RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: misc adjustments

pull/4713/head
James Elliott 2023-03-10 14:56:50 +11:00
parent 4b2881005e
commit c418c09931
No known key found for this signature in database
GPG Key ID: 0F1C4A096E857E49
38 changed files with 550 additions and 529 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/authelia-scripts/cmd/gen.go
View File

@ -7,5 +7,5 @@
package cmd
const (
versionSwaggerUI = "4.17.0"
versionSwaggerUI = "4.18.0"
)

3
docs/content/en/contributing/guidelines/commit-message.md
View File

@ -52,7 +52,7 @@ for, and the structure it must have.
│ codecov|commands|configuration|deps|docker|duo|go|golangci-lint|
│ handlers|logging|metrics|middlewares|mocks|model|notification|npm|ntp|
│ oidc|random|regulation|renovate|reviewdog|server|session|storage|
│ suites|templates|totp|utils|web
│ suites|templates|totp|trust|utils|web
└─⫸ Commit Type: build|ci|docs|feat|fix|i18n|perf|refactor|release|revert|test
```
@ -101,6 +101,7 @@ commit messages).
* suites
* templates
* totp
* trust
* utils
There are currently a few exceptions to the "use package name" rule:

2
docs/data/configkeys.json
View File

File diff suppressed because one or more lines are too long

12
internal/authentication/ldap_user_provider.go
View File

@ -18,7 +18,7 @@ import (
// LDAPUserProvider is a UserProvider that connects to LDAP servers like ActiveDirectory, OpenLDAP, OpenDJ, FreeIPA, etc.
type LDAPUserProvider struct {
config schema.LDAPAuthenticationBackend
trust trust.Provider
trust trust.CertificateProvider
log *logrus.Logger
factory LDAPClientFactory
@ -47,14 +47,14 @@ type LDAPUserProvider struct {
}
// NewLDAPUserProvider creates a new instance of LDAPUserProvider with the ProductionLDAPClientFactory.
func NewLDAPUserProvider(config schema.AuthenticationBackend, trustProvider trust.Provider) (provider *LDAPUserProvider) {
func NewLDAPUserProvider(config schema.AuthenticationBackend, trustProvider trust.CertificateProvider) (provider *LDAPUserProvider) {
provider = NewLDAPUserProviderWithFactory(*config.LDAP, config.PasswordReset.Disable, trustProvider, NewProductionLDAPClientFactory())
return provider
}
// NewLDAPUserProviderWithFactory creates a new instance of LDAPUserProvider with the specified LDAPClientFactory.
func NewLDAPUserProviderWithFactory(config schema.LDAPAuthenticationBackend, disableResetPassword bool, trustProvider trust.Provider, factory LDAPClientFactory) (provider *LDAPUserProvider) {
func NewLDAPUserProviderWithFactory(config schema.LDAPAuthenticationBackend, disableResetPassword bool, trustProvider trust.CertificateProvider, factory LDAPClientFactory) (provider *LDAPUserProvider) {
if config.TLS == nil {
config.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS
}
@ -73,7 +73,7 @@ func NewLDAPUserProviderWithFactory(config schema.LDAPAuthenticationBackend, dis
}
if provider.trust == nil {
provider.trust = trust.NewProvider()
provider.trust = trust.NewProduction()
}
provider.parseDynamicUsersConfiguration()
@ -88,7 +88,7 @@ func (p *LDAPUserProvider) dialOpts() (opts []ldap.DialOpt) {
}
if p.config.TLS != nil {
opts = append(opts, ldap.DialWithTLSConfig(p.trust.GetTLSConfiguration(p.config.TLS)))
opts = append(opts, ldap.DialWithTLSConfig(p.trust.GetTLSConfig(p.config.TLS)))
}
return opts
@ -247,7 +247,7 @@ func (p *LDAPUserProvider) connectCustom(url, username, password string, startTL
}
if startTLS {
if err = client.StartTLS(p.trust.GetTLSConfiguration(p.config.TLS)); err != nil {
if err = client.StartTLS(p.trust.GetTLSConfig(p.config.TLS)); err != nil {
client.Close()
return nil, fmt.Errorf("starttls failed with error: %w", err)

2
internal/authentication/ldap_user_provider_test.go
View File

@ -31,7 +31,7 @@ func TestShouldCreateRawConnectionWhenSchemeIsLDAP(t *testing.T) {
Password: "password",
},
false,
trust.NewProvider(),
trust.NewProduction(),
mockFactory)
dialURL := mockFactory.EXPECT().

22
internal/commands/context.go
View File

@ -120,9 +120,21 @@ func (ctx *CmdCtx) CheckSchema() (err error) {
// LoadTrustedCertificates loads the trusted certificates into the CmdCtx.
func (ctx *CmdCtx) LoadTrustedCertificates() (err error) {
ctx.providers.Trust = trust.NewProvider(trust.WithPaths(ctx.config.CertificatesDirectory...))
opts := []trust.ProductionOpt{
trust.WithCertificatePaths(ctx.config.Trust.Certificates.Paths...),
trust.WithSystem(!ctx.config.Trust.Certificates.DisableSystemCertificates),
trust.WithValidateNotAfter(!ctx.config.Trust.Certificates.DisableValidateNotAfter),
trust.WithValidateNotBefore(!ctx.config.Trust.Certificates.DisableValidateNotBefore),
trust.WithValidationReturnErrors(!ctx.config.Trust.Certificates.DisableValidationErrors),
}
return ctx.providers.Trust.StartupCheck()
for _, chain := range ctx.config.Trust.Certificates.Certificates {
opts = append(opts, trust.WithStatic(chain.Certificates()...))
}
ctx.providers.CertificateTrust = trust.NewProduction(opts...)
return ctx.providers.CertificateTrust.StartupCheck()
}
// LoadProviders loads all providers into the CmdCtx.
@ -139,14 +151,14 @@ func (ctx *CmdCtx) LoadProviders() (warns, errs []error) {
ctx.providers.NTP = ntp.NewProvider(&ctx.config.NTP)
ctx.providers.PasswordPolicy = middlewares.NewPasswordPolicyProvider(ctx.config.PasswordPolicy)
ctx.providers.Regulator = regulation.NewRegulator(ctx.config.Regulation, ctx.providers.StorageProvider, utils.RealClock{})
ctx.providers.SessionProvider = session.NewProvider(ctx.config.Session, ctx.providers.Trust)
ctx.providers.SessionProvider = session.NewProvider(ctx.config.Session, ctx.providers.CertificateTrust)
ctx.providers.TOTP = totp.NewTimeBasedProvider(ctx.config.TOTP)
switch {
case ctx.config.AuthenticationBackend.File != nil:
ctx.providers.UserProvider = authentication.NewFileUserProvider(ctx.config.AuthenticationBackend.File)
case ctx.config.AuthenticationBackend.LDAP != nil:
ctx.providers.UserProvider = authentication.NewLDAPUserProvider(ctx.config.AuthenticationBackend, ctx.providers.Trust)
ctx.providers.UserProvider = authentication.NewLDAPUserProvider(ctx.config.AuthenticationBackend, ctx.providers.CertificateTrust)
}
if ctx.providers.Templates, err = templates.New(templates.Config{EmailTemplatesPath: ctx.config.Notifier.TemplatePath}); err != nil {
@ -155,7 +167,7 @@ func (ctx *CmdCtx) LoadProviders() (warns, errs []error) {
switch {
case ctx.config.Notifier.SMTP != nil:
ctx.providers.Notifier = notification.NewSMTPNotifier(ctx.config.Notifier.SMTP, ctx.providers.Trust)
ctx.providers.Notifier = notification.NewSMTPNotifier(ctx.config.Notifier.SMTP, ctx.providers.CertificateTrust)
case ctx.config.Notifier.FileSystem != nil:
ctx.providers.Notifier = notification.NewFileNotifier(*ctx.config.Notifier.FileSystem)
}

6
internal/commands/helpers.go
View File

@ -15,11 +15,11 @@ import (
func getStorageProvider(ctx *CmdCtx) (provider storage.Provider) {
switch {
case ctx.config.Storage.PostgreSQL != nil:
tconfig := ctx.providers.Trust.GetTLSConfiguration(ctx.config.Storage.PostgreSQL.TLS)
tconfig := ctx.providers.CertificateTrust.GetTLSConfig(ctx.config.Storage.PostgreSQL.TLS)
return storage.NewPostgreSQLProvider(ctx.config, tconfig, ctx.providers.Trust.GetTrustedCertificates())
return storage.NewPostgreSQLProvider(ctx.config, tconfig, ctx.providers.CertificateTrust.GetCertPool())
case ctx.config.Storage.MySQL != nil:
return storage.NewMySQLProvider(ctx.config, ctx.providers.Trust.GetTLSConfiguration(ctx.config.Storage.MySQL.TLS))
return storage.NewMySQLProvider(ctx.config, ctx.providers.CertificateTrust.GetTLSConfig(ctx.config.Storage.MySQL.TLS))
case ctx.config.Storage.Local != nil:
return storage.NewSQLiteProvider(ctx.config)
default:

7
internal/configuration/deprecation.go
View File

@ -155,4 +155,11 @@ var deprecations = map[string]Deprecation{
AutoMap: true,
MapFunc: nil,
},
"certificates_directory": {
Version: model.SemanticVersion{Major: 4, Minor: 38},
Key: "certificates_directory",
NewKey: "trust.certificates.paths",
AutoMap: true,
MapFunc: nil,
},
}

10
internal/configuration/schema/configuration.go
View File

@ -2,11 +2,10 @@ package schema
// Configuration object extracted from YAML configuration file.
type Configuration struct {
Theme string `koanf:"theme"`
CertificatesDirectory []string `koanf:"certificates_directory"`
JWTSecret string `koanf:"jwt_secret"`
DefaultRedirectionURL string `koanf:"default_redirection_url"`
Default2FAMethod string `koanf:"default_2fa_method"`
Theme string `koanf:"theme"`
JWTSecret string `koanf:"jwt_secret"`
DefaultRedirectionURL string `koanf:"default_redirection_url"`
Default2FAMethod string `koanf:"default_2fa_method"`
Log LogConfiguration `koanf:"log"`
IdentityProviders IdentityProvidersConfiguration `koanf:"identity_providers"`
@ -24,4 +23,5 @@ type Configuration struct {
Webauthn WebauthnConfiguration `koanf:"webauthn"`
PasswordPolicy PasswordPolicyConfiguration `koanf:"password_policy"`
PrivacyPolicy PrivacyPolicy `koanf:"privacy_policy"`
Trust Trust `koanf:"trust"`
}

7
internal/configuration/schema/keys.go
View File

@ -9,7 +9,6 @@ package schema
// Keys is a list of valid schema keys detected by reflecting over a schema.Configuration struct.
var Keys = []string{
"theme",
"certificates_directory",
"jwt_secret",
"default_redirection_url",
"default_2fa_method",
@ -275,4 +274,10 @@ var Keys = []string{
"privacy_policy.enabled",
"privacy_policy.require_user_acceptance",
"privacy_policy.policy_url",
"trust.certificates.paths",
"trust.certificates.certificates",
"trust.certificates.disable_system_certificates",
"trust.certificates.disable_validation_errors",
"trust.certificates.disable_validate_not_before",
"trust.certificates.disable_validate_not_after",
}

14
internal/configuration/schema/trust.go 100644
View File

@ -0,0 +1,14 @@
package schema
type Trust struct {
Certificates CertificateTrust `koanf:"certificates"`
}
type CertificateTrust struct {
Paths []string `koanf:"paths"`
Certificates []X509CertificateChain `koanf:"certificates"`
DisableSystemCertificates bool `koanf:"disable_system_certificates"`
DisableValidationErrors bool `koanf:"disable_validation_errors"`
DisableValidateNotBefore bool `koanf:"disable_validate_not_before"`
DisableValidateNotAfter bool `koanf:"disable_validate_not_after"`
}

4
internal/configuration/schema/types.go
View File

@ -157,6 +157,10 @@ func NewX509CertificateChain(in string) (chain *X509CertificateChain, err error)
cert *x509.Certificate
)
if chain.certs, err = x509.ParseCertificates(data); err == nil && len(chain.certs) != 0 {
return chain, nil
}
for {
block, data = pem.Decode(data)

13
internal/configuration/validator/configuration.go
View File

@ -2,7 +2,6 @@ package validator
import (
"fmt"
"os"
"strings"
"github.com/authelia/authelia/v4/internal/configuration/schema"
@ -13,18 +12,6 @@ import (
func ValidateConfiguration(config *schema.Configuration, validator *schema.StructValidator) {
var err error
if len(config.CertificatesDirectory) != 0 {
var info os.FileInfo
for _, dir := range config.CertificatesDirectory {
if info, err = os.Stat(dir); err != nil {
validator.Push(fmt.Errorf("the location '%s' in 'certificates_directory' could not be inspected: %w", dir, err))
} else if !info.IsDir() {
validator.Push(fmt.Errorf("the location '%s' referred to in 'certificates_directory' is not a directory", dir))
}
}
}
if config.JWTSecret == "" {
validator.Push(fmt.Errorf("option 'jwt_secret' is required"))
}

3
internal/configuration/validator/configuration_test.go
View File

@ -2,7 +2,6 @@ package validator
import (
"fmt"
"runtime"
"testing"
"github.com/stretchr/testify/assert"
@ -111,6 +110,7 @@ func TestShouldRaiseErrorWithBadDefaultRedirectionURL(t *testing.T) {
assert.EqualError(t, validator.Warnings()[0], "access control: no rules have been specified so the 'default_policy' of 'two_factor' is going to be applied to all requests")
}
/*
func TestShouldNotOverrideCertificatesDirectoryAndShouldPassWhenBlank(t *testing.T) {
validator := schema.NewStructValidator()
config := newDefaultConfig()
@ -169,6 +169,7 @@ func TestShouldNotRaiseErrorOnValidCertificatesDirectory(t *testing.T) {
assert.EqualError(t, validator.Warnings()[0], "access control: no rules have been specified so the 'default_policy' of 'two_factor' is going to be applied to all requests")
}
*/
func TestValidateDefault2FAMethod(t *testing.T) {
testCases := []struct {

10
internal/handlers/handler_authz_impl_legacy_test.go
View File

@ -462,11 +462,11 @@ func (s *LegacyAuthzSuite) TestShouldHandleLegacyBasicAuth() { // TestShouldVeri
mock.Ctx.Request.Header.Set("X-Original-URL", "https://one-factor.example.com")
gomock.InOrder(
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil),
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -505,7 +505,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleLegacyBasicAuthFailures() {
func(mock *mocks.MockAutheliaCtx) {
mock.Ctx.Request.Header.Set("Authorization", "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(false, fmt.Errorf("generic error"))
},
@ -517,11 +517,11 @@ func (s *LegacyAuthzSuite) TestShouldHandleLegacyBasicAuthFailures() {
mock.Ctx.Request.Header.Set("X-Original-URL", "https://admin.example.com/")
gomock.InOrder(
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil),
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},

48
internal/handlers/handler_authz_test.go
View File

@ -136,11 +136,11 @@ func (s *AuthzSuite) TestShouldApplyDefaultPolicy() {
mock.Ctx.Request.Header.Set(fasthttp.HeaderProxyAuthorization, "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil)
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -221,11 +221,11 @@ func (s *AuthzSuite) TestShouldApplyPolicyOfBypassDomain() {
mock.Ctx.Request.Header.Set(fasthttp.HeaderProxyAuthorization, "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil)
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -263,11 +263,11 @@ func (s *AuthzSuite) TestShouldVerifyFailureToGetDetailsUsingBasicScheme() {
mock.Ctx.Request.Header.Set(fasthttp.HeaderProxyAuthorization, "Basic am9objpwYXNzd29yZA==")
gomock.InOrder(
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil),
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(nil, fmt.Errorf("generic failure")),
)
@ -352,11 +352,11 @@ func (s *AuthzSuite) TestShouldApplyPolicyOfOneFactorDomain() {
mock.Ctx.Request.Header.Set(fasthttp.HeaderProxyAuthorization, "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil)
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -404,11 +404,11 @@ func (s *AuthzSuite) TestShouldHandleAnyCaseSchemeParameter() {
mock.Ctx.Request.Header.Set(fasthttp.HeaderProxyAuthorization, fmt.Sprintf("%s am9objpwYXNzd29yZA==", tc.scheme))
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil)
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -447,11 +447,11 @@ func (s *AuthzSuite) TestShouldApplyPolicyOfTwoFactorDomain() {
mock.Ctx.Request.Header.Set(fasthttp.HeaderProxyAuthorization, "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil)
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -495,11 +495,11 @@ func (s *AuthzSuite) TestShouldApplyPolicyOfDenyDomain() {
mock.Ctx.Request.Header.Set(fasthttp.HeaderProxyAuthorization, "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil)
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -546,11 +546,11 @@ func (s *AuthzSuite) TestShouldApplyPolicyOfOneFactorDomainWithAuthorizationHead
mock.Ctx.Request.Header.Set(fasthttp.HeaderAuthorization, "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(true, nil)
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
GetDetails(gomock.Eq("john")).
Return(&authentication.UserDetails{
Emails: []string{"john@example.com"},
@ -672,7 +672,7 @@ func (s *AuthzSuite) TestShouldHandleAuthzWithAuthorizationHeaderInvalidPassword
mock.Ctx.Request.Header.Set(fasthttp.HeaderAuthorization, "Basic am9objpwYXNzd29yZA==")
mock.UserProviderMock.EXPECT().
mock.MockUserProvider.EXPECT().
CheckUserPassword(gomock.Eq("john"), gomock.Eq("password")).
Return(false, nil)
@ -993,7 +993,7 @@ func (s *AuthzSuite) TestShouldNotRefreshUserDetailsFromBackendWhenRefreshDisabl
s.Require().NoError(mock.Ctx.SaveSession(userSession))
mock.UserProviderMock.EXPECT().GetDetails("john").Times(0)
mock.MockUserProvider.EXPECT().GetDetails("john").Times(0)
authz.Handler(mock.Ctx)
@ -1092,8 +1092,8 @@ func (s *AuthzSuite) TestShouldDestroySessionWhenUserDoesNotExist() {
s.Require().NoError(mock.Ctx.SaveSession(userSession))
gomock.InOrder(
mock.UserProviderMock.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.UserProviderMock.EXPECT().GetDetails("john").Return(nil, authentication.ErrUserNotFound).Times(1),
mock.MockUserProvider.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.MockUserProvider.EXPECT().GetDetails("john").Return(nil, authentication.ErrUserNotFound).Times(1),
)
authz.Handler(mock.Ctx)
@ -1184,8 +1184,8 @@ func (s *AuthzSuite) TestShouldUpdateRemovedUserGroupsFromBackendAndDeny() {
s.Require().NoError(mock.Ctx.SaveSession(userSession))
gomock.InOrder(
mock.UserProviderMock.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.UserProviderMock.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.MockUserProvider.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.MockUserProvider.EXPECT().GetDetails("john").Return(user, nil).Times(1),
)
authz.Handler(mock.Ctx)
@ -1273,8 +1273,8 @@ func (s *AuthzSuite) TestShouldUpdateAddedUserGroupsFromBackendAndDeny() {
s.Require().NoError(mock.Ctx.SaveSession(userSession))
gomock.InOrder(
mock.UserProviderMock.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.UserProviderMock.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.MockUserProvider.EXPECT().GetDetails("john").Return(user, nil).Times(1),
mock.MockUserProvider.EXPECT().GetDetails("john").Return(user, nil).Times(1),
)
authz.Handler(mock.Ctx)

46
internal/handlers/handler_firstfactor_test.go
View File

@ -50,12 +50,12 @@ func (s *FirstFactorSuite) TestShouldFailIfBodyIsInBadFormat() {
}
func (s *FirstFactorSuite) TestShouldFailIfUserProviderCheckPasswordFail() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(false, fmt.Errorf("failed"))
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "test",
@ -78,12 +78,12 @@ func (s *FirstFactorSuite) TestShouldFailIfUserProviderCheckPasswordFail() {
}
func (s *FirstFactorSuite) TestShouldCheckAuthenticationIsNotMarkedWhenProviderCheckPasswordError() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(false, fmt.Errorf("invalid credentials"))
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "test",
@ -104,12 +104,12 @@ func (s *FirstFactorSuite) TestShouldCheckAuthenticationIsNotMarkedWhenProviderC
}
func (s *FirstFactorSuite) TestShouldCheckAuthenticationIsMarkedWhenInvalidCredentials() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(false, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "test",
@ -130,17 +130,17 @@ func (s *FirstFactorSuite) TestShouldCheckAuthenticationIsMarkedWhenInvalidCrede
}
func (s *FirstFactorSuite) TestShouldFailIfUserProviderGetDetailsFail() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Any()).
Return(nil)
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
GetDetails(gomock.Eq("test")).
Return(nil, fmt.Errorf("failed"))
@ -157,12 +157,12 @@ func (s *FirstFactorSuite) TestShouldFailIfUserProviderGetDetailsFail() {
}
func (s *FirstFactorSuite) TestShouldFailIfAuthenticationMarkFail() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Any()).
Return(fmt.Errorf("failed"))
@ -179,12 +179,12 @@ func (s *FirstFactorSuite) TestShouldFailIfAuthenticationMarkFail() {
}
func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeChecked() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
@ -193,7 +193,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeChecked() {
Groups: []string{"dev", "admins"},
}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Any()).
Return(nil)
@ -220,12 +220,12 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeChecked() {
}
func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
@ -234,7 +234,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
Groups: []string{"dev", "admins"},
}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Any()).
Return(nil)
@ -262,12 +262,12 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
}
func (s *FirstFactorSuite) TestShouldSaveUsernameFromAuthenticationBackendInSession() {
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
@ -279,7 +279,7 @@ func (s *FirstFactorSuite) TestShouldSaveUsernameFromAuthenticationBackendInSess
Groups: []string{"dev", "admins"},
}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Any()).
Return(nil)
@ -324,12 +324,12 @@ func (s *FirstFactorRedirectionSuite) SetupTest() {
}
s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&s.mock.Ctx.Configuration)
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.UserProviderMock.
s.mock.MockUserProvider.
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
@ -338,7 +338,7 @@ func (s *FirstFactorRedirectionSuite) SetupTest() {
Groups: []string{"dev", "admins"},
}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Any()).
Return(nil)

2
internal/handlers/handler_register_duo_device_test.go
View File

@ -130,7 +130,7 @@ func (s *RegisterDuoDeviceSuite) TestShouldRespondWithDeny() {
func (s *RegisterDuoDeviceSuite) TestShouldRespondOK() {
s.mock.Ctx.Request.SetBodyString("{\"device\":\"1234567890123456\", \"method\":\"push\"}")
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
SavePreferredDuoDevice(gomock.Eq(s.mock.Ctx), gomock.Eq(model.DuoDevice{Username: "john", Device: "1234567890123456", Method: "push"})).
Return(nil)

60
internal/handlers/handler_sign_duo_test.go
View File

@ -43,7 +43,7 @@ func (s *SecondFactorDuoPostSuite) TearDownTest() {
func (s *SecondFactorDuoPostSuite) TestShouldEnroll() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(nil, errors.New("no Duo device and method saved"))
@ -73,7 +73,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldEnroll() {
func (s *SecondFactorDuoPostSuite) TestShouldAutoSelect() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().LoadPreferredDuoDevice(s.mock.Ctx, "john").Return(nil, errors.New("no Duo device and method saved"))
s.mock.MockStorage.EXPECT().LoadPreferredDuoDevice(s.mock.Ctx, "john").Return(nil, errors.New("no Duo device and method saved"))
var duoDevices = []duo.Device{
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
@ -89,11 +89,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldAutoSelect() {
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, &session.UserSession{CookieDomain: "example.com", Username: "john"}, gomock.Eq(values)).Return(&preAuthResponse, nil)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
SavePreferredDuoDevice(s.mock.Ctx, model.DuoDevice{Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}).
Return(nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -128,7 +128,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldAutoSelect() {
func (s *SecondFactorDuoPostSuite) TestShouldDenyAutoSelect() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(nil, errors.New("no Duo device and method saved"))
@ -160,7 +160,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldDenyAutoSelect() {
func (s *SecondFactorDuoPostSuite) TestShouldFailAutoSelect() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(nil, errors.New("no Duo device and method saved"))
@ -178,7 +178,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldFailAutoSelect() {
func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndEnroll() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "NOTEXISTENT", Method: "push"}, nil)
@ -193,7 +193,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndEnroll() {
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, &session.UserSession{CookieDomain: "example.com", Username: "john"}, gomock.Eq(values)).Return(&preAuthResponse, nil)
s.mock.StorageMock.EXPECT().DeletePreferredDuoDevice(s.mock.Ctx, "john").Return(nil)
s.mock.MockStorage.EXPECT().DeletePreferredDuoDevice(s.mock.Ctx, "john").Return(nil)
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
s.Require().NoError(err)
@ -210,7 +210,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndEnroll() {
func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndCallPreauthAPIWithInvalidDevicesAndEnroll() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "NOTEXISTENT", Method: "push"}, nil)
@ -227,7 +227,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndCallPreauthAPIWit
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, &session.UserSession{CookieDomain: "example.com", Username: "john"}, gomock.Eq(values)).Return(&preAuthResponse, nil)
s.mock.StorageMock.EXPECT().DeletePreferredDuoDevice(s.mock.Ctx, "john").Return(nil)
s.mock.MockStorage.EXPECT().DeletePreferredDuoDevice(s.mock.Ctx, "john").Return(nil)
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
s.Require().NoError(err)
@ -243,7 +243,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndCallPreauthAPIWit
func (s *SecondFactorDuoPostSuite) TestShouldUseOldDeviceAndSelect() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "NOTEXISTENT", Method: "push"}, nil)
@ -278,11 +278,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldUseOldDeviceAndSelect() {
func (s *SecondFactorDuoPostSuite) TestShouldUseInvalidMethodAndAutoSelect() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "invalidmethod"}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -307,7 +307,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldUseInvalidMethodAndAutoSelect() {
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, &session.UserSession{CookieDomain: "example.com", Username: "john"}, gomock.Eq(values)).Return(&preAuthResponse, nil)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
SavePreferredDuoDevice(s.mock.Ctx, model.DuoDevice{Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}).
Return(nil)
@ -334,7 +334,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldUseInvalidMethodAndAutoSelect() {
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndAllowAccess() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
@ -358,7 +358,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndAllowAccess() {
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndDenyAccess() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
@ -388,7 +388,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndDenyAccess() {
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndFail() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
@ -406,11 +406,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndFail() {
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndDenyAccess() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -458,7 +458,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndDenyAccess() {
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndFail() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
@ -489,11 +489,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndFail() {
func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToDefaultURL() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -538,11 +538,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToDefaultURL() {
func (s *SecondFactorDuoPostSuite) TestShouldNotReturnRedirectURL() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -595,11 +595,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToSafeTargetURL() {
},
},
}
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -644,11 +644,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToSafeTargetURL() {
func (s *SecondFactorDuoPostSuite) TestShouldNotRedirectToUnsafeURL() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -691,11 +691,11 @@ func (s *SecondFactorDuoPostSuite) TestShouldNotRedirectToUnsafeURL() {
func (s *SecondFactorDuoPostSuite) TestShouldRegenerateSessionForPreventingSessionFixation() {
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadPreferredDuoDevice(s.mock.Ctx, "john").
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",

48
internal/handlers/handler_sign_totp_test.go
View File

@ -37,11 +37,11 @@ func (s *HandlerSignTOTPSuite) TearDownTest() {
func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToDefaultURL() {
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
Return(&config, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -52,9 +52,9 @@ func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToDefaultURL() {
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
}))
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.MockTOTP.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
@ -75,11 +75,11 @@ func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToDefaultURL() {
func (s *HandlerSignTOTPSuite) TestShouldFailWhenTOTPSignInInfoFailsToUpdate() {
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
Return(&config, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -90,9 +90,9 @@ func (s *HandlerSignTOTPSuite) TestShouldFailWhenTOTPSignInInfoFailsToUpdate() {
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
}))
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.MockTOTP.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any()).Return(errors.New("failed to perform update"))
@ -111,11 +111,11 @@ func (s *HandlerSignTOTPSuite) TestShouldFailWhenTOTPSignInInfoFailsToUpdate() {
func (s *HandlerSignTOTPSuite) TestShouldNotReturnRedirectURL() {
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
Return(&config, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -126,9 +126,9 @@ func (s *HandlerSignTOTPSuite) TestShouldNotReturnRedirectURL() {
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
}))
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.MockTOTP.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
@ -157,11 +157,11 @@ func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToSafeTargetURL() {
},
}
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
Return(&config, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -172,9 +172,9 @@ func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToSafeTargetURL() {
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
}))
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.MockTOTP.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
@ -193,11 +193,11 @@ func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToSafeTargetURL() {
}
func (s *HandlerSignTOTPSuite) TestShouldNotRedirectToUnsafeURL() {
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadTOTPConfiguration(s.mock.Ctx, "john").
Return(&model.TOTPConfiguration{Secret: []byte("secret")}, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -208,11 +208,11 @@ func (s *HandlerSignTOTPSuite) TestShouldNotRedirectToUnsafeURL() {
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
}))
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
s.mock.TOTPMock.EXPECT().
s.mock.MockTOTP.EXPECT().
Validate(gomock.Eq("abc"), gomock.Eq(&model.TOTPConfiguration{Secret: []byte("secret")})).
Return(true, nil)
@ -231,11 +231,11 @@ func (s *HandlerSignTOTPSuite) TestShouldNotRedirectToUnsafeURL() {
func (s *HandlerSignTOTPSuite) TestShouldRegenerateSessionForPreventingSessionFixation() {
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
Return(&config, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
Username: "john",
@ -246,11 +246,11 @@ func (s *HandlerSignTOTPSuite) TestShouldRegenerateSessionForPreventingSessionFi
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
}))
s.mock.TOTPMock.EXPECT().
s.mock.MockTOTP.EXPECT().
Validate(gomock.Eq("abc"), gomock.Eq(&config)).
Return(true, nil)
s.mock.StorageMock.
s.mock.MockStorage.
EXPECT().
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())

22
internal/handlers/handler_user_info_test.go
View File

@ -107,7 +107,7 @@ func TestUserInfoEndpoint_SetCorrectMethod(t *testing.T) {
userSession.AuthenticationLevel = 1
assert.NoError(t, mock.Ctx.SaveSession(userSession))
mock.StorageMock.
mock.MockStorage.
EXPECT().
LoadUserInfo(mock.Ctx, gomock.Eq("john")).
Return(resp.db, resp.err)
@ -274,33 +274,33 @@ func TestUserInfoEndpoint_SetDefaultMethod(t *testing.T) {
if resp.db.Method == "" {
gomock.InOrder(
mock.StorageMock.
mock.MockStorage.
EXPECT().
LoadPreferred2FAMethod(mock.Ctx, gomock.Eq("john")).
Return("", sql.ErrNoRows),
mock.StorageMock.
mock.MockStorage.
EXPECT().
SavePreferred2FAMethod(mock.Ctx, gomock.Eq("john"), gomock.Eq("")).
Return(resp.saveErr),
mock.StorageMock.
mock.MockStorage.
EXPECT().
LoadUserInfo(mock.Ctx, gomock.Eq("john")).
Return(resp.db, nil),
mock.StorageMock.EXPECT().
mock.MockStorage.EXPECT().
SavePreferred2FAMethod(mock.Ctx, gomock.Eq("john"), gomock.Eq(resp.api.Method)).
Return(resp.saveErr),
)
} else {
gomock.InOrder(
mock.StorageMock.
mock.MockStorage.
EXPECT().
LoadPreferred2FAMethod(mock.Ctx, gomock.Eq("john")).
Return(resp.db.Method, nil),
mock.StorageMock.
mock.MockStorage.
EXPECT().
LoadUserInfo(mock.Ctx, gomock.Eq("john")).
Return(resp.db, nil),
mock.StorageMock.EXPECT().
mock.MockStorage.EXPECT().
SavePreferred2FAMethod(mock.Ctx, gomock.Eq("john"), gomock.Eq(resp.api.Method)).
Return(resp.saveErr),
)
@ -349,7 +349,7 @@ func TestUserInfoEndpoint_SetDefaultMethod(t *testing.T) {
}
func (s *FetchSuite) TestShouldReturnError500WhenStorageFailsToLoad() {
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
LoadUserInfo(s.mock.Ctx, gomock.Eq("john")).
Return(model.UserInfo{}, fmt.Errorf("failure"))
@ -421,7 +421,7 @@ func (s *SaveSuite) TestShouldReturnError500WhenBadMethodProvided() {
func (s *SaveSuite) TestShouldReturnError500WhenDatabaseFailsToSave() {
s.mock.Ctx.Request.SetBody([]byte("{\"method\":\"webauthn\"}"))
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
SavePreferred2FAMethod(s.mock.Ctx, gomock.Eq("john"), gomock.Eq("webauthn")).
Return(fmt.Errorf("Failure"))
@ -434,7 +434,7 @@ func (s *SaveSuite) TestShouldReturnError500WhenDatabaseFailsToSave() {
func (s *SaveSuite) TestShouldReturn200WhenMethodIsSuccessfullySaved() {
s.mock.Ctx.Request.SetBody([]byte("{\"method\":\"webauthn\"}"))
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
SavePreferred2FAMethod(s.mock.Ctx, gomock.Eq("john"), gomock.Eq("webauthn")).
Return(nil)

6
internal/handlers/webauthn_test.go
View File

@ -21,7 +21,7 @@ func TestWebauthnGetUser(t *testing.T) {
DisplayName: "John Smith",
}
ctx.StorageMock.EXPECT().LoadWebauthnDevicesByUsername(ctx.Ctx, "john").Return([]model.WebauthnDevice{
ctx.MockStorage.EXPECT().LoadWebauthnDevicesByUsername(ctx.Ctx, "john").Return([]model.WebauthnDevice{
{
ID: 1,
RPID: "https://example.com",
@ -106,7 +106,7 @@ func TestWebauthnGetUserWithoutDisplayName(t *testing.T) {
Username: "john",
}
ctx.StorageMock.EXPECT().LoadWebauthnDevicesByUsername(ctx.Ctx, "john").Return([]model.WebauthnDevice{
ctx.MockStorage.EXPECT().LoadWebauthnDevicesByUsername(ctx.Ctx, "john").Return([]model.WebauthnDevice{
{
ID: 1,
RPID: "https://example.com",
@ -136,7 +136,7 @@ func TestWebauthnGetUserWithErr(t *testing.T) {
Username: "john",
}
ctx.StorageMock.EXPECT().LoadWebauthnDevicesByUsername(ctx.Ctx, "john").Return(nil, errors.New("not found"))
ctx.MockStorage.EXPECT().LoadWebauthnDevicesByUsername(ctx.Ctx, "john").Return(nil, errors.New("not found"))
user, err := getWebAuthnUser(ctx.Ctx, userSession)

2
internal/middlewares/authelia_context_test.go
View File

@ -126,7 +126,7 @@ func TestShouldCallNextWithAutheliaCtx(t *testing.T) {
ctx := &fasthttp.RequestCtx{}
configuration := schema.Configuration{}
userProvider := mocks.NewMockUserProvider(ctrl)
sessionProvider := session.NewProvider(configuration.Session, trust.NewProvider())
sessionProvider := session.NewProvider(configuration.Session, trust.NewProduction())
providers := middlewares.Providers{
UserProvider: userProvider,
SessionProvider: sessionProvider,

24
internal/middlewares/identity_verification_test.go
View File

@ -58,7 +58,7 @@ func TestShouldFailIfJWTCannotBeSaved(t *testing.T) {
mock.Ctx.Configuration.JWTSecret = testJWTSecret
mock.StorageMock.EXPECT().
mock.MockStorage.EXPECT().
SaveIdentityVerification(mock.Ctx, gomock.Any()).
Return(fmt.Errorf("cannot save"))
@ -77,11 +77,11 @@ func TestShouldFailSendingAnEmail(t *testing.T) {
mock.Ctx.Request.Header.Add(fasthttp.HeaderXForwardedProto, "http")
mock.Ctx.Request.Header.Add(fasthttp.HeaderXForwardedHost, "host")
mock.StorageMock.EXPECT().
mock.MockStorage.EXPECT().
SaveIdentityVerification(mock.Ctx, gomock.Any()).
Return(nil)
mock.NotifierMock.EXPECT().
mock.MockNotifier.EXPECT().
Send(gomock.Eq(mock.Ctx), gomock.Eq(mail.Address{Address: "john@example.com"}), gomock.Eq("Title"), gomock.Any(), gomock.Any()).
Return(fmt.Errorf("no notif"))
@ -99,11 +99,11 @@ func TestShouldSucceedIdentityVerificationStartProcess(t *testing.T) {
mock.Ctx.Request.Header.Add(fasthttp.HeaderXForwardedProto, "http")
mock.Ctx.Request.Header.Add(fasthttp.HeaderXForwardedHost, "host")
mock.StorageMock.EXPECT().
mock.MockStorage.EXPECT().
SaveIdentityVerification(mock.Ctx, gomock.Any()).
Return(nil)
mock.NotifierMock.EXPECT().
mock.MockNotifier.EXPECT().
Send(gomock.Eq(mock.Ctx), gomock.Eq(mail.Address{Address: "john@example.com"}), gomock.Eq("Title"), gomock.Any(), gomock.Any()).
Return(nil)
@ -175,7 +175,7 @@ func (s *IdentityVerificationFinishProcess) TestShouldFailIfTokenIsNotFoundInDB(
s.mock.Ctx.Request.SetBodyString(fmt.Sprintf("{\"token\":\"%s\"}", token))
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
FindIdentityVerification(s.mock.Ctx, gomock.Eq(verification.JTI.String())).
Return(false, nil)
@ -211,7 +211,7 @@ func (s *IdentityVerificationFinishProcess) TestShouldFailForWrongAction() {
time.Now().Add(1*time.Minute))
s.mock.Ctx.Request.SetBodyString(fmt.Sprintf("{\"token\":\"%s\"}", token))
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
FindIdentityVerification(s.mock.Ctx, gomock.Eq(verification.JTI.String())).
Return(true, nil)
@ -226,7 +226,7 @@ func (s *IdentityVerificationFinishProcess) TestShouldFailForWrongUser() {
time.Now().Add(1*time.Minute))
s.mock.Ctx.Request.SetBodyString(fmt.Sprintf("{\"token\":\"%s\"}", token))
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
FindIdentityVerification(s.mock.Ctx, gomock.Eq(verification.JTI.String())).
Return(true, nil)
@ -243,11 +243,11 @@ func (s *IdentityVerificationFinishProcess) TestShouldFailIfTokenCannotBeRemoved
time.Now().Add(1*time.Minute))
s.mock.Ctx.Request.SetBodyString(fmt.Sprintf("{\"token\":\"%s\"}", token))
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
FindIdentityVerification(s.mock.Ctx, gomock.Eq(verification.JTI.String())).
Return(true, nil)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
ConsumeIdentityVerification(s.mock.Ctx, gomock.Eq(verification.JTI.String()), gomock.Eq(model.NewNullIP(s.mock.Ctx.RemoteIP()))).
Return(fmt.Errorf("cannot remove"))
@ -262,11 +262,11 @@ func (s *IdentityVerificationFinishProcess) TestShouldReturn200OnFinishComplete(
time.Now().Add(1*time.Minute))
s.mock.Ctx.Request.SetBodyString(fmt.Sprintf("{\"token\":\"%s\"}", token))
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
FindIdentityVerification(s.mock.Ctx, gomock.Eq(verification.JTI.String())).
Return(true, nil)
s.mock.StorageMock.EXPECT().
s.mock.MockStorage.EXPECT().
ConsumeIdentityVerification(s.mock.Ctx, gomock.Eq(verification.JTI.String()), gomock.Eq(model.NewNullIP(s.mock.Ctx.RemoteIP()))).
Return(nil)

28
internal/middlewares/types.go
View File

@ -36,20 +36,20 @@ type AutheliaCtx struct {
// Providers contain all provider provided to Authelia.
type Providers struct {
Authorizer *authorization.Authorizer
SessionProvider *session.Provider
Regulator *regulation.Regulator
OpenIDConnect *oidc.OpenIDConnectProvider
Metrics metrics.Provider
NTP *ntp.Provider
UserProvider authentication.UserProvider
StorageProvider storage.Provider
Notifier notification.Notifier
Templates *templates.Provider
TOTP totp.Provider
Trust trust.Provider
PasswordPolicy PasswordPolicyProvider
Random random.Provider
Authorizer *authorization.Authorizer
SessionProvider *session.Provider
Regulator *regulation.Regulator
OpenIDConnect *oidc.OpenIDConnectProvider
Metrics metrics.Provider
NTP *ntp.Provider
UserProvider authentication.UserProvider
StorageProvider storage.Provider
Notifier notification.Notifier
Templates *templates.Provider
TOTP totp.Provider
CertificateTrust trust.CertificateProvider
PasswordPolicy PasswordPolicyProvider
Random random.Provider
}
// RequestHandler represents an Authelia request handler.

34
internal/mocks/authelia_ctx.go
View File

@ -31,12 +31,12 @@ type MockAutheliaCtx struct {
Ctrl *gomock.Controller
// Providers.
UserProviderMock *MockUserProvider
StorageMock *MockStorage
NotifierMock *MockNotifier
TOTPMock *MockTOTP
RandomMock *MockRandom
TrustMock *MockTrust
MockUserProvider *MockUserProvider
MockStorage *MockStorage
MockNotifier *MockNotifier
MockTOTP *MockTOTP
MockRandom *MockRandom
MockCertifiateTrust *MockCertificateTrust
UserSession *session.UserSession
@ -185,14 +185,14 @@ func NewMockAutheliaCtx(t *testing.T) *MockAutheliaCtx {
providers := middlewares.Providers{}
mockAuthelia.Ctrl = gomock.NewController(t)
mockAuthelia.UserProviderMock = NewMockUserProvider(mockAuthelia.Ctrl)
providers.UserProvider = mockAuthelia.UserProviderMock
mockAuthelia.MockUserProvider = NewMockUserProvider(mockAuthelia.Ctrl)
providers.UserProvider = mockAuthelia.MockUserProvider
mockAuthelia.StorageMock = NewMockStorage(mockAuthelia.Ctrl)
providers.StorageProvider = mockAuthelia.StorageMock
mockAuthelia.MockStorage = NewMockStorage(mockAuthelia.Ctrl)
providers.StorageProvider = mockAuthelia.MockStorage
mockAuthelia.NotifierMock = NewMockNotifier(mockAuthelia.Ctrl)
providers.Notifier = mockAuthelia.NotifierMock
mockAuthelia.MockNotifier = NewMockNotifier(mockAuthelia.Ctrl)
providers.Notifier = mockAuthelia.MockNotifier
providers.Authorizer = authorization.NewAuthorizer(
&config)
@ -202,14 +202,14 @@ func NewMockAutheliaCtx(t *testing.T) *MockAutheliaCtx {
providers.Regulator = regulation.NewRegulator(config.Regulation, providers.StorageProvider, &mockAuthelia.Clock)
mockAuthelia.TOTPMock = NewMockTOTP(mockAuthelia.Ctrl)
providers.TOTP = mockAuthelia.TOTPMock
mockAuthelia.MockTOTP = NewMockTOTP(mockAuthelia.Ctrl)
providers.TOTP = mockAuthelia.MockTOTP
mockAuthelia.RandomMock = NewMockRandom(mockAuthelia.Ctrl)
mockAuthelia.MockRandom = NewMockRandom(mockAuthelia.Ctrl)
providers.Random = random.NewMathematical()
mockAuthelia.TrustMock = NewMockTrust(mockAuthelia.Ctrl)
providers.Trust = mockAuthelia.TrustMock
mockAuthelia.MockCertifiateTrust = NewMockCertificateTrust(mockAuthelia.Ctrl)
providers.CertificateTrust = mockAuthelia.MockCertifiateTrust
var err error

2
internal/mocks/gen.go
View File

@ -9,4 +9,4 @@ package mocks
//go:generate mockgen -package mocks -destination storage.go -mock_names Provider=MockStorage github.com/authelia/authelia/v4/internal/storage Provider
//go:generate mockgen -package mocks -destination duo_api.go -mock_names API=MockAPI github.com/authelia/authelia/v4/internal/duo API
//go:generate mockgen -package mocks -destination random.go -mock_names Provider=MockRandom github.com/authelia/authelia/v4/internal/random Provider
//go:generate mockgen -package mocks -destination trust.go -mock_names Provider=MockTrust github.com/authelia/authelia/v4/internal/trust Provider
//go:generate mockgen -package mocks -destination trust_certificate.go -mock_names CertificateProvider=MockCertificateTrust github.com/authelia/authelia/v4/internal/trust CertificateProvider

107
internal/mocks/trust.go
View File

@ -1,107 +0,0 @@
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/authelia/authelia/v4/internal/trust (interfaces: Provider)
// Package mocks is a generated GoMock package.
package mocks
import (
tls "crypto/tls"
x509 "crypto/x509"
reflect "reflect"
schema "github.com/authelia/authelia/v4/internal/configuration/schema"
gomock "github.com/golang/mock/gomock"
)
// MockTrust is a mock of Provider interface.
type MockTrust struct {
ctrl *gomock.Controller
recorder *MockTrustMockRecorder
}
// MockTrustMockRecorder is the mock recorder for MockTrust.
type MockTrustMockRecorder struct {
mock *MockTrust
}
// NewMockTrust creates a new mock instance.
func NewMockTrust(ctrl *gomock.Controller) *MockTrust {
mock := &MockTrust{ctrl: ctrl}
mock.recorder = &MockTrustMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use.
func (m *MockTrust) EXPECT() *MockTrustMockRecorder {
return m.recorder
}
// AddTrustedCertificate mocks base method.
func (m *MockTrust) AddTrustedCertificate(arg0 *x509.Certificate) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AddTrustedCertificate", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// AddTrustedCertificate indicates an expected call of AddTrustedCertificate.
func (mr *MockTrustMockRecorder) AddTrustedCertificate(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustedCertificate", reflect.TypeOf((*MockTrust)(nil).AddTrustedCertificate), arg0)
}
// AddTrustedCertificateFromPath mocks base method.
func (m *MockTrust) AddTrustedCertificateFromPath(arg0 string) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AddTrustedCertificateFromPath", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// AddTrustedCertificateFromPath indicates an expected call of AddTrustedCertificateFromPath.
func (mr *MockTrustMockRecorder) AddTrustedCertificateFromPath(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustedCertificateFromPath", reflect.TypeOf((*MockTrust)(nil).AddTrustedCertificateFromPath), arg0)
}
// GetTLSConfiguration mocks base method.
func (m *MockTrust) GetTLSConfiguration(arg0 *schema.TLSConfig) *tls.Config {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetTLSConfiguration", arg0)
ret0, _ := ret[0].(*tls.Config)
return ret0
}
// GetTLSConfiguration indicates an expected call of GetTLSConfiguration.
func (mr *MockTrustMockRecorder) GetTLSConfiguration(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTLSConfiguration", reflect.TypeOf((*MockTrust)(nil).GetTLSConfiguration), arg0)
}
// GetTrustedCertificates mocks base method.
func (m *MockTrust) GetTrustedCertificates() *x509.CertPool {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetTrustedCertificates")
ret0, _ := ret[0].(*x509.CertPool)
return ret0
}
// GetTrustedCertificates indicates an expected call of GetTrustedCertificates.
func (mr *MockTrustMockRecorder) GetTrustedCertificates() *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTrustedCertificates", reflect.TypeOf((*MockTrust)(nil).GetTrustedCertificates))
}
// StartupCheck mocks base method.
func (m *MockTrust) StartupCheck() error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "StartupCheck")
ret0, _ := ret[0].(error)
return ret0
}
// StartupCheck indicates an expected call of StartupCheck.
func (mr *MockTrustMockRecorder) StartupCheck() *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartupCheck", reflect.TypeOf((*MockTrust)(nil).StartupCheck))
}

135
internal/mocks/trust_certificate.go 100644
View File

@ -0,0 +1,135 @@
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/authelia/authelia/v4/internal/trust (interfaces: CertificateProvider)
// Package mocks is a generated GoMock package.
package mocks
import (
tls "crypto/tls"
x509 "crypto/x509"
reflect "reflect"
schema "github.com/authelia/authelia/v4/internal/configuration/schema"
gomock "github.com/golang/mock/gomock"
)
// MockCertificateTrust is a mock of CertificateProvider interface.
type MockCertificateTrust struct {
ctrl *gomock.Controller
recorder *MockCertificateTrustMockRecorder
}
// MockCertificateTrustMockRecorder is the mock recorder for MockCertificateTrust.
type MockCertificateTrustMockRecorder struct {
mock *MockCertificateTrust
}
// NewMockCertificateTrust creates a new mock instance.
func NewMockCertificateTrust(ctrl *gomock.Controller) *MockCertificateTrust {
mock := &MockCertificateTrust{ctrl: ctrl}
mock.recorder = &MockCertificateTrustMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use.
func (m *MockCertificateTrust) EXPECT() *MockCertificateTrustMockRecorder {
return m.recorder
}
// AddTrustedCertificate mocks base method.
func (m *MockCertificateTrust) AddTrustedCertificate(arg0 *x509.Certificate) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AddTrustedCertificate", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// AddTrustedCertificate indicates an expected call of AddTrustedCertificate.
func (mr *MockCertificateTrustMockRecorder) AddTrustedCertificate(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustedCertificate", reflect.TypeOf((*MockCertificateTrust)(nil).AddTrustedCertificate), arg0)
}
// AddTrustedCertificateFromPath mocks base method.
func (m *MockCertificateTrust) AddTrustedCertificateFromPath(arg0 string) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AddTrustedCertificateFromPath", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// AddTrustedCertificateFromPath indicates an expected call of AddTrustedCertificateFromPath.
func (mr *MockCertificateTrustMockRecorder) AddTrustedCertificateFromPath(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustedCertificateFromPath", reflect.TypeOf((*MockCertificateTrust)(nil).AddTrustedCertificateFromPath), arg0)
}
// AddTrustedCertificatesFromBytes mocks base method.
func (m *MockCertificateTrust) AddTrustedCertificatesFromBytes(arg0 []byte) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AddTrustedCertificatesFromBytes", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// AddTrustedCertificatesFromBytes indicates an expected call of AddTrustedCertificatesFromBytes.
func (mr *MockCertificateTrustMockRecorder) AddTrustedCertificatesFromBytes(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustedCertificatesFromBytes", reflect.TypeOf((*MockCertificateTrust)(nil).AddTrustedCertificatesFromBytes), arg0)
}
// GetCertPool mocks base method.
func (m *MockCertificateTrust) GetCertPool() *x509.CertPool {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetCertPool")
ret0, _ := ret[0].(*x509.CertPool)
return ret0
}
// GetCertPool indicates an expected call of GetCertPool.
func (mr *MockCertificateTrustMockRecorder) GetCertPool() *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertPool", reflect.TypeOf((*MockCertificateTrust)(nil).GetCertPool))
}
// GetTLSConfig mocks base method.
func (m *MockCertificateTrust) GetTLSConfig(arg0 *schema.TLSConfig) *tls.Config {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetTLSConfig", arg0)
ret0, _ := ret[0].(*tls.Config)
return ret0
}
// GetTLSConfig indicates an expected call of GetTLSConfig.
func (mr *MockCertificateTrustMockRecorder) GetTLSConfig(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTLSConfig", reflect.TypeOf((*MockCertificateTrust)(nil).GetTLSConfig), arg0)
}
// NewTLSConfig mocks base method.
func (m *MockCertificateTrust) NewTLSConfig(arg0 *schema.TLSConfig, arg1 *x509.CertPool) *tls.Config {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "NewTLSConfig", arg0, arg1)
ret0, _ := ret[0].(*tls.Config)
return ret0
}
// NewTLSConfig indicates an expected call of NewTLSConfig.
func (mr *MockCertificateTrustMockRecorder) NewTLSConfig(arg0, arg1 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewTLSConfig", reflect.TypeOf((*MockCertificateTrust)(nil).NewTLSConfig), arg0, arg1)
}
// StartupCheck mocks base method.
func (m *MockCertificateTrust) StartupCheck() error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "StartupCheck")
ret0, _ := ret[0].(error)
return ret0
}
// StartupCheck indicates an expected call of StartupCheck.
func (mr *MockCertificateTrustMockRecorder) StartupCheck() *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartupCheck", reflect.TypeOf((*MockCertificateTrust)(nil).StartupCheck))
}

6
internal/notification/smtp_notifier.go
View File

@ -18,7 +18,7 @@ import (
)
// NewSMTPNotifier creates a SMTPNotifier using the notifier configuration.
func NewSMTPNotifier(config *schema.SMTPNotifierConfiguration, trustProvider trust.Provider) *SMTPNotifier {
func NewSMTPNotifier(config *schema.SMTPNotifierConfiguration, trustProvider trust.CertificateProvider) *SMTPNotifier {
var domain string
at := strings.LastIndex(config.Sender.Address, "@")
@ -43,7 +43,7 @@ type SMTPNotifier struct {
config *schema.SMTPNotifierConfiguration
random random.Provider
trust trust.Provider
trust trust.CertificateProvider
domain string
@ -59,7 +59,7 @@ func (n *SMTPNotifier) opts() (opts []gomail.Option) {
}
if n.config.TLS != nil {
opts = append(opts, gomail.WithTLSConfig(n.trust.GetTLSConfiguration(n.config.TLS)))
opts = append(opts, gomail.WithTLSConfig(n.trust.GetTLSConfig(n.config.TLS)))
}
ssl := n.config.Port == smtpPortSUBMISSIONS

2
internal/session/provider.go
View File

@ -16,7 +16,7 @@ type Provider struct {
}
// NewProvider instantiate a session provider given a configuration.
func NewProvider(config schema.SessionConfiguration, trustProvider trust.Provider) *Provider {
func NewProvider(config schema.SessionConfiguration, trustProvider trust.CertificateProvider) *Provider {
log := logging.Logger()
name, p, s, err := NewSessionProvider(config, trustProvider)

4
internal/session/provider_config.go
View File

@ -93,7 +93,7 @@ func NewProviderConfigAndSession(config schema.SessionCookieConfiguration, provi
return c, p, nil
}
func NewSessionProvider(config schema.SessionConfiguration, trustProvider trust.Provider) (name string, provider session.Provider, serializer Serializer, err error) {
func NewSessionProvider(config schema.SessionConfiguration, trustProvider trust.CertificateProvider) (name string, provider session.Provider, serializer Serializer, err error) {
// If redis configuration is provided, then use the redis provider.
switch {
case config.Redis != nil:
@ -102,7 +102,7 @@ func NewSessionProvider(config schema.SessionConfiguration, trustProvider trust.
var tlsConfig *tls.Config
if config.Redis.TLS != nil && trustProvider != nil {
tlsConfig = trustProvider.GetTLSConfiguration(config.Redis.TLS)
tlsConfig = trustProvider.GetTLSConfig(config.Redis.TLS)
}
if config.Redis.HighAvailability != nil && config.Redis.HighAvailability.SentinelName != "" {

32
internal/trust/opt.go
View File

@ -4,40 +4,50 @@ import (
"crypto/x509"
)
type Opt func(provider *Production)
// ProductionOpt describes a Production option.
type ProductionOpt func(provider *Production)
func WithPaths(paths ...string) Opt {
// WithCertificatePaths alters the paths this provider checks for relevant trusted certificates.
func WithCertificatePaths(paths ...string) ProductionOpt {
return func(provider *Production) {
provider.config.Paths = paths
}
}
func WithSystem(system bool) Opt {
// WithSystem sets the value which controls if the system certificate pool is trusted. Default is true.
func WithSystem(system bool) ProductionOpt {
return func(provider *Production) {
provider.config.System = system
}
}
func WithInvalid(invalid bool) Opt {
// WithValidationReturnErrors sets the value which determines if invalid certificates will return an error. Default is
// true.
func WithValidationReturnErrors(errs bool) ProductionOpt {
return func(provider *Production) {
provider.config.Invalid = invalid
provider.config.ValidationReturnErrors = errs
}
}
func WithExpired(expired bool) Opt {
// WithValidateNotAfter sets the value which determines if certificates not after time value (expiration) will be
// validated. Default is true.
func WithValidateNotAfter(expired bool) ProductionOpt {
return func(provider *Production) {
provider.config.Expired = expired
provider.config.ValidateNotAfter = expired
}
}
func WithFuture(future bool) Opt {
// WithValidateNotBefore sets the value which determines if the certificate not before time value will be validated.
// Default is true.
func WithValidateNotBefore(future bool) ProductionOpt {
return func(provider *Production) {
provider.config.Future = future
provider.config.ValidateNotBefore = future
}
}
func WithStatic(static []*x509.Certificate) Opt {
// WithStatic includes static trusted certificates.
func WithStatic(static ...*x509.Certificate) ProductionOpt {
return func(provider *Production) {
provider.config.Static = static
provider.config.Static = append(provider.config.Static, static...)
}
}

236
internal/trust/standard.go → internal/trust/production.go
View File

@ -17,12 +17,17 @@ import (
"github.com/authelia/authelia/v4/internal/logging"
)
// NewProvider returns a new provider.
func NewProvider(opts ...Opt) (provider *Production) {
// NewProduction returns a new provider.
func NewProduction(opts ...ProductionOpt) (provider *Production) {
provider = &Production{
mu: &sync.Mutex{},
config: Config{},
log: logging.Logger().WithFields(map[string]any{"service": "trust"}),
mu: &sync.Mutex{},
config: Config{
System: true,
ValidationReturnErrors: true,
ValidateNotAfter: true,
ValidateNotBefore: true,
},
log: logging.Logger().WithFields(map[string]any{"service": "trust"}),
}
for _, opt := range opts {
@ -32,7 +37,7 @@ func NewProvider(opts ...Opt) (provider *Production) {
return provider
}
// Production is a trust.Provider used for production operations. Should only be initialized via trust.NewProvider.
// Production is a trust.CertificateProvider used for production operations. Should only be initialized via trust.NewProduction.
type Production struct {
mu *sync.Mutex
log *logrus.Entry
@ -50,14 +55,15 @@ type Config struct {
// System allows trusting of system certificates.
System bool
// Invalid allows importing of expired or future certificates and instead just logs a warning.
Invalid bool
// ValidationReturnErrors ensures that errors during validation are returned during validation. If disabled the
// errors will instead be logged as warnings.
ValidationReturnErrors bool
// Expired enforces checks on the expired status of certificates.
Expired bool
// ValidateNotAfter enforces checks on the not after value of certificates.
ValidateNotAfter bool
// Future enforces checks on the not yet valid status of certificates.
Future bool
// ValidateNotBefore enforces checks on the not before value of certificates.
ValidateNotBefore bool
}
// StartupCheck implements the startup check provider interface.
@ -86,8 +92,40 @@ func (t *Production) AddTrustedCertificate(cert *x509.Certificate) (err error) {
return nil
}
// AddTrustedCertificatesFromPEM adds the *x509.Certificate content of a PEM block to this provider.
func (t *Production) AddTrustedCertificatesFromPEM(blocks []byte) (err error) {
// AddTrustedCertificatesFromBytes adds the *x509.Certificate content of a DER binary encoded block or PEM encoded
// blocks to this provider.
func (t *Production) AddTrustedCertificatesFromBytes(data []byte) (err error) {
t.init()
found, certs, err := t.readFromBytes("", data)
if err != nil {
return err
}
if found == 0 {
return fmt.Errorf("no certificates found in data")
}
t.mu.Lock()
pool := t.pool.Clone()
t.mu.Unlock()
for i := 0; i < len(certs); i++ {
if err = t.validate(certs[i]); err != nil {
return err
}
pool.AddCert(certs[i])
}
t.mu.Lock()
t.pool = pool
t.mu.Unlock()
return nil
}
@ -128,50 +166,56 @@ func (t *Production) AddTrustedCertificateFromPath(path string) (err error) {
return nil
}
// GetTrustedCertificates returns the trusted certificates for this provider.
func (t *Production) GetTrustedCertificates() (pool *x509.CertPool) {
// GetCertPool returns the trusted certificates for this provider.
func (t *Production) GetCertPool() (pool *x509.CertPool) {
t.init()
t.mu.Lock()
pool = t.pool.Clone()
defer t.mu.Unlock()
t.mu.Unlock()
return pool
return t.pool.Clone()
}
// GetTLSConfiguration returns a *tls.Config when provided with a *schema.TLSConfig with this providers trusted certificates.
func (t *Production) GetTLSConfiguration(sconfig *schema.TLSConfig) (config *tls.Config) {
if sconfig == nil {
// GetTLSConfig returns a *tls.Config when provided with a *schema.TLSConfig with this providers trusted certificates.
func (t *Production) GetTLSConfig(c *schema.TLSConfig) (config *tls.Config) {
if c == nil {
return nil
}
t.init()
var certificates []tls.Certificate
if sconfig.PrivateKey != nil && sconfig.CertificateChain.HasCertificates() {
certificates = []tls.Certificate{
{
Certificate: sconfig.CertificateChain.CertificatesRaw(),
Leaf: sconfig.CertificateChain.Leaf(),
PrivateKey: sconfig.PrivateKey,
},
}
}
t.mu.Lock()
rootCAs := t.pool.Clone()
t.mu.Unlock()
return t.NewTLSConfig(c, rootCAs)
}
func (t *Production) NewTLSConfig(c *schema.TLSConfig, rootCAs *x509.CertPool) (config *tls.Config) {
if c == nil {
return nil
}
var certificates []tls.Certificate
if c.PrivateKey != nil && c.CertificateChain.HasCertificates() {
certificates = []tls.Certificate{
{
Certificate: c.CertificateChain.CertificatesRaw(),
Leaf: c.CertificateChain.Leaf(),
PrivateKey: c.PrivateKey,
},
}
}
return &tls.Config{
ServerName: sconfig.ServerName,
InsecureSkipVerify: sconfig.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
MinVersion: sconfig.MinimumVersion.MinVersion(),
MaxVersion: sconfig.MaximumVersion.MaxVersion(),
ServerName: c.ServerName,
InsecureSkipVerify: c.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
MinVersion: c.MinimumVersion.MinVersion(),
MaxVersion: c.MaximumVersion.MaxVersion(),
RootCAs: rootCAs,
Certificates: certificates,
}
@ -277,35 +321,35 @@ func (t *Production) read(name string) (found int, certs []*x509.Certificate, er
}
}
func (t *Production) readFromFile(name string) (found int, certs []*x509.Certificate, err error) {
ext := strings.ToLower(filepath.Ext(name))
func (t *Production) readFromBytes(ext string, data []byte) (found int, certs []*x509.Certificate, err error) {
isPEM := ext == extPEM
if !isPEM {
if certs, err = x509.ParseCertificates(data); err == nil {
return len(certs), certs, nil
}
}
var (
cert *x509.Certificate
block *pem.Block
data []byte
)
if data, err = os.ReadFile(name); err != nil {
return 0, nil, fmt.Errorf("failed to read certificate: %w", err)
}
for len(data) > 0 {
if block, data = pem.Decode(data); block == nil {
if len(certs) != 0 {
break
}
return 0, nil, fmt.Errorf("failed to parse certificate: the file contained no PEM blocks")
return 0, nil, fmt.Errorf("failed to parse certificate: the file contained no PEM blocks and was not DER binary encoded")
}
if block.Type != "CERTIFICATE" {
switch ext {
case extPEM:
if isPEM {
continue
default:
return 0, nil, fmt.Errorf("failed to parse certificate PEM block: the PEM block is not a certificate, it's a '%s'", block.Type)
}
return 0, nil, fmt.Errorf("failed to parse certificate PEM block: the PEM block is not a certificate, it's a '%s'", block.Type)
}
if len(block.Headers) != 0 {
@ -322,6 +366,18 @@ func (t *Production) readFromFile(name string) (found int, certs []*x509.Certifi
return len(certs), certs, nil
}
func (t *Production) readFromFile(name string) (found int, certs []*x509.Certificate, err error) {
var (
data []byte
)
if data, err = os.ReadFile(name); err != nil {
return 0, nil, fmt.Errorf("failed to read certificate: %w", err)
}
return t.readFromBytes(strings.ToLower(filepath.Ext(name)), data)
}
func (t *Production) readFromDirectory(name string) (found int, certs []*x509.Certificate, err error) {
var entries []os.DirEntry
@ -368,86 +424,24 @@ func (t *Production) readFromDirectory(name string) (found int, certs []*x509.Ce
return found, certs, nil
}
/*
func (t *Production) load(dir string) (found int, certs []*x509.Certificate, err error) {
var (
entries []os.DirEntry
data []byte
)
t.log.WithFields(map[string]any{"directory": dir}).Debug("Starting certificate scan on directory")
if entries, err = os.ReadDir(dir); err != nil {
return found, nil, err
}
if len(entries) == 0 {
t.log.WithFields(map[string]any{"directory": dir}).Trace("Finished certificate scan on empty directory")
return 0, nil, nil
}
for _, entry := range entries {
if entry.IsDir() {
continue
}
ext := strings.ToLower(filepath.Ext(entry.Name()))
switch ext {
case extCER, extCRT, extPEM:
path := filepath.Join(dir, entry.Name())
t.log.WithFields(map[string]any{"directory": dir, "name": entry.Name()}).Trace("Certificate scan on directory discovered a potential certificate")
if data, err = os.ReadFile(path); err != nil {
return 0, nil, fmt.Errorf("failed to read certificate: %w", err)
}
var loaded []*x509.Certificate
if loaded, err = loadPEMCertificates(data); err != nil {
return 0, nil, fmt.Errorf("failed to read certificate: certificate at path '%s': %w", path, err)
}
c := len(loaded)
if c == 0 {
return 0, nil, fmt.Errorf("failed to read certificate: certificate at path '%s' does not contain PEM encoded certificate blocks", path)
}
certs = append(certs, loaded...)
found += c
default:
continue
}
}
t.log.WithFields(map[string]any{"directory": dir, "found": found}).Debug("Finished certificate scan on directory")
return found, certs, nil
}
*/
func (t *Production) validate(cert *x509.Certificate) (err error) {
now := time.Now()
if t.config.Expired && cert.NotAfter.Before(now) {
if t.config.ValidateNotAfter && cert.NotAfter.Before(now) {
switch {
case t.config.Invalid:
t.log.WithFields(map[string]any{"signature": string(cert.Signature), "common name": cert.Subject.CommonName, "expires": cert.NotAfter.Unix()}).Warn("Certificate which has expired was loaded")
default:
case t.config.ValidationReturnErrors:
return fmt.Errorf("failed to load certificate which is expired with signature %s: not after %d (now is %d)", cert.Signature, cert.NotAfter.Unix(), now.Unix())
default:
t.log.WithFields(map[string]any{"signature": string(cert.Signature), "common name": cert.Subject.CommonName, "expires": cert.NotAfter.Unix()}).Warn("Certificate which has expired was loaded")
}
}
if t.config.Future && !cert.NotBefore.IsZero() && cert.NotBefore.After(now) {
if t.config.ValidateNotBefore && !cert.NotBefore.IsZero() && cert.NotBefore.After(now) {
switch {
case t.config.Invalid:
t.log.WithFields(map[string]any{"signature": string(cert.Signature), "common name": cert.Subject.CommonName, "not before": cert.NotBefore.Unix()}).Warn("Certificate which is only valid in the future was loaded")
default:
case t.config.ValidationReturnErrors:
return fmt.Errorf("failed to load certificate which is not yet valid with signature %s: not before %d (now is %d)", cert.Signature, cert.NotBefore.Unix(), now.Unix())
default:
t.log.WithFields(map[string]any{"signature": string(cert.Signature), "common name": cert.Subject.CommonName, "not before": cert.NotBefore.Unix()}).Warn("Certificate which is only valid in the future was loaded")
}
}

25
internal/trust/production_test.go 100644
View File

@ -0,0 +1,25 @@
package trust
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestNewProvider(t *testing.T) {
provider := NewProduction()
assert.NotNil(t, provider.GetCertPool())
provider = NewProduction()
assert.NoError(t, provider.StartupCheck())
assert.NotNil(t, provider.GetCertPool())
}
func TestNewProvider_WithDirectories(t *testing.T) {
provider := NewProduction(WithCertificatePaths("../suites/common/pki/"))
assert.NoError(t, provider.StartupCheck())
assert.NotNil(t, provider.GetCertPool())
}

19
internal/trust/provider.go
View File

@ -8,20 +8,27 @@ import (
"github.com/authelia/authelia/v4/internal/model"
)
// Provider is the trust provider implementation signature.
type Provider interface {
// CertificateProvider is the certificate trust provider implementation signature.
type CertificateProvider interface {
model.StartupCheck
// AddTrustedCertificate adds a trusted *x509.Certificate to this provider.
AddTrustedCertificate(cert *x509.Certificate) (err error)
// AddTrustedCertificatesFromBytes adds the *x509.Certificate content of a DER binary encoded block or PEM encoded
// blocks to this provider.
AddTrustedCertificatesFromBytes(data []byte) (err error)
// AddTrustedCertificateFromPath adds a trusted certificates from a path to the provider. If the path is a directory
// the directory is scanned for .crt, .cer, and .pem files.
AddTrustedCertificateFromPath(path string) (err error)
// GetTrustedCertificates returns the trusted certificates for the provider.
GetTrustedCertificates() (pool *x509.CertPool)
// GetCertPool returns the trusted certificates for the provider.
GetCertPool() (pool *x509.CertPool)
// GetTLSConfiguration returns a *tls.Config when provided with a *schema.TLSConfig with the providers trusted certificates.
GetTLSConfiguration(sconfig *schema.TLSConfig) (config *tls.Config)
// NewTLSConfig returns a *tls.Config when provided with a *schema.TLSConfig and a *x509.CertPool.
NewTLSConfig(c *schema.TLSConfig, rootCAs *x509.CertPool) (config *tls.Config)
// GetTLSConfig returns a *tls.Config when provided with a *schema.TLSConfig with the providers trusted certificates.
GetTLSConfig(sconfig *schema.TLSConfig) (config *tls.Config)
}

34
internal/trust/standard_test.go
View File

@ -1,34 +0,0 @@
package trust
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestNewProvider(t *testing.T) {
provider := NewProvider()
assert.NotNil(t, provider.GetTrustedCertificates())
provider = NewProvider()
assert.NoError(t, provider.StartupCheck())
assert.NotNil(t, provider.GetTrustedCertificates())
}
func TestNewProvider_WithDirectories(t *testing.T) {
provider := NewProvider(WithPaths("../suites/common/pki/"), WithSystem(true))
pool := provider.GetTrustedCertificates()
assert.NotNil(t, pool)
assert.Equal(t, pool, provider.GetTrustedCertificates())
assert.NoError(t, provider.StartupCheck())
poolx := provider.GetTrustedCertificates()
assert.NotEqual(t, pool, poolx)
}

40
internal/trust/util.go
View File

@ -1,40 +0,0 @@
package trust
import (
"crypto/x509"
"encoding/pem"
"fmt"
)
func loadPEMCertificates(data []byte) (certs []*x509.Certificate, err error) {
var (
cert *x509.Certificate
block *pem.Block
)
for len(data) > 0 {
if block, data = pem.Decode(data); block == nil {
if len(certs) == 0 {
break
}
return nil, fmt.Errorf("failed to parse certificate: the file contained no PEM blocks")
}
if block.Type != "CERTIFICATE" {
return nil, fmt.Errorf("failed to parse certificate PEM block: the PEM block is not a certificate, it's a '%s'", block.Type)
}
if len(block.Headers) != 0 {
return nil, fmt.Errorf("failed to parse certificate PEM block: the PEM block has additional unexpected headers")
}
if cert, err = x509.ParseCertificate(block.Bytes); err != nil {
return nil, fmt.Errorf("failed to parse certificate PEM block: %w", err)
}
certs = append(certs, cert)
}
return certs, nil
}