* nit: replaced hardcoded string constants with named constants * acl: added management of ACL entries * auth: implemented DefaultAuthorizer which uses ACLs if any entries are found in the system and falls back to LegacyAuthorizer if not * cli: switch to DefaultAuthorizer when starting server * cli: added ACL management * server: refactored authenticator + added refresh Authenticator is now an interface which also supports Refresh. * authz: refactored authorizer to be an interface + added Refresh() * server: refresh authentication and authorizer * e2e tests for ACLs * server: handling of SIGHUP to refresh authn/authz caches * server: reorganized flags to specify auth options: - removed '--allow-repository-users' - it's always on - one of --without-password, --server-password or --random-password can be specified to specify password for the UI user - htpasswd-file - can be specified to provide password for UI or remote users * cli: moved 'kopia user' to 'kopia server user' * server: allow all UI actions if no authenticator is set * acl: removed priority until we have a better understood use case for it * acl: added validation of allowed labels when adding ACL entries * site: added docs for ACLs
package auth_test
import (
"context"
"testing"
"github.com/kopia/kopia/internal/auth"
)
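// TestAuthentication checks that an authenticator built for a single user
// accepts only the exact username/password pair it was created with.
func TestAuthentication(t *testing.T) {
	a := auth.AuthenticateSingleUser("user1", "password1")

	// The one pair that must be accepted.
	verifyAuthenticator(t, a, "user1", "password1", true)

	// Right user, wrong password - including a password that merely extends
	// the real one, which a prefix-only comparison would wrongly accept.
	verifyAuthenticator(t, a, "user1", "password2", false)
	verifyAuthenticator(t, a, "user1", "password11", false)

	// Username that extends the real one, with and without the real password.
	verifyAuthenticator(t, a, "user1a", "password1", false)
	verifyAuthenticator(t, a, "user1a", "password1a", false)

	// Truncated and empty credentials must be rejected as well: a comparison
	// bounded by the length of the supplied value would let these through.
	verifyAuthenticator(t, a, "user1", "password", false)
	verifyAuthenticator(t, a, "user1", "", false)
	verifyAuthenticator(t, a, "", "password1", false)
	verifyAuthenticator(t, a, "", "", false)
}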
// TestCombineAuthenticators_Empty checks that combining zero authenticators
// yields nil rather than a usable authenticator value.
func TestCombineAuthenticators_Empty(t *testing.T) {
	if combined := auth.CombineAuthenticators(); combined != nil {
		t.Fatal("combined authenticator expected to return nil for zero-length input")
	}
}
// TestCombineAuthenticators checks that a combined authenticator accepts each
// member's own credentials and rejects one user's name paired with another
// user's password.
func TestCombineAuthenticators(t *testing.T) {
	combined := auth.CombineAuthenticators(
		auth.AuthenticateSingleUser("user1", "password1"),
		auth.AuthenticateSingleUser("user2", "password2"),
		auth.AuthenticateSingleUser("user3", "password3"),
	)

	cases := []struct {
		username string
		password string
		want     bool
	}{
		{"user1", "password1", true},
		{"user2", "password2", true},
		{"user3", "password3", true},
		// Credentials must not mix across the combined authenticators.
		{"user1", "password2", false},
	}

	for _, tc := range cases {
		verifyAuthenticator(t, combined, tc.username, tc.password, tc.want)
	}
}
// verifyAuthenticator asks a whether username/password is valid and records a
// test error when the answer differs from want. It calls IsValid with a
// background context and a nil second argument.
func verifyAuthenticator(t *testing.T, a auth.Authenticator, username, password string, want bool) {
	t.Helper()

	got := a.IsValid(context.Background(), nil, username, password)
	if got == want {
		return
	}

	// The message echoes the password being tried; here these are test fixtures only.
	t.Errorf("invalid authenticator result for %v/%v: %v, want %v", username, password, got, want)
}