mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-02-18 00:17:39 +01:00
108 lines
3.1 KiB
Go
108 lines
3.1 KiB
Go
package api
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/rcourtman/pulse-go-rewrite/internal/config"
|
|
)
|
|
|
|
func TestProxyAuthNonAdminCannotResetLockout(t *testing.T) {
|
|
t.Setenv("PULSE_DATA_DIR", t.TempDir())
|
|
|
|
cfg := &config.Config{
|
|
ProxyAuthSecret: "proxy-secret",
|
|
ProxyAuthUserHeader: "X-Proxy-User",
|
|
ProxyAuthRoleHeader: "X-Proxy-Roles",
|
|
ProxyAuthAdminRole: "admin",
|
|
}
|
|
|
|
router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
|
|
|
|
body, err := json.Marshal(map[string]string{"identifier": "user1"})
|
|
if err != nil {
|
|
t.Fatalf("marshal body: %v", err)
|
|
}
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/api/security/reset-lockout", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
req.Header.Set("X-Proxy-Secret", "proxy-secret")
|
|
req.Header.Set("X-Proxy-User", "viewer")
|
|
req.Header.Set("X-Proxy-Roles", "viewer|user")
|
|
rec := httptest.NewRecorder()
|
|
|
|
router.Handler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusForbidden {
|
|
t.Fatalf("expected status %d, got %d (%s)", http.StatusForbidden, rec.Code, rec.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestProxyAuthAdminCanResetLockoutWithSettingsScope(t *testing.T) {
|
|
t.Setenv("PULSE_DATA_DIR", t.TempDir())
|
|
|
|
rawToken := "proxy-admin-token-123.12345678"
|
|
record, err := config.NewAPITokenRecord(rawToken, "admin-token", []string{config.ScopeSettingsWrite})
|
|
if err != nil {
|
|
t.Fatalf("new token record: %v", err)
|
|
}
|
|
|
|
cfg := &config.Config{
|
|
ProxyAuthSecret: "proxy-secret",
|
|
ProxyAuthUserHeader: "X-Proxy-User",
|
|
ProxyAuthRoleHeader: "X-Proxy-Roles",
|
|
ProxyAuthAdminRole: "admin",
|
|
APITokens: []config.APITokenRecord{*record},
|
|
}
|
|
cfg.SortAPITokens()
|
|
|
|
router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
|
|
|
|
body, err := json.Marshal(map[string]string{"identifier": "user1"})
|
|
if err != nil {
|
|
t.Fatalf("marshal body: %v", err)
|
|
}
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/api/security/reset-lockout", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
req.Header.Set("X-Proxy-Secret", "proxy-secret")
|
|
req.Header.Set("X-Proxy-User", "adminuser")
|
|
req.Header.Set("X-Proxy-Roles", "viewer|admin")
|
|
req.Header.Set("X-API-Token", rawToken)
|
|
rec := httptest.NewRecorder()
|
|
|
|
router.Handler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("expected status %d, got %d (%s)", http.StatusOK, rec.Code, rec.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestSecurityStatusAccessibleWithProxyAuth(t *testing.T) {
|
|
t.Setenv("PULSE_DATA_DIR", t.TempDir())
|
|
|
|
cfg := &config.Config{
|
|
ProxyAuthSecret: "proxy-secret",
|
|
ProxyAuthUserHeader: "X-Proxy-User",
|
|
ProxyAuthRoleHeader: "X-Proxy-Roles",
|
|
ProxyAuthAdminRole: "admin",
|
|
}
|
|
|
|
router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/security/status", nil)
|
|
req.Header.Set("X-Proxy-Secret", "proxy-secret")
|
|
req.Header.Set("X-Proxy-User", "viewer")
|
|
req.Header.Set("X-Proxy-Roles", "viewer|user")
|
|
rec := httptest.NewRecorder()
|
|
|
|
router.Handler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("expected status %d, got %d (%s)", http.StatusOK, rec.Code, rec.Body.String())
|
|
}
|
|
}
|