mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 16:43:40 +00:00
79fb4cc1cc
# Which Problems Are Solved System administrators can block hosts and IPs for HTTP calls in actions. Using DNS, blocked IPs could be bypassed. # How the Problems Are Solved - Hosts are resolved (DNS lookup) to check whether their corresponding IP is blocked. # Additional Changes - Added complete lookup ip address range and "unspecified" address to the default `DenyList`
283 lines
7.0 KiB
Go
283 lines
7.0 KiB
Go
package start
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/muhlemmer/gu"
|
|
"github.com/spf13/viper"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/zitadel/zitadel/internal/actions"
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
)
|
|
|
|
func TestMustNewConfig(t *testing.T) {
|
|
encodedKey := "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6aStGRlNKTDdmNXl3NEtUd3pnTQpQMzRlUEd5Y20vTStrVDBNN1Y0Q2d4NVYzRWFESXZUUUtUTGZCYUVCNDV6YjlMdGpJWHpEdzByWFJvUzJoTzZ0CmgrQ1lRQ3ozS0N2aDA5QzBJenhaaUIySVMzSC9hVCs1Qng5RUZZK3ZuQWtaamNjYnlHNVlOUnZtdE9sbnZJZUkKSDdxWjB0RXdrUGZGNUdFWk5QSlB0bXkzVUdWN2lvZmRWUVMxeFJqNzMrYU13NXJ2SDREOElkeWlBQzNWZWtJYgpwdDBWajBTVVgzRHdLdG9nMzM3QnpUaVBrM2FYUkYwc2JGaFFvcWRKUkk4TnFnWmpDd2pxOXlmSTV0eXhZc3duCitKR3pIR2RIdlczaWRPRGxtd0V0NUsycGFzaVJJV0syT0dmcSt3MEVjbHRRSGFidXFFUGdabG1oQ2tSZE5maXgKQndJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
|
|
decodedKey, err := base64.StdEncoding.DecodeString(encodedKey)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
type args struct {
|
|
yaml string
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want func(*testing.T, *Config)
|
|
}{{
|
|
name: "actions deny list ok",
|
|
args: args{
|
|
yaml: `
|
|
Actions:
|
|
HTTP:
|
|
DenyList:
|
|
- localhost
|
|
- 127.0.0.1
|
|
- foobar
|
|
Log:
|
|
Level: info
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.Actions.HTTP.DenyList, []actions.AddressChecker{
|
|
&actions.HostChecker{Domain: "localhost"},
|
|
&actions.HostChecker{IP: net.ParseIP("127.0.0.1")},
|
|
&actions.HostChecker{Domain: "foobar"}})
|
|
},
|
|
}, {
|
|
name: "actions deny list string ok",
|
|
args: args{
|
|
yaml: `
|
|
Actions:
|
|
HTTP:
|
|
DenyList: localhost,127.0.0.1,foobar
|
|
Log:
|
|
Level: info
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.Actions.HTTP.DenyList, []actions.AddressChecker{
|
|
&actions.HostChecker{Domain: "localhost"},
|
|
&actions.HostChecker{IP: net.ParseIP("127.0.0.1")},
|
|
&actions.HostChecker{Domain: "foobar"}})
|
|
},
|
|
}, {
|
|
name: "features ok",
|
|
args: args{yaml: `
|
|
DefaultInstance:
|
|
Features:
|
|
LoginDefaultOrg: true
|
|
LegacyIntrospection: true
|
|
TriggerIntrospectionProjections: true
|
|
UserSchema: true
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.DefaultInstance.Features, &command.InstanceFeatures{
|
|
LoginDefaultOrg: gu.Ptr(true),
|
|
LegacyIntrospection: gu.Ptr(true),
|
|
TriggerIntrospectionProjections: gu.Ptr(true),
|
|
UserSchema: gu.Ptr(true),
|
|
})
|
|
},
|
|
}, {
|
|
name: "system api users ok",
|
|
args: args{yaml: `
|
|
SystemAPIUsers:
|
|
- superuser:
|
|
Memberships:
|
|
- MemberType: System
|
|
- MemberType: Organization
|
|
- MemberType: IAM
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.SystemAPIUsers, map[string]*authz.SystemAPIUser{
|
|
"superuser": {
|
|
Memberships: authz.Memberships{{
|
|
MemberType: authz.MemberTypeSystem,
|
|
}, {
|
|
MemberType: authz.MemberTypeOrganization,
|
|
}, {
|
|
MemberType: authz.MemberTypeIAM,
|
|
}},
|
|
},
|
|
})
|
|
},
|
|
}, {
|
|
name: "system api users string ok",
|
|
args: args{yaml: fmt.Sprintf(`
|
|
SystemAPIUsers: >
|
|
{"systemuser": {"path": "/path/to/superuser/key.pem"}, "systemuser2": {"keyData": "%s"}}
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`, encodedKey)},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.SystemAPIUsers, map[string]*authz.SystemAPIUser{
|
|
"systemuser": {
|
|
Path: "/path/to/superuser/key.pem",
|
|
},
|
|
"systemuser2": {
|
|
KeyData: decodedKey,
|
|
},
|
|
})
|
|
},
|
|
}, {
|
|
name: "headers ok",
|
|
args: args{yaml: `
|
|
Telemetry:
|
|
Headers:
|
|
single-value: single-value
|
|
multi-value:
|
|
- multi-value1
|
|
- multi-value2
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.Telemetry.Headers, http.Header{
|
|
"single-value": []string{"single-value"},
|
|
"multi-value": []string{"multi-value1", "multi-value2"},
|
|
})
|
|
},
|
|
}, {
|
|
name: "headers string ok",
|
|
args: args{yaml: `
|
|
Telemetry:
|
|
Headers: >
|
|
{"single-value": "single-value", "multi-value": ["multi-value1", "multi-value2"]}
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.Telemetry.Headers, http.Header{
|
|
"single-value": []string{"single-value"},
|
|
"multi-value": []string{"multi-value1", "multi-value2"},
|
|
})
|
|
},
|
|
}, {
|
|
name: "message texts ok",
|
|
args: args{yaml: `
|
|
DefaultInstance:
|
|
MessageTexts:
|
|
- MessageTextType: InitCode
|
|
Title: foo
|
|
- MessageTextType: PasswordReset
|
|
Greeting: bar
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.DefaultInstance.MessageTexts, []*domain.CustomMessageText{{
|
|
MessageTextType: "InitCode",
|
|
Title: "foo",
|
|
}, {
|
|
MessageTextType: "PasswordReset",
|
|
Greeting: "bar",
|
|
}})
|
|
},
|
|
}, {
|
|
name: "message texts string ok",
|
|
args: args{yaml: `
|
|
DefaultInstance:
|
|
MessageTexts: >
|
|
[{"messageTextType": "InitCode", "title": "foo"}, {"messageTextType": "PasswordReset", "greeting": "bar"}]
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.DefaultInstance.MessageTexts, []*domain.CustomMessageText{{
|
|
MessageTextType: "InitCode",
|
|
Title: "foo",
|
|
}, {
|
|
MessageTextType: "PasswordReset",
|
|
Greeting: "bar",
|
|
}})
|
|
},
|
|
}, {
|
|
name: "roles ok",
|
|
args: args{yaml: `
|
|
InternalAuthZ:
|
|
RolePermissionMappings:
|
|
- Role: IAM_OWNER
|
|
Permissions:
|
|
- iam.write
|
|
- Role: ORG_OWNER
|
|
Permissions:
|
|
- org.write
|
|
- org.read
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.InternalAuthZ, authz.Config{
|
|
RolePermissionMappings: []authz.RoleMapping{
|
|
{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
|
|
{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
|
|
},
|
|
})
|
|
},
|
|
}, {
|
|
name: "roles string ok",
|
|
args: args{yaml: `
|
|
InternalAuthZ:
|
|
RolePermissionMappings: >
|
|
[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write", "org.read"]}]
|
|
Log:
|
|
Level: info
|
|
Actions:
|
|
HTTP:
|
|
DenyList: []
|
|
`},
|
|
want: func(t *testing.T, config *Config) {
|
|
assert.Equal(t, config.InternalAuthZ, authz.Config{
|
|
RolePermissionMappings: []authz.RoleMapping{
|
|
{Role: "IAM_OWNER", Permissions: []string{"iam.write"}},
|
|
{Role: "ORG_OWNER", Permissions: []string{"org.write", "org.read"}},
|
|
},
|
|
})
|
|
},
|
|
}}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
v := viper.New()
|
|
v.SetConfigType("yaml")
|
|
require.NoError(t, v.ReadConfig(strings.NewReader(tt.args.yaml)))
|
|
got := MustNewConfig(v)
|
|
tt.want(t, got)
|
|
})
|
|
}
|
|
}
|