path: root/internal/configuration/validator/access_control_test.go
Diffstat (limited to 'internal/configuration/validator/access_control_test.go')
-rw-r--r--internal/configuration/validator/access_control_test.go146
1 files changed, 97 insertions, 49 deletions
diff --git a/internal/configuration/validator/access_control_test.go b/internal/configuration/validator/access_control_test.go
index ad38ec9a0..b288ab9ad 100644
--- a/internal/configuration/validator/access_control_test.go
+++ b/internal/configuration/validator/access_control_test.go
@@ -23,9 +23,7 @@ func (suite *AccessControl) SetupTest() {
suite.config = &schema.Configuration{
AccessControl: schema.AccessControl{
DefaultPolicy: policyDeny,
-
- Networks: schema.DefaultACLNetwork,
- Rules: schema.DefaultACLRule,
+ Rules: schema.DefaultACLRule,
},
}
}
@@ -73,22 +71,6 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidDefaultPolicy() {
suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: option 'default_policy' must be one of 'bypass', 'one_factor', 'two_factor', or 'deny' but it's configured as 'invalid'")
}
-func (suite *AccessControl) TestShouldRaiseErrorInvalidNetworkGroupNetwork() {
- suite.config.AccessControl.Networks = []schema.AccessControlNetwork{
- {
- Name: "internal",
- Networks: []string{"abc.def.ghi.jkl"},
- },
- }
-
- ValidateAccessControl(suite.config, suite.validator)
-
- suite.Assert().Len(suite.validator.Warnings(), 0)
- suite.Require().Len(suite.validator.Errors(), 1)
-
- suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: networks: network group 'internal' is invalid: the network 'abc.def.ghi.jkl' is not a valid IP or CIDR notation")
-}
-
func (suite *AccessControl) TestShouldRaiseWarningOnBadDomain() {
suite.config.AccessControl.Rules = []schema.AccessControlRule{
{
@@ -164,23 +146,6 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidPolicy() {
suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: rule #1 (domain 'public.example.com'): option 'policy' must be one of 'bypass', 'one_factor', 'two_factor', or 'deny' but it's configured as 'invalid'")
}
-func (suite *AccessControl) TestShouldRaiseErrorInvalidNetwork() {
- suite.config.AccessControl.Rules = []schema.AccessControlRule{
- {
- Domains: []string{"public.example.com"},
- Policy: "bypass",
- Networks: []string{"abc.def.ghi.jkl/32"},
- },
- }
-
- ValidateRules(suite.config, suite.validator)
-
- suite.Assert().Len(suite.validator.Warnings(), 0)
- suite.Require().Len(suite.validator.Errors(), 1)
-
- suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: rule #1 (domain 'public.example.com'): the network 'abc.def.ghi.jkl/32' is not a valid Group Name, IP, or CIDR notation")
-}
-
func (suite *AccessControl) TestShouldRaiseErrorInvalidMethod() {
suite.config.AccessControl.Rules = []schema.AccessControlRule{
{
@@ -231,10 +196,105 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidSubject() {
suite.Require().Len(suite.validator.Warnings(), 0)
suite.Require().Len(suite.validator.Errors(), 2)
- suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: rule #1 (domain 'public.example.com'): 'subject' option 'invalid' is invalid: must start with 'user:' or 'group:'")
+ suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: rule #1 (domain 'public.example.com'): 'subject' option 'invalid' is invalid: must start with 'user:', 'group:', or 'oauth2:client:'")
suite.Assert().EqualError(suite.validator.Errors()[1], fmt.Sprintf(errAccessControlRuleBypassPolicyInvalidWithSubjects, ruleDescriptor(1, suite.config.AccessControl.Rules[0])))
}
+func (suite *AccessControl) TestShouldValidateClientIDSubjectWithoutClient() {
+ domains := []string{"public.example.com"}
+ subjects := [][]string{{"oauth2:client:example"}}
+ suite.config.AccessControl.Rules = []schema.AccessControlRule{
+ {
+ Domains: domains,
+ Policy: "bypass",
+ Subjects: subjects,
+ },
+ }
+
+ ValidateRules(suite.config, suite.validator)
+
+ suite.Require().Len(suite.validator.Warnings(), 0)
+ suite.Require().Len(suite.validator.Errors(), 2)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: rule #1 (domain 'public.example.com'): option 'subject' with value 'oauth2:client:example' is invalid: the client id 'example' does not belong to a registered client")
+ suite.Assert().EqualError(suite.validator.Errors()[1], fmt.Sprintf(errAccessControlRuleBypassPolicyInvalidWithSubjects, ruleDescriptor(1, suite.config.AccessControl.Rules[0])))
+}
+
+func (suite *AccessControl) TestShouldValidateClientIDSubjectWithoutClientMatchingID() {
+ domains := []string{"public.example.com"}
+ subjects := [][]string{{"oauth2:client:example"}}
+ suite.config.IdentityProviders.OIDC = &schema.IdentityProvidersOpenIDConnect{
+ Clients: []schema.IdentityProvidersOpenIDConnectClient{
+ {
+ ID: "example2",
+ },
+ },
+ }
+ suite.config.AccessControl.Rules = []schema.AccessControlRule{
+ {
+ Domains: domains,
+ Policy: "bypass",
+ Subjects: subjects,
+ },
+ }
+
+ ValidateRules(suite.config, suite.validator)
+
+ suite.Require().Len(suite.validator.Warnings(), 0)
+ suite.Require().Len(suite.validator.Errors(), 2)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "access_control: rule #1 (domain 'public.example.com'): option 'subject' with value 'oauth2:client:example' is invalid: the client id 'example' does not belong to a registered client")
+ suite.Assert().EqualError(suite.validator.Errors()[1], fmt.Sprintf(errAccessControlRuleBypassPolicyInvalidWithSubjects, ruleDescriptor(1, suite.config.AccessControl.Rules[0])))
+}
+
+func (suite *AccessControl) TestShouldValidateClientIDSubject() {
+ domains := []string{"public.example.com"}
+ subjects := [][]string{{"oauth2:client:example"}}
+ suite.config.IdentityProviders.OIDC = &schema.IdentityProvidersOpenIDConnect{
+ Clients: []schema.IdentityProvidersOpenIDConnectClient{
+ {
+ ID: "example",
+ },
+ },
+ }
+ suite.config.AccessControl.Rules = []schema.AccessControlRule{
+ {
+ Domains: domains,
+ Policy: "one_factor",
+ Subjects: subjects,
+ },
+ }
+
+ ValidateRules(suite.config, suite.validator)
+
+ suite.Require().Len(suite.validator.Warnings(), 0)
+ suite.Require().Len(suite.validator.Errors(), 0)
+}
+
+func (suite *AccessControl) TestShouldValidateBasicSubject() {
+ domains := []string{"public.example.com"}
+ subjects := [][]string{{"user:example"}}
+ suite.config.IdentityProviders.OIDC = &schema.IdentityProvidersOpenIDConnect{
+ Clients: []schema.IdentityProvidersOpenIDConnectClient{
+ {
+ ID: "example",
+ },
+ },
+ }
+ suite.config.AccessControl.Rules = []schema.AccessControlRule{
+ {
+ Domains: domains,
+ Policy: "one_factor",
+ Subjects: subjects,
+ },
+ }
+
+ ValidateRules(suite.config, suite.validator)
+
+ suite.Require().Len(suite.validator.Warnings(), 0)
+ suite.Require().Len(suite.validator.Errors(), 0)
+}
+
func (suite *AccessControl) TestShouldRaiseErrorBypassWithSubjectDomainRegexGroup() {
suite.config.AccessControl.Rules = []schema.AccessControlRule{
{
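Review bot: The two error messages pinned for the same `subject` option have different shapes: the updated assertion at L74 reads `'subject' option 'invalid' is invalid: must start with …`, while the new assertions at L93 and L120 read `option 'subject' with value 'oauth2:client:example' is invalid: the client id …`. Since these strings fix the validator's wording, it would be worth settling on one form (the validator code is outside this hunk, so this is inferred from the expected strings only). The four new suite methods also repeat the same `domains`/`subjects` fixture and rule literal; a small helper or a table-driven test would keep them aligned if the message changes again. TestShouldValidateBasicSubject registers an OIDC client for a `user:` subject without saying why; a comment such as `// A registered client must not influence validation of non-client subjects.` would make the intent explicit.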
@@ -398,18 +458,6 @@ func TestAccessControl(t *testing.T) {
suite.Run(t, new(AccessControl))
}
-func TestShouldReturnCorrectResultsForValidNetworkGroups(t *testing.T) {
- config := schema.AccessControl{
- Networks: schema.DefaultACLNetwork,
- }
-
- validNetwork := IsNetworkGroupValid(config, "internal")
- invalidNetwork := IsNetworkGroupValid(config, loopback)
-
- assert.True(t, validNetwork)
- assert.False(t, invalidNetwork)
-}
-
func MustCompileRegexps(exps []string) (regexps []regexp.Regexp) {
regexps = make([]regexp.Regexp, len(exps))