github.com/Tyktechnologies/tyk@v2.9.5+incompatible/gateway/auth_manager_test.go

github.com/Tyktechnologies/tyk@v2.9.5+incompatible/gateway/auth_manager_test.go (about)

     1  package gateway
     2  
     3  import (
     4  	"crypto/x509"
     5  	"net/http"
     6  	"sync"
     7  	"testing"
     8  
     9  	"github.com/TykTechnologies/tyk/apidef"
    10  	"github.com/TykTechnologies/tyk/certs"
    11  	"github.com/TykTechnologies/tyk/headers"
    12  
    13  	"github.com/TykTechnologies/tyk/storage"
    14  
    15  	"github.com/TykTechnologies/tyk/config"
    16  	"github.com/TykTechnologies/tyk/test"
    17  	"github.com/TykTechnologies/tyk/user"
    18  )
    19  
    20  func TestAuthenticationAfterDeleteKey(t *testing.T) {
    21  	assert := func(hashKeys bool) {
    22  		globalConf := config.Global()
    23  		globalConf.HashKeys = hashKeys
    24  		config.SetGlobal(globalConf)
    25  
    26  		ts := StartTest()
    27  		defer ts.Close()
    28  
    29  		api := BuildAndLoadAPI(func(spec *APISpec) {
    30  			spec.UseKeylessAccess = false
    31  			spec.Proxy.ListenPath = "/"
    32  		})[0]
    33  
    34  		key := CreateSession(func(s *user.SessionState) {
    35  			s.SetAccessRights(map[string]user.AccessDefinition{api.APIID: {
    36  				APIID: api.APIID,
    37  			}})
    38  			s.Mutex = &sync.RWMutex{}
    39  		})
    40  		deletePath := "/tyk/keys/" + key
    41  		authHeader := map[string]string{
    42  			"authorization": key,
    43  		}
    44  
    45  		ts.Run(t, []test.TestCase{
    46  			{Path: "/get", Headers: authHeader, Code: http.StatusOK},
    47  			{Method: http.MethodDelete, Path: deletePath, AdminAuth: true, Code: http.StatusOK, BodyMatch: `"action":"deleted"`},
    48  			{Path: "/get", Headers: authHeader, Code: http.StatusForbidden},
    49  		}...)
    50  	}
    51  
    52  	t.Run("HashKeys=false", func(t *testing.T) {
    53  		assert(false)
    54  	})
    55  
    56  	t.Run("HashKeys=true", func(t *testing.T) {
    57  		assert(true)
    58  	})
    59  }
    60  
    61  func TestAuthenticationAfterUpdateKey(t *testing.T) {
    62  	assert := func(hashKeys bool) {
    63  		globalConf := config.Global()
    64  		globalConf.HashKeys = hashKeys
    65  		config.SetGlobal(globalConf)
    66  
    67  		ts := StartTest()
    68  		defer ts.Close()
    69  
    70  		api := BuildAndLoadAPI(func(spec *APISpec) {
    71  			spec.UseKeylessAccess = false
    72  			spec.Proxy.ListenPath = "/"
    73  		})[0]
    74  
    75  		key := generateToken("", "")
    76  
    77  		session := CreateStandardSession()
    78  		session.SetAccessRights(map[string]user.AccessDefinition{api.APIID: {
    79  			APIID: api.APIID,
    80  		}})
    81  
    82  		FallbackKeySesionManager.UpdateSession(storage.HashKey(key), session, 0, config.Global().HashKeys)
    83  
    84  		authHeader := map[string]string{
    85  			"authorization": key,
    86  		}
    87  
    88  		ts.Run(t, []test.TestCase{
    89  			{Path: "/get", Headers: authHeader, Code: http.StatusOK},
    90  		}...)
    91  
    92  		session.SetAccessRights(map[string]user.AccessDefinition{"dummy": {
    93  			APIID: "dummy",
    94  		}})
    95  
    96  		FallbackKeySesionManager.UpdateSession(storage.HashKey(key), session, 0, config.Global().HashKeys)
    97  
    98  		ts.Run(t, []test.TestCase{
    99  			{Path: "/get", Headers: authHeader, Code: http.StatusForbidden},
   100  		}...)
   101  
   102  	}
   103  
   104  	t.Run("HashKeys=false", func(t *testing.T) {
   105  		assert(false)
   106  	})
   107  
   108  	t.Run("HashKeys=true", func(t *testing.T) {
   109  		assert(true)
   110  	})
   111  }
   112  
   113  func TestHashKeyFunctionChanged(t *testing.T) {
   114  	_, _, combinedPEM, _ := genServerCertificate()
   115  	serverCertID, _ := CertificateManager.Add(combinedPEM, "")
   116  	defer CertificateManager.Delete(serverCertID, "")
   117  
   118  	_, _, _, clientCert := genCertificate(&x509.Certificate{})
   119  	clientCertID := certs.HexSHA256(clientCert.Certificate[0])
   120  	client := GetTLSClient(nil, nil)
   121  
   122  	globalConf := config.Global()
   123  	globalConf.HttpServerOptions.UseSSL = true
   124  	globalConf.HttpServerOptions.SSLCertificates = []string{serverCertID}
   125  	globalConf.HashKeys = true
   126  	globalConf.HashKeyFunction = "murmur64"
   127  	globalConf.LocalSessionCache.DisableCacheSessionState = true
   128  	config.SetGlobal(globalConf)
   129  
   130  	defer ResetTestConfig()
   131  
   132  	g := StartTest()
   133  	defer g.Close()
   134  
   135  	api := BuildAndLoadAPI(func(spec *APISpec) {
   136  		spec.Proxy.ListenPath = "/"
   137  		spec.UseKeylessAccess = false
   138  		spec.AuthConfigs = map[string]apidef.AuthConfig{
   139  			authTokenType: {UseCertificate: true},
   140  		}
   141  	})[0]
   142  
   143  	globalConf = config.Global()
   144  
   145  	testChangeHashFunc := func(t *testing.T, authHeader map[string]string, client *http.Client, failCode int) {
   146  		_, _ = g.Run(t, test.TestCase{Headers: authHeader, Client: client, Code: http.StatusOK})
   147  
   148  		globalConf.HashKeyFunction = "sha256"
   149  		config.SetGlobal(globalConf)
   150  
   151  		_, _ = g.Run(t, test.TestCase{Headers: authHeader, Client: client, Code: failCode})
   152  
   153  		globalConf.HashKeyFunctionFallback = []string{"murmur64"}
   154  		config.SetGlobal(globalConf)
   155  
   156  		_, _ = g.Run(t, test.TestCase{Headers: authHeader, Client: client, Code: http.StatusOK})
   157  
   158  		// Reset
   159  		globalConf.HashKeyFunction = "murmur64"
   160  		globalConf.HashKeyFunctionFallback = nil
   161  		config.SetGlobal(globalConf)
   162  	}
   163  
   164  	t.Run("custom key", func(t *testing.T) {
   165  		const customKey = "custom-key"
   166  
   167  		session := CreateStandardSession()
   168  		session.AccessRights = map[string]user.AccessDefinition{"test": {
   169  			APIID: "test", Versions: []string{"v1"},
   170  		}}
   171  
   172  		_, _ = g.Run(t, test.TestCase{AdminAuth: true, Method: http.MethodPost, Path: "/tyk/keys/" + customKey,
   173  			Data: session, Client: client, Code: http.StatusOK})
   174  
   175  		testChangeHashFunc(t, map[string]string{headers.Authorization: customKey}, client, http.StatusForbidden)
   176  	})
   177  
   178  	t.Run("basic auth key", func(t *testing.T) {
   179  		api.UseBasicAuth = true
   180  		LoadAPI(api)
   181  		globalConf = config.Global()
   182  
   183  		session := CreateStandardSession()
   184  		session.BasicAuthData.Password = "password"
   185  		session.AccessRights = map[string]user.AccessDefinition{"test": {
   186  			APIID: "test", Versions: []string{"v1"},
   187  		}}
   188  
   189  		_, _ = g.Run(t, test.TestCase{AdminAuth: true, Method: http.MethodPost, Path: "/tyk/keys/user",
   190  			Data: session, Client: client, Code: http.StatusOK})
   191  
   192  		authHeader := map[string]string{"Authorization": genAuthHeader("user", "password")}
   193  
   194  		testChangeHashFunc(t, authHeader, client, http.StatusUnauthorized)
   195  
   196  		api.UseBasicAuth = false
   197  		LoadAPI(api)
   198  		globalConf = config.Global()
   199  	})
   200  
   201  	t.Run("client certificate", func(t *testing.T) {
   202  		session := CreateStandardSession()
   203  		session.Certificate = clientCertID
   204  		session.BasicAuthData.Password = "password"
   205  		session.AccessRights = map[string]user.AccessDefinition{"test": {
   206  			APIID: "test", Versions: []string{"v1"},
   207  		}}
   208  
   209  		_, _ = g.Run(t, test.TestCase{AdminAuth: true, Method: http.MethodPost, Path: "/tyk/keys/create",
   210  			Data: session, Client: client, Code: http.StatusOK})
   211  
   212  		client = GetTLSClient(&clientCert, nil)
   213  		testChangeHashFunc(t, nil, client, http.StatusForbidden)
   214  	})
   215  }