broker: Test refreshing of groups
adombeck committed Nov 18, 2024
1 parent 14cf192 commit 0ebefc3
Showing 11 changed files with 69 additions and 7 deletions.
57 changes: 50 additions & 7 deletions internal/broker/broker_test.go
Expand Up @@ -375,14 +375,16 @@ func TestIsAuthenticated(t *testing.T) {
correctPassword := "password"

tests := map[string]struct {
sessionMode string
username string
sessionMode string
sessionOffline bool
username string

firstMode string
firstChallenge string
firstAuthInfo map[string]any
badFirstKey bool
getUserInfoFails bool
firstMode string
firstChallenge string
firstAuthInfo map[string]any
badFirstKey bool
getUserInfoFails bool
groupsReturnedByProvider []info.Group

customHandlers map[string]testutils.EndpointHandler
address string
Expand All @@ -395,6 +397,7 @@ func TestIsAuthenticated(t *testing.T) {
invalidAuthData bool
dontWaitForFirstCall bool
readOnlyDataDir bool
wantGroups []info.Group
}{
"Successfully_authenticate_user_with_device_auth_and_newpassword": {firstChallenge: "-", wantSecondCall: true},
"Successfully_authenticate_user_with_password": {firstMode: authmodes.Password, token: &tokenOptions{}},
Expand Down Expand Up @@ -423,6 +426,24 @@ func TestIsAuthenticated(t *testing.T) {
},
address: "127.0.0.1:31313",
},
"Authenticating_with_password_refreshes_groups": {
firstMode: authmodes.Password,
token: &tokenOptions{},
groupsReturnedByProvider: []info.Group{{Name: "refreshed-group"}},
wantGroups: []info.Group{{Name: "refreshed-group"}},
},
"Authenticating_with_password_keeps_old_groups_if_fetching_user_info_fails": {
firstMode: authmodes.Password,
token: &tokenOptions{groups: []info.Group{{Name: "old-group"}}},
getUserInfoFails: true,
wantGroups: []info.Group{{Name: "old-group"}},
},
"Authenticating_with_password_keeps_old_groups_if_session_is_offline": {
firstMode: authmodes.Password,
token: &tokenOptions{groups: []info.Group{{Name: "old-group"}}},
sessionOffline: true,
wantGroups: []info.Group{{Name: "old-group"}},
},

"Error_when_authentication_data_is_invalid": {invalidAuthData: true},
"Error_when_challenge_can_not_be_decrypted": {firstMode: authmodes.Password, badFirstKey: true},
Expand Down Expand Up @@ -501,6 +522,12 @@ func TestIsAuthenticated(t *testing.T) {
tc.sessionMode = "auth"
}

if tc.sessionOffline {
tc.customHandlers = map[string]testutils.EndpointHandler{
"/.well-known/openid-configuration": testutils.UnavailableHandler(),
}
}

outDir := t.TempDir()
dataDir := filepath.Join(outDir, "data")

Expand All @@ -518,6 +545,11 @@ func TestIsAuthenticated(t *testing.T) {
cfg.customHandlers = tc.customHandlers
cfg.listenAddress = tc.address
}
if tc.groupsReturnedByProvider != nil {
cfg.getGroupsFunc = func() ([]info.Group, error) {
return tc.groupsReturnedByProvider, nil
}
}
b := newBrokerForTests(t, cfg)

sessionID, key := newSessionForTests(t, b, tc.username, tc.sessionMode)
Expand Down Expand Up @@ -581,6 +613,17 @@ func TestIsAuthenticated(t *testing.T) {

err = os.WriteFile(filepath.Join(outDir, "first_call"), out, 0600)
require.NoError(t, err, "Failed to write first response")

if tc.wantGroups != nil {
type userInfoMsgType struct {
UserInfo info.User `json:"userinfo"`
}
userInfoMsg := userInfoMsgType{}
err = json.Unmarshal([]byte(data), &userInfoMsg)
require.NoError(t, err, "Failed to unmarshal user info message")
userInfo := userInfoMsg.UserInfo
require.ElementsMatch(t, tc.wantGroups, userInfo.Groups, "Groups should match")
}
}()

if !tc.dontWaitForFirstCall {
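Review bot: The `sessionOffline` branch added before `outDir := t.TempDir()` assigns `tc.customHandlers` outright, so any case that sets both `sessionOffline` and its own `customHandlers` would silently lose the latter; merging into the existing map avoids that: `if tc.customHandlers == nil { tc.customHandlers = map[string]testutils.EndpointHandler{} }` followed by `tc.customHandlers["/.well-known/openid-configuration"] = testutils.UnavailableHandler()`. None of the three new cases combine the two fields, so this is a latent trap rather than a failure today. The new table pins refresh and keep-on-failure but not revocation: a case with `groupsReturnedByProvider: []info.Group{}` and `wantGroups: []info.Group{}` would assert that a reachable provider returning no groups clears the cached ones instead of keeping them, which is the direction that matters for access control and is currently untested. TestIsAuthenticated starts and ends outside this section.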
4 changes: 4 additions & 0 deletions internal/broker/helper_test.go
Expand Up @@ -148,6 +148,7 @@ func generateAndStoreCachedInfo(t *testing.T, options tokenOptions, path string)
type tokenOptions struct {
username string
issuer string
groups []info.Group

expired bool
noRefreshToken bool
Expand Down Expand Up @@ -211,6 +212,9 @@ func generateCachedInfo(t *testing.T, options tokenOptions) *token.AuthCachedInf
{Name: "saved-local-group", UGID: ""},
},
}
if options.groups != nil {
tok.UserInfo.Groups = options.groups
}
}

if options.invalidClaims {
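Review bot: The new `groups` field on `tokenOptions` has nil-means-default semantics (`if options.groups != nil` in generateCachedInfo), so an explicitly empty slice replaces the saved groups while an unset field keeps them; that distinction is easy to miss when reading the test table and deserves a field comment: `// groups overrides the cached groups when non-nil; an empty slice clears them.`. The assignment also stores the caller's slice without copying, which is fine as long as test cases do not mutate it afterwards. generateCachedInfo continues outside this section.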
@@ -0,0 +1 @@
Definitely a hashed password
@@ -0,0 +1 @@
Definitely an encrypted token
@@ -0,0 +1,3 @@
access: granted
data: '{"userinfo":{"name":"test-user@email.com","uuid":"saved-user-id","dir":"/home/test-user@email.com","shell":"/usr/bin/bash","gecos":"test-user@email.com","groups":[{"name":"old-group","ugid":""}]}}'
err: <nil>
@@ -0,0 +1 @@
Definitely a hashed password
@@ -0,0 +1 @@
Definitely an encrypted token
@@ -0,0 +1,3 @@
access: granted
data: '{"userinfo":{"name":"test-user@email.com","uuid":"saved-user-id","dir":"/home/test-user@email.com","shell":"/usr/bin/bash","gecos":"test-user@email.com","groups":[{"name":"old-group","ugid":""}]}}'
err: <nil>
@@ -0,0 +1 @@
Definitely a hashed password
@@ -0,0 +1 @@
Definitely an encrypted token
@@ -0,0 +1,3 @@
access: granted
data: '{"userinfo":{"name":"test-user@email.com","uuid":"test-user-id","dir":"/home/test-user@email.com","shell":"/usr/bin/bash","gecos":"test-user@email.com","groups":[{"name":"refreshed-group","ugid":""}]}}'
err: <nil>
