Support multiple topics in auth

This commit is contained in:
Philipp Heckel 2022-01-27 12:49:05 -05:00
parent e61a0c2f78
commit 631ade5430
2 changed files with 30 additions and 5 deletions

View file

@ -1140,7 +1140,7 @@ func (s *Server) withAuth(next handleFunc, perm auth.Permission) handleFunc {
if s.auth == nil {
return next(w, r, v)
}
t, err := s.topicFromPath(r.URL.Path)
topics, _, err := s.topicsFromPath(r.URL.Path)
if err != nil {
return err
}
@ -1152,9 +1152,11 @@ func (s *Server) withAuth(next handleFunc, perm auth.Permission) handleFunc {
return errHTTPUnauthorized
}
}
if err := s.auth.Authorize(user, t.ID, perm); err != nil {
log.Printf("unauthorized: %s", err.Error())
return errHTTPForbidden
for _, t := range topics {
if err := s.auth.Authorize(user, t.ID, perm); err != nil {
log.Printf("unauthorized: %s", err.Error())
return errHTTPForbidden
}
}
return next(w, r, v)
}

View file

@ -549,7 +549,7 @@ func TestServer_Auth_Success_User(t *testing.T) {
manager := s.auth.(auth.Manager)
require.Nil(t, manager.AddUser("ben", "ben", auth.RoleUser))
require.Nil(t, manager.AllowAccess("ben", "mytopic", true, true)) // Not mytopic!
require.Nil(t, manager.AllowAccess("ben", "mytopic", true, true))
response := request(t, s, "GET", "/mytopic/auth", "", map[string]string{
"Authorization": basicAuth("ben:ben"),
@ -557,6 +557,29 @@ func TestServer_Auth_Success_User(t *testing.T) {
require.Equal(t, 200, response.Code)
}
func TestServer_Auth_Success_User_MultipleTopics(t *testing.T) {
c := newTestConfig(t)
c.AuthFile = filepath.Join(t.TempDir(), "user.db")
c.AuthDefaultRead = false
c.AuthDefaultWrite = false
s := newTestServer(t, c)
manager := s.auth.(auth.Manager)
require.Nil(t, manager.AddUser("ben", "ben", auth.RoleUser))
require.Nil(t, manager.AllowAccess("ben", "mytopic", true, true))
require.Nil(t, manager.AllowAccess("ben", "anothertopic", true, true))
response := request(t, s, "GET", "/mytopic,anothertopic/auth", "", map[string]string{
"Authorization": basicAuth("ben:ben"),
})
require.Equal(t, 200, response.Code)
response = request(t, s, "GET", "/mytopic,anothertopic,NOT-THIS-ONE/auth", "", map[string]string{
"Authorization": basicAuth("ben:ben"),
})
require.Equal(t, 403, response.Code)
}
func TestServer_Auth_Fail_InvalidPass(t *testing.T) {
c := newTestConfig(t)
c.AuthFile = filepath.Join(t.TempDir(), "user.db")