diff --git a/config/auth_test.go b/config/auth_test.go
new file mode 100644
index 000000000..7e59b59b3
--- /dev/null
+++ b/config/auth_test.go
@@ -0,0 +1,610 @@
+package config
+
+import (
+ "testing"
+
+ "github.com/charmbracelet/wish/git"
+ "github.com/gliderlabs/ssh"
+ "github.com/matryer/is"
+)
+
+func TestAuth(t *testing.T) {
+ adminKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMwLvyV3ouVrTysUYGoJdl5Vgn5BACKov+n9PlzfPwH a@b"
+ adminPk, _, _, _, _ := ssh.ParseAuthorizedKey([]byte(adminKey))
+ dummyKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxIobhwtfdwN7m1TFt9wx3PsfvcAkISGPxmbmbauST8 a@b"
+ dummyPk, _, _, _, _ := ssh.ParseAuthorizedKey([]byte(dummyKey))
+ cases := []struct {
+ name string
+ cfg Config
+ repo string
+ key ssh.PublicKey
+ access git.AccessLevel
+ }{
+ // Repo access
+ {
+ name: "anon access: no-access, anonymous user",
+ access: git.NoAccess,
+ repo: "foo",
+ cfg: Config{
+ AnonAccess: "no-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: no-access, authd user",
+ key: dummyPk,
+ repo: "foo",
+ access: git.ReadOnlyAccess,
+ cfg: Config{
+ AnonAccess: "no-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: no-access, admin user",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "no-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-only, anonymous user",
+ repo: "foo",
+ access: git.ReadOnlyAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-only, authd user",
+ repo: "foo",
+ key: dummyPk,
+ access: git.ReadOnlyAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-only, admin user",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-write, anonymous user",
+ repo: "foo",
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "read-write",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-write, authd user",
+ repo: "foo",
+ key: dummyPk,
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "read-write",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ }, {
+ name: "anon access: read-write, admin user",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "read-write",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: admin-access, anonymous user",
+ repo: "foo",
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: admin-access, authd user",
+ repo: "foo",
+ key: dummyPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ }, {
+ name: "anon access: admin-access, admin user",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ },
+ },
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+
+ // Collabs
+ {
+ name: "anon access: no-access, authd user, collab",
+ key: dummyPk,
+ repo: "foo",
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "no-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ Collabs: []string{
+ "user",
+ },
+ },
+ },
+ Users: []User{
+ {
+ Name: "user",
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: no-access, authd user, collab, private repo",
+ key: dummyPk,
+ repo: "foo",
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "no-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ Private: true,
+ Collabs: []string{
+ "user",
+ },
+ },
+ },
+ Users: []User{
+ {
+ Name: "user",
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: no-access, admin user, collab, private repo",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "no-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ Private: true,
+ Collabs: []string{
+ "user",
+ },
+ },
+ },
+ Users: []User{
+ {
+ Name: "admin",
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-only, authd user, collab, private repo",
+ repo: "foo",
+ key: dummyPk,
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ Private: true,
+ Collabs: []string{
+ "user",
+ },
+ },
+ },
+ Users: []User{
+ {
+ Name: "user",
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: admin-access, anonymous user, collab",
+ repo: "foo",
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ Collabs: []string{
+ "user",
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: admin-access, authd user, collab",
+ repo: "foo",
+ key: dummyPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ Collabs: []string{
+ "user",
+ },
+ },
+ },
+ Users: []User{
+ {
+ Name: "user",
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ }, {
+ name: "anon access: admin-access, admin user, collab",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Repos: []RepoConfig{
+ {
+ Repo: "foo",
+ Collabs: []string{
+ "user",
+ },
+ },
+ },
+ Users: []User{
+ {
+ Name: "admin",
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+
+ // New repo
+ {
+ name: "anon access: no-access, anonymous user, new repo",
+ access: git.NoAccess,
+ repo: "foo",
+ cfg: Config{
+ AnonAccess: "no-access",
+ },
+ },
+ {
+ name: "anon access: no-access, authd user, new repo",
+ key: dummyPk,
+ repo: "foo",
+ access: git.NoAccess,
+ cfg: Config{
+ AnonAccess: "no-access",
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: no-access, admin user, new repo",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "no-access",
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-only, anonymous user, new repo",
+ repo: "foo",
+ access: git.ReadOnlyAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ },
+ },
+ {
+ name: "anon access: read-only, authd user, new repo",
+ repo: "foo",
+ key: dummyPk,
+ access: git.ReadOnlyAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-only, admin user, new repo",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-write, anonymous user, new repo",
+ repo: "foo",
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "read-write",
+ },
+ },
+ {
+ name: "anon access: read-write, authd user, new repo",
+ repo: "foo",
+ key: dummyPk,
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "read-write",
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: read-write, admin user, new repo",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "read-write",
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: admin-access, anonymous user, new repo",
+ repo: "foo",
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ },
+ },
+ {
+ name: "anon access: admin-access, authd user, new repo",
+ repo: "foo",
+ key: dummyPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Users: []User{
+ {
+ PublicKeys: []string{
+ dummyKey,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "anon access: admin-access, admin user, new repo",
+ repo: "foo",
+ key: adminPk,
+ access: git.AdminAccess,
+ cfg: Config{
+ AnonAccess: "admin-access",
+ Users: []User{
+ {
+ Admin: true,
+ PublicKeys: []string{
+ adminKey,
+ },
+ },
+ },
+ },
+ },
+
+ // No users
+ {
+ name: "anon access: read-only, no users",
+ repo: "foo",
+ access: git.ReadOnlyAccess,
+ cfg: Config{
+ AnonAccess: "read-only",
+ },
+ },
+ {
+ name: "anon access: read-write, no users",
+ repo: "foo",
+ access: git.ReadWriteAccess,
+ cfg: Config{
+ AnonAccess: "read-write",
+ },
+ },
+ }
+ for _, c := range cases {
+ t.Run(c.name, func(t *testing.T) {
+ is := is.New(t)
+ al := c.cfg.accessForKey(c.repo, c.key)
+ is.Equal(al, c.access)
+ })
+ }
+}
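Review bot: Both `ssh.ParseAuthorizedKey` calls at the top of `TestAuth` discard the error, so if either key literal ever fails to parse, `adminPk` or `dummyPk` is the same nil key the anonymous rows use, and rows such as the `admin-access` ones would still pass without testing an authenticated caller. Keep the error and stop early, e.g. `adminPk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(adminKey))` followed by `if err != nil { t.Fatal(err) }`, and the same for `dummyKey`. The table also covers only the allow side of `accessForKey`: every row that sets `key` lists that key in `Users`, and every `Private: true` row is called by a collaborator or an admin. I would add a row for a key that is absent from `Users`, and rows for an anonymous caller and a non-collaborator on a private repo, each pinning the expected level, since those deny paths are where a regression becomes an authorization bypass.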