commit fd09c7480fbdd20065c2373f1a3d677c41ecfde9
parent 55a4dab8a50c0255228e4a2e2498a7c5c73d1595
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Sun, 23 Mar 2025 23:30:35 +0100
More tests for authorization logic.
Diffstat:
3 files changed, 67 insertions(+), 10 deletions(-)
diff --git a/src/backend/taler-merchant-httpd_helper.c b/src/backend/taler-merchant-httpd_helper.c
@@ -623,13 +623,6 @@ TMH_check_auth_config (struct MHD_Connection *connection,
}
else
{
- // FIXME prettify
- /*
- if (0 != strncasecmp (RFC_8959_PREFIX,
- *auth_token,
- strlen (RFC_8959_PREFIX)))
- GNUNET_break_op (0);
- else*/
auth_wellformed = true;
}
}
diff --git a/src/backend/taler-merchant-httpd_private-post-instances-ID-auth.c b/src/backend/taler-merchant-httpd_private-post-instances-ID-auth.c
@@ -131,8 +131,7 @@ post_instances_ID_auth (struct TMH_MerchantInstance *mi,
break;
}
- if ( (NULL == TMH_default_auth) &&
- (! mi->auth_override))
+ if (! mi->auth_override)
{
// FIXME are we sure what the scope here is?
ec = TMH_check_token (hc->auth_token,
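Review bot: With the `NULL == TMH_default_auth` guard gone, `TMH_check_token` now runs whenever `auth_override` is not set, yet the `// FIXME are we sure what the scope here is?` directly above the call is left in place, so the scope this endpoint requires is still undocumented at the one place that enforces it. The arguments to TMH_check_token continue past the hunk, so I cannot see which scope is passed; the new shell test only shows that a write-scoped login token for 'second' is accepted here, and none of the visible hunks checks that a read-scoped token is rejected. Once the required scope is confirmed, replace the FIXME with a statement of the contract, e.g. `/* replacing an instance's credentials requires a write-scoped token for this instance */`, and add the negative test. The enclosing `if` block and `post_instances_ID_auth` continue outside the hunk.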
@@ -185,6 +184,8 @@ retry:
/* Finally, also update our running process */
mi->auth = ias;
}
+
+
mi->auth_override = false;
if (0 == strcmp (mi->settings.id,
"admin"))
diff --git a/src/testing/test_merchant_instance_auth.sh b/src/testing/test_merchant_instance_auth.sh
@@ -179,7 +179,22 @@ echo -n "Configuring 'second' instance ..." >&2
STATUS=$(curl -H "Content-Type: application/json" -X POST \
-H 'Authorization: Bearer '"$TOKEN" \
http://localhost:9966/management/instances \
- -d '{"auth":{"method":"token","token":"secret-token:second"},"id":"second","name":"second","address":{},"jurisdiction":{},"use_stefan":true,"default_wire_transfer_delay":{"d_us" : 3600000000},"default_pay_delay":{"d_us": 3600000000}}' \
+ -d '{"auth":{"method":"token","token":"second"},"id":"second","name":"second","address":{},"jurisdiction":{},"use_stefan":true,"default_wire_transfer_delay":{"d_us" : 3600000000},"default_pay_delay":{"d_us": 3600000000}}' \
+ -w "%{http_code}" -s -o /dev/null)
+
+if [ "$STATUS" != "204" ]
+then
+ exit_fail "Expected 204, instance created. got: $STATUS"
+fi
+
+echo "OK" >&2
+
+echo -n "Configuring 'third' instance ..." >&2
+
+STATUS=$(curl -H "Content-Type: application/json" -X POST \
+ -H 'Authorization: Bearer '"$TOKEN" \
+ http://localhost:9966/management/instances \
+ -d '{"auth":{"method":"token","token":"third"},"id":"third","name":"third","address":{},"jurisdiction":{},"use_stefan":true,"default_wire_transfer_delay":{"d_us" : 3600000000},"default_pay_delay":{"d_us": 3600000000}}' \
-w "%{http_code}" -s -o /dev/null)
if [ "$STATUS" != "204" ]
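Review bot: The 'third' instance stanza is a line-for-line copy of the 'second' one (the same curl, the same status check, the same JSON with only the id/name/token substituted), and the hunk's context shows at least one more identical stanza following it, so each new instance adds another ~15 lines of duplicated test code. A small shell function taking the instance id would keep the request body and the 204 check in one place and make the later instance-specific tests easier to extend; note that the status message for 'second' prints `echo "OK"` while the other stanzas print `" OK"`, which a helper would also unify. The `if` at the end of the hunk continues outside it.
```shell
# create_instance ID: register a token-authenticated instance ID and fail unless the server answers 204
create_instance() {
    echo -n "Configuring '$1' instance ..." >&2
    STATUS=$(curl -H "Content-Type: application/json" -X POST \
        -H 'Authorization: Bearer '"$TOKEN" \
        http://localhost:9966/management/instances \
        -d '{"auth":{"method":"token","token":"'"$1"'"},"id":"'"$1"'","name":"'"$1"'","address":{},"jurisdiction":{},"use_stefan":true,"default_wire_transfer_delay":{"d_us" : 3600000000},"default_pay_delay":{"d_us": 3600000000}}' \
        -w "%{http_code}" -s -o /dev/null)
    if [ "$STATUS" != "204" ]
    then
        exit_fail "Expected 204, instance created. got: $STATUS"
    fi
    echo " OK" >&2
}

create_instance second
create_instance third
# … unchanged: remainder of the script …
```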
@@ -224,6 +239,24 @@ TOKEN=$(jq -e -r .token < "$LAST_RESPONSE")
echo " OK" >&2
+echo -n "Requesting login token... (write)" >&2
+
+STATUS=$(curl -H "Content-Type: application/json" -X POST \
+ -H 'Authorization: Basic '"$BASIC_AUTH2" \
+ http://localhost:9966/instances/second/private/token \
+ -d '{"scope":"write","refreshable":true}' \
+ -w "%{http_code}" -s -o "$LAST_RESPONSE")
+
+if [ "$STATUS" != "200" ]
+then
+ jq < "$LAST_RESPONSE" >&2
+ exit_fail "Expected 200, login token created. got: $STATUS"
+fi
+
+RWTOKEN=$(jq -e -r .token < "$LAST_RESPONSE")
+
+echo " OK" >&2
+
echo -n "Using login token..." >&2
STATUS=$(curl "http://localhost:9966/instances/second/private/orders" \
@@ -238,6 +271,36 @@ fi
echo " OK" >&2
+echo -n "Updating 'second' instance token using the 'second' auth token..." >&2
+
+STATUS=$(curl -H "Content-Type: application/json" -X POST \
+ -H 'Authorization: Bearer '"$RWTOKEN" \
+ http://localhost:9966/instances/second/private/auth \
+ -d '{"method":"token","token":"again"}' \
+ -w "%{http_code}" -s -o /dev/null)
+
+if [ "$STATUS" != "204" ]
+then
+ exit_fail "Expected 204, instance not authorized. got: $STATUS"
+fi
+
+echo " OK" >&2
+
+echo -n "Updating 'third' instance token using the 'second' auth token..." >&2
+
+STATUS=$(curl -H "Content-Type: application/json" -X POST \
+ -H 'Authorization: Bearer '"$RWTOKEN" \
+ http://localhost:9966/management/instances/third/auth \
+ -d '{"method":"token","token":"new_one"}' \
+ -w "%{http_code}" -s -o /dev/null)
+
+if [ "$STATUS" != "401" ]
+then
+ exit_fail "Expected 401, instance not authorized. got: $STATUS"
+fi
+
+echo " OK" >&2
+
echo -n "Refreshing login token..." >&2
STATUS=$(curl -H "Content-Type: application/json" -X POST \
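Review bot: The failure message in the first new stanza is wrong for the case it reports: a 204 is the expected success, yet the check prints `exit_fail "Expected 204, instance not authorized. got: $STATUS"`, which reads as if rejection were expected; it should say something like `exit_fail "Expected 204, instance auth updated. got: $STATUS"`. Separately, the positive and negative cases hit different routes: 'second' is updated through `/instances/second/private/auth`, while the cross-instance attempt for 'third' goes through `/management/instances/third/auth`, so the 401 only shows that the 'second' write token is not accepted as an admin token on the management route. If the instance-scoped route is also meant to reject a token issued for another instance, a second negative request against `/instances/third/private/auth` with `$RWTOKEN`, also expecting 401, would cover that; I cannot see from the hunk whether that route exists for non-admin instances, so confirm before adding it. The "Refreshing login token..." curl at the end of the hunk continues outside it.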