func TestManagerKeySet(t *testing.T) {
ks, _ := testGenerator.Generate("")
ks.Key("private")
for name, m := range managers {
_, err := m.GetKeySet("foo")
pkg.AssertError(t, true, err, name)
err = m.AddKeySet("bar", ks)
pkg.AssertError(t, false, err, name)
time.Sleep(time.Millisecond * 100)
got, err := m.GetKeySet("bar")
pkg.RequireError(t, false, err, name)
assert.Equal(t, ks.Key("public"), got.Key("public"), name)
assert.Equal(t, ks.Key("private"), got.Key("private"), name)
err = m.DeleteKeySet("bar")
pkg.AssertError(t, false, err, name)
time.Sleep(time.Millisecond * 100)
_, err = m.GetKeySet("bar")
pkg.AssertError(t, true, err, name)
}
err := managers["http"].AddKeySet("nonono", ks)
pkg.AssertError(t, true, err, "%s")
}
func TestCreateGetDeleteOpenIDConnectSession(t *testing.T) {
ctx := context.Background()
for k, m := range clientManagers {
_, err := m.GetOpenIDConnectSession(ctx, "4321", &fosite.Request{})
pkg.AssertError(t, true, err, "%s", k)
err = m.CreateOpenIDConnectSession(ctx, "4321", &defaultRequest)
pkg.AssertError(t, false, err, "%s", k)
time.Sleep(100 * time.Millisecond)
res, err := m.GetOpenIDConnectSession(ctx, "4321", &fosite.Request{
Session: &testSession{},
})
pkg.RequireError(t, false, err, "%s", k)
c.AssertObjectKeysEqual(t, &defaultRequest, res, "Scopes", "GrantedScopes", "Form", "Session")
err = m.DeleteOpenIDConnectSession(ctx, "4321")
pkg.AssertError(t, false, err, "%s", k)
time.Sleep(100 * time.Millisecond)
_, err = m.GetOpenIDConnectSession(ctx, "4321", &fosite.Request{})
pkg.AssertError(t, true, err, "%s", k)
}
}
func TestColdStartRethinkManager(t *testing.T) {
ctx := context.Background()
m := rethinkManager
id := uuid.New()
err := m.CreateAuthorizeCodeSession(ctx, id, &defaultRequest)
pkg.AssertError(t, false, err)
err = m.CreateAccessTokenSession(ctx, id, &defaultRequest)
pkg.AssertError(t, false, err)
time.Sleep(100 * time.Millisecond)
_, err = m.GetAuthorizeCodeSession(ctx, id, &testSession{})
pkg.AssertError(t, false, err)
_, err = m.GetAccessTokenSession(ctx, id, &testSession{})
pkg.AssertError(t, false, err)
delete(rethinkManager.AuthorizeCodes, id)
delete(rethinkManager.AccessTokens, id)
_, err = m.GetAuthorizeCodeSession(ctx, id, &testSession{})
pkg.AssertError(t, true, err)
_, err = m.GetAccessTokenSession(ctx, id, &testSession{})
pkg.AssertError(t, true, err)
err = rethinkManager.ColdStart()
pkg.AssertError(t, false, err)
_, err = m.GetAuthorizeCodeSession(ctx, id, &testSession{})
pkg.AssertError(t, false, err)
_, err = m.GetAccessTokenSession(ctx, id, &testSession{})
pkg.AssertError(t, false, err)
}
func TestAuthorized(t *testing.T) {
for n, w := range wardens {
for k, c := range []struct {
token string
scopes []string
expectErr bool
assert func(*firewall.Context)
}{
{
token: "invalid",
expectErr: true,
},
{
token: "invalid",
expectErr: true,
},
{
token: tokens[0][1],
scopes: []string{"foo"},
expectErr: true,
},
{
token: tokens[0][1],
scopes: []string{"core"},
expectErr: false,
assert: func(c *firewall.Context) {
assert.Equal(t, "alice", c.Subject)
assert.Equal(t, "tests", c.Issuer)
},
},
} {
ctx, err := w.Authorized(context.Background(), c.token, c.scopes...)
pkg.AssertError(t, c.expectErr, err, n, "ActionAllowed", k)
if err == nil && c.assert != nil {
c.assert(ctx)
}
httpreq := &http.Request{Header: http.Header{}}
httpreq.Header.Set("Authorization", "bearer "+c.token)
ctx, err = w.HTTPAuthorized(context.Background(), httpreq, c.scopes...)
pkg.AssertError(t, c.expectErr, err, n, "HTTPActionAllowed", k)
if err == nil && c.assert != nil {
c.assert(ctx)
}
}
}
}
func TestAEAD(t *testing.T) {
key, err := rand.RandomBytes(32)
pkg.AssertError(t, false, err)
a := &AEAD{
Key: key,
}
for i := 0; i < 100; i++ {
plain := []byte(uuid.New())
ct, err := a.Encrypt(plain)
pkg.AssertError(t, false, err)
res, err := a.Decrypt(ct)
pkg.AssertError(t, false, err)
assert.Equal(t, plain, res)
}
}
func TestAuthenticateClient(t *testing.T) {
var mem = &MemoryManager{
Clients: map[string]*fosite.DefaultClient{},
Hasher: &hash.BCrypt{},
}
mem.CreateClient(&fosite.DefaultClient{
ID: "1234",
Secret: []byte("secret"),
RedirectURIs: []string{"http://redirect"},
})
c, err := mem.Authenticate("1234", []byte("secret1"))
pkg.AssertError(t, true, err)
c, err = mem.Authenticate("1234", []byte("secret"))
pkg.AssertError(t, false, err)
assert.Equal(t, "1234", c.ID)
}
func TestGenerator(t *testing.T) {
for _, c := range []struct {
g KeyGenerator
check func(*jose.JsonWebKeySet)
}{
{
g: &RS256Generator{},
check: func(ks *jose.JsonWebKeySet) {
assert.Len(t, ks, 2)
},
},
{
g: &ECDSA521Generator{},
check: func(ks *jose.JsonWebKeySet) {
assert.Len(t, ks, 2)
},
},
{
g: &ECDSA256Generator{},
check: func(ks *jose.JsonWebKeySet) {
assert.Len(t, ks, 2)
},
},
{
g: &HS256Generator{
Length: 32,
},
check: func(ks *jose.JsonWebKeySet) {
assert.Len(t, ks, 1)
},
},
} {
keys, err := c.g.Generate("foo")
pkg.AssertError(t, false, err)
if err != nil {
c.check(keys)
}
}
}
func TestManagerKey(t *testing.T) {
ks, _ := testGenerator.Generate("")
priv := ks.Key("private")
pub := ks.Key("public")
for name, m := range managers {
t.Logf("Running test %s", name)
_, err := m.GetKey("faz", "baz")
pkg.AssertError(t, true, err, name)
err = m.AddKey("faz", First(priv))
pkg.AssertError(t, false, err, name)
time.Sleep(time.Millisecond * 100)
got, err := m.GetKey("faz", "private")
pkg.RequireError(t, false, err, name)
assert.Equal(t, priv, got.Keys, "%s", name)
err = m.AddKey("faz", First(pub))
pkg.AssertError(t, false, err, name)
time.Sleep(time.Millisecond * 100)
got, err = m.GetKey("faz", "private")
pkg.RequireError(t, false, err, name)
assert.Equal(t, priv, got.Keys, "%s", name)
got, err = m.GetKey("faz", "public")
pkg.RequireError(t, false, err, name)
assert.Equal(t, pub, got.Keys, "%s", name)
err = m.DeleteKey("faz", "public")
pkg.AssertError(t, false, err, name)
time.Sleep(time.Millisecond * 100)
ks, err = m.GetKey("faz", "public")
pkg.AssertError(t, true, err, name)
}
err := managers["http"].AddKey("nonono", First(priv))
pkg.AssertError(t, true, err, "%s")
}
func TestManagers(t *testing.T) {
p := &ladon.DefaultPolicy{
ID: uuid.New(),
Description: "description",
Subjects: []string{"<peter>"},
Effect: ladon.AllowAccess,
Resources: []string{"<article|user>"},
Actions: []string{"view"},
Conditions: ladon.Conditions{
"ip": &ladon.CIDRCondition{
CIDR: "1234",
},
"owner": &ladon.EqualsSubjectCondition{},
},
}
for k, m := range managers {
_, err := m.Get(p.ID)
pkg.AssertError(t, true, err, k)
pkg.AssertError(t, false, m.Create(p), k)
time.Sleep(200 * time.Millisecond)
res, err := m.Get(p.ID)
pkg.AssertError(t, false, err, k)
assert.Equal(t, p, res, "%s", k)
ps, err := m.FindPoliciesForSubject("peter")
pkg.RequireError(t, false, err, k)
require.Len(t, ps, 1, "%s", k)
assert.Equal(t, p, ps[0], "%s", k)
ps, err = m.FindPoliciesForSubject("stan")
pkg.AssertError(t, false, err, k)
assert.Len(t, ps, 0, "%s", k)
pkg.AssertError(t, false, m.Delete(p.ID), k)
_, err = m.Get(p.ID)
pkg.AssertError(t, true, err, k)
}
}
func TestCreateGetDeleteClient(t *testing.T) {
for k, m := range clientManagers {
_, err := m.GetClient("4321")
pkg.AssertError(t, true, err, "%s", k)
c := &fosite.DefaultClient{
ID: "1234",
Secret: []byte("secret"),
RedirectURIs: []string{"http://redirect"},
TermsOfServiceURI: "foo",
}
err = m.CreateClient(c)
pkg.AssertError(t, false, err, "%s", k)
if err == nil {
compare(t, c, k)
}
// RethinkDB delay
time.Sleep(500 * time.Millisecond)
d, err := m.GetClient("1234")
pkg.AssertError(t, false, err, "%s", k)
if err == nil {
compare(t, d, k)
}
ds, err := m.GetClients()
pkg.AssertError(t, false, err, "%s", k)
assert.Len(t, ds, 1)
err = m.DeleteClient("1234")
pkg.AssertError(t, false, err, "%s", k)
// RethinkDB delay
time.Sleep(100 * time.Millisecond)
_, err = m.GetClient("1234")
pkg.AssertError(t, true, err, "%s", k)
}
}