4cddfcf2f3
Backend Tests / Tests (other) (push) Failing after 1s
Backend Tests / Static Checks (push) Failing after 2s
Backend Tests / Tests (internal) (push) Failing after 2s
Backend Tests / Tests (server) (push) Failing after 1s
Backend Tests / Tests (store) (push) Failing after 1s
Build Canary Image / build-frontend (push) Failing after 1s
Frontend Tests / Lint (push) Failing after 1s
Build Canary Image / build-push (linux/amd64) (push) Has been skipped
Build Canary Image / build-push (linux/arm64) (push) Has been skipped
Build Canary Image / merge (push) Has been skipped
Frontend Tests / Build (push) Failing after 1s
Release Please / release-please (push) Failing after 0s
Proto Linter / Lint Protos (push) Failing after 2s
82 lines
3.3 KiB
Go
82 lines
3.3 KiB
Go
package test
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
"github.com/usememos/memos/internal/profile"
|
|
"github.com/usememos/memos/internal/util"
|
|
storepb "github.com/usememos/memos/proto/gen/store"
|
|
"github.com/usememos/memos/server/auth"
|
|
apiv1 "github.com/usememos/memos/server/router/api/v1"
|
|
)
|
|
|
|
// TestAuthorizerPrivateInstanceFirstRun verifies the private-instance access policy
|
|
// against a real store: anonymous CreateUser is permitted only until the first user
|
|
// exists, bootstrap methods stay open, and other public methods are gated.
|
|
func TestAuthorizerPrivateInstanceFirstRun(t *testing.T) {
|
|
ctx := context.Background()
|
|
ts := NewTestService(t)
|
|
defer ts.Cleanup()
|
|
|
|
// InstanceURL empty => private instance.
|
|
authorizer := apiv1.NewAuthorizer(ts.Store, ts.Secret, &profile.Profile{InstanceURL: ""})
|
|
|
|
const (
|
|
createUser = "/memos.api.v1.UserService/CreateUser"
|
|
signIn = "/memos.api.v1.AuthService/SignIn"
|
|
listMemos = "/memos.api.v1.MemoService/ListMemos"
|
|
getMemoShare = "/memos.api.v1.MemoService/GetMemoByShare"
|
|
)
|
|
|
|
// Anonymous request with no Authorization header resolves to no identity.
|
|
require.Nil(t, authorizer.Authenticate(ctx, ""))
|
|
|
|
// Fresh instance (no users): first-run CreateUser is allowed, and so are the
|
|
// bootstrap methods; browsing is still gated.
|
|
require.NoError(t, authorizer.CheckAccess(ctx, createUser, nil), "first-run CreateUser should be allowed")
|
|
require.NoError(t, authorizer.CheckAccess(ctx, signIn, nil))
|
|
require.NoError(t, authorizer.CheckAccess(ctx, getMemoShare, nil))
|
|
require.ErrorIs(t, authorizer.CheckAccess(ctx, listMemos, nil), apiv1.ErrUnauthenticated)
|
|
|
|
// Once a user exists, anonymous CreateUser is denied while bootstrap stays open.
|
|
_, err := ts.CreateHostUser(ctx, "host")
|
|
require.NoError(t, err)
|
|
require.ErrorIs(t, authorizer.CheckAccess(ctx, createUser, nil), apiv1.ErrUnauthenticated, "CreateUser must be denied once a user exists")
|
|
require.NoError(t, authorizer.CheckAccess(ctx, signIn, nil))
|
|
}
|
|
|
|
// TestAuthorizerAccessTokenAlwaysWorksOnPrivateInstance verifies that a valid
|
|
// Personal Access Token authenticates through the Authorizer even on a private
|
|
// instance, and then passes the access check for an otherwise-gated method.
|
|
func TestAuthorizerAccessTokenAlwaysWorksOnPrivateInstance(t *testing.T) {
|
|
ctx := context.Background()
|
|
ts := NewTestService(t)
|
|
defer ts.Cleanup()
|
|
|
|
user, err := ts.CreateRegularUser(ctx, "pat-user")
|
|
require.NoError(t, err)
|
|
|
|
token := auth.GeneratePersonalAccessToken()
|
|
require.NoError(t, ts.Store.AddUserPersonalAccessToken(ctx, user.ID, &storepb.PersonalAccessTokensUserSetting_PersonalAccessToken{
|
|
TokenId: util.GenUUID(),
|
|
TokenHash: auth.HashPersonalAccessToken(token),
|
|
Description: "authz test PAT",
|
|
CreatedAt: timestamppb.Now(),
|
|
}))
|
|
|
|
// InstanceURL empty => private instance; the PAT must still authenticate.
|
|
authorizer := apiv1.NewAuthorizer(ts.Store, ts.Secret, &profile.Profile{InstanceURL: ""})
|
|
|
|
result := authorizer.Authenticate(ctx, "Bearer "+token)
|
|
require.NotNil(t, result)
|
|
require.NotNil(t, result.User)
|
|
require.Equal(t, user.ID, result.User.ID)
|
|
|
|
// An authenticated caller passes access control even for a gated method.
|
|
require.NoError(t, authorizer.CheckAccess(ctx, "/memos.api.v1.MemoService/ListMemos", result))
|
|
}
|