github.com/pf-qiu/concourse/v6@v6.7.3-0.20201207032516-1f455d73275f/atc/api/auth/check_worker_team_access_handler_test.go (about)

     1  package auth_test
     2  
     3  import (
     4  	"errors"
     5  	"net/http"
     6  	"net/http/httptest"
     7  
     8  	"github.com/pf-qiu/concourse/v6/atc"
     9  	"github.com/pf-qiu/concourse/v6/atc/api/accessor"
    10  	"github.com/pf-qiu/concourse/v6/atc/api/accessor/accessorfakes"
    11  	"github.com/pf-qiu/concourse/v6/atc/api/auth"
    12  	"github.com/pf-qiu/concourse/v6/atc/auditor/auditorfakes"
    13  	"github.com/pf-qiu/concourse/v6/atc/db/dbfakes"
    14  	"github.com/tedsuo/rata"
    15  
    16  	. "github.com/onsi/ginkgo"
    17  	. "github.com/onsi/gomega"
    18  )
    19  
    20  var _ = Describe("CheckWorkerTeamAccessHandler", func() {
    21  	var (
    22  		response      *http.Response
    23  		server        *httptest.Server
    24  		delegate      *workerDelegateHandler
    25  		workerFactory *dbfakes.FakeWorkerFactory
    26  		handler       http.Handler
    27  
    28  		fakeAccessor *accessorfakes.FakeAccessFactory
    29  		fakeaccess   *accessorfakes.FakeAccess
    30  		fakeWorker   *dbfakes.FakeWorker
    31  	)
    32  
    33  	BeforeEach(func() {
    34  		workerFactory = new(dbfakes.FakeWorkerFactory)
    35  		fakeAccessor = new(accessorfakes.FakeAccessFactory)
    36  		fakeaccess = new(accessorfakes.FakeAccess)
    37  
    38  		handlerFactory := auth.NewCheckWorkerTeamAccessHandlerFactory(workerFactory)
    39  
    40  		delegate = &workerDelegateHandler{}
    41  		innerHandler := handlerFactory.HandlerFor(delegate, auth.UnauthorizedRejector{})
    42  
    43  		handler = accessor.NewHandler(
    44  			logger,
    45  			"some-action",
    46  			innerHandler,
    47  			fakeAccessor,
    48  			new(auditorfakes.FakeAuditor),
    49  			map[string]string{},
    50  		)
    51  	})
    52  
    53  	JustBeforeEach(func() {
    54  		fakeAccessor.CreateReturns(fakeaccess, nil)
    55  		routes := rata.Routes{}
    56  		for _, route := range atc.Routes {
    57  			if route.Name == atc.RetireWorker {
    58  				routes = append(routes, route)
    59  			}
    60  		}
    61  
    62  		router, err := rata.NewRouter(routes, map[string]http.Handler{
    63  			atc.RetireWorker: handler,
    64  		})
    65  		Expect(err).NotTo(HaveOccurred())
    66  		server = httptest.NewServer(router)
    67  
    68  		requestGenerator := rata.NewRequestGenerator(server.URL, atc.Routes)
    69  		request, err := requestGenerator.CreateRequest(atc.RetireWorker, rata.Params{
    70  			"worker_name": "some-worker",
    71  			"team_name":   "some-team",
    72  		}, nil)
    73  		Expect(err).NotTo(HaveOccurred())
    74  
    75  		response, err = new(http.Client).Do(request)
    76  		Expect(err).NotTo(HaveOccurred())
    77  	})
    78  
    79  	var _ = AfterEach(func() {
    80  		server.Close()
    81  	})
    82  
    83  	Context("when not authenticated", func() {
    84  		BeforeEach(func() {
    85  			fakeaccess.IsAuthenticatedReturns(false)
    86  		})
    87  
    88  		It("returns 401", func() {
    89  			Expect(response.StatusCode).To(Equal(http.StatusUnauthorized))
    90  		})
    91  
    92  		It("does not call the scoped handler", func() {
    93  			Expect(delegate.IsCalled).To(BeFalse())
    94  		})
    95  	})
    96  
    97  	Context("when authenticated", func() {
    98  		BeforeEach(func() {
    99  			fakeaccess.IsAuthenticatedReturns(true)
   100  			fakeaccess.IsAuthorizedReturns(true)
   101  		})
   102  
   103  		Context("when worker exists and belongs to a team", func() {
   104  			BeforeEach(func() {
   105  				fakeWorker = new(dbfakes.FakeWorker)
   106  				fakeWorker.NameReturns("some-worker")
   107  				fakeWorker.TeamNameReturns("some-team")
   108  
   109  				workerFactory.GetWorkerReturns(fakeWorker, true, nil)
   110  			})
   111  
   112  			Context("when user is admin/system", func() {
   113  				BeforeEach(func() {
   114  					fakeaccess.IsAdminReturns(true)
   115  				})
   116  
   117  				It("calls worker delegate", func() {
   118  					Expect(delegate.IsCalled).To(BeTrue())
   119  					Expect(response.StatusCode).To(Equal(http.StatusOK))
   120  				})
   121  				It("returns 200", func() {
   122  					Expect(response.StatusCode).To(Equal(http.StatusOK))
   123  				})
   124  			})
   125  
   126  			Context("when team in auth matches worker team", func() {
   127  				BeforeEach(func() {
   128  					fakeaccess.IsAuthorizedReturns(true)
   129  				})
   130  
   131  				It("fetches worker by the correct name", func() {
   132  					Expect(workerFactory.GetWorkerArgsForCall(0)).To(Equal("some-worker"))
   133  				})
   134  
   135  				It("calls worker delegate", func() {
   136  					Expect(delegate.IsCalled).To(BeTrue())
   137  					Expect(response.StatusCode).To(Equal(http.StatusOK))
   138  				})
   139  			})
   140  
   141  			Context("when team in auth does not match worker team", func() {
   142  				BeforeEach(func() {
   143  					fakeaccess.IsAuthorizedReturns(false)
   144  				})
   145  
   146  				It("fetches worker by the correct name", func() {
   147  					Expect(workerFactory.GetWorkerArgsForCall(0)).To(Equal("some-worker"))
   148  				})
   149  
   150  				It("does not call worker delegate", func() {
   151  					Expect(delegate.IsCalled).To(BeFalse())
   152  				})
   153  
   154  				It("returns 403 Forbidden", func() {
   155  					Expect(response.StatusCode).To(Equal(http.StatusForbidden))
   156  				})
   157  			})
   158  		})
   159  
   160  		Context("when worker is not owned by a team", func() {
   161  			BeforeEach(func() {
   162  				fakeaccess.IsAuthorizedReturns(false)
   163  				fakeWorker = new(dbfakes.FakeWorker)
   164  				fakeWorker.NameReturns("some-worker")
   165  
   166  				workerFactory.GetWorkerReturns(fakeWorker, true, nil)
   167  			})
   168  
   169  			Context("when user is admin/system", func() {
   170  				BeforeEach(func() {
   171  					fakeaccess.IsAdminReturns(true)
   172  				})
   173  
   174  				It("calls worker delegate", func() {
   175  					Expect(delegate.IsCalled).To(BeTrue())
   176  					Expect(response.StatusCode).To(Equal(http.StatusOK))
   177  				})
   178  				It("returns 200", func() {
   179  					Expect(response.StatusCode).To(Equal(http.StatusOK))
   180  				})
   181  			})
   182  
   183  			Context("when user is not admin/system", func() {
   184  				BeforeEach(func() {
   185  					fakeaccess.IsAdminReturns(false)
   186  				})
   187  
   188  				It("does not call worker delegate", func() {
   189  					Expect(delegate.IsCalled).To(BeFalse())
   190  				})
   191  
   192  				It("returns 403 Forbidden", func() {
   193  					Expect(response.StatusCode).To(Equal(http.StatusForbidden))
   194  				})
   195  			})
   196  		})
   197  
   198  		Context("when worker does not exist", func() {
   199  			BeforeEach(func() {
   200  				workerFactory.GetWorkerReturns(nil, false, nil)
   201  			})
   202  
   203  			It("does not call worker delegate", func() {
   204  				Expect(delegate.IsCalled).To(BeFalse())
   205  			})
   206  
   207  			It("returns 404 Not found", func() {
   208  				Expect(response.StatusCode).To(Equal(http.StatusNotFound))
   209  			})
   210  		})
   211  
   212  		Context("when getting worker fails", func() {
   213  			BeforeEach(func() {
   214  				workerFactory.GetWorkerReturns(nil, false, errors.New("disaster"))
   215  			})
   216  
   217  			It("returns 500", func() {
   218  				Expect(response.StatusCode).To(Equal(http.StatusInternalServerError))
   219  			})
   220  
   221  			It("does not call the scoped handler", func() {
   222  				Expect(delegate.IsCalled).To(BeFalse())
   223  			})
   224  		})
   225  	})
   226  })
   227  
   228  type workerDelegateHandler struct {
   229  	IsCalled bool
   230  }
   231  
   232  func (handler *workerDelegateHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
   233  	handler.IsCalled = true
   234  }