160 lines
4.9 KiB
Go
160 lines
4.9 KiB
Go
package auth
|
|
|
|
import (
|
|
"io"
|
|
"log/slog"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"git.warky.dev/wdevs/amcs/internal/config"
|
|
)
|
|
|
|
func testLogger() *slog.Logger {
|
|
return slog.New(slog.NewTextHandler(io.Discard, nil))
|
|
}
|
|
|
|
func TestNewKeyringAndLookup(t *testing.T) {
|
|
_, err := NewKeyring(nil)
|
|
if err == nil {
|
|
t.Fatal("NewKeyring(nil) error = nil, want error")
|
|
}
|
|
|
|
keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
|
|
if err != nil {
|
|
t.Fatalf("NewKeyring() error = %v", err)
|
|
}
|
|
|
|
if got, ok := keyring.Lookup("secret"); !ok || got != "client-a" {
|
|
t.Fatalf("Lookup(secret) = (%q, %v), want (client-a, true)", got, ok)
|
|
}
|
|
if _, ok := keyring.Lookup("wrong"); ok {
|
|
t.Fatal("Lookup(wrong) = true, want false")
|
|
}
|
|
}
|
|
|
|
func TestMiddlewareAllowsHeaderAuthAndSetsContext(t *testing.T) {
|
|
keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
|
|
if err != nil {
|
|
t.Fatalf("NewKeyring() error = %v", err)
|
|
}
|
|
|
|
handler := Middleware(config.AuthConfig{HeaderName: "x-brain-key"}, keyring, nil, nil, nil, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
keyID, ok := KeyIDFromContext(r.Context())
|
|
if !ok || keyID != "client-a" {
|
|
t.Fatalf("KeyIDFromContext() = (%q, %v), want (client-a, true)", keyID, ok)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
|
|
req.Header.Set("x-brain-key", "secret")
|
|
rec := httptest.NewRecorder()
|
|
handler.ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
|
|
}
|
|
}
|
|
|
|
func TestMiddlewareAllowsBearerAuthAndSetsContext(t *testing.T) {
|
|
keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
|
|
if err != nil {
|
|
t.Fatalf("NewKeyring() error = %v", err)
|
|
}
|
|
|
|
handler := Middleware(config.AuthConfig{HeaderName: "x-brain-key"}, keyring, nil, nil, nil, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
keyID, ok := KeyIDFromContext(r.Context())
|
|
if !ok || keyID != "client-a" {
|
|
t.Fatalf("KeyIDFromContext() = (%q, %v), want (client-a, true)", keyID, ok)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
|
|
req.Header.Set("Authorization", "Bearer secret")
|
|
rec := httptest.NewRecorder()
|
|
handler.ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
|
|
}
|
|
}
|
|
|
|
func TestMiddlewarePrefersExplicitHeaderOverBearerAuth(t *testing.T) {
|
|
keyring, err := NewKeyring([]config.APIKey{
|
|
{ID: "client-a", Value: "secret"},
|
|
{ID: "client-b", Value: "other-secret"},
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("NewKeyring() error = %v", err)
|
|
}
|
|
|
|
handler := Middleware(config.AuthConfig{HeaderName: "x-brain-key"}, keyring, nil, nil, nil, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
keyID, ok := KeyIDFromContext(r.Context())
|
|
if !ok || keyID != "client-a" {
|
|
t.Fatalf("KeyIDFromContext() = (%q, %v), want (client-a, true)", keyID, ok)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
|
|
req.Header.Set("x-brain-key", "secret")
|
|
req.Header.Set("Authorization", "Bearer other-secret")
|
|
rec := httptest.NewRecorder()
|
|
handler.ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
|
|
}
|
|
}
|
|
|
|
func TestMiddlewareAllowsQueryParamWhenEnabled(t *testing.T) {
|
|
keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
|
|
if err != nil {
|
|
t.Fatalf("NewKeyring() error = %v", err)
|
|
}
|
|
|
|
handler := Middleware(config.AuthConfig{
|
|
HeaderName: "x-brain-key",
|
|
QueryParam: "key",
|
|
AllowQueryParam: true,
|
|
}, keyring, nil, nil, nil, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/mcp?key=secret", nil)
|
|
rec := httptest.NewRecorder()
|
|
handler.ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("status = %d, want %d", rec.Code, http.StatusNoContent)
|
|
}
|
|
}
|
|
|
|
func TestMiddlewareRejectsMissingOrInvalidKey(t *testing.T) {
|
|
keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
|
|
if err != nil {
|
|
t.Fatalf("NewKeyring() error = %v", err)
|
|
}
|
|
|
|
handler := Middleware(config.AuthConfig{HeaderName: "x-brain-key"}, keyring, nil, nil, nil, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
|
|
rec := httptest.NewRecorder()
|
|
handler.ServeHTTP(rec, req)
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Fatalf("missing key status = %d, want %d", rec.Code, http.StatusUnauthorized)
|
|
}
|
|
|
|
req = httptest.NewRequest(http.MethodGet, "/mcp", nil)
|
|
req.Header.Set("x-brain-key", "wrong")
|
|
rec = httptest.NewRecorder()
|
|
handler.ServeHTTP(rec, req)
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Fatalf("invalid key status = %d, want %d", rec.Code, http.StatusUnauthorized)
|
|
}
|
|
}
|