mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-12-20 12:51:17 +00:00
243 lines
5 KiB
Go
243 lines
5 KiB
Go
package main
|
|
|
|
import (
|
|
"net/http"
|
|
"testing"
|
|
)
|
|
|
|
var (
|
|
aclTestUser = "test"
|
|
aclTestGroups = []string{"group_a", "group_b"}
|
|
)
|
|
|
|
func aclTestRequest(headers map[string]string) *http.Request {
|
|
req, _ := http.NewRequest("GET", "http://localhost/auth", nil)
|
|
for k, v := range headers {
|
|
req.Header.Set(k, v)
|
|
}
|
|
return req
|
|
}
|
|
|
|
func aclTestString(in string) *string { return &in }
|
|
func aclTestBool(in bool) *bool { return &in }
|
|
|
|
func TestEmptyACL(t *testing.T) {
|
|
a := acl{}
|
|
|
|
if a.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(map[string]string{})) {
|
|
t.Fatal("Empty ACL (= default action) was ALLOW instead of DENY")
|
|
}
|
|
}
|
|
|
|
func TestRuleSetMatcher(t *testing.T) {
|
|
r := aclRuleSet{
|
|
Rules: []aclRule{
|
|
{
|
|
Field: "field_a",
|
|
MatchString: aclTestString("expected"),
|
|
},
|
|
{
|
|
Field: "field_c",
|
|
MatchString: aclTestString("expected"),
|
|
},
|
|
},
|
|
Allow: []string{aclTestUser},
|
|
}
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
"field_b": "unchecked",
|
|
"field_c": "expected",
|
|
}
|
|
|
|
if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessAllow {
|
|
t.Error("Access was denied")
|
|
}
|
|
|
|
delete(fields, "field_c")
|
|
if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessDunno {
|
|
t.Error("Access was not unknown")
|
|
}
|
|
}
|
|
|
|
func TestGroupAuthenticated(t *testing.T) {
|
|
r := aclRuleSet{
|
|
Rules: []aclRule{
|
|
{
|
|
Field: "field_a",
|
|
MatchString: aclTestString("expected"),
|
|
},
|
|
},
|
|
Allow: []string{"@_authenticated"},
|
|
}
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
}
|
|
|
|
if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessAllow {
|
|
t.Error("Access was denied")
|
|
}
|
|
|
|
r.Allow = []string{"testgroup"}
|
|
if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) == accessAllow {
|
|
t.Error("Access was allowed")
|
|
}
|
|
}
|
|
|
|
func TestInvertedRegexMatcher(t *testing.T) {
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
"field_b": "unchecked",
|
|
}
|
|
|
|
ar := aclRule{
|
|
Field: "field_a",
|
|
Invert: true,
|
|
MatchRegex: aclTestString("^expected$"),
|
|
}
|
|
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
|
|
fields["field_a"] = "unexpected"
|
|
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
}
|
|
|
|
func TestRegexMatcher(t *testing.T) {
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
"field_b": "unchecked",
|
|
}
|
|
|
|
ar := aclRule{
|
|
Field: "field_a",
|
|
MatchRegex: aclTestString("^expected$"),
|
|
}
|
|
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
|
|
fields["field_a"] = "unexpected"
|
|
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
}
|
|
|
|
func TestInvertedEqualsMatcher(t *testing.T) {
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
"field_b": "unchecked",
|
|
}
|
|
|
|
ar := aclRule{
|
|
Field: "field_a",
|
|
Invert: true,
|
|
MatchString: aclTestString("expected"),
|
|
}
|
|
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
|
|
fields["field_a"] = "unexpected"
|
|
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
}
|
|
|
|
func TestEqualsMatcher(t *testing.T) {
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
"field_b": "unchecked",
|
|
}
|
|
|
|
ar := aclRule{
|
|
Field: "field_a",
|
|
MatchString: aclTestString("expected"),
|
|
}
|
|
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
|
|
fields["field_a"] = "unexpected"
|
|
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
}
|
|
|
|
func TestInvertedIsPresentMatcher(t *testing.T) {
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
"field_b": "unchecked",
|
|
}
|
|
|
|
ar := aclRule{
|
|
Field: "field_a",
|
|
Invert: true,
|
|
IsPresent: aclTestBool(true),
|
|
}
|
|
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
|
|
ar.IsPresent = aclTestBool(false)
|
|
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
|
|
ar.IsPresent = aclTestBool(true)
|
|
delete(fields, "field_a")
|
|
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
|
|
ar.IsPresent = aclTestBool(false)
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
}
|
|
|
|
func TestIsPresentMatcher(t *testing.T) {
|
|
fields := map[string]string{
|
|
"field_a": "expected",
|
|
"field_b": "unchecked",
|
|
}
|
|
|
|
ar := aclRule{
|
|
Field: "field_a",
|
|
IsPresent: aclTestBool(true),
|
|
}
|
|
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
|
|
ar.IsPresent = aclTestBool(false)
|
|
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
|
|
ar.IsPresent = aclTestBool(true)
|
|
delete(fields, "field_a")
|
|
|
|
if ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v matches fields %#v", ar, fields)
|
|
}
|
|
|
|
ar.IsPresent = aclTestBool(false)
|
|
if !ar.AppliesToFields(fields) {
|
|
t.Errorf("Rule %#v does not match fields %#v", ar, fields)
|
|
}
|
|
}
|