fleet/server/service/http_auth_test.go

package service

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
	"testing"

	kitlog "github.com/go-kit/kit/log"
	kithttp "github.com/go-kit/kit/transport/http"
	"github.com/gorilla/mux"
	"github.com/fleetdm/fleet/server/config"
	"github.com/fleetdm/fleet/server/datastore/inmem"
	"github.com/fleetdm/fleet/server/kolide"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestLogin(t *testing.T) {
	ds, _ := inmem.New(config.TestConfig())
	svc, _ := newTestService(ds, nil, nil)
	users := createTestUsers(t, ds)
	logger := kitlog.NewLogfmtLogger(os.Stdout)

	opts := []kithttp.ServerOption{
		kithttp.ServerBefore(
			setRequestsContexts(svc, "CHANGEME"),
		),
		kithttp.ServerErrorLogger(logger),
		kithttp.ServerAfter(
			kithttp.SetContentType("application/json; charset=utf-8"),
		),
	}
	r := mux.NewRouter()
	ke := MakeKolideServerEndpoints(svc, "CHANGEME", "")
	kh := makeKolideKitHandlers(ke, opts)
	attachKolideAPIRoutes(r, kh)
	r.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "index")
	}))

	server := httptest.NewServer(r)
	var loginTests = []struct {
		username string
		status   int
		password string
	}{
		{
			username: "admin1",
			password: testUsers["admin1"].PlaintextPassword,
			status:   http.StatusOK,
		},
		{
			username: "user1",
			password: testUsers["user1"].PlaintextPassword,
			status:   http.StatusOK,
		},
		{
			username: "nosuchuser",
			password: "nosuchuser",
			status:   http.StatusUnauthorized,
		},
		{
			username: "admin1",
			password: "badpassword",
			status:   http.StatusUnauthorized,
		},
	}

	for _, tt := range loginTests {
		var shouldBeAdmin bool
		if u, ok := testUsers[tt.username]; ok {
			shouldBeAdmin = u.IsAdmin
		}

		// test sessions
		testUser := users[tt.username]

		params := loginRequest{
			Username: tt.username,
			Password: tt.password,
		}
		j, err := json.Marshal(&params)
		assert.Nil(t, err)

		requestBody := &nopCloser{bytes.NewBuffer(j)}
		resp, err := http.Post(server.URL+"/api/v1/kolide/login", "application/json", requestBody)
		require.Nil(t, err)
		assert.Equal(t, tt.status, resp.StatusCode)

		var jsn = struct {
			User  *kolide.User        `json:"user"`
			Token string              `json:"token"`
			Err   []map[string]string `json:"errors,omitempty"`
		}{}
		err = json.NewDecoder(resp.Body).Decode(&jsn)
		require.Nil(t, err)

		if tt.status != http.StatusOK {
			assert.NotEqual(t, "", jsn.Err)
			continue // skip remaining tests
		}

		require.NotNil(t, jsn.User)
		assert.Equal(t, shouldBeAdmin, jsn.User.Admin)
		assert.Equal(t, tt.username, jsn.User.Username)

		// ensure that a session was created for our test user and stored
		sessions, err := ds.ListSessionsForUser(testUser.ID)
		assert.Nil(t, err)
		assert.Len(t, sessions, 1)

		// ensure the session key is not blank
		assert.NotEqual(t, "", sessions[0].Key)

		// test logout
		req, _ := http.NewRequest("POST", server.URL+"/api/v1/kolide/logout", nil)
		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jsn.Token))
		client := &http.Client{}
		resp, err = client.Do(req)
		require.Nil(t, err)
		assert.Equal(t, http.StatusOK, resp.StatusCode, strconv.Itoa(tt.status))

		_, err = ioutil.ReadAll(resp.Body)
		assert.Nil(t, err)

		// ensure that our user's session was deleted from the store
		sessions, err = ds.ListSessionsForUser(testUser.ID)
		assert.Nil(t, err)
		assert.Len(t, sessions, 0)
	}
}

// an io.ReadCloser for new request body
type nopCloser struct {
	io.Reader
}

func (nopCloser) Close() error { return nil }

// helper to convert a bool pointer false
func falseIfNil(b *bool) bool {
	if b == nil {
		return false
	}
	return *b
}
Organizing go code (#241) 2016-09-26 18:48:55 +00:00			`package service`
go-kit server layout 2016-08-28 03:59:17 +00:00
			`import (`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`"bytes"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`"encoding/json"`
			`"fmt"`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`"io"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`"io/ioutil"`
			`"net/http"`
			`"net/http/httptest"`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`"os"`
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`"strconv"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`"testing"`

			`kitlog "github.com/go-kit/kit/log"`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`kithttp "github.com/go-kit/kit/transport/http"`
			`"github.com/gorilla/mux"`
Update the Go import paths to new repo name (#27) 2020-11-11 17:59:12 +00:00			`"github.com/fleetdm/fleet/server/config"`
			`"github.com/fleetdm/fleet/server/datastore/inmem"`
			`"github.com/fleetdm/fleet/server/kolide"`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`"github.com/stretchr/testify/assert"`
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`"github.com/stretchr/testify/require"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`)`

			`func TestLogin(t *testing.T) {`
Added built in labels (#526) 2016-11-25 18:08:22 +00:00			`ds, _ := inmem.New(config.TestConfig())`
Move live query operations from MySQL to Redis This change optimizes live queries by pushing the computation of query targets to the creation time of the query, and efficiently caching the targets in Redis. This results in a huge performance improvement at both steady-state, and when running live queries. - Live queries are stored using a bitfield in Redis, and takes advantage of bitfield operations to be extremely efficient. - Only run Redis live query test when REDIS_TEST is set in environment - Ensure that live queries are only sent to hosts when there is a client listening for results. Addresses an existing issue in Fleet along with appropriate cleanup for the refactored live query backend. 2020-03-23 01:33:04 +00:00			`svc, _ := newTestService(ds, nil, nil)`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`users := createTestUsers(t, ds)`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`logger := kitlog.NewLogfmtLogger(os.Stdout)`

			`opts := []kithttp.ServerOption{`
			`kithttp.ServerBefore(`
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`setRequestsContexts(svc, "CHANGEME"),`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`),`
			`kithttp.ServerErrorLogger(logger),`
			`kithttp.ServerAfter(`
			`kithttp.SetContentType("application/json; charset=utf-8"),`
			`),`
			`}`
			`r := mux.NewRouter()`
Add ability to prefix Fleet URLs (#2112) - Add the server_url_prefix flag for configuring this functionality - Add prefix handling to the server routes - Refactor JS to use appropriate paths from modules - Use JS template to get URL prefix into JS environment - Update webpack config to support prefixing Thanks to securityonion.net for sponsoring the development of this feature. Closes #1661 2019-10-16 23:40:45 +00:00			`ke := MakeKolideServerEndpoints(svc, "CHANGEME", "")`
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411. 2017-03-15 15:55:30 +00:00			`kh := makeKolideKitHandlers(ke, opts)`
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`attachKolideAPIRoutes(r, kh)`
go-kit server layout 2016-08-28 03:59:17 +00:00			`r.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`fmt.Fprint(w, "index")`
			`}))`

			`server := httptest.NewServer(r)`
			`var loginTests = []struct {`
			`username string`
			`status int`
			`password string`
			`}{`
			`{`
			`username: "admin1",`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`password: testUsers["admin1"].PlaintextPassword,`
go-kit server layout 2016-08-28 03:59:17 +00:00			`status: http.StatusOK,`
			`},`
Move API responses under top-level keys (#292) 2016-10-11 16:22:11 +00:00			`{`
			`username: "user1",`
			`password: testUsers["user1"].PlaintextPassword,`
			`status: http.StatusOK,`
			`},`
go-kit server layout 2016-08-28 03:59:17 +00:00			`{`
			`username: "nosuchuser",`
			`password: "nosuchuser",`
			`status: http.StatusUnauthorized,`
			`},`
			`{`
			`username: "admin1",`
			`password: "badpassword",`
			`status: http.StatusUnauthorized,`
			`},`
			`}`

			`for _, tt := range loginTests {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`var shouldBeAdmin bool`
			`if u, ok := testUsers[tt.username]; ok {`
			`shouldBeAdmin = u.IsAdmin`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00
			`// test sessions`
General simplification in go part (#1658) * don't check if error is nil, return it * don't compare bool to bool, use it * don't supply capacity to make for slice when len is equal to cap 2017-12-04 14:43:43 +00:00			`testUser := users[tt.username]`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`params := loginRequest{`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`Username: tt.username,`
			`Password: tt.password,`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`j, err := json.Marshal(&params)`
assertifying the tests (#163) 2016-09-14 18:40:51 +00:00			`assert.Nil(t, err)`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`requestBody := &nopCloser{bytes.NewBuffer(j)}`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`resp, err := http.Post(server.URL+"/api/v1/kolide/login", "application/json", requestBody)`
always return errors to the client as a map slice (#724) keep the format for error returns consistent by always returning a []map[string]string for json errors. This simplifies the error handling on the frontend. Use "name":"base" as the name field for errors which do not have a specific or known form field. 2016-12-30 00:40:12 +00:00			`require.Nil(t, err)`
assertifying the tests (#163) 2016-09-14 18:40:51 +00:00			`assert.Equal(t, tt.status, resp.StatusCode)`
go-kit server layout 2016-08-28 03:59:17 +00:00
			`var jsn = struct {`
always return errors to the client as a map slice (#724) keep the format for error returns consistent by always returning a []map[string]string for json errors. This simplifies the error handling on the frontend. Use "name":"base" as the name field for errors which do not have a specific or known form field. 2016-12-30 00:40:12 +00:00			User *kolide.User `json:"user"`
			Token string `json:"token"`
			Err []map[string]string `json:"errors,omitempty"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}{}`
assertifying the tests (#163) 2016-09-14 18:40:51 +00:00			`err = json.NewDecoder(resp.Body).Decode(&jsn)`
always return errors to the client as a map slice (#724) keep the format for error returns consistent by always returning a []map[string]string for json errors. This simplifies the error handling on the frontend. Use "name":"base" as the name field for errors which do not have a specific or known form field. 2016-12-30 00:40:12 +00:00			`require.Nil(t, err)`
go-kit server layout 2016-08-28 03:59:17 +00:00
			`if tt.status != http.StatusOK {`
assertifying the tests (#163) 2016-09-14 18:40:51 +00:00			`assert.NotEqual(t, "", jsn.Err)`
go-kit server layout 2016-08-28 03:59:17 +00:00			`continue // skip remaining tests`
			`}`

Move API responses under top-level keys (#292) 2016-10-11 16:22:11 +00:00			`require.NotNil(t, jsn.User)`
			`assert.Equal(t, shouldBeAdmin, jsn.User.Admin)`
			`assert.Equal(t, tt.username, jsn.User.Username)`
go-kit server layout 2016-08-28 03:59:17 +00:00
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`// ensure that a session was created for our test user and stored`
Apply consistent naming conventions across server files (#310) 2016-10-14 15:59:27 +00:00			`sessions, err := ds.ListSessionsForUser(testUser.ID)`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`assert.Nil(t, err)`
			`assert.Len(t, sessions, 1)`

			`// ensure the session key is not blank`
			`assert.NotEqual(t, "", sessions[0].Key)`

			`// test logout`
Forgot to specify that logout is post (#136) 2016-09-08 02:58:25 +00:00			`req, _ := http.NewRequest("POST", server.URL+"/api/v1/kolide/logout", nil)`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jsn.Token))`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`client := &http.Client{}`
			`resp, err = client.Do(req)`
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`require.Nil(t, err)`
			`assert.Equal(t, http.StatusOK, resp.StatusCode, strconv.Itoa(tt.status))`
assertifying the tests (#163) 2016-09-14 18:40:51 +00:00
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`_, err = ioutil.ReadAll(resp.Body)`
assertifying the tests (#163) 2016-09-14 18:40:51 +00:00			`assert.Nil(t, err)`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`// ensure that our user's session was deleted from the store`
Apply consistent naming conventions across server files (#310) 2016-10-14 15:59:27 +00:00			`sessions, err = ds.ListSessionsForUser(testUser.ID)`
server/service: Fix Missing Test Errors (#2196) This fixes 9 places in the `server/service` tests where err variables were being dropped. No new test failures identified. 2020-02-19 02:11:16 +00:00			`assert.Nil(t, err)`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`assert.Len(t, sessions, 0)`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
			`}`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`// an io.ReadCloser for new request body`
			`type nopCloser struct {`
			`io.Reader`
			`}`

			`func (nopCloser) Close() error { return nil }`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00
			`// helper to convert a bool pointer false`
			`func falseIfNil(b *bool) bool {`
			`if b == nil {`
			`return false`
			`}`
			`return *b`
			`}`