mirror of
https://github.com/go-micro/go-micro.git
synced 2024-12-24 10:07:04 +02:00
Auth wrapper tests
This commit is contained in:
parent
b2cf501952
commit
fbb91c6cb7
@ -2,9 +2,13 @@ package wrapper
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"net/http"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/micro/go-micro/v2/auth"
|
||||||
|
"github.com/micro/go-micro/v2/errors"
|
||||||
"github.com/micro/go-micro/v2/metadata"
|
"github.com/micro/go-micro/v2/metadata"
|
||||||
|
"github.com/micro/go-micro/v2/server"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestWrapper(t *testing.T) {
|
func TestWrapper(t *testing.T) {
|
||||||
@ -49,5 +53,311 @@ func TestWrapper(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type testAuth struct {
|
||||||
|
verifyCount int
|
||||||
|
inspectCount int
|
||||||
|
namespace string
|
||||||
|
inspectAccount *auth.Account
|
||||||
|
verifyError error
|
||||||
|
|
||||||
|
auth.Auth
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *testAuth) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
|
||||||
|
a.verifyCount = a.verifyCount + 1
|
||||||
|
return a.verifyError
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *testAuth) Inspect(token string) (*auth.Account, error) {
|
||||||
|
a.inspectCount = a.inspectCount + 1
|
||||||
|
return a.inspectAccount, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *testAuth) Options() auth.Options {
|
||||||
|
return auth.Options{Namespace: a.namespace}
|
||||||
|
}
|
||||||
|
|
||||||
|
type testRequest struct {
|
||||||
|
service string
|
||||||
|
endpoint string
|
||||||
|
|
||||||
|
server.Request
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r testRequest) Service() string {
|
||||||
|
return r.service
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r testRequest) Endpoint() string {
|
||||||
|
return r.endpoint
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAuthHandler(t *testing.T) {
|
||||||
|
h := func(ctx context.Context, req server.Request, rsp interface{}) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
debugReq := testRequest{service: "go.micro.service.foo", endpoint: "Debug.Foo"}
|
||||||
|
serviceReq := testRequest{service: "go.micro.service.foo", endpoint: "Foo.Bar"}
|
||||||
|
|
||||||
|
// Debug endpoints should be excluded from auth so auth.Verify should never get called
|
||||||
|
t.Run("DebugEndpoint", func(t *testing.T) {
|
||||||
|
a := testAuth{}
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
err := handler(h)(context.TODO(), debugReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
if a.verifyCount != 0 {
|
||||||
|
t.Errorf("Did not expect verify to be called")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If the Authorization header is blank, no error should be returned and verify not called
|
||||||
|
t.Run("BlankAuthorizationHeader", func(t *testing.T) {
|
||||||
|
a := testAuth{}
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
err := handler(h)(context.TODO(), serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
if a.inspectCount != 0 {
|
||||||
|
t.Errorf("Did not expect inspect to be called")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If the Authorization header is invalid, an error should be returned and verify not called
|
||||||
|
t.Run("InvalidAuthorizationHeader", func(t *testing.T) {
|
||||||
|
a := testAuth{}
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", "Invalid")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if verr, ok := err.(*errors.Error); !ok || verr.Code != http.StatusUnauthorized {
|
||||||
|
t.Errorf("Expected unauthorized error but got %v", err)
|
||||||
|
}
|
||||||
|
if a.inspectCount != 0 {
|
||||||
|
t.Errorf("Did not expect inspect to be called")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If the Authorization header is valid, no error should be returned and verify should called
|
||||||
|
t.Run("ValidAuthorizationHeader", func(t *testing.T) {
|
||||||
|
a := testAuth{}
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
if a.inspectCount != 1 {
|
||||||
|
t.Errorf("Expected inspect to be called")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If the namespace header was not set on the request, the wrapper should set it to the auths
|
||||||
|
// own namespace
|
||||||
|
t.Run("BlankNamespaceHeader", func(t *testing.T) {
|
||||||
|
a := testAuth{namespace: "mynamespace"}
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
inCtx := context.TODO()
|
||||||
|
h := func(ctx context.Context, req server.Request, rsp interface{}) error {
|
||||||
|
inCtx = ctx
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
err := handler(h)(inCtx, serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
if ns, _ := metadata.Get(inCtx, "Micro-Namespace"); ns != a.namespace {
|
||||||
|
t.Errorf("Expected namespace to be set to %v but was %v", a.namespace, ns)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
t.Run("ValidNamespaceHeader", func(t *testing.T) {
|
||||||
|
a := testAuth{namespace: "mynamespace"}
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
inNs := "reqnamespace"
|
||||||
|
inCtx := metadata.Set(context.TODO(), "Micro-Namespace", inNs)
|
||||||
|
h := func(ctx context.Context, req server.Request, rsp interface{}) error {
|
||||||
|
inCtx = ctx
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
err := handler(h)(inCtx, serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
if ns, _ := metadata.Get(inCtx, "Micro-Namespace"); ns != inNs {
|
||||||
|
t.Errorf("Expected namespace to remain as %v but was set to %v", inNs, ns)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If the callers account was set but the issuer didn't match that of the request, the request
|
||||||
|
// should be forbidden
|
||||||
|
t.Run("InvalidAccountIssuer", func(t *testing.T) {
|
||||||
|
a := testAuth{
|
||||||
|
namespace: "validnamespace",
|
||||||
|
inspectAccount: &auth.Account{Issuer: "invalidnamespace"},
|
||||||
|
}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if verr, ok := err.(*errors.Error); !ok || verr.Code != http.StatusForbidden {
|
||||||
|
t.Errorf("Expected forbidden error but got %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
t.Run("ValidAccountIssuer", func(t *testing.T) {
|
||||||
|
a := testAuth{
|
||||||
|
namespace: "validnamespace",
|
||||||
|
inspectAccount: &auth.Account{Issuer: "validnamespace"},
|
||||||
|
}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If the caller had a nil account and verify returns an error, the request should be unauthorised
|
||||||
|
t.Run("NilAccountUnauthorized", func(t *testing.T) {
|
||||||
|
a := testAuth{verifyError: auth.ErrForbidden}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
err := handler(h)(context.TODO(), serviceReq, nil)
|
||||||
|
if verr, ok := err.(*errors.Error); !ok || verr.Code != http.StatusUnauthorized {
|
||||||
|
t.Errorf("Expected unauthorizard error but got %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
t.Run("AccountForbidden", func(t *testing.T) {
|
||||||
|
a := testAuth{verifyError: auth.ErrForbidden, inspectAccount: &auth.Account{}}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if verr, ok := err.(*errors.Error); !ok || verr.Code != http.StatusForbidden {
|
||||||
|
t.Errorf("Expected forbidden error but got %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
t.Run("AccountValid", func(t *testing.T) {
|
||||||
|
a := testAuth{inspectAccount: &auth.Account{}}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If an account is returned from inspecting the token, it should be set in the context
|
||||||
|
t.Run("ContextWithAccount", func(t *testing.T) {
|
||||||
|
accID := "myaccountid"
|
||||||
|
a := testAuth{inspectAccount: &auth.Account{ID: accID}}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
inCtx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
h := func(ctx context.Context, req server.Request, rsp interface{}) error {
|
||||||
|
inCtx = ctx
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
err := handler(h)(inCtx, serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
if acc, ok := auth.AccountFromContext(inCtx); !ok {
|
||||||
|
t.Errorf("Expected an account to be set in the context")
|
||||||
|
} else if acc.ID != accID {
|
||||||
|
t.Errorf("Expected the account in the context to have the ID %v but it actually had %v", accID, acc.ID)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If verify returns an error the handler should not be called
|
||||||
|
t.Run("HandlerNotCalled", func(t *testing.T) {
|
||||||
|
a := testAuth{verifyError: auth.ErrForbidden}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
var handlerCalled bool
|
||||||
|
h := func(ctx context.Context, req server.Request, rsp interface{}) error {
|
||||||
|
handlerCalled = true
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if verr, ok := err.(*errors.Error); !ok || verr.Code != http.StatusUnauthorized {
|
||||||
|
t.Errorf("Expected unauthorizard error but got %v", err)
|
||||||
|
}
|
||||||
|
if handlerCalled {
|
||||||
|
t.Errorf("Expected the handler to not be called")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// If verify does not return an error the handler should be called
|
||||||
|
t.Run("HandlerNotCalled", func(t *testing.T) {
|
||||||
|
a := testAuth{}
|
||||||
|
|
||||||
|
handler := AuthHandler(func() auth.Auth {
|
||||||
|
return &a
|
||||||
|
})
|
||||||
|
|
||||||
|
var handlerCalled bool
|
||||||
|
h := func(ctx context.Context, req server.Request, rsp interface{}) error {
|
||||||
|
handlerCalled = true
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx := metadata.Set(context.TODO(), "Authorization", auth.BearerScheme+"Token")
|
||||||
|
err := handler(h)(ctx, serviceReq, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Expected nil error but got %v", err)
|
||||||
|
}
|
||||||
|
if !handlerCalled {
|
||||||
|
t.Errorf("Expected the handler be called")
|
||||||
|
}
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user