2019-11-24 20:27:59 +00:00
|
|
|
package suites
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/suite"
|
2023-02-28 09:01:09 +00:00
|
|
|
"github.com/valyala/fasthttp"
|
2019-11-24 20:27:59 +00:00
|
|
|
)
|
|
|
|
|
2020-03-03 07:18:25 +00:00
|
|
|
// WARNING: This scenario is intended to be used with TLS enabled in the authelia backend.
|
|
|
|
|
2019-11-24 20:27:59 +00:00
|
|
|
type BackendProtectionScenario struct {
|
|
|
|
suite.Suite
|
2023-02-28 09:01:09 +00:00
|
|
|
|
|
|
|
client *http.Client
|
2019-11-24 20:27:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func NewBackendProtectionScenario() *BackendProtectionScenario {
|
|
|
|
return &BackendProtectionScenario{}
|
|
|
|
}
|
|
|
|
|
2023-02-28 09:01:09 +00:00
|
|
|
func (s *BackendProtectionScenario) SetupSuite() {
|
|
|
|
tr := &http.Transport{
|
|
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // Needs to be enabled in suites. Not used in production.
|
|
|
|
}
|
|
|
|
|
|
|
|
s.client = &http.Client{
|
|
|
|
Transport: tr,
|
|
|
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
|
|
|
return http.ErrUseLastResponse
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-24 20:27:59 +00:00
|
|
|
func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string, expectedStatusCode int) {
|
|
|
|
s.Run(url, func() {
|
|
|
|
req, err := http.NewRequest(method, url, nil)
|
|
|
|
s.Assert().NoError(err)
|
|
|
|
|
2023-02-28 09:01:09 +00:00
|
|
|
res, err := s.client.Do(req)
|
|
|
|
|
2019-11-24 20:27:59 +00:00
|
|
|
s.Assert().NoError(err)
|
2021-03-11 07:36:58 +00:00
|
|
|
s.Assert().Equal(expectedStatusCode, res.StatusCode)
|
2019-11-24 20:27:59 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *BackendProtectionScenario) TestProtectionOfBackendEndpoints() {
|
2023-02-28 09:07:42 +00:00
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/secondfactor/totp", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodGet, fmt.Sprintf("%s/api/secondfactor/webauthn/credentials", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/secondfactor/webauthn", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPut, fmt.Sprintf("%s/api/secondfactor/webauthn/credential/register", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/secondfactor/webauthn/credential/register", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodDelete, fmt.Sprintf("%s/api/secondfactor/webauthn/credential/1", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPut, fmt.Sprintf("%s/api/secondfactor/webauthn/credential/1", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/user/info/2fa_method", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodGet, fmt.Sprintf("%s/api/user/info", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodGet, fmt.Sprintf("%s/api/configuration", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/secondfactor/totp/identity/start", AutheliaBaseURL), fasthttp.StatusForbidden)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/secondfactor/totp/identity/finish", AutheliaBaseURL), fasthttp.StatusForbidden)
|
2019-11-24 20:27:59 +00:00
|
|
|
}
|
|
|
|
|
2021-03-11 07:36:58 +00:00
|
|
|
func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {
|
2023-02-28 09:07:42 +00:00
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodGet, fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), fasthttp.StatusNotFound)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodHead, fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), fasthttp.StatusNotFound)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), fasthttp.StatusNotFound)
|
2021-03-11 07:36:58 +00:00
|
|
|
|
2023-02-28 09:07:42 +00:00
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodGet, fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), fasthttp.StatusNotFound)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodHead, fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), fasthttp.StatusNotFound)
|
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPost, fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), fasthttp.StatusNotFound)
|
2021-03-11 07:36:58 +00:00
|
|
|
}
|
|
|
|
|
2022-04-03 23:58:01 +00:00
|
|
|
func (s *BackendProtectionScenario) TestInvalidEndpointsReturn405() {
|
2023-04-15 05:03:14 +00:00
|
|
|
s.AssertRequestStatusCode(fasthttp.MethodPut, fmt.Sprintf("%s/api/configuration", AutheliaBaseURL), fasthttp.StatusMethodNotAllowed)
|
2022-04-03 23:58:01 +00:00
|
|
|
}
|
|
|
|
|
2019-11-24 20:27:59 +00:00
|
|
|
func TestRunBackendProtection(t *testing.T) {
|
2021-03-14 07:08:26 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("skipping suite test in short mode")
|
|
|
|
}
|
|
|
|
|
2019-11-24 20:27:59 +00:00
|
|
|
suite.Run(t, NewBackendProtectionScenario())
|
|
|
|
}
|