access: fix token permissions (#707)

* access: fix token permissions * add test
infrahq · Dec 1, 2021 · 66127aa · 66127aa
1 parent e323389
commit 66127aa
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/internal/access/access.go b/internal/access/access.go
@@ -63,7 +63,6 @@ func RequireAuthorization(c *gin.Context, require Permission) (*gorm.DB, string,
 			}
 		}
 
-		return db, authorization, nil
 	case data.APIKeyLength:
 		apiKey, err := data.GetAPIKey(db, &data.APIKey{Key: authorization})
 		if err != nil {

diff --git a/internal/access/access_test.go b/internal/access/access_test.go
@@ -93,6 +93,16 @@ func TestRequireAuthorization(t *testing.T) {
 				require.EqualError(t, err, "token invalid")
 			},
 		},
+		"TokenNoMatch": {
+			"permission": PermissionAPIKeyList,
+			"authFunc": func(t *testing.T, db *gorm.DB, c *gin.Context) {
+				authorization := issueToken(t, db, "existing@infrahq.com", "infra.user.read", time.Minute*1)
+				c.Set("authorization", authorization)
+			},
+			"verifyFunc": func(t *testing.T, err error) {
+				require.EqualError(t, err, "forbidden")
+			},
+		},
 		"TokenInvalidSecret": {
 			"permission": PermissionUserRead,
 			"authFunc": func(t *testing.T, db *gorm.DB, c *gin.Context) {
@@ -187,7 +197,7 @@ func TestRequireAuthorization(t *testing.T) {
 				require.NoError(t, err)
 			},
 		},
-		"APIKeyAuthorizedNoMatch": {
+		"APIKeyNoMatch": {
 			"permission": PermissionUserRead,
 			"authFunc": func(t *testing.T, db *gorm.DB, c *gin.Context) {
 				authorization := issueAPIKey(t, db, "infra.user.create infra.group.read")