Ilia Denisov
286 lines
11 KiB
Go
286 lines
11 KiB
Go
package gatewayauthsession_test
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ed25519"
|
|
"encoding/base64"
|
|
"net/http"
|
|
"testing"
|
|
"time"
|
|
|
|
"galaxy/integration/internal/harness"
|
|
|
|
gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
func TestGatewayAuthSessionSendEmailCodeReachesAuthsessionMailDelivery(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
|
"email": testEmail,
|
|
})
|
|
require.Equal(t, http.StatusOK, response.StatusCode)
|
|
|
|
var body struct {
|
|
ChallengeID string `json:"challenge_id"`
|
|
}
|
|
require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
|
|
require.NotEmpty(t, body.ChallengeID)
|
|
|
|
deliveries := h.mailStub.RecordedDeliveries()
|
|
require.Len(t, deliveries, 1)
|
|
require.Equal(t, testEmail, deliveries[0].Email)
|
|
require.Len(t, deliveries[0].Code, 6)
|
|
}
|
|
|
|
func TestGatewayAuthSessionConfirmCreatesProjectionAndAllowsSubscribeEvents(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
clientPrivateKey := newClientPrivateKey("confirm-projection")
|
|
challengeID, code := h.sendChallenge(t, testEmail)
|
|
|
|
response := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
|
require.Equal(t, http.StatusOK, response.StatusCode)
|
|
|
|
var confirmBody struct {
|
|
DeviceSessionID string `json:"device_session_id"`
|
|
}
|
|
require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &confirmBody))
|
|
require.NotEmpty(t, confirmBody.DeviceSessionID)
|
|
|
|
record := h.readGatewaySessionRecord(t, confirmBody.DeviceSessionID)
|
|
require.Equal(t, gatewaySessionRecord{
|
|
DeviceSessionID: confirmBody.DeviceSessionID,
|
|
UserID: "user-1",
|
|
ClientPublicKey: base64.StdEncoding.EncodeToString(clientPrivateKey.Public().(ed25519.PublicKey)),
|
|
Status: "active",
|
|
}, record)
|
|
|
|
ensureCalls := h.userStub.EnsureCalls()
|
|
require.Len(t, ensureCalls, 1)
|
|
require.Equal(t, testEmail, ensureCalls[0].Email)
|
|
require.Equal(t, "en", ensureCalls[0].PreferredLanguage)
|
|
require.Equal(t, testTimeZone, ensureCalls[0].TimeZone)
|
|
|
|
conn := h.dialGateway(t)
|
|
client := gatewayv1.NewEdgeGatewayClient(conn)
|
|
|
|
stream, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-bootstrap", clientPrivateKey))
|
|
require.NoError(t, err)
|
|
|
|
event, err := stream.Recv()
|
|
require.NoError(t, err)
|
|
assertBootstrapEvent(t, event, h.responseSignerPublicKey, "request-bootstrap")
|
|
}
|
|
|
|
func TestGatewayAuthSessionAcceptLanguageIsForwardedToMailAndUser(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
clientPrivateKey := newClientPrivateKey("localized")
|
|
challengeID, code := h.sendChallengeWithAcceptLanguage(t, testEmail, "fr-FR, en;q=0.8")
|
|
|
|
deliveries := h.mailStub.RecordedDeliveries()
|
|
require.NotEmpty(t, deliveries)
|
|
require.Equal(t, "fr-FR", deliveries[len(deliveries)-1].Locale)
|
|
|
|
response := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
|
require.Equal(t, http.StatusOK, response.StatusCode)
|
|
|
|
ensureCalls := h.userStub.EnsureCalls()
|
|
require.Len(t, ensureCalls, 1)
|
|
require.Equal(t, testEmail, ensureCalls[0].Email)
|
|
require.Equal(t, "fr-FR", ensureCalls[0].PreferredLanguage)
|
|
require.Equal(t, testTimeZone, ensureCalls[0].TimeZone)
|
|
}
|
|
|
|
func TestGatewayAuthSessionRepeatedConfirmReturnsSameSessionID(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
clientPrivateKey := newClientPrivateKey("repeated-confirm")
|
|
challengeID, code := h.sendChallenge(t, testEmail)
|
|
|
|
first := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
|
second := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
|
require.Equal(t, http.StatusOK, first.StatusCode)
|
|
require.Equal(t, http.StatusOK, second.StatusCode)
|
|
|
|
var firstBody struct {
|
|
DeviceSessionID string `json:"device_session_id"`
|
|
}
|
|
var secondBody struct {
|
|
DeviceSessionID string `json:"device_session_id"`
|
|
}
|
|
require.NoError(t, decodeStrictJSONPayload([]byte(first.Body), &firstBody))
|
|
require.NoError(t, decodeStrictJSONPayload([]byte(second.Body), &secondBody))
|
|
require.Equal(t, firstBody.DeviceSessionID, secondBody.DeviceSessionID)
|
|
}
|
|
|
|
func TestGatewayAuthSessionInvalidClientPublicKeyPassesThroughUnchanged(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
challengeID, _ := h.sendChallenge(t, testEmail)
|
|
|
|
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/confirm-email-code", map[string]string{
|
|
"challenge_id": challengeID,
|
|
"code": "123456",
|
|
"client_public_key": "invalid",
|
|
"time_zone": testTimeZone,
|
|
})
|
|
|
|
require.Equal(t, http.StatusBadRequest, response.StatusCode)
|
|
require.JSONEq(t, `{"error":{"code":"invalid_client_public_key","message":"client_public_key is not a valid base64-encoded raw 32-byte Ed25519 public key"}}`, response.Body)
|
|
}
|
|
|
|
func TestGatewayAuthSessionChallengeNotFoundPassesThroughUnchanged(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
response := h.confirmCode(t, "missing-challenge", "123456", newClientPrivateKey("missing-challenge"))
|
|
|
|
require.Equal(t, http.StatusNotFound, response.StatusCode)
|
|
require.JSONEq(t, `{"error":{"code":"challenge_not_found","message":"challenge not found"}}`, response.Body)
|
|
}
|
|
|
|
func TestGatewayAuthSessionInvalidCodePassesThroughUnchanged(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
clientPrivateKey := newClientPrivateKey("invalid-code")
|
|
challengeID, code := h.sendChallenge(t, testEmail)
|
|
invalidCode := "000000"
|
|
if code == invalidCode {
|
|
invalidCode = "111111"
|
|
}
|
|
|
|
response := h.confirmCode(t, challengeID, invalidCode, clientPrivateKey)
|
|
|
|
require.Equal(t, http.StatusBadRequest, response.StatusCode)
|
|
require.JSONEq(t, `{"error":{"code":"invalid_code","message":"confirmation code is invalid"}}`, response.Body)
|
|
}
|
|
|
|
func TestGatewayAuthSessionBlockedSendRemainsSuccessShapedWithoutDelivery(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
h.userStub.SeedBlockedEmail(testEmail, "policy_blocked")
|
|
|
|
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
|
"email": testEmail,
|
|
})
|
|
|
|
require.Equal(t, http.StatusOK, response.StatusCode)
|
|
var body struct {
|
|
ChallengeID string `json:"challenge_id"`
|
|
}
|
|
require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
|
|
require.NotEmpty(t, body.ChallengeID)
|
|
require.Empty(t, h.mailStub.RecordedDeliveries())
|
|
}
|
|
|
|
func TestGatewayAuthSessionSessionLimitExceededPassesThroughUnchanged(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
h.seedSessionLimit(t, 1)
|
|
|
|
firstClientPrivateKey := newClientPrivateKey("session-limit-first")
|
|
firstChallengeID, firstCode := h.sendChallenge(t, testEmail)
|
|
firstConfirm := h.confirmCode(t, firstChallengeID, firstCode, firstClientPrivateKey)
|
|
require.Equal(t, http.StatusOK, firstConfirm.StatusCode)
|
|
|
|
const secondEmail = "pilot-second@example.com"
|
|
h.userStub.SeedExisting(secondEmail, "user-1")
|
|
|
|
secondClientPrivateKey := newClientPrivateKey("session-limit-second")
|
|
secondChallengeID, secondCode := h.sendChallenge(t, secondEmail)
|
|
secondConfirm := h.confirmCode(t, secondChallengeID, secondCode, secondClientPrivateKey)
|
|
|
|
require.Equal(t, http.StatusConflict, secondConfirm.StatusCode)
|
|
require.JSONEq(t, `{"error":{"code":"session_limit_exceeded","message":"active session limit would be exceeded"}}`, secondConfirm.Body)
|
|
}
|
|
|
|
func TestGatewayAuthSessionRevokeClosesPushStreamAndRejectsReopen(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
|
|
|
clientPrivateKey := newClientPrivateKey("revoke")
|
|
challengeID, code := h.sendChallenge(t, testEmail)
|
|
confirm := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
|
require.Equal(t, http.StatusOK, confirm.StatusCode)
|
|
|
|
var confirmBody struct {
|
|
DeviceSessionID string `json:"device_session_id"`
|
|
}
|
|
require.NoError(t, decodeStrictJSONPayload([]byte(confirm.Body), &confirmBody))
|
|
|
|
conn := h.dialGateway(t)
|
|
client := gatewayv1.NewEdgeGatewayClient(conn)
|
|
|
|
stream, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-revoke", clientPrivateKey))
|
|
require.NoError(t, err)
|
|
|
|
event, err := stream.Recv()
|
|
require.NoError(t, err)
|
|
assertBootstrapEvent(t, event, h.responseSignerPublicKey, "request-revoke")
|
|
|
|
revokeResponse := postJSONValue(t, h.authsessionInternalURL+"/api/v1/internal/sessions/"+confirmBody.DeviceSessionID+"/revoke", map[string]any{
|
|
"reason_code": "admin_revoke",
|
|
"actor": map[string]string{
|
|
"type": "system",
|
|
},
|
|
})
|
|
require.Equal(t, http.StatusOK, revokeResponse.StatusCode)
|
|
|
|
recvErrCh := make(chan error, 1)
|
|
go func() {
|
|
_, recvErr := stream.Recv()
|
|
recvErrCh <- recvErr
|
|
}()
|
|
|
|
select {
|
|
case recvErr := <-recvErrCh:
|
|
require.Equal(t, codes.FailedPrecondition, status.Code(recvErr))
|
|
require.Equal(t, "device session is revoked", status.Convert(recvErr).Message())
|
|
case <-time.After(5 * time.Second):
|
|
t.Fatal("gateway stream did not close after authsession revoke")
|
|
}
|
|
|
|
reopened, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-reopen", clientPrivateKey))
|
|
if err == nil {
|
|
_, err = reopened.Recv()
|
|
}
|
|
|
|
require.Equal(t, codes.FailedPrecondition, status.Code(err))
|
|
require.Equal(t, "device session is revoked", status.Convert(err).Message())
|
|
}
|
|
|
|
func TestGatewayAuthSessionGatewayTimeoutMappingOverridesAuthsessionMessage(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{
|
|
gatewayAuthUpstreamTimeout: 50 * time.Millisecond,
|
|
authsessionPublicHTTPTimeout: time.Second,
|
|
authsessionMailBehavior: harness.MailBehavior{
|
|
Delay: 200 * time.Millisecond,
|
|
},
|
|
})
|
|
|
|
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
|
"email": testEmail,
|
|
})
|
|
|
|
require.Equal(t, http.StatusServiceUnavailable, response.StatusCode)
|
|
require.JSONEq(t, `{"error":{"code":"service_unavailable","message":"auth service is unavailable"}}`, response.Body)
|
|
}
|
|
|
|
func TestGatewayAuthSessionAuthsessionServiceUnavailablePassesThroughUnchanged(t *testing.T) {
|
|
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{
|
|
authsessionMailBehavior: harness.MailBehavior{
|
|
StatusCode: http.StatusServiceUnavailable,
|
|
RawBody: `{"error":"mail backend unavailable"}`,
|
|
},
|
|
})
|
|
|
|
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
|
"email": testEmail,
|
|
})
|
|
|
|
require.Equal(t, http.StatusServiceUnavailable, response.StatusCode)
|
|
require.JSONEq(t, `{"error":{"code":"service_unavailable","message":"service is unavailable"}}`, response.Body)
|
|
}
|