole",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo*"},
- Write: []string{"/foo*"},
- },
- },
- },
- },
- enabled: true,
- },
- hasRoot: false,
- hasKeyPrefixAccess: true,
- hasRecursiveAccess: true,
- },
- {
- key: "/foo",
- req: mustAuthRequest("GET", "user", "bad"),
- store: &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Password: goodPassword,
- Roles: []string{"foorole"},
- },
- },
- roles: map[string]*auth.Role{
- "foorole": {
- Role: "foorole",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo*"},
- Write: []string{"/foo*"},
- },
- },
- },
- },
- enabled: true,
- },
- hasRoot: false,
- hasKeyPrefixAccess: false,
- hasRecursiveAccess: false,
- },
- {
- key: "/foo",
- req: mustAuthRequest("GET", "user", "good"),
- store: &mockAuthStore{
- users: map[string]*auth.User{},
- err: errors.New("Not the user"),
- enabled: true,
- },
- hasRoot: false,
- hasKeyPrefixAccess: false,
- hasRecursiveAccess: false,
- },
- {
- key: "/foo",
- req: mustJSONRequest(t, "GET", "somepath", ""),
- store: &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Password: goodPassword,
- Roles: []string{"foorole"},
- },
- },
- roles: map[string]*auth.Role{
- "guest": {
- Role: "guest",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo*"},
- Write: []string{"/foo*"},
- },
- },
- },
- },
- enabled: true,
- },
- hasRoot: false,
- hasKeyPrefixAccess: true,
- hasRecursiveAccess: true,
- },
- {
- key: "/bar",
- req: mustJSONRequest(t, "GET", "somepath", ""),
- store: &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Password: goodPassword,
- Roles: []string{"foorole"},
- },
- },
- roles: map[string]*auth.Role{
- "guest": {
- Role: "guest",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo*"},
- Write: []string{"/foo*"},
- },
- },
- },
- },
- enabled: true,
- },
- hasRoot: false,
- hasKeyPrefixAccess: false,
- hasRecursiveAccess: false,
- },
- // check access for multiple roles
- {
- key: "/foo",
- req: mustAuthRequest("GET", "user", "good"),
- store: &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Password: goodPassword,
- Roles: []string{"role1", "role2"},
- },
- },
- roles: map[string]*auth.Role{
- "role1": {
- Role: "role1",
- },
- "role2": {
- Role: "role2",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo"},
- Write: []string{"/foo"},
- },
- },
- },
- },
- enabled: true,
- },
- hasRoot: false,
- hasKeyPrefixAccess: true,
- hasRecursiveAccess: false,
- },
- {
- key: "/foo",
- req: (func() *http.Request {
- req := mustJSONRequest(t, "GET", "somepath", "")
- req.Header.Set("Authorization", "malformedencoding")
- return req
- })(),
- store: &mockAuthStore{
- enabled: true,
- users: map[string]*auth.User{
- "root": {
- User: "root",
- Password: goodPassword,
- Roles: []string{"root"},
- },
- },
- roles: map[string]*auth.Role{
- "guest": {
- Role: "guest",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo*"},
- Write: []string{"/foo*"},
- },
- },
- },
- },
- },
- hasRoot: false,
- hasKeyPrefixAccess: false,
- hasRecursiveAccess: false,
- },
- { // guest access in non-TLS mode
- key: "/foo",
- req: (func() *http.Request {
- return mustJSONRequest(t, "GET", "somepath", "")
- })(),
- store: &mockAuthStore{
- enabled: true,
- users: map[string]*auth.User{
- "root": {
- User: "root",
- Password: goodPassword,
- Roles: []string{"root"},
- },
- },
- roles: map[string]*auth.Role{
- "guest": {
- Role: "guest",
- Permissions: auth.Permissions{
- KV: auth.RWPermission{
- Read: []string{"/foo*"},
- Write: []string{"/foo*"},
- },
- },
- },
- },
- },
- hasRoot: false,
- hasKeyPrefixAccess: true,
- hasRecursiveAccess: true,
- },
- }
- for i, tt := range table {
- if tt.hasRoot != hasRootAccess(tt.store, tt.req, true) {
- t.Errorf("#%d: hasRoot doesn't match (expected %v)", i, tt.hasRoot)
- }
- if tt.hasKeyPrefixAccess != hasKeyPrefixAccess(tt.store, tt.req, tt.key, false, true) {
- t.Errorf("#%d: hasKeyPrefixAccess doesn't match (expected %v)", i, tt.hasRoot)
- }
- if tt.hasRecursiveAccess != hasKeyPrefixAccess(tt.store, tt.req, tt.key, true, true) {
- t.Errorf("#%d: hasRecursiveAccess doesn't match (expected %v)", i, tt.hasRoot)
- }
- }
- }
- func TestUserFromClientCertificate(t *testing.T) {
- witherror := &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Roles: []string{"root"},
- Password: "password",
- },
- "basicauth": {
- User: "basicauth",
- Roles: []string{"root"},
- Password: "password",
- },
- },
- roles: map[string]*auth.Role{
- "root": {
- Role: "root",
- },
- },
- err: errors.New(""),
- }
- noerror := &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Roles: []string{"root"},
- Password: "password",
- },
- "basicauth": {
- User: "basicauth",
- Roles: []string{"root"},
- Password: "password",
- },
- },
- roles: map[string]*auth.Role{
- "root": {
- Role: "root",
- },
- },
- }
- var table = []struct {
- req *http.Request
- userExists bool
- store auth.Store
- username string
- }{
- {
- // non tls request
- req: unauthedRequest("GET"),
- userExists: false,
- store: witherror,
- },
- {
- // cert with cn of existing user
- req: tlsAuthedRequest(unauthedRequest("GET"), "user"),
- userExists: true,
- username: "user",
- store: noerror,
- },
- {
- // cert with cn of non-existing user
- req: tlsAuthedRequest(unauthedRequest("GET"), "otheruser"),
- userExists: false,
- store: witherror,
- },
- }
- for i, tt := range table {
- user := userFromClientCertificate(tt.store, tt.req)
- userExists := user != nil
- if tt.userExists != userExists {
- t.Errorf("#%d: userFromClientCertificate doesn't match (expected %v)", i, tt.userExists)
- }
- if user != nil && (tt.username != user.User) {
- t.Errorf("#%d: userFromClientCertificate username doesn't match (expected %s, got %s)", i, tt.username, user.User)
- }
- }
- }
- func TestUserFromBasicAuth(t *testing.T) {
- sec := &mockAuthStore{
- users: map[string]*auth.User{
- "user": {
- User: "user",
- Roles: []string{"root"},
- Password: "password",
- },
- },
- roles: map[string]*auth.Role{
- "root": {
- Role: "root",
- },
- },
- }
- var table = []struct {
- username string
- req *http.Request
- userExists bool
- }{
- {
- // valid user, valid pass
- username: "user",
- req: mustAuthRequest("GET", "user", "password"),
- userExists: true,
- },
- {
- // valid user, bad pass
- username: "user",
- req: mustAuthRequest("GET", "user", "badpass"),
- userExists: false,
- },
- {
- // valid user, no pass
- username: "user",
- req: mustAuthRequest("GET", "user", ""),
- userExists: false,
- },
- {
- // missing user
- username: "missing",
- req: mustAuthRequest("GET", "missing", "badpass"),
- userExists: false,
- },
- {
- // no basic auth
- req: unauthedRequest("GET"),
- userExists: false,
- },
- }
- for i, tt := range table {
- user := userFromBasicAuth(sec, tt.req)
- userExists := user != nil
- if tt.userExists != userExists {
- t.Errorf("#%d: userFromBasicAuth doesn't match (expected %v)", i, tt.userExists)
- }
- if user != nil && (tt.username != user.User) {
- t.Errorf("#%d: userFromBasicAuth username doesn't match (expected %s, got %s)", i, tt.username, user.User)
- }
- }
- }
|