authelia/internal/suites/scenario_backend_protection...

package suites

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"testing"

	"github.com/stretchr/testify/suite"
)

// WARNING: This scenario is intended to be used with TLS enabled in the authelia backend.

type BackendProtectionScenario struct {
	suite.Suite
}

func NewBackendProtectionScenario() *BackendProtectionScenario {
	return &BackendProtectionScenario{}
}

func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string, expectedStatusCode int) {
	s.Run(url, func() {
		req, err := http.NewRequest(method, url, nil)
		s.Assert().NoError(err)

		tr := &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // Needs to be enabled in suites. Not used in production.
		}
		client := &http.Client{
			Transport: tr,
			CheckRedirect: func(req *http.Request, via []*http.Request) error {
				return http.ErrUseLastResponse
			},
		}
		res, err := client.Do(req)
		s.Assert().NoError(err)
		s.Assert().Equal(expectedStatusCode, res.StatusCode)
	})
}

func (s *BackendProtectionScenario) TestProtectionOfBackendEndpoints() {
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp", AutheliaBaseURL), 403)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/assertion", AutheliaBaseURL), 403)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/attestation", AutheliaBaseURL), 403)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/user/info/2fa_method", AutheliaBaseURL), 403)

	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/user/info", AutheliaBaseURL), 403)
	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/configuration", AutheliaBaseURL), 403)

	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp/identity/start", AutheliaBaseURL), 403)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp/identity/finish", AutheliaBaseURL), 403)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/identity/start", AutheliaBaseURL), 403)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/identity/finish", AutheliaBaseURL), 403)
}

func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {
	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
	s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)

	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
	s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
}

func TestRunBackendProtection(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping suite test in short mode")
	}

	suite.Run(t, NewBackendProtectionScenario())
}
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`package suites`

			`import (`
			`"crypto/tls"`
			`"fmt"`
			`"net/http"`
			`"testing"`

			`"github.com/stretchr/testify/suite"`
			`)`

[FEATURE] Add TLS support. (#677) * [FEATURE] Add TLS support. Fixes #368. * [FEATURE] Introduce OnError hook in suites. This hook allows to perform actions following an erroneous suite like displaying the logs of Authelia. * Display Authelia logs of Standalone suite when tests fail. * Fix Standalone suite. * Apply suggestions from code review * Rename ssl_key and ssl_cert into tls_key and tls_cert. 2020-03-03 07:18:25 +00:00			`// WARNING: This scenario is intended to be used with TLS enabled in the authelia backend.`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`type BackendProtectionScenario struct {`
			`suite.Suite`
			`}`

			`func NewBackendProtectionScenario() *BackendProtectionScenario {`
			`return &BackendProtectionScenario{}`
			`}`

			`func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string, expectedStatusCode int) {`
			`s.Run(url, func() {`
			`req, err := http.NewRequest(method, url, nil)`
			`s.Assert().NoError(err)`

			`tr := &http.Transport{`
[CI] Enable gosec linter (#979) * fix tee append * convert DB table names from var to const * fixed file modes * ignored gosec where relevant and safe 2020-05-05 07:57:30 +00:00			`TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // Needs to be enabled in suites. Not used in production.`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`}`
			`client := &http.Client{`
			`Transport: tr,`
			`CheckRedirect: func(req http.Request, via []http.Request) error {`
			`return http.ErrUseLastResponse`
			`},`
			`}`
			`res, err := client.Do(req)`
			`s.Assert().NoError(err)`
fix(server): send 404 on missing api endpoints instead of 405 (#1806) Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e770c3e4c7af9aa5ef8e3e25b9a73eb however this resolves another issue that's related. Additionally this ensures the behavior is tested. Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> Fixes #1520 Closes #1534 2021-03-11 07:36:58 +00:00			`s.Assert().Equal(expectedStatusCode, res.StatusCode)`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`})`
			`}`

			`func (s *BackendProtectionScenario) TestProtectionOfBackendEndpoints() {`
			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp", AutheliaBaseURL), 403)`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/assertion", AutheliaBaseURL), 403)`
			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/attestation", AutheliaBaseURL), 403)`
Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-07 17:14:26 +00:00			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/user/info/2fa_method", AutheliaBaseURL), 403)`

			`s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/user/info", AutheliaBaseURL), 403)`
[MISC] Template global config and refactor some /api endpoints (#1135) * [MISC] Template global config and refactor some /api endpoints * /api/configuration has been removed in favour of templating said global config * /api/configuration/extended has been renamed to /api/configuration and display_name has been removed * /api/user/info has been modified to include display_name Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2020-06-21 13:40:37 +00:00			`s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/configuration", AutheliaBaseURL), 403)`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00
			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp/identity/start", AutheliaBaseURL), 403)`
			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp/identity/finish", AutheliaBaseURL), 403)`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/identity/start", AutheliaBaseURL), 403)`
			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/webauthn/identity/finish", AutheliaBaseURL), 403)`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`}`

fix(server): send 404 on missing api endpoints instead of 405 (#1806) Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e770c3e4c7af9aa5ef8e3e25b9a73eb however this resolves another issue that's related. Additionally this ensures the behavior is tested. Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> Fixes #1520 Closes #1534 2021-03-11 07:36:58 +00:00			`func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {`
			`s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)`
			`s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)`
			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)`

			`s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)`
			`s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)`
			`s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)`
			`}`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`func TestRunBackendProtection(t *testing.T) {`
test(suites): short mode skip suites testing (#1823) This PR changes the suites tests so if go test -short is used, they are skipped per go standards and a message is displayed. Additionally removed some redundant types from suite_high_availability_test.go and adjusted a warning about a nil req var. 2021-03-14 07:08:26 +00:00			`if testing.Short() {`
			`t.Skip("skipping suite test in short mode")`
			`}`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`suite.Run(t, NewBackendProtectionScenario())`
			`}`