feat(server): role based authentication system (#2434)

- Parse toml configuration file, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication - Retro-compatible with existing AND documented routes, until after v3.41 release - Log a warning if an unprotected-by-default route is accessed unprotected - Authentication methods: none, apikey, basic - `genkey` command to generate API keys Co-authored-by: Joe Jose <45399349+joejose97@users.noreply.github.com>
2024-09-18 13:29:36 +02:00
parent 07651683f9
commit a2e76e1683
25 changed files with 920 additions and 10 deletions
--- a/internal/server/middlewares/auth/configfile_test.go
+++ b/internal/server/middlewares/auth/configfile_test.go
@@ -0,0 +1,80 @@
+package auth
+
+import (
+	"io/fs"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Read reads the toml file specified by the filepath given.
+func Test_Read(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		fileContent string
+		settings    Settings
+		errMessage  string
+	}{
+		"empty_file": {},
+		"malformed_toml": {
+			fileContent: "this is not a toml file",
+			errMessage:  `toml decoding file: toml: expected character =`,
+		},
+		"unknown_field": {
+			fileContent: `unknown = "what is this"`,
+			errMessage: `toml decoding file: strict mode: fields in the document are missing in the target struct:
+1| unknown = "what is this"
+ | ~~~~~~~ missing field`,
+		},
+		"filled_settings": {
+			fileContent: `[[roles]]
+name = "public"
+auth = "none"
+routes = ["GET /v1/vpn/status", "PUT /v1/vpn/status"]
+
+[[roles]]
+name = "client"
+auth = "apikey"
+apikey = "xyz"
+routes = ["GET /v1/vpn/status"]
+`,
+			settings: Settings{
+				Roles: []Role{{
+					Name:   "public",
+					Auth:   AuthNone,
+					Routes: []string{"GET /v1/vpn/status", "PUT /v1/vpn/status"},
+				}, {
+					Name:   "client",
+					Auth:   AuthAPIKey,
+					APIKey: "xyz",
+					Routes: []string{"GET /v1/vpn/status"},
+				}},
+			},
+		},
+	}
+
+	for name, testCase := range testCases {
+		testCase := testCase
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			tempDir := t.TempDir()
+			filepath := tempDir + "/config.toml"
+			const permissions fs.FileMode = 0600
+			err := os.WriteFile(filepath, []byte(testCase.fileContent), permissions)
+			require.NoError(t, err)
+
+			settings, err := Read(filepath)
+
+			assert.Equal(t, testCase.settings, settings)
+			if testCase.errMessage != "" {
+				assert.EqualError(t, err, testCase.errMessage)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}