test: bearer-token flow (engine) + docker/head/virtual/probe/events (server)
@@ -92,6 +92,15 @@ func mockUpstream(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
w.Header().Set("ETag", `"v1"`)
|
||||
w.Write([]byte(`{"name":"pkg"}`))
|
||||
case "/protected.bin": // requires a bearer token obtained from /token
|
||||
if r.Header.Get("Authorization") != "Bearer minted-token" {
|
||||
w.Header().Set("Www-Authenticate", `Bearer realm="`+upstream.URL+`/token",service="reg",scope="repo:pull"`)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
w.Write([]byte("protected payload"))
|
||||
case "/token":
|
||||
w.Write([]byte(`{"token":"minted-token","expires_in":300}`))
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
}
|
||||
@@ -261,6 +270,39 @@ func TestMutableRevalidation(t *testing.T) {
|
||||
res.Reader.Close()
|
||||
}
|
||||
|
||||
func TestBearerTokenFlow(t *testing.T) {
|
||||
requireStack(t)
|
||||
ctx := context.Background()
|
||||
r := seed(t, genericRemote("eng-bearer"))
|
||||
p := prov(t, models.PackageGeneric)
|
||||
|
||||
// GET: 401 challenge -> token endpoint -> retry with bearer -> 200.
|
||||
res, err := testEngine.Fetch(ctx, r, "protected.bin", p)
|
||||
if err != nil {
|
||||
t.Fatalf("bearer fetch: %v", err)
|
||||
}
|
||||
if readAll(t, res) != "protected payload" {
|
||||
t.Error("bearer-protected content mismatch")
|
||||
}
|
||||
|
||||
// HEAD path also negotiates a bearer token (uncached).
|
||||
testCache.FlushRemote(ctx, "eng-bearer")
|
||||
testDB.DeleteArtifact(ctx, "eng-bearer", "protected.bin")
|
||||
if h, err := testEngine.Head(ctx, r, "protected.bin", p); err != nil || h.Source != "cache" && h.Source != "remote" {
|
||||
t.Fatalf("bearer head: %+v %v", h, err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestBearerTokenParsing(t *testing.T) {
|
||||
// Non-Bearer challenges and missing realms are rejected.
|
||||
if _, _, err := fetchBearerToken(context.Background(), "Basic realm=x", models.Remote{}); err == nil {
|
||||
t.Error("expected error for non-Bearer challenge")
|
||||
}
|
||||
if _, _, err := fetchBearerToken(context.Background(), `Bearer service="reg"`, models.Remote{}); err == nil {
|
||||
t.Error("expected error for missing realm")
|
||||
}
|
||||
}
|
||||
|
||||
func asProxyError(err error, target **ProxyError) bool {
|
||||
pe, ok := err.(*ProxyError)
|
||||
if ok {
|
||||
|
||||
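Review bot: TestBearerTokenParsing only covers a non-Bearer challenge and a missing realm, so nothing pins what fetchBearerToken does with a realm that is present but should not be followed. The realm is taken from the upstream's 401 response and then requested server-side, so a malformed URL or a non-HTTP scheme deserves its own case, for example a constructed challenge such as `Bearer realm="ftp://example.invalid/token",service="reg"` with `err == nil` reported as a failure if rejection is the intended behaviour. If fetchBearerToken attaches anything from its models.Remote argument to the token request (its body is not on this page), a case with the realm on a different host than the remote would also record whether those credentials may leave the upstream's origin. Separately, the mock's `/token` case in the first hunk mints the token without looking at `service` or `scope`, so TestBearerTokenFlow would still pass if the engine dropped them.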