1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package localdb
6
7 import (
8         "encoding/json"
9
10         "git.arvados.org/arvados.git/sdk/go/arvados"
11         check "gopkg.in/check.v1"
12 )
13
// loginSuite groups the login-related tests of this package. It has no
// fields, so no state is carried on the suite value itself.
type loginSuite struct{}

// Register the suite with gocheck at package initialization.
var _ = check.Suite(new(loginSuite))
17
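// TestValidateLoginRedirectTarget checks which post-login redirect
// targets validateLoginRedirectTarget accepts for a given combination
// of Workbench1/Workbench2 external URLs and one optional
// Login.TrustedClients entry. A trial with pass=true expects a nil
// error; pass=false expects the target to be rejected.
func (s *loginSuite) TestValidateLoginRedirectTarget(c *check.C) {
	for _, trial := range []struct {
		pass    bool   // true if the target must be accepted
		wb1     string // Services.Workbench1.ExternalURL as written in config
		wb2     string // Services.Workbench2.ExternalURL as written in config
		trusted string // single Login.TrustedClients key, or "" for none
		target  string // redirect target under test
	}{
		// Workbench URLs: an explicit default port (443 for
		// https, 80 for http) and a missing trailing slash are
		// expected to match the same target.
		{true, "https://wb1.example/", "https://wb2.example/", "", "https://wb2.example/"},
		{true, "https://wb1.example:443/", "https://wb2.example:443/", "", "https://wb2.example/"},
		{true, "https://wb1.example:443/", "https://wb2.example:443/", "", "https://wb2.example"},
		{true, "https://wb1.example:443", "https://wb2.example:443", "", "https://wb2.example/"},
		{true, "http://wb1.example:80/", "http://wb2.example:80/", "", "http://wb2.example/"},
		// A non-default port in the configured URL must not
		// match a target without that port, and a subdomain of
		// a Workbench host is not implicitly allowed.
		{false, "https://wb1.example:80/", "https://wb2.example:80/", "", "https://wb2.example/"},
		{false, "https://wb1.example:1234/", "https://wb2.example:1234/", "", "https://wb2.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "", "https://bad.wb2.example/"},
		// Exact TrustedClients entries, with the same port and
		// trailing-slash variations.
		{true, "https://wb1.example/", "https://wb2.example/", "https://good.wb2.example/", "https://good.wb2.example"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://good.wb2.example:443/", "https://good.wb2.example"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://good.wb2.example:443", "https://good.wb2.example/"},

		// Wildcard TrustedClients entries: one or more leading
		// labels, bracketed hosts, and explicit default ports on
		// either side are expected to match.
		{true, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://ok.wildcard.example/"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://ok.ok.wildcard.example/"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://[ok.ok.wildcard.example]:443/"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://[*.wildcard.example]:443", "https://ok.ok.wildcard.example/"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example:443", "https://ok.wildcard.example/"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://ok.wildcard.example:443/"},
		{true, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example:443", "https://ok.wildcard.example:443/"},

		// Targets a wildcard entry must NOT admit.
		//
		// NOTE(review): the first two targets (bare domain,
		// empty leading label) use http, so they would also be
		// rejected on scheme alone; https variants would be
		// needed to exercise those two cases on their own.
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "http://wildcard.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "http://.wildcard.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "http://wrongscheme.wildcard.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "http://wrongscheme.wildcard.example:443/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://wrongport.wildcard.example:80/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://notmatching-wildcard.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "http://notmatching.wildcard.example/"},
		// The trusted name appearing only in the path, query or
		// fragment of another host's URL must not count as a
		// match: only the host part decides.
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example:443", "https://attacker.example/ok.wildcard.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://attacker.example/ok.wildcard.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://attacker.example/?https://ok.wildcard.example/"},
		{false, "https://wb1.example/", "https://wb2.example/", "https://*.wildcard.example", "https://attacker.example/#https://ok.wildcard.example/"},
		// A "*" that is not followed by "." is expected not to
		// act as a wildcard.
		{false, "https://wb1.example/", "https://wb2.example/", "https://*-wildcard.example", "https://notsupported-wildcard.example/"},
	} {
		c.Logf("trial %+v", trial)

		// Start every trial from a zero-value config. With one
		// cluster shared across trials, json.Unmarshal merges
		// each JSON object into the already-populated
		// TrustedClients value (encoding/json keeps existing
		// entries when the destination is a non-nil map), so a
		// pass=true trial could succeed because of an entry
		// left behind by an earlier trial rather than the
		// entry it names.
		var cluster arvados.Cluster

		// We use json.Unmarshal() to load the test strings
		// because we're testing behavior when the config file
		// contains string X.
		err := json.Unmarshal([]byte(`"`+trial.wb1+`"`), &cluster.Services.Workbench1.ExternalURL)
		c.Assert(err, check.IsNil)
		err = json.Unmarshal([]byte(`"`+trial.wb2+`"`), &cluster.Services.Workbench2.ExternalURL)
		c.Assert(err, check.IsNil)
		if trial.trusted != "" {
			err = json.Unmarshal([]byte(`{"`+trial.trusted+`": {}}`), &cluster.Login.TrustedClients)
			c.Assert(err, check.IsNil)
		}
		err = validateLoginRedirectTarget(&cluster, trial.target)
		c.Check(err == nil, check.Equals, trial.pass)
	}
}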