132 lines
3.3 KiB
Go
132 lines
3.3 KiB
Go
package gitalyauth
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/credentials"
|
|
"google.golang.org/grpc/metadata"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
func TestCheckTokenV1(t *testing.T) {
|
|
secret := "secret 1234"
|
|
|
|
testCases := []struct {
|
|
desc string
|
|
md metadata.MD
|
|
code codes.Code
|
|
}{
|
|
{
|
|
desc: "ok",
|
|
md: credsMD(t, RPCCredentials(secret)),
|
|
code: codes.OK,
|
|
},
|
|
{
|
|
desc: "denied",
|
|
md: credsMD(t, RPCCredentials("wrong secret")),
|
|
code: codes.PermissionDenied,
|
|
},
|
|
{
|
|
desc: "invalid, not bearer",
|
|
md: credsMD(t, &invalidCreds{"foobar"}),
|
|
code: codes.Unauthenticated,
|
|
},
|
|
{
|
|
desc: "invalid, bearer but not base64",
|
|
md: credsMD(t, &invalidCreds{"Bearer foo!!bar"}),
|
|
code: codes.Unauthenticated,
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.desc, func(t *testing.T) {
|
|
ctx := metadata.NewIncomingContext(context.Background(), tc.md)
|
|
err := CheckToken(ctx, secret, time.Now())
|
|
require.Equal(t, tc.code, status.Code(err), "expected grpc code in error %v", err)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestCheckTokenV2(t *testing.T) {
|
|
targetTime := time.Unix(1535671600, 0)
|
|
secret := []byte("foo")
|
|
|
|
testCases := []struct {
|
|
desc string
|
|
token string
|
|
result error
|
|
}{
|
|
{
|
|
desc: "Valid v2 secret, future time within threshold",
|
|
token: "v2.3346cb25ecdb928defd368e7390522a86764bbdf1e8b21aaef27c4c23ec9c899.1535671615",
|
|
result: nil,
|
|
},
|
|
{
|
|
desc: "Valid v2 secret, past time within threshold",
|
|
token: "v2.b77158328e80be2984eaf08788419d25f3484eae484aec1297af6bdf1a456610.1535671585",
|
|
result: nil,
|
|
},
|
|
{
|
|
desc: "Invalid secret, time within threshold",
|
|
token: "v2.52a3b9016f46853c225c72b87617ac27109bba8a3068002069ab90e28253a911.1535671585",
|
|
result: errDenied,
|
|
},
|
|
{
|
|
desc: "Valid secret, time too much in the future",
|
|
token: "v2.ab9e7315aeecf6815fc0df585370157814131acab376f41797ad4ebc4d9a823c.1535671631",
|
|
result: errDenied,
|
|
},
|
|
{
|
|
desc: "Valid secret, time too much in the past",
|
|
token: "v2.f805bc69ca3aedd99e814b3fb1fc1e6a1094191691480b168a20fad7c2d24557.1535671569",
|
|
result: errDenied,
|
|
},
|
|
{
|
|
desc: "Mismatching signed and clear message",
|
|
token: "v2.319b96a3194c1cb2a2e6f1386161aca1c4cda13257fa9df8a328ab6769649bb0.1535671599",
|
|
result: errDenied,
|
|
},
|
|
{
|
|
desc: "Invalid version",
|
|
token: "v3.6fec98e8fe494284ce545c4b421799f02b9718b0eadfc3772d027e1ac5d6d569.1535671601",
|
|
result: errDenied,
|
|
},
|
|
{
|
|
desc: "Empty token",
|
|
token: "",
|
|
result: errDenied,
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.desc, func(t *testing.T) {
|
|
md := metautils.NiceMD{}
|
|
md.Set("authorization", "Bearer "+tc.token)
|
|
result := CheckToken(md.ToIncoming(context.Background()), string(secret), targetTime)
|
|
|
|
require.Equal(t, tc.result, result)
|
|
})
|
|
}
|
|
}
|
|
|
|
func credsMD(t *testing.T, creds credentials.PerRPCCredentials) metadata.MD {
|
|
md, err := creds.GetRequestMetadata(context.Background())
|
|
require.NoError(t, err)
|
|
return metadata.New(md)
|
|
}
|
|
|
|
type invalidCreds struct {
|
|
authHeader string
|
|
}
|
|
|
|
func (invalidCreds) RequireTransportSecurity() bool { return false }
|
|
|
|
func (ic *invalidCreds) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
|
|
return map[string]string{"authorization": ic.authHeader}, nil
|
|
}
|