omni/internal/pkg/auth/check_test.go
Utku Ozdemir 0e76483bab
chore: rekres, bump deps, Go, Talos and k8s versions, satisfy linters
- Bump some deps, namely cosi-runtime and Talos machinery.
- Update `auditState` to implement the new methods in COSI's `state.State`.
- Bump default Talos and Kubernetes versions to their latest.
- Rekres, which brings Go 1.24.5. Also update it in go.mod files.
- Fix linter errors coming from new linters.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2025-07-11 18:23:48 +02:00


// Copyright (c) 2025 Sidero Labs, Inc.
//
// Use of this software is governed by the Business Source License
// included in the LICENSE file.
package auth_test
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
"github.com/siderolabs/omni/internal/pkg/auth"
"github.com/siderolabs/omni/internal/pkg/auth/role"
"github.com/siderolabs/omni/internal/pkg/ctxstore"
)
// TestCheck drives auth.Check through a table of contexts and check options
// and asserts either the returned CheckResult or the expected sentinel error.
//
// Every case except "empty context" starts from a context that carries
// EnabledAuthContextKey; RoleContextKey, VerifiedEmailContextKey and
// IdentityContextKey are layered on top of it by the helpers below, in the
// same order the original nested ctxstore.WithValue calls used.
//
// NOTE(review): no case exercises WithRole/WithVerifiedEmail while auth is
// disabled; confirm that path is covered elsewhere.
func TestCheck(t *testing.T) {
	base := t.Context()

	// enabled returns ctx with the auth-enabled flag set to on.
	enabled := func(ctx context.Context, on bool) context.Context {
		return ctxstore.WithValue(ctx, auth.EnabledAuthContextKey{Enabled: on})
	}

	// authOn builds a fresh context with auth enabled, one per case.
	authOn := func() context.Context {
		return enabled(base, true)
	}

	// withRole attaches a RoleContextKey carrying r.
	withRole := func(ctx context.Context, r role.Role) context.Context {
		return ctxstore.WithValue(ctx, auth.RoleContextKey{Role: r})
	}

	// withEmail attaches a VerifiedEmailContextKey carrying email.
	withEmail := func(ctx context.Context, email string) context.Context {
		return ctxstore.WithValue(ctx, auth.VerifiedEmailContextKey{Email: email})
	}

	// withIdentity attaches an IdentityContextKey carrying id.
	withIdentity := func(ctx context.Context, id string) context.Context {
		return ctxstore.WithValue(ctx, auth.IdentityContextKey{Identity: id})
	}

	type testCase struct { //nolint:govet
		name    string
		ctx     context.Context //nolint:containedctx
		opts    []auth.CheckOption
		want    auth.CheckResult
		errorIs error
	}

	cases := []testCase{
		{
			name:    "empty context",
			ctx:     base,
			errorIs: auth.ErrUnauthenticated,
		},
		{
			name: "auth disabled",
			ctx:  enabled(base, false),
		},
		{
			name: "not authenticated, no requirements",
			ctx:  authOn(),
			want: auth.CheckResult{
				AuthEnabled: true,
				Role:        role.None,
			},
		},
		{
			name:    "not authenticated, verified email",
			ctx:     authOn(),
			opts:    []auth.CheckOption{auth.WithVerifiedEmail()},
			errorIs: auth.ErrUnauthenticated,
		},
		{
			name:    "not authenticated, none role",
			ctx:     authOn(),
			opts:    []auth.CheckOption{auth.WithValidSignature(true)},
			errorIs: auth.ErrUnauthenticated,
		},
		{
			name:    "not authenticated, operator role",
			ctx:     authOn(),
			opts:    []auth.CheckOption{auth.WithRole(role.Operator)},
			errorIs: auth.ErrUnauthenticated,
		},
		{
			name: "verified email",
			ctx:  withEmail(authOn(), "user@example.com"),
			opts: []auth.CheckOption{auth.WithVerifiedEmail()},
			want: auth.CheckResult{
				AuthEnabled:   true,
				VerifiedEmail: "user@example.com",
				Role:          role.None,
			},
		},
		{
			name: "role okay",
			ctx:  withRole(authOn(), role.Operator),
			opts: []auth.CheckOption{auth.WithRole(role.Operator)},
			want: auth.CheckResult{
				AuthEnabled:       true,
				HasValidSignature: true,
				Role:              role.Operator,
			},
		},
		{
			name:    "role mismatch",
			ctx:     withRole(authOn(), role.Operator),
			opts:    []auth.CheckOption{auth.WithRole(role.Admin)},
			errorIs: auth.ErrUnauthorized,
		},
		{
			name: "role and verified email",
			// Layering order: enabled -> role -> verified email -> identity.
			ctx: withIdentity(
				withEmail(
					withRole(authOn(), role.Operator),
					"user@example.com",
				),
				"user2@example.com",
			),
			opts: []auth.CheckOption{auth.WithRole(role.Operator), auth.WithVerifiedEmail()},
			want: auth.CheckResult{
				AuthEnabled:       true,
				HasValidSignature: true,
				Role:              role.Operator,
				Identity:          "user2@example.com",
				VerifiedEmail:     "user@example.com",
			},
		},
		{
			name: "valid signature",
			ctx:  withRole(authOn(), role.None),
			// Deliberately an empty (non-nil) slice, as in the original table.
			opts: []auth.CheckOption{},
			want: auth.CheckResult{
				AuthEnabled:       true,
				HasValidSignature: true,
				Role:              role.None,
			},
		},
		{
			name:    "missing signature",
			ctx:     withEmail(authOn(), "me@example.com"),
			opts:    []auth.CheckOption{auth.WithValidSignature(true)},
			errorIs: auth.ErrUnauthenticated,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got, err := auth.Check(tc.ctx, tc.opts...)

			if tc.errorIs == nil {
				assert.NoError(t, err)
				assert.Equal(t, tc.want, got)

				return
			}

			assert.ErrorIs(t, err, tc.errorIs)
		})
	}
}