dashboard/app: introduce authorized public clients
Let's disable throttling for all authorized clients. The only difference between an authorized and a non-authorized public client is throttling.
1 parent
084d817
commit 0f1ec4d
Showing
6 changed files
with
150 additions
and
36 deletions.
@@ -14,6 +14,7 @@ import ( | |
|
||
"github.com/google/syzkaller/dashboard/dashapi" | ||
"github.com/stretchr/testify/assert" | ||
"google.golang.org/appengine/v2/aetest" | ||
"google.golang.org/appengine/v2/user" | ||
) | ||
|
||
|
@@ -429,3 +430,89 @@ func TestAccess(t *testing.T) { | |
} | ||
} | ||
} | ||
|
||
const ( | ||
BadAuthDomain = iota | ||
Regular | ||
Authenticated | ||
AuthorizedAccessPublic | ||
AuthorizedUser | ||
AuthorizedAdmin | ||
) | ||
|
||
func makeUser(t int) *user.User { | ||
u := &user.User{ | ||
AuthDomain: "gmail.com", | ||
Admin: false, | ||
FederatedIdentity: "", | ||
FederatedProvider: "", | ||
} | ||
switch t { | ||
case BadAuthDomain: | ||
u.Email = "[email protected]" | ||
u.AuthDomain = "public.com" | ||
case Regular: | ||
u = nil | ||
case Authenticated: | ||
u.Email = "[email protected]" | ||
case AuthorizedAccessPublic: | ||
u.Email = "[email protected]" | ||
case AuthorizedUser: | ||
u.Email = "[email protected]" | ||
case AuthorizedAdmin: | ||
u.Email ="[email protected]" | ||
u.Admin = true | ||
} | ||
return u | ||
} | ||
|
||
func TestAuthorization(t *testing.T) { | ||
c := NewCtx(t) | ||
defer c.Close() | ||
|
||
// BadAuthDomain gives no access. | ||
assert.False(t, isAuthorizedUserDomain(c.ctx, makeUser(BadAuthDomain))) | ||
assert.False(t, isAuthorizedPublicEmail(c.ctx, makeUser(BadAuthDomain))) | ||
|
||
// Authentication gives nothing too. | ||
assert.False(t, isAuthorizedPublicEmail(c.ctx, makeUser(Regular))) | ||
assert.False(t, isAuthorizedUserDomain(c.ctx, makeUser(Regular))) | ||
|
||
assert.False(t, isAuthorizedUserDomain(c.ctx, makeUser(Authenticated))) | ||
assert.False(t, isAuthorizedPublicEmail(c.ctx, makeUser(Authenticated))) | ||
|
||
// Authenticated + allowlisted users access w/o throttling. | ||
assert.False(t, isAuthorizedUserDomain(c.ctx, makeUser(AuthorizedAccessPublic))) | ||
assert.True(t, isAuthorizedPublicEmail(c.ctx, makeUser(AuthorizedAccessPublic))) | ||
assert.True(t, isAuthorized(c.ctx)) | ||
|
||
// AccessUser gives evetything except admin rights. | ||
assert.True(t, isAuthorizedUserDomain(c.ctx, makeUser(AuthorizedUser))) | ||
assert.True(t, isAuthorizedPublicEmail(c.ctx, makeUser(AuthorizedUser))) | ||
} | ||
|
||
func TestAccessLevel(t *testing.T) { | ||
c := NewCtx(t) | ||
defer c.Close() | ||
req, err := c.inst.NewRequest("GET", "", nil) | ||
assert.NoError(t, err) | ||
|
||
aetest.Login(makeUser(BadAuthDomain), req) | ||
assert.Equal(t, AccessPublic, accessLevel(c.ctx, req)) | ||
|
||
aetest.Login(makeUser(Regular), req) | ||
assert.Equal(t, AccessPublic, accessLevel(c.ctx, req)) | ||
|
||
aetest.Login(makeUser(Authenticated), req) | ||
assert.Equal(t, AccessPublic, accessLevel(c.ctx, req)) | ||
|
||
aetest.Login(makeUser(AuthorizedAccessPublic), req) | ||
assert.Equal(t, AccessPublic, accessLevel(c.ctx, req)) | ||
|
||
aetest.Login(makeUser(AuthorizedUser), req) | ||
assert.Equal(t, AccessUser, accessLevel(c.ctx, req)) | ||
|
||
aetest.Login(makeUser(AuthorizedAdmin), req) | ||
assert.Equal(t, AccessAdmin, accessLevel(c.ctx, req)) | ||
|
||
} | ||
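Review bot: The `assert.True(t, isAuthorized(c.ctx))` placed under the "Authenticated + allowlisted users" comment does not exercise the AuthorizedAccessPublic user built on the neighbouring lines — isAuthorized takes only the context and nothing in TestAuthorization logs a user into c.ctx, so the assertion can only reflect whatever identity the test context carries by default; either drop it or pair it with a request that was actually logged in as that user. `aetest.Login(makeUser(Regular), req)` in TestAccessLevel passes a nil *user.User; the `if user != nil` guard this same commit adds in httpRequest suggests Login dereferences its argument, so that step presumably needs `aetest.Logout(req)` instead — worth confirming before this lands. Style: the Email assignment on the AuthorizedAdmin case lacks a space after `=` and is not gofmt-clean, the comment on the AuthorizedUser block reads "evetything", and the exported constants `BadAuthDomain … AuthorizedAdmin` together with the parameter `t int` in makeUser (easily confused with `*testing.T`) would read better as an unexported `userKind` type with a `kind` parameter. The closing braces at the top of the hunk belong to TestAccess, whose body starts outside the hunk.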
@@ -33,7 +33,6 @@ import ( | |
db "google.golang.org/appengine/v2/datastore" | ||
"google.golang.org/appengine/v2/log" | ||
aemail "google.golang.org/appengine/v2/mail" | ||
"google.golang.org/appengine/v2/user" | ||
) | ||
|
||
type Ctx struct { | ||
|
@@ -341,14 +340,13 @@ func (c *Ctx) httpRequest(method, url, body, contentType string, | |
} | ||
r = registerRequest(r, c) | ||
r = r.WithContext(c.transformContext(r.Context())) | ||
if access == AccessAdmin || access == AccessUser { | ||
user := &user.User{ | ||
Email: "[email protected]", | ||
AuthDomain: "gmail.com", | ||
} | ||
if access == AccessAdmin { | ||
user.Admin = true | ||
} | ||
user := makeUser(Regular) | ||
if access == AccessAdmin { | ||
user = makeUser(AuthorizedAdmin) | ||
} else if access == AccessUser { | ||
user = makeUser(AuthorizedUser) | ||
} | ||
if user != nil { | ||
aetest.Login(user, r) | ||
} | ||
w := httptest.NewRecorder() | ||
|