1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
16 "git.curoverse.com/arvados.git/lib/config"
17 "git.curoverse.com/arvados.git/sdk/go/arvados"
18 "git.curoverse.com/arvados.git/sdk/go/arvadostest"
19 check "gopkg.in/check.v1"
22 var _ = check.Suite(&AuthHandlerSuite{})
24 type AuthHandlerSuite struct{}
26 func (s *AuthHandlerSuite) SetUpSuite(c *check.C) {
27 arvadostest.StartAPI()
30 func (s *AuthHandlerSuite) TearDownSuite(c *check.C) {
34 func (s *AuthHandlerSuite) SetUpTest(c *check.C) {
35 arvadostest.ResetEnv()
36 repoRoot, err := filepath.Abs("../api/tmp/git/test")
37 c.Assert(err, check.IsNil)
39 cfg, err := config.NewLoader(nil, nil).Load()
40 c.Assert(err, check.Equals, nil)
41 cluster, err := cfg.GetCluster("")
42 c.Assert(err, check.Equals, nil)
44 cluster.Services.GitHTTP.InternalURLs = map[arvados.URL]arvados.ServiceInstance{arvados.URL{Host: "localhost:0"}: arvados.ServiceInstance{}}
45 cluster.TLS.Insecure = true
46 cluster.Git.GitCommand = "/usr/bin/git"
47 cluster.Git.Repositories = repoRoot
50 func (s *AuthHandlerSuite) TestPermission(c *check.C) {
51 h := &authHandler{handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
52 log.Printf("%v", r.URL)
53 io.WriteString(w, r.URL.Path)
55 baseURL, err := url.Parse("http://git.example/")
56 c.Assert(err, check.IsNil)
57 for _, trial := range []struct {
65 label: "read repo by name",
66 token: arvadostest.ActiveToken,
67 pathIn: arvadostest.Repository2Name + ".git/git-upload-pack",
68 pathOut: arvadostest.Repository2UUID + ".git/git-upload-pack",
71 label: "read repo by uuid",
72 token: arvadostest.ActiveToken,
73 pathIn: arvadostest.Repository2UUID + ".git/git-upload-pack",
74 pathOut: arvadostest.Repository2UUID + ".git/git-upload-pack",
77 label: "write repo by name",
78 token: arvadostest.ActiveToken,
79 pathIn: arvadostest.Repository2Name + ".git/git-receive-pack",
80 pathOut: arvadostest.Repository2UUID + ".git/git-receive-pack",
83 label: "write repo by uuid",
84 token: arvadostest.ActiveToken,
85 pathIn: arvadostest.Repository2UUID + ".git/git-receive-pack",
86 pathOut: arvadostest.Repository2UUID + ".git/git-receive-pack",
89 label: "uuid not found",
90 token: arvadostest.ActiveToken,
91 pathIn: strings.Replace(arvadostest.Repository2UUID, "6", "z", -1) + ".git/git-upload-pack",
92 status: http.StatusNotFound,
95 label: "name not found",
96 token: arvadostest.ActiveToken,
97 pathIn: "nonexistent-bogus.git/git-upload-pack",
98 status: http.StatusNotFound,
101 label: "read read-only repo",
102 token: arvadostest.SpectatorToken,
103 pathIn: arvadostest.FooRepoName + ".git/git-upload-pack",
104 pathOut: arvadostest.FooRepoUUID + "/.git/git-upload-pack",
107 label: "write read-only repo",
108 token: arvadostest.SpectatorToken,
109 pathIn: arvadostest.FooRepoName + ".git/git-receive-pack",
110 status: http.StatusForbidden,
113 c.Logf("trial label: %q", trial.label)
114 u, err := baseURL.Parse(trial.pathIn)
115 c.Assert(err, check.IsNil)
116 resp := httptest.NewRecorder()
117 req := &http.Request{
121 "Authorization": {"Bearer " + trial.token}}}
122 h.ServeHTTP(resp, req)
123 if trial.status == 0 {
124 trial.status = http.StatusOK
126 c.Check(resp.Code, check.Equals, trial.status)
127 if trial.status < 400 {
128 if trial.pathOut != "" && !strings.HasPrefix(trial.pathOut, "/") {
129 trial.pathOut = "/" + trial.pathOut
131 c.Check(resp.Body.String(), check.Equals, trial.pathOut)
136 func (s *AuthHandlerSuite) TestCORS(c *check.C) {
140 resp := httptest.NewRecorder()
141 req := &http.Request{
145 "Access-Control-Request-Method": {"GET"},
148 h.ServeHTTP(resp, req)
149 c.Check(resp.Code, check.Equals, http.StatusOK)
150 c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "GET, POST")
151 c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type")
152 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
153 c.Check(resp.Body.String(), check.Equals, "")
155 // CORS actual request. Bogus token and path ensure
156 // authHandler responds 4xx without calling our wrapped (nil)
158 u, err := url.Parse("git.zzzzz.arvadosapi.com/test")
159 c.Assert(err, check.Equals, nil)
160 resp = httptest.NewRecorder()
166 "Authorization": {"OAuth2 foobar"},
169 h.ServeHTTP(resp, req)
170 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")