hosted system tests (red)

mlibrary · Jan 10, 2024 · 86c0ef8 · 86c0ef8
1 parent b3dec48
commit 86c0ef8
Show file tree

Hide file tree

Showing 5 changed files with 202 additions and 0 deletions.
diff --git a/apache/conf/test-site.conf b/apache/conf/test-site.conf
@@ -3,9 +3,16 @@
 
   DocumentRoot /lauth/test-site/web
   ScriptAlias /debug /lauth/test-site/cgi/printenv
+  ScriptAlias /cgi/private-cats.pl /lauth/test-site/cgi/private-cats.pl
 
   # LogLevel debug
 
+  <Location /cgi>
+    AuthType RemoteUser
+    AuthzSendForbiddenOnFailure On
+    Require valid-user
+  </Location>
+
   <Location /debug>
     AuthType RemoteUser
     AuthzSendForbiddenOnFailure On

diff --git a/db/delegation.sql b/db/delegation.sql
@@ -0,0 +1,120 @@
+-- private-cats is the collection that the user will request
+-- the user is authorized for this collection
+INSERT INTO aa_coll VALUES(
+  'private-cats', -- uniqueIdentifier
+  'private-cats', -- commonName
+  'auth system testing: delegation',
+  'catpics', -- dlpsClass
+  'none', -- dlpsSource (unused)
+  'pw', -- dlpsAuthenMethod
+  'd', -- dlpsAuthzType
+  'f', -- dlpsPartlyPublic
+  0, -- manager
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+-- extra-cats is a private collection the user is authorized for
+INSERT INTO aa_coll VALUES(
+  'extra-cats', -- uniqueIdentifier
+  'extra-cats', -- commonName
+  'auth system testing: delegation',
+  'catpics', -- dlpsClass
+  'none', -- dlpsSource (unused)
+  'pw', -- dlpsAuthenMethod
+  'd', -- dlpsAuthzType
+  'f', -- dlpsPartlyPublic
+  0, -- manager
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+-- secret-cats is a private collection the user is not authorized for
+INSERT INTO aa_coll VALUES(
+  'secret-cats', -- uniqueIdentifier
+  'secret-cats', -- commonName
+  'auth system testing: delegation',
+  'catpics', -- dlpsClass
+  'none', -- dlpsSource (unused)
+  'pw', -- dlpsAuthenMethod
+  'd', -- dlpsAuthzType
+  'f', -- dlpsPartlyPublic
+  0, -- manager
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+-- public-cats is a public collection the user is not explicitly authorized for
+INSERT INTO aa_coll VALUES(
+  'public-cats', -- uniqueIdentifier
+  'public-cats', -- commonName
+  'auth system testing: delegation',
+  'catpics', -- dlpsClass
+  'none', -- dlpsSource (unused)
+  'pw', -- dlpsAuthenMethod
+  'd', -- dlpsAuthzType
+  't', -- dlpsPartlyPublic
+  0, -- manager
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+-- foia-cats is a public collection the user is explicitly authorized for
+INSERT INTO aa_coll VALUES(
+  'foia-cats', -- uniqueIdentifier
+  'foia-cats', -- commonName
+  'auth system testing: delegation',
+  'catpics', -- dlpsClass
+  'none', -- dlpsSource (unused)
+  'pw', -- dlpsAuthenMethod
+  'd', -- dlpsAuthzType
+  't', -- dlpsPartlyPublic
+  0, -- manager
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+-- we only need one location for these tests
+INSERT INTO aa_coll_obj VALUES(
+  'www.lauth.local', -- server hostname, not vhost
+  '/lauth/test-site/cgi/private-cats.pl', -- dlpsPath
+  'private-cats', -- coll.uniqueIdentifier
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
+INSERT INTO aa_may_access VALUES(
+  NULL, -- uniqueIdentifier
+  'lauth-allowed', -- userid
+  NULL, -- user_grp
+  NULL, -- inst
+  'private-cats', -- coll
+  CURRENT_TIMESTAMP,
+  'root',
+  NULL,
+  'f'
+);
+
+INSERT INTO aa_may_access VALUES(
+  NULL, -- uniqueIdentifier
+  'lauth-allowed', -- userid
+  NULL, -- user_grp
+  NULL, -- inst
+  'extra-cats', -- coll
+  CURRENT_TIMESTAMP,
+  'root',
+  NULL,
+  'f'
+);
+
+INSERT INTO aa_may_access VALUES(
+  NULL, -- uniqueIdentifier
+  'lauth-allowed', -- userid
+  NULL, -- user_grp
+  NULL, -- inst
+  'foia-cats', -- coll
+  CURRENT_TIMESTAMP,
+  'root',
+  NULL,
+  'f'
+);
diff --git a/db/setup.sh b/db/setup.sh
@@ -43,4 +43,5 @@ if [[ $all == "true" ]]; then
   mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/keys.sql"
   mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/test-fixture.sql"
   mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/network.sql"
+  mariadb --user=$user --host=$host --port=$port --password=$password $database < "$directory/delegation.sql"
 fi
diff --git a/test-site/cgi/private-cats.pl b/test-site/cgi/private-cats.pl
@@ -0,0 +1,21 @@
+#!/usr/bin/perl
+
+# This file comes from the httpd:2.4 image. It is inlined here without
+# modifications other than removing the warning comments and adding the
+# shebang, so it can be used with the built image or standalone server.
+
+# It is reproduced under license: https://www.apache.org/licenses/LICENSE-2.0
+
+##
+##  printenv -- demo CGI program which just prints its environment
+##
+use strict;
+use warnings;
+
+print "Content-type: text/plain; charset=iso-8859-1\n\n";
+foreach my $var (sort(keys(%ENV))) {
+    my $val = $ENV{$var};
+    $val =~ s|\n|\\n|g;
+    $val =~ s|"|\\"|g;
+    print "${var}=\"${val}\"\n";
+}
diff --git a/test/delegation/hosted_spec.rb b/test/delegation/hosted_spec.rb
@@ -1,4 +1,57 @@
 RSpec.describe "A web server-hosted application in delegated mode" do
   # These are apps like CGI and mod_php. They should receive identity and the
   # authorized collections in the server environment.
+  # These collections and grants are defined in delegation.sql
+  include AuthUsers
+  context "when logged in as an authorized user" do
+    subject(:response) do
+      website.get("/cgi/private-cats.pl") do |req|
+        req.headers["X-Forwarded-User"] = good_user
+      end
+    end
+    it "is OK" do
+      expect(response.status).to eq HttpCodes::OK
+    end
+
+    it "lists the matching public collections" do
+      expect(parse_env(response.body)["PUBLIC_COLL"]&.split(":"))
+        .to contain_exactly 'public-cats'
+    end
+
+    it "lists the matching authorized collections" do
+      expect(parse_env(response.body)["AUTHZD_COLL"]&.split(":"))
+        .to contain_exactly 'extra-cats', 'foia-cats'
+    end
+  end
+
+  context "when not logged in" do
+    subject(:response) { website.get("/cgi/private-cats.pl") }
+    it "is OK" do
+      expect(response.status).to eq HttpCodes::OK
+    end
+
+    it "lists the matching public collections" do
+      expect(parse_env(response.body)["PUBLIC_COLL"]&.split(":"))
+        .to contain_exactly 'domestic-cats', 'foia-cats'
+    end
+
+    it "lists the matching authorized collections" do
+      expect(parse_env(response.body)["AUTHZD_COLL"]&.split(":"))
+        .to be_empty
+    end
+  end
+
+  private
+
+  def parse_env(response_body)
+    response_body
+      .split("\n")
+      .map{|s| s.split("=", 2)}
+      .to_h
+  end
+
+  def website
+    @website ||= Faraday.new(TestSite::URL)
+  end
+
 end