96 lines
3.7 KiB
Go
96 lines
3.7 KiB
Go
package docker
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
portainer "github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/apikey"
|
|
"github.com/portainer/portainer/api/datastore"
|
|
dockerdomain "github.com/portainer/portainer/api/docker"
|
|
dockerclient "github.com/portainer/portainer/api/docker/client"
|
|
"github.com/portainer/portainer/api/http/security"
|
|
"github.com/portainer/portainer/api/internal/authorization"
|
|
"github.com/portainer/portainer/api/internal/testhelpers"
|
|
"github.com/portainer/portainer/api/jwt"
|
|
"github.com/portainer/portainer/pkg/fips"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// unreachableDockerURL points the test environment at a port that refuses connections, so an
|
|
// authorized caller fails fast when the handler builds a docker client rather than blocking on a
|
|
// real daemon. The authorization middleware runs before this, which is what these tests assert.
|
|
const unreachableDockerURL = "tcp://127.0.0.1:1"
|
|
|
|
func newDashboardAuthTestHandler(t *testing.T) (*Handler, *jwt.Service, *datastore.Store) {
|
|
t.Helper()
|
|
fips.InitFIPS(false)
|
|
|
|
_, store := datastore.MustNewTestStore(t, true, true)
|
|
|
|
require.NoError(t, store.Endpoint().Create(&portainer.Endpoint{
|
|
ID: 1, Name: "docker-env", Type: portainer.DockerEnvironment, URL: unreachableDockerURL,
|
|
}))
|
|
|
|
jwtService, err := jwt.NewService("1h", store)
|
|
require.NoError(t, err)
|
|
|
|
bouncer := security.NewRequestBouncer(t.Context(), store, jwtService, apikey.NewAPIKeyService(nil, nil))
|
|
|
|
factory := dockerclient.NewClientFactory(nil, nil)
|
|
authorizationService := authorization.NewService(store)
|
|
containerService := dockerdomain.NewContainerService(factory, store)
|
|
|
|
handler := NewHandler(bouncer, authorizationService, store, factory, containerService)
|
|
|
|
return handler, jwtService, store
|
|
}
|
|
|
|
func dashboardRequest(t *testing.T, handler *Handler, jwtService *jwt.Service, user *portainer.User) *httptest.ResponseRecorder {
|
|
t.Helper()
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/docker/1/dashboard", nil)
|
|
tk, _, err := jwtService.GenerateToken(&portainer.TokenData{ID: user.ID, Username: user.Username, Role: user.Role})
|
|
require.NoError(t, err)
|
|
testhelpers.AddTestSecurityCookie(req, tk)
|
|
|
|
rr := httptest.NewRecorder()
|
|
handler.ServeHTTP(rr, req)
|
|
return rr
|
|
}
|
|
|
|
// TestEndpointAuthorization_DeniedUser_Returns403 verifies that the docker /dashboard
|
|
// route rejects users with no access policy for the target environment (R8S-1057).
|
|
func TestEndpointAuthorization_DeniedUser_Returns403(t *testing.T) {
|
|
handler, jwtService, store := newDashboardAuthTestHandler(t)
|
|
|
|
noAccessUser := &portainer.User{
|
|
Username: "no-access",
|
|
Role: portainer.StandardUserRole,
|
|
PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
|
|
}
|
|
require.NoError(t, store.User().Create(noAccessUser))
|
|
|
|
// A standard user with no access policy must be rejected before the dashboard handler
|
|
// builds a docker client for the environment.
|
|
rr := dashboardRequest(t, handler, jwtService, noAccessUser)
|
|
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
}
|
|
|
|
// TestEndpointAuthorization_AuthorizedUser_NotForbidden verifies that the docker /dashboard
|
|
// route lets an authorized caller through the authorization middleware (R8S-1057). The request
|
|
// fails later when the handler cannot reach the docker daemon, but it must not be rejected with 403.
|
|
func TestEndpointAuthorization_AuthorizedUser_NotForbidden(t *testing.T) {
|
|
handler, jwtService, store := newDashboardAuthTestHandler(t)
|
|
|
|
adminUser := &portainer.User{Username: "admin", Role: portainer.AdministratorRole}
|
|
require.NoError(t, store.User().Create(adminUser))
|
|
|
|
rr := dashboardRequest(t, handler, jwtService, adminUser)
|
|
|
|
assert.NotEqual(t, http.StatusForbidden, rr.Code)
|
|
}
|