// Copyright (C) 2020 Storj Labs, Inc.
// See LICENSE for copying information.
package admin_test
import (
"fmt"
"io"
"net/http"
"testing"
"github.com/stretchr/testify/require"
"go.uber.org/zap"
"storj.io/common/testcontext"
"storj.io/storj/private/testplanet"
"storj.io/storj/satellite"
"storj.io/storj/satellite/admin"
)
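// TestBasic tests authorization behaviour without oauth.
//
// It checks that the static UI bundles are served without credentials, that the
// API rejects requests carrying no token or a wrong token, that a proxy group
// header presented directly to the server (not via the Oauth host) does not
// grant access, and that a valid token is accepted.
func TestBasic(t *testing.T) {
	testplanet.Run(t, testplanet.Config{
		SatelliteCount:   1,
		StorageNodeCount: 0,
		UplinkCount:      0,
		Reconfigure: testplanet.Reconfigure{
			Satellite: func(_ *zap.Logger, _ int, config *satellite.Config) {
				config.Admin.Address = "127.0.0.1:0"
				config.Admin.StaticDir = "ui"
				config.Admin.StaticDirBackOffice = "back-office/ui"
			},
		},
	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
		sat := planet.Satellites[0]
		baseURL := "http://" + sat.Admin.Admin.Listener.Addr().String()

		// get performs a GET against the admin server with the given headers
		// and returns the response together with its fully read body. The body
		// is closed before returning, so a failing assertion later in a subtest
		// cannot leak the connection.
		get := func(t *testing.T, url string, headers map[string]string) (*http.Response, []byte) {
			req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
			require.NoError(t, err)
			for name, value := range headers {
				req.Header.Set(name, value)
			}

			response, err := http.DefaultClient.Do(req)
			require.NoError(t, err)
			defer func() { require.NoError(t, response.Body.Close()) }()

			body, err := io.ReadAll(response.Body)
			// Check the read error before anything inspects body.
			require.NoError(t, err)
			return response, body
		}

		// requireForbidden asserts the JSON rejection the admin server returns
		// for an unauthorized request outside of Oauth.
		requireForbidden := func(t *testing.T, response *http.Response, body []byte) {
			require.Equal(t, http.StatusForbidden, response.StatusCode)
			require.Equal(t, "application/json", response.Header.Get("Content-Type"))
			require.Equal(t, `{"error":"Forbidden","detail":""}`, string(body))
		}

		t.Run("UI", func(t *testing.T) {
			// package.json is used as a probe that the static directory is
			// wired up and that it is served as-is (the body starts with '{').
			testUI := func(t *testing.T, baseURL string) {
				response, content := get(t, baseURL+"/package.json", nil)
				require.Equal(t, http.StatusOK, response.StatusCode)
				require.NotEmpty(t, content)
				require.Equal(t, byte('{'), content[0])
			}

			t.Run("current", func(t *testing.T) {
				testUI(t, baseURL)
			})
			t.Run("back-office", func(t *testing.T) {
				testUI(t, baseURL+"/back-office")
			})
		})

		// Testing authorization behavior without Oauth from here on out.

		t.Run("NoAccess", func(t *testing.T) {
			// This request is not through the Oauth proxy and has no authorization token, it should fail.
			response, body := get(t, baseURL+"/api/projects/some-id", nil)
			requireForbidden(t, response, body)
		})

		t.Run("WrongAccess", func(t *testing.T) {
			// A token that does not match the configured one must be rejected.
			response, body := get(t, baseURL+"/api/users/alice@storj.test", map[string]string{
				"Authorization": "wrong-key",
			})
			requireForbidden(t, response, body)
		})

		t.Run("ForwardedGroupsWithoutOauth", func(t *testing.T) {
			// X-Forwarded-Groups is only meaningful for requests that arrived
			// via the Oauth host (see TestWithOAuth). A client setting it
			// directly, without a token, must still be rejected; otherwise any
			// caller could grant itself group membership.
			response, _ := get(t, baseURL+"/api/projects/some-id/limit", map[string]string{
				"X-Forwarded-Groups": "LimitUpdate",
			})
			require.Equal(t, http.StatusForbidden, response.StatusCode)
			require.Equal(t, "application/json", response.Header.Get("Content-Type"))
		})

		t.Run("WithAccess", func(t *testing.T) {
			response, body := get(t, baseURL+"/api", map[string]string{
				"Authorization": sat.Config.Console.AuthToken,
			})

			// currently no main page so 404
			require.Equal(t, http.StatusNotFound, response.StatusCode)
			require.Equal(t, "text/plain; charset=utf-8", response.Header.Get("Content-Type"))
			require.Contains(t, string(body), "not found")
		})
	})
}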
// TestWithOAuth tests authorization behaviour for requests coming through Oauth.
//
// Once the admin server's own address is registered as the allowed Oauth host,
// requests to it are treated as proxied: full-access endpoints must be refused
// even with a valid token, and group-gated endpoints are decided solely by the
// X-Forwarded-Groups header.
func TestWithOAuth(t *testing.T) {
	testplanet.Run(t, testplanet.Config{
		SatelliteCount:   1,
		StorageNodeCount: 0,
		UplinkCount:      1,
		Reconfigure: testplanet.Reconfigure{
			Satellite: func(_ *zap.Logger, _ int, config *satellite.Config) {
				config.Admin.Address = "127.0.0.1:0"
				config.Admin.StaticDir = "ui/build"
				config.Admin.Groups = admin.Groups{LimitUpdate: "LimitUpdate"}
			},
		},
	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
		sat := planet.Satellites[0]
		projectID := planet.Uplinks[0].Projects[0].ID
		adminHost := sat.Admin.Admin.Listener.Addr().String()
		baseURL := "http://" + adminHost

		// Make this admin server the AllowedOauthHost so withAuth thinks it's Oauth.
		// NOTE(review): from here on the server accepts X-Forwarded-Groups on
		// requests addressed to adminHost as authoritative; in a deployment that
		// host must only be reachable through the Oauth proxy that sets it.
		sat.Admin.Admin.Server.SetAllowedOauthHost(adminHost)

		// fetch issues a GET with the given headers and returns the response
		// after its body has been read and closed.
		fetch := func(t *testing.T, url string, headers map[string]string) (*http.Response, string) {
			req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
			require.NoError(t, err)
			for name, value := range headers {
				req.Header.Set(name, value)
			}

			response, err := http.DefaultClient.Do(req)
			require.NoError(t, err)

			payload, readErr := io.ReadAll(response.Body)
			require.NoError(t, response.Body.Close())
			require.NoError(t, readErr)
			return response, string(payload)
		}

		// Requests that require full access should not be accessible through Oauth.
		t.Run("UnauthorizedThroughOauth", func(t *testing.T) {
			apiKeysURL := fmt.Sprintf("%s/api/projects/%s/apikeys", baseURL, projectID.String())

			// Even a valid token does not unlock a full-access endpoint via Oauth.
			response, payload := fetch(t, apiKeysURL, map[string]string{
				"Authorization": planet.Satellites[0].Config.Console.AuthToken,
			})

			require.Equal(t, http.StatusForbidden, response.StatusCode)
			require.Equal(t, "application/json", response.Header.Get("Content-Type"))
			require.Contains(t, payload, admin.UnauthorizedThroughOauth)
		})

		// Group-gated endpoints are decided by X-Forwarded-Groups alone.
		t.Run("RequireLimitUpdateAccess", func(t *testing.T) {
			limitURL := fmt.Sprintf("%s/api/projects/%s/limit", baseURL, projectID.String())

			// this request does not have the {X-Forwarded-Groups: LimitUpdate} header. It should fail.
			response, payload := fetch(t, limitURL, nil)

			require.Equal(t, http.StatusForbidden, response.StatusCode)
			require.Equal(t, "application/json", response.Header.Get("Content-Type"))

			wantDetail := fmt.Sprintf(
				admin.UnauthorizedNotInGroup,
				[]string{planet.Satellites[0].Config.Admin.Groups.LimitUpdate},
			)
			require.Contains(t, payload, wantDetail)

			// adding the header should allow this request.
			response, _ = fetch(t, limitURL, map[string]string{
				"X-Forwarded-Groups": "LimitUpdate",
			})
			require.Equal(t, http.StatusOK, response.StatusCode)
		})
	})
}
// TestWithAuthNoToken tests when AuthToken config is set to an empty string (disabled authorization).
//
// An empty token must fail closed: the API answers 403 with the
// AuthorizationNotEnabled detail rather than treating every caller as authorized.
func TestWithAuthNoToken(t *testing.T) {
	testplanet.Run(t, testplanet.Config{
		SatelliteCount:   1,
		StorageNodeCount: 0,
		UplinkCount:      1,
		Reconfigure: testplanet.Reconfigure{
			Satellite: func(_ *zap.Logger, _ int, config *satellite.Config) {
				config.Admin.Address = "127.0.0.1:0"
				config.Admin.StaticDir = "ui/build"
				// Disable authorization.
				config.Console.AuthToken = ""
			},
		},
	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
		sat := planet.Satellites[0]
		projectID := planet.Uplinks[0].Projects[0].ID
		apiKeysURL := fmt.Sprintf(
			"http://%s/api/projects/%s/apikeys",
			sat.Admin.Admin.Listener.Addr().String(),
			projectID.String(),
		)

		req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiKeysURL, nil)
		require.NoError(t, err)

		// Authorization disabled, so this should fail.
		response, err := http.DefaultClient.Do(req)
		require.NoError(t, err)

		payload, readErr := io.ReadAll(response.Body)
		require.NoError(t, response.Body.Close())
		require.NoError(t, readErr)

		require.Equal(t, http.StatusForbidden, response.StatusCode)
		require.Equal(t, "application/json", response.Header.Get("Content-Type"))
		require.Contains(t, string(payload), admin.AuthorizationNotEnabled)
	})
}