diff --git a/controller/northbound/server/auth_interceptor.go b/controller/northbound/server/auth_interceptor.go
index 45768c5bcadde8442d897dcb388671b5b319e6dd..2baf5dd09c2e4e3b06b08fa82f6981fdd705946b 100644
--- a/controller/northbound/server/auth_interceptor.go
+++ b/controller/northbound/server/auth_interceptor.go
@@ -125,16 +125,23 @@ func (auth *AuthInterceptor) verifyUserRoleAndRequestedCall(userRole, requestedM
  return err
  }
 
+ foundRoleInStorage := false
+
  for _, storedRole := range storedRoles {
  if userRole == storedRole.Name() {
+ foundRoleInStorage = true
  err := auth.compareRequestedPermissionWithRolePermissions(requestedMethod, storedRole.GetPermissions())
  if err != nil {
  return err
  }
  }
+
+ if foundRoleInStorage {
+ return nil
+ }
  }
 
- return nil
+ return status.Errorf(codes.PermissionDenied, "wrong permissions")
  }
 
  func (auth *AuthInterceptor) compareRequestedPermissionWithRolePermissions(requestedMethod string, storedRolePermissions []string) error {
diff --git a/controller/northbound/server/auth_interceptor_test.go b/controller/northbound/server/auth_interceptor_test.go
index 6380a356870f4d5cfffb4c1a8f61dae8266c7270..a4fb36216a73c55ff2dc09bc638a484444d1872f 100644
--- a/controller/northbound/server/auth_interceptor_test.go
+++ b/controller/northbound/server/auth_interceptor_test.go
@@ -4,6 +4,7 @@ import (
  "context"
  "log"
  "net"
+ "reflect"
  "testing"
 
  apb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/rbac"
@@ -35,7 +36,12 @@ func dialer() func(context.Context, string) (net.Conn, error) {
  }
 
  func TestAuthInterceptor_Unary(t *testing.T) {
- token, err := jwt.GenerateToken(rbac.User{UserName: "testAdmin"})
+ validToken, err := jwt.GenerateToken(rbac.User{UserName: "testAdmin"})
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ wrongUserToken, err := jwt.GenerateToken(rbac.User{UserName: "foo"})
  if err != nil {
  log.Fatal(err)
  }
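Review bot: The `foundRoleInStorage` flag and the `if foundRoleInStorage { return nil }` block at the bottom of the loop only exist to return after the matched iteration, so the match can return directly: `if userRole == storedRole.Name() { return auth.compareRequestedPermissionWithRolePermissions(requestedMethod, storedRole.GetPermissions()) }`, leaving `status.Errorf(codes.PermissionDenied, ...)` as the single fail-closed exit for a role name that is absent from storage. That exit currently reports "wrong permissions", which presumably reads the same as a role that exists but lacks the method, so an operator cannot tell a misconfigured role store from a denied call; a distinct message such as `"role not found"`, or a log line with the role name alongside the generic client-facing message, would separate the two without telling the caller more than it already knows. The new unknown-role branch is not pinned by any test in this commit (the verifyUserRoleAndRequestedCall table in auth_interceptor_test.go is left at `// TODO: Add test cases.`). verifyUserRoleAndRequestedCall begins before this hunk, where storedRoles is loaded.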
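Review bot: The two `log.Fatal(err)` calls after the GenerateToken lines exit the process without reporting through the testing package, so a setup failure aborts the whole package run and skips every other test and its cleanup; the added lines should use `t.Fatalf("generating token: %v", err)` rather than copying the existing pattern. The same `log.Fatal` pattern is kept on the user.SetToken / userc.Update hunk further down this file. TestAuthInterceptor_Unary continues past this hunk.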
@@ -44,14 +50,14 @@ func TestAuthInterceptor_Unary(t *testing.T) { if err != nil { log.Fatal(err) } - user.SetToken(token) + user.SetToken(validToken) err = userc.Update(user) if err != nil { log.Fatal(err) } - md := metadata.Pairs("authorize", token) + md := metadata.Pairs("authorize", validToken) type args struct { ctx context.Context @@ -74,6 +80,33 @@ func TestAuthInterceptor_Unary(t *testing.T) { }, wantErr: false, }, + { + name: "error unary invalid user token", + args: args{ + ctx: metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorize", wrongUserToken)), + request: &apb.GetUsersRequest{}, + }, + want: nil, + wantErr: true, + }, + { + name: "error unary invalid token string", + args: args{ + ctx: metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorize", "foo")), + request: &apb.GetUsersRequest{}, + }, + want: nil, + wantErr: true, + }, + { + name: "error unary no token in metadata", + args: args{ + ctx: metadata.NewOutgoingContext(context.Background(), metadata.Pairs("foo", "foo")), + request: &apb.GetUsersRequest{}, + }, + want: nil, + wantErr: true, + }, } ctx := context.Background() 
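Review bot: The three added error cases in the @@ -74 hunk assert only `wantErr: true`, so a token rejected as Unauthenticated and a call rejected as PermissionDenied are indistinguishable to the test, and a regression that turned the new fail-closed PermissionDenied in auth_interceptor.go into any other error would still pass. Adding a `wantCode codes.Code` field to the table and checking `if status.Code(err) != tt.wantCode { t.Errorf("AuthInterceptor.Unary() code = %v, want %v", status.Code(err), tt.wantCode) }` would pin the distinction. Of the three cases, only "error unary invalid user token" (a validly signed token for "foo", presumably an unknown user) can reach the authorization path, and none uses a known user whose role lacks `/gosdn.rbac.UserService/GetUsers`, which is the branch the production change alters. The test table starts before this hunk.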
@@ -93,10 +126,145 @@ func TestAuthInterceptor_Unary(t *testing.T) { return } - if got.Status != tt.want.Status { + if got != nil && got.Status != tt.want.Status { t.Errorf("AuthInterceptor.Unary() = %v, wantErr %v", err, tt.wantErr) return } }) } } + +func TestAuthInterceptor_Stream(t *testing.T) { + type fields struct { + jwtManager *rbac.JWTManager + } + tests := []struct { + name string + fields fields + want grpc.StreamServerInterceptor + }{ + // TODO: Add test cases. + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + auth := &AuthInterceptor{ + jwtManager: tt.fields.jwtManager, + } + if got := auth.Stream(); !reflect.DeepEqual(got, tt.want) { + t.Errorf("AuthInterceptor.Stream() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestAuthInterceptor_authorize(t *testing.T) { + type fields struct { + jwtManager *rbac.JWTManager + } + type args struct { + ctx context.Context + method string + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + // TODO: Add test cases. + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + auth := &AuthInterceptor{ + jwtManager: tt.fields.jwtManager, + } + if err := auth.authorize(tt.args.ctx, tt.args.method); (err != nil) != tt.wantErr { + t.Errorf("AuthInterceptor.authorize() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func TestAuthInterceptor_verifyPermisisonForRequestedCall(t *testing.T) { + type fields struct { + jwtManager *rbac.JWTManager + } + type args struct { + userRoles map[string]string + requestedMethod string + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + // TODO: Add test cases. 
+ } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + auth := &AuthInterceptor{ + jwtManager: tt.fields.jwtManager, + } + if err := auth.verifyPermisisonForRequestedCall(tt.args.userRoles, tt.args.requestedMethod); (err != nil) != tt.wantErr { + t.Errorf("AuthInterceptor.verifyPermisisonForRequestedCall() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func TestAuthInterceptor_verifyUserRoleAndRequestedCall(t *testing.T) { + type fields struct { + jwtManager *rbac.JWTManager + } + type args struct { + userRole string + requestedMethod string + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + // TODO: Add test cases. + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + auth := &AuthInterceptor{ + jwtManager: tt.fields.jwtManager, + } + if err := auth.verifyUserRoleAndRequestedCall(tt.args.userRole, tt.args.requestedMethod); (err != nil) != tt.wantErr { + t.Errorf("AuthInterceptor.verifyUserRoleAndRequestedCall() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func TestAuthInterceptor_compareRequestedPermissionWithRolePermissions(t *testing.T) { + type fields struct { + jwtManager *rbac.JWTManager + } + type args struct { + requestedMethod string + storedRolePermissions []string + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + // TODO: Add test cases. + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + auth := &AuthInterceptor{ + jwtManager: tt.fields.jwtManager, + } + if err := auth.compareRequestedPermissionWithRolePermissions(tt.args.requestedMethod, tt.args.storedRolePermissions); (err != nil) != tt.wantErr { + t.Errorf("AuthInterceptor.compareRequestedPermissionWithRolePermissions() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} 
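Review bot: The changed guard `if got != nil && got.Status != tt.want.Status` lets a case with `wantErr: false` and a nil response pass silently, and the Errorf on the next line still prints `err, tt.wantErr` instead of the compared values; suggest `if (got == nil) != (tt.want == nil) || (got != nil && got.Status != tt.want.Status) { t.Errorf("AuthInterceptor.Unary() = %v, want %v", got, tt.want) }`. The five new table tests (Stream, authorize, verifyPermisisonForRequestedCall, verifyUserRoleAndRequestedCall, compareRequestedPermissionWithRolePermissions) are generated scaffolds with empty tables marked `// TODO: Add test cases.`, so they pass vacuously and the fail-closed unknown-role path in verifyUserRoleAndRequestedCall remains untested by this commit. TestAuthInterceptor_Stream compares `grpc.StreamServerInterceptor` values with reflect.DeepEqual, which is only true when both funcs are nil, so any non-nil `want` added later will always fail; exercise the returned interceptor through a call instead. The body of TestAuthInterceptor_Unary starts before this hunk.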
diff --git a/controller/northbound/server/role_test.go b/controller/northbound/server/role_test.go
index ef2aeabe647035c1bfaaa3dab84eec4ba21486ca..055d99c86474a830c568999185fb9c699284fd6c 100644
--- a/controller/northbound/server/role_test.go
+++ b/controller/northbound/server/role_test.go
@@ -147,6 +147,7 @@ func TestRole_GetRoles(t *testing.T) {
  Permissions: []string{
  "/gosdn.core.CoreService/GetPnd",
  "/gosdn.core.CoreService/GetPndList",
+ "/gosdn.rbac.UserService/GetUsers",
  }},
  {
  Name: "userTestRole",
diff --git a/controller/northbound/server/test_util_test.go b/controller/northbound/server/test_util_test.go
index 2f7012b9693b84d7fc00791ed20c374f10c2eb4d..d4b242fd9d68384df3264ac1f83d780faefb1440 100644
--- a/controller/northbound/server/test_util_test.go
+++ b/controller/northbound/server/test_util_test.go
@@ -17,8 +17,8 @@ const userID = "57005d13-7a4d-493d-a02b-50ca51c40197"
  const adminRoleID = "126683ae-5ff2-43ee-92f7-0e2b936f8c77"
  const randomRoleName = "bertram"
 
- var adminRoleMap = map[string]string{pndID: "admin"}
- var userRoleMap = map[string]string{pndID: "user"}
+ var adminRoleMap = map[string]string{pndID: "adminTestRole"}
+ var userRoleMap = map[string]string{pndID: "userTestRole"}
  var jwt *rbac.JWTManager
 
  func clearAndCreateAuthTestSetup() error {
@@ -88,6 +88,7 @@ func createTestRoles() error {
  Permissions: []string{
  "/gosdn.core.CoreService/GetPnd",
  "/gosdn.core.CoreService/GetPndList",
+ "/gosdn.rbac.UserService/GetUsers",
  },
  },
  {
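Review bot: The role names in `adminRoleMap` and `userRoleMap` (test_util_test.go, @@ -17 hunk) are string literals that have to match the `Name` fields written by createTestRoles and the expected roles in role_test.go; this commit corrects exactly such a drift ("admin" vs "adminTestRole"), which presumably went unnoticed because the old verifyUserRoleAndRequestedCall returned nil for a role it could not find. Declaring the names once next to adminRoleID, e.g. `const adminRoleName = "adminTestRole"` and `const userRoleName = "userTestRole"`, and using those constants in the maps, in createTestRoles and in role_test.go gives the next rename a single place to change. The `/gosdn.rbac.UserService/GetUsers` permission string added in both the role_test.go and createTestRoles hunks would benefit from the same treatment.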