path: root/internal/suites/scenario_backend_protection_test.go
blob: 95657fe840ec61b672647f219a911b2a7538a21e (plain)
package suites

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"testing"

	"github.com/stretchr/testify/suite"
	"github.com/valyala/fasthttp"
)

// WARNING: This scenario is intended to be used with TLS enabled in the Authelia backend.

// BackendProtectionScenario is a testify suite that sends requests to the backend
// API without any session and asserts on the status codes (and, for one endpoint,
// the body) the backend returns.
type BackendProtectionScenario struct {
	suite.Suite

	// client is shared by every request in the suite. SetupSuite configures it to
	// skip TLS certificate verification and to return redirects unfollowed.
	client *http.Client
}

// NewBackendProtectionScenario returns a zero-valued scenario. The HTTP client is
// not created here; SetupSuite populates it before the tests run.
func NewBackendProtectionScenario() *BackendProtectionScenario {
	scenario := new(BackendProtectionScenario)

	return scenario
}

// SetupSuite builds the HTTP client shared by all tests in the suite.
//
// Certificate verification is disabled on purpose for the test backend (see the
// nolint note), and redirects are not followed so the status code asserted is the
// one of the first response rather than of whatever the redirect target answers.
func (s *BackendProtectionScenario) SetupSuite() {
	tlsConfig := &tls.Config{InsecureSkipVerify: true} //nolint:gosec // Needs to be enabled in suites. Not used in production.

	stopAtFirstResponse := func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}

	s.client = &http.Client{
		Transport:     &http.Transport{TLSClientConfig: tlsConfig},
		CheckRedirect: stopAtFirstResponse,
	}
}

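// AssertRequestStatusCode sends a body-less request with the given method and URL
// and asserts that the backend answers with expectedStatusCode. It runs as a
// subtest named after the method and URL.
//
// Request construction and the round trip use Require instead of Assert: when
// either fails there is no response to inspect, and continuing would dereference a
// nil *http.Response. The response body is always closed so the connection can be
// reused by the shared client.
func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string, expectedStatusCode int) {
	s.Run(fmt.Sprintf("%s/%s", method, url), func() {
		req, err := http.NewRequest(method, url, nil)
		s.Require().NoError(err)

		res, err := s.client.Do(req)
		s.Require().NoError(err)

		defer res.Body.Close()

		s.Assert().Equal(expectedStatusCode, res.StatusCode)
	})
}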

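// AssertRequestStatusCodeBody sends a body-less request with the given method and
// URL and asserts that the backend answers with expectedStatusCode and that the
// response body is exactly body. It runs as a subtest named after the method and
// URL.
//
// As in AssertRequestStatusCode, a failed request construction or round trip stops
// the subtest via Require so a nil response is never dereferenced, and the response
// body is closed once it has been read.
func (s *BackendProtectionScenario) AssertRequestStatusCodeBody(method, url, body string, expectedStatusCode int) {
	s.Run(fmt.Sprintf("%s/%s", method, url), func() {
		req, err := http.NewRequest(method, url, nil)
		s.Require().NoError(err)

		res, err := s.client.Do(req)
		s.Require().NoError(err)

		defer res.Body.Close()

		s.Assert().Equal(expectedStatusCode, res.StatusCode)

		data, err := io.ReadAll(res.Body)
		s.Require().NoError(err)
		s.Assert().Equal(body, string(data))
	})
}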

// TestProtectionOfBackendEndpoints checks that, with no session, the protected API
// endpoints answer 403 for every listed method, and that deleting a session
// elevation answers 200 with a KO status body.
func (s *BackendProtectionScenario) TestProtectionOfBackendEndpoints() {
	forbidden := func(method, path string) {
		s.AssertRequestStatusCode(method, fmt.Sprintf("%s%s", AutheliaBaseURL, path), fasthttp.StatusForbidden)
	}

	// Endpoints and the methods expected to be rejected, in the order they are exercised.
	protected := []struct {
		path    string
		methods []string
	}{
		{"/api/secondfactor/totp", []string{fasthttp.MethodGet, fasthttp.MethodPost, fasthttp.MethodDelete}},
		{"/api/secondfactor/totp/register", []string{fasthttp.MethodGet, fasthttp.MethodPut, fasthttp.MethodPost, fasthttp.MethodDelete}},
		{"/api/secondfactor/webauthn", []string{fasthttp.MethodGet, fasthttp.MethodPost}},
		{"/api/secondfactor/webauthn/credentials", []string{fasthttp.MethodGet}},
		{"/api/secondfactor/webauthn/credential/register", []string{fasthttp.MethodPut, fasthttp.MethodPost}},
		{"/api/secondfactor/webauthn/credential/1", []string{fasthttp.MethodPut, fasthttp.MethodDelete}},
		{"/api/user/info/2fa_method", []string{fasthttp.MethodPost}},
		{"/api/user/info", []string{fasthttp.MethodGet}},
		{"/api/user/session/elevation", []string{fasthttp.MethodGet, fasthttp.MethodPost, fasthttp.MethodPut}},
	}

	for _, endpoint := range protected {
		for _, method := range endpoint.methods {
			forbidden(method, endpoint.path)
		}
	}

	// Deleting an elevation does not reject the request outright but reports a failed operation.
	s.AssertRequestStatusCodeBody(fasthttp.MethodDelete, fmt.Sprintf("%s/api/user/session/elevation/1", AutheliaBaseURL), `{"status":"KO","message":"Operation failed."}`, fasthttp.StatusOK)

	forbidden(fasthttp.MethodGet, "/api/configuration")
}

// TestInvalidEndpointsReturn404 checks that unknown API paths answer 404 for GET,
// HEAD and POST.
func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {
	methods := []string{fasthttp.MethodGet, fasthttp.MethodHead, fasthttp.MethodPost}

	for _, path := range []string{"/api/not_existing", "/api/not_existing/second"} {
		url := fmt.Sprintf("%s%s", AutheliaBaseURL, path)

		for _, method := range methods {
			s.AssertRequestStatusCode(method, url, fasthttp.StatusNotFound)
		}
	}
}

// TestInvalidEndpointsReturn405 checks that a known path answers 405 for a method
// it does not serve.
func (s *BackendProtectionScenario) TestInvalidEndpointsReturn405() {
	url := fmt.Sprintf("%s/api/configuration", AutheliaBaseURL)

	s.AssertRequestStatusCode(fasthttp.MethodPut, url, fasthttp.StatusMethodNotAllowed)
}

// TestRunBackendProtection is the go test entry point for the suite; it is skipped
// under -short since the suite needs a running backend.
func TestRunBackendProtection(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping suite test in short mode")
	}

	scenario := NewBackendProtectionScenario()

	suite.Run(t, scenario)
}