github.com/nats-io/nsc/v2@v2.8.7-0.20240307184528-efd7023c6896/cmd/editauthorization_test.go (about) 1 /* 2 * Copyright 2018-2023 The NATS Authors 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 package cmd 16 17 import ( 18 "fmt" 19 "testing" 20 21 "github.com/nats-io/jwt/v2" 22 23 "github.com/nats-io/nkeys" 24 "github.com/stretchr/testify/assert" 25 26 "github.com/stretchr/testify/require" 27 ) 28 29 func Test_EditAuthorizationNoFlags(t *testing.T) { 30 ts := NewTestStore(t, "test") 31 defer ts.Done(t) 32 33 ts.AddAccount(t, "A") 34 35 _, _, err := ExecuteCmd(createEditAuthorizationCallout()) 36 require.Error(t, err) 37 require.Equal(t, "please specify some options", err.Error()) 38 } 39 40 func Test_EditAuthorizationBadUser(t *testing.T) { 41 ts := NewTestStore(t, "test") 42 defer ts.Done(t) 43 44 ts.AddAccount(t, "A") 45 46 _, aPK, _ := CreateAccountKey(t) 47 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), "--auth-user", aPK) 48 require.Error(t, err) 49 require.Equal(t, fmt.Sprintf("%q is not a valid user key", aPK), err.Error()) 50 } 51 52 func Test_EditAuthorizationBadAccount(t *testing.T) { 53 ts := NewTestStore(t, "test") 54 defer ts.Done(t) 55 56 ts.AddAccount(t, "A") 57 58 _, aPK, _ := CreateUserKey(t) 59 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), "--allowed-account", aPK) 60 require.Error(t, err) 61 require.Equal(t, fmt.Sprintf("%q is not a valid account key", aPK), err.Error()) 62 } 63 64 func Test_EditAuthorizationBadNonNkey(t *testing.T) { 65 ts := NewTestStore(t, "test") 66 defer ts.Done(t) 67 68 ts.AddAccount(t, "A") 69 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), "--allowed-account", "hello") 70 require.Error(t, err) 71 require.Equal(t, fmt.Sprintf("%q is not a valid account key", "hello"), err.Error()) 72 } 73 74 func Test_EditAuthorizationJustUser(t *testing.T) { 75 ts := NewTestStore(t, "test") 76 defer ts.Done(t) 77 78 ts.AddAccount(t, "A") 79 80 _, uPK, _ := CreateUserKey(t) 81 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), "--auth-user", uPK) 82 require.NoError(t, err) 83 84 ac, err := ts.Store.ReadAccountClaim("A") 85 require.NoError(t, err) 86 require.Contains(t, ac.Authorization.AuthUsers, uPK) 87 } 88 89 func Test_EditAuthorizationJustAccount(t *testing.T) { 90 ts := NewTestStore(t, "test") 91 defer ts.Done(t) 92 93 ts.AddAccount(t, "A") 94 95 _, aPK, _ := CreateAccountKey(t) 96 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), "--allowed-account", aPK) 97 require.Error(t, err) 98 require.Contains(t, err.Error(), "External authorization cannot have accounts without users specified") 99 } 100 101 func Test_EditAuthorizationDelete(t *testing.T) { 102 ts := NewTestStore(t, "test") 103 defer ts.Done(t) 104 105 ts.AddAccount(t, "A") 106 107 _, uPK, _ := CreateUserKey(t) 108 _, aPK, _ := CreateAccountKey(t) 109 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), "--auth-user", uPK, "--allowed-account", aPK) 110 require.NoError(t, err) 111 112 ac, err := ts.Store.ReadAccountClaim("A") 113 require.NoError(t, err) 114 require.Contains(t, ac.Authorization.AuthUsers, uPK) 115 require.Contains(t, ac.Authorization.AllowedAccounts, aPK) 116 117 _, _, err = ExecuteCmd(createEditAuthorizationCallout(), "--disable") 118 require.NoError(t, err) 119 120 ac, err = ts.Store.ReadAccountClaim("A") 121 require.NoError(t, err) 122 require.Empty(t, ac.Authorization.AuthUsers) 123 require.Empty(t, ac.Authorization.AllowedAccounts) 124 } 125 126 func Test_EditAuthorizationWildcardBasics(t *testing.T) { 127 ts := NewTestStore(t, "O") 128 defer ts.Done(t) 129 130 ts.AddAccount(t, "A") 131 132 _, uPK, _ := CreateUserKey(t) 133 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), "--auth-user", uPK, "--allowed-account", jwt.AnyAccount) 134 require.NoError(t, err) 135 136 _, aPK, _ := CreateAccountKey(t) 137 _, _, err = ExecuteCmd(createEditAuthorizationCallout(), "--allowed-account", aPK) 138 require.Error(t, err) 139 require.Contains(t, err.Error(), "AllowedAccounts can only be a list of accounts or \"*\"") 140 141 _, _, err = ExecuteCmd(createEditAuthorizationCallout(), "--rm-allowed-account", jwt.AnyAccount) 142 require.NoError(t, err) 143 144 _, _, err = ExecuteCmd(createEditAuthorizationCallout(), "--allowed-account", aPK) 145 require.NoError(t, err) 146 } 147 148 func Test_EditAuthorizationDeleteUser(t *testing.T) { 149 ts := NewTestStore(t, "test") 150 defer ts.Done(t) 151 152 ts.AddAccount(t, "A") 153 154 _, uPK, _ := CreateUserKey(t) 155 _, u2PK, _ := CreateUserKey(t) 156 _, aPK, _ := CreateAccountKey(t) 157 _, a2PK, _ := CreateAccountKey(t) 158 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), 159 "--auth-user", fmt.Sprintf("%s,%s", uPK, u2PK), 160 "--allowed-account", fmt.Sprintf("%s,%s", aPK, a2PK)) 161 require.NoError(t, err) 162 163 ac, err := ts.Store.ReadAccountClaim("A") 164 require.NoError(t, err) 165 require.Contains(t, ac.Authorization.AuthUsers, uPK) 166 require.Contains(t, ac.Authorization.AuthUsers, u2PK) 167 require.Contains(t, ac.Authorization.AllowedAccounts, aPK) 168 require.Contains(t, ac.Authorization.AllowedAccounts, a2PK) 169 170 _, _, err = ExecuteCmd(createEditAuthorizationCallout(), 171 "--rm-auth-user", u2PK, 172 "--rm-allowed-account", a2PK) 173 require.NoError(t, err) 174 175 ac, err = ts.Store.ReadAccountClaim("A") 176 require.NoError(t, err) 177 require.Contains(t, ac.Authorization.AuthUsers, uPK) 178 require.NotContains(t, ac.Authorization.AuthUsers, u2PK) 179 require.Contains(t, ac.Authorization.AllowedAccounts, aPK) 180 require.NotContains(t, ac.Authorization.AllowedAccounts, a2PK) 181 } 182 183 func Test_EditAuthorizationCurveKey(t *testing.T) { 184 ts := NewTestStore(t, "test") 185 defer ts.Done(t) 186 187 ts.AddAccount(t, "A") 188 189 _, uPK, _ := CreateUserKey(t) 190 _, u2PK, _ := CreateUserKey(t) 191 _, aPK, _ := CreateAccountKey(t) 192 _, a2PK, _ := CreateAccountKey(t) 193 _, _, err := ExecuteCmd(createEditAuthorizationCallout(), 194 "--auth-user", fmt.Sprintf("%s,%s", uPK, u2PK), 195 "--allowed-account", fmt.Sprintf("%s,%s", aPK, a2PK), 196 "--curve", "generate") 197 require.NoError(t, err) 198 199 ac, err := ts.Store.ReadAccountClaim("A") 200 require.NoError(t, err) 201 require.Contains(t, ac.Authorization.AuthUsers, uPK) 202 require.Contains(t, ac.Authorization.AuthUsers, u2PK) 203 require.Contains(t, ac.Authorization.AllowedAccounts, aPK) 204 require.Contains(t, ac.Authorization.AllowedAccounts, a2PK) 205 require.NotEmpty(t, ac.Authorization.XKey) 206 require.True(t, nkeys.IsValidPublicCurveKey(ac.Authorization.XKey)) 207 208 // find the key in the store 209 kp, err := ts.KeyStore.GetKeyPair(ac.Authorization.XKey) 210 require.NoError(t, err) 211 sx, err := kp.Seed() 212 require.NoError(t, err) 213 assert.Equal(t, "SX", string(sx[0:2])) 214 215 _, _, err = ExecuteCmd(createEditAuthorizationCallout(), 216 "--rm-auth-user", u2PK, 217 "--rm-allowed-account", a2PK, 218 "--rm-curve") 219 require.NoError(t, err) 220 221 ac, err = ts.Store.ReadAccountClaim("A") 222 require.NoError(t, err) 223 require.Contains(t, ac.Authorization.AuthUsers, uPK) 224 require.NotContains(t, ac.Authorization.AuthUsers, u2PK) 225 require.Contains(t, ac.Authorization.AllowedAccounts, aPK) 226 require.NotContains(t, ac.Authorization.AllowedAccounts, a2PK) 227 require.Empty(t, ac.Authorization.XKey) 228 }