grafana/pkg/middleware/auth_test.go

package middleware

import (
	"fmt"
	"testing"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/stretchr/testify/require"

	. "github.com/smartystreets/goconvey/convey"
)

func TestMiddlewareAuth(t *testing.T) {
	Convey("Given the grafana middleware", t, func() {
		reqSignIn := Auth(&AuthOptions{ReqSignedIn: true})

		middlewareScenario(t, "ReqSignIn true and unauthenticated request", func(sc *scenarioContext) {
			sc.m.Get("/secure", reqSignIn, sc.defaultHandler)

			sc.fakeReq("GET", "/secure").exec()

			Convey("Should redirect to login", func() {
				So(sc.resp.Code, ShouldEqual, 302)
			})
		})

		middlewareScenario(t, "ReqSignIn true and unauthenticated API request", func(sc *scenarioContext) {
			sc.m.Get("/api/secure", reqSignIn, sc.defaultHandler)

			sc.fakeReq("GET", "/api/secure").exec()

			Convey("Should return 401", func() {
				So(sc.resp.Code, ShouldEqual, 401)
			})
		})

		Convey("Anonymous auth enabled", func() {
			origEnabled := setting.AnonymousEnabled
			t.Cleanup(func() {
				setting.AnonymousEnabled = origEnabled
			})
			origName := setting.AnonymousOrgName
			t.Cleanup(func() {
				setting.AnonymousOrgName = origName
			})
			setting.AnonymousEnabled = true
			setting.AnonymousOrgName = "test"

			bus.AddHandler("test", func(query *models.GetOrgByNameQuery) error {
				query.Result = &models.Org{Id: 1, Name: "test"}
				return nil
			})

			middlewareScenario(t, "ReqSignIn true and request with forceLogin in query string", func(sc *scenarioContext) {
				sc.m.Get("/secure", reqSignIn, sc.defaultHandler)

				sc.fakeReq("GET", "/secure?forceLogin=true").exec()

				Convey("Should redirect to login", func() {
					So(sc.resp.Code, ShouldEqual, 302)
					location, ok := sc.resp.Header()["Location"]
					So(ok, ShouldBeTrue)
					So(location[0], ShouldEqual, "/login")
				})
			})

			middlewareScenario(t, "ReqSignIn true and request with same org provided in query string", func(sc *scenarioContext) {
				sc.m.Get("/secure", reqSignIn, sc.defaultHandler)

				sc.fakeReq("GET", "/secure?orgId=1").exec()

				Convey("Should not redirect to login", func() {
					So(sc.resp.Code, ShouldEqual, 200)
				})
			})

			middlewareScenario(t, "ReqSignIn true and request with different org provided in query string", func(sc *scenarioContext) {
				sc.m.Get("/secure", reqSignIn, sc.defaultHandler)

				sc.fakeReq("GET", "/secure?orgId=2").exec()

				Convey("Should redirect to login", func() {
					So(sc.resp.Code, ShouldEqual, 302)
					location, ok := sc.resp.Header()["Location"]
					So(ok, ShouldBeTrue)
					So(location[0], ShouldEqual, "/login")
				})
			})
		})

		Convey("snapshot public mode or signed in", func() {
			middlewareScenario(t, "Snapshot public mode disabled and unauthenticated request should return 401", func(sc *scenarioContext) {
				sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
				sc.fakeReq("GET", "/api/snapshot").exec()
				So(sc.resp.Code, ShouldEqual, 401)
			})

			middlewareScenario(t, "Snapshot public mode enabled and unauthenticated request should return 200", func(sc *scenarioContext) {
				setting.SnapshotPublicMode = true
				sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
				sc.fakeReq("GET", "/api/snapshot").exec()
				So(sc.resp.Code, ShouldEqual, 200)
			})
		})
	})
}

func TestRemoveForceLoginparams(t *testing.T) {
	tcs := []struct {
		inp string
		exp string
	}{
		{inp: "/?forceLogin=true", exp: "/?"},
		{inp: "/d/dash/dash-title?ordId=1&forceLogin=true", exp: "/d/dash/dash-title?ordId=1"},
		{inp: "/?kiosk&forceLogin=true", exp: "/?kiosk"},
		{inp: "/d/dash/dash-title?ordId=1&kiosk&forceLogin=true", exp: "/d/dash/dash-title?ordId=1&kiosk"},
		{inp: "/d/dash/dash-title?ordId=1&forceLogin=true&kiosk", exp: "/d/dash/dash-title?ordId=1&kiosk"},
		{inp: "/d/dash/dash-title?forceLogin=true&kiosk", exp: "/d/dash/dash-title?&kiosk"},
	}
	for i, tc := range tcs {
		t.Run(fmt.Sprintf("testcase %d", i), func(t *testing.T) {
			require.Equal(t, tc.exp, removeForceLoginParams(tc.inp))
		})
	}
}