mirror of
https://github.com/octoleo/syncthing.git
synced 2024-10-18 10:06:29 +00:00
aa901790b9
This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
190 lines
4.2 KiB
Go
190 lines
4.2 KiB
Go
// Copyright (C) 2014 The Syncthing Authors.
|
|
//
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
// You can obtain one at https://mozilla.org/MPL/2.0/.
|
|
|
|
package api
|
|
|
|
import (
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/syncthing/syncthing/lib/config"
|
|
"github.com/syncthing/syncthing/lib/db"
|
|
"github.com/syncthing/syncthing/lib/db/backend"
|
|
"github.com/syncthing/syncthing/lib/events"
|
|
)
|
|
|
|
var guiCfg config.GUIConfiguration
|
|
|
|
func init() {
|
|
guiCfg.User = "user"
|
|
guiCfg.SetPassword("pass")
|
|
}
|
|
|
|
func TestStaticAuthOK(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ok := authStatic("user", "pass", guiCfg)
|
|
if !ok {
|
|
t.Fatalf("should pass auth")
|
|
}
|
|
}
|
|
|
|
func TestSimpleAuthUsernameFail(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ok := authStatic("userWRONG", "pass", guiCfg)
|
|
if ok {
|
|
t.Fatalf("should fail auth")
|
|
}
|
|
}
|
|
|
|
func TestStaticAuthPasswordFail(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ok := authStatic("user", "passWRONG", guiCfg)
|
|
if ok {
|
|
t.Fatalf("should fail auth")
|
|
}
|
|
}
|
|
|
|
func TestFormatOptionalPercentS(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
template string
|
|
username string
|
|
expected string
|
|
}{
|
|
{"cn=%s,dc=some,dc=example,dc=com", "username", "cn=username,dc=some,dc=example,dc=com"},
|
|
{"cn=fixedusername,dc=some,dc=example,dc=com", "username", "cn=fixedusername,dc=some,dc=example,dc=com"},
|
|
{"cn=%%s,dc=%s,dc=example,dc=com", "username", "cn=%s,dc=username,dc=example,dc=com"},
|
|
{"cn=%%s,dc=%%s,dc=example,dc=com", "username", "cn=%s,dc=%s,dc=example,dc=com"},
|
|
{"cn=%s,dc=%s,dc=example,dc=com", "username", "cn=username,dc=username,dc=example,dc=com"},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
templatedDn := formatOptionalPercentS(c.template, c.username)
|
|
if c.expected != templatedDn {
|
|
t.Fatalf("result should be %s != %s", c.expected, templatedDn)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestEscapeForLDAPFilter(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
in string
|
|
out string
|
|
}{
|
|
{"username", `username`},
|
|
{"user(name", `user\28name`},
|
|
{"user)name", `user\29name`},
|
|
{"user\\name", `user\5Cname`},
|
|
{"user*name", `user\2Aname`},
|
|
{"*,CN=asdf", `\2A,CN=asdf`},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
res := escapeForLDAPFilter(c.in)
|
|
if c.out != res {
|
|
t.Fatalf("result should be %s != %s", c.out, res)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestEscapeForLDAPDN(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
in string
|
|
out string
|
|
}{
|
|
{"username", `username`},
|
|
{"* ,CN=asdf", `*\20\2CCN\3Dasdf`},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
res := escapeForLDAPDN(c.in)
|
|
if c.out != res {
|
|
t.Fatalf("result should be %s != %s", c.out, res)
|
|
}
|
|
}
|
|
}
|
|
|
|
type mockClock struct {
|
|
now time.Time
|
|
}
|
|
|
|
func (c *mockClock) Now() time.Time {
|
|
c.now = c.now.Add(1) // time always ticks by at least 1 ns
|
|
return c.now
|
|
}
|
|
|
|
func (c *mockClock) wind(t time.Duration) {
|
|
c.now = c.now.Add(t)
|
|
}
|
|
|
|
func TestTokenManager(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
mdb, _ := db.NewLowlevel(backend.OpenMemory(), events.NoopLogger)
|
|
kdb := db.NewNamespacedKV(mdb, "test")
|
|
clock := &mockClock{now: time.Now()}
|
|
|
|
// Token manager keeps up to three tokens with a validity time of 24 hours.
|
|
tm := newTokenManager("testTokens", kdb, 24*time.Hour, 3)
|
|
tm.timeNow = clock.Now
|
|
|
|
// Create three tokens
|
|
t0 := tm.New()
|
|
t1 := tm.New()
|
|
t2 := tm.New()
|
|
|
|
// Check that the tokens are valid
|
|
if !tm.Check(t0) {
|
|
t.Errorf("token %q should be valid", t0)
|
|
}
|
|
if !tm.Check(t1) {
|
|
t.Errorf("token %q should be valid", t1)
|
|
}
|
|
if !tm.Check(t2) {
|
|
t.Errorf("token %q should be valid", t2)
|
|
}
|
|
|
|
// Create a fourth token
|
|
t3 := tm.New()
|
|
// It should be valid
|
|
if !tm.Check(t3) {
|
|
t.Errorf("token %q should be valid", t3)
|
|
}
|
|
// But the first token should have been removed
|
|
if tm.Check(t0) {
|
|
t.Errorf("token %q should be invalid", t0)
|
|
}
|
|
|
|
// Wind the clock by 12 hours
|
|
clock.wind(12 * time.Hour)
|
|
// The second token should still be valid (and checking it will give it more life)
|
|
if !tm.Check(t1) {
|
|
t.Errorf("token %q should be valid", t1)
|
|
}
|
|
|
|
// Wind the clock by 12 hours
|
|
clock.wind(12 * time.Hour)
|
|
// The second token should still be valid
|
|
if !tm.Check(t1) {
|
|
t.Errorf("token %q should be valid", t1)
|
|
}
|
|
// But the third and fourth tokens should have expired
|
|
if tm.Check(t2) {
|
|
t.Errorf("token %q should be invalid", t2)
|
|
}
|
|
if tm.Check(t3) {
|
|
t.Errorf("token %q should be invalid", t3)
|
|
}
|
|
}
|