
  1. // Copyright 2020 The Gogs Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package lfs
  5. import (
  6. "context"
  7. "fmt"
  8. "io/ioutil"
  9. "net/http"
  10. "net/http/httptest"
  11. "testing"
  12. "github.com/stretchr/testify/assert"
  13. "gopkg.in/macaron.v1"
  14. "gogs.io/gogs/internal/auth"
  15. "gogs.io/gogs/internal/db"
  16. "gogs.io/gogs/internal/lfsutil"
  17. )
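// Test_authenticate drives the authenticate() middleware end to end through a
// small macaron app: each case installs mock stores, sends a GET request with
// the given headers and checks the status code, the response headers and the
// body. The downstream handler only runs when the middleware injected a user.
//
// The subtests swap the mock stores via db.SetMock*Store, which looks like
// shared state, so they are run sequentially (no t.Parallel).
func Test_authenticate(t *testing.T) {
	m := macaron.New()
	m.Use(macaron.Renderer())
	m.Get("/", authenticate(), func(w http.ResponseWriter, user *db.User) {
		fmt.Fprintf(w, "ID: %d, Name: %s", user.ID, user.Name)
	})

	tests := []struct {
		name                string
		header              http.Header
		mockUsersStore      *db.MockUsersStore
		mockTwoFactorsStore *db.MockTwoFactorsStore
		// Constructed lazily so every subtest gets a fresh mock; nil means
		// no access-token store is installed for that case.
		mockAccessTokensStore func() db.AccessTokensStore
		expStatusCode         int
		expHeader             http.Header
		expBody               string
	}{
		{
			// No Authorization header at all: the middleware must answer with
			// a 401, an Lfs-Authenticate challenge and a JSON error body.
			name:          "no authorization",
			expStatusCode: http.StatusUnauthorized,
			expHeader: http.Header{
				"Lfs-Authenticate": []string{`Basic realm="Git LFS"`},
				"Content-Type":     []string{"application/vnd.git-lfs+json"},
			},
			expBody: `{"message":"Credentials needed"}` + "\n",
		},
		{
			// "dXNlcm5hbWU6cGFzc3dvcmQ=" is base64 for "username:password".
			// The password check succeeds, but the user has 2FA enabled, so
			// password-only authentication must be refused rather than let
			// the second factor be bypassed.
			name: "user has 2FA enabled",
			header: http.Header{
				"Authorization": []string{"Basic dXNlcm5hbWU6cGFzc3dvcmQ="},
			},
			mockUsersStore: &db.MockUsersStore{
				MockAuthenticate: func(username, password string, loginSourceID int64) (*db.User, error) {
					return &db.User{}, nil
				},
			},
			mockTwoFactorsStore: &db.MockTwoFactorsStore{
				MockIsUserEnabled: func(userID int64) bool {
					return true
				},
			},
			expStatusCode: http.StatusBadRequest,
			expHeader:     http.Header{},
			expBody:       "Users with 2FA enabled are not allowed to authenticate via username and password.",
		},
		{
			// "dXNlcm5hbWU=" is base64 for "username" (no colon, no password).
			// Neither the password path nor the access-token path matches; the
			// expected response is byte-identical to the no-credentials case,
			// so the reply does not reveal which lookup failed.
			name: "both user and access token do not exist",
			header: http.Header{
				"Authorization": []string{"Basic dXNlcm5hbWU="},
			},
			mockUsersStore: &db.MockUsersStore{
				MockAuthenticate: func(username, password string, loginSourceID int64) (*db.User, error) {
					return nil, auth.ErrBadCredentials{}
				},
			},
			mockAccessTokensStore: func() db.AccessTokensStore {
				mock := db.NewMockAccessTokensStore()
				mock.GetBySHA1Func.SetDefaultReturn(nil, db.ErrAccessTokenNotExist{})
				return mock
			},
			expStatusCode: http.StatusUnauthorized,
			expHeader: http.Header{
				"Lfs-Authenticate": []string{`Basic realm="Git LFS"`},
				"Content-Type":     []string{"application/vnd.git-lfs+json"},
			},
			expBody: `{"message":"Credentials needed"}` + "\n",
		},
		{
			// Happy path for username:password with 2FA disabled: the
			// authenticated user is handed to the downstream handler.
			name: "authenticated by username and password",
			header: http.Header{
				"Authorization": []string{"Basic dXNlcm5hbWU6cGFzc3dvcmQ="},
			},
			mockUsersStore: &db.MockUsersStore{
				MockAuthenticate: func(username, password string, loginSourceID int64) (*db.User, error) {
					return &db.User{ID: 1, Name: "unknwon"}, nil
				},
			},
			mockTwoFactorsStore: &db.MockTwoFactorsStore{
				MockIsUserEnabled: func(userID int64) bool {
					return false
				},
			},
			expStatusCode: http.StatusOK,
			expHeader:     http.Header{},
			expBody:       "ID: 1, Name: unknwon",
		},
		{
			// Password authentication fails, but the credential resolves to an
			// access token (GetBySHA1); the user is then loaded via GetByID,
			// presumably from the token's owner.
			name: "authenticate by access token",
			header: http.Header{
				"Authorization": []string{"Basic dXNlcm5hbWU="},
			},
			mockUsersStore: &db.MockUsersStore{
				MockAuthenticate: func(username, password string, loginSourceID int64) (*db.User, error) {
					return nil, auth.ErrBadCredentials{}
				},
				MockGetByID: func(id int64) (*db.User, error) {
					return &db.User{ID: 1, Name: "unknwon"}, nil
				},
			},
			mockAccessTokensStore: func() db.AccessTokensStore {
				mock := db.NewMockAccessTokensStore()
				mock.GetBySHA1Func.SetDefaultReturn(&db.AccessToken{}, nil)
				return mock
			},
			expStatusCode: http.StatusOK,
			expHeader:     http.Header{},
			expBody:       "ID: 1, Name: unknwon",
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			db.SetMockUsersStore(t, test.mockUsersStore)
			db.SetMockTwoFactorsStore(t, test.mockTwoFactorsStore)
			if test.mockAccessTokensStore != nil {
				db.SetMockAccessTokensStore(t, test.mockAccessTokensStore())
			}

			r, err := http.NewRequest("GET", "/", nil)
			if err != nil {
				t.Fatal(err)
			}
			// A nil header (the "no authorization" case) is deliberately
			// passed through unchanged.
			r.Header = test.header

			rr := httptest.NewRecorder()
			m.ServeHTTP(rr, r)

			resp := rr.Result()
			// Result() hands back an io.ReadCloser; close it like any response body.
			defer resp.Body.Close()
			assert.Equal(t, test.expStatusCode, resp.StatusCode)
			assert.Equal(t, test.expHeader, resp.Header)

			body, err := ioutil.ReadAll(resp.Body)
			if err != nil {
				t.Fatal(err)
			}
			assert.Equal(t, test.expBody, string(body))
		})
	}
}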
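// Test_authorize checks the authorize(mode) middleware: the owner and the
// repository named in the URL must exist and the acting user must hold at
// least the requested access mode, otherwise the request ends with 404.
//
// Note that an existing repository the actor is not allowed to access also
// yields 404 rather than 403, so an unauthorized actor cannot tell from the
// status code whether the repository exists. The subtests replace shared mock
// stores and therefore run sequentially.
func Test_authorize(t *testing.T) {
	tests := []struct {
		name           string
		handler        macaron.Handler
		mockUsersStore *db.MockUsersStore
		mockReposStore *db.MockReposStore
		// Constructed lazily so every subtest gets a fresh mock; nil means
		// no permissions store is installed for that case.
		mockPermsStore func() db.PermsStore
		expStatusCode  int
		expBody        string
	}{
		{
			// Owner lookup fails: nothing else is consulted.
			name:    "user does not exist",
			handler: authorize(db.AccessModeNone),
			mockUsersStore: &db.MockUsersStore{
				MockGetByUsername: func(username string) (*db.User, error) {
					return nil, db.ErrUserNotExist{}
				},
			},
			expStatusCode: http.StatusNotFound,
		},
		{
			// Owner exists but the repository does not.
			name:    "repository does not exist",
			handler: authorize(db.AccessModeNone),
			mockUsersStore: &db.MockUsersStore{
				MockGetByUsername: func(username string) (*db.User, error) {
					return &db.User{Name: username}, nil
				},
			},
			mockReposStore: &db.MockReposStore{
				MockGetByName: func(ownerID int64, name string) (*db.Repository, error) {
					return nil, db.ErrRepoNotExist{}
				},
			},
			expStatusCode: http.StatusNotFound,
		},
		{
			// The permission hook grants at most read access, but write is
			// requested: expect 404, not 403 (see the function comment).
			name:    "actor is not authorized",
			handler: authorize(db.AccessModeWrite),
			mockUsersStore: &db.MockUsersStore{
				MockGetByUsername: func(username string) (*db.User, error) {
					return &db.User{Name: username}, nil
				},
			},
			mockReposStore: &db.MockReposStore{
				MockGetByName: func(ownerID int64, name string) (*db.Repository, error) {
					return &db.Repository{Name: name}, nil
				},
			},
			mockPermsStore: func() db.PermsStore {
				mock := db.NewMockPermsStore()
				mock.AuthorizeFunc.SetDefaultHook(func(ctx context.Context, userID int64, repoID int64, desired db.AccessMode, opts db.AccessModeOptions) bool {
					return desired <= db.AccessModeRead
				})
				return mock
			},
			expStatusCode: http.StatusNotFound,
		},
		{
			// Read access requested and granted: owner and repo are injected
			// into the downstream handler.
			name:    "actor is authorized",
			handler: authorize(db.AccessModeRead),
			mockUsersStore: &db.MockUsersStore{
				MockGetByUsername: func(username string) (*db.User, error) {
					return &db.User{Name: username}, nil
				},
			},
			mockReposStore: &db.MockReposStore{
				MockGetByName: func(ownerID int64, name string) (*db.Repository, error) {
					return &db.Repository{Name: name}, nil
				},
			},
			mockPermsStore: func() db.PermsStore {
				mock := db.NewMockPermsStore()
				mock.AuthorizeFunc.SetDefaultHook(func(ctx context.Context, userID int64, repoID int64, desired db.AccessMode, opts db.AccessModeOptions) bool {
					return desired <= db.AccessModeRead
				})
				return mock
			},
			expStatusCode: http.StatusOK,
			expBody:       "owner.Name: owner, repo.Name: repo",
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			db.SetMockUsersStore(t, test.mockUsersStore)
			db.SetMockReposStore(t, test.mockReposStore)
			if test.mockPermsStore != nil {
				db.SetMockPermsStore(t, test.mockPermsStore())
			}

			m := macaron.New()
			m.Use(macaron.Renderer())
			// authorize() needs an acting *db.User in the request context; map
			// a zero-value one since authentication is out of scope here.
			m.Use(func(c *macaron.Context) {
				c.Map(&db.User{})
			})
			m.Get("/:username/:reponame", test.handler, func(w http.ResponseWriter, owner *db.User, repo *db.Repository) {
				fmt.Fprintf(w, "owner.Name: %s, repo.Name: %s", owner.Name, repo.Name)
			})

			r, err := http.NewRequest("GET", "/owner/repo", nil)
			if err != nil {
				t.Fatal(err)
			}

			rr := httptest.NewRecorder()
			m.ServeHTTP(rr, r)

			resp := rr.Result()
			// Result() hands back an io.ReadCloser; close it like any response body.
			defer resp.Body.Close()
			assert.Equal(t, test.expStatusCode, resp.StatusCode)

			body, err := ioutil.ReadAll(resp.Body)
			if err != nil {
				t.Fatal(err)
			}
			assert.Equal(t, test.expBody, string(body))
		})
	}
}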
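// Test_verifyHeader checks the verifyHeader(name, value, status) middleware:
// a request lacking the header (or carrying a different value) is rejected
// with the configured status, while a matching header passes through.
//
// The "header found" case sends the value with a trailing parameter
// ("; charset=utf-8"), so the middleware is expected to accept a media type
// that carries parameters, not only an exact string match.
func Test_verifyHeader(t *testing.T) {
	tests := []struct {
		name          string
		verifyHeader  macaron.Handler
		header        http.Header
		expStatusCode int
	}{
		{
			name:          "header not found",
			verifyHeader:  verifyHeader("Accept", contentType, http.StatusNotAcceptable),
			expStatusCode: http.StatusNotAcceptable,
		},
		{
			// Spelled out rather than using contentType so the test pins the
			// actual media type string the middleware must accept.
			name:         "header found",
			verifyHeader: verifyHeader("Accept", "application/vnd.git-lfs+json", http.StatusNotAcceptable),
			header: http.Header{
				"Accept": []string{"application/vnd.git-lfs+json; charset=utf-8"},
			},
			expStatusCode: http.StatusOK,
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			m := macaron.New()
			m.Use(macaron.Renderer())
			m.Get("/", test.verifyHeader)

			r, err := http.NewRequest("GET", "/", nil)
			if err != nil {
				t.Fatal(err)
			}
			r.Header = test.header

			rr := httptest.NewRecorder()
			m.ServeHTTP(rr, r)

			resp := rr.Result()
			// Result() hands back an io.ReadCloser; close it even though the
			// body is not inspected here.
			defer resp.Body.Close()
			assert.Equal(t, test.expStatusCode, resp.StatusCode)
		})
	}
}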
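// Test_verifyOID checks the verifyOID() middleware, which validates the
// ":oid" path parameter before any downstream handler sees it: a malformed
// value is rejected with 400 and a JSON error, a well-formed one is injected
// as lfsutil.OID.
func Test_verifyOID(t *testing.T) {
	m := macaron.New()
	m.Get("/:oid", verifyOID(), func(w http.ResponseWriter, oid lfsutil.OID) {
		fmt.Fprintf(w, "oid: %s", oid)
	})

	tests := []struct {
		name          string
		url           string
		expStatusCode int
		expBody       string
	}{
		{
			// Contains a non-hex character and is far too short.
			name:          "bad oid",
			url:           "/bad_oid",
			expStatusCode: http.StatusBadRequest,
			expBody:       `{"message":"Invalid oid"}` + "\n",
		},
		{
			// 64 lowercase hex characters (SHA-256 sized).
			name:          "good oid",
			url:           "/ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f",
			expStatusCode: http.StatusOK,
			expBody:       "oid: ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f",
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			r, err := http.NewRequest("GET", test.url, nil)
			if err != nil {
				t.Fatal(err)
			}

			rr := httptest.NewRecorder()
			m.ServeHTTP(rr, r)

			resp := rr.Result()
			// Result() hands back an io.ReadCloser; close it like any response body.
			defer resp.Body.Close()
			assert.Equal(t, test.expStatusCode, resp.StatusCode)

			body, err := ioutil.ReadAll(resp.Body)
			if err != nil {
				t.Fatal(err)
			}
			assert.Equal(t, test.expBody, string(body))
		})
	}
}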
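// Test_internalServerError checks that internalServerError writes a 500 with
// a fixed, generic JSON message — no error details are echoed to the client.
func Test_internalServerError(t *testing.T) {
	rr := httptest.NewRecorder()
	internalServerError(rr)

	resp := rr.Result()
	// Result() hands back an io.ReadCloser; close it like any response body.
	defer resp.Body.Close()
	assert.Equal(t, http.StatusInternalServerError, resp.StatusCode)

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		t.Fatal(err)
	}
	assert.Equal(t, `{"message":"Internal server error"}`+"\n", string(body))
}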