diff --git a/internal/acl/acl_test.go b/internal/acl/acl_test.go
index 8d44176dd..757afa41c 100644
--- a/internal/acl/acl_test.go
+++ b/internal/acl/acl_test.go
@@ -25,6 +25,12 @@ func TestACL_Allow(t *testing.T) {
 	t.Run("ResourceAlbumsRoleVisitorActionDefault", func(t *testing.T) {
 		assert.False(t, Resources.Allow(ResourceAlbums, RoleVisitor, FullAccess))
 	})
+	t.Run("WrongResourceRoleAdminActionDefault", func(t *testing.T) {
+		assert.True(t, Resources.Allow("wrong", RoleAdmin, FullAccess))
+	})
+	t.Run("WrongResourceRoleVisitorActionDefault", func(t *testing.T) {
+		assert.False(t, Resources.Allow("wrong", RoleVisitor, FullAccess))
+	})
 }
 
 func TestACL_AllowAny(t *testing.T) {
@@ -105,3 +111,12 @@ func TestACL_Deny(t *testing.T) {
 		assert.True(t, Resources.Deny(ResourceAlbums, RoleVisitor, FullAccess))
 	})
 }
+
+func TestACL_DenyAll(t *testing.T) {
+	t.Run("ResourceFilesRoleVisitorActionDefault", func(t *testing.T) {
+		assert.True(t, Resources.DenyAll(ResourceFiles, RoleVisitor, Permissions{FullAccess, AccessShared, ActionView}))
+	})
+	t.Run("ResourceFilesRoleAdminActionDefault", func(t *testing.T) {
+		assert.False(t, Resources.DenyAll(ResourceFiles, RoleAdmin, Permissions{FullAccess, AccessShared, ActionView}))
+	})
+}
diff --git a/internal/api/oauth_test.go b/internal/api/oauth_test.go
index 8dbdd6c50..c9a481ff0 100644
--- a/internal/api/oauth_test.go
+++ b/internal/api/oauth_test.go
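Review bot: The two new `"wrong"` cases pin that an unknown resource name falls back to admin-allowed / visitor-denied, but nothing in the test says this fallback is intentional, so a later change that makes unknown resources fail closed for everyone (or fail open for everyone) would surface only as a puzzling assertion failure. Add a comment above the first case, `// Unknown resource names fall back to the default resource rules: admin keeps full access, visitor gets nothing.`, and, if the package defines a role between visitor and admin, a third case for it so the fallback is shown not to widen access for ordinary roles. TestACL_Allow starts outside the hunk.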
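Review bot: `TestACL_DenyAll` only checks the two extremes, a role denied all three permissions and a role granted all three, so it passes whether `DenyAll` means "every listed permission is denied" or "at least one is denied"; a case where the role holds only some of `FullAccess`, `AccessShared`, `ActionView` (if such a role/resource pair exists in the fixtures) is what distinguishes it from `Deny`. It would also be worth pinning the empty-list result, e.g. `assert.True(t, Resources.DenyAll(ResourceFiles, RoleAdmin, Permissions{}))` with whichever value the implementation intends, since callers that assemble the permission list dynamically will hit that path and an empty list should not silently become a grant.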
@@ -35,4 +35,129 @@ func TestCreateOauthToken(t *testing.T) {
 		t.Logf("BODY: %s", w.Body.String())
 		assert.Equal(t, http.StatusOK, w.Code)
 	})
+
+	t.Run("InvalidClientID", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		CreateOauthToken(router)
+
+		var method = "POST"
+		var path = "/api/v1/oauth/token"
+
+		data := url.Values{
+			"grant_type":    {"client_credentials"},
+			"client_id":     {"123"},
+			"client_secret": {"xcCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e"},
+			"scope":         {"metrics"},
+		}
+
+		req, _ := http.NewRequest(method, path, strings.NewReader(data.Encode()))
+		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+		w := httptest.NewRecorder()
+		app.ServeHTTP(w, req)
+
+		t.Logf("Header: %s", w.Header())
+		t.Logf("BODY: %s", w.Body.String())
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
+
+	t.Run("WrongClient", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		CreateOauthToken(router)
+
+		var method = "POST"
+		var path = "/api/v1/oauth/token"
+
+		data := url.Values{
+			"grant_type":    {"client_credentials"},
+			"client_id":     {"cs5cpu17n6gj2yy6"},
+			"client_secret": {"xcCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e"},
+			"scope":         {"metrics"},
+		}
+
+		req, _ := http.NewRequest(method, path, strings.NewReader(data.Encode()))
+		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+		w := httptest.NewRecorder()
+		app.ServeHTTP(w, req)
+
+		t.Logf("Header: %s", w.Header())
+		t.Logf("BODY: %s", w.Body.String())
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
+
+	t.Run("WrongSecret", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		CreateOauthToken(router)
+
+		var method = "POST"
+		var path = "/api/v1/oauth/token"
+
+		data := url.Values{
+			"grant_type":    {"client_credentials"},
+			"client_id":     {"cs5cpu17n6gj2qo5"},
+			"client_secret": {"xcCbOrw6I0vcoXzhnOmXhjpVSyFq0l0f"},
+			"scope":         {"metrics"},
+		}
+
+		req, _ := http.NewRequest(method, path, strings.NewReader(data.Encode()))
+		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+		w := httptest.NewRecorder()
+		app.ServeHTTP(w, req)
+
+		t.Logf("Header: %s", w.Header())
+		t.Logf("BODY: %s", w.Body.String())
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
+
+	t.Run("AuthNotEnabled", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		CreateOauthToken(router)
+
+		var method = "POST"
+		var path = "/api/v1/oauth/token"
+
+		data := url.Values{
+			"grant_type":    {"client_credentials"},
+			"client_id":     {"cs5gfsvbd7ejzn8m"},
+			"client_secret": {"aaCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e"},
+			"scope":         {"metrics"},
+		}
+
+		req, _ := http.NewRequest(method, path, strings.NewReader(data.Encode()))
+		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+		w := httptest.NewRecorder()
+		app.ServeHTTP(w, req)
+
+		t.Logf("Header: %s", w.Header())
+		t.Logf("BODY: %s", w.Body.String())
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
+
+	t.Run("UnknownAuthMethod", func(t *testing.T) {
+		app, router, _ := NewApiTest()
+		CreateOauthToken(router)
+
+		var method = "POST"
+		var path = "/api/v1/oauth/token"
+
+		data := url.Values{
+			"grant_type":    {"client_credentials"},
+			"client_id":     {"cs5cpu17n6gj2jh6"},
+			"client_secret": {"aaCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e"},
+			"scope":         {"*"},
+		}
+
+		req, _ := http.NewRequest(method, path, strings.NewReader(data.Encode()))
+		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+		w := httptest.NewRecorder()
+		app.ServeHTTP(w, req)
+
+		t.Logf("Header: %s", w.Header())
+		t.Logf("BODY: %s", w.Body.String())
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
 }
diff --git a/internal/entity/auth_client_fixtures.go b/internal/entity/auth_client_fixtures.go
index 71b00bf26..653cb378d 100644
--- a/internal/entity/auth_client_fixtures.go
+++ b/internal/entity/auth_client_fixtures.go
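Review bot: `AuthNotEnabled` and `UnknownAuthMethod` post the secret `aaCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e`, and nothing in the diff shows that this is the stored secret of fixtures `cs5gfsvbd7ejzn8m` and `cs5cpu17n6gj2jh6` (the fixture hunk below carries no secret field), so the 401 these cases assert may come from the secret comparison rather than from the disabled-client or unknown-method guard they are named for; using each fixture's real secret, or asserting on the error body as well as `w.Code`, would make each case prove its own guard. Separately, the body is logged but never checked: for `InvalidClientID`, `WrongClient` and `WrongSecret` the token endpoint should return one generic client-authentication error, and asserting those three bodies are equal guards against enumerating valid client IDs from the error text. The five copies differ only in `client_id`, `client_secret` and `scope`, so a table-driven loop keeps the request code in one place and makes that comparison a few lines. TestCreateOauthToken starts outside the hunk.
```go
	unauthorized := []struct {
		name, clientID, secret, scope string
	}{
		{"InvalidClientID", "123", "xcCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e", "metrics"},
		{"WrongClient", "cs5cpu17n6gj2yy6", "xcCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e", "metrics"},
		{"WrongSecret", "cs5cpu17n6gj2qo5", "xcCbOrw6I0vcoXzhnOmXhjpVSyFq0l0f", "metrics"},
		// TODO(review): confirm the secret below is the one stored for these fixtures,
		// otherwise these two cases only exercise the secret check.
		{"AuthNotEnabled", "cs5gfsvbd7ejzn8m", "aaCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e", "metrics"},
		{"UnknownAuthMethod", "cs5cpu17n6gj2jh6", "aaCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e", "*"},
	}

	bodies := make(map[string]string, len(unauthorized))

	for _, tc := range unauthorized {
		t.Run(tc.name, func(t *testing.T) {
			app, router, _ := NewApiTest()
			CreateOauthToken(router)

			data := url.Values{
				"grant_type":    {"client_credentials"},
				"client_id":     {tc.clientID},
				"client_secret": {tc.secret},
				"scope":         {tc.scope},
			}

			// … unchanged: build the POST to /api/v1/oauth/token, serve it into w, log header and body …

			assert.Equal(t, http.StatusUnauthorized, w.Code)
			bodies[tc.name] = w.Body.String()
		})
	}

	// A bad client ID and a bad secret must be indistinguishable to the caller,
	// otherwise valid client IDs can be enumerated from the error response.
	assert.Equal(t, bodies["InvalidClientID"], bodies["WrongClient"])
	assert.Equal(t, bodies["InvalidClientID"], bodies["WrongSecret"])
```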
@@ -69,6 +69,22 @@ var ClientFixtures = ClientMap{
 		AuthEnabled: true,
 		LastActive:  0,
 	},
+	"Unknown": {
+		ClientUID:   "cs5cpu17n6gj2jh6",
+		UserUID:     "",
+		UserName:    "",
+		user:        nil,
+		ClientName:  "Unknown",
+		ClientType:  authn.ClientUnknown,
+		ClientURL:   "",
+		CallbackURL: "",
+		AuthMethod:  authn.MethodUnknown.String(),
+		AuthScope:   "*",
+		AuthExpires: UnixHour,
+		AuthTokens:  2,
+		AuthEnabled: true,
+		LastActive:  0,
+	},
 }
 
 // CreateClientFixtures inserts known entities into the database for testing.
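Review bot: The new `"Unknown"` fixture is enabled (`AuthEnabled: true`) with wildcard scope (`AuthScope: "*"`) and an auth method of `authn.MethodUnknown`, which reads like a misconfigured live client rather than deliberate test data unless the intent is written down; a comment above the entry, `// Enabled client with an unrecognised auth method and "*" scope: the token endpoint must refuse it regardless of scope or secret.`, would stop someone from "fixing" the method and turning it into a usable wildcard client. The entry also carries no secret in this hunk, so wherever the secret is attached (presumably in `CreateClientFixtures` or a companion fixture, not visible here), that value is what decides whether the `UnknownAuthMethod` API test exercises the method check or only the secret check. The `ClientFixtures` map starts outside the hunk.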