mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
fcac438637
This expands the functionality of the certificates and rsa commands and merges them into one command called cypto which can either use the cert or pair subcommands to generate certificates or key-pairs respectively. The rsa, ecdsa, and ed25519 subcommands exist for both the cert and pair commands. A new --ca-path argument for the cert subcommand allows Authelia to sign other certs with CA certs. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
1109 lines
62 KiB
Go
1109 lines
62 KiB
Go
package suites
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"os"
|
|
"regexp"
|
|
"strconv"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/suite"
|
|
"gopkg.in/yaml.v3"
|
|
|
|
"github.com/authelia/authelia/v4/internal/model"
|
|
"github.com/authelia/authelia/v4/internal/storage"
|
|
"github.com/authelia/authelia/v4/internal/utils"
|
|
)
|
|
|
|
type CLISuite struct {
|
|
*CommandSuite
|
|
}
|
|
|
|
func NewCLISuite() *CLISuite {
|
|
return &CLISuite{CommandSuite: new(CommandSuite)}
|
|
}
|
|
|
|
func (s *CLISuite) SetupSuite() {
|
|
dockerEnvironment := NewDockerEnvironment([]string{
|
|
"internal/suites/docker-compose.yml",
|
|
"internal/suites/CLI/docker-compose.yml",
|
|
"internal/suites/example/compose/authelia/docker-compose.backend.{}.yml",
|
|
})
|
|
s.DockerEnvironment = dockerEnvironment
|
|
}
|
|
|
|
func (s *CLISuite) SetupTest() {
|
|
testArg := ""
|
|
coverageArg := ""
|
|
|
|
if os.Getenv("CI") == t {
|
|
testArg = "-test.coverprofile=/authelia/coverage-$(cat /proc/sys/kernel/random/uuid).txt"
|
|
coverageArg = "COVERAGE"
|
|
}
|
|
|
|
s.testArg = testArg
|
|
s.coverageArg = coverageArg
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldPrintBuildInformation() {
|
|
if os.Getenv("CI") == "false" {
|
|
s.T().Skip("Skipping testing in dev environment")
|
|
}
|
|
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "build-info"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Last Tag: ")
|
|
s.Assert().Contains(output, "State: ")
|
|
s.Assert().Contains(output, "Branch: ")
|
|
s.Assert().Contains(output, "Build Number: ")
|
|
s.Assert().Contains(output, "Build OS: ")
|
|
s.Assert().Contains(output, "Build Arch: ")
|
|
s.Assert().Contains(output, "Build Date: ")
|
|
|
|
r := regexp.MustCompile(`^Last Tag: v\d+\.\d+\.\d+\nState: (tagged|untagged) (clean|dirty)\nBranch: [^\s\n]+\nCommit: [0-9a-f]{40}\nBuild Number: \d+\nBuild OS: (linux|darwin|windows|freebsd)\nBuild Arch: (amd64|arm|arm64)\nBuild Date: (Sun|Mon|Tue|Wed|Thu|Fri|Sat), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}\nExtra: \n`)
|
|
s.Assert().Regexp(r, output)
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldPrintVersion() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "--version"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "authelia version")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldValidateConfig() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "validate-config", "--config=/config/configuration.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Configuration parsed and loaded successfully without errors.")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldFailValidateConfig() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "validate-config", "--config=/config/invalid.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "failed to load configuration from yaml file(/config/invalid.yml) source: open /config/invalid.yml: no such file or directory")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldHashPasswordArgon2id() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "hash-password", "test", "-m", "32", "-s", "test1234"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Password hash: $argon2id$v=19$m=32768,t=3,p=4$")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldHashPasswordSHA512() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "hash-password", "test", "-z"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Password hash: $6$rounds=50000")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateRSACertificateRequest() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "request", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate Request")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tSignature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate Request: /tmp/request.csr")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSACurveP224CertificateRequest() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "request", "--curve=P224", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate Request")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tSignature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-224")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate Request: /tmp/request.csr")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSACurveP256CertificateRequest() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "request", "--curve=P256", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate Request")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tSignature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-256")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate Request: /tmp/request.csr")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSACurveP384CertificateRequest() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "request", "--curve=P384", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate Request")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tSignature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-384")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate Request: /tmp/request.csr")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSACurveP521CertificateRequest() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "request", "--curve=P521", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate Request")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tSignature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-521")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate Request: /tmp/request.csr")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateEd25519CertificateRequest() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ed25519", "request", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate Request")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tSignature Algorithm: Ed25519, Public Key Algorithm: Ed25519")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate Request: /tmp/request.csr")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateRSA() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateRSAWithIPAddress() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name=example.com", "--sans", "*.example.com,127.0.0.1", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com, IP.1:127.0.0.1")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateRSAWithNotBefore() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name=example.com", "--sans='*.example.com'", "--not-before", "'Jan 1 15:04:05 2011'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tNot Before: 2011-01-01T15:04:05Z, Not After: 2012-01-01T15:04:05Z")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldFailGenerateCertificateRSAWithInvalidNotBefore() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name=example.com", "--sans='*.example.com'", "--not-before", "Jan", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: failed to parse not before: parsing time \"Jan\" as \"Jan 2 15:04:05 2006\": cannot parse \"\" as \"2\"")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateRSAWith4096Bits() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--bits=4096", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 4096")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateWithCustomizedSubject() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name=example.com", "--sans='*.example.com'", "--country=Australia", "--organization='Acme Co.'", "--organizational-unit=Tech", "--province=QLD", "--street-address='123 Smith St'", "--postcode=4000", "--locality=Internet", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Acme Co.], Organizational Unit: [Tech]")
|
|
s.Assert().Contains(output, "\tCountry: [Australia], Province: [QLD], Street Address: [123 Smith St], Postal Code: [4000], Locality: [Internet]")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateCA() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name='Authelia Standalone Root Certificate Authority'", "--ca", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: Authelia Standalone Root Certificate Authority, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: true, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: ")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/ca.private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/ca.public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateCAAndSignCertificate() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name='Authelia Standalone Root Certificate Authority'", "--ca", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: Authelia Standalone Root Certificate Authority, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: true, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: ")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/ca.private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/ca.public.crt")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name=example.com", "--sans='*.example.com'", "--path.ca", "/tmp/", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tAuthelia Standalone Root Certificate Authority")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, ", Expires: ")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: SHA256-RSA, Public Key Algorithm: RSA, Bits: 2048")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
|
|
// Check the certificates look fine.
|
|
privateKeyData, err := os.ReadFile("/tmp/private.pem")
|
|
s.Assert().NoError(err)
|
|
|
|
certificateData, err := os.ReadFile("/tmp/public.crt")
|
|
s.Assert().NoError(err)
|
|
|
|
privateKeyCAData, err := os.ReadFile("/tmp/ca.private.pem")
|
|
s.Assert().NoError(err)
|
|
|
|
certificateCAData, err := os.ReadFile("/tmp/ca.public.crt")
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().False(bytes.Equal(privateKeyData, privateKeyCAData))
|
|
s.Assert().False(bytes.Equal(certificateData, certificateCAData))
|
|
|
|
privateKey, err := utils.ParseX509FromPEM(privateKeyData)
|
|
s.Assert().NoError(err)
|
|
s.Assert().True(utils.IsX509PrivateKey(privateKey))
|
|
|
|
privateCAKey, err := utils.ParseX509FromPEM(privateKeyCAData)
|
|
s.Assert().NoError(err)
|
|
s.Assert().True(utils.IsX509PrivateKey(privateCAKey))
|
|
|
|
c, err := utils.ParseX509FromPEM(certificateData)
|
|
s.Assert().NoError(err)
|
|
s.Assert().False(utils.IsX509PrivateKey(c))
|
|
|
|
cCA, err := utils.ParseX509FromPEM(certificateCAData)
|
|
s.Assert().NoError(err)
|
|
s.Assert().False(utils.IsX509PrivateKey(cCA))
|
|
|
|
certificate, ok := utils.CastX509AsCertificate(c)
|
|
s.Assert().True(ok)
|
|
|
|
certificateCA, ok := utils.CastX509AsCertificate(cCA)
|
|
s.Assert().True(ok)
|
|
|
|
s.Require().NotNil(certificate)
|
|
s.Require().NotNil(certificateCA)
|
|
|
|
err = certificate.CheckSignatureFrom(certificateCA)
|
|
|
|
s.Assert().NoError(err)
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateEd25519() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ed25519", "generate", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: Ed25519, Public Key Algorithm: Ed25519")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldFailGenerateCertificateParseNotBefore() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "generate", "--not-before=invalid", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: failed to parse not before: parsing time \"invalid\" as \"Jan 2 15:04:05 2006\": cannot parse \"invalid\" as \"Jan\"")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldFailGenerateCertificateECDSA() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "generate", "--curve=invalid", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: invalid curve 'invalid' was specified: curve must be P224, P256, P384, or P521")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateECDSACurveP224() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "generate", "--curve=P224", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-224")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateECDSACurveP256() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "generate", "--curve=P256", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-256")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateECDSACurveP384() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "generate", "--curve=P384", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-384")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateCertificateECDSACurveP521() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "ecdsa", "generate", "--curve=P521", "--common-name=example.com", "--sans='*.example.com'", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating Certificate")
|
|
s.Assert().Contains(output, "\tSerial: ")
|
|
s.Assert().Contains(output, "Signed By:\n\tSelf-Signed")
|
|
|
|
s.Assert().Contains(output, "\tCommon Name: example.com, Organization: [Authelia], Organizational Unit: []")
|
|
s.Assert().Contains(output, "\tCountry: [], Province: [], Street Address: [], Postal Code: [], Locality: []")
|
|
s.Assert().Contains(output, "\tCA: false, CSR: false, Signature Algorithm: ECDSA-SHA256, Public Key Algorithm: ECDSA, Elliptic Curve: P-521")
|
|
s.Assert().Contains(output, "\tSubject Alternative Names: DNS.1:*.example.com")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tCertificate: /tmp/public.crt")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateRSAKeyPair() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "rsa", "generate", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: RSA-256 2048 bits\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateRSAKeyPairWith4069Bits() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "rsa", "generate", "--bits=4096", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: RSA-512 4096 bits\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSAKeyPair() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "ecdsa", "generate", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: ECDSA Curve P-256\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSAKeyPairCurveP224() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "ecdsa", "generate", "--curve=P224", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: ECDSA Curve P-224\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSAKeyPairCurveP256() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "ecdsa", "generate", "--curve=P256", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: ECDSA Curve P-256\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSAKeyPairCurveP384() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "ecdsa", "generate", "--curve=P384", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: ECDSA Curve P-384\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateECDSAKeyPairCurveP521() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "ecdsa", "generate", "--curve=P521", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: ECDSA Curve P-521\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldGenerateEd25519KeyPair() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "ed25519", "generate", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Generating key pair")
|
|
|
|
s.Assert().Contains(output, "Algorithm: Ed25519\n\n")
|
|
|
|
s.Assert().Contains(output, "Output Paths:")
|
|
s.Assert().Contains(output, "\tPrivate Key: /tmp/private.pem")
|
|
s.Assert().Contains(output, "\tPublic Key: /tmp/public.pem")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldNotGenerateECDSAKeyPairCurveInvalid() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "pair", "ecdsa", "generate", "--curve=invalid", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: invalid curve 'invalid' was specified: curve must be P224, P256, P384, or P521")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldNotGenerateRSAWithBadCAPath() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--path.ca=/tmp/invalid", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: could not read private key file '/tmp/invalid/ca.private.pem': open /tmp/invalid/ca.private.pem: no such file or directory\n")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldNotGenerateRSAWithBadCAFileNames() {
|
|
var (
|
|
err error
|
|
output string
|
|
)
|
|
|
|
_, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name='Authelia Standalone Root Certificate Authority'", "--ca", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--path.ca=/tmp/", "--file.ca-private-key=invalid.pem", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: could not read private key file '/tmp/invalid.pem': open /tmp/invalid.pem: no such file or directory\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--path.ca=/tmp/", "--file.ca-certificate=invalid.crt", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: could not read certificate file '/tmp/invalid.crt': open /tmp/invalid.crt: no such file or directory\n")
|
|
}
|
|
|
|
func (s *CLISuite) TestShouldNotGenerateRSAWithBadCAFileContent() {
|
|
var (
|
|
err error
|
|
output string
|
|
)
|
|
|
|
_, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--common-name='Authelia Standalone Root Certificate Authority'", "--ca", "--directory=/tmp/"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Require().NoError(os.WriteFile("/tmp/ca.private.bad.pem", []byte("INVALID"), 0600)) //nolint:gosec
|
|
s.Require().NoError(os.WriteFile("/tmp/ca.public.bad.crt", []byte("INVALID"), 0600)) //nolint:gosec
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--path.ca=/tmp/", "--file.ca-private-key=ca.private.bad.pem", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: could not parse private key from file '/tmp/ca.private.bad.pem': failed to parse PEM block containing the key\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "crypto", "certificate", "rsa", "generate", "--path.ca=/tmp/", "--file.ca-certificate=ca.public.bad.crt", "--directory=/tmp/"})
|
|
s.Assert().NotNil(err)
|
|
s.Assert().Contains(output, "Error: could not parse certificate from file '/tmp/ca.public.bad.crt': failed to parse PEM block containing the key\n")
|
|
}
|
|
|
|
func (s *CLISuite) TestStorageShouldShowErrWithoutConfig() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "schema-info"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
|
|
s.Assert().Contains(output, "Error: storage: configuration for a 'local', 'mysql' or 'postgres' database must be provided, storage: option 'encryption_key' must is required\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "history"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
|
|
s.Assert().Contains(output, "Error: storage: configuration for a 'local', 'mysql' or 'postgres' database must be provided, storage: option 'encryption_key' must is required\n")
|
|
}
|
|
|
|
func (s *CLISuite) TestStorage00ShouldShowCorrectPreInitInformation() {
|
|
_ = os.Remove("/tmp/db.sqlite3")
|
|
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "schema-info", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
pattern := regexp.MustCompile(`^Schema Version: N/A\nSchema Upgrade Available: yes - version \d+\nSchema Tables: N/A\nSchema Encryption Key: unsupported \(schema version\)`)
|
|
|
|
s.Assert().Regexp(pattern, output)
|
|
|
|
patternOutdated := regexp.MustCompile(`Error: schema is version \d+ which is outdated please migrate to version \d+ in order to use this command or use an older binary`)
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "export", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Regexp(patternOutdated, output)
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Regexp(patternOutdated, output)
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Could not check encryption key for validity. The schema version doesn't support encryption.")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "down", "--target=0", "--destroy-data", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: schema migration target version 0 is the same current version 0")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "up", "--target=2147483640", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: schema up migration target version 2147483640 is greater then the latest version ")
|
|
s.Assert().Contains(output, " which indicates it doesn't exist")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "history", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "No migration history is available for schemas that not version 1 or above.\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "list-up", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Storage Schema Migration List (Up)\n\nVersion\t\tDescription\n1\t\tInitial Schema\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "list-down", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Storage Schema Migration List (Down)\n\nNo Migrations Available\n")
|
|
}
|
|
|
|
func (s *CLISuite) TestStorage01ShouldMigrateUp() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "up", "--config=/config/configuration.storage.yml"})
|
|
s.Require().NoError(err)
|
|
|
|
pattern0 := regexp.MustCompile(`"Storage schema migration from \d+ to \d+ is being attempted"`)
|
|
pattern1 := regexp.MustCompile(`"Storage schema migration from \d+ to \d+ is complete"`)
|
|
|
|
s.Regexp(pattern0, output)
|
|
s.Regexp(pattern1, output)
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "up", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
|
|
s.Assert().Contains(output, "Error: schema already up to date\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "history", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Migration History:\n\nID\tDate\t\t\t\tBefore\tAfter\tAuthelia Version\n")
|
|
s.Assert().Contains(output, "0\t1")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "list-up", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Storage Schema Migration List (Up)\n\nNo Migrations Available")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "list-down", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Storage Schema Migration List (Down)\n\nVersion\t\tDescription\n")
|
|
s.Assert().Contains(output, "1\t\tInitial Schema")
|
|
}
|
|
|
|
func (s *CLISuite) TestStorage02ShouldShowSchemaInfo() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "schema-info", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Schema Version: ")
|
|
s.Assert().Contains(output, "authentication_logs")
|
|
s.Assert().Contains(output, "identity_verification")
|
|
s.Assert().Contains(output, "duo_devices")
|
|
s.Assert().Contains(output, "user_preferences")
|
|
s.Assert().Contains(output, "migrations")
|
|
s.Assert().Contains(output, "encryption")
|
|
s.Assert().Contains(output, "encryption")
|
|
s.Assert().Contains(output, "webauthn_devices")
|
|
s.Assert().Contains(output, "totp_configurations")
|
|
s.Assert().Contains(output, "Schema Encryption Key: valid")
|
|
}
|
|
|
|
func (s *CLISuite) TestStorage03ShouldExportTOTP() {
|
|
storageProvider := storage.NewSQLiteProvider(&storageLocalTmpConfig)
|
|
|
|
ctx := context.Background()
|
|
|
|
var (
|
|
err error
|
|
)
|
|
|
|
var (
|
|
expectedLines = make([]string, 0, 3)
|
|
expectedLinesCSV = make([]string, 0, 4)
|
|
output string
|
|
)
|
|
|
|
expectedLinesCSV = append(expectedLinesCSV, "issuer,username,algorithm,digits,period,secret")
|
|
|
|
testCases := []struct {
|
|
config model.TOTPConfiguration
|
|
png bool
|
|
}{
|
|
{
|
|
config: model.TOTPConfiguration{
|
|
Username: "john",
|
|
Period: 30,
|
|
Digits: 6,
|
|
Algorithm: "SHA1",
|
|
},
|
|
},
|
|
{
|
|
config: model.TOTPConfiguration{
|
|
Username: "mary",
|
|
Period: 45,
|
|
Digits: 6,
|
|
Algorithm: "SHA1",
|
|
},
|
|
},
|
|
{
|
|
config: model.TOTPConfiguration{
|
|
Username: "fred",
|
|
Period: 30,
|
|
Digits: 8,
|
|
Algorithm: "SHA1",
|
|
},
|
|
},
|
|
{
|
|
config: model.TOTPConfiguration{
|
|
Username: "jone",
|
|
Period: 30,
|
|
Digits: 6,
|
|
Algorithm: "SHA512",
|
|
},
|
|
png: true,
|
|
},
|
|
}
|
|
|
|
var (
|
|
config *model.TOTPConfiguration
|
|
fileInfo os.FileInfo
|
|
)
|
|
|
|
for _, testCase := range testCases {
|
|
if testCase.png {
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "generate", testCase.config.Username, "--period", strconv.Itoa(int(testCase.config.Period)), "--algorithm", testCase.config.Algorithm, "--digits", strconv.Itoa(int(testCase.config.Digits)), "--path=/tmp/qr.png", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, " and saved it as a PNG image at the path '/tmp/qr.png'")
|
|
|
|
fileInfo, err = os.Stat("/tmp/qr.png")
|
|
s.Assert().NoError(err)
|
|
s.Require().NotNil(fileInfo)
|
|
s.Assert().False(fileInfo.IsDir())
|
|
s.Assert().Greater(fileInfo.Size(), int64(1000))
|
|
} else {
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "generate", testCase.config.Username, "--period", strconv.Itoa(int(testCase.config.Period)), "--algorithm", testCase.config.Algorithm, "--digits", strconv.Itoa(int(testCase.config.Digits)), "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
}
|
|
|
|
config, err = storageProvider.LoadTOTPConfiguration(ctx, testCase.config.Username)
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, config.URI())
|
|
|
|
expectedLinesCSV = append(expectedLinesCSV, fmt.Sprintf("%s,%s,%s,%d,%d,%s", "Authelia", config.Username, config.Algorithm, config.Digits, config.Period, string(config.Secret)))
|
|
expectedLines = append(expectedLines, config.URI())
|
|
}
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "export", "--format=uri", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
for _, expectedLine := range expectedLines {
|
|
s.Assert().Contains(output, expectedLine)
|
|
}
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "export", "--format=csv", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
for _, expectedLine := range expectedLinesCSV {
|
|
s.Assert().Contains(output, expectedLine)
|
|
}
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "export", "--format=wrong", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: format must be csv, uri, or png")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "export", "--format=png", "--dir=/tmp/qr", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Exported TOTP QR codes in PNG format in the '/tmp/qr' directory")
|
|
|
|
for _, testCase := range testCases {
|
|
fileInfo, err = os.Stat(fmt.Sprintf("/tmp/qr/%s.png", testCase.config.Username))
|
|
|
|
s.Assert().NoError(err)
|
|
s.Require().NotNil(fileInfo)
|
|
|
|
s.Assert().False(fileInfo.IsDir())
|
|
s.Assert().Greater(fileInfo.Size(), int64(1000))
|
|
}
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "totp", "generate", "test", "--period=30", "--algorithm=SHA1", "--digits=6", "--path=/tmp/qr.png", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: image output filepath already exists")
|
|
}
|
|
|
|
func (s *CLISuite) TestStorage04ShouldManageUniqueID() {
|
|
_ = os.Mkdir("/tmp/out", 0777)
|
|
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "export", "--file=out.yml", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: no data to export")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=webauthn", "--sector=''", "--identifier=1097c8f8-83f2-4506-8138-5f40e83a1285", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: the service name 'webauthn' is invalid, the valid values are: 'openid'")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=openid", "--sector=''", "--identifier=1097c8f8-83f2-4506-8138-5f40e83a1285", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Added User Opaque Identifier:\n\tService: openid\n\tSector: \n\tUsername: john\n\tIdentifier: 1097c8f8-83f2-4506-8138-5f40e83a1285\n\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "export", "--file=/a/no/path/fileout.yml", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: error occurred writing to file '/a/no/path/fileout.yml': open /a/no/path/fileout.yml: no such file or directory")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "export", "--file=out.yml", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: error occurred writing to file 'out.yml': open out.yml: permission denied")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "export", "--file=/tmp/out/1.yml", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Exported 1 User Opaque Identifiers to /tmp/out/1.yml")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "export", "--file=/tmp/out/1.yml", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: must specify a file that doesn't exist but '/tmp/out/1.yml' exists")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=openid", "--sector=''", "--identifier=1097c8f8-83f2-4506-8138-5f40e83a1285", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: error inserting user opaque id for user 'john' with opaque id '1097c8f8-83f2-4506-8138-5f40e83a1285':")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=openid", "--sector=''", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: error inserting user opaque id for user 'john' with opaque id")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=openid", "--sector='openidconnect.com'", "--identifier=1097c8f8-83f2-4506-8138-5f40e83a1285", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: error inserting user opaque id for user 'john' with opaque id '1097c8f8-83f2-4506-8138-5f40e83a1285':")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=openid", "--sector='openidconnect.net'", "--identifier=b0e17f48-933c-4cba-8509-ee9bfadf8ce5", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Added User Opaque Identifier:\n\tService: openid\n\tSector: openidconnect.net\n\tUsername: john\n\tIdentifier: b0e17f48-933c-4cba-8509-ee9bfadf8ce5\n\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=openid", "--sector='bad-uuid.com'", "--identifier=d49564dc-b7a1-11ec-8429-fcaa147128ea", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: the identifier providerd 'd49564dc-b7a1-11ec-8429-fcaa147128ea' is a version 1 UUID but only version 4 UUID's accepted as identifiers")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "add", "john", "--service=openid", "--sector='bad-uuid.com'", "--identifier=asdmklasdm", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
s.Assert().Contains(output, "Error: the identifier provided 'asdmklasdm' is invalid as it must be a version 4 UUID but parsing it had an error: invalid UUID length: 10")
|
|
|
|
data, err := os.ReadFile("/tmp/out/1.yml")
|
|
s.Assert().NoError(err)
|
|
|
|
var export model.UserOpaqueIdentifiersExport
|
|
|
|
s.Assert().NoError(yaml.Unmarshal(data, &export))
|
|
|
|
s.Require().Len(export.Identifiers, 1)
|
|
|
|
s.Assert().Equal(1, export.Identifiers[0].ID)
|
|
s.Assert().Equal("1097c8f8-83f2-4506-8138-5f40e83a1285", export.Identifiers[0].Identifier.String())
|
|
s.Assert().Equal("john", export.Identifiers[0].Username)
|
|
s.Assert().Equal("", export.Identifiers[0].SectorID)
|
|
s.Assert().Equal("openid", export.Identifiers[0].Service)
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "user", "identifiers", "export", "--file=/tmp/out/2.yml", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
s.Assert().Contains(output, "Exported 2 User Opaque Identifiers to /tmp/out/2.yml")
|
|
|
|
export = model.UserOpaqueIdentifiersExport{}
|
|
|
|
data, err = os.ReadFile("/tmp/out/2.yml")
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().NoError(yaml.Unmarshal(data, &export))
|
|
|
|
s.Require().Len(export.Identifiers, 2)
|
|
|
|
s.Assert().Equal(1, export.Identifiers[0].ID)
|
|
s.Assert().Equal("1097c8f8-83f2-4506-8138-5f40e83a1285", export.Identifiers[0].Identifier.String())
|
|
s.Assert().Equal("john", export.Identifiers[0].Username)
|
|
s.Assert().Equal("", export.Identifiers[0].SectorID)
|
|
s.Assert().Equal("openid", export.Identifiers[0].Service)
|
|
|
|
s.Assert().Equal(2, export.Identifiers[1].ID)
|
|
s.Assert().Equal("b0e17f48-933c-4cba-8509-ee9bfadf8ce5", export.Identifiers[1].Identifier.String())
|
|
s.Assert().Equal("john", export.Identifiers[1].Username)
|
|
s.Assert().Equal("openidconnect.net", export.Identifiers[1].SectorID)
|
|
s.Assert().Equal("openid", export.Identifiers[1].Service)
|
|
}
|
|
|
|
func (s *CLISuite) TestStorage05ShouldChangeEncryptionKey() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", "--new-encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Completed the encryption key change. Please adjust your configuration to use the new key.\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "schema-info", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Schema Version: ")
|
|
s.Assert().Contains(output, "authentication_logs")
|
|
s.Assert().Contains(output, "identity_verification")
|
|
s.Assert().Contains(output, "duo_devices")
|
|
s.Assert().Contains(output, "user_preferences")
|
|
s.Assert().Contains(output, "migrations")
|
|
s.Assert().Contains(output, "encryption")
|
|
s.Assert().Contains(output, "encryption")
|
|
s.Assert().Contains(output, "webauthn_devices")
|
|
s.Assert().Contains(output, "totp_configurations")
|
|
s.Assert().Contains(output, "Schema Encryption Key: invalid")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Encryption key validation: failed.\n\nError: the encryption key is not valid against the schema check value.\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--verbose", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Encryption key validation: failed.\n\nError: the encryption key is not valid against the schema check value, 4 of 4 total TOTP secrets were invalid.\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Encryption key validation: success.\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--verbose", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
s.Assert().Contains(output, "Encryption key validation: success.\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
|
|
s.Assert().Contains(output, "Error: you must set the --new-encryption-key flag\n")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", "--encryption-key=apple-apple-apple-apple", "--new-encryption-key=abc", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().EqualError(err, "exit status 1")
|
|
|
|
s.Assert().Contains(output, "Error: the new encryption key must be at least 20 characters\n")
|
|
}
|
|
|
|
func (s *CLISuite) TestStorage06ShouldMigrateDown() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "down", "--target=0", "--destroy-data", "--config=/config/configuration.storage.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
pattern0 := regexp.MustCompile(`"Storage schema migration from \d+ to \d+ is being attempted"`)
|
|
pattern1 := regexp.MustCompile(`"Storage schema migration from \d+ to \d+ is complete"`)
|
|
|
|
s.Regexp(pattern0, output)
|
|
s.Regexp(pattern1, output)
|
|
}
|
|
|
|
func (s *CLISuite) TestACLPolicyCheckVerbose() {
|
|
output, err := s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "access-control", "check-policy", "--url=https://public.example.com", "--verbose", "--config=/config/configuration.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
// This is an example of `authelia access-control check-policy --config .\internal\suites\CLI\configuration.yml --url=https://public.example.com --verbose`.
|
|
s.Contains(output, "Performing policy check for request to 'https://public.example.com' method 'GET'.\n\n")
|
|
s.Contains(output, " #\tDomain\tResource\tMethod\tNetwork\tSubject\n")
|
|
s.Contains(output, "* 1\thit\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 2\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 3\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 4\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 5\tmiss\tmiss\t\thit\thit\thit\n")
|
|
s.Contains(output, " 6\tmiss\thit\t\tmiss\thit\thit\n")
|
|
s.Contains(output, " 7\tmiss\thit\t\thit\tmiss\thit\n")
|
|
s.Contains(output, " 8\tmiss\thit\t\thit\thit\tmay\n")
|
|
s.Contains(output, " 9\tmiss\thit\t\thit\thit\tmay\n")
|
|
s.Contains(output, "The policy 'bypass' from rule #1 will be applied to this request.")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "access-control", "check-policy", "--url=https://admin.example.com", "--method=HEAD", "--username=tom", "--groups=basic,test", "--ip=192.168.2.3", "--verbose", "--config=/config/configuration.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
// This is an example of `authelia access-control check-policy --config .\internal\suites\CLI\configuration.yml --url=https://admin.example.com --method=HEAD --username=tom --groups=basic,test --ip=192.168.2.3 --verbose`.
|
|
s.Contains(output, "Performing policy check for request to 'https://admin.example.com' method 'HEAD' username 'tom' groups 'basic,test' from IP '192.168.2.3'.\n\n")
|
|
s.Contains(output, " #\tDomain\tResource\tMethod\tNetwork\tSubject\n")
|
|
s.Contains(output, " #\tDomain\tResource\tMethod\tNetwork\tSubject\n")
|
|
s.Contains(output, " 1\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, "* 2\thit\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 3\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 4\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 5\tmiss\tmiss\t\thit\thit\thit\n")
|
|
s.Contains(output, " 6\tmiss\thit\t\tmiss\thit\thit\n")
|
|
s.Contains(output, " 7\tmiss\thit\t\thit\tmiss\thit\n")
|
|
s.Contains(output, " 8\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 9\tmiss\thit\t\thit\thit\tmiss\n")
|
|
s.Contains(output, "The policy 'two_factor' from rule #2 will be applied to this request.")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "access-control", "check-policy", "--url=https://resources.example.com/resources/test", "--method=POST", "--username=john", "--groups=admin,test", "--ip=192.168.1.3", "--verbose", "--config=/config/configuration.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
// This is an example of `authelia access-control check-policy --config .\internal\suites\CLI\configuration.yml --url=https://resources.example.com/resources/test --method=POST --username=john --groups=admin,test --ip=192.168.1.3 --verbose`.
|
|
s.Contains(output, "Performing policy check for request to 'https://resources.example.com/resources/test' method 'POST' username 'john' groups 'admin,test' from IP '192.168.1.3'.\n\n")
|
|
s.Contains(output, " #\tDomain\tResource\tMethod\tNetwork\tSubject\n")
|
|
s.Contains(output, " 1\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 2\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 3\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 4\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, "* 5\thit\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 6\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 7\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 8\tmiss\thit\t\thit\thit\tmiss\n")
|
|
s.Contains(output, " 9\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, "The policy 'one_factor' from rule #5 will be applied to this request.")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "access-control", "check-policy", "--url=https://user.example.com/resources/test", "--method=HEAD", "--username=john", "--groups=admin,test", "--ip=192.168.1.3", "--verbose", "--config=/config/configuration.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
// This is an example of `access-control check-policy --config .\internal\suites\CLI\configuration.yml --url=https://user.example.com --method=HEAD --username=john --groups=admin,test --ip=192.168.1.3 --verbose`.
|
|
s.Contains(output, "Performing policy check for request to 'https://user.example.com/resources/test' method 'HEAD' username 'john' groups 'admin,test' from IP '192.168.1.3'.\n\n")
|
|
s.Contains(output, " #\tDomain\tResource\tMethod\tNetwork\tSubject\n")
|
|
s.Contains(output, " 1\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 2\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 3\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 4\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 5\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 6\tmiss\thit\t\tmiss\thit\thit\n")
|
|
s.Contains(output, " 7\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 8\tmiss\thit\t\thit\thit\tmiss\n")
|
|
s.Contains(output, "* 9\thit\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, "The policy 'one_factor' from rule #9 will be applied to this request.")
|
|
|
|
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "access-control", "check-policy", "--url=https://user.example.com", "--method=HEAD", "--ip=192.168.1.3", "--verbose", "--config=/config/configuration.yml"})
|
|
s.Assert().NoError(err)
|
|
|
|
// This is an example of `authelia access-control check-policy --config .\internal\suites\CLI\configuration.yml --url=https://user.example.com --method=HEAD --ip=192.168.1.3 --verbose`.
|
|
s.Contains(output, "Performing policy check for request to 'https://user.example.com' method 'HEAD' from IP '192.168.1.3'.\n\n")
|
|
s.Contains(output, " #\tDomain\tResource\tMethod\tNetwork\tSubject\n")
|
|
s.Contains(output, " 1\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 2\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 3\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 4\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 5\tmiss\tmiss\t\thit\thit\thit\n")
|
|
s.Contains(output, " 6\tmiss\thit\t\tmiss\thit\thit\n")
|
|
s.Contains(output, " 7\tmiss\thit\t\thit\thit\thit\n")
|
|
s.Contains(output, " 8\tmiss\thit\t\thit\thit\tmay\n")
|
|
s.Contains(output, "~ 9\thit\thit\t\thit\thit\tmay\n")
|
|
s.Contains(output, "The policy 'one_factor' from rule #9 will potentially be applied to this request. Otherwise the policy 'bypass' from the default policy will be.")
|
|
}
|
|
|
|
func TestCLISuite(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("skipping suite test in short mode")
|
|
}
|
|
|
|
suite.Run(t, NewCLISuite())
|
|
}
|