Exemple #1
0
func Test_NewUser(t *testing.T) {
	privs := map[string][]auth.Privilege{
		"/simple/path/":               []auth.Privilege{auth.ReadPrivilege, auth.WritePrivilege},
		"/../messy/./path":            []auth.Privilege{auth.DeletePrivilege, auth.WritePrivilege},
		"/another/path/and/some/more": []auth.Privilege{auth.AllPrivileges},
		"/blocked/path":               []auth.Privilege{auth.NoPrivileges},
	}
	hash := []byte("hash")
	u := auth.NewUser("username", hash, false, privs)

	if exp, got := "username", u.Name(); got != exp {
		t.Errorf("unexpected username: got %s exp %s", got, exp)
	}
	if exp, got := false, u.IsAdmin(); got != exp {
		t.Errorf("unexpected admin: got %t exp %t", got, exp)
	}

	// Manipulate hash to test user has its own copy
	hash[0] = 'b'
	if exp, got := "hash", string(u.Hash()); got != exp {
		t.Errorf("unexpected hash: got %s exp %s", got, exp)
	}

	// Manipulate privileges to test user has its own copy
	privs["/blocked/path"] = []auth.Privilege{auth.AllPrivileges}

	expPrivileges := map[string][]auth.Privilege{
		"/simple/path":                []auth.Privilege{auth.ReadPrivilege, auth.WritePrivilege},
		"/messy/path":                 []auth.Privilege{auth.DeletePrivilege, auth.WritePrivilege},
		"/another/path/and/some/more": []auth.Privilege{auth.AllPrivileges},
		"/blocked/path":               []auth.Privilege{auth.NoPrivileges},
	}
	gotPrivileges := u.Privileges()
	if got, exp := len(gotPrivileges), len(expPrivileges); got != exp {
		t.Errorf("unexpected privileges count: got %d exp %d", got, exp)
	}
	for r, expPs := range expPrivileges {
		gotPs, ok := gotPrivileges[r]
		if !ok {
			t.Errorf("missing privilege: %s", r)
			continue
		}
		if got, exp := len(gotPs), len(expPs); got != exp {
			t.Errorf("unexpected privileges list count for resource %s: got %d exp %d", r, got, exp)
		}

		for _, ep := range expPs {
			found := false
			for _, gp := range gotPs {
				if ep == gp {
					found = true
					break
				}
			}
			if !found {
				t.Errorf("missing privilege %v from list for resource %s", ep, r)
			}
		}
	}

	a := auth.NewUser("admin", nil, true, nil)
	if exp, got := "admin", a.Name(); got != exp {
		t.Errorf("unexpected username: got %s exp %s", got, exp)
	}
	if exp, got := true, a.IsAdmin(); got != exp {
		t.Errorf("unexpected admin: got %t exp %t", got, exp)
	}
}
Exemple #2
0
// Return a user will all privileges.
func (s *Service) SubscriptionUser(token string) (auth.User, error) {
	s.logger.Println("W! using noauth auth backend. Faked authentication for subscription user token")
	return auth.NewUser("subscription-user", nil, true, nil), nil
}
Exemple #3
0
func Test_User_AuthorizeAction(t *testing.T) {
	testCases := []struct {
		username   string
		admin      bool
		privileges map[string][]auth.Privilege
		action     auth.Action
		authorized bool
		err        error
	}{
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b/c": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b/": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/b": []auth.Privilege{auth.WritePrivilege},
				"/c": []auth.Privilege{auth.WritePrivilege},
				"/d": []auth.Privilege{auth.WritePrivilege},
				"/a": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/c/": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: false,
			err:        errors.New(`user nick does not have "write" privilege for resource "/a/b/c"`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b/c/": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b/c": []auth.Privilege{auth.ReadPrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: false,
			err:        errors.New(`user fred does not have "write" privilege for resource "/a/b/c"`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b/c": []auth.Privilege{auth.ReadPrivilege},
			},
			action: auth.Action{
				Resource:  "a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: false,
			err:        errors.New(`invalid action resource: "a/b/c", must be an absolute path`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.AllPrivileges},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.ReadPrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: false,
			err:        errors.New(`user natalie does not have "write" privilege for resource "/a/b/c"`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.NoPrivileges},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: false,
			err:        errors.New(`user katherine does not have "write" privilege for resource "/a/b/c"`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/d/e/f": []auth.Privilege{auth.ReadPrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c/../../d/e/f",
				Privilege: auth.ReadPrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c/../../d/e/f",
				Privilege: auth.WritePrivilege,
			},
			authorized: false,
			err:        errors.New(`user hackerbob does not have "write" privilege for resource "/a/b/c/../../d/e/f"`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/a/b": []auth.Privilege{auth.WritePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c/../../../../d/e/f",
				Privilege: auth.WritePrivilege,
			},
			authorized: false,
			err:        errors.New(`user hackerjim does not have "write" privilege for resource "/a/b/c/../../../../d/e/f"`),
		},
		{
			username: "******",
			admin:    true,
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.ReadPrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.ReadPrivilege,
			},
			authorized: false,
			err:        errors.New(`user ellie does not have "read" privilege for resource "/a/b/c"`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.ReadPrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.ReadPrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.AllPrivileges},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.WritePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.DeletePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.DeletePrivilege,
			},
			authorized: false,
			err:        errors.New(`user joel does not have "delete" privilege for resource "/a/b/c"`),
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.ReadPrivilege, auth.DeletePrivilege},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.DeletePrivilege,
			},
			authorized: true,
			err:        nil,
		},
		{
			username: "******",
			privileges: map[string][]auth.Privilege{
				"/": []auth.Privilege{auth.AllPrivileges},
			},
			action: auth.Action{
				Resource:  "/a/b/c",
				Privilege: auth.DeletePrivilege,
			},
			authorized: true,
			err:        nil,
		},
	}
	for _, tc := range testCases {
		u := auth.NewUser(tc.username, nil, tc.admin, tc.privileges)
		err := u.AuthorizeAction(tc.action)
		if err != nil {
			if tc.err == nil {
				t.Errorf("%s: unexpected error authorizing action: got %q", tc.username, err.Error())
			} else if err.Error() != tc.err.Error() {
				t.Errorf("%s: unexpected error message: got %q exp %q", tc.username, err.Error(), tc.err.Error())
			}
		} else {
			if tc.err != nil {
				t.Errorf("%s: AUTH BREACH: expected error authorizing action: %q", tc.username, tc.err.Error())
			}
		}
	}
}
Exemple #4
0
// Return a user will all privileges and given username.
func (s *Service) User(username string) (auth.User, error) {
	s.logger.Println("W! using noauth auth backend. Faked authentication for user", username)
	return auth.NewUser(username, nil, true, nil), nil
}