File: bearer_auth_test.go

package info (click to toggle)
golang-github-go-openapi-runtime 0.0~git20160704.0.11e322e-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 896 kB
  • ctags: 802
  • sloc: sh: 16; makefile: 4
file content (143 lines) | stat: -rw-r--r-- 4,304 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
 
package security

import (
	"bytes"
	"mime/multipart"
	"net/http"
	"net/url"
	"strings"
	"testing"

	"github.com/go-openapi/errors"
	"github.com/stretchr/testify/assert"
)

var bearerAuth = ScopedTokenAuthentication(func(token string, requiredScopes []string) (interface{}, error) {
	if token == "token123" {
		return "admin", nil
	}
	return nil, errors.Unauthenticated("bearer")
})

func TestValidBearerAuth(t *testing.T) {
	ba := BearerAuth("owners_auth", bearerAuth)

	req1, _ := http.NewRequest("GET", "/blah?access_token=token123", nil)

	ok, usr, err := ba.Authenticate(&ScopedAuthRequest{Request: req1})
	assert.True(t, ok)
	assert.Equal(t, "admin", usr)
	assert.NoError(t, err)

	req2, _ := http.NewRequest("GET", "/blah", nil)
	req2.Header.Set("Authorization", "Bearer token123")

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req2})
	assert.True(t, ok)
	assert.Equal(t, "admin", usr)
	assert.NoError(t, err)

	body := url.Values(map[string][]string{})
	body.Set("access_token", "token123")
	req3, _ := http.NewRequest("POST", "/blah", strings.NewReader(body.Encode()))
	req3.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req3})
	assert.True(t, ok)
	assert.Equal(t, "admin", usr)
	assert.NoError(t, err)

	mpbody := bytes.NewBuffer(nil)
	writer := multipart.NewWriter(mpbody)
	writer.WriteField("access_token", "token123")
	writer.Close()
	req4, _ := http.NewRequest("POST", "/blah", mpbody)
	req4.Header.Set("Content-Type", writer.FormDataContentType())

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req4})
	assert.True(t, ok)
	assert.Equal(t, "admin", usr)
	assert.NoError(t, err)
}

func TestInvalidBearerAuth(t *testing.T) {
	ba := BearerAuth("owners_auth", bearerAuth)

	req1, _ := http.NewRequest("GET", "/blah?access_token=token124", nil)

	ok, usr, err := ba.Authenticate(&ScopedAuthRequest{Request: req1})
	assert.True(t, ok)
	assert.Equal(t, nil, usr)
	assert.Error(t, err)

	req2, _ := http.NewRequest("GET", "/blah", nil)
	req2.Header.Set("Authorization", "Bearer token124")

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req2})
	assert.True(t, ok)
	assert.Equal(t, nil, usr)
	assert.Error(t, err)

	body := url.Values(map[string][]string{})
	body.Set("access_token", "token124")
	req3, _ := http.NewRequest("POST", "/blah", strings.NewReader(body.Encode()))
	req3.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req3})
	assert.True(t, ok)
	assert.Equal(t, nil, usr)
	assert.Error(t, err)

	mpbody := bytes.NewBuffer(nil)
	writer := multipart.NewWriter(mpbody)
	writer.WriteField("access_token", "token124")
	writer.Close()
	req4, _ := http.NewRequest("POST", "/blah", mpbody)
	req4.Header.Set("Content-Type", writer.FormDataContentType())

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req4})
	assert.True(t, ok)
	assert.Equal(t, nil, usr)
	assert.Error(t, err)
}

func TestMissingBearerAuth(t *testing.T) {
	ba := BearerAuth("owners_auth", bearerAuth)

	req1, _ := http.NewRequest("GET", "/blah?access_toke=token123", nil)

	ok, usr, err := ba.Authenticate(&ScopedAuthRequest{Request: req1})
	assert.False(t, ok)
	assert.Equal(t, nil, usr)
	assert.NoError(t, err)

	req2, _ := http.NewRequest("GET", "/blah", nil)
	req2.Header.Set("Authorization", "Beare token123")

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req2})
	assert.False(t, ok)
	assert.Equal(t, nil, usr)
	assert.NoError(t, err)

	body := url.Values(map[string][]string{})
	body.Set("access_toke", "token123")
	req3, _ := http.NewRequest("POST", "/blah", strings.NewReader(body.Encode()))
	req3.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req3})
	assert.False(t, ok)
	assert.Equal(t, nil, usr)
	assert.NoError(t, err)

	mpbody := bytes.NewBuffer(nil)
	writer := multipart.NewWriter(mpbody)
	writer.WriteField("access_toke", "token123")
	writer.Close()
	req4, _ := http.NewRequest("POST", "/blah", mpbody)
	req4.Header.Set("Content-Type", writer.FormDataContentType())

	ok, usr, err = ba.Authenticate(&ScopedAuthRequest{Request: req4})
	assert.False(t, ok)
	assert.Equal(t, nil, usr)
	assert.NoError(t, err)
}