auth
auth/profile_test.go
Clean up after Client deletion, finish cleaning up after Profile deletion. 6f473576c6ae started cleaning up after Profiles when they're deleted, but didn't clean up the Clients created by that Profile. This fixes that, and also fixes a BUG note about cleaning up after a Client when it's deleted. Extend the authorizationCodeStore to have a deleteAuthorizationCodesByClientID method that will delete the AuthorizationCodes that have been granted by the Client specified by the passed ID. We also implemented this in memstore and postgres, so tests continue to pass. Extend the clientStore to have a deleteClientsByOwner method that will delete the Clients that were created by the Profile specified by the passed ID. We also implemented this in memstore and postgres, so tests continue to pass. Extend the clientStore to have a removeEndpointsByClientID method that will delete the Endpoints that belong(ed) to a the Client specified by the passed ID. We also implemented this in memstore and postgres, so tests continue to pass. Extend the tokenStore to have a revokeTokensByClientID method that will revoke all the Tokens that were granted to the Client specified by the passed ID. We also implemented this in memstore and postgres, so tests continue to pass. When listing Clients by their owner, allow setting the num argument (which controls how many to return) to 0 or lower, and using that to signal "return all Clients belonging to this owner", instead of paging. This is useful when deleting the Clients belonging to a Profile as part of the cleanup after deleting the Profile. Create a cleanUpAfterClientDeletion helper function that will delete the Endpoints and AuthorizationCodes belonging to a Client, and revoke the Tokens belonging to a Client, as part of cleaning up after a Client has been deleted. Add a check in the handler for listing Clients owned by a Profile to disallow the num argument to be lower than 1, because the API should be forced to page. Call our cleanUpAfterClientDeletion once the Client has been deleted in the appropriate handler. Fill out our Context with new methods to wrap all the new methods we're adding to our *Stores. In cleanUpAfterProfileDeletion, obtain a list of clients belonging to the owner, use our new DeleteClientsByOwner method to remove all of them, and then use the list to run our new cleanUpAfterClientDeletion function to clear away the final remnants of a Profile when it's deleted.
1 package auth
3 import (
4 "fmt"
5 "os"
6 "testing"
7 "time"
9 "code.secondbit.org/uuid.hg"
10 )
12 const (
13 profileChangeName = 1 << iota
14 profileChangePassphrase
15 profileChangeIterations
16 profileChangeSalt
17 profileChangePassphraseScheme
18 profileChangeCompromised
19 profileChangeLockedUntil
20 profileChangePassphraseReset
21 profileChangePassphraseResetCreated
22 profileChangeLastSeen
23 )
25 func init() {
26 if os.Getenv("PG_TEST_DB") != "" {
27 p, err := NewPostgres(os.Getenv("PG_TEST_DB"))
28 if err != nil {
29 panic(err)
30 }
31 profileStores = append(profileStores, &p)
32 }
33 }
35 var profileStores = []profileStore{NewMemstore()}
37 func compareProfiles(profile1, profile2 Profile) (success bool, field string, val1, val2 interface{}) {
38 if !profile1.ID.Equal(profile2.ID) {
39 return false, "ID", profile1.ID, profile2.ID
40 }
41 if profile1.Name != profile2.Name {
42 return false, "name", profile1.Name, profile2.Name
43 }
44 if profile1.Passphrase != profile2.Passphrase {
45 return false, "passphrase", profile1.Passphrase, profile2.Passphrase
46 }
47 if profile1.Iterations != profile2.Iterations {
48 return false, "iterations", profile1.Iterations, profile2.Iterations
49 }
50 if profile1.Salt != profile2.Salt {
51 return false, "salt", profile1.Salt, profile2.Salt
52 }
53 if profile1.PassphraseScheme != profile2.PassphraseScheme {
54 return false, "passphrase scheme", profile1.PassphraseScheme, profile2.PassphraseScheme
55 }
56 if profile1.Compromised != profile2.Compromised {
57 return false, "compromised", profile1.Compromised, profile2.Compromised
58 }
59 if !profile1.LockedUntil.Equal(profile2.LockedUntil) {
60 return false, "locked until", profile1.LockedUntil, profile2.LockedUntil
61 }
62 if profile1.PassphraseReset != profile2.PassphraseReset {
63 return false, "passphrase reset", profile1.PassphraseReset, profile2.PassphraseReset
64 }
65 if !profile1.PassphraseResetCreated.Equal(profile2.PassphraseResetCreated) {
66 return false, "passphrase reset created", profile1.PassphraseResetCreated, profile2.PassphraseResetCreated
67 }
68 if !profile1.Created.Equal(profile2.Created) {
69 return false, "created", profile1.Created, profile2.Created
70 }
71 if !profile1.LastSeen.Equal(profile2.LastSeen) {
72 return false, "last seen", profile1.LastSeen, profile2.LastSeen
73 }
74 return true, "", nil, nil
75 }
77 func compareLogins(login1, login2 Login) (success bool, field string, val1, val2 interface{}) {
78 if login1.Type != login2.Type {
79 return false, "Type", login1.Type, login2.Type
80 }
81 if login1.Value != login2.Value {
82 return false, "Value", login1.Value, login2.Value
83 }
84 if !login1.ProfileID.Equal(login2.ProfileID) {
85 return false, "ProfileID", login1.ProfileID, login2.ProfileID
86 }
87 if !login1.Created.Equal(login2.Created) {
88 return false, "Created", login1.Created, login2.Created
89 }
90 if !login1.LastUsed.Equal(login2.LastUsed) {
91 return false, "LastUsed", login1.LastUsed, login2.LastUsed
92 }
93 return true, "", nil, nil
94 }
96 func TestProfileStoreSuccess(t *testing.T) {
97 t.Parallel()
98 profile := Profile{
99 ID: uuid.NewID(),
100 Name: "name",
101 Passphrase: "passphrase",
102 Iterations: 10000,
103 Salt: "salt",
104 PassphraseScheme: 1,
105 Compromised: false,
106 LockedUntil: time.Now().Add(time.Hour).Round(time.Millisecond),
107 PassphraseReset: "passphrase reset",
108 PassphraseResetCreated: time.Now().Round(time.Millisecond),
109 Created: time.Now().Round(time.Millisecond),
110 LastSeen: time.Now().Round(time.Millisecond),
111 }
112 for _, store := range profileStores {
113 context := Context{profiles: store}
114 err := context.SaveProfile(profile)
115 if err != nil {
116 t.Errorf("Error saving profile to %T: %s", store, err)
117 }
118 err = context.SaveProfile(profile)
119 if err != ErrProfileAlreadyExists {
120 t.Errorf("Expected ErrProfileAlreadyExists from %T, got %+v", store, err)
121 }
122 retrieved, err := context.GetProfileByID(profile.ID)
123 if err != nil {
124 t.Errorf("Error retrieving profile from %T: %s", store, err)
125 }
126 match, field, expectation, result := compareProfiles(profile, retrieved)
127 if !match {
128 t.Errorf("Expected `%v` in the `%s` field of profile retrieved from %T, got `%v`", expectation, field, store, result)
129 }
130 err = context.DeleteProfile(profile.ID)
131 if err != nil {
132 t.Errorf("Error removing profile from %T: %s", store, err)
133 }
134 retrieved, err = context.GetProfileByID(profile.ID)
135 if err != ErrProfileNotFound {
136 t.Errorf("Expected ErrProfileNotFound from %T, got %+v and %+v", store, retrieved, err)
137 }
138 }
139 }
141 func TestProfileUpdates(t *testing.T) {
142 t.Parallel()
143 variations := 1 << 10
144 profile := Profile{
145 ID: uuid.NewID(),
146 Name: "name",
147 Passphrase: "passphrase",
148 Iterations: 10000,
149 Salt: "salt",
150 PassphraseScheme: 1,
151 Compromised: false,
152 LockedUntil: time.Now().Add(time.Hour).Round(time.Millisecond),
153 PassphraseReset: "passphrase reset",
154 PassphraseResetCreated: time.Now().Round(time.Millisecond),
155 Created: time.Now().Round(time.Millisecond),
156 LastSeen: time.Now().Round(time.Millisecond),
157 }
158 for i := 0; i < variations; i++ {
159 var name, passphrase, salt, passphraseReset string
160 var iterations int
161 var lockedUntil, passphraseResetCreated, lastSeen time.Time
162 var passphraseScheme int
163 var compromised bool
165 profile.ID = uuid.NewID()
166 change := ProfileChange{}
167 expectation := profile
168 result := profile
169 if i&profileChangeName != 0 {
170 name = fmt.Sprintf("name-%d", i)
171 change.Name = &name
172 expectation.Name = name
173 }
174 if i&profileChangePassphrase != 0 {
175 passphrase = fmt.Sprintf("passphrase-%d", i)
176 change.Passphrase = &passphrase
177 expectation.Passphrase = passphrase
178 }
179 if i&profileChangeIterations != 0 {
180 iterations = i
181 change.Iterations = &iterations
182 expectation.Iterations = iterations
183 }
184 if i&profileChangeSalt != 0 {
185 salt = fmt.Sprintf("salt-%d", i)
186 change.Salt = &salt
187 expectation.Salt = salt
188 }
189 if i&profileChangePassphraseScheme != 0 {
190 passphraseScheme = i
191 change.PassphraseScheme = &passphraseScheme
192 expectation.PassphraseScheme = passphraseScheme
193 }
194 if i&profileChangeCompromised != 0 {
195 compromised = i%2 != 0
196 change.Compromised = &compromised
197 expectation.Compromised = compromised
198 }
199 if i&profileChangeLockedUntil != 0 {
200 lockedUntil = time.Now().Round(time.Millisecond)
201 change.LockedUntil = &lockedUntil
202 expectation.LockedUntil = lockedUntil
203 }
204 if i&profileChangePassphraseReset != 0 {
205 passphraseReset = fmt.Sprintf("passphraseReset-%d", i)
206 change.PassphraseReset = &passphraseReset
207 expectation.PassphraseReset = passphraseReset
208 }
209 if i&profileChangePassphraseResetCreated != 0 {
210 passphraseResetCreated = time.Now().Round(time.Millisecond)
211 change.PassphraseResetCreated = &passphraseResetCreated
212 expectation.PassphraseResetCreated = passphraseResetCreated
213 }
214 if i&profileChangeLastSeen != 0 {
215 lastSeen = time.Now().Round(time.Millisecond)
216 change.LastSeen = &lastSeen
217 expectation.LastSeen = lastSeen
218 }
219 result.ApplyChange(change)
220 match, field, expected, got := compareProfiles(expectation, result)
221 if !match {
222 t.Errorf("Expected field `%s` to be `%v`, got `%v`", field, expected, got)
223 }
224 for _, store := range profileStores {
225 context := Context{profiles: store}
226 err := context.SaveProfile(profile)
227 if err != nil {
228 t.Errorf("Error saving profile in %T: %s", store, err)
229 }
230 err = context.UpdateProfile(profile.ID, change)
231 if err != nil {
232 t.Errorf("Error updating profile in %T: %s", store, err)
233 }
234 retrieved, err := context.GetProfileByID(profile.ID)
235 if err != nil {
236 t.Errorf("Error getting profile from %T: %s", store, err)
237 }
238 match, field, expected, got = compareProfiles(expectation, retrieved)
239 if !match {
240 t.Errorf("Expected field `%s` to be `%v`, got `%v` from %T", field, expected, got, store)
241 }
242 }
243 }
244 }
246 func TestProfilesUpdates(t *testing.T) {
247 profile1 := Profile{
248 ID: uuid.NewID(),
249 }
250 profile2 := Profile{
251 ID: uuid.NewID(),
252 }
253 profile3 := Profile{
254 ID: uuid.NewID(),
255 }
256 truth := true
257 change := BulkProfileChange{
258 Compromised: &truth,
259 }
260 for _, store := range profileStores {
261 context := Context{profiles: store}
262 err := context.SaveProfile(profile1)
263 if err != nil {
264 t.Errorf("Error saving profile in %T: %s", store, err)
265 }
266 err = context.SaveProfile(profile2)
267 if err != nil {
268 t.Errorf("Error saving profile in %T: %s", store, err)
269 }
270 err = context.SaveProfile(profile3)
271 if err != nil {
272 t.Errorf("Error saving profile in %T: %s", store, err)
273 }
274 err = context.UpdateProfiles([]uuid.ID{profile1.ID, profile3.ID}, change)
275 if err != nil {
276 t.Errorf("Error updating profile in %T: %s", store, err)
277 }
278 profile1.Compromised = truth
279 profile3.Compromised = truth
280 retrieved, err := context.GetProfileByID(profile1.ID)
281 if err != nil {
282 t.Errorf("Error getting profile from %T: %s", store, err)
283 }
284 match, field, expected, got := compareProfiles(profile1, retrieved)
285 if !match {
286 t.Errorf("Expected field `%s` to be `%v`, got `%v` from %T", field, expected, got, store)
287 }
288 retrieved, err = context.GetProfileByID(profile2.ID)
289 if err != nil {
290 t.Errorf("Error getting profile from %T: %s", store, err)
291 }
292 match, field, expected, got = compareProfiles(profile2, retrieved)
293 if !match {
294 t.Errorf("Expected field `%s` to be `%v`, got `%v` from %T", field, expected, got, store)
295 }
296 retrieved, err = context.GetProfileByID(profile3.ID)
297 if err != nil {
298 t.Errorf("Error getting profile from %T: %s", store, err)
299 }
300 match, field, expected, got = compareProfiles(profile3, retrieved)
301 if !match {
302 t.Errorf("Expected field `%s` to be `%v`, got `%v` from %T", field, expected, got, store)
303 }
304 }
305 }
307 func TestProfileStoreLoginSuccess(t *testing.T) {
308 t.Parallel()
309 login := Login{
310 Type: "type",
311 Value: "value",
312 ProfileID: uuid.NewID(),
313 Created: time.Now().Add(-1 * time.Hour).Round(time.Millisecond),
314 LastUsed: time.Now().Add(-1 * time.Minute).Round(time.Millisecond),
315 }
316 for _, store := range profileStores {
317 context := Context{profiles: store}
318 err := context.AddLogin(login)
319 if err != nil {
320 t.Errorf("Error adding login to %T: %s", store, err)
321 }
322 err = context.AddLogin(login)
323 if err != ErrLoginAlreadyExists {
324 t.Errorf("Expected ErrLoginAlreadyExists from %T, got %+v", store, err)
325 }
326 retrieved, err := context.ListLogins(login.ProfileID, 10, 0)
327 if err != nil {
328 t.Errorf("Error retrieving logins from %T: %s", store, err)
329 }
330 if len(retrieved) != 1 {
331 t.Errorf("Expected 1 login result from %T, got %d", store, len(retrieved))
332 }
333 match, field, expectation, result := compareLogins(login, retrieved[0])
334 if !match {
335 t.Errorf("Expected `%v` in the `%s` field of login retrieved from %T, got `%v`", expectation, field, store, result)
336 }
337 lastUsed := time.Now().Round(time.Millisecond)
338 err = context.RecordLoginUse(login.Value, lastUsed)
339 if err != nil {
340 t.Errorf("Error recording use of login to %T: %s", store, err)
341 }
342 login.LastUsed = lastUsed
343 retrieved, err = context.ListLogins(login.ProfileID, 10, 0)
344 if err != nil {
345 t.Errorf("Error retrieving logins from %T: %s", store, err)
346 }
347 if len(retrieved) != 1 {
348 t.Errorf("Expected 1 login result from %T, got %d", store, len(retrieved))
349 }
350 match, field, expectation, result = compareLogins(login, retrieved[0])
351 if !match {
352 t.Errorf("Expected `%v` in the `%s` field of login retrieved from %T, got `%v`", expectation, field, store, result)
353 }
354 err = context.RemoveLogin(login.Value, login.ProfileID)
355 if err != nil {
356 t.Errorf("Error removing login from %T: %s", store, err)
357 }
358 retrieved, err = context.ListLogins(login.ProfileID, 10, 0)
359 if len(retrieved) != 0 {
360 t.Errorf("Expected 0 login results from %T, got %d: %+v", store, len(retrieved), retrieved)
361 }
362 err = context.RemoveLogin(login.Value, login.ProfileID)
363 if err != ErrLoginNotFound {
364 t.Errorf("Expected ErrLoginNotFound from %T, got %+v", store, err)
365 }
366 }
367 }
369 func TestProfileStoreLoginRetrieval(t *testing.T) {
370 t.Parallel()
371 profile := Profile{
372 ID: uuid.NewID(),
373 Name: "name",
374 Passphrase: "passphrase",
375 Iterations: 10000,
376 Salt: "salt",
377 PassphraseScheme: 1,
378 Compromised: false,
379 LockedUntil: time.Now().Add(time.Hour).Round(time.Millisecond),
380 PassphraseReset: "passphrase reset",
381 PassphraseResetCreated: time.Now().Round(time.Millisecond),
382 Created: time.Now().Round(time.Millisecond),
383 LastSeen: time.Now().Round(time.Millisecond),
384 }
385 login := Login{
386 Type: "type",
387 Value: "value",
388 ProfileID: profile.ID,
389 Created: time.Now().Add(-1 * time.Hour).Round(time.Millisecond),
390 LastUsed: time.Now().Add(-1 * time.Minute).Round(time.Millisecond),
391 }
392 for _, store := range profileStores {
393 context := Context{profiles: store}
394 err := context.SaveProfile(profile)
395 if err != nil {
396 t.Errorf("Error saving profile in %T: %s", store, err)
397 }
398 err = context.AddLogin(login)
399 if err != nil {
400 t.Errorf("Error storing login in %T: %s", store, err)
401 }
402 retrieved, err := context.GetProfileByLogin(login.Value)
403 if err != nil {
404 t.Errorf("Error retrieving profile by login from %T: %s", store, err)
405 }
406 match, field, expectation, result := compareProfiles(profile, retrieved)
407 if !match {
408 t.Errorf("Expected `%v` in the `%s` field of profile retrieved from %T, got `%v`", expectation, field, store, result)
409 }
410 }
411 }
413 func TestProfileChangeValidation(t *testing.T) {
414 t.Parallel()
415 passphraseScheme := 1
416 passphraseReset := "reset"
417 salt := "salt"
418 iterations := 100
419 emptyName := ""
420 enteredName := "Paddy"
421 okPassphrase := "this is a decent passphrase"
422 compromised := true
423 lockedUntil := time.Now().Round(time.Millisecond)
424 resetCreated := time.Now().Round(time.Millisecond)
425 lastSeen := time.Now().Round(time.Millisecond)
426 changes := map[*ProfileChange]error{
427 &ProfileChange{}: ErrEmptyChange,
428 &ProfileChange{PassphraseScheme: &passphraseScheme}: ErrMissingPassphrase,
429 &ProfileChange{PassphraseScheme: &passphraseScheme, Passphrase: &okPassphrase}: nil,
430 &ProfileChange{PassphraseReset: &passphraseReset}: ErrMissingPassphraseResetCreated,
431 &ProfileChange{PassphraseReset: &passphraseReset, PassphraseResetCreated: &resetCreated}: nil,
432 &ProfileChange{Salt: &salt}: ErrMissingPassphrase,
433 &ProfileChange{Salt: &salt, Passphrase: &okPassphrase}: nil,
434 &ProfileChange{Iterations: &iterations}: ErrMissingPassphrase,
435 &ProfileChange{Iterations: &iterations, Passphrase: &okPassphrase}: nil,
436 &ProfileChange{Passphrase: &okPassphrase}: nil,
437 &ProfileChange{Name: &emptyName}: nil,
438 &ProfileChange{Name: &enteredName}: nil,
439 &ProfileChange{Compromised: &compromised}: nil,
440 &ProfileChange{LockedUntil: &lockedUntil}: nil,
441 &ProfileChange{LastSeen: &lastSeen}: nil,
442 &ProfileChange{PassphraseResetCreated: &resetCreated}: ErrMissingPassphraseReset,
443 }
444 for change, expectedErr := range changes {
445 if err := change.Validate(); err != expectedErr {
446 t.Errorf("Expected %+v to give an error of %v, gave %v", change, expectedErr, err)
447 }
448 }
449 }
451 func TestBulkProfileChangeValidation(t *testing.T) {
452 t.Parallel()
453 compromised := true
454 changes := map[*BulkProfileChange]error{
455 &BulkProfileChange{}: ErrEmptyChange,
456 &BulkProfileChange{Compromised: &compromised}: nil,
457 }
458 for change, expectedErr := range changes {
459 if err := change.Validate(); err != expectedErr {
460 t.Errorf("Expected %+v to give an error of %v, gave %v", change, expectedErr, err)
461 }
462 }
463 }
465 // BUG(paddy): We need to test the validateNewProfileRequest helper.
466 // BUG(paddy): We need to test the CreateProfileHandler.
467 // BUG(paddy): We need to test that deleting works as we expect.