local lu = require("luaunit")
local ngx = require("ngx")
local conf = require("ssso_config")
local ng = require("ssso_nginx")
local sites = require("ssso_sites")
-- Location of the fixture files, derived from this chunk's source string:
-- sub(2, -17) drops the first character and the last 16 characters.
-- NOTE(review): presumably that is the "@" Lua puts in front of a file name
-- plus the trailing script file name -- confirm; the slice goes wrong
-- silently if the file is renamed to a name of a different length.
local chunk_source = debug.getinfo(1).source
local here = chunk_source:sub(2, -17)

-- Load the SSO configuration and the site rules from that location; the
-- access decisions asserted below depend on whatever these two calls load.
conf.load_conf(here)
sites.load_sites(here)
--- Anonymous request for a URI that is expected to match no site rule.
-- Pins the default for unlisted paths: handle_request returns nil (no
-- redirect) and no Cookie header is set on the request.
-- NOTE(review): this is a default-allow policy for unlisted paths, so every
-- upstream that needs protection has to be declared in the site rules.
function test_anonymous_access_to_unknown_site_accepted()
    -- given: request and variable state reset, then an unlisted path
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/unknown"
    local request = ng.class__request:current()

    -- when: no profile is supplied (anonymous visitor)
    local outcome = sites.handle_request(request, nil)

    -- then: the request passes and nothing is injected
    lu.assertNil(outcome)
    lu.assertNil(ngx.req.header["Cookie"])
end
--- Anonymous request for a page under /public.
-- Expects handle_request to return nil (no redirect) and no Cookie header to
-- be added, i.e. a public page is served without any credential injection.
function test_anonymous_access_to_public_site_accepted()
    -- given: request and variable state reset, then a /public path
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/public/page"
    local request = ng.class__request:current()

    -- when: no profile is supplied (anonymous visitor)
    local outcome = sites.handle_request(request, nil)

    -- then: no redirect, no injected cookie
    lu.assertNil(outcome)
    lu.assertNil(ngx.req.header["Cookie"])
end
--- Anonymous request for a page of the /mixed site that is expected to be
-- public. Expects nil from handle_request and no Cookie header.
-- Which /mixed paths are private comes from the loaded site rules, which are
-- not visible in this file.
function test_anonymous_access_to_public_page_of_mixed_site_accepted()
    -- given: request and variable state reset, then a wiki page under /mixed
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/mixed/bob/wiki/foo.adoc"
    local request = ng.class__request:current()

    -- when: no profile is supplied (anonymous visitor)
    local outcome = sites.handle_request(request, nil)

    -- then: no redirect, no injected cookie
    lu.assertNil(outcome)
    lu.assertNil(ngx.req.header["Cookie"])
end
--- Anonymous request for a page of the /mixed site that is expected to be
-- private. Expects a "307:" redirect to the login URL carrying the original
-- path in "back" and cause=401, with no Cookie header added.
-- NOTE(review): only the literal spelling of the path is exercised. If
-- request_uri carries the raw, un-normalised URI (as nginx's $request_uri
-- does), percent-encoded and dot-segment spellings of the same page deserve
-- their own cases to confirm they are not classified as public.
-- NOTE(review): "back" is asserted un-encoded; a case whose URI contains "&"
-- or "?" would pin how the value is escaped -- confirm against the
-- implementation.
function test_anonymous_access_to_private_page_of_mixed_site_redirected_401()
    -- given: request and variable state reset, then the wiki "_new" page
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/mixed/bob/wiki/_new"
    local request = ng.class__request:current()

    -- when: no profile is supplied (anonymous visitor)
    local outcome = sites.handle_request(request, nil)

    -- then: redirected to login, nothing injected
    lu.assertEquals(outcome, "307:https://my-domain.tld/ssso/login?back=/mixed/bob/wiki/_new&cause=401")
    lu.assertNil(ngx.req.header["Cookie"])
end
--- Anonymous request for a page under /private.
-- Expects a "307:" redirect to the login URL with cause=401 and no
-- Authorization header on the request.
-- NOTE(review): unlike the other anonymous cases this one checks only
-- Authorization; asserting that Cookie is absent as well would cover both
-- injection channels on the denied path.
function test_anonymous_access_to_private_site_redirected_401()
    -- given: request and variable state reset, then a /private path
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/private/page"
    local request = ng.class__request:current()

    -- when: no profile is supplied (anonymous visitor)
    local outcome = sites.handle_request(request, nil)

    -- then: redirected to login, no credential header present
    lu.assertEquals(outcome, "307:https://my-domain.tld/ssso/login?back=/private/page&cause=401")
    lu.assertNil(ngx.req.header["Authorization"])
end
--- Request with a profile for a URI that is expected to match no site rule.
-- The profile is built with login "U" and two empty lists, so it carries no
-- injection rule; the test expects nil from handle_request and no Cookie.
function test_authenticated_access_to_unknown_site_accepted()
    -- given: request and variable state reset, an unlisted path, and a
    -- profile without any rule
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/unknown"
    local request = ng.class__request:current()
    local user_profile = sites.class__profile:build_from_lists("U", nil, nil, nil, {}, {})

    -- when
    local outcome = sites.handle_request(request, user_profile)

    -- then: the request passes and nothing is injected
    lu.assertNil(outcome)
    lu.assertNil(ngx.req.header["Cookie"])
end
--- Request with a profile for a /public page, where the profile carries one
-- rule for "^/public" with two "C" actions.
-- The expected Cookie shows the "\ru." and "\rp." placeholders replaced by
-- the first two build_from_lists arguments ("U" and "P").
-- NOTE(review): the second value is presumably the user's password -- confirm.
-- It then travels to the upstream as a plain cookie, so that hop needs
-- transport protection and the upstream must not log or echo the Cookie
-- header.
function test_authenticated_access_to_public_site_accepted()
    -- given: request and variable state reset, a /public path, and a profile
    -- with one matching rule
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/public/page"
    local request = ng.class__request:current()

    local public_rule = {
        r = { "^/public" },
        a = {
            {"C", "X-PROXY-USER", "\ru."},
            {"C", "X-PROXY-PASS", "\rp."},
        },
    }
    local user_profile = sites.class__profile:build_from_lists(
        "U", "P", nil, nil,
        { public_rule },
        {}
    )

    -- when
    local outcome = sites.handle_request(request, user_profile)

    -- then: no redirect, both cookies injected in rule order
    lu.assertNil(outcome)
    lu.assertEquals(ngx.req.header["Cookie"], "X-PROXY-USER=U; X-PROXY-PASS=P")
end
--- Request with a profile whose last list contains "^/public", for a /public
-- page that anonymous visitors are allowed to read (see the anonymous case).
-- Expects a "307:" redirect with cause=403 and no Cookie header, i.e. an
-- entry in that list overrides the public status of the page for this user.
-- NOTE(review): only Cookie is checked here; asserting that Authorization is
-- absent too would cover both injection channels on the denied path.
function test_authenticated_access_to_public_site_can_be_denied()
    -- given: request and variable state reset, a /public path, and a profile
    -- with no injection rule but one entry in the last list
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/public/page"
    local request = ng.class__request:current()

    local denied_patterns = { "^/public" }
    local user_profile = sites.class__profile:build_from_lists(
        "banned", nil, nil, nil,
        {},
        denied_patterns
    )

    -- when
    local outcome = sites.handle_request(request, user_profile)

    -- then: redirected with cause=403, nothing injected
    lu.assertEquals(outcome, "307:https://my-domain.tld/ssso/login?back=/public/page&cause=403")
    lu.assertNil(ngx.req.header["Cookie"])
end
--- Request with a three-rule profile for a page of the /mixed site that is
-- expected to be public.
-- Of the three rules only "^/mixed" matches "/mixed/bob/wiki/foo.adoc", so
-- the test expects the two cookies of that rule and no Authorization header:
-- the Basic credential is reserved for the narrower admin / "_new" rule.
-- NOTE(review): the cookie carries what is presumably the user's password in
-- clear; the hop to the upstream needs transport protection -- confirm.
function test_authenticated_access_to_public_page_of_mixed_site_accepted()
    -- given: request and variable state reset, a wiki page under /mixed, and
    -- a profile with rules for /public, the private /mixed pages and /mixed
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/mixed/bob/wiki/foo.adoc"
    local request = ng.class__request:current()

    local public_rule = {
        r = { "^/public" },
        a = {
            {"C", "X-PROXY-USER", "\ru."},
            {"C", "X-PROXY-PASS", "\rp."},
        },
    }
    local mixed_private_rule = {
        r = {
            "^/mixed/admin",
            "^/mixed/.-/wiki/_new",
        },
        a = {
            {"C", "X-PROXY-USER", "\ru."},
            {"C", "X-PROXY-PASSWORD", "\rp."},
            {"H", "Authorization", "Basic \rb64(\ru.:\rp.)."},
        },
    }
    local mixed_rule = {
        r = { "^/mixed" },
        a = {
            {"C", "X-PROXY-USER", "\ru."},
            {"C", "X-PROXY-PASSWORD", "\rp."},
        },
    }
    local user_profile = sites.class__profile:build_from_lists(
        "U", "P", nil, nil,
        { public_rule, mixed_private_rule, mixed_rule },
        {}
    )

    -- when
    local outcome = sites.handle_request(request, user_profile)

    -- then: no redirect, cookies from the "^/mixed" rule, no Basic header
    lu.assertNil(outcome)
    lu.assertEquals(ngx.req.header["Cookie"], "X-PROXY-USER=U; X-PROXY-PASSWORD=P")
    lu.assertNil(ngx.req.header["Authorization"])
end
--- Request with a three-rule profile for the private "_new" wiki page of the
-- /mixed site.
-- Both the "^/mixed/.-/wiki/_new" rule and the later "^/mixed" rule match the
-- URI; the expected Authorization header shows the earlier, narrower rule was
-- applied. "VTpQ" is the base64 encoding of "U:P".
-- NOTE(review): presumably the first matching rule wins -- confirm; a case
-- with the two rules in the opposite order would pin that.
-- NOTE(review): "^/mixed/.-/wiki/_new" has no end anchor and ".-" can span
-- "/", so it presumably acts as a prefix match over any depth; rule authors
-- should confirm that this is the intended scope for the Basic credential.
-- NOTE(review): Basic is an encoding, not encryption; the hop to the
-- upstream needs transport protection.
function test_authenticated_access_to_private_page_of_mixed_site_accepted()
    -- given: request and variable state reset, the wiki "_new" page, and a
    -- profile with rules for /public, the private /mixed pages and /mixed
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/mixed/bob/wiki/_new"
    local request = ng.class__request:current()

    local public_rule = {
        r = { "^/public" },
        a = {
            {"C", "X-PROXY-USER", "\ru."},
            {"C", "X-PROXY-PASS", "\rp."},
        },
    }
    local mixed_private_rule = {
        r = {
            "^/mixed/admin",
            "^/mixed/.-/wiki/_new",
        },
        a = {
            {"C", "X-PROXY-USER", "\ru."},
            {"C", "X-PROXY-PASSWORD", "\rp."},
            {"H", "Authorization", "Basic \rb64(\ru.:\rp.)."},
        },
    }
    local mixed_rule = {
        r = { "^/mixed" },
        a = {
            {"C", "X-PROXY-USER", "\ru."},
            {"C", "X-PROXY-PASSWORD", "\rp."},
        },
    }
    local user_profile = sites.class__profile:build_from_lists(
        "U", "P", nil, nil,
        { public_rule, mixed_private_rule, mixed_rule },
        {}
    )

    -- when
    local outcome = sites.handle_request(request, user_profile)

    -- then: no redirect, cookies and the Basic header are both injected
    lu.assertNil(outcome)
    lu.assertEquals(ngx.req.header["Cookie"], "X-PROXY-USER=U; X-PROXY-PASSWORD=P")
    lu.assertEquals(ngx.req.header["Authorization"], "Basic VTpQ")
end
--- Request for a /private page with a profile that carries a rule for
-- "^/private" whose only action is an "H" Authorization header.
-- Expects nil from handle_request and the header "Basic amVhbjpQ", which is
-- the base64 encoding of "jean:P" (the first two build_from_lists arguments).
-- NOTE(review): Basic is an encoding, not encryption; the injected header
-- exposes the credential to anything on the path to the upstream, so that
-- hop needs transport protection.
function test_authenticated_access_to_private_site_accepted_with_the_right_user()
    -- given: request and variable state reset, a /private path, and a
    -- profile with one matching rule
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/private/page"
    local request = ng.class__request:current()

    local private_rule = {
        r = { "^/private" },
        a = {
            {"H", "Authorization", "Basic \rb64(\ru.:\rp.)."},
        },
    }
    local user_profile = sites.class__profile:build_from_lists(
        "jean", "P", nil, nil,
        { private_rule },
        {}
    )

    -- when
    local outcome = sites.handle_request(request, user_profile)

    -- then: no redirect, Basic header built from the profile
    lu.assertNil(outcome)
    lu.assertEquals(ngx.req.header["Authorization"], "Basic amVhbjpQ")
end
--- Request for a /private page with a profile that has no injection rule and
-- lists "^/private" in its last list.
-- Expects a "307:" redirect with cause=403 (not 401, since a profile is
-- present) and no Authorization header on the request.
-- NOTE(review): only Authorization is checked; asserting that Cookie is
-- absent too would cover both injection channels on the denied path.
function test_authenticated_access_to_private_site_redirected_403_with_the_wrong_user()
    -- given: request and variable state reset, a /private path, and a
    -- profile whose last list names that path
    ngx.req.reset()
    ngx.reset_var()
    ngx.var.request_uri = "/private/page"
    local request = ng.class__request:current()

    local denied_patterns = { "^/private" }
    local user_profile = sites.class__profile:build_from_lists(
        "U", "P", nil, nil,
        {},
        denied_patterns
    )

    -- when
    local outcome = sites.handle_request(request, user_profile)

    -- then: redirected with cause=403, no credential header present
    lu.assertEquals(outcome, "307:https://my-domain.tld/ssso/login?back=/private/page&cause=403")
    lu.assertNil(ngx.req.header["Authorization"])
end
-- Run the LuaUnit suite and hand its result to os.exit, so the process exit
-- status reflects the outcome of the access-control tests above.
os.exit(lu.LuaUnit.run())