fix: login (#2019)

Signed-off-by: Peter Matseykanets <peter.matseykanets@suse.com>
Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>

Author: github-actions[bot]

rancher2/util.go

@@ -15,6 +15,7 @@ import (
 	"net/url"
 	"reflect"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
 
@@ -139,58 +140,63 @@ func NewListOpts(filters map[string]interface{}) *types.ListOpts {
 }
 
 func DoUserLogin(url, user, pass, ttl, desc, cacert string, insecure bool) (string, string, error) {
-	loginURL := url + "/v1-public/login"
-	v3loginURL := url + "/v3-public/localProviders/local?action=login"
+	TTL, err := strconv.ParseInt(ttl, 10, 64)
+	if err != nil || TTL < 0 {
+		return "", "", fmt.Errorf("Invalid ttl value: %s", ttl)
+	}
 
-	loginData, err := json.Marshal(map[string]string{
+	payload, err := json.Marshal(map[string]any{
 		"type":        "localProvider",
 		"username":    user,
 		"password":    pass,
-		"ttl":         ttl,
+		"ttl":         TTL,
 		"description": desc,
 	})
 	if err != nil {
-		return "", "", err
+		return "", "", fmt.Errorf("Marshalling login data: %v", err)
 	}
 
+	loginURL := url + "/v1-public/login"
+	v3loginURL := url + "/v3-public/localProviders/local?action=login"
+
 	loginHead := map[string]string{
 		"Accept":       "application/json",
 		"Content-Type": "application/json",
 	}
 
+	errPrefix := "Doing user login"
+
 	// Login with user and pass
-	respBody, resp, err := DoPost(loginURL, string(loginData), cacert, insecure, loginHead)
+	respBody, resp, err := DoPost(loginURL, string(payload), cacert, insecure, loginHead)
 	if err != nil {
-		return "", "", err
+		return "", "", fmt.Errorf("%s: %v", errPrefix, err)
 	}
 
 	if resp.StatusCode == http.StatusNotFound {
 		// /v1-public/login endpoint is not available
 		// try to fall back to /v3-public endpoint.
-		respBody, _, err = DoPost(v3loginURL, string(loginData), cacert, insecure, loginHead)
+		respBody, _, err = DoPost(v3loginURL, string(payload), cacert, insecure, loginHead)
 		if err != nil {
-			return "", "", err
+			return "", "", fmt.Errorf("%s: %v", errPrefix, err)
 		}
 	}
 
-	token := ""
-	errMsg := "Doing user login"
-
+	var token string
 	if respBody["token"] != nil {
 		token, _ = respBody["token"].(string)
 	}
 
 	if token == "" {
 		if respBody["code"] != nil {
 			code, _ := respBody["code"].(string)
-			errMsg += ": " + code
+			errPrefix += ": " + code
 		}
-		return "", "", errors.New(errMsg)
+		return "", "", errors.New(errPrefix)
 	}
 
 	id, _, ok := strings.Cut(token, ":")
 	if !ok {
-		return "", "", errors.New(errMsg + ": invalid token format")
+		return "", "", errors.New(errPrefix + ": invalid token format")
 	}
 	id = strings.TrimPrefix(id, "ext/")
 

rancher2/util_test.go

@@ -10,6 +10,14 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+type loginInput struct {
+	Type        string `json:"type"`
+	Username    string `json:"username"`
+	Password    string `json:"password"`
+	TTL         int64  `json:"ttl"`
+	Description string `json:"description"`
+}
+
 func TestDoUserLogin(t *testing.T) {
 	t.Run("success", func(t *testing.T) {
 		tokenID := "token-xqmfl"
@@ -20,12 +28,14 @@ func TestDoUserLogin(t *testing.T) {
 			assert.Equal(t, "/v1-public/login", r.URL.Path)
 			assert.Equal(t, "application/json", r.Header.Get("Content-Type"))
 
-			var reqBody map[string]string
+			var reqBody loginInput
 			err := json.NewDecoder(r.Body).Decode(&reqBody)
 			require.NoError(t, err)
-			assert.Equal(t, "localProvider", reqBody["type"])
-			assert.Equal(t, "admin", reqBody["username"])
-			assert.Equal(t, "secret", reqBody["password"])
+			assert.Equal(t, "localProvider", reqBody.Type)
+			assert.Equal(t, bootstrapDefaultUser, reqBody.Username)
+			assert.Equal(t, bootstrapDefaultPassword, reqBody.Password)
+			assert.Equal(t, int64(60000), reqBody.TTL)
+			assert.Equal(t, bootstrapDefaultSessionDesc, reqBody.Description)
 
 			w.Header().Set("Content-Type", "application/json")
 			_ = json.NewEncoder(w).Encode(map[string]any{
@@ -34,7 +44,7 @@ func TestDoUserLogin(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		id, token, err := DoUserLogin(srv.URL, "admin", "secret", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
+		id, token, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
 		require.NoError(t, err)
 		assert.Equal(t, tokenID, id)
 		assert.Equal(t, tokenValue, token)
@@ -52,7 +62,7 @@ func TestDoUserLogin(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		id, token, err := DoUserLogin(srv.URL, "admin", "secret", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
+		id, token, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
 		require.NoError(t, err)
 		assert.Equal(t, "saml-user-abc123", id, "ext/ prefix should be stripped from ID")
 		assert.Equal(t, tokenValue, token)
@@ -68,7 +78,7 @@ func TestDoUserLogin(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		_, _, err := DoUserLogin(srv.URL, "admin", "wrongpass", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
+		_, _, err := DoUserLogin(srv.URL, bootstrapDefaultUser, "wrongpass", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "Unauthorized")
 	})
@@ -82,7 +92,7 @@ func TestDoUserLogin(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		_, _, err := DoUserLogin(srv.URL, "admin", "secret", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
+		_, _, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "invalid token format")
 	})
@@ -99,7 +109,7 @@ func TestDoUserLogin(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		_, _, err := DoUserLogin(srv.URL, "admin", "secret", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
+		_, _, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
 		require.Error(t, err)
 	})
 
@@ -124,6 +134,12 @@ func TestDoUserLogin(t *testing.T) {
 
 			if r.URL.Path == "/v3-public/localProviders/local" {
 				assert.Equal(t, "login", r.URL.Query().Get("action"))
+
+				var reqBody loginInput
+				err := json.NewDecoder(r.Body).Decode(&reqBody)
+				require.NoError(t, err)
+				assert.Equal(t, int64(60000), reqBody.TTL)
+
 				_ = json.NewEncoder(w).Encode(map[string]any{
 					"token": tokenValue,
 				})
@@ -134,7 +150,7 @@ func TestDoUserLogin(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		id, token, err := DoUserLogin(srv.URL, "admin", "secret", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
+		id, token, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
 		require.NoError(t, err)
 		assert.Equal(t, tokenID, id)
 		assert.Equal(t, tokenValue, token)
@@ -162,8 +178,53 @@ func TestDoUserLogin(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		_, _, err := DoUserLogin(srv.URL, "admin", "wrongpass", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
+		_, _, err := DoUserLogin(srv.URL, bootstrapDefaultUser, "wrongpass", bootstrapDefaultTTL, bootstrapDefaultSessionDesc, "", true)
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "Unauthorized")
 	})
+
+	t.Run("invalid ttl value - not a number", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			t.Error("should not make request with invalid TTL")
+		}))
+		defer srv.Close()
+
+		_, _, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, "not-a-number", bootstrapDefaultSessionDesc, "", true)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "Invalid ttl value")
+	})
+
+	t.Run("invalid ttl value - negative number", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			t.Error("should not make request with negative TTL")
+		}))
+		defer srv.Close()
+
+		_, _, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, "-1000", bootstrapDefaultSessionDesc, "", true)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "Invalid ttl value")
+	})
+
+	t.Run("valid ttl value - zero", func(t *testing.T) {
+		tokenID := "token-zero-ttl"
+		tokenValue := tokenID + ":secrettoken"
+
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			var reqBody loginInput
+			err := json.NewDecoder(r.Body).Decode(&reqBody)
+			require.NoError(t, err)
+			assert.Equal(t, int64(0), reqBody.TTL)
+
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"token": tokenValue,
+			})
+		}))
+		defer srv.Close()
+
+		id, token, err := DoUserLogin(srv.URL, bootstrapDefaultUser, bootstrapDefaultPassword, "0", bootstrapDefaultSessionDesc, "", true)
+		require.NoError(t, err)
+		assert.Equal(t, tokenID, id)
+		assert.Equal(t, tokenValue, token)
+	})
 }