get.pme.sh/pnats@v0.0.0-20240304004023-26bb5a137ed0/test/auth_test.go (about) 1 // Copyright 2012-2019 The NATS Authors 2 // Licensed under the Apache License, Version 2.0 (the "License"); 3 // you may not use this file except in compliance with the License. 4 // You may obtain a copy of the License at 5 // 6 // http://www.apache.org/licenses/LICENSE-2.0 7 // 8 // Unless required by applicable law or agreed to in writing, software 9 // distributed under the License is distributed on an "AS IS" BASIS, 10 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 // See the License for the specific language governing permissions and 12 // limitations under the License. 13 14 package test 15 16 import ( 17 "encoding/json" 18 "fmt" 19 "net" 20 "testing" 21 "time" 22 23 "get.pme.sh/pnats/server" 24 ) 25 26 func doAuthConnect(t tLogger, c net.Conn, token, user, pass string) { 27 cs := fmt.Sprintf("CONNECT {\"verbose\":true,\"auth_token\":\"%s\",\"user\":\"%s\",\"pass\":\"%s\"}\r\n", token, user, pass) 28 sendProto(t, c, cs) 29 } 30 31 func testInfoForAuth(t tLogger, infojs []byte) bool { 32 var sinfo server.Info 33 err := json.Unmarshal(infojs, &sinfo) 34 if err != nil { 35 t.Fatalf("Could not unmarshal INFO json: %v\n", err) 36 } 37 return sinfo.AuthRequired 38 } 39 40 func expectAuthRequired(t tLogger, c net.Conn) { 41 buf := expectResult(t, c, infoRe) 42 infojs := infoRe.FindAllSubmatch(buf, 1)[0][1] 43 if !testInfoForAuth(t, infojs) { 44 t.Fatalf("Expected server to require authorization: '%s'", infojs) 45 } 46 } 47 48 //////////////////////////////////////////////////////////// 49 // The authorization token version 50 //////////////////////////////////////////////////////////// 51 52 const AUTH_PORT = 10422 53 const AUTH_TOKEN = "_YZZ22_" 54 55 func runAuthServerWithToken() *server.Server { 56 opts := DefaultTestOptions 57 opts.Port = AUTH_PORT 58 opts.Authorization = AUTH_TOKEN 59 return RunServer(&opts) 60 } 61 62 func TestNoAuthClient(t *testing.T) { 63 s := runAuthServerWithToken() 64 defer s.Shutdown() 65 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 66 defer c.Close() 67 expectAuthRequired(t, c) 68 doAuthConnect(t, c, "", "", "") 69 expectResult(t, c, errRe) 70 } 71 72 func TestAuthClientBadToken(t *testing.T) { 73 s := runAuthServerWithToken() 74 defer s.Shutdown() 75 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 76 defer c.Close() 77 expectAuthRequired(t, c) 78 doAuthConnect(t, c, "ZZZ", "", "") 79 expectResult(t, c, errRe) 80 } 81 82 func TestAuthClientNoConnect(t *testing.T) { 83 s := runAuthServerWithToken() 84 defer s.Shutdown() 85 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 86 defer c.Close() 87 expectAuthRequired(t, c) 88 // This is timing dependent.. 89 time.Sleep(server.AUTH_TIMEOUT) 90 expectResult(t, c, errRe) 91 } 92 93 func TestAuthClientGoodConnect(t *testing.T) { 94 s := runAuthServerWithToken() 95 defer s.Shutdown() 96 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 97 defer c.Close() 98 expectAuthRequired(t, c) 99 doAuthConnect(t, c, AUTH_TOKEN, "", "") 100 expectResult(t, c, okRe) 101 } 102 103 func TestAuthClientFailOnEverythingElse(t *testing.T) { 104 s := runAuthServerWithToken() 105 defer s.Shutdown() 106 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 107 defer c.Close() 108 expectAuthRequired(t, c) 109 sendProto(t, c, "PUB foo 2\r\nok\r\n") 110 expectResult(t, c, errRe) 111 } 112 113 //////////////////////////////////////////////////////////// 114 // The username/password version 115 //////////////////////////////////////////////////////////// 116 117 const AUTH_USER = "derek" 118 const AUTH_PASS = "foobar" 119 120 func runAuthServerWithUserPass() *server.Server { 121 opts := DefaultTestOptions 122 opts.Port = AUTH_PORT 123 opts.Username = AUTH_USER 124 opts.Password = AUTH_PASS 125 return RunServer(&opts) 126 } 127 128 func TestNoUserOrPasswordClient(t *testing.T) { 129 s := runAuthServerWithUserPass() 130 defer s.Shutdown() 131 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 132 defer c.Close() 133 expectAuthRequired(t, c) 134 doAuthConnect(t, c, "", "", "") 135 expectResult(t, c, errRe) 136 } 137 138 func TestBadUserClient(t *testing.T) { 139 s := runAuthServerWithUserPass() 140 defer s.Shutdown() 141 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 142 defer c.Close() 143 expectAuthRequired(t, c) 144 doAuthConnect(t, c, "", "derekzz", AUTH_PASS) 145 expectResult(t, c, errRe) 146 } 147 148 func TestBadPasswordClient(t *testing.T) { 149 s := runAuthServerWithUserPass() 150 defer s.Shutdown() 151 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 152 defer c.Close() 153 expectAuthRequired(t, c) 154 doAuthConnect(t, c, "", AUTH_USER, "ZZ") 155 expectResult(t, c, errRe) 156 } 157 158 func TestPasswordClientGoodConnect(t *testing.T) { 159 s := runAuthServerWithUserPass() 160 defer s.Shutdown() 161 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 162 defer c.Close() 163 expectAuthRequired(t, c) 164 doAuthConnect(t, c, "", AUTH_USER, AUTH_PASS) 165 expectResult(t, c, okRe) 166 } 167 168 //////////////////////////////////////////////////////////// 169 // The bcrypt username/password version 170 //////////////////////////////////////////////////////////// 171 172 // Generated with nats server passwd (Cost 4 because of cost of --race, default is 11) 173 const BCRYPT_AUTH_PASS = "IW@$6v(y1(t@fhPDvf!5^%" 174 const BCRYPT_AUTH_HASH = "$2a$04$Q.CgCP2Sl9pkcTXEZHazaeMwPaAkSHk7AI51HkyMt5iJQQyUA4qxq" 175 176 func runAuthServerWithBcryptUserPass() *server.Server { 177 opts := DefaultTestOptions 178 opts.Port = AUTH_PORT 179 opts.Username = AUTH_USER 180 opts.Password = BCRYPT_AUTH_HASH 181 return RunServer(&opts) 182 } 183 184 func TestBadBcryptPassword(t *testing.T) { 185 s := runAuthServerWithBcryptUserPass() 186 defer s.Shutdown() 187 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 188 defer c.Close() 189 expectAuthRequired(t, c) 190 doAuthConnect(t, c, "", AUTH_USER, BCRYPT_AUTH_HASH) 191 expectResult(t, c, errRe) 192 } 193 194 func TestGoodBcryptPassword(t *testing.T) { 195 s := runAuthServerWithBcryptUserPass() 196 defer s.Shutdown() 197 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 198 defer c.Close() 199 expectAuthRequired(t, c) 200 doAuthConnect(t, c, "", AUTH_USER, BCRYPT_AUTH_PASS) 201 expectResult(t, c, okRe) 202 } 203 204 //////////////////////////////////////////////////////////// 205 // The bcrypt authorization token version 206 //////////////////////////////////////////////////////////// 207 208 const BCRYPT_AUTH_TOKEN = "0uhJOSr3GW7xvHvtd^K6pa" 209 const BCRYPT_AUTH_TOKEN_HASH = "$2a$04$u5ZClXpcjHgpfc61Ee0VKuwI1K3vTC4zq7SjphjnlHMeb1Llkb5Y6" 210 211 func runAuthServerWithBcryptToken() *server.Server { 212 opts := DefaultTestOptions 213 opts.Port = AUTH_PORT 214 opts.Authorization = BCRYPT_AUTH_TOKEN_HASH 215 return RunServer(&opts) 216 } 217 218 func TestBadBcryptToken(t *testing.T) { 219 s := runAuthServerWithBcryptToken() 220 defer s.Shutdown() 221 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 222 defer c.Close() 223 expectAuthRequired(t, c) 224 doAuthConnect(t, c, BCRYPT_AUTH_TOKEN_HASH, "", "") 225 expectResult(t, c, errRe) 226 } 227 228 func TestGoodBcryptToken(t *testing.T) { 229 s := runAuthServerWithBcryptToken() 230 defer s.Shutdown() 231 c := createClientConn(t, "127.0.0.1", AUTH_PORT) 232 defer c.Close() 233 expectAuthRequired(t, c) 234 doAuthConnect(t, c, BCRYPT_AUTH_TOKEN, "", "") 235 expectResult(t, c, okRe) 236 }