server/auth/grpc_test.go - infra/luci/luci-go - Git at Google

 // Copyright 2023 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package auth

 import (
 	"context"
 	"net"
 	"net/http"
 	"testing"

 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/peer"

 	. "github.com/smartystreets/goconvey/convey"
 	. "go.chromium.org/luci/common/testing/assertions"
 )

 func TestAuthenticatingInterceptor(t *testing.T) {
 	t.Parallel()

 	Convey("With request", t, func() {
 		ctx := injectTestDB(context.Background(), &fakeDB{
 			allowedClientID: "some_client_id",
 		})

 		requestCtx := metadata.NewIncomingContext(ctx, metadata.MD{
 			":authority": {"some.example.com"},
 			"x-boom":     {"val1", "val2"},
 			// Can happen when using pRPC transport.
 			"cookie": {
 				"cookie_1=value_1; cookie_2=value_2",
 				"cookie_3=value_3",
 			},
 		})
 		requestCtx = peer.NewContext(requestCtx, &peer.Peer{
 			Addr: &net.IPAddr{
 				IP: net.IPv4(1, 2, 3, 4),
 			},
 		})

 		Convey("Pass", func() {
 			intr := AuthenticatingInterceptor([]Method{
 				fakeAuthMethod{
 					clientID: "some_client_id",
 					email:    "someone@example.com",
 					observe: func(r RequestMetadata) {
 						So(r.Header("X-Boom"), ShouldEqual, "val1")

 						cookie, err := r.Cookie("cookie_1")
 						So(err, ShouldBeNil)
 						So(cookie.Value, ShouldEqual, "value_1")

 						cookie, err = r.Cookie("cookie_2")
 						So(err, ShouldBeNil)
 						So(cookie.Value, ShouldEqual, "value_2")

 						cookie, err = r.Cookie("cookie_3")
 						So(err, ShouldBeNil)
 						So(cookie.Value, ShouldEqual, "value_3")

 						_, err = r.Cookie("cookie_4")
 						So(err, ShouldEqual, http.ErrNoCookie)

 						So(r.RemoteAddr(), ShouldEqual, "1.2.3.4")
 						So(r.Host(), ShouldEqual, "some.example.com")
 					},
 				},
 			})

 			var innerCtx context.Context
 			_, err := intr.Unary()(requestCtx, "request", &grpc.UnaryServerInfo{}, func(ctx context.Context, req any) (any, error) {
 				innerCtx = ctx
 				return "response", nil
 			})
 			So(err, ShouldBeNil)

 			// The handler was actually called and with the correct state.
 			So(innerCtx, ShouldNotBeNil)
 			So(CurrentIdentity(innerCtx), ShouldEqual, "user:someone@example.com")
 		})

 		Convey("Blocked", func() {
 			intr := AuthenticatingInterceptor([]Method{
 				fakeAuthMethod{
 					clientID: "another_client_id",
 				},
 			})
 			_, err := intr.Unary()(requestCtx, "request", &grpc.UnaryServerInfo{}, func(ctx context.Context, req any) (any, error) {
 				panic("must not be called")
 			})
 			So(err, ShouldHaveGRPCStatus, codes.PermissionDenied)
 		})
 	})
 }
	// Copyright 2023 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package auth

	import (
	"context"
	"net"
	"net/http"
	"testing"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/peer"

	. "github.com/smartystreets/goconvey/convey"
	. "go.chromium.org/luci/common/testing/assertions"
	)

	func TestAuthenticatingInterceptor(t *testing.T) {
	t.Parallel()

	Convey("With request", t, func() {
	ctx := injectTestDB(context.Background(), &fakeDB{
	allowedClientID: "some_client_id",
	})

	requestCtx := metadata.NewIncomingContext(ctx, metadata.MD{
	":authority": {"some.example.com"},
	"x-boom": {"val1", "val2"},
	// Can happen when using pRPC transport.
	"cookie": {
	"cookie_1=value_1; cookie_2=value_2",
	"cookie_3=value_3",
	},
	})
	requestCtx = peer.NewContext(requestCtx, &peer.Peer{
	Addr: &net.IPAddr{
	IP: net.IPv4(1, 2, 3, 4),
	},
	})

	Convey("Pass", func() {
	intr := AuthenticatingInterceptor([]Method{
	fakeAuthMethod{
	clientID: "some_client_id",
	email: "someone@example.com",
	observe: func(r RequestMetadata) {
	So(r.Header("X-Boom"), ShouldEqual, "val1")

	cookie, err := r.Cookie("cookie_1")
	So(err, ShouldBeNil)
	So(cookie.Value, ShouldEqual, "value_1")

	cookie, err = r.Cookie("cookie_2")
	So(err, ShouldBeNil)
	So(cookie.Value, ShouldEqual, "value_2")

	cookie, err = r.Cookie("cookie_3")
	So(err, ShouldBeNil)
	So(cookie.Value, ShouldEqual, "value_3")

	_, err = r.Cookie("cookie_4")
	So(err, ShouldEqual, http.ErrNoCookie)

	So(r.RemoteAddr(), ShouldEqual, "1.2.3.4")
	So(r.Host(), ShouldEqual, "some.example.com")
	},
	},
	})

	var innerCtx context.Context
	_, err := intr.Unary()(requestCtx, "request", &grpc.UnaryServerInfo{}, func(ctx context.Context, req any) (any, error) {
	innerCtx = ctx
	return "response", nil
	})
	So(err, ShouldBeNil)

	// The handler was actually called and with the correct state.
	So(innerCtx, ShouldNotBeNil)
	So(CurrentIdentity(innerCtx), ShouldEqual, "user:someone@example.com")
	})

	Convey("Blocked", func() {
	intr := AuthenticatingInterceptor([]Method{
	fakeAuthMethod{
	clientID: "another_client_id",
	},
	})
	_, err := intr.Unary()(requestCtx, "request", &grpc.UnaryServerInfo{}, func(ctx context.Context, req any) (any, error) {
	panic("must not be called")
	})
	So(err, ShouldHaveGRPCStatus, codes.PermissionDenied)
	})
	})
	}