package shared import ( "net/http" "net/http/httptest" "testing" "github.com/go-chi/chi/v5" ) // Closes the audit's R-001 + R-007 mechanically once auth is wired // per ADR-003. Tests cover: pass-through on empty config, token // gate (401 on missing/wrong, 200 on correct), IP gate (403 on // disallowed, 200 on allowed), /health bypass, both-layers when // both configured, and constant-time comparison usage. func mountWithAuth(cfg AuthConfig) http.Handler { r := chi.NewRouter() r.Get("/health", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) _, _ = w.Write([]byte("ok")) }) r.Group(func(authed chi.Router) { authed.Use(RequireAuth(cfg)) authed.Get("/data", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) _, _ = w.Write([]byte("private")) }) }) return r } func get(t *testing.T, srv *httptest.Server, path string, header string) (int, string) { t.Helper() req, err := http.NewRequest(http.MethodGet, srv.URL+path, nil) if err != nil { t.Fatalf("NewRequest: %v", err) } if header != "" { req.Header.Set("Authorization", header) } resp, err := http.DefaultClient.Do(req) if err != nil { t.Fatalf("Do: %v", err) } defer resp.Body.Close() buf := make([]byte, 1024) n, _ := resp.Body.Read(buf) return resp.StatusCode, string(buf[:n]) } func TestRequireAuth_EmptyConfig_PassesThrough(t *testing.T) { srv := httptest.NewServer(mountWithAuth(AuthConfig{})) defer srv.Close() if status, _ := get(t, srv, "/data", ""); status != http.StatusOK { t.Errorf("empty config should pass through, got status %d", status) } if status, _ := get(t, srv, "/health", ""); status != http.StatusOK { t.Errorf("/health on empty config should pass, got %d", status) } } func TestRequireAuth_TokenSet_RejectsMissing(t *testing.T) { srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"})) defer srv.Close() if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized { t.Errorf("missing Authorization should return 401, got %d", status) } } func TestRequireAuth_TokenSet_RejectsWrong(t *testing.T) { srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"})) defer srv.Close() if status, _ := get(t, srv, "/data", "Bearer wrong-token"); status != http.StatusUnauthorized { t.Errorf("wrong token should return 401, got %d", status) } } func TestRequireAuth_TokenSet_AcceptsCorrect(t *testing.T) { srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"})) defer srv.Close() status, body := get(t, srv, "/data", "Bearer secret123") if status != http.StatusOK { t.Errorf("correct Bearer should return 200, got %d", status) } if body != "private" { t.Errorf("expected 'private' body, got %q", body) } } func TestRequireAuth_TokenSet_HealthRemainsPublic(t *testing.T) { srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"})) defer srv.Close() if status, _ := get(t, srv, "/health", ""); status != http.StatusOK { t.Errorf("/health must stay public when token is set, got %d", status) } } func TestRequireAuth_RejectsTokenAsRawNotBearer(t *testing.T) { srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"})) defer srv.Close() // "secret123" alone (without "Bearer " prefix) should NOT pass. if status, _ := get(t, srv, "/data", "secret123"); status != http.StatusUnauthorized { t.Errorf("raw-token without 'Bearer ' prefix must reject, got %d", status) } } func TestRequireAuth_IPAllowlist_AllowsLoopback(t *testing.T) { cfg := AuthConfig{AllowedIPs: []string{"127.0.0.0/8"}} srv := httptest.NewServer(mountWithAuth(cfg)) defer srv.Close() // httptest.Server binds 127.0.0.1, so the test client always // connects from 127.0.0.1 → allowed. if status, _ := get(t, srv, "/data", ""); status != http.StatusOK { t.Errorf("loopback in allowed CIDR should pass, got %d", status) } } func TestRequireAuth_IPAllowlist_RejectsNonAllowed(t *testing.T) { // Allowlist excludes loopback — every test request from 127.x.x.x // gets rejected. cfg := AuthConfig{AllowedIPs: []string{"10.0.0.0/8"}} srv := httptest.NewServer(mountWithAuth(cfg)) defer srv.Close() if status, _ := get(t, srv, "/data", ""); status != http.StatusForbidden { t.Errorf("non-allowed IP should return 403, got %d", status) } } func TestRequireAuth_BareIPInAllowlist(t *testing.T) { // Bare IP without /N suffix should be treated as /32. cfg := AuthConfig{AllowedIPs: []string{"127.0.0.1"}} srv := httptest.NewServer(mountWithAuth(cfg)) defer srv.Close() if status, _ := get(t, srv, "/data", ""); status != http.StatusOK { t.Errorf("bare IP /32 should pass, got %d", status) } } func TestRequireAuth_BothLayers_RequiresBoth(t *testing.T) { cfg := AuthConfig{ Token: "secret123", AllowedIPs: []string{"127.0.0.0/8"}, } srv := httptest.NewServer(mountWithAuth(cfg)) defer srv.Close() // Missing token: 401 even from allowed IP. if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized { t.Errorf("allowed IP without token should still 401, got %d", status) } // Wrong token: 401. if status, _ := get(t, srv, "/data", "Bearer wrong"); status != http.StatusUnauthorized { t.Errorf("allowed IP + wrong token should 401, got %d", status) } // Right token: 200 (we're on loopback, IP allowed). if status, _ := get(t, srv, "/data", "Bearer secret123"); status != http.StatusOK { t.Errorf("allowed IP + correct token should 200, got %d", status) } // /health: 200 always. if status, _ := get(t, srv, "/health", ""); status != http.StatusOK { t.Errorf("/health bypass on both-layers cfg, got %d", status) } } func TestRequireAuth_InvalidCIDR_LoggedAndDropped(t *testing.T) { // Mix of valid and invalid CIDRs: invalid should be skipped // (warning logged) and the valid one should still gate. cfg := AuthConfig{AllowedIPs: []string{ "not-a-cidr", "10.0.0.0/8", }} srv := httptest.NewServer(mountWithAuth(cfg)) defer srv.Close() // Loopback test client → still rejected because the only valid // rule is 10.0.0.0/8. if status, _ := get(t, srv, "/data", ""); status != http.StatusForbidden { t.Errorf("loopback should reject when allowlist excludes it, got %d", status) } } // TestRequireAuth_SecondaryTokenAccepted locks ADR-006 Decision 6.5: // during a token rotation, both primary and secondary token strings // pass auth. After every caller updates, operators promote secondary // → primary and clear secondary, completing the rotation. func TestRequireAuth_SecondaryTokenAccepted(t *testing.T) { cfg := AuthConfig{ Token: "primary-tok", SecondaryTokens: []string{"secondary-tok"}, } srv := httptest.NewServer(mountWithAuth(cfg)) defer srv.Close() if status, _ := get(t, srv, "/data", "Bearer primary-tok"); status != http.StatusOK { t.Errorf("primary token should pass, got %d", status) } if status, _ := get(t, srv, "/data", "Bearer secondary-tok"); status != http.StatusOK { t.Errorf("secondary token should pass during rotation, got %d", status) } if status, _ := get(t, srv, "/data", "Bearer wrong-tok"); status != http.StatusUnauthorized { t.Errorf("invalid token should still 401, got %d", status) } } // TestRequireAuth_SecondaryTokensOnly locks the case where primary // is empty but secondaries are set — useful mid-rotation when the // previous primary was just promoted to nothing and the new primary // hasn't been written yet. As long as ANY token is configured, auth // is enforced. func TestRequireAuth_SecondaryTokensOnly(t *testing.T) { cfg := AuthConfig{ SecondaryTokens: []string{"only-tok"}, } srv := httptest.NewServer(mountWithAuth(cfg)) defer srv.Close() if status, _ := get(t, srv, "/data", "Bearer only-tok"); status != http.StatusOK { t.Errorf("only-secondary should pass, got %d", status) } if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized { t.Errorf("missing token should 401, got %d", status) } } func TestRemoteIP_SplitHostPortShape(t *testing.T) { // Sanity: real httptest requests come through with "ip:port" // shape; ensure remoteIP returns the IP portion. r, _ := http.NewRequest(http.MethodGet, "/", nil) r.RemoteAddr = "10.1.2.3:54321" ip := remoteIP(r) if ip == nil { t.Fatal("remoteIP returned nil for valid 'ip:port' addr") } if ip.String() != "10.1.2.3" { t.Errorf("remoteIP = %q, want 10.1.2.3", ip.String()) } }