git » chasquid » master » tree

[master] / internal / userdb / userdb_test.go

package userdb

import (
	"fmt"
	"os"
	"reflect"
	"strings"
	"testing"
)

// Remove the file if the test was successful. Used in defer statements, to
// leave files around for inspection when the tests failed.
func removeIfSuccessful(t *testing.T, fname string) {
	// Safeguard, to make sure we only remove test files.
	// This should help prevent accidental deletions.
	if !strings.Contains(fname, "userdb_test") {
		panic("invalid/dangerous directory")
	}

	if !t.Failed() {
		os.Remove(fname)
	}
}

// Create a database with the given content on a temporary filename. Return
// the filename, or an error if there were errors creating it.
func mustCreateDB(t *testing.T, content string) string {
	f, err := os.CreateTemp("", "userdb_test")
	if err != nil {
		t.Fatal(err)
	}

	if _, err := f.WriteString(content); err != nil {
		t.Fatal(err)
	}

	t.Logf("file: %q", f.Name())
	return f.Name()
}

func dbEquals(a, b *DB) bool {
	if a.db == nil || b.db == nil {
		return a.db == nil && b.db == nil
	}

	if len(a.db.Users) != len(b.db.Users) {
		return false
	}

	for k, av := range a.db.Users {
		bv, ok := b.db.Users[k]
		if !ok || !reflect.DeepEqual(av, bv) {
			return false
		}
	}

	return true
}

var emptyDB = &DB{
	db: &ProtoDB{Users: map[string]*Password{}},
}

// Test various cases of loading an empty/broken database.
func TestEmptyLoad(t *testing.T) {
	cases := []struct {
		desc     string
		content  string
		fatal    bool
		fatalErr error
	}{
		{"empty file", "", false, nil},
		{"invalid ", "users: < invalid >", true, nil},
	}

	for _, c := range cases {
		testOneLoad(t, c.desc, c.content, c.fatal, c.fatalErr)
	}
}

func testOneLoad(t *testing.T, desc, content string, fatal bool, fatalErr error) {
	fname := mustCreateDB(t, content)
	defer removeIfSuccessful(t, fname)
	db, err := Load(fname)
	if fatal {
		if err == nil {
			t.Errorf("case %q: expected error loading, got nil", desc)
		}
		if fatalErr != nil && fatalErr != err {
			t.Errorf("case %q: expected error %v, got %v", desc, fatalErr, err)
		}
	} else if !fatal && err != nil {
		t.Fatalf("case %q: error loading database: %v", desc, err)
	}

	if db != nil && !dbEquals(db, emptyDB) {
		t.Errorf("case %q: DB not empty: %#v", desc, db.db.Users)
	}
}

func mustLoad(t *testing.T, fname string) *DB {
	db, err := Load(fname)
	if err != nil {
		t.Fatalf("error loading database: %v", err)
	}

	return db
}

func TestWrite(t *testing.T) {
	fname := mustCreateDB(t, "")
	defer removeIfSuccessful(t, fname)
	db := mustLoad(t, fname)

	if err := db.Write(); err != nil {
		t.Fatalf("error writing database: %v", err)
	}

	// Load again, check it works and it's still empty.
	db = mustLoad(t, fname)
	if !dbEquals(emptyDB, db) {
		t.Fatalf("expected %v, got %v", emptyDB, db)
	}

	// Add users, write, and load again.
	if err := db.AddUser("user1", "passwd1"); err != nil {
		t.Fatalf("failed to add user1: %v", err)
	}
	if err := db.AddUser("ñoño", "añicos"); err != nil {
		t.Fatalf("failed to add ñoño: %v", err)
	}
	if err := db.AddDeniedUser("ñaca"); err != nil {
		t.Fatalf("failed to add ñaca: %v", err)
	}
	if err := db.Write(); err != nil {
		t.Fatalf("error writing database: %v", err)
	}

	db = mustLoad(t, fname)
	for _, name := range []string{"user1", "ñoño", "ñaca"} {
		if !db.Exists(name) {
			t.Errorf("user %q not in database", name)
		}
		if db.db.Users[name].GetScheme() == nil {
			t.Errorf("user %q missing scheme: %#v", name, db.db.Users[name])
		}
	}

	// Check various user and password combinations, not all valid.
	combinations := []struct {
		user, passwd string
		expected     bool
	}{
		{"user1", "passwd1", true},
		{"user1", "passwd", false},
		{"user1", "passwd12", false},
		{"ñoño", "añicos", true},
		{"ñoño", "anicos", false},
		{"ñaca", "", false},
		{"ñaca", "lalala", false},
		{"notindb", "something", false},
		{"", "", false},
		{" ", "  ", false},
	}
	for _, c := range combinations {
		if db.Authenticate(c.user, c.passwd) != c.expected {
			t.Errorf("auth(%q, %q) != %v", c.user, c.passwd, c.expected)
		}
	}
}

func TestNew(t *testing.T) {
	fname := fmt.Sprintf("%s/userdb_test-%d", os.TempDir(), os.Getpid())
	defer os.Remove(fname)
	db1 := New(fname)
	db1.AddUser("user", "passwd")
	db1.Write()

	db2, err := Load(fname)
	if err != nil {
		t.Fatalf("error loading: %v", err)
	}

	if !dbEquals(db1, db2) {
		t.Errorf("databases differ. db1:%v  !=  db2:%v", db1, db2)
	}
}

func TestInvalidUsername(t *testing.T) {
	fname := mustCreateDB(t, "")
	defer removeIfSuccessful(t, fname)
	db := mustLoad(t, fname)

	// Names that are invalid.
	names := []string{
		// Contain various types of spaces.
		" ", "  ", "a b", "ñ ñ", "a\xa0b", "a\x85b", "a\nb", "a\tb", "a\xffb",

		// Contain characters not allowed by PRECIS.
		"\u00b9", "\u2163",

		// Names that are not normalized, but would otherwise be valid.
		"A", "Ñ",
	}
	for _, name := range names {
		err := db.AddUser(name, "passwd")
		if err == nil {
			t.Errorf("AddUser(%q) worked, expected it to fail", name)
		}

		err = db.AddDeniedUser(name)
		if err == nil {
			t.Errorf("AddDeniedUser(%q) worked, expected it to fail", name)
		}
	}
}

func plainPassword(p string) *Password {
	return &Password{
		Scheme: &Password_Plain{
			Plain: &Plain{Password: []byte(p)},
		},
	}
}

// Test the plain scheme. Note we don't expect to use it in cases other than
// debugging, but it should be functional for that purpose.
func TestPlainScheme(t *testing.T) {
	fname := mustCreateDB(t, "")
	defer removeIfSuccessful(t, fname)
	db := mustLoad(t, fname)

	db.db.Users["user"] = plainPassword("pass word")
	err := db.Write()
	if err != nil {
		t.Errorf("Write failed: %v", err)
	}

	db = mustLoad(t, fname)
	if !db.Authenticate("user", "pass word") {
		t.Errorf("failed plain authentication")
	}
	if db.Authenticate("user", "wrong") {
		t.Errorf("plain authentication worked but it shouldn't")
	}
}

// Test the denied scheme.
func TestDeniedScheme(t *testing.T) {
	fname := mustCreateDB(t, "")
	defer removeIfSuccessful(t, fname)
	db := mustLoad(t, fname)

	db.db.Users["user"] = &Password{Scheme: &Password_Denied{}}
	err := db.Write()
	if err != nil {
		t.Errorf("Write failed: %v", err)
	}

	db = mustLoad(t, fname)
	if db.Authenticate("user", "anything") {
		t.Errorf("denied authentication worked but it shouldn't")
	}
}

func TestReload(t *testing.T) {
	content := "users:< key: 'u1' value:< plain:< password: 'pass' >>>"
	fname := mustCreateDB(t, content)
	defer removeIfSuccessful(t, fname)
	db := mustLoad(t, fname)

	// Add a valid line to the file.
	content += "users:< key: 'u2' value:< plain:< password: 'pass' >>>"
	os.WriteFile(fname, []byte(content), 0660)

	err := db.Reload()
	if err != nil {
		t.Errorf("Reload failed: %v", err)
	}
	if len(db.db.Users) != 2 {
		t.Errorf("expected 2 users, got %d", len(db.db.Users))
	}

	// And now a broken one.
	content += "users:< invalid >"
	os.WriteFile(fname, []byte(content), 0660)

	err = db.Reload()
	if err == nil {
		t.Errorf("expected error, got nil")
	}
	if len(db.db.Users) != 2 {
		t.Errorf("expected 2 users, got %d", len(db.db.Users))
	}

	// Cause an even bigger error loading, check the database is not changed.
	db.fname = "/does/not/exist"
	err = db.Reload()
	if err == nil {
		t.Errorf("expected error, got nil")
	}
	if len(db.db.Users) != 2 {
		t.Errorf("expected 2 users, got %d", len(db.db.Users))
	}
}

func TestRemoveUser(t *testing.T) {
	fname := mustCreateDB(t, "")
	defer removeIfSuccessful(t, fname)
	db := mustLoad(t, fname)

	if ok := db.RemoveUser("unknown"); ok {
		t.Errorf("removal of unknown user succeeded")
	}

	if err := db.AddUser("user", "passwd"); err != nil {
		t.Fatalf("error adding user: %v", err)
	}

	if ok := db.RemoveUser("unknown"); ok {
		t.Errorf("removal of unknown user succeeded")
	}

	if ok := db.RemoveUser("user"); !ok {
		t.Errorf("removal of existing user failed")
	}

	if ok := db.RemoveUser("user"); ok {
		t.Errorf("removal of unknown user succeeded")
	}
}

func TestExists(t *testing.T) {
	fname := mustCreateDB(t, "")
	defer removeIfSuccessful(t, fname)
	db := mustLoad(t, fname)

	if db.Exists("unknown") {
		t.Errorf("unknown user exists")
	}

	if err := db.AddUser("user", "passwd"); err != nil {
		t.Fatalf("error adding user: %v", err)
	}

	if db.Exists("unknown") {
		t.Errorf("unknown user exists")
	}

	if !db.Exists("user") {
		t.Errorf("known user does not exist")
	}

	if !db.Exists("user") {
		t.Errorf("known user does not exist")
	}

	if err := db.AddDeniedUser("denieduser"); err != nil {
		t.Fatalf("error adding user: %v", err)
	}

	if !db.Exists("denieduser") {
		t.Errorf("known (denied) user does not exist")
	}
}