Test authz webhook

ContainerSSH · Aug 11, 2023 · ef14170 · ef14170
1 parent 979edd3
commit ef14170
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 4 deletions.
diff --git a/internal/auth/webhook_client_impl.go b/internal/auth/webhook_client_impl.go
@@ -43,7 +43,13 @@ func (client *webhookClient) Authorize(
 		client.logger.Debug(err)
 		return &webhookClientContext{meta.AuthFailed(), false, err}
 	}
-	return client.processAuthzWithRetry(meta)
+
+	url := client.endpoint + "/authz"
+	authzRequest := auth.AuthorizationRequest{
+		ConnectionAuthenticatedMetadata: meta,
+	}
+
+	return client.processAuthzWithRetry(meta, url, authzRequest)
 }
 
 func (client *webhookClient) Password(
@@ -268,10 +274,9 @@ func (client *webhookClient) authServerRequest(endpoint string, requestObject in
 
 func (client *webhookClient) processAuthzWithRetry(
 	meta metadata.ConnectionAuthenticatedMetadata,
+	url string,
+	authzRequest interface{},
 ) AuthenticationContext {
-	url := client.endpoint + "/authz"
-	authzRequest := auth.AuthorizationRequest{}
-
 	ctx, cancel := context.WithTimeout(context.Background(), client.timeout)
 	defer cancel()
 	var lastError error

diff --git a/internal/auth/webhook_test.go b/internal/auth/webhook_test.go
@@ -70,6 +70,19 @@ func (h *handler) OnAuthorization(meta metadata.ConnectionAuthenticatedMetadata)
 	metadata.ConnectionAuthenticatedMetadata,
 	error,
 ) {
+	if meta.RemoteAddress.IP.String() != "127.0.0.1" {
+		return false, meta.AuthFailed(), fmt.Errorf("invalid IP: %s", meta.RemoteAddress.IP.String())
+	}
+	if meta.ConnectionID != "0123456789ABCDEF" {
+		return false, meta.AuthFailed(), fmt.Errorf("invalid connection ID: %s", meta.ConnectionID)
+	}
+	if meta.AuthenticatedUsername == "foo" {
+		return true, meta.AuthFailed(), nil
+	}
+	if meta.Username == "crash" {
+		// Simulate a database failure
+		return false, meta.AuthFailed(), fmt.Errorf("database error")
+	}
 	return false, meta.AuthFailed(), nil
 }
 
@@ -143,6 +156,24 @@ func TestAuth(t *testing.T) {
 				)
 				assert.NotEqual(t, nil, authenticationContext.Error())
 				assert.Equal(t, false, authenticationContext.Success())
+
+				authenticationContext = client.Authorize(
+					metadata.NewTestAuthenticatingMetadata("foo").Authenticated("foo"),
+				)
+				assert.Equal(t, nil, authenticationContext.Error())
+				assert.Equal(t, true, authenticationContext.Success())
+
+				authenticationContext = client.Authorize(
+					metadata.NewTestAuthenticatingMetadata("foo").Authenticated("foonoauthz"),
+				)
+				assert.Equal(t, nil, authenticationContext.Error())
+				assert.Equal(t, false, authenticationContext.Success())
+
+				authenticationContext = client.Authorize(
+					metadata.NewTestAuthenticatingMetadata("crash").Authenticated("crash"),
+				)
+				assert.NotEqual(t, nil, authenticationContext.Error())
+				assert.Equal(t, false, authenticationContext.Success())
 			},
 		)
 	}