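--- Unit tests for `ssso_sites.handle_request`.
-- Each case builds a request for one URI, optionally attaches a user profile,
-- and then checks two things: the response string returned by the handler
-- (nil when the request is let through, a "307:<login url>" redirect when it
-- is refused) and which credential headers were written on the request that
-- would be forwarded upstream.
--
-- The test functions are deliberately global: LuaUnit discovers them by name.
local lu = require("luaunit")
local ngx = require("ngx")
local conf = require("ssso_config")
local ng = require("ssso_nginx")
local sites = require("ssso_sites")

-- Location handed to the config/site loaders. `source` starts with the "@"
-- that Lua puts in front of file-based chunk names (dropped by index 2); the
-- last 16 characters are dropped as well.
-- NOTE(review): the 16 presumably matches the length of this file's own name,
-- so renaming the file would silently point the loaders at a wrong path.
local here = debug.getinfo(1).source:sub(2, -17)
conf.load_conf(here)
sites.load_sites(here)

--- Reset the ngx test double and build the request object for `uri`.
-- @tparam string uri value stored in `ngx.var.request_uri`
-- @return the object returned by `ng.class__request:current()`
local function request_for(uri)
  ngx.req.reset()
  ngx.reset_var()
  ngx.var.request_uri = uri
  return ng.class__request:current()
end

--- Assert that no credential was attached to the outgoing request.
-- Used by every case where there is no profile or where the profile carries
-- no matching rule. Checking both headers every time closes a gap in the
-- earlier version of these tests, which verified only one of the two headers
-- per case, so a credential leaking through the other one went unnoticed.
local function assert_no_credentials_forwarded()
  lu.assertNil(ngx.req.header["Cookie"])
  lu.assertNil(ngx.req.header["Authorization"])
end

--- Rule list shared by the two authenticated "mixed site" cases.
-- Each rule has `r` (Lua patterns matched against the URI) and `a` (actions).
-- Judging by the assertions in this file, an action {"C", name, value} adds a
-- cookie and {"H", name, value} sets a request header, while "\ru.", "\rp."
-- and "\rb64(...)." are expanded to the profile's user, password and a base64
-- encoding (presumably; ssso_sites holds the authoritative syntax).
-- The specific "^/mixed/.-/wiki/_new" rule is listed before the catch-all
-- "^/mixed"; the expected headers are consistent with the first matching rule
-- being the only one applied.
-- A fresh table is returned on every call so that one test cannot affect
-- another through a shared fixture.
local function mixed_site_rules()
  return {
    {
      r = { "^/public", },
      a = {
        {"C", "X-PROXY-USER", "\ru."},
        {"C", "X-PROXY-PASS", "\rp."},
      },
    },
    {
      r = { "^/mixed/admin", "^/mixed/.-/wiki/_new", },
      a = {
        {"C", "X-PROXY-USER", "\ru."},
        {"C", "X-PROXY-PASSWORD", "\rp."},
        {"H", "Authorization", "Basic \rb64(\ru.:\rp.)."},
      },
    },
    {
      r = { "^/mixed", },
      a = {
        {"C", "X-PROXY-USER", "\ru."},
        {"C", "X-PROXY-PASSWORD", "\rp."},
      },
    },
  }
end

-- ---------------------------------------------------------------------------
-- Anonymous requests (no profile)
-- ---------------------------------------------------------------------------

-- A URI that matches no configured site is passed through untouched.
function test_anonymous_access_to_unknown_site_accepted()
  local req = request_for("/unknown")

  local resp = sites.handle_request(req, nil)

  lu.assertNil(resp)
  assert_no_credentials_forwarded()
end

-- A public site needs no login.
function test_anonymous_access_to_public_site_accepted()
  local req = request_for("/public/page")

  local resp = sites.handle_request(req, nil)

  lu.assertNil(resp)
  assert_no_credentials_forwarded()
end

-- On a mixed site, ordinary pages stay readable without a login.
function test_anonymous_access_to_public_page_of_mixed_site_accepted()
  local req = request_for("/mixed/bob/wiki/foo.adoc")

  local resp = sites.handle_request(req, nil)

  lu.assertNil(resp)
  assert_no_credentials_forwarded()
end

-- On a mixed site, a protected page sends the visitor to the login page with
-- cause=401 and the original URI in `back`.
-- NOTE(review): every URI in this file is a plain path. A case with a query
-- string or a "&" in the URI would pin how `back` is encoded and guard the
-- login redirect against parameter smuggling.
function test_anonymous_access_to_private_page_of_mixed_site_redirected_401()
  local req = request_for("/mixed/bob/wiki/_new")

  local resp = sites.handle_request(req, nil)

  lu.assertEquals(resp, "307:https://my-domain.tld/ssso/login?back=/mixed/bob/wiki/_new&cause=401")
  assert_no_credentials_forwarded()
end

-- A private site always requires a login.
function test_anonymous_access_to_private_site_redirected_401()
  local req = request_for("/private/page")

  local resp = sites.handle_request(req, nil)

  lu.assertEquals(resp, "307:https://my-domain.tld/ssso/login?back=/private/page&cause=401")
  assert_no_credentials_forwarded()
end

-- ---------------------------------------------------------------------------
-- Authenticated requests
-- `build_from_lists(user, password, ?, ?, rules, denied)`: the first two
-- arguments show up as user and password in the expected headers, the fifth is
-- the rule list and the sixth a list of patterns that produce cause=403.
-- The third and fourth are always nil here (meaning not visible from this file).
-- ---------------------------------------------------------------------------

-- A profile without any rule changes nothing for an unknown site.
function test_authenticated_access_to_unknown_site_accepted()
  local req = request_for("/unknown")
  local profile = sites.class__profile:build_from_lists("U", nil, nil, nil, {}, {})

  local resp = sites.handle_request(req, profile)

  lu.assertNil(resp)
  assert_no_credentials_forwarded()
end

-- A matching rule injects the user's credentials as cookies.
function test_authenticated_access_to_public_site_accepted()
  local req = request_for("/public/page")
  local rules = {
    {
      r = { "^/public", },
      a = {
        {"C", "X-PROXY-USER", "\ru."},
        {"C", "X-PROXY-PASS", "\rp."},
      },
    },
  }
  local profile = sites.class__profile:build_from_lists("U", "P", nil, nil, rules, {})

  local resp = sites.handle_request(req, profile)

  lu.assertNil(resp)
  lu.assertEquals(ngx.req.header["Cookie"], "X-PROXY-USER=U; X-PROXY-PASS=P")
end

-- A deny pattern wins even on a site that anonymous visitors may read.
function test_authenticated_access_to_public_site_can_be_denied()
  local req = request_for("/public/page")
  local denied = { "^/public", }
  local profile = sites.class__profile:build_from_lists("banned", nil, nil, nil, {}, denied)

  local resp = sites.handle_request(req, profile)

  lu.assertEquals(resp, "307:https://my-domain.tld/ssso/login?back=/public/page&cause=403")
  assert_no_credentials_forwarded()
end

-- An ordinary page of the mixed site falls through to the "^/mixed" rule:
-- cookies only, and in particular no Basic credentials.
function test_authenticated_access_to_public_page_of_mixed_site_accepted()
  local req = request_for("/mixed/bob/wiki/foo.adoc")
  local profile = sites.class__profile:build_from_lists("U", "P", nil, nil, mixed_site_rules(), {})

  local resp = sites.handle_request(req, profile)

  lu.assertNil(resp)
  lu.assertEquals(ngx.req.header["Cookie"], "X-PROXY-USER=U; X-PROXY-PASSWORD=P")
  lu.assertNil(ngx.req.header["Authorization"])
end

-- The protected page matches the more specific rule, which additionally sets
-- an Authorization header ("VTpQ" is base64 of "U:P").
function test_authenticated_access_to_private_page_of_mixed_site_accepted()
  local req = request_for("/mixed/bob/wiki/_new")
  local profile = sites.class__profile:build_from_lists("U", "P", nil, nil, mixed_site_rules(), {})

  local resp = sites.handle_request(req, profile)

  lu.assertNil(resp)
  lu.assertEquals(ngx.req.header["Cookie"], "X-PROXY-USER=U; X-PROXY-PASSWORD=P")
  lu.assertEquals(ngx.req.header["Authorization"], "Basic VTpQ")
end

-- The private site lets in a user whose profile has a rule for it
-- ("amVhbjpQ" is base64 of "jean:P").
function test_authenticated_access_to_private_site_accepted_with_the_right_user()
  local req = request_for("/private/page")
  local rules = {
    {
      r = { "^/private", },
      a = {
        {"H", "Authorization", "Basic \rb64(\ru.:\rp.)."},
      },
    },
  }
  local profile = sites.class__profile:build_from_lists("jean", "P", nil, nil, rules, {})

  local resp = sites.handle_request(req, profile)

  lu.assertNil(resp)
  lu.assertEquals(ngx.req.header["Authorization"], "Basic amVhbjpQ")
end

-- A logged-in user who is denied the private site gets cause=403 (as opposed
-- to the 401 of the anonymous case) and none of their credentials forwarded.
function test_authenticated_access_to_private_site_redirected_403_with_the_wrong_user()
  local req = request_for("/private/page")
  local denied = { "^/private", }
  local profile = sites.class__profile:build_from_lists("U", "P", nil, nil, {}, denied)

  local resp = sites.handle_request(req, profile)

  lu.assertEquals(resp, "307:https://my-domain.tld/ssso/login?back=/private/page&cause=403")
  assert_no_credentials_forwarded()
end

os.exit(lu.LuaUnit.run())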