X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/bef091f69353d5a1ec7ef6c4e84f81756023596b..be28c5f528a93ee32eef4c1dc2d0872cb718b29f:/services/arv-git-httpd/auth_handler_test.go diff --git a/services/arv-git-httpd/auth_handler_test.go b/services/arv-git-httpd/auth_handler_test.go index df64999405..4e1a47dcb2 100644 --- a/services/arv-git-httpd/auth_handler_test.go +++ b/services/arv-git-httpd/auth_handler_test.go @@ -5,19 +5,139 @@ package main import ( + "io" + "log" "net/http" "net/http/httptest" "net/url" + "path/filepath" + "strings" + "git.arvados.org/arvados.git/lib/config" + "git.arvados.org/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/arvadostest" + "git.arvados.org/arvados.git/sdk/go/ctxlog" check "gopkg.in/check.v1" ) var _ = check.Suite(&AuthHandlerSuite{}) -type AuthHandlerSuite struct{} +type AuthHandlerSuite struct { + cluster *arvados.Cluster +} + +func (s *AuthHandlerSuite) SetUpSuite(c *check.C) { + arvadostest.StartAPI() +} + +func (s *AuthHandlerSuite) TearDownSuite(c *check.C) { + arvadostest.StopAPI() +} + +func (s *AuthHandlerSuite) SetUpTest(c *check.C) { + arvadostest.ResetEnv() + repoRoot, err := filepath.Abs("../api/tmp/git/test") + c.Assert(err, check.IsNil) + + cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load() + c.Assert(err, check.Equals, nil) + s.cluster, err = cfg.GetCluster("") + c.Assert(err, check.Equals, nil) + + s.cluster.Services.GitHTTP.InternalURLs = map[arvados.URL]arvados.ServiceInstance{{Host: "localhost:0"}: {}} + s.cluster.TLS.Insecure = true + s.cluster.Git.GitCommand = "/usr/bin/git" + s.cluster.Git.Repositories = repoRoot +} + +func (s *AuthHandlerSuite) TestPermission(c *check.C) { + h := &authHandler{handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + log.Printf("%v", r.URL) + io.WriteString(w, r.URL.Path) + }), cluster: s.cluster} + baseURL, err := url.Parse("http://git.example/") + c.Assert(err, check.IsNil) + for _, trial := range []struct { + label string + token string + pathIn string + pathOut string + status int + }{ + { + label: "read repo by name", + token: arvadostest.ActiveToken, + pathIn: arvadostest.Repository2Name + ".git/git-upload-pack", + pathOut: arvadostest.Repository2UUID + ".git/git-upload-pack", + }, + { + label: "read repo by uuid", + token: arvadostest.ActiveToken, + pathIn: arvadostest.Repository2UUID + ".git/git-upload-pack", + pathOut: arvadostest.Repository2UUID + ".git/git-upload-pack", + }, + { + label: "write repo by name", + token: arvadostest.ActiveToken, + pathIn: arvadostest.Repository2Name + ".git/git-receive-pack", + pathOut: arvadostest.Repository2UUID + ".git/git-receive-pack", + }, + { + label: "write repo by uuid", + token: arvadostest.ActiveToken, + pathIn: arvadostest.Repository2UUID + ".git/git-receive-pack", + pathOut: arvadostest.Repository2UUID + ".git/git-receive-pack", + }, + { + label: "uuid not found", + token: arvadostest.ActiveToken, + pathIn: strings.Replace(arvadostest.Repository2UUID, "6", "z", -1) + ".git/git-upload-pack", + status: http.StatusNotFound, + }, + { + label: "name not found", + token: arvadostest.ActiveToken, + pathIn: "nonexistent-bogus.git/git-upload-pack", + status: http.StatusNotFound, + }, + { + label: "read read-only repo", + token: arvadostest.SpectatorToken, + pathIn: arvadostest.FooRepoName + ".git/git-upload-pack", + pathOut: arvadostest.FooRepoUUID + "/.git/git-upload-pack", + }, + { + label: "write read-only repo", + token: arvadostest.SpectatorToken, + pathIn: arvadostest.FooRepoName + ".git/git-receive-pack", + status: http.StatusForbidden, + }, + } { + c.Logf("trial label: %q", trial.label) + u, err := baseURL.Parse(trial.pathIn) + c.Assert(err, check.IsNil) + resp := httptest.NewRecorder() + req := &http.Request{ + Method: "POST", + URL: u, + Header: http.Header{ + "Authorization": {"Bearer " + trial.token}}} + h.ServeHTTP(resp, req) + if trial.status == 0 { + trial.status = http.StatusOK + } + c.Check(resp.Code, check.Equals, trial.status) + if trial.status < 400 { + if trial.pathOut != "" && !strings.HasPrefix(trial.pathOut, "/") { + trial.pathOut = "/" + trial.pathOut + } + c.Check(resp.Body.String(), check.Equals, trial.pathOut) + } + } +} func (s *AuthHandlerSuite) TestCORS(c *check.C) { - h := &authHandler{} + h := &authHandler{cluster: s.cluster} // CORS preflight resp := httptest.NewRecorder()