mirror of
https://github.com/etcd-io/etcd.git
synced 2024-09-27 06:25:44 +00:00
911 lines
22 KiB
Go
911 lines
22 KiB
Go
// Copyright 2015 The etcd Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package v2http
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"path"
|
|
"sort"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/coreos/etcd/etcdserver/api"
|
|
"github.com/coreos/etcd/etcdserver/auth"
|
|
)
|
|
|
|
const goodPassword = "good"
|
|
|
|
func mustJSONRequest(t *testing.T, method string, p string, body string) *http.Request {
|
|
req, err := http.NewRequest(method, path.Join(authPrefix, p), strings.NewReader(body))
|
|
if err != nil {
|
|
t.Fatalf("Error making JSON request: %s %s %s\n", method, p, body)
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
return req
|
|
}
|
|
|
|
type mockAuthStore struct {
|
|
users map[string]*auth.User
|
|
roles map[string]*auth.Role
|
|
err error
|
|
enabled bool
|
|
}
|
|
|
|
func (s *mockAuthStore) AllUsers() ([]string, error) {
|
|
var us []string
|
|
for u := range s.users {
|
|
us = append(us, u)
|
|
}
|
|
sort.Strings(us)
|
|
return us, s.err
|
|
}
|
|
func (s *mockAuthStore) GetUser(name string) (auth.User, error) {
|
|
u, ok := s.users[name]
|
|
if !ok {
|
|
return auth.User{}, s.err
|
|
}
|
|
return *u, s.err
|
|
}
|
|
func (s *mockAuthStore) CreateOrUpdateUser(user auth.User) (out auth.User, created bool, err error) {
|
|
if s.users == nil {
|
|
out, err = s.CreateUser(user)
|
|
return out, true, err
|
|
}
|
|
out, err = s.UpdateUser(user)
|
|
return out, false, err
|
|
}
|
|
func (s *mockAuthStore) CreateUser(user auth.User) (auth.User, error) { return user, s.err }
|
|
func (s *mockAuthStore) DeleteUser(name string) error { return s.err }
|
|
func (s *mockAuthStore) UpdateUser(user auth.User) (auth.User, error) {
|
|
return *s.users[user.User], s.err
|
|
}
|
|
func (s *mockAuthStore) AllRoles() ([]string, error) {
|
|
return []string{"awesome", "guest", "root"}, s.err
|
|
}
|
|
func (s *mockAuthStore) GetRole(name string) (auth.Role, error) {
|
|
r, ok := s.roles[name]
|
|
if ok {
|
|
return *r, s.err
|
|
}
|
|
return auth.Role{}, fmt.Errorf("%q does not exist (%v)", name, s.err)
|
|
}
|
|
func (s *mockAuthStore) CreateRole(role auth.Role) error { return s.err }
|
|
func (s *mockAuthStore) DeleteRole(name string) error { return s.err }
|
|
func (s *mockAuthStore) UpdateRole(role auth.Role) (auth.Role, error) {
|
|
return *s.roles[role.Role], s.err
|
|
}
|
|
func (s *mockAuthStore) AuthEnabled() bool { return s.enabled }
|
|
func (s *mockAuthStore) EnableAuth() error { return s.err }
|
|
func (s *mockAuthStore) DisableAuth() error { return s.err }
|
|
|
|
func (s *mockAuthStore) CheckPassword(user auth.User, password string) bool {
|
|
return user.Password == password
|
|
}
|
|
|
|
func (s *mockAuthStore) HashPassword(password string) (string, error) {
|
|
return password, nil
|
|
}
|
|
|
|
func TestAuthFlow(t *testing.T) {
|
|
api.EnableCapability(api.AuthCapability)
|
|
var testCases = []struct {
|
|
req *http.Request
|
|
store mockAuthStore
|
|
|
|
wcode int
|
|
wbody string
|
|
}{
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "users/alice", `{{{{{{{`),
|
|
store: mockAuthStore{},
|
|
wcode: http.StatusBadRequest,
|
|
wbody: `{"message":"Invalid JSON in request body."}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "password": "goodpassword"}`),
|
|
store: mockAuthStore{enabled: true},
|
|
wcode: http.StatusUnauthorized,
|
|
wbody: `{"message":"Insufficient credentials"}`,
|
|
},
|
|
// Users
|
|
{
|
|
req: mustJSONRequest(t, "GET", "users", ""),
|
|
store: mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"alice": {
|
|
User: "alice",
|
|
Roles: []string{"alicerole", "guest"},
|
|
Password: "wheeee",
|
|
},
|
|
"bob": {
|
|
User: "bob",
|
|
Roles: []string{"guest"},
|
|
Password: "wheeee",
|
|
},
|
|
"root": {
|
|
User: "root",
|
|
Roles: []string{"root"},
|
|
Password: "wheeee",
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"alicerole": {
|
|
Role: "alicerole",
|
|
},
|
|
"guest": {
|
|
Role: "guest",
|
|
},
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"users":[` +
|
|
`{"user":"alice","roles":[` +
|
|
`{"role":"alicerole","permissions":{"kv":{"read":null,"write":null}}},` +
|
|
`{"role":"guest","permissions":{"kv":{"read":null,"write":null}}}` +
|
|
`]},` +
|
|
`{"user":"bob","roles":[{"role":"guest","permissions":{"kv":{"read":null,"write":null}}}]},` +
|
|
`{"user":"root","roles":[{"role":"root","permissions":{"kv":{"read":null,"write":null}}}]}]}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "GET", "users/alice", ""),
|
|
store: mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"alice": {
|
|
User: "alice",
|
|
Roles: []string{"alicerole"},
|
|
Password: "wheeee",
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"alicerole": {
|
|
Role: "alicerole",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"user":"alice","roles":[{"role":"alicerole","permissions":{"kv":{"read":null,"write":null}}}]}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "password": "goodpassword"}`),
|
|
store: mockAuthStore{},
|
|
wcode: http.StatusCreated,
|
|
wbody: `{"user":"alice","roles":null}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "DELETE", "users/alice", ``),
|
|
store: mockAuthStore{},
|
|
wcode: http.StatusOK,
|
|
wbody: ``,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "password": "goodpassword"}`),
|
|
store: mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"alice": {
|
|
User: "alice",
|
|
Roles: []string{"alicerole", "guest"},
|
|
Password: "wheeee",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"user":"alice","roles":["alicerole","guest"]}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "users/alice", `{"user": "alice", "grant": ["alicerole"]}`),
|
|
store: mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"alice": {
|
|
User: "alice",
|
|
Roles: []string{"alicerole", "guest"},
|
|
Password: "wheeee",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"user":"alice","roles":["alicerole","guest"]}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "GET", "users/alice", ``),
|
|
store: mockAuthStore{
|
|
users: map[string]*auth.User{},
|
|
err: auth.Error{Status: http.StatusNotFound, Errmsg: "auth: User alice doesn't exist."},
|
|
},
|
|
wcode: http.StatusNotFound,
|
|
wbody: `{"message":"auth: User alice doesn't exist."}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "GET", "roles/manager", ""),
|
|
store: mockAuthStore{
|
|
roles: map[string]*auth.Role{
|
|
"manager": {
|
|
Role: "manager",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"role":"manager","permissions":{"kv":{"read":null,"write":null}}}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "DELETE", "roles/manager", ``),
|
|
store: mockAuthStore{},
|
|
wcode: http.StatusOK,
|
|
wbody: ``,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "roles/manager", `{"role":"manager","permissions":{"kv":{"read":[],"write":[]}}}`),
|
|
store: mockAuthStore{},
|
|
wcode: http.StatusCreated,
|
|
wbody: `{"role":"manager","permissions":{"kv":{"read":[],"write":[]}}}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "roles/manager", `{"role":"manager","revoke":{"kv":{"read":["foo"],"write":[]}}}`),
|
|
store: mockAuthStore{
|
|
roles: map[string]*auth.Role{
|
|
"manager": {
|
|
Role: "manager",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"role":"manager","permissions":{"kv":{"read":null,"write":null}}}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "GET", "roles", ""),
|
|
store: mockAuthStore{
|
|
roles: map[string]*auth.Role{
|
|
"awesome": {
|
|
Role: "awesome",
|
|
},
|
|
"guest": {
|
|
Role: "guest",
|
|
},
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"roles":[{"role":"awesome","permissions":{"kv":{"read":null,"write":null}}},` +
|
|
`{"role":"guest","permissions":{"kv":{"read":null,"write":null}}},` +
|
|
`{"role":"root","permissions":{"kv":{"read":null,"write":null}}}]}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "GET", "enable", ""),
|
|
store: mockAuthStore{
|
|
enabled: true,
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: `{"enabled":true}`,
|
|
},
|
|
{
|
|
req: mustJSONRequest(t, "PUT", "enable", ""),
|
|
store: mockAuthStore{
|
|
enabled: false,
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: ``,
|
|
},
|
|
{
|
|
req: (func() *http.Request {
|
|
req := mustJSONRequest(t, "DELETE", "enable", "")
|
|
req.SetBasicAuth("root", "good")
|
|
return req
|
|
})(),
|
|
store: mockAuthStore{
|
|
enabled: true,
|
|
users: map[string]*auth.User{
|
|
"root": {
|
|
User: "root",
|
|
Password: goodPassword,
|
|
Roles: []string{"root"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusOK,
|
|
wbody: ``,
|
|
},
|
|
{
|
|
req: (func() *http.Request {
|
|
req := mustJSONRequest(t, "DELETE", "enable", "")
|
|
req.SetBasicAuth("root", "bad")
|
|
return req
|
|
})(),
|
|
store: mockAuthStore{
|
|
enabled: true,
|
|
users: map[string]*auth.User{
|
|
"root": {
|
|
User: "root",
|
|
Password: goodPassword,
|
|
Roles: []string{"root"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"root": {
|
|
Role: "guest",
|
|
},
|
|
},
|
|
},
|
|
wcode: http.StatusUnauthorized,
|
|
wbody: `{"message":"Insufficient credentials"}`,
|
|
},
|
|
}
|
|
|
|
for i, tt := range testCases {
|
|
mux := http.NewServeMux()
|
|
h := &authHandler{
|
|
sec: &tt.store,
|
|
cluster: &fakeCluster{id: 1},
|
|
}
|
|
handleAuth(mux, h)
|
|
rw := httptest.NewRecorder()
|
|
mux.ServeHTTP(rw, tt.req)
|
|
if rw.Code != tt.wcode {
|
|
t.Errorf("#%d: got code=%d, want %d", i, rw.Code, tt.wcode)
|
|
}
|
|
g := rw.Body.String()
|
|
g = strings.TrimSpace(g)
|
|
if g != tt.wbody {
|
|
t.Errorf("#%d: got body=%s, want %s", i, g, tt.wbody)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestGetUserGrantedWithNonexistingRole(t *testing.T) {
|
|
sh := &authHandler{
|
|
sec: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"root": {
|
|
User: "root",
|
|
Roles: []string{"root", "foo"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
},
|
|
cluster: &fakeCluster{id: 1},
|
|
}
|
|
srv := httptest.NewServer(http.HandlerFunc(sh.baseUsers))
|
|
defer srv.Close()
|
|
|
|
req, err := http.NewRequest("GET", "", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
req.URL, err = url.Parse(srv.URL)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
cli := http.DefaultClient
|
|
resp, err := cli.Do(req)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
var uc usersCollections
|
|
if err := json.NewDecoder(resp.Body).Decode(&uc); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(uc.Users) != 1 {
|
|
t.Fatalf("expected 1 user, got %+v", uc.Users)
|
|
}
|
|
if uc.Users[0].User != "root" {
|
|
t.Fatalf("expected 'root', got %q", uc.Users[0].User)
|
|
}
|
|
if len(uc.Users[0].Roles) != 1 {
|
|
t.Fatalf("expected 1 role, got %+v", uc.Users[0].Roles)
|
|
}
|
|
if uc.Users[0].Roles[0].Role != "root" {
|
|
t.Fatalf("expected 'root', got %q", uc.Users[0].Roles[0].Role)
|
|
}
|
|
}
|
|
|
|
func mustAuthRequest(method, username, password string) *http.Request {
|
|
req, err := http.NewRequest(method, "path", strings.NewReader(""))
|
|
if err != nil {
|
|
panic("Cannot make auth request: " + err.Error())
|
|
}
|
|
req.SetBasicAuth(username, password)
|
|
return req
|
|
}
|
|
|
|
func unauthedRequest(method string) *http.Request {
|
|
req, err := http.NewRequest(method, "path", strings.NewReader(""))
|
|
if err != nil {
|
|
panic("Cannot make request: " + err.Error())
|
|
}
|
|
return req
|
|
}
|
|
|
|
func tlsAuthedRequest(req *http.Request, certname string) *http.Request {
|
|
bytes, err := ioutil.ReadFile(fmt.Sprintf("testdata/%s.pem", certname))
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
block, _ := pem.Decode(bytes)
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
req.TLS = &tls.ConnectionState{
|
|
VerifiedChains: [][]*x509.Certificate{{cert}},
|
|
}
|
|
return req
|
|
}
|
|
|
|
func TestPrefixAccess(t *testing.T) {
|
|
var table = []struct {
|
|
key string
|
|
req *http.Request
|
|
store *mockAuthStore
|
|
hasRoot bool
|
|
hasKeyPrefixAccess bool
|
|
hasRecursiveAccess bool
|
|
}{
|
|
{
|
|
key: "/foo",
|
|
req: mustAuthRequest("GET", "root", "good"),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"root": {
|
|
User: "root",
|
|
Password: goodPassword,
|
|
Roles: []string{"root"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
enabled: true,
|
|
},
|
|
hasRoot: true,
|
|
hasKeyPrefixAccess: true,
|
|
hasRecursiveAccess: true,
|
|
},
|
|
{
|
|
key: "/foo",
|
|
req: mustAuthRequest("GET", "user", "good"),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Password: goodPassword,
|
|
Roles: []string{"foorole"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"foorole": {
|
|
Role: "foorole",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo"},
|
|
Write: []string{"/foo"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
enabled: true,
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: true,
|
|
hasRecursiveAccess: false,
|
|
},
|
|
{
|
|
key: "/foo",
|
|
req: mustAuthRequest("GET", "user", "good"),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Password: goodPassword,
|
|
Roles: []string{"foorole"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"foorole": {
|
|
Role: "foorole",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo*"},
|
|
Write: []string{"/foo*"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
enabled: true,
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: true,
|
|
hasRecursiveAccess: true,
|
|
},
|
|
{
|
|
key: "/foo",
|
|
req: mustAuthRequest("GET", "user", "bad"),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Password: goodPassword,
|
|
Roles: []string{"foorole"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"foorole": {
|
|
Role: "foorole",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo*"},
|
|
Write: []string{"/foo*"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
enabled: true,
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: false,
|
|
hasRecursiveAccess: false,
|
|
},
|
|
{
|
|
key: "/foo",
|
|
req: mustAuthRequest("GET", "user", "good"),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{},
|
|
err: errors.New("Not the user"),
|
|
enabled: true,
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: false,
|
|
hasRecursiveAccess: false,
|
|
},
|
|
{
|
|
key: "/foo",
|
|
req: mustJSONRequest(t, "GET", "somepath", ""),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Password: goodPassword,
|
|
Roles: []string{"foorole"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"guest": {
|
|
Role: "guest",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo*"},
|
|
Write: []string{"/foo*"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
enabled: true,
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: true,
|
|
hasRecursiveAccess: true,
|
|
},
|
|
{
|
|
key: "/bar",
|
|
req: mustJSONRequest(t, "GET", "somepath", ""),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Password: goodPassword,
|
|
Roles: []string{"foorole"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"guest": {
|
|
Role: "guest",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo*"},
|
|
Write: []string{"/foo*"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
enabled: true,
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: false,
|
|
hasRecursiveAccess: false,
|
|
},
|
|
// check access for multiple roles
|
|
{
|
|
key: "/foo",
|
|
req: mustAuthRequest("GET", "user", "good"),
|
|
store: &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Password: goodPassword,
|
|
Roles: []string{"role1", "role2"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"role1": {
|
|
Role: "role1",
|
|
},
|
|
"role2": {
|
|
Role: "role2",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo"},
|
|
Write: []string{"/foo"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
enabled: true,
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: true,
|
|
hasRecursiveAccess: false,
|
|
},
|
|
{
|
|
key: "/foo",
|
|
req: (func() *http.Request {
|
|
req := mustJSONRequest(t, "GET", "somepath", "")
|
|
req.Header.Set("Authorization", "malformedencoding")
|
|
return req
|
|
})(),
|
|
store: &mockAuthStore{
|
|
enabled: true,
|
|
users: map[string]*auth.User{
|
|
"root": {
|
|
User: "root",
|
|
Password: goodPassword,
|
|
Roles: []string{"root"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"guest": {
|
|
Role: "guest",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo*"},
|
|
Write: []string{"/foo*"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: false,
|
|
hasRecursiveAccess: false,
|
|
},
|
|
{ // guest access in non-TLS mode
|
|
key: "/foo",
|
|
req: (func() *http.Request {
|
|
return mustJSONRequest(t, "GET", "somepath", "")
|
|
})(),
|
|
store: &mockAuthStore{
|
|
enabled: true,
|
|
users: map[string]*auth.User{
|
|
"root": {
|
|
User: "root",
|
|
Password: goodPassword,
|
|
Roles: []string{"root"},
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"guest": {
|
|
Role: "guest",
|
|
Permissions: auth.Permissions{
|
|
KV: auth.RWPermission{
|
|
Read: []string{"/foo*"},
|
|
Write: []string{"/foo*"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
hasRoot: false,
|
|
hasKeyPrefixAccess: true,
|
|
hasRecursiveAccess: true,
|
|
},
|
|
}
|
|
|
|
for i, tt := range table {
|
|
if tt.hasRoot != hasRootAccess(tt.store, tt.req, true) {
|
|
t.Errorf("#%d: hasRoot doesn't match (expected %v)", i, tt.hasRoot)
|
|
}
|
|
if tt.hasKeyPrefixAccess != hasKeyPrefixAccess(tt.store, tt.req, tt.key, false, true) {
|
|
t.Errorf("#%d: hasKeyPrefixAccess doesn't match (expected %v)", i, tt.hasRoot)
|
|
}
|
|
if tt.hasRecursiveAccess != hasKeyPrefixAccess(tt.store, tt.req, tt.key, true, true) {
|
|
t.Errorf("#%d: hasRecursiveAccess doesn't match (expected %v)", i, tt.hasRoot)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestUserFromClientCertificate(t *testing.T) {
|
|
witherror := &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Roles: []string{"root"},
|
|
Password: "password",
|
|
},
|
|
"basicauth": {
|
|
User: "basicauth",
|
|
Roles: []string{"root"},
|
|
Password: "password",
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
err: errors.New(""),
|
|
}
|
|
|
|
noerror := &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Roles: []string{"root"},
|
|
Password: "password",
|
|
},
|
|
"basicauth": {
|
|
User: "basicauth",
|
|
Roles: []string{"root"},
|
|
Password: "password",
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
}
|
|
|
|
var table = []struct {
|
|
req *http.Request
|
|
userExists bool
|
|
store auth.Store
|
|
username string
|
|
}{
|
|
{
|
|
// non tls request
|
|
req: unauthedRequest("GET"),
|
|
userExists: false,
|
|
store: witherror,
|
|
},
|
|
{
|
|
// cert with cn of existing user
|
|
req: tlsAuthedRequest(unauthedRequest("GET"), "user"),
|
|
userExists: true,
|
|
username: "user",
|
|
store: noerror,
|
|
},
|
|
{
|
|
// cert with cn of non-existing user
|
|
req: tlsAuthedRequest(unauthedRequest("GET"), "otheruser"),
|
|
userExists: false,
|
|
store: witherror,
|
|
},
|
|
}
|
|
|
|
for i, tt := range table {
|
|
user := userFromClientCertificate(tt.store, tt.req)
|
|
userExists := user != nil
|
|
|
|
if tt.userExists != userExists {
|
|
t.Errorf("#%d: userFromClientCertificate doesn't match (expected %v)", i, tt.userExists)
|
|
}
|
|
if user != nil && (tt.username != user.User) {
|
|
t.Errorf("#%d: userFromClientCertificate username doesn't match (expected %s, got %s)", i, tt.username, user.User)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestUserFromBasicAuth(t *testing.T) {
|
|
sec := &mockAuthStore{
|
|
users: map[string]*auth.User{
|
|
"user": {
|
|
User: "user",
|
|
Roles: []string{"root"},
|
|
Password: "password",
|
|
},
|
|
},
|
|
roles: map[string]*auth.Role{
|
|
"root": {
|
|
Role: "root",
|
|
},
|
|
},
|
|
}
|
|
|
|
var table = []struct {
|
|
username string
|
|
req *http.Request
|
|
userExists bool
|
|
}{
|
|
{
|
|
// valid user, valid pass
|
|
username: "user",
|
|
req: mustAuthRequest("GET", "user", "password"),
|
|
userExists: true,
|
|
},
|
|
{
|
|
// valid user, bad pass
|
|
username: "user",
|
|
req: mustAuthRequest("GET", "user", "badpass"),
|
|
userExists: false,
|
|
},
|
|
{
|
|
// valid user, no pass
|
|
username: "user",
|
|
req: mustAuthRequest("GET", "user", ""),
|
|
userExists: false,
|
|
},
|
|
{
|
|
// missing user
|
|
username: "missing",
|
|
req: mustAuthRequest("GET", "missing", "badpass"),
|
|
userExists: false,
|
|
},
|
|
{
|
|
// no basic auth
|
|
req: unauthedRequest("GET"),
|
|
userExists: false,
|
|
},
|
|
}
|
|
|
|
for i, tt := range table {
|
|
user := userFromBasicAuth(sec, tt.req)
|
|
userExists := user != nil
|
|
|
|
if tt.userExists != userExists {
|
|
t.Errorf("#%d: userFromBasicAuth doesn't match (expected %v)", i, tt.userExists)
|
|
}
|
|
if user != nil && (tt.username != user.User) {
|
|
t.Errorf("#%d: userFromBasicAuth username doesn't match (expected %s, got %s)", i, tt.username, user.User)
|
|
}
|
|
}
|
|
}
|