cacert-boardvoting/internal/handlers/middleware_test.go

/*
Copyright CAcert Inc.
SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package handlers

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"database/sql"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"testing"

	"github.com/jmoiron/sqlx"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"git.cacert.org/cacert-boardvoting/internal"
	"git.cacert.org/cacert-boardvoting/internal/models"
)

func prepareTestDb(t *testing.T) *sqlx.DB {
	t.Helper()

	testDir := t.TempDir()

	db, err := sql.Open("sqlite3", path.Join(testDir, "test.sqlite"))
	require.NoError(t, err)

	dbx := sqlx.NewDb(db, "sqlite3")

	return dbx
}

func Test_secureHeaders(t *testing.T) {
	rr := httptest.NewRecorder()

	r, err := http.NewRequest(http.MethodGet, "/", nil)
	require.NoError(t, err)

	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write([]byte("OK"))
	})

	SecureHeaders(next).ServeHTTP(rr, r)

	rs := rr.Result()

	defer func() { _ = rs.Body.Close() }()

	assert.Equal(t, "default-src 'self'; font-src 'self' data:", rs.Header.Get("Content-Security-Policy"))
	assert.Equal(t, "origin-when-cross-origin", rs.Header.Get("Referrer-Policy"))
	assert.Equal(t, "nosniff", rs.Header.Get("X-Content-Type-Options"))
	assert.Equal(t, "deny", rs.Header.Get("X-Frame-Options"))
	assert.Equal(t, "0", rs.Header.Get("X-XSS-Protection"))
	assert.Equal(t, "max-age=63072000", rs.Header.Get("Strict-Transport-Security"))
}

func TestApplication_tryAuthenticate(t *testing.T) {
	db := prepareTestDb(t)

	err := internal.InitializeDb(db.DB, log.New(os.Stdout, "", log.LstdFlags))

	require.NoError(t, err)

	users := &models.UserModel{DB: db}

	_, err = users.Create(
		context.Background(),
		&models.CreateUserParams{
			Admin: &models.User{
				Name:     "Admin",
				Reminder: sql.NullString{String: "admin@example.org", Valid: true},
			},
			Name:      "Test User",
			Reminder:  "test@example.org",
			Emails:    []string{"test@example.org"},
			Reasoning: "Test data",
		},
	)

	var nextCtx context.Context

	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("OK"))

		nextCtx = r.Context()
	})

	require.NoError(t, err)

	mw := UserMiddleware{
		users: &models.UserModel{DB: db},
	}

	t.Run("without TLS", func(t *testing.T) {
		rr := httptest.NewRecorder()

		r, err := http.NewRequest(http.MethodGet, "/", nil)
		require.NoError(t, err)

		mw.TryAuthenticate(next).ServeHTTP(rr, r)

		rs := rr.Result()

		defer func() { _ = rs.Body.Close() }()

		assert.Equal(t, http.StatusOK, rs.StatusCode)
		assert.Nil(t, nextCtx.Value(ctxUser))
	})

	t.Run("with TLS no certificate", func(t *testing.T) {
		rr := httptest.NewRecorder()

		r, err := http.NewRequest(http.MethodGet, "/", nil)
		require.NoError(t, err)

		r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{}}

		mw.TryAuthenticate(next).ServeHTTP(rr, r)

		rs := rr.Result()

		defer func() { _ = rs.Body.Close() }()

		assert.Equal(t, http.StatusOK, rs.StatusCode)
		assert.Nil(t, nextCtx.Value(ctxUser))
	})

	t.Run("with TLS matching user", func(t *testing.T) {
		rr := httptest.NewRecorder()

		r, err := http.NewRequest(http.MethodGet, "/", nil)
		require.NoError(t, err)

		r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{
			EmailAddresses: []string{"test@example.org"},
			ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}}}

		mw.TryAuthenticate(next).ServeHTTP(rr, r)

		rs := rr.Result()

		defer func() { _ = rs.Body.Close() }()

		assert.Equal(t, http.StatusOK, rs.StatusCode)

		user := nextCtx.Value(ctxUser)

		assert.NotNil(t, user)

		userInstance, ok := user.(*models.User)
		assert.True(t, ok)

		assert.Equal(t, userInstance.Name, "Test User")
	})
}
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`/*`
Update linter config and apply suggestions - remove copyright years (they are in git) - remove outdated linter bug workarounds - update .golangci.yml to match current schema (as of golangci-lint 1.59.0) 2024-06-08 08:29:35 +00:00			`Copyright CAcert Inc.`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`SPDX-License-Identifier: Apache-2.0`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`package handlers`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00
			`import (`
			`"context"`
			`"crypto/tls"`
			`"crypto/x509"`
Implement user creation and voter management 2022-06-04 17:00:57 +00:00			`"database/sql"`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`"log"`
			`"net/http"`
			`"net/http/httptest"`
			`"os"`
Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`"path"`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`"testing"`

Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`"github.com/jmoiron/sqlx"`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

			`"git.cacert.org/cacert-boardvoting/internal"`
			`"git.cacert.org/cacert-boardvoting/internal/models"`
			`)`

Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`func prepareTestDb(t testing.T) sqlx.DB {`
			`t.Helper()`

			`testDir := t.TempDir()`

			`db, err := sql.Open("sqlite3", path.Join(testDir, "test.sqlite"))`
			`require.NoError(t, err)`

			`dbx := sqlx.NewDb(db, "sqlite3")`

			`return dbx`
			`}`

Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`func Test_secureHeaders(t *testing.T) {`
			`rr := httptest.NewRecorder()`

			`r, err := http.NewRequest(http.MethodGet, "/", nil)`
			`require.NoError(t, err)`

			`next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {`
			`_, _ = w.Write([]byte("OK"))`
			`})`

Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`SecureHeaders(next).ServeHTTP(rr, r)`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00
Update linter config and apply suggestions - remove copyright years (they are in git) - remove outdated linter bug workarounds - update .golangci.yml to match current schema (as of golangci-lint 1.59.0) 2024-06-08 08:29:35 +00:00			`rs := rr.Result()`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00
Fix golangci-lint warnings 2022-09-26 09:58:36 +00:00			`defer func() { _ = rs.Body.Close() }()`

Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`assert.Equal(t, "default-src 'self'; font-src 'self' data:", rs.Header.Get("Content-Security-Policy"))`
			`assert.Equal(t, "origin-when-cross-origin", rs.Header.Get("Referrer-Policy"))`
			`assert.Equal(t, "nosniff", rs.Header.Get("X-Content-Type-Options"))`
			`assert.Equal(t, "deny", rs.Header.Get("X-Frame-Options"))`
			`assert.Equal(t, "0", rs.Header.Get("X-XSS-Protection"))`
			`assert.Equal(t, "max-age=63072000", rs.Header.Get("Strict-Transport-Security"))`
			`}`

			`func TestApplication_tryAuthenticate(t *testing.T) {`
			`db := prepareTestDb(t)`

			`err := internal.InitializeDb(db.DB, log.New(os.Stdout, "", log.LstdFlags))`

			`require.NoError(t, err)`

			`users := &models.UserModel{DB: db}`

Remove old code - remove the old code and its dependencies - perform some refactoring and fix notifications - add TODO tags for observed shortcomings - rename voters.go to users.go - implement health check for SMTP connection 2022-05-29 13:36:27 +00:00			`_, err = users.Create(`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`context.Background(),`
Implement user creation and voter management 2022-06-04 17:00:57 +00:00			`&models.CreateUserParams{`
			`Admin: &models.User{`
			`Name: "Admin",`
			`Reminder: sql.NullString{String: "admin@example.org", Valid: true},`
			`},`
			`Name: "Test User",`
			`Reminder: "test@example.org",`
			`Emails: []string{"test@example.org"},`
			`Reasoning: "Test data",`
			`},`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`)`

			`var nextCtx context.Context`

			`next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`_, _ = w.Write([]byte("OK"))`

			`nextCtx = r.Context()`
			`})`

			`require.NoError(t, err)`

Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`mw := UserMiddleware{`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`users: &models.UserModel{DB: db},`
			`}`

			`t.Run("without TLS", func(t *testing.T) {`
			`rr := httptest.NewRecorder()`

			`r, err := http.NewRequest(http.MethodGet, "/", nil)`
			`require.NoError(t, err)`

Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`mw.TryAuthenticate(next).ServeHTTP(rr, r)`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00
Update linter config and apply suggestions - remove copyright years (they are in git) - remove outdated linter bug workarounds - update .golangci.yml to match current schema (as of golangci-lint 1.59.0) 2024-06-08 08:29:35 +00:00			`rs := rr.Result()`
Fix golangci-lint warnings 2022-09-26 09:58:36 +00:00
			`defer func() { _ = rs.Body.Close() }()`

Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`assert.Equal(t, http.StatusOK, rs.StatusCode)`
			`assert.Nil(t, nextCtx.Value(ctxUser))`
			`})`

			`t.Run("with TLS no certificate", func(t *testing.T) {`
			`rr := httptest.NewRecorder()`

			`r, err := http.NewRequest(http.MethodGet, "/", nil)`
			`require.NoError(t, err)`

			`r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{}}`

Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`mw.TryAuthenticate(next).ServeHTTP(rr, r)`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00
Update linter config and apply suggestions - remove copyright years (they are in git) - remove outdated linter bug workarounds - update .golangci.yml to match current schema (as of golangci-lint 1.59.0) 2024-06-08 08:29:35 +00:00			`rs := rr.Result()`
Fix golangci-lint warnings 2022-09-26 09:58:36 +00:00
			`defer func() { _ = rs.Body.Close() }()`

Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`assert.Equal(t, http.StatusOK, rs.StatusCode)`
			`assert.Nil(t, nextCtx.Value(ctxUser))`
			`})`

			`t.Run("with TLS matching user", func(t *testing.T) {`
			`rr := httptest.NewRecorder()`

			`r, err := http.NewRequest(http.MethodGet, "/", nil)`
			`require.NoError(t, err)`

Remove old code - remove the old code and its dependencies - perform some refactoring and fix notifications - add TODO tags for observed shortcomings - rename voters.go to users.go - implement health check for SMTP connection 2022-05-29 13:36:27 +00:00			`r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{`
			`EmailAddresses: []string{"test@example.org"},`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},`
			`}}}`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00
Refactoring away from main package This commit is a refactoring of code that has been located in the main package. We introduce separate packages for the main application, jobs, notifications, and request handlers. Dependencies are injected from the main application, this will make testing easier. 2022-10-15 17:58:58 +00:00			`mw.TryAuthenticate(next).ServeHTTP(rr, r)`
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00
Update linter config and apply suggestions - remove copyright years (they are in git) - remove outdated linter bug workarounds - update .golangci.yml to match current schema (as of golangci-lint 1.59.0) 2024-06-08 08:29:35 +00:00			`rs := rr.Result()`
Fix golangci-lint warnings 2022-09-26 09:58:36 +00:00
			`defer func() { _ = rs.Body.Close() }()`

Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`assert.Equal(t, http.StatusOK, rs.StatusCode)`
Update linter config and apply suggestions - remove copyright years (they are in git) - remove outdated linter bug workarounds - update .golangci.yml to match current schema (as of golangci-lint 1.59.0) 2024-06-08 08:29:35 +00:00
Add tests for handlers and middleware - drop migration 2022052601_drop_unused_decisions_colums because it was implicitly part of an earlier migration - add /health endpoint for database health check - add tests for the health check endpoint - add tests for middleware secureHeaders, logRequest and tryAuthenticate - add models.UserModel.CreateUser method 2022-05-26 17:22:56 +00:00			`user := nextCtx.Value(ctxUser)`

			`assert.NotNil(t, user)`

			`userInstance, ok := user.(*models.User)`
			`assert.True(t, ok)`

			`assert.Equal(t, userInstance.Name, "Test User")`
			`})`
			`}`