mirror of
https://github.com/tailscale/tailscale.git
synced 2025-12-24 01:26:39 +00:00
188 lines
5.0 KiB
Go
188 lines
5.0 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package oauthkey
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestResolveAuthKey(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
clientID string
|
|
tags []string
|
|
wantAuthKey string
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "keys without client secret prefix pass through unchanged",
|
|
clientID: "tskey-auth-regular",
|
|
tags: []string{"tag:test"},
|
|
wantAuthKey: "tskey-auth-regular",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "client secret without advertised tags",
|
|
clientID: "tskey-client-abc",
|
|
tags: nil,
|
|
wantAuthKey: "",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "client secret with default attributes",
|
|
clientID: "tskey-client-abc",
|
|
tags: []string{"tag:test"},
|
|
wantAuthKey: "tskey-auth-xyz",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "client secret with custom attributes",
|
|
clientID: "tskey-client-abc?ephemeral=false&preauthorized=true",
|
|
tags: []string{"tag:test"},
|
|
wantAuthKey: "tskey-auth-xyz",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "client secret with unknown attribute",
|
|
clientID: "tskey-client-abc?unknown=value",
|
|
tags: []string{"tag:test"},
|
|
wantAuthKey: "",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "oauth client secret with invalid attribute value",
|
|
clientID: "tskey-client-abc?ephemeral=invalid",
|
|
tags: []string{"tag:test"},
|
|
wantAuthKey: "",
|
|
wantErr: true,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
srv := mockControlServer(t)
|
|
defer srv.Close()
|
|
|
|
// resolveAuthKey reads custom control plane URLs off the baseURL attribute
|
|
// on the client secret string. Therefore, append the baseURL attribute with
|
|
// the mock control server URL to any client secret in order to hit the mock
|
|
// server instead of the default control API.
|
|
if strings.HasPrefix(tt.clientID, "tskey-client") {
|
|
if !strings.Contains(tt.clientID, "?") {
|
|
tt.clientID += "?baseURL=" + srv.URL
|
|
} else {
|
|
tt.clientID += "&baseURL=" + srv.URL
|
|
}
|
|
}
|
|
|
|
got, err := resolveAuthKey(context.Background(), tt.clientID, tt.tags)
|
|
|
|
if tt.wantErr {
|
|
if err == nil {
|
|
t.Error("want error but got none")
|
|
return
|
|
}
|
|
return
|
|
}
|
|
|
|
if err != nil {
|
|
t.Errorf("want no error, got %q", err)
|
|
return
|
|
}
|
|
|
|
if got != tt.wantAuthKey {
|
|
t.Errorf("want authKey = %q, got %q", tt.wantAuthKey, got)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestResolveAuthKeyAttributes(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
clientSecret string
|
|
wantEphemeral bool
|
|
wantPreauth bool
|
|
wantBaseURL string
|
|
}{
|
|
{
|
|
name: "default values",
|
|
clientSecret: "tskey-client-abc",
|
|
wantEphemeral: true,
|
|
wantPreauth: false,
|
|
wantBaseURL: "https://api.tailscale.com",
|
|
},
|
|
{
|
|
name: "ephemeral=false",
|
|
clientSecret: "tskey-client-abc?ephemeral=false",
|
|
wantEphemeral: false,
|
|
wantPreauth: false,
|
|
wantBaseURL: "https://api.tailscale.com",
|
|
},
|
|
{
|
|
name: "preauthorized=true",
|
|
clientSecret: "tskey-client-abc?preauthorized=true",
|
|
wantEphemeral: true,
|
|
wantPreauth: true,
|
|
wantBaseURL: "https://api.tailscale.com",
|
|
},
|
|
{
|
|
name: "baseURL=https://api.example.com",
|
|
clientSecret: "tskey-client-abc?baseURL=https://api.example.com",
|
|
wantEphemeral: true,
|
|
wantPreauth: false,
|
|
wantBaseURL: "https://api.example.com",
|
|
},
|
|
{
|
|
name: "all custom values",
|
|
clientSecret: "tskey-client-abc?ephemeral=false&preauthorized=true&baseURL=https://api.example.com",
|
|
wantEphemeral: false,
|
|
wantPreauth: true,
|
|
wantBaseURL: "https://api.example.com",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
strippedSecret, ephemeral, preauth, baseURL, err := parseOptionalAttributes(tt.clientSecret)
|
|
if err != nil {
|
|
t.Fatalf("want no error, got %q", err)
|
|
}
|
|
if strippedSecret != "tskey-client-abc" {
|
|
t.Errorf("want tskey-client-abc, got %q", strippedSecret)
|
|
}
|
|
if ephemeral != tt.wantEphemeral {
|
|
t.Errorf("want ephemeral = %v, got %v", tt.wantEphemeral, ephemeral)
|
|
}
|
|
if preauth != tt.wantPreauth {
|
|
t.Errorf("want preauth = %v, got %v", tt.wantPreauth, preauth)
|
|
}
|
|
if baseURL != tt.wantBaseURL {
|
|
t.Errorf("want baseURL = %v, got %v", tt.wantBaseURL, baseURL)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func mockControlServer(t *testing.T) *httptest.Server {
|
|
t.Helper()
|
|
|
|
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch {
|
|
case strings.Contains(r.URL.Path, "/api/v2/oauth/token"):
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.Write([]byte(`{"access_token":"access-123","token_type":"Bearer","expires_in":3600}`))
|
|
case strings.Contains(r.URL.Path, "/api/v2/tailnet") && strings.Contains(r.URL.Path, "/keys"):
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.Write([]byte(`{"key":"tskey-auth-xyz"}`))
|
|
default:
|
|
w.WriteHeader(http.StatusNotFound)
|
|
}
|
|
}))
|
|
}
|