nginx-sso/acl_test.go

package main

import (
	"net/http"
	"testing"
)

var (
	aclTestUser   = "test"
	aclTestGroups = []string{"group_a", "group_b"}
)

func aclTestRequest(headers map[string]string) *http.Request {
	req, _ := http.NewRequest("GET", "http://localhost/auth", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	return req
}

func aclTestString(in string) *string { return &in }
func aclTestBool(in bool) *bool       { return &in }

func TestEmptyACL(t *testing.T) {
	a := acl{}

	if a.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(map[string]string{})) {
		t.Fatal("Empty ACL (= default action) was ALLOW instead of DENY")
	}
}

func TestRuleSetMatcher(t *testing.T) {
	r := aclRuleSet{
		Rules: []aclRule{
			{
				Field:       "field_a",
				MatchString: aclTestString("expected"),
			},
			{
				Field:       "field_c",
				MatchString: aclTestString("expected"),
			},
		},
		Allow: []string{aclTestUser},
	}
	fields := map[string]string{
		"field_a": "expected",
		"field_b": "unchecked",
		"field_c": "expected",
	}

	if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessAllow {
		t.Error("Access was denied")
	}

	delete(fields, "field_c")
	if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessDunno {
		t.Error("Access was not unknown")
	}
}

func TestGroupAuthenticated(t *testing.T) {
	r := aclRuleSet{
		Rules: []aclRule{
			{
				Field:       "field_a",
				MatchString: aclTestString("expected"),
			},
		},
		Allow: []string{"@_authenticated"},
	}
	fields := map[string]string{
		"field_a": "expected",
	}

	if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessAllow {
		t.Error("Access was denied")
	}

	r.Allow = []string{"testgroup"}
	if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) == accessAllow {
		t.Error("Access was allowed")
	}
}

func TestInvertedRegexMatcher(t *testing.T) {
	fields := map[string]string{
		"field_a": "expected",
		"field_b": "unchecked",
	}

	ar := aclRule{
		Field:      "field_a",
		Invert:     true,
		MatchRegex: aclTestString("^expected$"),
	}

	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}

	fields["field_a"] = "unexpected"

	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}
}

func TestRegexMatcher(t *testing.T) {
	fields := map[string]string{
		"field_a": "expected",
		"field_b": "unchecked",
	}

	ar := aclRule{
		Field:      "field_a",
		MatchRegex: aclTestString("^expected$"),
	}

	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}

	fields["field_a"] = "unexpected"

	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}
}

func TestInvertedEqualsMatcher(t *testing.T) {
	fields := map[string]string{
		"field_a": "expected",
		"field_b": "unchecked",
	}

	ar := aclRule{
		Field:       "field_a",
		Invert:      true,
		MatchString: aclTestString("expected"),
	}

	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}

	fields["field_a"] = "unexpected"

	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}
}

func TestEqualsMatcher(t *testing.T) {
	fields := map[string]string{
		"field_a": "expected",
		"field_b": "unchecked",
	}

	ar := aclRule{
		Field:       "field_a",
		MatchString: aclTestString("expected"),
	}

	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}

	fields["field_a"] = "unexpected"

	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}
}

func TestInvertedIsPresentMatcher(t *testing.T) {
	fields := map[string]string{
		"field_a": "expected",
		"field_b": "unchecked",
	}

	ar := aclRule{
		Field:     "field_a",
		Invert:    true,
		IsPresent: aclTestBool(true),
	}

	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}

	ar.IsPresent = aclTestBool(false)

	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}

	ar.IsPresent = aclTestBool(true)
	delete(fields, "field_a")

	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}

	ar.IsPresent = aclTestBool(false)
	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}
}

func TestIsPresentMatcher(t *testing.T) {
	fields := map[string]string{
		"field_a": "expected",
		"field_b": "unchecked",
	}

	ar := aclRule{
		Field:     "field_a",
		IsPresent: aclTestBool(true),
	}

	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}

	ar.IsPresent = aclTestBool(false)

	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}

	ar.IsPresent = aclTestBool(true)
	delete(fields, "field_a")

	if ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v matches fields %#v", ar, fields)
	}

	ar.IsPresent = aclTestBool(false)
	if !ar.AppliesToFields(fields) {
		t.Errorf("Rule %#v does not match fields %#v", ar, fields)
	}
}
Initial version (#1) * Initial draft * HCL does not support int64 * Add http stubs * Login does not need to return user details * Fields should have a label * Add example configuration * Add stub for "Simple" authenticator * Add debug logging * Implement configuration loading * Implement user detection * Fix error names in doc strings * Implement session store * Implement "Token" provider * Add login frontend * Implement login and logout * Do not show tabs when there is no choice * Fix multi-tab errors, sorting * Implement "Yubikey" authenticator * Lint: Rename error to naming convention * Apply cookie security * Prevent double-login * Adjust parameters for crowd * Implement ACL * Replace HCL config with YAML config * Remove config debug output * Remove crowd config Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-28 14:16:52 +00:00			`package main`

			`import (`
			`"net/http"`
			`"testing"`
			`)`

			`var (`
			`aclTestUser = "test"`
			`aclTestGroups = []string{"group_a", "group_b"}`
			`)`

			`func aclTestRequest(headers map[string]string) *http.Request {`
			`req, _ := http.NewRequest("GET", "http://localhost/auth", nil)`
			`for k, v := range headers {`
			`req.Header.Set(k, v)`
			`}`
			`return req`
			`}`

			`func aclTestString(in string) *string { return &in }`
			`func aclTestBool(in bool) *bool { return &in }`

			`func TestEmptyACL(t *testing.T) {`
			`a := acl{}`

			`if a.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(map[string]string{})) {`
			`t.Fatal("Empty ACL (= default action) was ALLOW instead of DENY")`
			`}`
			`}`

			`func TestRuleSetMatcher(t *testing.T) {`
			`r := aclRuleSet{`
			`Rules: []aclRule{`
			`{`
			`Field: "field_a",`
			`MatchString: aclTestString("expected"),`
			`},`
			`{`
			`Field: "field_c",`
			`MatchString: aclTestString("expected"),`
			`},`
			`},`
			`Allow: []string{aclTestUser},`
			`}`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`"field_b": "unchecked",`
			`"field_c": "expected",`
			`}`

			`if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessAllow {`
			`t.Error("Access was denied")`
			`}`

			`delete(fields, "field_c")`
			`if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessDunno {`
			`t.Error("Access was not unknown")`
			`}`
			`}`

Add special group for all authenticated users Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-04-22 17:54:27 +00:00			`func TestGroupAuthenticated(t *testing.T) {`
			`r := aclRuleSet{`
			`Rules: []aclRule{`
			`{`
			`Field: "field_a",`
			`MatchString: aclTestString("expected"),`
			`},`
			`},`
			`Allow: []string{"@_authenticated"},`
			`}`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`}`

			`if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessAllow {`
			`t.Error("Access was denied")`
			`}`

			`r.Allow = []string{"testgroup"}`
			`if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) == accessAllow {`
			`t.Error("Access was allowed")`
			`}`
			`}`

Initial version (#1) * Initial draft * HCL does not support int64 * Add http stubs * Login does not need to return user details * Fields should have a label * Add example configuration * Add stub for "Simple" authenticator * Add debug logging * Implement configuration loading * Implement user detection * Fix error names in doc strings * Implement session store * Implement "Token" provider * Add login frontend * Implement login and logout * Do not show tabs when there is no choice * Fix multi-tab errors, sorting * Implement "Yubikey" authenticator * Lint: Rename error to naming convention * Apply cookie security * Prevent double-login * Adjust parameters for crowd * Implement ACL * Replace HCL config with YAML config * Remove config debug output * Remove crowd config Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-28 14:16:52 +00:00			`func TestInvertedRegexMatcher(t *testing.T) {`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`"field_b": "unchecked",`
			`}`

			`ar := aclRule{`
			`Field: "field_a",`
			`Invert: true,`
			`MatchRegex: aclTestString("^expected$"),`
			`}`

			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`

			`fields["field_a"] = "unexpected"`

			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`
			`}`

			`func TestRegexMatcher(t *testing.T) {`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`"field_b": "unchecked",`
			`}`

			`ar := aclRule{`
			`Field: "field_a",`
			`MatchRegex: aclTestString("^expected$"),`
			`}`

			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`

			`fields["field_a"] = "unexpected"`

			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`
			`}`

			`func TestInvertedEqualsMatcher(t *testing.T) {`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`"field_b": "unchecked",`
			`}`

			`ar := aclRule{`
			`Field: "field_a",`
			`Invert: true,`
			`MatchString: aclTestString("expected"),`
			`}`

			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`

			`fields["field_a"] = "unexpected"`

			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`
			`}`

			`func TestEqualsMatcher(t *testing.T) {`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`"field_b": "unchecked",`
			`}`

			`ar := aclRule{`
			`Field: "field_a",`
			`MatchString: aclTestString("expected"),`
			`}`

			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`

			`fields["field_a"] = "unexpected"`

			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`
			`}`

			`func TestInvertedIsPresentMatcher(t *testing.T) {`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`"field_b": "unchecked",`
			`}`

			`ar := aclRule{`
			`Field: "field_a",`
			`Invert: true,`
			`IsPresent: aclTestBool(true),`
			`}`

			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`

			`ar.IsPresent = aclTestBool(false)`

			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`

			`ar.IsPresent = aclTestBool(true)`
			`delete(fields, "field_a")`

			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`

			`ar.IsPresent = aclTestBool(false)`
			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`
			`}`

			`func TestIsPresentMatcher(t *testing.T) {`
			`fields := map[string]string{`
			`"field_a": "expected",`
			`"field_b": "unchecked",`
			`}`

			`ar := aclRule{`
			`Field: "field_a",`
			`IsPresent: aclTestBool(true),`
			`}`

			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`

			`ar.IsPresent = aclTestBool(false)`

			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`

			`ar.IsPresent = aclTestBool(true)`
			`delete(fields, "field_a")`

			`if ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v matches fields %#v", ar, fields)`
			`}`

			`ar.IsPresent = aclTestBool(false)`
			`if !ar.AppliesToFields(fields) {`
			`t.Errorf("Rule %#v does not match fields %#v", ar, fields)`
			`}`
			`}`