test: negative tests for API.Authorizations

ipfs · Nov 16, 2023 · 6acfaf7 · 6acfaf7
1 parent 8f24bb7
commit 6acfaf7
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 6 deletions.
diff --git a/client/rpc/auth/auth.go b/client/rpc/auth/auth.go
@@ -10,7 +10,7 @@ type AuthorizedRoundTripper struct {
 }
 
 // NewAuthorizedRoundTripper creates a new [http.RoundTripper] that will set the
-// Authorization HTTP header with the value of [secret]. The given [roundTripper] is
+// Authorization HTTP header with the value of [authorization]. The given [roundTripper] is
 // the base [http.RoundTripper]. If it is nil, [http.DefaultTransport] is used.
 func NewAuthorizedRoundTripper(authorization string, roundTripper http.RoundTripper) http.RoundTripper {
 	if roundTripper == nil {

diff --git a/test/cli/auth_test.go → test/cli/rpc_auth_test.go b/test/cli/auth_test.go → test/cli/rpc_auth_test.go
@@ -13,7 +13,7 @@ import (
 
 const rpcDeniedMsg = "Kubo RPC Access Denied: Please provide a valid authorization token as defined in the API.Authorizations configuration."
 
-func TestAuth(t *testing.T) {
+func TestRPCAuth(t *testing.T) {
 	t.Parallel()
 
 	makeAndStartProtectedNode := func(t *testing.T, authorizations map[string]*config.RPCAuthScope) *harness.Node {
@@ -47,14 +47,24 @@ func TestAuth(t *testing.T) {
 				Transport: auth.NewAuthorizedRoundTripper(header, http.DefaultTransport),
 			}
 
-			// Can access /id
+			// Can access /id with valid token
 			resp := apiClient.Post("/api/v0/id", nil)
 			assert.Equal(t, 200, resp.StatusCode)
 
 			// But not /config/show
 			resp = apiClient.Post("/api/v0/config/show", nil)
 			assert.Equal(t, 403, resp.StatusCode)
 
+			// create client which sends invalid access token
+			invalidApiClient := node.APIClient()
+			invalidApiClient.Client = &http.Client{
+				Transport: auth.NewAuthorizedRoundTripper("Bearer invalid", http.DefaultTransport),
+			}
+
+			// Can't access /id with invalid token
+			errResp := invalidApiClient.Post("/api/v0/id", nil)
+			assert.Equal(t, 403, errResp.StatusCode)
+
 			node.StopDaemon()
 		}
 	}
@@ -93,11 +103,11 @@ func TestAuth(t *testing.T) {
 		{"Basic (user:pass)", "basic:user:pass", "Basic dXNlcjpwYXNz"},
 		{"Basic (encoded)", "basic:dXNlcjpwYXNz", "Basic dXNlcjpwYXNz"},
 	} {
-		t.Run("Adheres to Allowed Paths on CLI "+testCase.name, makeCLITest(testCase.authSecret))
-		t.Run("Adheres to Allowed Paths on HTTP "+testCase.name, makeHTTPTest(testCase.authSecret, testCase.header))
+		t.Run("AllowedPaths on CLI "+testCase.name, makeCLITest(testCase.authSecret))
+		t.Run("AllowedPaths on HTTP "+testCase.name, makeHTTPTest(testCase.authSecret, testCase.header))
 	}
 
-	t.Run("Generic Allowed Path Gives Full Access", func(t *testing.T) {
+	t.Run("AllowedPaths set to /api/v0 Gives Full Access", func(t *testing.T) {
 		t.Parallel()
 
 		node := makeAndStartProtectedNode(t, map[string]*config.RPCAuthScope{
@@ -117,4 +127,36 @@ func TestAuth(t *testing.T) {
 
 		node.StopDaemon()
 	})
+
+	t.Run("API.Authorizations set to nil disables Authorization header check", func(t *testing.T) {
+		t.Parallel()
+
+		node := harness.NewT(t).NewNode().Init()
+		node.UpdateConfig(func(cfg *config.Config) {
+			cfg.API.Authorizations = nil
+		})
+		node.StartDaemon()
+
+		apiClient := node.APIClient()
+		resp := apiClient.Post("/api/v0/id", nil)
+		assert.Equal(t, 200, resp.StatusCode)
+
+		node.StopDaemon()
+	})
+
+	t.Run("API.Authorizations set to empty map disables Authorization header check", func(t *testing.T) {
+		t.Parallel()
+
+		node := harness.NewT(t).NewNode().Init()
+		node.UpdateConfig(func(cfg *config.Config) {
+			cfg.API.Authorizations = map[string]*config.RPCAuthScope{}
+		})
+		node.StartDaemon()
+
+		apiClient := node.APIClient()
+		resp := apiClient.Post("/api/v0/id", nil)
+		assert.Equal(t, 200, resp.StatusCode)
+
+		node.StopDaemon()
+	})
 }