From 76794baf1c0bcfb5aa8647b9d2c44d7c75320bfc Mon Sep 17 00:00:00 2001
From: Joe Heth
Date: Wed, 8 Apr 2020 17:53:50 -0400
Subject: [PATCH] test basic auth middleware
---
 pkg/config/env.go | 2 +-
 pkg/config/middleware_test.go | 76 ++++++++++++++++++++++++++++++++++-
 2 files changed, 75 insertions(+), 3 deletions(-)
diff --git a/pkg/config/env.go b/pkg/config/env.go
index 95eaabdb..d1fb13ab 100644
--- a/pkg/config/env.go
+++ b/pkg/config/env.go
@@ -193,7 +193,7 @@ var Config = struct {
 BasicAuthEnabled bool `env:"FLAGR_BASIC_AUTH_ENABLED" envDefault:"false"`
 BasicAuthUsername string `env:"FLAGR_BASIC_AUTH_USERNAME" envDefault:""`
 BasicAuthPassword string `env:"FLAGR_BASIC_AUTH_PASSWORD" envDefault:""`
- BasicAuthPrefixWhitelistPaths []string `env:"FLAGR_BASIC_AUTH_WHITELIST_PATHS" envDefault:"/api/v1/evaluation,/static" envSeparator:","`
+ BasicAuthPrefixWhitelistPaths []string `env:"FLAGR_BASIC_AUTH_WHITELIST_PATHS" envDefault:"/api/v1/flags,/api/v1/evaluation,/static" envSeparator:","`
 BasicAuthExactWhitelistPaths []string `env:"FLAGR_BASIC_AUTH_EXACT_WHITELIST_PATHS" envDefault:",/" envSeparator:","`
 // WebPrefix - base path for web and API
diff --git a/pkg/config/middleware_test.go b/pkg/config/middleware_test.go
index 0ed26953..a85bef76 100644
--- a/pkg/config/middleware_test.go
+++ b/pkg/config/middleware_test.go
@@ -58,7 +58,7 @@ func TestSetupGlobalMiddleware(t *testing.T) {
 Config.PProfEnabled = true
 }
-func TestAuthMiddleware(t *testing.T) {
+func TestJWTAuthMiddleware(t *testing.T) {
 h := &okHandler{}
 t.Run("it will redirect if jwt enabled but no cookie passed", func(t *testing.T) {
@@ -255,7 +255,7 @@ o2kQ+X5xK9cipRgEKwIDAQAB
 })
 }
-func TestAuthMiddlewareWithUnauthorized(t *testing.T) {
+func TestJWTAuthMiddlewareWithUnauthorized(t *testing.T) {
 h := &okHandler{}
 t.Run("it will return 401 if no cookie passed", func(t *testing.T) {
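Review bot: Adding `/api/v1/flags` to the `envDefault` of `BasicAuthPrefixWhitelistPaths` in pkg/config/env.go widens a production default: judging by the field name, every path under that prefix is then exempt from basic auth wherever `FLAGR_BASIC_AUTH_WHITELIST_PATHS` is not overridden. If this prefix serves flag management, as the path suggests, enabling basic auth would no longer protect it, and nothing in a commit titled as a test change signals that. I would keep `envDefault:"/api/v1/evaluation,/static"` and let the new test either set `Config.BasicAuthPrefixWhitelistPaths` itself or authenticate with `req.SetBasicAuth("admin", "password")`. The struct literal continues outside the hunk.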
@@ -315,3 +315,75 @@ func TestAuthMiddlewareWithUnauthorized(t *testing.T) {
 }
 })
 }
+
+func TestBasicAuthMiddleware(t *testing.T) {
+ h := &okHandler{}
+
+ t.Run("it does not require basic auth on v1 endpoints", func(t *testing.T) {
+ hh := SetupGlobalMiddleware(h)
+ res := httptest.NewRecorder()
+ res.Body = new(bytes.Buffer)
+ req, _ := http.NewRequest("GET", "http://localhost:18000/api/v1/flags", nil)
+ hh.ServeHTTP(res, req)
+ assert.Equal(t, http.StatusOK, res.Code)
+ })
+
+ t.Run("it will return 200 if basic auth is enabled", func(t *testing.T) {
+ Config.BasicAuthEnabled = true
+ Config.BasicAuthUsername = "admin"
+ Config.BasicAuthPassword = "password"
+ defer func() {
+ Config.BasicAuthEnabled = false
+ Config.BasicAuthUsername = ""
+ Config.BasicAuthPassword = ""
+ }()
+
+ hh := SetupGlobalMiddleware(h)
+ res := httptest.NewRecorder()
+ res.Body = new(bytes.Buffer)
+ req, _ := http.NewRequest("GET", "http://localhost:18000/api/v1/flags", nil)
+ hh.ServeHTTP(res, req)
+ assert.Equal(t, http.StatusOK, res.Code)
+ })
+
+ t.Run("it will return 200 for some paths when disabled", func(t *testing.T) {
+ Config.BasicAuthEnabled = false
+ Config.BasicAuthUsername = ""
+ Config.BasicAuthPassword = ""
+
+ testPaths := []string{"/", "", "/#", "/#/", "/static", "/static/"}
+ for _, path := range testPaths {
+ t.Run(fmt.Sprintf("path: %s", path), func(t *testing.T) {
+ hh := SetupGlobalMiddleware(h)
+ res := httptest.NewRecorder()
+ res.Body = new(bytes.Buffer)
+ req, _ := http.NewRequest("GET", fmt.Sprintf("http://localhost:18000%s", path), nil)
+ hh.ServeHTTP(res, req)
+ assert.Equal(t, http.StatusOK, res.Code)
+ })
+ }
+ })
+
+ t.Run("it will return 401 for some paths when enabled", func(t *testing.T) {
+ Config.BasicAuthEnabled = true
+ Config.BasicAuthUsername = "admin"
+ Config.BasicAuthPassword = "password"
+ defer func() {
+ Config.BasicAuthEnabled = false
+ Config.BasicAuthUsername = ""
+ Config.BasicAuthPassword = ""
+ }()
+
+ testPaths := []string{"/", "",
"/#", "/#/", "/static", "/static/"}
+ for _, path := range testPaths {
+ t.Run(fmt.Sprintf("path: %s", path), func(t *testing.T) {
+ hh := SetupGlobalMiddleware(h)
+ res := httptest.NewRecorder()
+ res.Body = new(bytes.Buffer)
+ req, _ := http.NewRequest("GET", fmt.Sprintf("http://localhost:18000%s", path), nil)
+ hh.ServeHTTP(res, req)
+ assert.Equal(t, http.StatusOK, res.Code)
+ })
+ }
+ })
+}
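Review bot: No subtest in `TestBasicAuthMiddleware` sends credentials or expects a rejection, so the deny path of basic auth is never exercised; the subtest named "it will return 401 for some paths when enabled" asserts `http.StatusOK` over paths that the default whitelists appear to exempt. The subtest "it will return 200 if basic auth is enabled" also requests `/api/v1/flags` without credentials, so it passes only through the whitelist and not through authentication. I would rename the last subtest to say it checks whitelisted paths and add a subtest that narrows `Config.BasicAuthPrefixWhitelistPaths`, expects a rejection without credentials, and expects 200 after `req.SetBasicAuth("admin", "password")`. The 401 below is taken from the existing subtest name, since the middleware itself is not visible in this patch. The errors discarded from `http.NewRequest` should be checked too.

```go
	t.Run("it will return 401 for a protected path without credentials", func(t *testing.T) {
		// … unchanged: enable basic auth and restore it in defer, as in the subtests above …
		prev := Config.BasicAuthPrefixWhitelistPaths
		Config.BasicAuthPrefixWhitelistPaths = []string{"/static"} // constructed value: leaves /api/v1/flags protected
		defer func() { Config.BasicAuthPrefixWhitelistPaths = prev }()

		hh := SetupGlobalMiddleware(h)
		res := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "http://localhost:18000/api/v1/flags", nil)
		assert.NoError(t, err)
		hh.ServeHTTP(res, req)
		assert.Equal(t, http.StatusUnauthorized, res.Code)

		// Same request with the configured credentials must be let through.
		res = httptest.NewRecorder()
		req.SetBasicAuth("admin", "password")
		hh.ServeHTTP(res, req)
		assert.Equal(t, http.StatusOK, res.Code)
	})
```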