func (as *authSuite) TestNewUserAddsToExistent(c *C) {
as.state.Lock()
firstUser, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
// adding a new one
as.state.Lock()
user, err := auth.NewUser(as.state, "new_username", "new_macaroon", []string{"new_discharge"})
as.state.Unlock()
expected := &auth.UserState{
ID: 2,
Username: "******",
Macaroon: "new_macaroon",
Discharges: []string{"new_discharge"},
StoreMacaroon: "new_macaroon",
StoreDischarges: []string{"new_discharge"},
}
c.Check(err, IsNil)
c.Check(user, DeepEquals, expected)
as.state.Lock()
userFromState, err := auth.User(as.state, 2)
as.state.Unlock()
c.Check(err, IsNil)
c.Check(userFromState, DeepEquals, expected)
// first user is still in the state
as.state.Lock()
userFromState, err = auth.User(as.state, 1)
as.state.Unlock()
c.Check(err, IsNil)
c.Check(userFromState, DeepEquals, firstUser)
}
func (as *authSuite) TestRemove(c *C) {
as.state.Lock()
user, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
_, err = auth.User(as.state, user.ID)
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
err = auth.RemoveUser(as.state, user.ID)
as.state.Unlock()
c.Assert(err, IsNil)
as.state.Lock()
_, err = auth.User(as.state, user.ID)
as.state.Unlock()
c.Check(err, ErrorMatches, "invalid user")
as.state.Lock()
err = auth.RemoveUser(as.state, user.ID)
as.state.Unlock()
c.Assert(err, ErrorMatches, "invalid user")
}
func (as *authSuite) TestGetAuthenticatorFromUser(c *C) {
as.state.Lock()
user, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
authenticator := user.Authenticator()
c.Check(authenticator.Macaroon, Equals, user.Macaroon)
c.Check(authenticator.Discharges, DeepEquals, user.Discharges)
}
func (as *authSuite) TestUserForNonExistent(c *C) {
as.state.Lock()
_, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
userFromState, err := auth.User(as.state, 42)
c.Check(err, ErrorMatches, "invalid user")
c.Check(userFromState, IsNil)
}
func (as *authSuite) TestUser(c *C) {
as.state.Lock()
user, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
userFromState, err := auth.User(as.state, 1)
as.state.Unlock()
c.Check(err, IsNil)
c.Check(userFromState, DeepEquals, user)
}
func (as *authSuite) TestAuthenticatorSetHeaders(c *C) {
as.state.Lock()
user, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
req, _ := http.NewRequest("GET", "http://example.com", nil)
authenticator := user.Authenticator()
authenticator.Authenticate(req)
authorization := req.Header.Get("Authorization")
c.Check(authorization, Equals, `Macaroon root="macaroon", discharge="discharge"`)
}
func (as *authSuite) TestCheckMacaroonValidUser(c *C) {
as.state.Lock()
expectedUser, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
user, err := auth.CheckMacaroon(as.state, "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
c.Check(user, DeepEquals, expectedUser)
}
func loginUser(c *Command, r *http.Request) Response {
var loginData struct {
Username string `json:"username"`
Password string `json:"password"`
Otp string `json:"otp"`
}
decoder := json.NewDecoder(r.Body)
if err := decoder.Decode(&loginData); err != nil {
return BadRequest("cannot decode login data from request body: %v", err)
}
macaroon, err := store.RequestPackageAccessMacaroon()
if err != nil {
return InternalError(err.Error())
}
discharge, err := store.DischargeAuthCaveat(loginData.Username, loginData.Password, macaroon, loginData.Otp)
if err == store.ErrAuthenticationNeeds2fa {
twofactorRequiredResponse := &resp{
Type: ResponseTypeError,
Result: &errorResult{
Kind: errorKindTwoFactorRequired,
Message: store.ErrAuthenticationNeeds2fa.Error(),
},
Status: http.StatusUnauthorized,
}
return SyncResponse(twofactorRequiredResponse, nil)
}
if err != nil {
return Unauthorized(err.Error())
}
overlord := c.d.overlord
state := overlord.State()
state.Lock()
_, err = auth.NewUser(state, loginData.Username, macaroon, []string{discharge})
state.Unlock()
if err != nil {
return InternalError("cannot persist authentication details: %v", err)
}
result := loginResponseData{
Macaroon: macaroon,
Discharges: []string{discharge},
}
return SyncResponse(result, nil)
}
func (s *daemonSuite) TestAutherValidUser(c *check.C) {
d := newTestDaemon(c)
state := d.overlord.State()
state.Lock()
expectedUser, err := auth.NewUser(state, "username", "macaroon", []string{"discharge"})
state.Unlock()
c.Check(err, check.IsNil)
req, _ := http.NewRequest("GET", "http://example.com", nil)
req.Header.Set("Authorization", `Macaroon root="macaroon", discharge="discharge"`)
user, err := d.auther(req)
c.Check(err, check.IsNil)
c.Check(user, check.DeepEquals, expectedUser.Authenticator())
}
func (as *authSuite) TestCheckMacaroonInvalidAuth(c *C) {
as.state.Lock()
user, err := auth.CheckMacaroon(as.state, "other-macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, Equals, auth.ErrInvalidAuth)
c.Check(user, IsNil)
as.state.Lock()
_, err = auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
user, err = auth.CheckMacaroon(as.state, "other-macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, Equals, auth.ErrInvalidAuth)
c.Check(user, IsNil)
}
func (as *authSuite) TestNewUserSortsDischarges(c *C) {
as.state.Lock()
user, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge2", "discharge1"})
as.state.Unlock()
expected := &auth.UserState{
ID: 1,
Username: "******",
Macaroon: "macaroon",
Discharges: []string{"discharge1", "discharge2"},
StoreMacaroon: "macaroon",
StoreDischarges: []string{"discharge1", "discharge2"},
}
c.Check(err, IsNil)
c.Check(user, DeepEquals, expected)
as.state.Lock()
userFromState, err := auth.User(as.state, 1)
as.state.Unlock()
c.Check(err, IsNil)
c.Check(userFromState, DeepEquals, expected)
}
func (s *snapmgrTestSuite) SetUpTest(c *C) {
s.fakeBackend = &fakeSnappyBackend{
fakeCurrentProgress: 75,
fakeTotalProgress: 100,
}
s.state = state.New(nil)
var err error
s.snapmgr, err = snapstate.Manager(s.state)
c.Assert(err, IsNil)
s.snapmgr.AddForeignTaskHandlers()
// XXX: have just one, reset!
snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
snapstate.SetSnapstateBackend(s.fakeBackend)
s.reset = snapstate.MockReadInfo(s.fakeBackend.ReadInfo)
s.state.Lock()
s.user, err = auth.NewUser(s.state, "username", "macaroon", []string{"discharge"})
c.Assert(err, IsNil)
s.state.Unlock()
}
