diff options
author | Alejandro Rodríguez <alejorro70@gmail.com> | 2018-09-06 23:02:27 +0300 |
---|---|---|
committer | Zeger-Jan van de Weg <zegerjan@gitlab.com> | 2018-09-06 23:02:27 +0300 |
commit | c75e0ede557cb79f0e668a6750081bbb4fa1fc15 (patch) | |
tree | 2702a0a94edf547a08ecaf6cabe2c63edcf938e4 /auth/extract_test.go | |
parent | d0950eb3f98d342fd17da7ec4dffbcb0fc82027e (diff) |
Allow server to receive an hmac token with the client timestamp for auth
Diffstat (limited to 'auth/extract_test.go')
-rw-r--r-- | auth/extract_test.go | 68 |
1 files changed, 66 insertions, 2 deletions
diff --git a/auth/extract_test.go b/auth/extract_test.go index f2cc3f773..7d6df8fb0 100644 --- a/auth/extract_test.go +++ b/auth/extract_test.go @@ -2,7 +2,9 @@ package gitalyauth import ( "testing" + "time" + "github.com/grpc-ecosystem/go-grpc-middleware/util/metautils" "github.com/stretchr/testify/require" "golang.org/x/net/context" "google.golang.org/grpc/codes" @@ -11,7 +13,7 @@ import ( "google.golang.org/grpc/status" ) -func TestCheckToken(t *testing.T) { +func TestCheckTokenV1(t *testing.T) { secret := "secret 1234" testCases := []struct { @@ -44,13 +46,75 @@ func TestCheckToken(t *testing.T) { for _, tc := range testCases { t.Run(tc.desc, func(t *testing.T) { ctx := metadata.NewIncomingContext(context.Background(), tc.md) - err := CheckToken(ctx, secret) + err := CheckToken(ctx, secret, time.Now()) require.Equal(t, tc.code, status.Code(err), "expected grpc code in error %v", err) }) } } +func TestCheckTokenV2(t *testing.T) { + targetTime := time.Unix(1535671600, 0) + secret := []byte("foo") + + testCases := []struct { + desc string + token string + result error + }{ + { + desc: "Valid v2 secret, future time within threshold", + token: "v2.3346cb25ecdb928defd368e7390522a86764bbdf1e8b21aaef27c4c23ec9c899.1535671615", + result: nil, + }, + { + desc: "Valid v2 secret, past time within threshold", + token: "v2.b77158328e80be2984eaf08788419d25f3484eae484aec1297af6bdf1a456610.1535671585", + result: nil, + }, + { + desc: "Invalid secret, time within threshold", + token: "v2.52a3b9016f46853c225c72b87617ac27109bba8a3068002069ab90e28253a911.1535671585", + result: errDenied, + }, + { + desc: "Valid secret, time too much in the future", + token: "v2.ab9e7315aeecf6815fc0df585370157814131acab376f41797ad4ebc4d9a823c.1535671631", + result: errDenied, + }, + { + desc: "Valid secret, time too much in the past", + token: "v2.f805bc69ca3aedd99e814b3fb1fc1e6a1094191691480b168a20fad7c2d24557.1535671569", + result: errDenied, + }, + { + desc: "Mismatching signed and clear message", + token: "v2.319b96a3194c1cb2a2e6f1386161aca1c4cda13257fa9df8a328ab6769649bb0.1535671599", + result: errDenied, + }, + { + desc: "Invalid version", + token: "v3.6fec98e8fe494284ce545c4b421799f02b9718b0eadfc3772d027e1ac5d6d569.1535671601", + result: errDenied, + }, + { + desc: "Empty token", + token: "", + result: errDenied, + }, + } + + for _, tc := range testCases { + t.Run(tc.desc, func(t *testing.T) { + md := metautils.NiceMD{} + md.Set("authorization", "Bearer "+tc.token) + result := CheckToken(md.ToIncoming(context.Background()), string(secret), targetTime) + + require.Equal(t, tc.result, result) + }) + } +} + func credsMD(t *testing.T, creds credentials.PerRPCCredentials) metadata.MD { md, err := creds.GetRequestMetadata(context.Background()) require.NoError(t, err) |