func Test_NewUser(t *testing.T) {
privs := map[string][]auth.Privilege{
"/simple/path/": []auth.Privilege{auth.ReadPrivilege, auth.WritePrivilege},
"/../messy/./path": []auth.Privilege{auth.DeletePrivilege, auth.WritePrivilege},
"/another/path/and/some/more": []auth.Privilege{auth.AllPrivileges},
"/blocked/path": []auth.Privilege{auth.NoPrivileges},
}
hash := []byte("hash")
u := auth.NewUser("username", hash, false, privs)
if exp, got := "username", u.Name(); got != exp {
t.Errorf("unexpected username: got %s exp %s", got, exp)
}
if exp, got := false, u.IsAdmin(); got != exp {
t.Errorf("unexpected admin: got %t exp %t", got, exp)
}
// Manipulate hash to test user has its own copy
hash[0] = 'b'
if exp, got := "hash", string(u.Hash()); got != exp {
t.Errorf("unexpected hash: got %s exp %s", got, exp)
}
// Manipulate privileges to test user has its own copy
privs["/blocked/path"] = []auth.Privilege{auth.AllPrivileges}
expPrivileges := map[string][]auth.Privilege{
"/simple/path": []auth.Privilege{auth.ReadPrivilege, auth.WritePrivilege},
"/messy/path": []auth.Privilege{auth.DeletePrivilege, auth.WritePrivilege},
"/another/path/and/some/more": []auth.Privilege{auth.AllPrivileges},
"/blocked/path": []auth.Privilege{auth.NoPrivileges},
}
gotPrivileges := u.Privileges()
if got, exp := len(gotPrivileges), len(expPrivileges); got != exp {
t.Errorf("unexpected privileges count: got %d exp %d", got, exp)
}
for r, expPs := range expPrivileges {
gotPs, ok := gotPrivileges[r]
if !ok {
t.Errorf("missing privilege: %s", r)
continue
}
if got, exp := len(gotPs), len(expPs); got != exp {
t.Errorf("unexpected privileges list count for resource %s: got %d exp %d", r, got, exp)
}
for _, ep := range expPs {
found := false
for _, gp := range gotPs {
if ep == gp {
found = true
break
}
}
if !found {
t.Errorf("missing privilege %v from list for resource %s", ep, r)
}
}
}
a := auth.NewUser("admin", nil, true, nil)
if exp, got := "admin", a.Name(); got != exp {
t.Errorf("unexpected username: got %s exp %s", got, exp)
}
if exp, got := true, a.IsAdmin(); got != exp {
t.Errorf("unexpected admin: got %t exp %t", got, exp)
}
}
// Return a user will all privileges.
func (s *Service) SubscriptionUser(token string) (auth.User, error) {
s.logger.Println("W! using noauth auth backend. Faked authentication for subscription user token")
return auth.NewUser("subscription-user", nil, true, nil), nil
}
func Test_User_AuthorizeAction(t *testing.T) {
testCases := []struct {
username string
admin bool
privileges map[string][]auth.Privilege
action auth.Action
authorized bool
err error
}{
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b/c": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b/": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/b": []auth.Privilege{auth.WritePrivilege},
"/c": []auth.Privilege{auth.WritePrivilege},
"/d": []auth.Privilege{auth.WritePrivilege},
"/a": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/c/": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: false,
err: errors.New(`user nick does not have "write" privilege for resource "/a/b/c"`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b/c/": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b/c": []auth.Privilege{auth.ReadPrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: false,
err: errors.New(`user fred does not have "write" privilege for resource "/a/b/c"`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b/c": []auth.Privilege{auth.ReadPrivilege},
},
action: auth.Action{
Resource: "a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: false,
err: errors.New(`invalid action resource: "a/b/c", must be an absolute path`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.AllPrivileges},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.ReadPrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: false,
err: errors.New(`user natalie does not have "write" privilege for resource "/a/b/c"`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.NoPrivileges},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: false,
err: errors.New(`user katherine does not have "write" privilege for resource "/a/b/c"`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/d/e/f": []auth.Privilege{auth.ReadPrivilege},
},
action: auth.Action{
Resource: "/a/b/c/../../d/e/f",
Privilege: auth.ReadPrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c/../../d/e/f",
Privilege: auth.WritePrivilege,
},
authorized: false,
err: errors.New(`user hackerbob does not have "write" privilege for resource "/a/b/c/../../d/e/f"`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/a/b": []auth.Privilege{auth.WritePrivilege},
},
action: auth.Action{
Resource: "/a/b/c/../../../../d/e/f",
Privilege: auth.WritePrivilege,
},
authorized: false,
err: errors.New(`user hackerjim does not have "write" privilege for resource "/a/b/c/../../../../d/e/f"`),
},
{
username: "******",
admin: true,
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.ReadPrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.ReadPrivilege,
},
authorized: false,
err: errors.New(`user ellie does not have "read" privilege for resource "/a/b/c"`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.ReadPrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.ReadPrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.AllPrivileges},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.WritePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.DeletePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.WritePrivilege, auth.ReadPrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.DeletePrivilege,
},
authorized: false,
err: errors.New(`user joel does not have "delete" privilege for resource "/a/b/c"`),
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.ReadPrivilege, auth.DeletePrivilege},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.DeletePrivilege,
},
authorized: true,
err: nil,
},
{
username: "******",
privileges: map[string][]auth.Privilege{
"/": []auth.Privilege{auth.AllPrivileges},
},
action: auth.Action{
Resource: "/a/b/c",
Privilege: auth.DeletePrivilege,
},
authorized: true,
err: nil,
},
}
for _, tc := range testCases {
u := auth.NewUser(tc.username, nil, tc.admin, tc.privileges)
err := u.AuthorizeAction(tc.action)
if err != nil {
if tc.err == nil {
t.Errorf("%s: unexpected error authorizing action: got %q", tc.username, err.Error())
} else if err.Error() != tc.err.Error() {
t.Errorf("%s: unexpected error message: got %q exp %q", tc.username, err.Error(), tc.err.Error())
}
} else {
if tc.err != nil {
t.Errorf("%s: AUTH BREACH: expected error authorizing action: %q", tc.username, tc.err.Error())
}
}
}
}
// Return a user will all privileges and given username.
func (s *Service) User(username string) (auth.User, error) {
s.logger.Println("W! using noauth auth backend. Faked authentication for user", username)
return auth.NewUser(username, nil, true, nil), nil
}
