mirror of https://github.com/go-gost/gost.git
test(e2e): add auth module e2e test suite
Verify HTTP proxy authentication for both inline single-user auth and a named auther with multiple users. Covers valid credentials, wrong password, missing credentials, and any-user-in-auther acceptance.master
parent
3119cb43f2
commit
6746f556b7
|
|
@ -0,0 +1,123 @@
|
||||||
|
package e2e
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/suite"
|
||||||
|
"github.com/testcontainers/testcontainers-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
// AuthSuite verifies proxy authentication on the HTTP handler, using both
|
||||||
|
// inline single-user auth and a named auther with multiple users. Requests
|
||||||
|
// carry proxy credentials via curl's -x http://user:pass@host form; a rejected
|
||||||
|
// request gets a 407 and never reaches the echo server.
|
||||||
|
type AuthSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
echoC testcontainers.Container
|
||||||
|
echoIP string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *AuthSuite) SetupSuite() {
|
||||||
|
s.ctx = context.Background()
|
||||||
|
|
||||||
|
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoC = echoC
|
||||||
|
|
||||||
|
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoIP = echoIP
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *AuthSuite) TearDownSuite() {
|
||||||
|
if s.echoC != nil {
|
||||||
|
s.echoC.Terminate(s.ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// proxyRequest sends one request through the gost proxy using the given
|
||||||
|
// userinfo ("user:pass", or "" for no credentials) and returns the response
|
||||||
|
// body. An authenticated request returns "hello-gost"; a rejected one returns
|
||||||
|
// an empty body.
|
||||||
|
func (s *AuthSuite) proxyRequest(gostC testcontainers.Container, userinfo string) string {
|
||||||
|
proxy := "http://127.0.0.1:8080"
|
||||||
|
if userinfo != "" {
|
||||||
|
proxy = fmt.Sprintf("http://%s@127.0.0.1:8080", userinfo)
|
||||||
|
}
|
||||||
|
cmd := []string{
|
||||||
|
"curl", "-s",
|
||||||
|
"-x", proxy,
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP),
|
||||||
|
}
|
||||||
|
_, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
return string(body)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *AuthSuite) runGost(cfg string) testcontainers.Container {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, cfg, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
return gostC
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestInlineAuthValid verifies that correct inline credentials are accepted.
|
||||||
|
func (s *AuthSuite) TestInlineAuthValid() {
|
||||||
|
gostC := s.runGost("testdata/auth/inline.yaml")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.Require().Contains(s.proxyRequest(gostC, "user:pass"), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestInlineAuthWrongPassword verifies that a wrong password is rejected.
|
||||||
|
func (s *AuthSuite) TestInlineAuthWrongPassword() {
|
||||||
|
gostC := s.runGost("testdata/auth/inline.yaml")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.Require().NotContains(s.proxyRequest(gostC, "user:wrong"), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestInlineAuthMissing verifies that a request without credentials is rejected.
|
||||||
|
func (s *AuthSuite) TestInlineAuthMissing() {
|
||||||
|
gostC := s.runGost("testdata/auth/inline.yaml")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.Require().NotContains(s.proxyRequest(gostC, ""), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestNamedAutherFirstUser verifies that the first user in a named auther is
|
||||||
|
// accepted.
|
||||||
|
func (s *AuthSuite) TestNamedAutherFirstUser() {
|
||||||
|
gostC := s.runGost("testdata/auth/auther.yaml")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.Require().Contains(s.proxyRequest(gostC, "alice:secret"), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestNamedAutherSecondUser verifies that any user in a named auther, not just
|
||||||
|
// the first, is accepted.
|
||||||
|
func (s *AuthSuite) TestNamedAutherSecondUser() {
|
||||||
|
gostC := s.runGost("testdata/auth/auther.yaml")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.Require().Contains(s.proxyRequest(gostC, "bob:hunter2"), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestNamedAutherInvalid verifies that credentials not in the named auther are
|
||||||
|
// rejected.
|
||||||
|
func (s *AuthSuite) TestNamedAutherInvalid() {
|
||||||
|
gostC := s.runGost("testdata/auth/auther.yaml")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.Require().NotContains(s.proxyRequest(gostC, "alice:wrong"), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAuthSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(AuthSuite))
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,18 @@
|
||||||
|
# HTTP proxy authenticated via a named auther holding multiple users. Any
|
||||||
|
# listed user/password pair is accepted; unlisted credentials are rejected.
|
||||||
|
services:
|
||||||
|
- name: proxy
|
||||||
|
addr: ":8080"
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: alice
|
||||||
|
password: secret
|
||||||
|
- username: bob
|
||||||
|
password: hunter2
|
||||||
|
|
@ -0,0 +1,13 @@
|
||||||
|
# HTTP proxy with inline single-user authentication. Clients must supply the
|
||||||
|
# proxy credentials user/pass; wrong or missing credentials get a 407 and never
|
||||||
|
# reach the echo server.
|
||||||
|
services:
|
||||||
|
- name: proxy
|
||||||
|
addr: ":8080"
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auth:
|
||||||
|
username: user
|
||||||
|
password: pass
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
Loading…
Reference in New Issue