more test cases + fixed a bug where permissions where not checked

3cefbf45 · Fabian Seidl · b54739d1 · 3cefbf45 · 3cefbf45 · 3cefbf45
Commit 3cefbf45 authored 3 years ago by Fabian Seidl
--- a/controller/northbound/server/auth_interceptor.go
+++ b/controller/northbound/server/auth_interceptor.go
@@ -125,16 +125,23 @@ func (auth *AuthInterceptor) verifyUserRoleAndRequestedCall(userRole, requestedM
 		return err
 	}

+	foundRoleInStorage := false
+
 	for _, storedRole := range storedRoles {
 		if userRole == storedRole.Name() {
+			foundRoleInStorage = true
 			err := auth.compareRequestedPermissionWithRolePermissions(requestedMethod, storedRole.GetPermissions())
 			if err != nil {
 				return err
 			}
 		}
+
+		if foundRoleInStorage {
+			return nil
+		}
 	}

-	return nil
+	return status.Errorf(codes.PermissionDenied, "wrong permissions")
 }

 func (auth *AuthInterceptor) compareRequestedPermissionWithRolePermissions(requestedMethod string, storedRolePermissions []string) error {

--- a/controller/northbound/server/auth_interceptor_test.go
+++ b/controller/northbound/server/auth_interceptor_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"log"
 	"net"
+	"reflect"
 	"testing"

 	apb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/rbac"
@@ -35,7 +36,12 @@ func dialer() func(context.Context, string) (net.Conn, error) {
 }

 func TestAuthInterceptor_Unary(t *testing.T) {
-	token, err := jwt.GenerateToken(rbac.User{UserName: "testAdmin"})
+	validToken, err := jwt.GenerateToken(rbac.User{UserName: "testAdmin"})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	wrongUserToken, err := jwt.GenerateToken(rbac.User{UserName: "foo"})
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -44,14 +50,14 @@ func TestAuthInterceptor_Unary(t *testing.T) {
 	if err != nil {
 		log.Fatal(err)
 	}
-	user.SetToken(token)
+	user.SetToken(validToken)

 	err = userc.Update(user)
 	if err != nil {
 		log.Fatal(err)
 	}

-	md := metadata.Pairs("authorize", token)
+	md := metadata.Pairs("authorize", validToken)

 	type args struct {
 		ctx     context.Context
@@ -74,6 +80,33 @@ func TestAuthInterceptor_Unary(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "error unary invalid user token",
+			args: args{
+				ctx:     metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorize", wrongUserToken)),
+				request: &apb.GetUsersRequest{},
+			},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "error unary invalid token string",
+			args: args{
+				ctx:     metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorize", "foo")),
+				request: &apb.GetUsersRequest{},
+			},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "error unary no token in metadata",
+			args: args{
+				ctx:     metadata.NewOutgoingContext(context.Background(), metadata.Pairs("foo", "foo")),
+				request: &apb.GetUsersRequest{},
+			},
+			want:    nil,
+			wantErr: true,
+		},
 	}

 	ctx := context.Background()
@@ -93,10 +126,145 @@ func TestAuthInterceptor_Unary(t *testing.T) {
 				return
 			}

-			if got.Status != tt.want.Status {
+			if got != nil && got.Status != tt.want.Status {
 				t.Errorf("AuthInterceptor.Unary() = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 		})
 	}
 }
+
+func TestAuthInterceptor_Stream(t *testing.T) {
+	type fields struct {
+		jwtManager *rbac.JWTManager
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   grpc.StreamServerInterceptor
+	}{
+		// TODO: Add test cases.
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth := &AuthInterceptor{
+				jwtManager: tt.fields.jwtManager,
+			}
+			if got := auth.Stream(); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("AuthInterceptor.Stream() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestAuthInterceptor_authorize(t *testing.T) {
+	type fields struct {
+		jwtManager *rbac.JWTManager
+	}
+	type args struct {
+		ctx    context.Context
+		method string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr bool
+	}{
+		// TODO: Add test cases.
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth := &AuthInterceptor{
+				jwtManager: tt.fields.jwtManager,
+			}
+			if err := auth.authorize(tt.args.ctx, tt.args.method); (err != nil) != tt.wantErr {
+				t.Errorf("AuthInterceptor.authorize() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestAuthInterceptor_verifyPermisisonForRequestedCall(t *testing.T) {
+	type fields struct {
+		jwtManager *rbac.JWTManager
+	}
+	type args struct {
+		userRoles       map[string]string
+		requestedMethod string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr bool
+	}{
+		// TODO: Add test cases.
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth := &AuthInterceptor{
+				jwtManager: tt.fields.jwtManager,
+			}
+			if err := auth.verifyPermisisonForRequestedCall(tt.args.userRoles, tt.args.requestedMethod); (err != nil) != tt.wantErr {
+				t.Errorf("AuthInterceptor.verifyPermisisonForRequestedCall() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestAuthInterceptor_verifyUserRoleAndRequestedCall(t *testing.T) {
+	type fields struct {
+		jwtManager *rbac.JWTManager
+	}
+	type args struct {
+		userRole        string
+		requestedMethod string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr bool
+	}{
+		// TODO: Add test cases.
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth := &AuthInterceptor{
+				jwtManager: tt.fields.jwtManager,
+			}
+			if err := auth.verifyUserRoleAndRequestedCall(tt.args.userRole, tt.args.requestedMethod); (err != nil) != tt.wantErr {
+				t.Errorf("AuthInterceptor.verifyUserRoleAndRequestedCall() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestAuthInterceptor_compareRequestedPermissionWithRolePermissions(t *testing.T) {
+	type fields struct {
+		jwtManager *rbac.JWTManager
+	}
+	type args struct {
+		requestedMethod       string
+		storedRolePermissions []string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr bool
+	}{
+		// TODO: Add test cases.
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth := &AuthInterceptor{
+				jwtManager: tt.fields.jwtManager,
+			}
+			if err := auth.compareRequestedPermissionWithRolePermissions(tt.args.requestedMethod, tt.args.storedRolePermissions); (err != nil) != tt.wantErr {
+				t.Errorf("AuthInterceptor.compareRequestedPermissionWithRolePermissions() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/controller/northbound/server/role_test.go
+++ b/controller/northbound/server/role_test.go
@@ -147,6 +147,7 @@ func TestRole_GetRoles(t *testing.T) {
 						Permissions: []string{
 							"/gosdn.core.CoreService/GetPnd",
 							"/gosdn.core.CoreService/GetPndList",
+							"/gosdn.rbac.UserService/GetUsers",
 						}},
 					{
 						Name:        "userTestRole",

--- a/controller/northbound/server/test_util_test.go
+++ b/controller/northbound/server/test_util_test.go
@@ -17,8 +17,8 @@ const userID = "57005d13-7a4d-493d-a02b-50ca51c40197"
 const adminRoleID = "126683ae-5ff2-43ee-92f7-0e2b936f8c77"
 const randomRoleName = "bertram"

-var adminRoleMap = map[string]string{pndID: "admin"}
-var userRoleMap = map[string]string{pndID: "user"}
+var adminRoleMap = map[string]string{pndID: "adminTestRole"}
+var userRoleMap = map[string]string{pndID: "userTestRole"}
 var jwt *rbac.JWTManager

 func clearAndCreateAuthTestSetup() error {
@@ -88,6 +88,7 @@ func createTestRoles() error {
 			Permissions: []string{
 				"/gosdn.core.CoreService/GetPnd",
 				"/gosdn.core.CoreService/GetPndList",
+				"/gosdn.rbac.UserService/GetUsers",
 			},
 		},
 		{