projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
21217: Strip leading/trailing space chars from incoming tokens.
[arvados.git] / sdk / go / auth / handlers_test.go
diff --git a/sdk/go/auth/handlers_test.go b/sdk/go/auth/handlers_test.go
index 362aeb7f04feacf35dd47da718fc852dae4110f5..85ea8893a50f61bf9531e6e3a5acd01ff09b008a 100644 (file)
--- a/sdk/go/auth/handlers_test.go
+++ b/sdk/go/auth/handlers_test.go
@@ -7,6 +7,8 @@ package auth
 import (
        "net/http"
        "net/http/httptest"
+       "net/url"
+       "strings"
        "testing"
 
        check "gopkg.in/check.v1"
@@ -32,9 +34,36 @@ func (s *HandlersSuite) SetUpTest(c *check.C) {
 func (s *HandlersSuite) TestLoadToken(c *check.C) {
        handler := LoadToken(s)
        handler.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/foo/bar?api_token=xyzzy", nil))
-       c.Assert(s.gotCredentials, check.NotNil)
-       c.Assert(s.gotCredentials.Tokens, check.HasLen, 1)
-       c.Check(s.gotCredentials.Tokens[0], check.Equals, "xyzzy")
+       c.Check(s.gotCredentials.Tokens, check.DeepEquals, []string{"xyzzy"})
+}
+
+// Ignore leading and trailing spaces, newlines, etc. in case a user
+// has added them inadvertently during copy/paste.
+func (s *HandlersSuite) TestTrimSpaceInQuery(c *check.C) {
+       handler := LoadToken(s)
+       handler.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/foo/bar?api_token=%20xyzzy%0a", nil))
+       c.Check(s.gotCredentials.Tokens, check.DeepEquals, []string{"xyzzy"})
+}
+func (s *HandlersSuite) TestTrimSpaceInPostForm(c *check.C) {
+       handler := LoadToken(s)
+       req := httptest.NewRequest("POST", "/foo/bar", strings.NewReader(url.Values{"api_token": []string{"\nxyzzy\n"}}.Encode()))
+       req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+       handler.ServeHTTP(httptest.NewRecorder(), req)
+       c.Check(s.gotCredentials.Tokens, check.DeepEquals, []string{"xyzzy"})
+}
+func (s *HandlersSuite) TestTrimSpaceInCookie(c *check.C) {
+       handler := LoadToken(s)
+       req := httptest.NewRequest("GET", "/foo/bar", nil)
+       req.AddCookie(&http.Cookie{Name: "arvados_api_token", Value: EncodeTokenCookie([]byte("\vxyzzy\n"))})
+       handler.ServeHTTP(httptest.NewRecorder(), req)
+       c.Check(s.gotCredentials.Tokens, check.DeepEquals, []string{"xyzzy"})
+}
+func (s *HandlersSuite) TestTrimSpaceInBasicAuth(c *check.C) {
+       handler := LoadToken(s)
+       req := httptest.NewRequest("GET", "/foo/bar", nil)
+       req.SetBasicAuth("username", "\txyzzy\n")
+       handler.ServeHTTP(httptest.NewRecorder(), req)
+       c.Check(s.gotCredentials.Tokens, check.DeepEquals, []string{"xyzzy"})
 }
 
 func (s *HandlersSuite) TestRequireLiteralTokenEmpty(c *check.C) {
@@ -76,4 +105,5 @@ func (s *HandlersSuite) TestRequireLiteralToken(c *check.C) {
 func (s *HandlersSuite) ServeHTTP(w http.ResponseWriter, r *http.Request) {
        s.served++
        s.gotCredentials = CredentialsFromRequest(r)
+       s.gotCredentials.LoadTokensFromHTTPRequestBody(r)
 }