From c466542990455c341a8d0431d9f814a8e28296ef Mon Sep 17 00:00:00 2001
From: TwiN
Date: Sat, 8 Jan 2022 19:52:55 -0500
Subject: [PATCH] test(security): Add tests for basic auth with bcrypt
---
 security/basic_test.go | 24 ++++++++++++++++++++++--
 security/config_test.go | 36 ++++++++++++++++++++++++++++++++++--
 2 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/security/basic_test.go b/security/basic_test.go
index 3579c1ab..28467044 100644
--- a/security/basic_test.go
+++ b/security/basic_test.go
@@ -2,7 +2,7 @@ package security
 import "testing"
-func TestBasicConfig_IsValid(t *testing.T) {
+func TestBasicConfig_IsValidUsingSHA512(t *testing.T) {
 	basicConfig := &BasicConfig{
 		Username: "admin",
 		PasswordSha512Hash: Sha512("test"),
@@ -12,7 +12,7 @@ func TestBasicConfig_IsValid(t *testing.T) {
 	}
 }
-func TestBasicConfig_IsValidWhenPasswordIsInvalid(t *testing.T) {
+func TestBasicConfig_IsValidWhenPasswordIsInvalidUsingSHA512(t *testing.T) {
 	basicConfig := &BasicConfig{
 		Username: "admin",
 		PasswordSha512Hash: "",
@@ -21,3 +21,23 @@ func TestBasicConfig_IsValidWhenPasswordIsInvalid(t *testing.T) {
 		t.Error("basicConfig shouldn't have been valid")
 	}
 }
+
+func TestBasicConfig_IsValidUsingBcrypt(t *testing.T) {
+	basicConfig := &BasicConfig{
+		Username: "admin",
+		PasswordBcryptHashBase64Encoded: "JDJhJDA4JDFoRnpPY1hnaFl1OC9ISlFsa21VS09wOGlPU1ZOTDlHZG1qeTFvb3dIckRBUnlHUmNIRWlT",
+	}
+	if !basicConfig.isValid() {
+		t.Error("basicConfig should've been valid")
+	}
+}
+
+func TestBasicConfig_IsValidWhenPasswordIsInvalidUsingBcrypt(t *testing.T) {
+	basicConfig := &BasicConfig{
+		Username: "admin",
+		PasswordBcryptHashBase64Encoded: "",
+	}
+	if basicConfig.isValid() {
+		t.Error("basicConfig shouldn't have been valid")
+	}
+}
diff --git a/security/config_test.go b/security/config_test.go
index 5678da6e..42285dfb 100644
--- a/security/config_test.go
+++ b/security/config_test.go
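Review bot: TestBasicConfig_IsValidWhenPasswordIsInvalidUsingBcrypt only covers an empty PasswordBcryptHashBase64Encoded, so a value that is present but is not base64, or decodes to something that is not a bcrypt hash, is never exercised; if isValid decodes the value (its body is not in this patch), a second case such as `PasswordBcryptHashBase64Encoded: "not-base64!",` expecting isValid() to be false would pin that, and if isValid only checks for a non-empty string the case belongs wherever the hash is actually parsed. The fixture string in TestBasicConfig_IsValidUsingBcrypt is unexplained; the config_test.go hunk in this same patch pairs the identical value with the password "hunter2" and expects a 200, so a comment like `// base64 of a bcrypt hash of "hunter2"; the same fixture is used in config_test.go` on that line would save the next reader a decode. The two renamed SHA512 tests above carry no such comment either, but they predate this change.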
@@ -23,6 +23,7 @@ func TestConfig_ApplySecurityMiddleware(t *testing.T) {
 	///////////
 	// BASIC //
 	///////////
+	// SHA512 (DEPRECATED)
 	c := &Config{Basic: &BasicConfig{
 		Username: "john.doe",
 		PasswordSha512Hash: "6b97ed68d14eb3f1aa959ce5d49c7dc612e1eb1dafd73b1e705847483fd6a6c809f2ceb4e8df6ff9984c6298ff0285cace6614bf8daa9f0070101b6c89899e22",
@@ -31,7 +32,9 @@ func TestConfig_ApplySecurityMiddleware(t *testing.T) {
 	api.HandleFunc("/test", func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	})
-	c.ApplySecurityMiddleware(api)
+	if err := c.ApplySecurityMiddleware(api); err != nil {
+		t.Error("expected no error, but was", err)
+	}
 	// Try to access the route without basic auth
 	request, _ := http.NewRequest("GET", "/test", http.NoBody)
 	responseRecorder := httptest.NewRecorder()
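Review bot: The new error check after c.ApplySecurityMiddleware(api) reports with t.Error and then falls through to the request assertions, so if the middleware was never installed the test keeps running, the unauthenticated request comes back 200, and the real cause is buried under a second, misleading status-code failure. Nothing after that point is meaningful without the middleware in place, so `t.Fatal("expected no error, but was", err)` is the right call here; the identical checks added in the @@ -47,6 +50,33 @@ and @@ -63,7 +93,9 @@ hunks have the same issue. TestConfig_ApplySecurityMiddleware begins and ends outside this hunk.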
@@ -47,6 +50,33 @@ func TestConfig_ApplySecurityMiddleware(t *testing.T) {
 	if responseRecorder.Code != http.StatusOK {
 		t.Error("expected code to be 200, but was", responseRecorder.Code)
 	}
+	// Bcrypt
+	c = &Config{Basic: &BasicConfig{
+		Username: "john.doe",
+		PasswordBcryptHashBase64Encoded: "JDJhJDA4JDFoRnpPY1hnaFl1OC9ISlFsa21VS09wOGlPU1ZOTDlHZG1qeTFvb3dIckRBUnlHUmNIRWlT",
+	}}
+	api = mux.NewRouter()
+	api.HandleFunc("/test", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	if err := c.ApplySecurityMiddleware(api); err != nil {
+		t.Error("expected no error, but was", err)
+	}
+	// Try to access the route without basic auth
+	request, _ = http.NewRequest("GET", "/test", http.NoBody)
+	responseRecorder = httptest.NewRecorder()
+	api.ServeHTTP(responseRecorder, request)
+	if responseRecorder.Code != http.StatusUnauthorized {
+		t.Error("expected code to be 401, but was", responseRecorder.Code)
+	}
+	// Try again, but with basic auth
+	request, _ = http.NewRequest("GET", "/test", http.NoBody)
+	responseRecorder = httptest.NewRecorder()
+	request.SetBasicAuth("john.doe", "hunter2")
+	api.ServeHTTP(responseRecorder, request)
+	if responseRecorder.Code != http.StatusOK {
+		t.Error("expected code to be 200, but was", responseRecorder.Code)
+	}
 	//////////
 	// OIDC //
 	//////////
@@ -63,7 +93,9 @@ func TestConfig_ApplySecurityMiddleware(t *testing.T) {
 		verifier: nil,
 	}
 	c.Basic = nil
-	c.ApplySecurityMiddleware(api)
+	if err := c.ApplySecurityMiddleware(api); err != nil {
+		t.Error("expected no error, but was", err)
+	}
 	// Try without any session cookie
 	request, _ = http.NewRequest("GET", "/test", http.NoBody)
 	responseRecorder = httptest.NewRecorder()
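Review bot: The new bcrypt block only checks that a request with no credentials gets 401 and that the correct password gets 200, so a middleware that merely looks for the presence of an Authorization header, or that compares against the wrong field, would still pass; nothing here proves the bcrypt comparison actually rejects a wrong password. A third request with an incorrect password, expecting http.StatusUnauthorized, placed between the two existing checks would close that gap (the SHA512 block earlier in this function has the same gap, but it predates this patch). TestConfig_ApplySecurityMiddleware begins and ends outside this hunk.
```go
	// … unchanged: bcrypt config, router setup, unauthenticated 401 check …
	// A wrong password must be rejected too; otherwise a middleware that only
	// checks for the presence of credentials would pass this test.
	request, _ = http.NewRequest("GET", "/test", http.NoBody)
	responseRecorder = httptest.NewRecorder()
	request.SetBasicAuth("john.doe", "wrong-password")
	api.ServeHTTP(responseRecorder, request)
	if responseRecorder.Code != http.StatusUnauthorized {
		t.Error("expected code to be 401, but was", responseRecorder.Code)
	}
	// … unchanged: authenticated 200 check, OIDC section …
```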