1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
16 "git.arvados.org/arvados.git/lib/config"
17 "git.arvados.org/arvados.git/sdk/go/arvados"
18 "git.arvados.org/arvados.git/sdk/go/arvadostest"
19 "git.arvados.org/arvados.git/sdk/go/ctxlog"
20 check "gopkg.in/check.v1"
23 var _ = check.Suite(&AuthHandlerSuite{})
25 type AuthHandlerSuite struct {
26 cluster *arvados.Cluster
29 func (s *AuthHandlerSuite) SetUpTest(c *check.C) {
30 arvadostest.ResetEnv()
31 repoRoot, err := filepath.Abs("../api/tmp/git/test")
32 c.Assert(err, check.IsNil)
34 cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
35 c.Assert(err, check.Equals, nil)
36 s.cluster, err = cfg.GetCluster("")
37 c.Assert(err, check.Equals, nil)
39 s.cluster.Services.GitHTTP.InternalURLs = map[arvados.URL]arvados.ServiceInstance{{Host: "localhost:0"}: {}}
40 s.cluster.TLS.Insecure = true
41 s.cluster.Git.GitCommand = "/usr/bin/git"
42 s.cluster.Git.Repositories = repoRoot
45 func (s *AuthHandlerSuite) TestPermission(c *check.C) {
46 h := &authHandler{handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
47 log.Printf("%v", r.URL)
48 io.WriteString(w, r.URL.Path)
49 }), cluster: s.cluster}
50 baseURL, err := url.Parse("http://git.example/")
51 c.Assert(err, check.IsNil)
52 for _, trial := range []struct {
60 label: "read repo by name",
61 token: arvadostest.ActiveToken,
62 pathIn: arvadostest.Repository2Name + ".git/git-upload-pack",
63 pathOut: arvadostest.Repository2UUID + ".git/git-upload-pack",
66 label: "read repo by uuid",
67 token: arvadostest.ActiveToken,
68 pathIn: arvadostest.Repository2UUID + ".git/git-upload-pack",
69 pathOut: arvadostest.Repository2UUID + ".git/git-upload-pack",
72 label: "write repo by name",
73 token: arvadostest.ActiveToken,
74 pathIn: arvadostest.Repository2Name + ".git/git-receive-pack",
75 pathOut: arvadostest.Repository2UUID + ".git/git-receive-pack",
78 label: "write repo by uuid",
79 token: arvadostest.ActiveToken,
80 pathIn: arvadostest.Repository2UUID + ".git/git-receive-pack",
81 pathOut: arvadostest.Repository2UUID + ".git/git-receive-pack",
84 label: "uuid not found",
85 token: arvadostest.ActiveToken,
86 pathIn: strings.Replace(arvadostest.Repository2UUID, "6", "z", -1) + ".git/git-upload-pack",
87 status: http.StatusNotFound,
90 label: "name not found",
91 token: arvadostest.ActiveToken,
92 pathIn: "nonexistent-bogus.git/git-upload-pack",
93 status: http.StatusNotFound,
96 label: "read read-only repo",
97 token: arvadostest.SpectatorToken,
98 pathIn: arvadostest.FooRepoName + ".git/git-upload-pack",
99 pathOut: arvadostest.FooRepoUUID + "/.git/git-upload-pack",
102 label: "write read-only repo",
103 token: arvadostest.SpectatorToken,
104 pathIn: arvadostest.FooRepoName + ".git/git-receive-pack",
105 status: http.StatusForbidden,
108 c.Logf("trial label: %q", trial.label)
109 u, err := baseURL.Parse(trial.pathIn)
110 c.Assert(err, check.IsNil)
111 resp := httptest.NewRecorder()
112 req := &http.Request{
116 "Authorization": {"Bearer " + trial.token}}}
117 h.ServeHTTP(resp, req)
118 if trial.status == 0 {
119 trial.status = http.StatusOK
121 c.Check(resp.Code, check.Equals, trial.status)
122 if trial.status < 400 {
123 if trial.pathOut != "" && !strings.HasPrefix(trial.pathOut, "/") {
124 trial.pathOut = "/" + trial.pathOut
126 c.Check(resp.Body.String(), check.Equals, trial.pathOut)
131 func (s *AuthHandlerSuite) TestCORS(c *check.C) {
132 h := &authHandler{cluster: s.cluster}
135 resp := httptest.NewRecorder()
136 req := &http.Request{
140 "Access-Control-Request-Method": {"GET"},
143 h.ServeHTTP(resp, req)
144 c.Check(resp.Code, check.Equals, http.StatusOK)
145 c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "GET, POST")
146 c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type")
147 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
148 c.Check(resp.Body.String(), check.Equals, "")
150 // CORS actual request. Bogus token and path ensure
151 // authHandler responds 4xx without calling our wrapped (nil)
153 u, err := url.Parse("git.zzzzz.arvadosapi.com/test")
154 c.Assert(err, check.Equals, nil)
155 resp = httptest.NewRecorder()
161 "Authorization": {"OAuth2 foobar"},
164 h.ServeHTTP(resp, req)
165 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")