226 lines
5.0 KiB
Go
226 lines
5.0 KiB
Go
package config
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
// validConfig returns a minimal valid TOML config string.
|
|
func validConfig() string {
|
|
return `
|
|
[server]
|
|
listen_addr = "0.0.0.0:8443"
|
|
tls_cert = "/etc/mcias/server.crt"
|
|
tls_key = "/etc/mcias/server.key"
|
|
|
|
[database]
|
|
path = "/var/lib/mcias/mcias.db"
|
|
|
|
[tokens]
|
|
issuer = "https://auth.example.com"
|
|
default_expiry = "720h"
|
|
admin_expiry = "8h"
|
|
service_expiry = "8760h"
|
|
|
|
[argon2]
|
|
time = 3
|
|
memory = 65536
|
|
threads = 4
|
|
|
|
[master_key]
|
|
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
|
|
`
|
|
}
|
|
|
|
func writeTempConfig(t *testing.T, content string) string {
|
|
t.Helper()
|
|
dir := t.TempDir()
|
|
path := filepath.Join(dir, "mcias.toml")
|
|
if err := os.WriteFile(path, []byte(content), 0600); err != nil {
|
|
t.Fatalf("write temp config: %v", err)
|
|
}
|
|
return path
|
|
}
|
|
|
|
func TestLoadValidConfig(t *testing.T) {
|
|
path := writeTempConfig(t, validConfig())
|
|
cfg, err := Load(path)
|
|
if err != nil {
|
|
t.Fatalf("Load returned error: %v", err)
|
|
}
|
|
|
|
if cfg.Server.ListenAddr != "0.0.0.0:8443" {
|
|
t.Errorf("ListenAddr = %q, want %q", cfg.Server.ListenAddr, "0.0.0.0:8443")
|
|
}
|
|
if cfg.Tokens.Issuer != "https://auth.example.com" {
|
|
t.Errorf("Issuer = %q, want %q", cfg.Tokens.Issuer, "https://auth.example.com")
|
|
}
|
|
if cfg.DefaultExpiry() != 720*time.Hour {
|
|
t.Errorf("DefaultExpiry = %v, want %v", cfg.DefaultExpiry(), 720*time.Hour)
|
|
}
|
|
if cfg.AdminExpiry() != 8*time.Hour {
|
|
t.Errorf("AdminExpiry = %v, want %v", cfg.AdminExpiry(), 8*time.Hour)
|
|
}
|
|
if cfg.ServiceExpiry() != 8760*time.Hour {
|
|
t.Errorf("ServiceExpiry = %v, want %v", cfg.ServiceExpiry(), 8760*time.Hour)
|
|
}
|
|
if cfg.Argon2.Time != 3 {
|
|
t.Errorf("Argon2.Time = %d, want 3", cfg.Argon2.Time)
|
|
}
|
|
if cfg.Argon2.Memory != 65536 {
|
|
t.Errorf("Argon2.Memory = %d, want 65536", cfg.Argon2.Memory)
|
|
}
|
|
if cfg.MasterKey.PassphraseEnv != "MCIAS_MASTER_PASSPHRASE" {
|
|
t.Errorf("MasterKey.PassphraseEnv = %q", cfg.MasterKey.PassphraseEnv)
|
|
}
|
|
}
|
|
|
|
func TestLoadMissingFile(t *testing.T) {
|
|
_, err := Load("/nonexistent/path/mcias.toml")
|
|
if err == nil {
|
|
t.Error("expected error for missing file, got nil")
|
|
}
|
|
}
|
|
|
|
func TestLoadInvalidTOML(t *testing.T) {
|
|
path := writeTempConfig(t, "this is not valid TOML {{{{")
|
|
_, err := Load(path)
|
|
if err == nil {
|
|
t.Error("expected error for invalid TOML, got nil")
|
|
}
|
|
}
|
|
|
|
func TestValidateMissingListenAddr(t *testing.T) {
|
|
path := writeTempConfig(t, `
|
|
[server]
|
|
tls_cert = "/etc/mcias/server.crt"
|
|
tls_key = "/etc/mcias/server.key"
|
|
|
|
[database]
|
|
path = "/var/lib/mcias/mcias.db"
|
|
|
|
[tokens]
|
|
issuer = "https://auth.example.com"
|
|
default_expiry = "720h"
|
|
admin_expiry = "8h"
|
|
service_expiry = "8760h"
|
|
|
|
[argon2]
|
|
time = 3
|
|
memory = 65536
|
|
threads = 4
|
|
|
|
[master_key]
|
|
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
|
|
`)
|
|
_, err := Load(path)
|
|
if err == nil {
|
|
t.Error("expected error for missing listen_addr, got nil")
|
|
}
|
|
}
|
|
|
|
func TestValidateArgon2TooWeak(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
time uint32
|
|
memory uint32
|
|
}{
|
|
{"time too low", 1, 65536},
|
|
{"memory too low", 3, 32768},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
content := validConfig()
|
|
// Override argon2 section
|
|
path := writeTempConfig(t, content)
|
|
cfg, err := Load(path)
|
|
if err != nil {
|
|
t.Fatalf("baseline load failed: %v", err)
|
|
}
|
|
// Manually set unsafe params and re-validate
|
|
cfg.Argon2.Time = tc.time
|
|
cfg.Argon2.Memory = tc.memory
|
|
if err := cfg.validate(); err == nil {
|
|
t.Errorf("expected validation error for time=%d memory=%d, got nil", tc.time, tc.memory)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestValidateMasterKeyBothSet(t *testing.T) {
|
|
path := writeTempConfig(t, `
|
|
[server]
|
|
listen_addr = "0.0.0.0:8443"
|
|
tls_cert = "/etc/mcias/server.crt"
|
|
tls_key = "/etc/mcias/server.key"
|
|
|
|
[database]
|
|
path = "/var/lib/mcias/mcias.db"
|
|
|
|
[tokens]
|
|
issuer = "https://auth.example.com"
|
|
default_expiry = "720h"
|
|
admin_expiry = "8h"
|
|
service_expiry = "8760h"
|
|
|
|
[argon2]
|
|
time = 3
|
|
memory = 65536
|
|
threads = 4
|
|
|
|
[master_key]
|
|
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
|
|
keyfile = "/etc/mcias/master.key"
|
|
`)
|
|
_, err := Load(path)
|
|
if err == nil {
|
|
t.Error("expected error when both passphrase_env and keyfile are set, got nil")
|
|
}
|
|
}
|
|
|
|
func TestValidateMasterKeyNoneSet(t *testing.T) {
|
|
path := writeTempConfig(t, `
|
|
[server]
|
|
listen_addr = "0.0.0.0:8443"
|
|
tls_cert = "/etc/mcias/server.crt"
|
|
tls_key = "/etc/mcias/server.key"
|
|
|
|
[database]
|
|
path = "/var/lib/mcias/mcias.db"
|
|
|
|
[tokens]
|
|
issuer = "https://auth.example.com"
|
|
default_expiry = "720h"
|
|
admin_expiry = "8h"
|
|
service_expiry = "8760h"
|
|
|
|
[argon2]
|
|
time = 3
|
|
memory = 65536
|
|
threads = 4
|
|
|
|
[master_key]
|
|
`)
|
|
_, err := Load(path)
|
|
if err == nil {
|
|
t.Error("expected error when neither passphrase_env nor keyfile is set, got nil")
|
|
}
|
|
}
|
|
|
|
func TestDurationParsing(t *testing.T) {
|
|
var d duration
|
|
if err := d.UnmarshalText([]byte("1h30m")); err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
if d.Duration != 90*time.Minute {
|
|
t.Errorf("Duration = %v, want %v", d.Duration, 90*time.Minute)
|
|
}
|
|
|
|
if err := d.UnmarshalText([]byte("not-a-duration")); err == nil {
|
|
t.Error("expected error for invalid duration, got nil")
|
|
}
|
|
}
|