grafana/pkg/middleware/middleware_jwt_auth_test.go

package middleware

import (
	"context"
	"errors"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/contexthandler"
	"github.com/grafana/grafana/pkg/setting"
)

func TestMiddlewareJWTAuth(t *testing.T) {
	const id int64 = 12
	const orgID int64 = 2

	configure := func(cfg *setting.Cfg) {
		cfg.JWTAuthEnabled = true
		cfg.JWTAuthHeaderName = "x-jwt-assertion"
	}

	configureUsernameClaim := func(cfg *setting.Cfg) {
		cfg.JWTAuthUsernameClaim = "foo-username"
	}

	configureEmailClaim := func(cfg *setting.Cfg) {
		cfg.JWTAuthEmailClaim = "foo-email"
	}

	configureAutoSignUp := func(cfg *setting.Cfg) {
		cfg.JWTAuthAutoSignUp = true
	}

	token := "some-token"

	middlewareScenario(t, "Valid token with valid login claim", func(t *testing.T, sc *scenarioContext) {
		myUsername := "vladimir"
		var verifiedToken string
		sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {
			verifiedToken = token
			return models.JWTClaims{
				"sub":          myUsername,
				"foo-username": myUsername,
			}, nil
		}
		bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {
			query.Result = &models.SignedInUser{
				UserId: id,
				OrgId:  orgID,
				Login:  query.Login,
			}
			return nil
		})

		sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()
		assert.Equal(t, verifiedToken, token)
		assert.Equal(t, 200, sc.resp.Code)
		assert.True(t, sc.context.IsSignedIn)
		assert.Equal(t, orgID, sc.context.OrgId)
		assert.Equal(t, id, sc.context.UserId)
		assert.Equal(t, myUsername, sc.context.Login)
	}, configure, configureUsernameClaim)

	middlewareScenario(t, "Valid token with valid email claim", func(t *testing.T, sc *scenarioContext) {
		myEmail := "vladimir@example.com"
		var verifiedToken string
		sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {
			verifiedToken = token
			return models.JWTClaims{
				"sub":       myEmail,
				"foo-email": myEmail,
			}, nil
		}
		bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {
			query.Result = &models.SignedInUser{
				UserId: id,
				OrgId:  orgID,
				Email:  query.Email,
			}
			return nil
		})

		sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()
		assert.Equal(t, verifiedToken, token)
		assert.Equal(t, 200, sc.resp.Code)
		assert.True(t, sc.context.IsSignedIn)
		assert.Equal(t, orgID, sc.context.OrgId)
		assert.Equal(t, id, sc.context.UserId)
		assert.Equal(t, myEmail, sc.context.Email)
	}, configure, configureEmailClaim)

	middlewareScenario(t, "Valid token with no user and auto_sign_up disabled", func(t *testing.T, sc *scenarioContext) {
		myEmail := "vladimir@example.com"
		var verifiedToken string
		sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {
			verifiedToken = token
			return models.JWTClaims{
				"sub":       myEmail,
				"name":      "Vladimir Example",
				"foo-email": myEmail,
			}, nil
		}
		bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {
			return models.ErrUserNotFound
		})

		sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()
		assert.Equal(t, verifiedToken, token)
		assert.Equal(t, 401, sc.resp.Code)
		assert.Equal(t, contexthandler.UserNotFound, sc.respJson["message"])
	}, configure, configureEmailClaim)

	middlewareScenario(t, "Valid token with no user and auto_sign_up enabled", func(t *testing.T, sc *scenarioContext) {
		myEmail := "vladimir@example.com"
		var verifiedToken string
		sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {
			verifiedToken = token
			return models.JWTClaims{
				"sub":       myEmail,
				"name":      "Vladimir Example",
				"foo-email": myEmail,
			}, nil
		}
		bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {
			query.Result = &models.SignedInUser{
				UserId: id,
				OrgId:  orgID,
				Email:  query.Email,
			}
			return nil
		})
		bus.AddHandler("upsert-user", func(ctx context.Context, command *models.UpsertUserCommand) error {
			command.Result = &models.User{
				Id:    id,
				Name:  command.ExternalUser.Name,
				Email: command.ExternalUser.Email,
			}
			return nil
		})

		sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()
		assert.Equal(t, verifiedToken, token)
		assert.Equal(t, 200, sc.resp.Code)
		assert.True(t, sc.context.IsSignedIn)
		assert.Equal(t, orgID, sc.context.OrgId)
		assert.Equal(t, id, sc.context.UserId)
		assert.Equal(t, myEmail, sc.context.Email)
	}, configure, configureEmailClaim, configureAutoSignUp)

	middlewareScenario(t, "Valid token without a login claim", func(t *testing.T, sc *scenarioContext) {
		var verifiedToken string
		sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {
			verifiedToken = token
			return models.JWTClaims{
				"sub": "baz",
				"foo": "bar",
			}, nil
		}

		sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()
		assert.Equal(t, verifiedToken, token)
		assert.Equal(t, 401, sc.resp.Code)
		assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
	}, configure, configureUsernameClaim)

	middlewareScenario(t, "Valid token without a email claim", func(t *testing.T, sc *scenarioContext) {
		var verifiedToken string
		sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {
			verifiedToken = token
			return models.JWTClaims{
				"sub": "baz",
				"foo": "bar",
			}, nil
		}

		sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()
		assert.Equal(t, verifiedToken, token)
		assert.Equal(t, 401, sc.resp.Code)
		assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
	}, configure, configureEmailClaim)

	middlewareScenario(t, "Invalid token", func(t *testing.T, sc *scenarioContext) {
		var verifiedToken string
		sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {
			verifiedToken = token
			return nil, errors.New("token is invalid")
		}

		sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()
		assert.Equal(t, verifiedToken, token)
		assert.Equal(t, 401, sc.resp.Code)
		assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])
	}, configure, configureUsernameClaim)
}
Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`package middleware`

			`import (`
			`"context"`
			`"errors"`
			`"testing"`

Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-14 00:15:22 +08:00			`"github.com/stretchr/testify/assert"`

Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`"github.com/grafana/grafana/pkg/bus"`
			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/services/contexthandler"`
			`"github.com/grafana/grafana/pkg/setting"`
			`)`

			`func TestMiddlewareJWTAuth(t *testing.T) {`
			`const id int64 = 12`
			`const orgID int64 = 2`

			`configure := func(cfg *setting.Cfg) {`
			`cfg.JWTAuthEnabled = true`
			`cfg.JWTAuthHeaderName = "x-jwt-assertion"`
			`}`

			`configureUsernameClaim := func(cfg *setting.Cfg) {`
			`cfg.JWTAuthUsernameClaim = "foo-username"`
			`}`

			`configureEmailClaim := func(cfg *setting.Cfg) {`
			`cfg.JWTAuthEmailClaim = "foo-email"`
			`}`

Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-14 00:15:22 +08:00			`configureAutoSignUp := func(cfg *setting.Cfg) {`
			`cfg.JWTAuthAutoSignUp = true`
			`}`

Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`token := "some-token"`

			`middlewareScenario(t, "Valid token with valid login claim", func(t testing.T, sc scenarioContext) {`
			`myUsername := "vladimir"`
			`var verifiedToken string`
			`sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {`
			`verifiedToken = token`
			`return models.JWTClaims{`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-14 00:15:22 +08:00			`"sub": myUsername,`
Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`"foo-username": myUsername,`
			`}, nil`
			`}`
Rename AddHandlerCtx to AddHandler (#43557) 2021-12-28 23:08:07 +08:00			`bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {`
Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`query.Result = &models.SignedInUser{`
			`UserId: id,`
			`OrgId: orgID,`
			`Login: query.Login,`
			`}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()`
			`assert.Equal(t, verifiedToken, token)`
			`assert.Equal(t, 200, sc.resp.Code)`
			`assert.True(t, sc.context.IsSignedIn)`
			`assert.Equal(t, orgID, sc.context.OrgId)`
			`assert.Equal(t, id, sc.context.UserId)`
			`assert.Equal(t, myUsername, sc.context.Login)`
			`}, configure, configureUsernameClaim)`

			`middlewareScenario(t, "Valid token with valid email claim", func(t testing.T, sc scenarioContext) {`
			`myEmail := "vladimir@example.com"`
			`var verifiedToken string`
			`sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {`
			`verifiedToken = token`
			`return models.JWTClaims{`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-14 00:15:22 +08:00			`"sub": myEmail,`
Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`"foo-email": myEmail,`
			`}, nil`
			`}`
Rename AddHandlerCtx to AddHandler (#43557) 2021-12-28 23:08:07 +08:00			`bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {`
Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`query.Result = &models.SignedInUser{`
			`UserId: id,`
			`OrgId: orgID,`
			`Email: query.Email,`
			`}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()`
			`assert.Equal(t, verifiedToken, token)`
			`assert.Equal(t, 200, sc.resp.Code)`
			`assert.True(t, sc.context.IsSignedIn)`
			`assert.Equal(t, orgID, sc.context.OrgId)`
			`assert.Equal(t, id, sc.context.UserId)`
			`assert.Equal(t, myEmail, sc.context.Email)`
			`}, configure, configureEmailClaim)`

Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-14 00:15:22 +08:00			`middlewareScenario(t, "Valid token with no user and auto_sign_up disabled", func(t testing.T, sc scenarioContext) {`
			`myEmail := "vladimir@example.com"`
			`var verifiedToken string`
			`sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {`
			`verifiedToken = token`
			`return models.JWTClaims{`
			`"sub": myEmail,`
			`"name": "Vladimir Example",`
			`"foo-email": myEmail,`
			`}, nil`
			`}`
			`bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {`
			`return models.ErrUserNotFound`
			`})`

			`sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()`
			`assert.Equal(t, verifiedToken, token)`
			`assert.Equal(t, 401, sc.resp.Code)`
			`assert.Equal(t, contexthandler.UserNotFound, sc.respJson["message"])`
			`}, configure, configureEmailClaim)`

			`middlewareScenario(t, "Valid token with no user and auto_sign_up enabled", func(t testing.T, sc scenarioContext) {`
			`myEmail := "vladimir@example.com"`
			`var verifiedToken string`
			`sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {`
			`verifiedToken = token`
			`return models.JWTClaims{`
			`"sub": myEmail,`
			`"name": "Vladimir Example",`
			`"foo-email": myEmail,`
			`}, nil`
			`}`
			`bus.AddHandler("get-sign-user", func(ctx context.Context, query *models.GetSignedInUserQuery) error {`
			`query.Result = &models.SignedInUser{`
			`UserId: id,`
			`OrgId: orgID,`
			`Email: query.Email,`
			`}`
			`return nil`
			`})`
			`bus.AddHandler("upsert-user", func(ctx context.Context, command *models.UpsertUserCommand) error {`
			`command.Result = &models.User{`
			`Id: id,`
			`Name: command.ExternalUser.Name,`
			`Email: command.ExternalUser.Email,`
			`}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()`
			`assert.Equal(t, verifiedToken, token)`
			`assert.Equal(t, 200, sc.resp.Code)`
			`assert.True(t, sc.context.IsSignedIn)`
			`assert.Equal(t, orgID, sc.context.OrgId)`
			`assert.Equal(t, id, sc.context.UserId)`
			`assert.Equal(t, myEmail, sc.context.Email)`
			`}, configure, configureEmailClaim, configureAutoSignUp)`

Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`middlewareScenario(t, "Valid token without a login claim", func(t testing.T, sc scenarioContext) {`
			`var verifiedToken string`
			`sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {`
			`verifiedToken = token`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-14 00:15:22 +08:00			`return models.JWTClaims{`
			`"sub": "baz",`
			`"foo": "bar",`
			`}, nil`
Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`}`

			`sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()`
			`assert.Equal(t, verifiedToken, token)`
			`assert.Equal(t, 401, sc.resp.Code)`
			`assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])`
			`}, configure, configureUsernameClaim)`

			`middlewareScenario(t, "Valid token without a email claim", func(t testing.T, sc scenarioContext) {`
			`var verifiedToken string`
			`sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {`
			`verifiedToken = token`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-14 00:15:22 +08:00			`return models.JWTClaims{`
			`"sub": "baz",`
			`"foo": "bar",`
			`}, nil`
Auth: support JWT Authentication (#29995) 2021-03-31 23:40:44 +08:00			`}`

			`sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()`
			`assert.Equal(t, verifiedToken, token)`
			`assert.Equal(t, 401, sc.resp.Code)`
			`assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])`
			`}, configure, configureEmailClaim)`

			`middlewareScenario(t, "Invalid token", func(t testing.T, sc scenarioContext) {`
			`var verifiedToken string`
			`sc.jwtAuthService.VerifyProvider = func(ctx context.Context, token string) (models.JWTClaims, error) {`
			`verifiedToken = token`
			`return nil, errors.New("token is invalid")`
			`}`

			`sc.fakeReq("GET", "/").withJWTAuthHeader(token).exec()`
			`assert.Equal(t, verifiedToken, token)`
			`assert.Equal(t, 401, sc.resp.Code)`
			`assert.Equal(t, contexthandler.InvalidJWT, sc.respJson["message"])`
			`}, configure, configureUsernameClaim)`
			`}`