Home Explore Help
Register Sign In
Apq
/
docker-compose
mirror of https://github.com/docker/compose.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6412b9f638
Branches Tags
docker-compose
/
aci
/
login
/
login_test.go

login_test.go 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371 
  1. /*
    2. 

  2.    Copyright 2020 Docker, Inc.
    3. 

  3. 

  4.    Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5.    you may not use this file except in compliance with the License.
    6. 

  6.    You may obtain a copy of the License at
    7. 

  7. 

  8.        http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10.    Unless required by applicable law or agreed to in writing, software
    11. 

  11.    distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13.    See the License for the specific language governing permissions and
    14. 

  14.    limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package login
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"io/ioutil"
    22. 

  22. 	"net/http"
    23. 

  23. 	"net/url"
    24. 

  24. 	"os"
    25. 

  25. 	"path/filepath"
    26. 

  26. 	"reflect"
    27. 

  27. 	"testing"
    28. 

  28. 	"time"
    29. 

  29. 

  30. 	"github.com/stretchr/testify/mock"
    31. 

  31. 	"gotest.tools/v3/assert"
    32. 

  32. 

  33. 	"golang.org/x/oauth2"
    34. 

  34. )
    35. 

  35. 

  36. func testLoginService(t *testing.T, m *MockAzureHelper) (*AzureLoginService, error) {
    37. 

  37. 	dir, err := ioutil.TempDir("", "test_store")
    38. 

  38. 	if err != nil {
    39. 

  39. 		return nil, err
    40. 

  40. 	}
    41. 

  41. 	t.Cleanup(func() {
    42. 

  42. 		_ = os.RemoveAll(dir)
    43. 

  43. 	})
    44. 

  44. 	return newAzureLoginServiceFromPath(filepath.Join(dir, tokenStoreFilename), m)
    45. 

  45. }
    46. 

  46. 

  47. func TestRefreshInValidToken(t *testing.T) {
    48. 

  48. 	data := refreshTokenData("refreshToken")
    49. 

  49. 	m := &MockAzureHelper{}
    50. 

  50. 	m.On("queryToken", data, "123456").Return(azureToken{
    51. 

  51. 		RefreshToken: "newRefreshToken",
    52. 

  52. 		AccessToken:  "newAccessToken",
    53. 

  53. 		ExpiresIn:    3600,
    54. 

  54. 		Foci:         "1",
    55. 

  55. 	}, nil)
    56. 

  56. 

  57. 	azureLogin, err := testLoginService(t, m)
    58. 

  58. 	assert.NilError(t, err)
    59. 

  59. 	err = azureLogin.tokenStore.writeLoginInfo(TokenInfo{
    60. 

  60. 		TenantID: "123456",
    61. 

  61. 		Token: oauth2.Token{
    62. 

  62. 			AccessToken:  "accessToken",
    63. 

  63. 			RefreshToken: "refreshToken",
    64. 

  64. 			Expiry:       time.Now().Add(-1 * time.Hour),
    65. 

  65. 			TokenType:    "Bearer",
    66. 

  66. 		},
    67. 

  67. 	})
    68. 

  68. 	assert.NilError(t, err)
    69. 

  69. 

  70. 	token, _ := azureLogin.GetValidToken()
    71. 

  71. 

  72. 	assert.Equal(t, token.AccessToken, "newAccessToken")
    73. 

  73. 	assert.Assert(t, time.Now().Add(3500*time.Second).Before(token.Expiry))
    74. 

  74. 

  75. 	storedToken, _ := azureLogin.tokenStore.readToken()
    76. 

  76. 	assert.Equal(t, storedToken.Token.AccessToken, "newAccessToken")
    77. 

  77. 	assert.Equal(t, storedToken.Token.RefreshToken, "newRefreshToken")
    78. 

  78. 	assert.Assert(t, time.Now().Add(3500*time.Second).Before(storedToken.Token.Expiry))
    79. 

  79. }
    80. 

  80. 

  81. func TestClearErrorMessageIfNotAlreadyLoggedIn(t *testing.T) {
    82. 

  82. 	dir, err := ioutil.TempDir("", "test_store")
    83. 

  83. 	assert.NilError(t, err)
    84. 

  84. 	t.Cleanup(func() {
    85. 

  85. 		_ = os.RemoveAll(dir)
    86. 

  86. 	})
    87. 

  87. 	_, err = newAuthorizerFromLoginStorePath(filepath.Join(dir, tokenStoreFilename))
    88. 

  88. 	assert.ErrorContains(t, err, "not logged in to azure, you need to run \"docker login azure\" first")
    89. 

  89. }
    90. 

  90. 

  91. func TestDoesNotRefreshValidToken(t *testing.T) {
    92. 

  92. 	expiryDate := time.Now().Add(1 * time.Hour)
    93. 

  93. 	azureLogin, err := testLoginService(t, nil)
    94. 

  94. 	assert.NilError(t, err)
    95. 

  95. 	err = azureLogin.tokenStore.writeLoginInfo(TokenInfo{
    96. 

  96. 		TenantID: "123456",
    97. 

  97. 		Token: oauth2.Token{
    98. 

  98. 			AccessToken:  "accessToken",
    99. 

  99. 			RefreshToken: "refreshToken",
    100. 

  100. 			Expiry:       expiryDate,
    101. 

  101. 			TokenType:    "Bearer",
    102. 

  102. 		},
    103. 

  103. 	})
    104. 

  104. 	assert.NilError(t, err)
    105. 

  105. 

  106. 	token, _ := azureLogin.GetValidToken()
    107. 

  107. 	assert.Equal(t, token.AccessToken, "accessToken")
    108. 

  108. }
    109. 

  109. 

  110. func TestInvalidLogin(t *testing.T) {
    111. 

  111. 	m := &MockAzureHelper{}
    112. 

  112. 	m.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
    113. 

  113. 		redirectURL := args.Get(0).(string)
    114. 

  114. 		err := queryKeyValue(redirectURL, "error", "access denied: login failed")
    115. 

  115. 		assert.NilError(t, err)
    116. 

  116. 	})
    117. 

  117. 

  118. 	azureLogin, err := testLoginService(t, m)
    119. 

  119. 	assert.NilError(t, err)
    120. 

  120. 

  121. 	err = azureLogin.Login(context.TODO(), "")
    122. 

  122. 	assert.Error(t, err, "no login code: login failed")
    123. 

  123. }
    124. 

  124. 

  125. func TestValidLogin(t *testing.T) {
    126. 

  126. 	var redirectURL string
    127. 

  127. 	m := &MockAzureHelper{}
    128. 

  128. 	m.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
    129. 

  129. 		redirectURL = args.Get(0).(string)
    130. 

  130. 		err := queryKeyValue(redirectURL, "code", "123456879")
    131. 

  131. 		assert.NilError(t, err)
    132. 

  132. 	})
    133. 

  133. 

  134. 	m.On("queryToken", mock.MatchedBy(func(data url.Values) bool {
    135. 

  135. 		//Need a matcher here because the value of redirectUrl is not known until executing openAzureLoginPage
    136. 

  136. 		return reflect.DeepEqual(data, url.Values{
    137. 

  137. 			"grant_type":   []string{"authorization_code"},
    138. 

  138. 			"client_id":    []string{clientID},
    139. 

  139. 			"code":         []string{"123456879"},
    140. 

  140. 			"scope":        []string{scopes},
    141. 

  141. 			"redirect_uri": []string{redirectURL},
    142. 

  142. 		})
    143. 

  143. 	}), "organizations").Return(azureToken{
    144. 

  144. 		RefreshToken: "firstRefreshToken",
    145. 

  145. 		AccessToken:  "firstAccessToken",
    146. 

  146. 		ExpiresIn:    3600,
    147. 

  147. 		Foci:         "1",
    148. 

  148. 	}, nil)
    149. 

  149. 

  150. 	authBody := `{"value":[{"id":"/tenants/12345a7c-c56d-43e8-9549-dd230ce8a038","tenantId":"12345a7c-c56d-43e8-9549-dd230ce8a038"}]}`
    151. 

  151. 

  152. 	m.On("queryAuthorizationAPI", authorizationURL, "Bearer firstAccessToken").Return([]byte(authBody), 200, nil)
    153. 

  153. 	data := refreshTokenData("firstRefreshToken")
    154. 

  154. 	m.On("queryToken", data, "12345a7c-c56d-43e8-9549-dd230ce8a038").Return(azureToken{
    155. 

  155. 		RefreshToken: "newRefreshToken",
    156. 

  156. 		AccessToken:  "newAccessToken",
    157. 

  157. 		ExpiresIn:    3600,
    158. 

  158. 		Foci:         "1",
    159. 

  159. 	}, nil)
    160. 

  160. 	azureLogin, err := testLoginService(t, m)
    161. 

  161. 	assert.NilError(t, err)
    162. 

  162. 

  163. 	err = azureLogin.Login(context.TODO(), "")
    164. 

  164. 	assert.NilError(t, err)
    165. 

  165. 

  166. 	loginToken, err := azureLogin.tokenStore.readToken()
    167. 

  167. 	assert.NilError(t, err)
    168. 

  168. 	assert.Equal(t, loginToken.Token.AccessToken, "newAccessToken")
    169. 

  169. 	assert.Equal(t, loginToken.Token.RefreshToken, "newRefreshToken")
    170. 

  170. 	assert.Assert(t, time.Now().Add(3500*time.Second).Before(loginToken.Token.Expiry))
    171. 

  171. 	assert.Equal(t, loginToken.TenantID, "12345a7c-c56d-43e8-9549-dd230ce8a038")
    172. 

  172. 	assert.Equal(t, loginToken.Token.Type(), "Bearer")
    173. 

  173. }
    174. 

  174. 

  175. func TestValidLoginRequestedTenant(t *testing.T) {
    176. 

  176. 	var redirectURL string
    177. 

  177. 	m := &MockAzureHelper{}
    178. 

  178. 	m.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
    179. 

  179. 		redirectURL = args.Get(0).(string)
    180. 

  180. 		err := queryKeyValue(redirectURL, "code", "123456879")
    181. 

  181. 		assert.NilError(t, err)
    182. 

  182. 	})
    183. 

  183. 

  184. 	m.On("queryToken", mock.MatchedBy(func(data url.Values) bool {
    185. 

  185. 		//Need a matcher here because the value of redirectUrl is not known until executing openAzureLoginPage
    186. 

  186. 		return reflect.DeepEqual(data, url.Values{
    187. 

  187. 			"grant_type":   []string{"authorization_code"},
    188. 

  188. 			"client_id":    []string{clientID},
    189. 

  189. 			"code":         []string{"123456879"},
    190. 

  190. 			"scope":        []string{scopes},
    191. 

  191. 			"redirect_uri": []string{redirectURL},
    192. 

  192. 		})
    193. 

  193. 	}), "organizations").Return(azureToken{
    194. 

  194. 		RefreshToken: "firstRefreshToken",
    195. 

  195. 		AccessToken:  "firstAccessToken",
    196. 

  196. 		ExpiresIn:    3600,
    197. 

  197. 		Foci:         "1",
    198. 

  198. 	}, nil)
    199. 

  199. 

  200. 	authBody := `{"value":[{"id":"/tenants/00000000-c56d-43e8-9549-dd230ce8a038","tenantId":"00000000-c56d-43e8-9549-dd230ce8a038"},
    201. 

  201. 						   {"id":"/tenants/12345a7c-c56d-43e8-9549-dd230ce8a038","tenantId":"12345a7c-c56d-43e8-9549-dd230ce8a038"}]}`
    202. 

  202. 

  203. 	m.On("queryAuthorizationAPI", authorizationURL, "Bearer firstAccessToken").Return([]byte(authBody), 200, nil)
    204. 

  204. 	data := refreshTokenData("firstRefreshToken")
    205. 

  205. 	m.On("queryToken", data, "12345a7c-c56d-43e8-9549-dd230ce8a038").Return(azureToken{
    206. 

  206. 		RefreshToken: "newRefreshToken",
    207. 

  207. 		AccessToken:  "newAccessToken",
    208. 

  208. 		ExpiresIn:    3600,
    209. 

  209. 		Foci:         "1",
    210. 

  210. 	}, nil)
    211. 

  211. 	azureLogin, err := testLoginService(t, m)
    212. 

  212. 	assert.NilError(t, err)
    213. 

  213. 

  214. 	err = azureLogin.Login(context.TODO(), "12345a7c-c56d-43e8-9549-dd230ce8a038")
    215. 

  215. 	assert.NilError(t, err)
    216. 

  216. 

  217. 	loginToken, err := azureLogin.tokenStore.readToken()
    218. 

  218. 	assert.NilError(t, err)
    219. 

  219. 	assert.Equal(t, loginToken.Token.AccessToken, "newAccessToken")
    220. 

  220. 	assert.Equal(t, loginToken.Token.RefreshToken, "newRefreshToken")
    221. 

  221. 	assert.Assert(t, time.Now().Add(3500*time.Second).Before(loginToken.Token.Expiry))
    222. 

  222. 	assert.Equal(t, loginToken.TenantID, "12345a7c-c56d-43e8-9549-dd230ce8a038")
    223. 

  223. 	assert.Equal(t, loginToken.Token.Type(), "Bearer")
    224. 

  224. }
    225. 

  225. 

  226. func TestLoginNoTenant(t *testing.T) {
    227. 

  227. 	var redirectURL string
    228. 

  228. 	m := &MockAzureHelper{}
    229. 

  229. 	m.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
    230. 

  230. 		redirectURL = args.Get(0).(string)
    231. 

  231. 		err := queryKeyValue(redirectURL, "code", "123456879")
    232. 

  232. 		assert.NilError(t, err)
    233. 

  233. 	})
    234. 

  234. 

  235. 	m.On("queryToken", mock.MatchedBy(func(data url.Values) bool {
    236. 

  236. 		//Need a matcher here because the value of redirectUrl is not known until executing openAzureLoginPage
    237. 

  237. 		return reflect.DeepEqual(data, url.Values{
    238. 

  238. 			"grant_type":   []string{"authorization_code"},
    239. 

  239. 			"client_id":    []string{clientID},
    240. 

  240. 			"code":         []string{"123456879"},
    241. 

  241. 			"scope":        []string{scopes},
    242. 

  242. 			"redirect_uri": []string{redirectURL},
    243. 

  243. 		})
    244. 

  244. 	}), "organizations").Return(azureToken{
    245. 

  245. 		RefreshToken: "firstRefreshToken",
    246. 

  246. 		AccessToken:  "firstAccessToken",
    247. 

  247. 		ExpiresIn:    3600,
    248. 

  248. 		Foci:         "1",
    249. 

  249. 	}, nil)
    250. 

  250. 

  251. 	authBody := `{"value":[{"id":"/tenants/12345a7c-c56d-43e8-9549-dd230ce8a038","tenantId":"12345a7c-c56d-43e8-9549-dd230ce8a038"}]}`
    252. 

  252. 	m.On("queryAuthorizationAPI", authorizationURL, "Bearer firstAccessToken").Return([]byte(authBody), 200, nil)
    253. 

  253. 

  254. 	azureLogin, err := testLoginService(t, m)
    255. 

  255. 	assert.NilError(t, err)
    256. 

  256. 

  257. 	err = azureLogin.Login(context.TODO(), "00000000-c56d-43e8-9549-dd230ce8a038")
    258. 

  258. 	assert.Error(t, err, "could not find requested azure tenant 00000000-c56d-43e8-9549-dd230ce8a038: login failed")
    259. 

  259. }
    260. 

  260. 

  261. func TestLoginRequestedTenantNotFound(t *testing.T) {
    262. 

  262. 	var redirectURL string
    263. 

  263. 	m := &MockAzureHelper{}
    264. 

  264. 	m.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
    265. 

  265. 		redirectURL = args.Get(0).(string)
    266. 

  266. 		err := queryKeyValue(redirectURL, "code", "123456879")
    267. 

  267. 		assert.NilError(t, err)
    268. 

  268. 	})
    269. 

  269. 

  270. 	m.On("queryToken", mock.MatchedBy(func(data url.Values) bool {
    271. 

  271. 		//Need a matcher here because the value of redirectUrl is not known until executing openAzureLoginPage
    272. 

  272. 		return reflect.DeepEqual(data, url.Values{
    273. 

  273. 			"grant_type":   []string{"authorization_code"},
    274. 

  274. 			"client_id":    []string{clientID},
    275. 

  275. 			"code":         []string{"123456879"},
    276. 

  276. 			"scope":        []string{scopes},
    277. 

  277. 			"redirect_uri": []string{redirectURL},
    278. 

  278. 		})
    279. 

  279. 	}), "organizations").Return(azureToken{
    280. 

  280. 		RefreshToken: "firstRefreshToken",
    281. 

  281. 		AccessToken:  "firstAccessToken",
    282. 

  282. 		ExpiresIn:    3600,
    283. 

  283. 		Foci:         "1",
    284. 

  284. 	}, nil)
    285. 

  285. 

  286. 	authBody := `{"value":[]}`
    287. 

  287. 	m.On("queryAuthorizationAPI", authorizationURL, "Bearer firstAccessToken").Return([]byte(authBody), 200, nil)
    288. 

  288. 

  289. 	azureLogin, err := testLoginService(t, m)
    290. 

  290. 	assert.NilError(t, err)
    291. 

  291. 

  292. 	err = azureLogin.Login(context.TODO(), "")
    293. 

  293. 	assert.Error(t, err, "could not find azure tenant: login failed")
    294. 

  294. }
    295. 

  295. 

  296. func TestLoginAuthorizationFailed(t *testing.T) {
    297. 

  297. 	var redirectURL string
    298. 

  298. 	m := &MockAzureHelper{}
    299. 

  299. 	m.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
    300. 

  300. 		redirectURL = args.Get(0).(string)
    301. 

  301. 		err := queryKeyValue(redirectURL, "code", "123456879")
    302. 

  302. 		assert.NilError(t, err)
    303. 

  303. 	})
    304. 

  304. 

  305. 	m.On("queryToken", mock.MatchedBy(func(data url.Values) bool {
    306. 

  306. 		//Need a matcher here because the value of redirectUrl is not known until executing openAzureLoginPage
    307. 

  307. 		return reflect.DeepEqual(data, url.Values{
    308. 

  308. 			"grant_type":   []string{"authorization_code"},
    309. 

  309. 			"client_id":    []string{clientID},
    310. 

  310. 			"code":         []string{"123456879"},
    311. 

  311. 			"scope":        []string{scopes},
    312. 

  312. 			"redirect_uri": []string{redirectURL},
    313. 

  313. 		})
    314. 

  314. 	}), "organizations").Return(azureToken{
    315. 

  315. 		RefreshToken: "firstRefreshToken",
    316. 

  316. 		AccessToken:  "firstAccessToken",
    317. 

  317. 		ExpiresIn:    3600,
    318. 

  318. 		Foci:         "1",
    319. 

  319. 	}, nil)
    320. 

  320. 

  321. 	authBody := `[access denied]`
    322. 

  322. 

  323. 	m.On("queryAuthorizationAPI", authorizationURL, "Bearer firstAccessToken").Return([]byte(authBody), 400, nil)
    324. 

  324. 

  325. 	azureLogin, err := testLoginService(t, m)
    326. 

  326. 	assert.NilError(t, err)
    327. 

  327. 

  328. 	err = azureLogin.Login(context.TODO(), "")
    329. 

  329. 	assert.Error(t, err, "unable to login status code 400: [access denied]: login failed")
    330. 

  330. }
    331. 

  331. 

  332. func refreshTokenData(refreshToken string) url.Values {
    333. 

  333. 	return url.Values{
    334. 

  334. 		"grant_type":    []string{"refresh_token"},
    335. 

  335. 		"client_id":     []string{clientID},
    336. 

  336. 		"scope":         []string{scopes},
    337. 

  337. 		"refresh_token": []string{refreshToken},
    338. 

  338. 	}
    339. 

  339. }
    340. 

  340. 

  341. func queryKeyValue(redirectURL string, key string, value string) error {
    342. 

  342. 	req, err := http.NewRequest("GET", redirectURL, nil)
    343. 

  343. 	if err != nil {
    344. 

  344. 		return err
    345. 

  345. 	}
    346. 

  346. 	q := req.URL.Query()
    347. 

  347. 	q.Add(key, value)
    348. 

  348. 	req.URL.RawQuery = q.Encode()
    349. 

  349. 	client := &http.Client{}
    350. 

  350. 	_, err = client.Do(req)
    351. 

  351. 	return err
    352. 

  352. }
    353. 

  353. 

  354. type MockAzureHelper struct {
    355. 

  355. 	mock.Mock
    356. 

  356. }
    357. 

  357. 

  358. func (s *MockAzureHelper) queryToken(data url.Values, tenantID string) (token azureToken, err error) {
    359. 

  359. 	args := s.Called(data, tenantID)
    360. 

  360. 	return args.Get(0).(azureToken), args.Error(1)
    361. 

  361. }
    362. 

  362. 

  363. func (s *MockAzureHelper) queryAuthorizationAPI(authorizationURL string, authorizationHeader string) ([]byte, int, error) {
    364. 

  364. 	args := s.Called(authorizationURL, authorizationHeader)
    365. 

  365. 	return args.Get(0).([]byte), args.Int(1), args.Error(2)
    366. 

  366. }
    367. 

  367. 

  368. func (s *MockAzureHelper) openAzureLoginPage(redirectURL string) error {
    369. 

  369. 	s.Called(redirectURL)
    370. 

  370. 	return nil
    371. 

  371. }
    372.