broker: Test refreshing of groups

ubuntu · Nov 18, 2024 · c9b9239 · c9b9239
1 parent 038d181
commit c9b9239
Show file tree

Hide file tree

Showing 11 changed files with 69 additions and 7 deletions.
diff --git a/internal/broker/broker_test.go b/internal/broker/broker_test.go
@@ -375,14 +375,16 @@ func TestIsAuthenticated(t *testing.T) {
 	correctPassword := "password"
 
 	tests := map[string]struct {
-		sessionMode string
-		username    string
+		sessionMode    string
+		sessionOffline bool
+		username       string
 
-		firstMode        string
-		firstChallenge   string
-		firstAuthInfo    map[string]any
-		badFirstKey      bool
-		getUserInfoFails bool
+		firstMode                string
+		firstChallenge           string
+		firstAuthInfo            map[string]any
+		badFirstKey              bool
+		getUserInfoFails         bool
+		groupsReturnedByProvider []info.Group
 
 		customHandlers map[string]testutils.EndpointHandler
 		address        string
@@ -395,6 +397,7 @@ func TestIsAuthenticated(t *testing.T) {
 		invalidAuthData      bool
 		dontWaitForFirstCall bool
 		readOnlyDataDir      bool
+		wantGroups           []info.Group
 	}{
 		"Successfully_authenticate_user_with_device_auth_and_newpassword": {firstChallenge: "-", wantSecondCall: true},
 		"Successfully_authenticate_user_with_password":                    {firstMode: authmodes.Password, token: &tokenOptions{}},
@@ -423,6 +426,24 @@ func TestIsAuthenticated(t *testing.T) {
 			},
 			address: "127.0.0.1:31313",
 		},
+		"Authenticating_with_password_refreshes_groups": {
+			firstMode:                authmodes.Password,
+			token:                    &tokenOptions{},
+			groupsReturnedByProvider: []info.Group{{Name: "refreshed-group"}},
+			wantGroups:               []info.Group{{Name: "refreshed-group"}},
+		},
+		"Authenticating_with_password_keeps_old_groups_if_fetching_user_info_fails": {
+			firstMode:        authmodes.Password,
+			token:            &tokenOptions{groups: []info.Group{{Name: "old-group"}}},
+			getUserInfoFails: true,
+			wantGroups:       []info.Group{{Name: "old-group"}},
+		},
+		"Authenticating_with_password_keeps_old_groups_if_session_is_offline": {
+			firstMode:      authmodes.Password,
+			token:          &tokenOptions{groups: []info.Group{{Name: "old-group"}}},
+			sessionOffline: true,
+			wantGroups:     []info.Group{{Name: "old-group"}},
+		},
 
 		"Error_when_authentication_data_is_invalid":         {invalidAuthData: true},
 		"Error_when_challenge_can_not_be_decrypted":         {firstMode: authmodes.Password, badFirstKey: true},
@@ -501,6 +522,12 @@ func TestIsAuthenticated(t *testing.T) {
 				tc.sessionMode = "auth"
 			}
 
+			if tc.sessionOffline {
+				tc.customHandlers = map[string]testutils.EndpointHandler{
+					"/.well-known/openid-configuration": testutils.UnavailableHandler(),
+				}
+			}
+
 			outDir := t.TempDir()
 			dataDir := filepath.Join(outDir, "data")
 
@@ -518,6 +545,11 @@ func TestIsAuthenticated(t *testing.T) {
 				cfg.customHandlers = tc.customHandlers
 				cfg.listenAddress = tc.address
 			}
+			if tc.groupsReturnedByProvider != nil {
+				cfg.getGroupsFunc = func() ([]info.Group, error) {
+					return tc.groupsReturnedByProvider, nil
+				}
+			}
 			b := newBrokerForTests(t, cfg)
 
 			sessionID, key := newSessionForTests(t, b, tc.username, tc.sessionMode)
@@ -581,6 +613,17 @@ func TestIsAuthenticated(t *testing.T) {
 
 				err = os.WriteFile(filepath.Join(outDir, "first_call"), out, 0600)
 				require.NoError(t, err, "Failed to write first response")
+
+				if tc.wantGroups != nil {
+					type userInfoMsgType struct {
+						UserInfo info.User `json:"userinfo"`
+					}
+					userInfoMsg := userInfoMsgType{}
+					err = json.Unmarshal([]byte(data), &userInfoMsg)
+					require.NoError(t, err, "Failed to unmarshal user info message")
+					userInfo := userInfoMsg.UserInfo
+					require.ElementsMatch(t, tc.wantGroups, userInfo.Groups, "Groups should match")
+				}
 			}()
 
 			if !tc.dontWaitForFirstCall {

diff --git a/internal/broker/helper_test.go b/internal/broker/helper_test.go
@@ -148,6 +148,7 @@ func generateAndStoreCachedInfo(t *testing.T, options tokenOptions, path string)
 type tokenOptions struct {
 	username string
 	issuer   string
+	groups   []info.Group
 
 	expired        bool
 	noRefreshToken bool
@@ -211,6 +212,9 @@ func generateCachedInfo(t *testing.T, options tokenOptions) *token.AuthCachedInf
 				{Name: "saved-local-group", UGID: ""},
 			},
 		}
+		if options.groups != nil {
+			tok.UserInfo.Groups = options.groups
+		}
 	}
 
 	if options.invalidClaims {

diff --git a/...eps_old_groups_if_fetching_user_info_fails/data/provider_url/[email protected]/password b/...eps_old_groups_if_fetching_user_info_fails/data/provider_url/[email protected]/password
@@ -0,0 +1 @@
+Definitely a hashed password
diff --git a/...s_old_groups_if_fetching_user_info_fails/data/provider_url/[email protected]/token.json b/...s_old_groups_if_fetching_user_info_fails/data/provider_url/[email protected]/token.json
@@ -0,0 +1 @@
+Definitely an encrypted token
diff --git a/...lden/Authenticating_with_password_keeps_old_groups_if_fetching_user_info_fails/first_call b/...lden/Authenticating_with_password_keeps_old_groups_if_fetching_user_info_fails/first_call
@@ -0,0 +1,3 @@
+access: granted
+data: '{"userinfo":{"name":"[email protected]","uuid":"saved-user-id","dir":"/home/[email protected]","shell":"/usr/bin/bash","gecos":"[email protected]","groups":[{"name":"old-group","ugid":""}]}}'
+err: <nil>
diff --git a/...ord_keeps_old_groups_if_session_is_offline/data/provider_url/[email protected]/password b/...ord_keeps_old_groups_if_session_is_offline/data/provider_url/[email protected]/password
@@ -0,0 +1 @@
+Definitely a hashed password
diff --git a/...d_keeps_old_groups_if_session_is_offline/data/provider_url/[email protected]/token.json b/...d_keeps_old_groups_if_session_is_offline/data/provider_url/[email protected]/token.json
@@ -0,0 +1 @@
+Definitely an encrypted token
diff --git a/...ted/golden/Authenticating_with_password_keeps_old_groups_if_session_is_offline/first_call b/...ted/golden/Authenticating_with_password_keeps_old_groups_if_session_is_offline/first_call
@@ -0,0 +1,3 @@
+access: granted
+data: '{"userinfo":{"name":"[email protected]","uuid":"saved-user-id","dir":"/home/[email protected]","shell":"/usr/bin/bash","gecos":"[email protected]","groups":[{"name":"old-group","ugid":""}]}}'
+err: <nil>
diff --git a/...henticating_with_password_refreshes_groups/data/provider_url/[email protected]/password b/...henticating_with_password_refreshes_groups/data/provider_url/[email protected]/password
@@ -0,0 +1 @@
+Definitely a hashed password
diff --git a/...nticating_with_password_refreshes_groups/data/provider_url/[email protected]/token.json b/...nticating_with_password_refreshes_groups/data/provider_url/[email protected]/token.json
@@ -0,0 +1 @@
+Definitely an encrypted token
diff --git a/...tdata/TestIsAuthenticated/golden/Authenticating_with_password_refreshes_groups/first_call b/...tdata/TestIsAuthenticated/golden/Authenticating_with_password_refreshes_groups/first_call
@@ -0,0 +1,3 @@
+access: granted
+data: '{"userinfo":{"name":"[email protected]","uuid":"test-user-id","dir":"/home/[email protected]","shell":"/usr/bin/bash","gecos":"[email protected]","groups":[{"name":"refreshed-group","ugid":""}]}}'
+err: <nil>