Junie: fix token authentication
This commit is contained in:
174
api/auth_test.go
174
api/auth_test.go
@@ -21,7 +21,7 @@ func setupTestDB(t *testing.T) *sql.DB {
|
||||
t.Fatalf("Failed to open test database: %v", err)
|
||||
}
|
||||
|
||||
schema, err := os.ReadFile("../schema.sql")
|
||||
schema, err := os.ReadFile("../database/schema.sql")
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to read schema: %v", err)
|
||||
}
|
||||
@@ -109,11 +109,11 @@ func TestTokenLogin(t *testing.T) {
|
||||
server := NewServer(db, logger)
|
||||
|
||||
token := "testtoken123456"
|
||||
expires := time.Now().Add(24 * time.Hour).Unix()
|
||||
initialExpires := time.Now().Add(1 * time.Hour).Unix() // Set initial expiry to 1 hour from now
|
||||
|
||||
tokenID := "token123"
|
||||
query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
|
||||
_, err := db.Exec(query, tokenID, user.ID, token, expires)
|
||||
_, err := db.Exec(query, tokenID, user.ID, token, initialExpires)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to insert test token: %v", err)
|
||||
}
|
||||
@@ -146,14 +146,31 @@ func TestTokenLogin(t *testing.T) {
|
||||
t.Fatalf("Failed to decode response: %v", err)
|
||||
}
|
||||
|
||||
if response.Token == "" {
|
||||
t.Error("Expected token in response, got empty string")
|
||||
// Verify that the same token is returned
|
||||
if response.Token != token {
|
||||
t.Errorf("Expected the same token '%s', got '%s'", token, response.Token)
|
||||
}
|
||||
|
||||
// Verify that the expiry has been renewed (should be later than the initial expiry)
|
||||
if response.Expires <= initialExpires {
|
||||
t.Errorf("Expected renewed expiry to be later than initial expiry %d, got %d", initialExpires, response.Expires)
|
||||
}
|
||||
|
||||
now := time.Now().Unix()
|
||||
if response.Expires <= now {
|
||||
t.Errorf("Expected token expiration in the future, got %d (now: %d)", response.Expires, now)
|
||||
}
|
||||
|
||||
// Verify that the token in the database has been updated
|
||||
var dbExpires int64
|
||||
err = db.QueryRow("SELECT expires FROM tokens WHERE id = ?", tokenID).Scan(&dbExpires)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to query token from database: %v", err)
|
||||
}
|
||||
|
||||
if dbExpires != response.Expires {
|
||||
t.Errorf("Database expiry %d does not match response expiry %d", dbExpires, response.Expires)
|
||||
}
|
||||
}
|
||||
|
||||
func TestInvalidPasswordLogin(t *testing.T) {
|
||||
@@ -225,11 +242,11 @@ func TestInvalidTokenLogin(t *testing.T) {
|
||||
func createTestAdminUser(t *testing.T, db *sql.DB) *data.User {
|
||||
user := createTestUser(t, db)
|
||||
|
||||
// Add admin role
|
||||
roleID := "role123"
|
||||
_, err := db.Exec("INSERT INTO roles (id, role) VALUES (?, ?)", roleID, "admin")
|
||||
// Use the existing admin role from schema.sql
|
||||
var roleID string
|
||||
err := db.QueryRow("SELECT id FROM roles WHERE role = 'admin'").Scan(&roleID)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to insert admin role: %v", err)
|
||||
t.Fatalf("Failed to get admin role ID: %v", err)
|
||||
}
|
||||
|
||||
// Assign admin role to user
|
||||
@@ -243,6 +260,42 @@ func createTestAdminUser(t *testing.T, db *sql.DB) *data.User {
|
||||
return user
|
||||
}
|
||||
|
||||
func createTestDBOperatorUser(t *testing.T, db *sql.DB) *data.User {
|
||||
// Create a new user
|
||||
user := &data.User{}
|
||||
login := &data.Login{
|
||||
User: "dboperator",
|
||||
Password: "testpassword",
|
||||
}
|
||||
|
||||
if err := user.Register(login); err != nil {
|
||||
t.Fatalf("Failed to register test user: %v", err)
|
||||
}
|
||||
|
||||
query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)`
|
||||
_, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to insert test user: %v", err)
|
||||
}
|
||||
|
||||
// Use the existing db_operator role from schema.sql
|
||||
var roleID string
|
||||
err = db.QueryRow("SELECT id FROM roles WHERE role = 'db_operator'").Scan(&roleID)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to get db_operator role ID: %v", err)
|
||||
}
|
||||
|
||||
// Assign db_operator role to user
|
||||
userRoleID := "ur456"
|
||||
_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to assign db_operator role to user: %v", err)
|
||||
}
|
||||
|
||||
user.Roles = []string{"db_operator"}
|
||||
return user
|
||||
}
|
||||
|
||||
func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) {
|
||||
query := `INSERT INTO database (id, host, port, name, user, password)
|
||||
VALUES (?, ?, ?, ?, ?, ?)`
|
||||
@@ -252,7 +305,7 @@ func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestDatabaseCredentials(t *testing.T) {
|
||||
func TestDatabaseCredentialsAdmin(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
defer db.Close()
|
||||
|
||||
@@ -304,20 +357,20 @@ func TestDatabaseCredentials(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestDatabaseCredentialsUnauthorized(t *testing.T) {
|
||||
func TestDatabaseCredentialsDBOperator(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
defer db.Close()
|
||||
|
||||
user := createTestUser(t, db) // Regular user without admin role
|
||||
user := createTestDBOperatorUser(t, db)
|
||||
insertTestDatabaseCredentials(t, db)
|
||||
|
||||
logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
|
||||
server := NewServer(db, logger)
|
||||
|
||||
token := "testtoken123456"
|
||||
token := "dboptoken123456"
|
||||
expires := time.Now().Add(24 * time.Hour).Unix()
|
||||
|
||||
tokenID := "token123"
|
||||
tokenID := "token456"
|
||||
query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
|
||||
_, err := db.Exec(query, tokenID, user.ID, token, expires)
|
||||
if err != nil {
|
||||
@@ -330,7 +383,100 @@ func TestDatabaseCredentialsUnauthorized(t *testing.T) {
|
||||
recorder := httptest.NewRecorder()
|
||||
server.handleDatabaseCredentials(recorder, req)
|
||||
|
||||
if recorder.Code != http.StatusOK {
|
||||
t.Errorf("Expected status code %d, got %d", http.StatusOK, recorder.Code)
|
||||
}
|
||||
|
||||
var response DatabaseCredentials
|
||||
if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil {
|
||||
t.Fatalf("Failed to decode response: %v", err)
|
||||
}
|
||||
|
||||
if response.Host != "localhost" {
|
||||
t.Errorf("Expected host 'localhost', got '%s'", response.Host)
|
||||
}
|
||||
if response.Port != 5432 {
|
||||
t.Errorf("Expected port 5432, got %d", response.Port)
|
||||
}
|
||||
if response.Name != "testdb" {
|
||||
t.Errorf("Expected database name 'testdb', got '%s'", response.Name)
|
||||
}
|
||||
if response.User != "postgres" {
|
||||
t.Errorf("Expected user 'postgres', got '%s'", response.User)
|
||||
}
|
||||
if response.Password != "securepassword" {
|
||||
t.Errorf("Expected password 'securepassword', got '%s'", response.Password)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDatabaseCredentialsUnauthorized(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
defer db.Close()
|
||||
|
||||
// Create a regular user with the 'user' role
|
||||
user := &data.User{}
|
||||
login := &data.Login{
|
||||
User: "regularuser",
|
||||
Password: "testpassword",
|
||||
}
|
||||
|
||||
if err := user.Register(login); err != nil {
|
||||
t.Fatalf("Failed to register test user: %v", err)
|
||||
}
|
||||
|
||||
query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)`
|
||||
_, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to insert test user: %v", err)
|
||||
}
|
||||
|
||||
// Use the existing user role from schema.sql
|
||||
var roleID string
|
||||
err = db.QueryRow("SELECT id FROM roles WHERE role = 'user'").Scan(&roleID)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to get user role ID: %v", err)
|
||||
}
|
||||
|
||||
// Assign user role to user
|
||||
userRoleID := "ur789"
|
||||
_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to assign user role to user: %v", err)
|
||||
}
|
||||
|
||||
insertTestDatabaseCredentials(t, db)
|
||||
|
||||
logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
|
||||
server := NewServer(db, logger)
|
||||
|
||||
token := "usertoken123456"
|
||||
expires := time.Now().Add(24 * time.Hour).Unix()
|
||||
|
||||
tokenID := "token789"
|
||||
tokenQuery := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
|
||||
_, err = db.Exec(tokenQuery, tokenID, user.ID, token, expires)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to insert test token: %v", err)
|
||||
}
|
||||
|
||||
req := httptest.NewRequest("GET", "/v1/database/credentials?username="+user.User, nil)
|
||||
req.Header.Set("Authorization", "Bearer "+token)
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
server.handleDatabaseCredentials(recorder, req)
|
||||
|
||||
if recorder.Code != http.StatusForbidden {
|
||||
t.Errorf("Expected status code %d, got %d", http.StatusForbidden, recorder.Code)
|
||||
}
|
||||
|
||||
// Check that the error message mentions the required permission
|
||||
var errResp ErrorResponse
|
||||
if err := json.NewDecoder(recorder.Body).Decode(&errResp); err != nil {
|
||||
t.Fatalf("Failed to decode error response: %v", err)
|
||||
}
|
||||
|
||||
expectedErrMsg := "Insufficient permissions: requires database_credentials:read permission"
|
||||
if errResp.Error != expectedErrMsg {
|
||||
t.Errorf("Expected error message '%s', got '%s'", expectedErrMsg, errResp.Error)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user