2014-08-29 17:49:50 +00:00
|
|
|
// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
|
|
|
|
// Use of this source code is governed by a MIT style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
2014-08-12 09:32:06 +00:00
|
|
|
package gin
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/base64"
|
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
|
|
|
"testing"
|
2015-04-08 13:17:41 +00:00
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2014-08-12 09:32:06 +00:00
|
|
|
)
|
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
func TestBasicAuth(t *testing.T) {
|
2015-05-19 20:19:25 +00:00
|
|
|
pairs := processAccounts(Accounts{
|
2015-04-08 13:17:41 +00:00
|
|
|
"admin": "password",
|
|
|
|
"foo": "bar",
|
|
|
|
"bar": "foo",
|
2015-05-19 20:19:25 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
assert.Len(t, pairs, 3)
|
|
|
|
assert.Contains(t, pairs, authPair{
|
2017-12-17 05:02:33 +00:00
|
|
|
user: "bar",
|
|
|
|
value: "Basic YmFyOmZvbw==",
|
2015-05-19 20:19:25 +00:00
|
|
|
})
|
|
|
|
assert.Contains(t, pairs, authPair{
|
2017-12-17 05:02:33 +00:00
|
|
|
user: "foo",
|
|
|
|
value: "Basic Zm9vOmJhcg==",
|
2015-05-19 20:19:25 +00:00
|
|
|
})
|
|
|
|
assert.Contains(t, pairs, authPair{
|
2017-12-17 05:02:33 +00:00
|
|
|
user: "admin",
|
|
|
|
value: "Basic YWRtaW46cGFzc3dvcmQ=",
|
2015-05-19 20:19:25 +00:00
|
|
|
})
|
2015-04-08 13:17:41 +00:00
|
|
|
}
|
2014-08-12 09:32:06 +00:00
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
func TestBasicAuthFails(t *testing.T) {
|
|
|
|
assert.Panics(t, func() { processAccounts(nil) })
|
|
|
|
assert.Panics(t, func() {
|
|
|
|
processAccounts(Accounts{
|
|
|
|
"": "password",
|
|
|
|
"foo": "bar",
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
2014-08-12 09:32:06 +00:00
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
func TestBasicAuthSearchCredential(t *testing.T) {
|
|
|
|
pairs := processAccounts(Accounts{
|
|
|
|
"admin": "password",
|
|
|
|
"foo": "bar",
|
|
|
|
"bar": "foo",
|
2014-08-12 09:32:06 +00:00
|
|
|
})
|
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
user, found := pairs.searchCredential(authorizationHeader("admin", "password"))
|
2017-08-04 05:45:59 +00:00
|
|
|
assert.Equal(t, "admin", user)
|
2015-04-08 13:17:41 +00:00
|
|
|
assert.True(t, found)
|
2014-08-12 09:32:06 +00:00
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
user, found = pairs.searchCredential(authorizationHeader("foo", "bar"))
|
2017-08-04 05:45:59 +00:00
|
|
|
assert.Equal(t, "foo", user)
|
2015-04-08 13:17:41 +00:00
|
|
|
assert.True(t, found)
|
2014-08-12 09:32:06 +00:00
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
user, found = pairs.searchCredential(authorizationHeader("bar", "foo"))
|
2017-08-04 05:45:59 +00:00
|
|
|
assert.Equal(t, "bar", user)
|
2015-04-08 13:17:41 +00:00
|
|
|
assert.True(t, found)
|
|
|
|
|
|
|
|
user, found = pairs.searchCredential(authorizationHeader("admins", "password"))
|
|
|
|
assert.Empty(t, user)
|
|
|
|
assert.False(t, found)
|
|
|
|
|
|
|
|
user, found = pairs.searchCredential(authorizationHeader("foo", "bar "))
|
|
|
|
assert.Empty(t, user)
|
|
|
|
assert.False(t, found)
|
2015-04-09 10:15:02 +00:00
|
|
|
|
|
|
|
user, found = pairs.searchCredential("")
|
|
|
|
assert.Empty(t, user)
|
|
|
|
assert.False(t, found)
|
2014-08-12 09:32:06 +00:00
|
|
|
}
|
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
func TestBasicAuthAuthorizationHeader(t *testing.T) {
|
2017-08-04 05:45:59 +00:00
|
|
|
assert.Equal(t, "Basic YWRtaW46cGFzc3dvcmQ=", authorizationHeader("admin", "password"))
|
2015-04-08 13:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestBasicAuthSecureCompare(t *testing.T) {
|
|
|
|
assert.True(t, secureCompare("1234567890", "1234567890"))
|
|
|
|
assert.False(t, secureCompare("123456789", "1234567890"))
|
|
|
|
assert.False(t, secureCompare("12345678900", "1234567890"))
|
|
|
|
assert.False(t, secureCompare("1234567891", "1234567890"))
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestBasicAuthSucceed(t *testing.T) {
|
|
|
|
accounts := Accounts{"admin": "password"}
|
|
|
|
router := New()
|
|
|
|
router.Use(BasicAuth(accounts))
|
|
|
|
router.GET("/login", func(c *Context) {
|
2018-08-14 01:51:56 +00:00
|
|
|
c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))
|
2015-04-08 13:17:41 +00:00
|
|
|
})
|
|
|
|
|
2014-08-12 09:32:06 +00:00
|
|
|
w := httptest.NewRecorder()
|
2015-04-08 13:17:41 +00:00
|
|
|
req, _ := http.NewRequest("GET", "/login", nil)
|
|
|
|
req.Header.Set("Authorization", authorizationHeader("admin", "password"))
|
|
|
|
router.ServeHTTP(w, req)
|
2014-08-12 09:32:06 +00:00
|
|
|
|
2018-08-14 01:51:56 +00:00
|
|
|
assert.Equal(t, http.StatusOK, w.Code)
|
2017-08-04 05:45:59 +00:00
|
|
|
assert.Equal(t, "admin", w.Body.String())
|
2015-04-08 13:17:41 +00:00
|
|
|
}
|
2014-08-12 09:32:06 +00:00
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
func TestBasicAuth401(t *testing.T) {
|
|
|
|
called := false
|
|
|
|
accounts := Accounts{"foo": "bar"}
|
|
|
|
router := New()
|
|
|
|
router.Use(BasicAuth(accounts))
|
|
|
|
router.GET("/login", func(c *Context) {
|
|
|
|
called = true
|
2018-08-14 01:51:56 +00:00
|
|
|
c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))
|
2014-08-12 09:32:06 +00:00
|
|
|
})
|
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
w := httptest.NewRecorder()
|
|
|
|
req, _ := http.NewRequest("GET", "/login", nil)
|
2014-08-12 09:32:06 +00:00
|
|
|
req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))
|
2015-04-08 13:17:41 +00:00
|
|
|
router.ServeHTTP(w, req)
|
2014-08-12 09:32:06 +00:00
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
assert.False(t, called)
|
2018-08-14 01:51:56 +00:00
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
2017-08-04 05:45:59 +00:00
|
|
|
assert.Equal(t, "Basic realm=\"Authorization Required\"", w.HeaderMap.Get("WWW-Authenticate"))
|
2014-08-12 09:32:06 +00:00
|
|
|
}
|
2015-03-04 22:38:17 +00:00
|
|
|
|
|
|
|
func TestBasicAuth401WithCustomRealm(t *testing.T) {
|
2015-04-08 13:17:41 +00:00
|
|
|
called := false
|
2015-03-04 22:38:17 +00:00
|
|
|
accounts := Accounts{"foo": "bar"}
|
2015-04-08 13:17:41 +00:00
|
|
|
router := New()
|
2015-05-19 18:15:28 +00:00
|
|
|
router.Use(BasicAuthForRealm(accounts, "My Custom \"Realm\""))
|
2015-04-08 13:17:41 +00:00
|
|
|
router.GET("/login", func(c *Context) {
|
|
|
|
called = true
|
2018-08-14 01:51:56 +00:00
|
|
|
c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))
|
2015-03-04 22:38:17 +00:00
|
|
|
})
|
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
w := httptest.NewRecorder()
|
|
|
|
req, _ := http.NewRequest("GET", "/login", nil)
|
2015-03-04 22:38:17 +00:00
|
|
|
req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))
|
2015-04-08 13:17:41 +00:00
|
|
|
router.ServeHTTP(w, req)
|
2015-03-04 22:38:17 +00:00
|
|
|
|
2015-04-08 13:17:41 +00:00
|
|
|
assert.False(t, called)
|
2018-08-14 01:51:56 +00:00
|
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code)
|
2017-08-04 05:45:59 +00:00
|
|
|
assert.Equal(t, "Basic realm=\"My Custom \\\"Realm\\\"\"", w.HeaderMap.Get("WWW-Authenticate"))
|
2015-03-04 22:38:17 +00:00
|
|
|
}
|