| author | Amir Zarrinkafsh <nightah@me.com> | 2021-01-16 21:05:41 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-16 21:05:41 +1100 |
| commit | 81e34d84de55b34e2734731b8aab6ad7dd188e57 (patch) | |
| tree | 109e25edeb296bb38123188486820dd932f0c626 /internal/configuration/validator/access_control_test.go | |
| parent | 57c339bb963d59a347a1de9c51af51ad7e906eaf (diff) | |
[MISC] Validate all sections of ACLs on startup (#1595)
* [MISC] Validate all sections of ACLs on startup
This change ensure that all sections of the `access_control` key are validated on startup.
* Change error format to clearly identify values
Diffstat (limited to 'internal/configuration/validator/access_control_test.go')
| -rw-r--r-- | internal/configuration/validator/access_control_test.go | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/internal/configuration/validator/access_control_test.go b/internal/configuration/validator/access_control_test.go
new file mode 100644
index 000000000..34bf057ac
--- /dev/null
+++ b/internal/configuration/validator/access_control_test.go
@@ -0,0 +1,139 @@
+package validator
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/suite"
+
+ "github.com/authelia/authelia/internal/configuration/schema"
+)
+
+type AccessControl struct {
+ suite.Suite
+ configuration schema.AccessControlConfiguration
+ validator *schema.StructValidator
+}
+
+func (suite *AccessControl) SetupTest() {
+ suite.validator = schema.NewStructValidator()
+ suite.configuration.DefaultPolicy = denyPolicy
+ suite.configuration.Networks = schema.DefaultACLNetwork
+ suite.configuration.Rules = schema.DefaultACLRule
+}
+
+func (suite *AccessControl) TestShouldValidateCompleteConfiguration() {
+ ValidateAccessControl(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+}
+
+func (suite *AccessControl) TestShouldRaiseErrorInvalidDefaultPolicy() {
+ suite.configuration.DefaultPolicy = "invalid"
+
+ ValidateAccessControl(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "'default_policy' must either be 'deny', 'two_factor', 'one_factor' or 'bypass'")
+}
+
+func (suite *AccessControl) TestShouldRaiseErrorInvalidNetworkGroupNetwork() {
+ suite.configuration.Networks = []schema.ACLNetwork{
+ {
+ Name: []string{"internal"},
+ Networks: []string{"abc.def.ghi.jkl"},
+ },
+ }
+
+ ValidateAccessControl(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Network [abc.def.ghi.jkl] from network group: [internal] must be a valid IP or CIDR")
+}
+
+func (suite *AccessControl) TestShouldRaiseErrorNoRulesDefined() {
+ suite.configuration.Rules = []schema.ACLRule{{}}
+
+ ValidateRules(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 2)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "No access control rules have been defined")
+ suite.Assert().EqualError(suite.validator.Errors()[1], "Policy [] for domain: [] is invalid, a policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'")
+}
+
+func (suite *AccessControl) TestShouldRaiseErrorInvalidPolicy() {
+ suite.configuration.Rules = []schema.ACLRule{
+ {
+ Domains: []string{"public.example.com"},
+ Policy: "invalid",
+ },
+ }
+
+ ValidateRules(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Policy [invalid] for domain: [public.example.com] is invalid, a policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'")
+}
+
+func (suite *AccessControl) TestShouldRaiseErrorInvalidNetwork() {
+ suite.configuration.Rules = []schema.ACLRule{
+ {
+ Domains: []string{"public.example.com"},
+ Policy: "bypass",
+ Networks: []string{"abc.def.ghi.jkl/32"},
+ },
+ }
+
+ ValidateRules(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Network [abc.def.ghi.jkl/32] for domain: [public.example.com] is not a valid network or network group")
+}
+
+func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
+ suite.configuration.Rules = []schema.ACLRule{
+ {
+ Domains: []string{"public.example.com"},
+ Policy: "bypass",
+ Resources: []string{"^/(api.*"},
+ },
+ }
+
+ ValidateRules(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Resource [^/(api.*] for domain: [public.example.com] is invalid, error parsing regexp: missing closing ): `^/(api.*`")
+}
+
+func (suite *AccessControl) TestShouldRaiseErrorInvalidSubject() {
+ suite.configuration.Rules = []schema.ACLRule{
+ {
+ Domains: []string{"public.example.com"},
+ Policy: "bypass",
+ Subjects: [][]string{{"invalid"}},
+ },
+ }
+
+ ValidateRules(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Subject [invalid] for domain: [public.example.com] must start with 'user:' or 'group:'")
+}
+
+func TestAccessControl(t *testing.T) {
+ suite.Run(t, new(AccessControl))
+}
|
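Review bot: The rule-level tests from `TestShouldRaiseErrorNoRulesDefined` onward call `ValidateRules` directly, so they do not establish the property the commit message claims — that the rules section is validated on startup — only that `ValidateRules` rejects bad input when invoked; if `ValidateAccessControl` ever stopped delegating to it, none of these tests would fail and the malformed `bypass` rules they feed in could reach runtime unvalidated. I would drive each of them through the startup entry point, `ValidateAccessControl(suite.configuration, suite.validator)`, as the default-policy and network-group tests already do, keeping at most one direct `ValidateRules` call if its behaviour is meant to differ. `TestShouldRaiseErrorNoRulesDefined` also does not exercise the case its name describes: it sets `suite.configuration.Rules = []schema.ACLRule{{}}`, a single zero-value rule, and asserts two errors, which presumably means the validator reports "no rules" whenever the only rule has no domains — a separate test with `suite.configuration.Rules = nil` would pin the genuinely empty configuration, the one most likely to ship by accident. The file is added in full, so no definition in this hunk is cut off.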
