package validator
import (
"fmt"
"testing"
"github.com/stretchr/testify/suite"
"github.com/authelia/authelia/internal/configuration/schema"
)
// AccessControl is the testify suite that exercises the access control
// configuration validator (ValidateAccessControl and ValidateRules).
// Every test starts from the baseline installed by SetupTest and perturbs
// exactly one piece of the configuration.
type AccessControl struct {
	suite.Suite

	// validator collects the warnings and errors emitted by one validation run;
	// it is recreated for every test so results never bleed across cases.
	validator *schema.StructValidator
	// configuration is the access control section under test.
	configuration schema.AccessControlConfiguration
}
// SetupTest resets the suite before each test: a fresh validator and a
// known-good baseline configuration. The baseline uses the fail-closed
// denyPolicy as default_policy together with the schema's default network
// and rule sets, so a test that touches nothing must validate cleanly
// (see TestShouldValidateCompleteConfiguration).
func (suite *AccessControl) SetupTest() {
	suite.validator = schema.NewStructValidator()

	cfg := &suite.configuration
	cfg.DefaultPolicy = denyPolicy
	cfg.Networks = schema.DefaultACLNetwork
	cfg.Rules = schema.DefaultACLRule
}
// TestShouldValidateCompleteConfiguration is the positive control: the
// untouched baseline from SetupTest (deny default, default networks and
// rules) must pass with neither warnings nor errors. If this fails, every
// negative test below is suspect because its single expected error could be
// masked by baseline noise.
func (suite *AccessControl) TestShouldValidateCompleteConfiguration() {
	v := suite.validator

	ValidateAccessControl(suite.configuration, v)

	suite.Assert().False(v.HasWarnings(), "unexpected warnings: %v", v.Warnings())
	suite.Assert().False(v.HasErrors(), "unexpected errors: %v", v.Errors())
}
// TestShouldRaiseErrorInvalidDefaultPolicy sets default_policy to a value
// outside the permitted set and expects exactly one error that names the
// valid policies. A misspelt default policy must be rejected at load time
// rather than being carried into runtime evaluation.
func (suite *AccessControl) TestShouldRaiseErrorInvalidDefaultPolicy() {
	suite.configuration.DefaultPolicy = testInvalidPolicy

	ValidateAccessControl(suite.configuration, suite.validator)

	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	const want = "'default_policy' must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"
	suite.Assert().EqualError(errs[0], want)
}
// TestShouldRaiseErrorInvalidNetworkGroupNetwork defines a network group
// whose only member is neither an IP address nor a CIDR and expects a single
// error identifying both the bad entry and the group it came from. Network
// groups are referenced by name from rules, so a malformed member must fail
// validation of the group itself instead of surfacing later (or not at all)
// when a rule resolves the name.
func (suite *AccessControl) TestShouldRaiseErrorInvalidNetworkGroupNetwork() {
	badGroup := schema.ACLNetwork{
		Name:     "internal",
		Networks: []string{"abc.def.ghi.jkl"},
	}
	suite.configuration.Networks = []schema.ACLNetwork{badGroup}

	ValidateAccessControl(suite.configuration, suite.validator)

	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	const want = "Network [abc.def.ghi.jkl] from network group: internal must be a valid IP or CIDR"
	suite.Assert().EqualError(errs[0], want)
}
// TestShouldRaiseErrorNoRulesDefined feeds ValidateRules a rule list whose
// only entry is the zero-value rule and expects two errors, in order: the
// "no rules defined" error and the invalid (empty) policy of that rule.
// NOTE(review): despite the name, the fixture is one empty rule rather than
// an empty list; whether the validator treats a zero-value rule as "no rule"
// is its decision — this test only pins the two messages it produces.
func (suite *AccessControl) TestShouldRaiseErrorNoRulesDefined() {
	emptyRule := schema.ACLRule{}
	suite.configuration.Rules = []schema.ACLRule{emptyRule}

	ValidateRules(suite.configuration, suite.validator)

	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 2)

	want := []string{
		"No access control rules have been defined",
		"Policy [] for domain: [] is invalid, a policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'",
	}
	for i, msg := range want {
		suite.Assert().EqualError(errs[i], msg)
	}
}
// TestShouldRaiseErrorInvalidPolicy gives an otherwise well-formed rule a
// policy outside the permitted set and expects one error that names the
// domain and the offending policy. The per-rule policy decides what a
// matching request is subjected to, so an unknown value must be a hard
// configuration error.
func (suite *AccessControl) TestShouldRaiseErrorInvalidPolicy() {
	rule := schema.ACLRule{
		Domains: []string{"public.example.com"},
		Policy:  testInvalidPolicy,
	}
	suite.configuration.Rules = []schema.ACLRule{rule}

	ValidateRules(suite.configuration, suite.validator)

	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	const want = "Policy [invalid] for domain: [public.example.com] is invalid, a policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"
	suite.Assert().EqualError(errs[0], want)
}
// TestShouldRaiseErrorInvalidNetwork puts a value in a rule's networks list
// that is neither a valid CIDR nor the name of a configured network group
// and expects a single error. This matters most for bypass rules like the
// one here: the network list is what scopes the bypass, so an unresolvable
// entry must be rejected at load time rather than silently ignored.
func (suite *AccessControl) TestShouldRaiseErrorInvalidNetwork() {
	rule := schema.ACLRule{
		Domains:  []string{"public.example.com"},
		Policy:   "bypass",
		Networks: []string{"abc.def.ghi.jkl/32"},
	}
	suite.configuration.Rules = []schema.ACLRule{rule}

	ValidateRules(suite.configuration, suite.validator)

	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	const want = "Network [abc.def.ghi.jkl/32] for domain: [public.example.com] is not a valid network or network group"
	suite.Assert().EqualError(errs[0], want)
}
// TestShouldRaiseErrorInvalidMethod lists one valid and one unknown HTTP
// method on a rule and expects exactly one error, for the unknown method
// only, enumerating the accepted set. Methods narrow which requests a rule
// (here a bypass) applies to, so a typo must not be accepted as a method
// that simply never matches.
func (suite *AccessControl) TestShouldRaiseErrorInvalidMethod() {
	rule := schema.ACLRule{
		Domains: []string{"public.example.com"},
		Policy:  "bypass",
		Methods: []string{"GET", "HOP"},
	}
	suite.configuration.Rules = []schema.ACLRule{rule}

	ValidateRules(suite.configuration, suite.validator)

	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	const want = "Method HOP for domain: [public.example.com] is invalid, must be one of the following methods: GET, HEAD, POST, PUT, PATCH, DELETE, TRACE, CONNECT, OPTIONS"
	suite.Assert().EqualError(errs[0], want)
}
// TestShouldRaiseErrorInvalidResource uses a resource pattern that does not
// compile as a regular expression (unbalanced parenthesis) and expects one
// error that embeds the regexp package's own parse message. Resources are
// regexes that scope a rule to paths, so a pattern that cannot compile must
// fail validation outright instead of being interpreted loosely at runtime.
func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
	const brokenPattern = "^/(api.*"

	rule := schema.ACLRule{
		Domains:   []string{"public.example.com"},
		Policy:    "bypass",
		Resources: []string{brokenPattern},
	}
	suite.configuration.Rules = []schema.ACLRule{rule}

	ValidateRules(suite.configuration, suite.validator)

	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	const want = "Resource [^/(api.*] for domain: [public.example.com] is invalid, error parsing regexp: missing closing ): `^/(api.*`"
	suite.Assert().EqualError(errs[0], want)
}
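// TestShouldRaiseErrorInvalidSubject configures a bypass rule whose subject
// lacks the required 'user:' or 'group:' prefix and expects two errors, in
// order: the malformed subject, then the policy/subject combination error
// (errAccessControlInvalidPolicyWithSubjects) for a bypass rule that carries
// subjects at all.
// NOTE(review): the second error is the security-relevant one — it is
// presumably raised because a bypass rule never establishes an identity, so
// a subject constraint on it could not be enforced; confirm against the
// validator before relying on that reading.
func (suite *AccessControl) TestShouldRaiseErrorInvalidSubject() {
	domains := []string{"public.example.com"}
	subjects := [][]string{{"invalid"}}

	suite.configuration.Rules = []schema.ACLRule{
		{
			Domains:  domains,
			Policy:   "bypass",
			Subjects: subjects,
		},
	}

	ValidateRules(suite.configuration, suite.validator)

	// Same assertion shape as the sibling tests: HasWarnings for the
	// no-warnings check, and a hard Require on the error count before
	// indexing into Errors().
	suite.Assert().False(suite.validator.HasWarnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 2)

	suite.Assert().EqualError(errs[0], "Subject [invalid] for domain: [public.example.com] is invalid, must start with 'user:' or 'group:'")
	suite.Assert().EqualError(errs[1], fmt.Sprintf(errAccessControlInvalidPolicyWithSubjects, domains, subjects))
}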
// TestAccessControl is the go test entry point that runs every method of the
// AccessControl suite; SetupTest runs before each of them.
func TestAccessControl(t *testing.T) {
	s := &AccessControl{}
	suite.Run(t, s)
}