auth
auth/client_test.go
Test our GetClientHandler function, add isAuthError helper. Add a helper that identifies whether the error passed to it is an authentication error or is some other type of error. This is useful fo checking whether or not an internal error occurred while authenticating users. Update all instances where we call our authentication helper to make them use the new error helper. All tests continue to pass. Add a new test case for retrieving a client as an unauthenticated user. This clears the client's secret from the response before sending it. Update the GetClientHandler function to return the secret when the owner of the client used Basic Auth in the request. Add a new test case for retrieving a client as an authenticated user, both the owner and a non-owner user. This makes sure the secret is divulged only in the appropriate cases.
1.1 --- a/client_test.go Fri Mar 06 19:27:19 2015 -0500 1.2 +++ b/client_test.go Sat Mar 07 01:06:04 2015 -0500 1.3 @@ -4,6 +4,7 @@ 1.4 "bytes" 1.5 "encoding/json" 1.6 "fmt" 1.7 + "github.com/gorilla/mux" 1.8 "io/ioutil" 1.9 "net/http" 1.10 "net/http/httptest" 1.11 @@ -800,6 +801,364 @@ 1.12 } 1.13 } 1.14 1.15 +func TestGetClientHandler(t *testing.T) { 1.16 + t.Parallel() 1.17 + memstore := NewMemstore() 1.18 + c := Context{ 1.19 + clients: memstore, 1.20 + profiles: memstore, 1.21 + } 1.22 + client := Client{ 1.23 + ID: uuid.NewID(), 1.24 + Secret: "myawesomesecret", 1.25 + OwnerID: uuid.NewID(), 1.26 + Name: "Test Client", 1.27 + Logo: "https://auth.secondbit.org/logo.png", 1.28 + Website: "https://code.secondbit.org", 1.29 + Type: clientTypeConfidential, 1.30 + } 1.31 + err := c.SaveClient(client) 1.32 + if err != nil { 1.33 + t.Fatal("Can't store client in memstore:", err) 1.34 + } 1.35 + profile := Profile{ 1.36 + ID: uuid.NewID(), 1.37 + Name: "Test User", 1.38 + Passphrase: "f3a4ac4f1d657b2e6e776d24213e39406d50a87a52691a2a78891425af1271d0", 1.39 + Iterations: 1, 1.40 + Salt: "d82d92cfa8bfb5a08270ebbf39a3710d24b352b937fcc8959ebcb40384cc616b", 1.41 + PassphraseScheme: 1, 1.42 + Compromised: false, 1.43 + LockedUntil: time.Time{}, 1.44 + PassphraseReset: "", 1.45 + PassphraseResetCreated: time.Time{}, 1.46 + Created: time.Now(), 1.47 + LastSeen: time.Time{}, 1.48 + } 1.49 + login := Login{ 1.50 + Type: "email", 1.51 + Value: "test@example.com", 1.52 + ProfileID: profile.ID, 1.53 + Created: time.Now(), 1.54 + LastUsed: time.Time{}, 1.55 + } 1.56 + err = c.SaveProfile(profile) 1.57 + if err != nil { 1.58 + t.Error("Error saving profile:", err) 1.59 + } 1.60 + err = c.AddLogin(login) 1.61 + if err != nil { 1.62 + t.Error("Error adding login:", err) 1.63 + } 1.64 + router := mux.NewRouter() 1.65 + RegisterClientHandlers(router, c) 1.66 + w := httptest.NewRecorder() 1.67 + u := "https://test.auth.secondbit.org/clients/" + client.ID.String() 1.68 + r, err := http.NewRequest("GET", u, nil) 1.69 + if err != nil { 1.70 + t.Fatal("Can't build request:", err) 1.71 + } 1.72 + r.Header.Set("Content-Type", "application/json") 1.73 + router.ServeHTTP(w, r) 1.74 + if w.Code != http.StatusOK { 1.75 + t.Errorf("Expected response code to be %d, got %d", http.StatusOK, w.Code) 1.76 + } 1.77 + t.Logf("Response: %s", w.Body.String()) 1.78 + var res response 1.79 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.80 + if err != nil { 1.81 + t.Error("Unexpected error unmarshalling response:", err) 1.82 + } 1.83 + if len(res.Clients) != 1 { 1.84 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Clients)) 1.85 + } 1.86 + if res.Clients[0].Secret != "" { 1.87 + t.Error("Expected secret not to be set, but was set to", res.Clients[0].Secret) 1.88 + } 1.89 + // fill in the secret, which was omitted in the response 1.90 + res.Clients[0].Secret = client.Secret 1.91 + success, field, expectation, result := compareClients(client, res.Clients[0]) 1.92 + if !success { 1.93 + t.Errorf("Unexpected result for %s in response: expected %v, got %v", field, expectation, result) 1.94 + } 1.95 + 1.96 + // test for improperly formatted ID 1.97 + u = "https://test.auth.secondbit.org/clients/notanID" 1.98 + w = httptest.NewRecorder() 1.99 + r, err = http.NewRequest("GET", u, nil) 1.100 + if err != nil { 1.101 + t.Fatal("Can't build request:", err) 1.102 + } 1.103 + r.Header.Set("Content-Type", "application/json") 1.104 + router.ServeHTTP(w, r) 1.105 + if w.Code != http.StatusBadRequest { 1.106 + t.Errorf("Expected response code to be %d, got %d", http.StatusBadRequest, w.Code) 1.107 + } 1.108 + t.Logf("Response: %s", w.Body.String()) 1.109 + res = response{} 1.110 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.111 + if err != nil { 1.112 + t.Error("Unexpected error unmarshalling response:", err) 1.113 + } 1.114 + if len(res.Errors) != 1 { 1.115 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Errors)) 1.116 + } 1.117 + e := requestError{Slug: requestErrInvalidFormat, Param: "id"} 1.118 + success, field, expectation, result = compareErrors(e, res.Errors[0]) 1.119 + if !success { 1.120 + t.Errorf("Unexpected result for %s in error response: expected %v, got %v", field, expectation, result) 1.121 + } 1.122 + 1.123 + // test for a non-existent client 1.124 + u = "https://test.auth.secondbit.org/clients/" + uuid.NewID().String() 1.125 + w = httptest.NewRecorder() 1.126 + r, err = http.NewRequest("GET", u, nil) 1.127 + if err != nil { 1.128 + t.Fatal("Can't build request:", err) 1.129 + } 1.130 + r.Header.Set("Content-Type", "application/json") 1.131 + router.ServeHTTP(w, r) 1.132 + if w.Code != http.StatusNotFound { 1.133 + t.Errorf("Expected response code to be %d, got %d", http.StatusNotFound, w.Code) 1.134 + } 1.135 + t.Logf("Response: %s", w.Body.String()) 1.136 + res = response{} 1.137 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.138 + if err != nil { 1.139 + t.Error("Unexpected error unmarshalling response:", err) 1.140 + } 1.141 + if len(res.Errors) != 1 { 1.142 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Errors)) 1.143 + } 1.144 + e = requestError{Slug: requestErrNotFound, Param: "id"} 1.145 + success, field, expectation, result = compareErrors(e, res.Errors[0]) 1.146 + if !success { 1.147 + t.Errorf("Unexpected result for %s in error response: expected %v, got %v", field, expectation, result) 1.148 + } 1.149 +} 1.150 + 1.151 +func TestAuthenticatedGetClientHandler(t *testing.T) { 1.152 + t.Parallel() 1.153 + memstore := NewMemstore() 1.154 + c := Context{ 1.155 + clients: memstore, 1.156 + profiles: memstore, 1.157 + } 1.158 + client := Client{ 1.159 + ID: uuid.NewID(), 1.160 + Secret: "myawesomesecret", 1.161 + OwnerID: uuid.NewID(), 1.162 + Name: "Test Client", 1.163 + Logo: "https://auth.secondbit.org/logo.png", 1.164 + Website: "https://code.secondbit.org", 1.165 + Type: clientTypeConfidential, 1.166 + } 1.167 + err := c.SaveClient(client) 1.168 + if err != nil { 1.169 + t.Fatal("Can't store client in memstore:", err) 1.170 + } 1.171 + profile := Profile{ 1.172 + ID: client.OwnerID, 1.173 + Name: "Test User", 1.174 + Passphrase: "f3a4ac4f1d657b2e6e776d24213e39406d50a87a52691a2a78891425af1271d0", 1.175 + Iterations: 1, 1.176 + Salt: "d82d92cfa8bfb5a08270ebbf39a3710d24b352b937fcc8959ebcb40384cc616b", 1.177 + PassphraseScheme: 1, 1.178 + Compromised: false, 1.179 + LockedUntil: time.Time{}, 1.180 + PassphraseReset: "", 1.181 + PassphraseResetCreated: time.Time{}, 1.182 + Created: time.Now(), 1.183 + LastSeen: time.Time{}, 1.184 + } 1.185 + login := Login{ 1.186 + Type: "email", 1.187 + Value: "test@example.com", 1.188 + ProfileID: profile.ID, 1.189 + Created: time.Now(), 1.190 + LastUsed: time.Time{}, 1.191 + } 1.192 + err = c.SaveProfile(profile) 1.193 + if err != nil { 1.194 + t.Error("Error saving profile:", err) 1.195 + } 1.196 + err = c.AddLogin(login) 1.197 + if err != nil { 1.198 + t.Error("Error adding login:", err) 1.199 + } 1.200 + profile2 := Profile{ 1.201 + ID: uuid.NewID(), 1.202 + Name: "Test User", 1.203 + Passphrase: "f3a4ac4f1d657b2e6e776d24213e39406d50a87a52691a2a78891425af1271d0", 1.204 + Iterations: 1, 1.205 + Salt: "d82d92cfa8bfb5a08270ebbf39a3710d24b352b937fcc8959ebcb40384cc616b", 1.206 + PassphraseScheme: 1, 1.207 + Compromised: false, 1.208 + LockedUntil: time.Time{}, 1.209 + PassphraseReset: "", 1.210 + PassphraseResetCreated: time.Time{}, 1.211 + Created: time.Now(), 1.212 + LastSeen: time.Time{}, 1.213 + } 1.214 + login2 := Login{ 1.215 + Type: "email", 1.216 + Value: "test2@example.com", 1.217 + ProfileID: profile2.ID, 1.218 + Created: time.Now(), 1.219 + LastUsed: time.Time{}, 1.220 + } 1.221 + err = c.SaveProfile(profile2) 1.222 + if err != nil { 1.223 + t.Error("Error saving profile:", err) 1.224 + } 1.225 + err = c.AddLogin(login2) 1.226 + if err != nil { 1.227 + t.Error("Error adding login:", err) 1.228 + } 1.229 + router := mux.NewRouter() 1.230 + RegisterClientHandlers(router, c) 1.231 + w := httptest.NewRecorder() 1.232 + u := "https://test.auth.secondbit.org/clients/" + client.ID.String() 1.233 + r, err := http.NewRequest("GET", u, nil) 1.234 + if err != nil { 1.235 + t.Fatal("Can't build request:", err) 1.236 + } 1.237 + r.Header.Set("Content-Type", "application/json") 1.238 + r.SetBasicAuth(login.Value, "mysecurepassphrase") 1.239 + router.ServeHTTP(w, r) 1.240 + if w.Code != http.StatusOK { 1.241 + t.Errorf("Expected response code to be %d, got %d", http.StatusOK, w.Code) 1.242 + } 1.243 + t.Logf("Response: %s", w.Body.String()) 1.244 + var res response 1.245 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.246 + if err != nil { 1.247 + t.Error("Unexpected error unmarshalling response:", err) 1.248 + } 1.249 + if len(res.Clients) != 1 { 1.250 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Clients)) 1.251 + } 1.252 + success, field, expectation, result := compareClients(client, res.Clients[0]) 1.253 + if !success { 1.254 + t.Errorf("Unexpected result for %s in response: expected %v, got %v", field, expectation, result) 1.255 + } 1.256 + 1.257 + // test for improperly formatted ID 1.258 + u = "https://test.auth.secondbit.org/clients/notanID" 1.259 + w = httptest.NewRecorder() 1.260 + r, err = http.NewRequest("GET", u, nil) 1.261 + if err != nil { 1.262 + t.Fatal("Can't build request:", err) 1.263 + } 1.264 + r.Header.Set("Content-Type", "application/json") 1.265 + r.SetBasicAuth(login.Value, "mysecurepassphrase") 1.266 + router.ServeHTTP(w, r) 1.267 + if w.Code != http.StatusBadRequest { 1.268 + t.Errorf("Expected response code to be %d, got %d", http.StatusBadRequest, w.Code) 1.269 + } 1.270 + t.Logf("Response: %s", w.Body.String()) 1.271 + res = response{} 1.272 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.273 + if err != nil { 1.274 + t.Error("Unexpected error unmarshalling response:", err) 1.275 + } 1.276 + if len(res.Errors) != 1 { 1.277 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Errors)) 1.278 + } 1.279 + e := requestError{Slug: requestErrInvalidFormat, Param: "id"} 1.280 + success, field, expectation, result = compareErrors(e, res.Errors[0]) 1.281 + if !success { 1.282 + t.Errorf("Unexpected result for %s in error response: expected %v, got %v", field, expectation, result) 1.283 + } 1.284 + 1.285 + // test for a non-existent client 1.286 + u = "https://test.auth.secondbit.org/clients/" + uuid.NewID().String() 1.287 + w = httptest.NewRecorder() 1.288 + r, err = http.NewRequest("GET", u, nil) 1.289 + if err != nil { 1.290 + t.Fatal("Can't build request:", err) 1.291 + } 1.292 + r.Header.Set("Content-Type", "application/json") 1.293 + r.SetBasicAuth(login.Value, "mysecurepassphrase") 1.294 + router.ServeHTTP(w, r) 1.295 + if w.Code != http.StatusNotFound { 1.296 + t.Errorf("Expected response code to be %d, got %d", http.StatusNotFound, w.Code) 1.297 + } 1.298 + t.Logf("Response: %s", w.Body.String()) 1.299 + res = response{} 1.300 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.301 + if err != nil { 1.302 + t.Error("Unexpected error unmarshalling response:", err) 1.303 + } 1.304 + if len(res.Errors) != 1 { 1.305 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Errors)) 1.306 + } 1.307 + e = requestError{Slug: requestErrNotFound, Param: "id"} 1.308 + success, field, expectation, result = compareErrors(e, res.Errors[0]) 1.309 + if !success { 1.310 + t.Errorf("Unexpected result for %s in error response: expected %v, got %v", field, expectation, result) 1.311 + } 1.312 + 1.313 + // test for a wrong password 1.314 + u = "https://test.auth.secondbit.org/clients/" + client.ID.String() 1.315 + w = httptest.NewRecorder() 1.316 + r, err = http.NewRequest("GET", u, nil) 1.317 + if err != nil { 1.318 + t.Fatal("Can't build request:", err) 1.319 + } 1.320 + r.Header.Set("Content-Type", "application/json") 1.321 + r.SetBasicAuth(login.Value, "notmypassphrase") 1.322 + router.ServeHTTP(w, r) 1.323 + if w.Code != http.StatusUnauthorized { 1.324 + t.Errorf("Expected response code to be %d, got %d", http.StatusUnauthorized, w.Code) 1.325 + } 1.326 + t.Logf("Response: %s", w.Body.String()) 1.327 + res = response{} 1.328 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.329 + if err != nil { 1.330 + t.Error("Unexpected error unmarshalling response:", err) 1.331 + } 1.332 + if len(res.Errors) != 1 { 1.333 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Errors)) 1.334 + } 1.335 + e = requestError{Slug: requestErrAccessDenied} 1.336 + success, field, expectation, result = compareErrors(e, res.Errors[0]) 1.337 + if !success { 1.338 + t.Errorf("Unexpected result for %s in error response: expected %v, got %v", field, expectation, result) 1.339 + } 1.340 + 1.341 + // test for a wrong account 1.342 + u = "https://test.auth.secondbit.org/clients/" + client.ID.String() 1.343 + w = httptest.NewRecorder() 1.344 + r, err = http.NewRequest("GET", u, nil) 1.345 + if err != nil { 1.346 + t.Fatal("Can't build request:", err) 1.347 + } 1.348 + r.Header.Set("Content-Type", "application/json") 1.349 + r.SetBasicAuth(login2.Value, "mysecurepassphrase") 1.350 + router.ServeHTTP(w, r) 1.351 + if w.Code != http.StatusOK { 1.352 + t.Errorf("Expected response code to be %d, got %d", http.StatusOK, w.Code) 1.353 + } 1.354 + t.Logf("Response: %s", w.Body.String()) 1.355 + res = response{} 1.356 + err = json.Unmarshal(w.Body.Bytes(), &res) 1.357 + if err != nil { 1.358 + t.Error("Unexpected error unmarshalling response:", err) 1.359 + } 1.360 + if len(res.Clients) != 1 { 1.361 + t.Errorf("Expected %d results in response, got %d", 1, len(res.Clients)) 1.362 + } 1.363 + if res.Clients[0].Secret != "" { 1.364 + t.Errorf("Expected client secret to be empty, got %s", res.Clients[0].Secret) 1.365 + } 1.366 + // fill the client's secret for comparison 1.367 + res.Clients[0].Secret = client.Secret 1.368 + success, field, expectation, result = compareClients(client, res.Clients[0]) 1.369 + if !success { 1.370 + t.Errorf("Unexpected result for %s in response: expected %v, got %v", field, expectation, result) 1.371 + } 1.372 +} 1.373 + 1.374 // BUG(paddy): We need to test the clientCredentialsValidate function. 1.375 -// BUG(paddy): We need to test the GetClientHandler. 1.376 // BUG(paddy): We need to test the ListClientsHandler.