db/auth_test.go at main · peer/db · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
package peerdb_test

import (
	"encoding/base64"
	"net/http"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"gitlab.com/tozd/waf"

	"gitlab.com/peerdb/peerdb"
)

const (
	testUsername      = "testuser"
	testWrongUsername = "wronguser"
	testPassword      = "testpass"
	testWrongPassword = "wrongpass"
)

func TestBasicAuth(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name           string
		username       string
		password       string
		expectedStatus int
		expectedRealm  string
	}{
		{`valid credentials`, testUsername, testPassword, http.StatusOK, ""},
		{
			`invalid username`, testWrongUsername, testPassword, http.StatusUnauthorized,
			peerdb.DefaultTitle,
		},
		{
			`invalid password`, testUsername, testWrongPassword, http.StatusUnauthorized,
			peerdb.DefaultTitle,
		},
		{
			`invalid both`, testWrongUsername, testWrongPassword, http.StatusUnauthorized,
			peerdb.DefaultTitle,
		},
		{
			`invalid w/ username space`, `testuser `, testPassword, http.StatusUnauthorized,
			peerdb.DefaultTitle,
		},
		{
			`invalid w/ password space`, testUsername, `testpass `, http.StatusUnauthorized,
			peerdb.DefaultTitle,
		},
		{
			`invalid no credentials`, ``, ``, http.StatusUnauthorized,
			peerdb.DefaultTitle,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			ts, _ := startTestServer(t, func(_ *peerdb.Globals, serve *peerdb.ServeCommand) {
				serve.Username = testUsername
				serve.Password = []byte(testPassword)
			})

			req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, ts.URL, nil)
			require.NoError(t, err)

			if tt.username != "" || tt.password != "" {
				// RFC 7617 construct username:password and base64 encode it - mimic browser behavior.
				auth := tt.username + ":" + tt.password
				encoded := base64.StdEncoding.EncodeToString([]byte(auth))
				req.Header.Set("Authorization", "Basic "+encoded)
			}

			resp, err := ts.Client().Do(req) //nolint:bodyclose
			require.NoError(t, err)
			t.Cleanup(func(r *http.Response) func() { return func() { r.Body.Close() } }(resp)) //nolint:errcheck,gosec

			assert.Equal(t, tt.expectedStatus, resp.StatusCode)

			if tt.expectedStatus == http.StatusUnauthorized {
				authHeader := resp.Header.Get("WWW-Authenticate")
				require.NotEmpty(t, authHeader)
				assert.Contains(t, authHeader, `Basic realm="`+tt.expectedRealm+`"`)
			}
		})
	}
}

func TestBasicAuthWithSiteContext(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name          string
		domain        string
		siteTitle     string
		expectedRealm string
	}{
		{`site with localhost domain`, `localhost`, `Example Site`, `Example Site`},
		{`site with custom title`, `example.com`, `Example Site`, `Example Site`},
		{`site with default title`, `test.com`, peerdb.DefaultTitle, peerdb.DefaultTitle},
		{`site with empty title`, `fallback.com`, ``, peerdb.DefaultTitle},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			ts, _ := startTestServer(t, func(globals *peerdb.Globals, serve *peerdb.ServeCommand) {
				globals.Sites = []peerdb.Site{
					{
						Site: waf.Site{
							Domain:   tt.domain,
							CertFile: "",
							KeyFile:  "",
						},
						Build:                nil,
						Index:                "",
						Schema:               "",
						Title:                tt.siteTitle,
						Logo:                 "",
						LanguagePriority:     nil,
						DefaultLanguage:      "",
						LanguageCodes:        nil,
						Features:             peerdb.SiteFeatures{},
						Roles:                nil,
						Auth:                 peerdb.SiteAuthConfig{},
						MetadataHeaderPrefix: "",
						Base:                 nil,
						DBPool:               nil,
						ESClient:             nil,
						RiverClient:          nil,
					},
				}
				serve.Username = testUsername
				serve.Password = []byte(testPassword)
			})
			// We only test unauthorized responses here to verify the realm.
			req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, ts.URL, nil)
			require.NoError(t, err)
			req.Host = tt.domain

			resp, err := ts.Client().Do(req) //nolint:bodyclose
			require.NoError(t, err)
			t.Cleanup(func(r *http.Response) func() { return func() { r.Body.Close() } }(resp)) //nolint:errcheck,gosec

			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
			authHeader := resp.Header.Get("WWW-Authenticate")
			require.NotEmpty(t, authHeader)
			assert.Contains(t, authHeader, `Basic realm="`+tt.expectedRealm+`"`)
		})
	}
}