authortjpcc <tjp@ctrl-c.club>2023-01-20 10:58:35 -0700
committertjpcc <tjp@ctrl-c.club>2023-01-20 10:58:35 -0700
commit8229f31f70ecdbe03d03c96cba17d6ee85397bca (patch)
tree5c51a1bdd9366a69fd1cf03dcdd1c41e49bcb6e2 /contrib/tlsauth/gemini_test.go
parenta1c186878d228bada894a6fd580bfc4eb9da2ffa (diff)
"tlsauth" contrib package
This package adds authentication middlewares via TLS client certificates.
Diffstat (limited to 'contrib/tlsauth/gemini_test.go')
-rw-r--r--contrib/tlsauth/gemini_test.go111
1 files changed, 111 insertions, 0 deletions
diff --git a/contrib/tlsauth/gemini_test.go b/contrib/tlsauth/gemini_test.go
new file mode 100644
index 0000000..bc87958
--- /dev/null
+++ b/contrib/tlsauth/gemini_test.go
@@ -0,0 +1,111 @@
+package tlsauth_test
+
+import (
+ "bytes"
+ "context"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "tildegit.org/tjp/gus"
+ "tildegit.org/tjp/gus/contrib/tlsauth"
+ "tildegit.org/tjp/gus/gemini"
+)
+
+func TestGeminiAuth(t *testing.T) {
+ handler1 := func(_ context.Context, request *gus.Request) *gus.Response {
+ if !strings.HasPrefix(request.Path, "/one") {
+ return nil
+ }
+
+ return gemini.Success("", &bytes.Buffer{})
+ }
+ handler2 := func(_ context.Context, request *gus.Request) *gus.Response {
+ if !strings.HasPrefix(request.Path, "/two") {
+ return nil
+ }
+
+ return gemini.Success("", &bytes.Buffer{})
+ }
+ handler3 := func(_ context.Context, request *gus.Request) *gus.Response {
+ if !strings.HasPrefix(request.Path, "/three") {
+ return nil
+ }
+
+ return gemini.Success("", &bytes.Buffer{})
+ }
+ handler4 := func(_ context.Context, request *gus.Request) *gus.Response {
+ return gemini.Success("", &bytes.Buffer{})
+ }
+
+ handler := gus.FallthroughHandler(
+ tlsauth.GeminiAuth(tlsauth.Allow)(handler1),
+ tlsauth.GeminiAuth(tlsauth.Allow)(handler2),
+ tlsauth.GeminiAuth(tlsauth.Reject)(handler3),
+ tlsauth.GeminiAuth(tlsauth.Reject)(handler4),
+ )
+
+ server, authClient, _ := setup(t,
+ "testdata/server.crt", "testdata/server.key",
+ "testdata/client1.crt", "testdata/client1.key",
+ handler,
+ )
+
+ authlessClient, _ := clientFor(t, server, "", "")
+
+ go server.Serve()
+ defer server.Close()
+
+ resp := requestPath(t, authClient, server, "/one")
+ assert.Equal(t, gemini.StatusSuccess, resp.Status)
+
+ resp = requestPath(t, authlessClient, server, "/two")
+ assert.Equal(t, gemini.StatusClientCertificateRequired, resp.Status)
+
+ resp = requestPath(t, authClient, server, "/three")
+ assert.Equal(t, gemini.StatusCertificateNotAuthorized, resp.Status)
+
+ resp = requestPath(t, authlessClient, server, "/four")
+ assert.Equal(t, gemini.StatusClientCertificateRequired, resp.Status)
+}
+
+func TestGeminiOptionalAuth(t *testing.T) {
+ pathHandler := func(path string) gus.Handler {
+ return func(_ context.Context, request *gus.Request) *gus.Response {
+ if !strings.HasPrefix(request.Path, path) {
+ return nil
+ }
+ return gemini.Success("", &bytes.Buffer{})
+ }
+ }
+
+ handler := gus.FallthroughHandler(
+ tlsauth.GeminiOptionalAuth(tlsauth.Allow)(pathHandler("/one")),
+ tlsauth.GeminiOptionalAuth(tlsauth.Allow)(pathHandler("/two")),
+ tlsauth.GeminiOptionalAuth(tlsauth.Reject)(pathHandler("/three")),
+ tlsauth.GeminiOptionalAuth(tlsauth.Reject)(pathHandler("/four")),
+ )
+
+ server, authClient, _ := setup(t,
+ "testdata/server.crt", "testdata/server.key",
+ "testdata/client1.crt", "testdata/client1.key",
+ handler,
+ )
+ authlessClient, _ := clientFor(t, server, "", "")
+
+ go server.Serve()
+ defer server.Close()
+
+ resp := requestPath(t, authClient, server, "/one")
+ assert.Equal(t, gemini.StatusSuccess, resp.Status)
+
+ resp = requestPath(t, authlessClient, server, "/two")
+ assert.Equal(t, gemini.StatusSuccess, resp.Status)
+
+ resp = requestPath(t, authClient, server, "/three")
+ assert.Equal(t, gemini.StatusCertificateNotAuthorized, resp.Status)
+
+ resp = requestPath(t, authlessClient, server, "/four")
+ assert.Equal(t, gemini.StatusSuccess, resp.Status)
+}
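Review bot: The two authlessClient assertions in TestGeminiAuth ("/two" and "/four") cannot show which wrapper in the FallthroughHandler chain produced StatusClientCertificateRequired: if GeminiAuth refuses certificate-less requests before calling the wrapped handler (its body is not in this hunk), the first tlsauth.Allow wrapper answers both and the Reject wrapper around handler4 is never exercised. An authenticated request for each remaining route would pin the per-route decision, e.g. `resp = requestPath(t, authClient, server, "/four")` followed by `assert.Equal(t, gemini.StatusCertificateNotAuthorized, resp.Status)`, and the same for "/two" expecting gemini.StatusSuccess. Both tests also use only the constant Allow/Reject approvers with a single client certificate, so nothing here checks that an approver is actually given the presented certificate; a second test certificate and an approver that accepts only one of the two would cover that. As a style point, handler1 to handler3 repeat the pathHandler helper that TestGeminiOptionalAuth defines and could share it.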