func TestGetters(t *testing.T) {
assert.False(t, IsAuthenticatedFromContext(context.Background()))
_, err := PoliciesFromContext(context.Background())
assert.NotNil(t, err)
_, err = SubjectFromContext(context.Background())
assert.NotNil(t, err)
_, err = TokenFromContext(context.Background())
assert.NotNil(t, err)
ctx := context.Background()
claims := hjwt.ClaimsCarrier{"sub": "peter"}
token := &jwt.Token{Valid: true}
policies := []policy.Policy{}
ctx = NewContextFromAuthValues(ctx, claims, token, policies)
assert.True(t, IsAuthenticatedFromContext(ctx))
policiesContext, err := PoliciesFromContext(ctx)
assert.Nil(t, err)
assert.Equal(t, policies, policiesContext)
subjectContext, err := SubjectFromContext(ctx)
assert.Nil(t, err)
assert.Equal(t, claims.GetSubject(), subjectContext)
tokenContext, err := TokenFromContext(ctx)
assert.Nil(t, err)
assert.Equal(t, token, tokenContext)
}
func (h *Handler) SetRoutes(r *mux.Router, extractor func(h hydcon.ContextHandler) hydcon.ContextHandler) {
r.Handle("/oauth2/connections", hydcon.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
h.m.IsAuthorized(connectionsPermission, "create", nil),
).ThenFunc(h.Create)).Queries("subject", "{subject}").Methods("POST")
r.Handle("/oauth2/connections", hydcon.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Find)).Queries("subject", "{subject}").Methods("GET")
r.Handle("/oauth2/connections/{id}", hydcon.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Get)).Methods("GET")
r.Handle("/oauth2/connections/{id}", hydcon.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Delete)).Methods("DELETE")
}
func (h *Handler) SetRoutes(r *mux.Router, extractor func(h hctx.ContextHandler) hctx.ContextHandler) {
r.Handle("/allowed", hctx.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Granted)).Methods("POST")
r.Handle("/policies", hctx.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
h.m.IsAuthorized("rn:hydra:policies", "create", nil),
).ThenFunc(h.Create)).Methods("POST")
// r.Handle("/policies", hctx.NewContextAdapter(
// context.Background(),
// extractor,
// h.m.IsAuthenticated,
// ).ThenFunc(h.FindBySubject)).Query("subject").Methods("GET")
r.Handle("/policies/{id}", hctx.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Get)).Methods("GET")
r.Handle("/policies/{id}", hctx.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Delete)).Methods("DELETE")
}
func TestMiddleware(t *testing.T) {
m := &Middleware{}
for k, c := range cases {
h := hcon.NewContextAdapter(
context.Background(),
mockContext(c),
m.IsAuthenticated,
).ThenFunc(hcon.ContextHandlerFunc(handler(m, c)))
ts := httptest.NewServer(h)
defer ts.Close()
res, err := http.Get(ts.URL)
require.Nil(t, err)
res.Body.Close()
if !c.expectAuthN {
assert.Equal(t, http.StatusUnauthorized, res.StatusCode, "Authentication failed case %d", k)
} else if !c.expectAuthZ {
assert.Equal(t, http.StatusForbidden, res.StatusCode, "Authorization failed case %d", k)
} else {
assert.Equal(t, http.StatusOK, res.StatusCode, "Case %d should be authorized but wasn't.", k)
}
}
}
func (h *Handler) SetRoutes(r *mux.Router, extractor func(h hydcon.ContextHandler) hydcon.ContextHandler) {
r.Handle("/clients", hydcon.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
h.m.IsAuthorized("rn:hydra:clients", "create", nil),
).ThenFunc(h.Create)).Methods("POST")
r.Handle("/clients/{id}", hydcon.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Get)).Methods("GET")
r.Handle("/clients/{id}", hydcon.NewContextAdapter(
context.Background(),
extractor,
h.m.IsAuthenticated,
).ThenFunc(h.Delete)).Methods("DELETE")
}
func TestContextAdapterThenFuncExports(t *testing.T) {
h := NewContextAdapter(context.Background(), middleware).ThenFunc(handler)
recorder := httptest.NewRecorder()
req, err := http.NewRequest("GET", "http://example.com/handler", nil)
require.Nil(t, err)
m := mux.NewRouter()
m.Handle("/handler", h).Methods("GET")
m.ServeHTTP(recorder, req)
assert.Equal(t, 2, called)
called = 0
}
func TestContextAdapter(t *testing.T) {
h := &contextAdapter{
ctx: context.Background(),
final: middleware(ContextHandlerFunc(handler)),
}
recorder := httptest.NewRecorder()
req, err := http.NewRequest("GET", "http://example.com/handler", nil)
require.Nil(t, err)
m := mux.NewRouter()
m.Handle("/handler", h).Methods("GET")
m.ServeHTTP(recorder, req)
assert.Equal(t, 2, called)
called = 0
}
func (d *dropbox) Exchange(code string) (Session, error) {
conf := *d.conf
ctx := context.Background()
token, err := conf.Exchange(ctx, code)
if err != nil {
return nil, err
}
if !token.Valid() {
return nil, errors.Errorf("Token is not valid: %v", token)
}
c := conf.Client(ctx, token)
rawurl := fmt.Sprintf("%s/%s?%s", d.api, "users/get_current_account", nil)
response, err := c.Get(rawurl)
if err != nil {
return nil, err
}
defer response.Body.Close()
body, err := ioutil.ReadAll(response.Body)
if err != nil {
return nil, err
}
var acc Account
if err = json.Unmarshal(body, &acc); err != nil {
return nil, err
}
return &DefaultSession{
RemoteSubject: acc.ID,
Extra: acc,
Token: token,
}, nil
}
func TestNewContextFromAuthorization(t *testing.T) {
for _, c := range []struct {
id string
privateKey []byte
publicKey []byte
authorization string
isAuthenticated bool
}{
{
"1",
[]byte(hjwt.TestCertificates[0][1]),
[]byte(hjwt.TestCertificates[1][1]),
// {"foo": "bar"}
"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
false,
},
{
"2",
[]byte(hjwt.TestCertificates[0][1]),
[]byte(hjwt.TestCertificates[1][1]),
// {"subject": "nonexistent"}
"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWJqZWN0Ijoibm9uZXhpc3RlbnQifQ.jDUnvVMQHrhuIRUr8qAJ0g-ZKArdiJ21LAPDktmV56KFknX712Yxdder78YjEjxvGOvgtxLpCiay0cV5pvcWLuFW65Ys1P1SwdmdebtWfiGQwBy2Ggm3MrHjD_-r5JNAxFZjFZfZ1Fk-JlSZ97r8S7gYfDSAkxhpDmDy5Bm8e5_xsGDNp8dByuXop7QEtJb_igaa0APWa2ZOp3oTgxjD4CP6ZX6N5fGjtwjJWx5wHt7JaKXq8CRG8elm7LnNezYyJxeHECVctQGVv3HUjJxKf0l7wZXbG87BrG2M7otT8Py2sJP8X4wYL0DEsbErkEieV4D-KEBqpkvfXOrDGMFNRQ",
false,
},
{
"3",
[]byte(hjwt.TestCertificates[0][1]),
[]byte(hjwt.TestCertificates[1][1]),
// not a valid token
"Bearer eyJ0eXAaOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWJqZWN0IjoiMTMyIn0.WDC51GK5wIQPd00MqLjFy3AU3gNsvsCpWk5e8RObVxBqcYAdv-UwMfEUAFE6Y50C5pQ1t8_LHfxJYNfcW3fj_x5FXckdbqvpXHi-psxuDwk_rancpjZQegcutqYRH37_lnJ8lIq65ZgxnyYnQKGOMl3w7etK1gOvqEcP_eHn8HG0jeVk0SDZm82x0JXSk0lrVEEjWmWYtXEsLz0E4clNPUW37K9eyjYFKnyVCIPfmGwTlkDLjANsyu0P6kFiV28V1_XedtJXDI3MmG2SxSHogDhZJLb298JBwod0d6wTyygI9mUbX-C0PklTJTxIhSs7Pc6unNlWnbyL8Z4FJrdSEw",
false,
},
{
"4",
[]byte(hjwt.TestCertificates[0][1]),
[]byte(hjwt.TestCertificates[1][1]),
// {
// "exp": "2099-10-31T15:03:52.4620974+01:00",
// "iat": "2014-10-31T13:03:52.4620974+01:00",
// "nbf": "2014-10-31T13:03:52.4620974+01:00",
// "sub": "132"
// }
"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDk5LTEwLTMxVDE1OjAzOjUyLjQ2MjA5NzQrMDE6MDAiLCJpYXQiOiIyMDE0LTEwLTMxVDEzOjAzOjUyLjQ2MjA5NzQrMDE6MDAiLCJuYmYiOiIyMDE0LTEwLTMxVDEzOjAzOjUyLjQ2MjA5NzQrMDE6MDAiLCJzdWIiOiIxMzIifQ.qnZr-msiG5GkVTDTyY3g26c5Edho36_E9CaANyCBVOrXWRfRPDMf7E2vrdZubO5tXlfKRgM_1avFQVWZhqrdrGBO8DiBa5OGX9IdAZaclqQFjg7vRSyIFllSs4zP4QREG4YL0qwiYGKS4SBcCS2LNfbaJfrKP_zUReXRAlWNdeFAw6zsGzlAtHQO_O0HnJCEB_wEBIkMIxdI2f-1yyTZJInyvY_wrFDkCkTfkmmW8EHzO2R44FXmaudxDCG1YAeN6WssAwgzBjR8WaQ2M_8VUYWN9TCDc3Fx58XWRTtWL_coDI9R6WtqaPkyr2_qn1Un3y3yLCGdVglRYnhJL1YCXA",
true,
},
{
"5",
[]byte(hjwt.TestCertificates[0][1]),
[]byte(hjwt.TestCertificates[1][1]),
"",
false,
},
} {
message := "ok"
ctx := context.Background()
j := hjwt.New(c.privateKey, c.publicKey)
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx = NewContextFromAuthorization(ctx, r, j, ladonStore)
assert.Equal(t, c.isAuthenticated, IsAuthenticatedFromContext(ctx), "Case %s", c.id)
fmt.Fprintln(w, message)
}))
defer ts.Close()
client := &http.Client{}
req, err := http.NewRequest("GET", ts.URL, nil)
require.Nil(t, err)
req.Header.Set("Authorization", c.authorization)
res, err := client.Do(req)
require.Nil(t, err)
result, err := ioutil.ReadAll(res.Body)
res.Body.Close()
require.Nil(t, err)
assert.Equal(t, message+"\n", string(result))
}
}
