gin/auth_test.go

// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
// Use of this source code is governed by a MIT style
// license that can be found in the LICENSE file.

package gin

import (
	"encoding/base64"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestBasicAuth(t *testing.T) {
	pairs := processAccounts(Accounts{
		"admin": "password",
		"foo":   "bar",
		"bar":   "foo",
	})

	assert.Len(t, pairs, 3)
	assert.Contains(t, pairs, authPair{
		user:  "bar",
		value: "Basic YmFyOmZvbw==",
	})
	assert.Contains(t, pairs, authPair{
		user:  "foo",
		value: "Basic Zm9vOmJhcg==",
	})
	assert.Contains(t, pairs, authPair{
		user:  "admin",
		value: "Basic YWRtaW46cGFzc3dvcmQ=",
	})
}

func TestBasicAuthFails(t *testing.T) {
	assert.Panics(t, func() { processAccounts(nil) })
	assert.Panics(t, func() {
		processAccounts(Accounts{
			"":    "password",
			"foo": "bar",
		})
	})
}

func TestBasicAuthSearchCredential(t *testing.T) {
	pairs := processAccounts(Accounts{
		"admin": "password",
		"foo":   "bar",
		"bar":   "foo",
	})

	user, found := pairs.searchCredential(authorizationHeader("admin", "password"))
	assert.Equal(t, "admin", user)
	assert.True(t, found)

	user, found = pairs.searchCredential(authorizationHeader("foo", "bar"))
	assert.Equal(t, "foo", user)
	assert.True(t, found)

	user, found = pairs.searchCredential(authorizationHeader("bar", "foo"))
	assert.Equal(t, "bar", user)
	assert.True(t, found)

	user, found = pairs.searchCredential(authorizationHeader("admins", "password"))
	assert.Empty(t, user)
	assert.False(t, found)

	user, found = pairs.searchCredential(authorizationHeader("foo", "bar "))
	assert.Empty(t, user)
	assert.False(t, found)

	user, found = pairs.searchCredential("")
	assert.Empty(t, user)
	assert.False(t, found)
}

func TestBasicAuthAuthorizationHeader(t *testing.T) {
	assert.Equal(t, "Basic YWRtaW46cGFzc3dvcmQ=", authorizationHeader("admin", "password"))
}

func TestBasicAuthSucceed(t *testing.T) {
	accounts := Accounts{"admin": "password"}
	router := New()
	router.Use(BasicAuth(accounts))
	router.GET("/login", func(c *Context) {
		c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))
	})

	w := httptest.NewRecorder()
	req, _ := http.NewRequest("GET", "/login", nil)
	req.Header.Set("Authorization", authorizationHeader("admin", "password"))
	router.ServeHTTP(w, req)

	assert.Equal(t, http.StatusOK, w.Code)
	assert.Equal(t, "admin", w.Body.String())
}

func TestBasicAuth401(t *testing.T) {
	called := false
	accounts := Accounts{"foo": "bar"}
	router := New()
	router.Use(BasicAuth(accounts))
	router.GET("/login", func(c *Context) {
		called = true
		c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))
	})

	w := httptest.NewRecorder()
	req, _ := http.NewRequest("GET", "/login", nil)
	req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))
	router.ServeHTTP(w, req)

	assert.False(t, called)
	assert.Equal(t, http.StatusUnauthorized, w.Code)
	assert.Equal(t, "Basic realm=\"Authorization Required\"", w.Header().Get("WWW-Authenticate"))
}

func TestBasicAuth401WithCustomRealm(t *testing.T) {
	called := false
	accounts := Accounts{"foo": "bar"}
	router := New()
	router.Use(BasicAuthForRealm(accounts, "My Custom \"Realm\""))
	router.GET("/login", func(c *Context) {
		called = true
		c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))
	})

	w := httptest.NewRecorder()
	req, _ := http.NewRequest("GET", "/login", nil)
	req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))
	router.ServeHTTP(w, req)

	assert.False(t, called)
	assert.Equal(t, http.StatusUnauthorized, w.Code)
	assert.Equal(t, "Basic realm=\"My Custom \\\"Realm\\\"\"", w.Header().Get("WWW-Authenticate"))
}

func TestBasicAuthForProxySucceed(t *testing.T) {
	accounts := Accounts{"admin": "password"}
	router := New()
	router.Use(BasicAuthForProxy(accounts, ""))
	router.Any("/*proxyPath", func(c *Context) {
		c.String(http.StatusOK, c.MustGet(AuthProxyUserKey).(string))
	})

	w := httptest.NewRecorder()
	req, _ := http.NewRequest("GET", "/test", nil)
	req.Header.Set("Proxy-Authorization", authorizationHeader("admin", "password"))
	router.ServeHTTP(w, req)

	assert.Equal(t, http.StatusOK, w.Code)
	assert.Equal(t, "admin", w.Body.String())
}

func TestBasicAuthForProxy407(t *testing.T) {
	called := false
	accounts := Accounts{"foo": "bar"}
	router := New()
	router.Use(BasicAuthForProxy(accounts, ""))
	router.Any("/*proxyPath", func(c *Context) {
		called = true
		c.String(http.StatusOK, c.MustGet(AuthProxyUserKey).(string))
	})

	w := httptest.NewRecorder()
	req, _ := http.NewRequest("GET", "/test", nil)
	req.Header.Set("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))
	router.ServeHTTP(w, req)

	assert.False(t, called)
	assert.Equal(t, http.StatusProxyAuthRequired, w.Code)
	assert.Equal(t, "Basic realm=\"Proxy Authorization Required\"", w.Header().Get("Proxy-Authenticate"))
}
chore: update go.mod and remove space from copyright (#3158) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-05-28 05:42:28 +03:00			`// Copyright 2014 Manu Martinez-Almeida. All rights reserved.`
Adds in-code license 2014-08-29 21:49:50 +04:00			`// Use of this source code is governed by a MIT style`
			`// license that can be found in the LICENSE file.`

Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`package gin`

			`import (`
			`"encoding/base64"`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00
			`"github.com/stretchr/testify/assert"`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`)`

Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`func TestBasicAuth(t *testing.T) {`
Fixes auth test 2015-05-19 23:19:25 +03:00			`pairs := processAccounts(Accounts{`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`"admin": "password",`
			`"foo": "bar",`
			`"bar": "foo",`
Fixes auth test 2015-05-19 23:19:25 +03:00			`})`

			`assert.Len(t, pairs, 3)`
			`assert.Contains(t, pairs, authPair{`
use lower if the struct is private (#1185) 2017-12-17 08:02:33 +03:00			`user: "bar",`
			`value: "Basic YmFyOmZvbw==",`
Fixes auth test 2015-05-19 23:19:25 +03:00			`})`
			`assert.Contains(t, pairs, authPair{`
use lower if the struct is private (#1185) 2017-12-17 08:02:33 +03:00			`user: "foo",`
			`value: "Basic Zm9vOmJhcg==",`
Fixes auth test 2015-05-19 23:19:25 +03:00			`})`
			`assert.Contains(t, pairs, authPair{`
use lower if the struct is private (#1185) 2017-12-17 08:02:33 +03:00			`user: "admin",`
			`value: "Basic YWRtaW46cGFzc3dvcmQ=",`
Fixes auth test 2015-05-19 23:19:25 +03:00			`})`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`}`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`func TestBasicAuthFails(t *testing.T) {`
			`assert.Panics(t, func() { processAccounts(nil) })`
			`assert.Panics(t, func() {`
			`processAccounts(Accounts{`
			`"": "password",`
			`"foo": "bar",`
			`})`
			`})`
			`}`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`func TestBasicAuthSearchCredential(t *testing.T) {`
			`pairs := processAccounts(Accounts{`
			`"admin": "password",`
			`"foo": "bar",`
			`"bar": "foo",`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`})`

Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`user, found := pairs.searchCredential(authorizationHeader("admin", "password"))`
refactor(test): unify assert.Equal usage (#1054) 2017-08-04 08:45:59 +03:00			`assert.Equal(t, "admin", user)`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`assert.True(t, found)`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`user, found = pairs.searchCredential(authorizationHeader("foo", "bar"))`
refactor(test): unify assert.Equal usage (#1054) 2017-08-04 08:45:59 +03:00			`assert.Equal(t, "foo", user)`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`assert.True(t, found)`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`user, found = pairs.searchCredential(authorizationHeader("bar", "foo"))`
refactor(test): unify assert.Equal usage (#1054) 2017-08-04 08:45:59 +03:00			`assert.Equal(t, "bar", user)`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`assert.True(t, found)`

			`user, found = pairs.searchCredential(authorizationHeader("admins", "password"))`
			`assert.Empty(t, user)`
			`assert.False(t, found)`

			`user, found = pairs.searchCredential(authorizationHeader("foo", "bar "))`
			`assert.Empty(t, user)`
			`assert.False(t, found)`
Tons of unit tests 2015-04-09 13:15:02 +03:00
			`user, found = pairs.searchCredential("")`
			`assert.Empty(t, user)`
			`assert.False(t, found)`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`}`

Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`func TestBasicAuthAuthorizationHeader(t *testing.T) {`
refactor(test): unify assert.Equal usage (#1054) 2017-08-04 08:45:59 +03:00			`assert.Equal(t, "Basic YWRtaW46cGFzc3dvcmQ=", authorizationHeader("admin", "password"))`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`}`

			`func TestBasicAuthSucceed(t *testing.T) {`
			`accounts := Accounts{"admin": "password"}`
			`router := New()`
			`router.Use(BasicAuth(accounts))`
			`router.GET("/login", func(c *Context) {`
chore: use http.Status* instead of hard code (#1482) 2018-08-14 04:51:56 +03:00			`c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`})`

Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`w := httptest.NewRecorder()`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`req, _ := http.NewRequest("GET", "/login", nil)`
			`req.Header.Set("Authorization", authorizationHeader("admin", "password"))`
			`router.ServeHTTP(w, req)`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00
chore: use http.Status* instead of hard code (#1482) 2018-08-14 04:51:56 +03:00			`assert.Equal(t, http.StatusOK, w.Code)`
refactor(test): unify assert.Equal usage (#1054) 2017-08-04 08:45:59 +03:00			`assert.Equal(t, "admin", w.Body.String())`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`}`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`func TestBasicAuth401(t *testing.T) {`
			`called := false`
			`accounts := Accounts{"foo": "bar"}`
			`router := New()`
			`router.Use(BasicAuth(accounts))`
			`router.GET("/login", func(c *Context) {`
			`called = true`
chore: use http.Status* instead of hard code (#1482) 2018-08-14 04:51:56 +03:00			`c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`})`

Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`w := httptest.NewRecorder()`
			`req, _ := http.NewRequest("GET", "/login", nil)`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`router.ServeHTTP(w, req)`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`assert.False(t, called)`
chore: use http.Status* instead of hard code (#1482) 2018-08-14 04:51:56 +03:00			`assert.Equal(t, http.StatusUnauthorized, w.Code)`
replace deprecated HeaderMap with Header() (#1585) 2018-10-12 02:31:31 +03:00			`assert.Equal(t, "Basic realm=\"Authorization Required\"", w.Header().Get("WWW-Authenticate"))`
Added tests for basic auth. 2014-08-12 13:32:06 +04:00			`}`
Added test for custom realm 2015-03-05 01:38:17 +03:00
			`func TestBasicAuth401WithCustomRealm(t *testing.T) {`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`called := false`
Added test for custom realm 2015-03-05 01:38:17 +03:00			`accounts := Accounts{"foo": "bar"}`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`router := New()`
Fixes important bug in Basic Auth when using custom realm. 2015-05-19 21:15:28 +03:00			`router.Use(BasicAuthForRealm(accounts, "My Custom \"Realm\""))`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`router.GET("/login", func(c *Context) {`
			`called = true`
chore: use http.Status* instead of hard code (#1482) 2018-08-14 04:51:56 +03:00			`c.String(http.StatusOK, c.MustGet(AuthUserKey).(string))`
Added test for custom realm 2015-03-05 01:38:17 +03:00			`})`

Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`w := httptest.NewRecorder()`
			`req, _ := http.NewRequest("GET", "/login", nil)`
Added test for custom realm 2015-03-05 01:38:17 +03:00			`req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))`
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`router.ServeHTTP(w, req)`
Added test for custom realm 2015-03-05 01:38:17 +03:00
Better unit tests for BasicAuth middleware 2015-04-08 16:17:41 +03:00			`assert.False(t, called)`
chore: use http.Status* instead of hard code (#1482) 2018-08-14 04:51:56 +03:00			`assert.Equal(t, http.StatusUnauthorized, w.Code)`
replace deprecated HeaderMap with Header() (#1585) 2018-10-12 02:31:31 +03:00			`assert.Equal(t, "Basic realm=\"My Custom \\\"Realm\\\"\"", w.Header().Get("WWW-Authenticate"))`
Added test for custom realm 2015-03-05 01:38:17 +03:00			`}`
feat(auth): add proxy-server authentication (#3877) 2024-03-11 17:22:58 +03:00
			`func TestBasicAuthForProxySucceed(t *testing.T) {`
			`accounts := Accounts{"admin": "password"}`
			`router := New()`
			`router.Use(BasicAuthForProxy(accounts, ""))`
			`router.Any("/proxyPath", func(c Context) {`
			`c.String(http.StatusOK, c.MustGet(AuthProxyUserKey).(string))`
			`})`

			`w := httptest.NewRecorder()`
			`req, _ := http.NewRequest("GET", "/test", nil)`
			`req.Header.Set("Proxy-Authorization", authorizationHeader("admin", "password"))`
			`router.ServeHTTP(w, req)`

			`assert.Equal(t, http.StatusOK, w.Code)`
			`assert.Equal(t, "admin", w.Body.String())`
			`}`

			`func TestBasicAuthForProxy407(t *testing.T) {`
			`called := false`
			`accounts := Accounts{"foo": "bar"}`
			`router := New()`
			`router.Use(BasicAuthForProxy(accounts, ""))`
			`router.Any("/proxyPath", func(c Context) {`
			`called = true`
			`c.String(http.StatusOK, c.MustGet(AuthProxyUserKey).(string))`
			`})`

			`w := httptest.NewRecorder()`
			`req, _ := http.NewRequest("GET", "/test", nil)`
			`req.Header.Set("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("admin:password")))`
			`router.ServeHTTP(w, req)`

			`assert.False(t, called)`
			`assert.Equal(t, http.StatusProxyAuthRequired, w.Code)`
			`assert.Equal(t, "Basic realm=\"Proxy Authorization Required\"", w.Header().Get("Proxy-Authenticate"))`
			`}`