github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/pkg/auth/auth_test.go (about)

     1  // Copyright 2021 syzkaller project authors. All rights reserved.
     2  // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
     3  
     4  package auth
     5  
     6  import (
     7  	"encoding/json"
     8  	"fmt"
     9  	"net/http"
    10  	"net/http/httptest"
    11  	"strings"
    12  	"testing"
    13  	"time"
    14  )
    15  
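// reponseFor starts a stub token-info server that answers every request with
// the given claims encoded as JSON, and returns it together with an Endpoint
// pointed at that server. The caller must Close the returned server.
//
// The stub ignores the incoming request entirely: whatever bearer value a test
// sends, the same claims come back. The tests built on it therefore exercise
// only the checks DetermineAuthSubj applies to the returned claims, not any
// verification of the token itself.
func reponseFor(t *testing.T, claims jwtClaims) (*httptest.Server, Endpoint) {
	t.Helper()
	// Encode once, on the test goroutine: t.Fatalf must not be called from the
	// goroutine that serves HTTP requests. The expiration is sent as a decimal
	// Unix timestamp inside a string.
	body, err := json.Marshal(jwtClaimsParse{
		Subject:    claims.Subject,
		Audience:   claims.Audience,
		Expiration: fmt.Sprint(claims.Expiration.Unix()),
	})
	if err != nil {
		t.Fatalf("marshal %v", err)
	}
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		// Errorf (unlike Fatalf) is safe to call from the handler goroutine.
		if _, err := w.Write(body); err != nil {
			t.Errorf("write %v", err)
		}
	}))
	return ts, MakeEndpoint(ts.URL)
}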
    31  
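// TestBearerValid checks that claims carrying the dashboard audience and an
// expiration one day after the reference time are accepted, and that the
// returned subject ends with the subject taken from the claims.
func TestBearerValid(t *testing.T) {
	now := time.Now()
	want := "ValidSubj"
	srv, endpoint := reponseFor(t, jwtClaims{
		Subject:    want,
		Audience:   DashboardAudience,
		Expiration: now.AddDate(0, 0, 1),
	})
	defer srv.Close()

	got, err := endpoint.DetermineAuthSubj(now, []string{"Bearer x"})
	if err != nil {
		// Stop here: the subject is meaningless once an error is returned.
		t.Fatalf("unexpected error %v", err)
	}
	// Only the suffix is compared, so whatever DetermineAuthSubj puts in front
	// of the subject is not pinned by this test.
	// NOTE(review): comparing against the full expected value would be
	// stricter; confirm the prefix against DetermineAuthSubj.
	if !strings.HasSuffix(got, want) {
		t.Errorf("wrong subj %v not suffix of %v", want, got)
	}
}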
    50  
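// TestBearerWrongAudience checks that claims issued for an audience other than
// the dashboard are rejected with an "unexpected audience" error, even though
// the token has not expired.
func TestBearerWrongAudience(t *testing.T) {
	now := time.Now()
	srv, endpoint := reponseFor(t, jwtClaims{
		Subject:    "irrelevant",
		Expiration: now.AddDate(0, 0, 1),
		Audience:   "junk",
	})
	defer srv.Close()

	got, err := endpoint.DetermineAuthSubj(now, []string{"Bearer x"})
	// Guard against a nil error first: if the audience check ever regressed and
	// the token were accepted, err.Error() would panic instead of reporting a
	// clear failure.
	if err == nil {
		t.Fatalf("token with wrong audience was accepted, subj %q", got)
	}
	if !strings.HasPrefix(err.Error(), "unexpected audience") {
		t.Fatalf("unexpected error %v", err)
	}
	// Same expectation TestBadHttpStatus places on its error path: a rejected
	// token must not yield a subject.
	if got != "" {
		t.Errorf("rejected token still produced subj %q", got)
	}
}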
    65  
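// TestBearerExpired checks that claims whose expiration lies one day before the
// reference time are rejected with a "token past expiration" error, even
// though the audience is the expected one.
func TestBearerExpired(t *testing.T) {
	now := time.Now()
	srv, endpoint := reponseFor(t, jwtClaims{
		Subject:    "irrelevant",
		Expiration: now.AddDate(0, 0, -1),
		Audience:   DashboardAudience,
	})
	defer srv.Close()

	got, err := endpoint.DetermineAuthSubj(now, []string{"Bearer x"})
	// Guard against a nil error first: if the expiry check ever regressed and
	// the token were accepted, err.Error() would panic instead of reporting a
	// clear failure.
	if err == nil {
		t.Fatalf("expired token was accepted, subj %q", got)
	}
	if !strings.HasPrefix(err.Error(), "token past expiration") {
		t.Fatalf("unexpected error %v", err)
	}
	// Same expectation TestBadHttpStatus places on its error path: a rejected
	// token must not yield a subject.
	if got != "" {
		t.Errorf("rejected token still produced subj %q", got)
	}
}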
    80  
// TestMissingHeader checks that a call carrying no authorization values at all
// yields an empty subject and a nil error.
//
// Nothing in this outcome signals a failure, so the empty subject is the only
// indication that no bearer identity was established.
// NOTE(review): presumably callers must treat an empty subject as
// unauthenticated; verify against the callers of DetermineAuthSubj.
func TestMissingHeader(t *testing.T) {
	srv, endpoint := reponseFor(t, jwtClaims{})
	defer srv.Close()

	subj, err := endpoint.DetermineAuthSubj(time.Now(), []string{})
	if err == nil && subj == "" {
		return
	}
	t.Errorf("unexpected error %v %v", subj, err)
}
    89  
// TestBadHeader checks that a single authorization value without the "Bearer"
// form used by the other tests yields an empty subject and a nil error, the
// same outcome as a missing header.
//
// NOTE(review): a malformed header is therefore indistinguishable from an
// absent one at this layer; presumably callers treat the empty subject as
// unauthenticated. Verify against the callers of DetermineAuthSubj.
func TestBadHeader(t *testing.T) {
	srv, endpoint := reponseFor(t, jwtClaims{})
	defer srv.Close()

	malformed := []string{"bad"}
	subj, err := endpoint.DetermineAuthSubj(time.Now(), malformed)
	if err == nil && subj == "" {
		return
	}
	t.Errorf("unexpected error %v %v", subj, err)
}
    98  
// TestBadHttpStatus checks that a 400 response from the token-info server is
// surfaced as an error whose text ends in "400", and that no subject is
// returned alongside it.
func TestBadHttpStatus(t *testing.T) {
	// Stub server that rejects every request without a body.
	reject := func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusBadRequest)
	}
	srv := httptest.NewServer(http.HandlerFunc(reject))
	defer srv.Close()

	endpoint := MakeEndpoint(srv.URL)
	subj, err := endpoint.DetermineAuthSubj(time.Now(), []string{"Bearer x"})
	// err is tested for nil first, so err.Error() is never reached on a nil error.
	rejected := err != nil && strings.HasSuffix(err.Error(), "400") && subj == ""
	if !rejected {
		t.Errorf("unexpected error %v %v", subj, err)
	}
}