AuthenticationMW fixed; rbac tests added;

bakhterets · bakhterets · commit e3ebc31b51f9 · 2026-02-16T18:05:59.000+01:00
diff --git a/internal/api/middleware.go b/internal/api/middleware.go
@@ -129,13 +129,13 @@ func AuthenticationMW(prov *auth.Provider, logger *zap.Logger, secretKey string)
 
 		if errUserID := setUserIDFromClaims(claims, c, logger); errUserID != nil {
 			logger.Error("failed to set userID from claims", zap.Error(errUserID))
-			c.Abort()
+			apiErrors.RaiseNotAuthorizedErr(c, apiErrors.ErrAuthTokenInvalid)
 			return
 		}
 
 		if groupsErr := setGroupsFromClaims(claims, c, logger); groupsErr != nil {
 			logger.Error("failed to set groups from claims", zap.Error(groupsErr))
-			c.Abort()
+			apiErrors.RaiseNotAuthorizedErr(c, apiErrors.ErrAuthTokenInvalid)
 			return
 		}
 
@@ -174,6 +174,7 @@ func SetJWTClaims(
 
 		claims, ok := token.Claims.(jwt.MapClaims)
 		if !ok {
+			logger.Error("authentication failed: unable to extract claims from token")
 			apiErrors.RaiseNotAuthorizedErr(c, apiErrors.ErrAuthTokenInvalid)
 			return
 		}
diff --git a/internal/api/middleware_test.go b/internal/api/middleware_test.go
@@ -123,6 +123,16 @@ func TestAuthenticationMW_HMAC_SuccessAndFailures(t *testing.T) {
 	w := performRequestWithAuth(mw, "Bearer "+signed)
 	assert.Equal(t, http.StatusOK, w.Code, "expected middleware to allow valid HMAC token")
 
+	invalidGroupsTkn := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"preferred_username": "test-user",
+		"groups":             "sd_admins",
+	})
+	invalidSigned, err := invalidGroupsTkn.SignedString([]byte(secret))
+	require.NoError(t, err, "failed to sign token with invalid groups claim")
+
+	w = performRequestWithAuth(mw, "Bearer "+invalidSigned)
+	assert.Equal(t, http.StatusUnauthorized, w.Code, "expected 401 when groups claim has invalid type")
+
 	w = performRequestWithAuth(mw, "")
 	assert.Equal(t, http.StatusUnauthorized, w.Code, "expected 401 when no Authorization header")
 
@@ -136,8 +146,8 @@ func TestAuthenticationMW_RSA_ValidToken(t *testing.T) {
 	require.NoError(t, err, "failed to generate rsa key")
 
 	claims := jwt.MapClaims{
-		"sub":    "rsa-user",
-		"groups": []interface{}{"/sd-admins"},
+		"preferred_username": "rsa-user",
+		"groups":             []interface{}{"/sd-admins"},
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 	signed, err := token.SignedString(priv)
diff --git a/tests/v2_events_rbac_test.go b/tests/v2_events_rbac_test.go
@@ -714,3 +714,67 @@ func TestV2HasExtendedViewBehavior(t *testing.T) {
 		assert.GreaterOrEqual(t, len(resp.Data), 1, "should see at least the planned event")
 	})
 }
+
+func TestV2InvalidTokenAndClaims(t *testing.T) {
+	truncateIncidents(t)
+	r := initTestsWithHMAC(t)
+
+	creatorToken := generateTestToken("user-a", []string{"sd_creators"})
+
+	components := []int{1, 2}
+	impact := 0
+	system := false
+	startDate := time.Now().Add(time.Hour).UTC()
+	endDate := time.Now().Add(2 * time.Hour).UTC()
+
+	incData := v2.IncidentData{
+		Title: "Test event", Description: "test",
+		ContactEmail: "test@example.com", Impact: &impact,
+		Components: components, StartDate: startDate,
+		EndDate: &endDate, System: &system, Type: event.TypeMaintenance,
+	}
+
+	t.Run("invalid token signature returns 401", func(t *testing.T) {
+		wrongSecretToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			"preferred_username": "user-a",
+			"groups":             []interface{}{"sd_creators"},
+		})
+		invalidToken, err := wrongSecretToken.SignedString([]byte("wrong-secret"))
+		require.NoError(t, err)
+
+		data, _ := json.Marshal(incData)
+		w := httptest.NewRecorder()
+		req, _ := http.NewRequest(http.MethodPost, "/v2/events", bytes.NewReader(data))
+		req.Header.Set("Authorization", "Bearer "+invalidToken)
+		r.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
+
+	t.Run("valid token with invalid groups claim returns 401", func(t *testing.T) {
+		invalidClaimsToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			"preferred_username": "user-a",
+			"groups":             "sd_creators",
+		})
+		tokenWithInvalidClaims, err := invalidClaimsToken.SignedString([]byte(testHMACSecret))
+		require.NoError(t, err)
+
+		data, _ := json.Marshal(incData)
+		w := httptest.NewRecorder()
+		req, _ := http.NewRequest(http.MethodPost, "/v2/events", bytes.NewReader(data))
+		req.Header.Set("Authorization", "Bearer "+tokenWithInvalidClaims)
+		r.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
+
+	t.Run("valid token with valid claims succeeds", func(t *testing.T) {
+		data, _ := json.Marshal(incData)
+		w := httptest.NewRecorder()
+		req, _ := http.NewRequest(http.MethodPost, "/v2/events", bytes.NewReader(data))
+		req.Header.Set("Authorization", "Bearer "+creatorToken)
+		r.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -129,13 +129,13 @@ func AuthenticationMW(prov auth.Provider, logger zap.Logger, secretKey string)`
`129`	`129`
`130`	`130`	`if errUserID := setUserIDFromClaims(claims, c, logger); errUserID != nil {`
`131`	`131`	`logger.Error("failed to set userID from claims", zap.Error(errUserID))`
`132`		`- c.Abort()`
	`132`	`+ apiErrors.RaiseNotAuthorizedErr(c, apiErrors.ErrAuthTokenInvalid)`
`133`	`133`	`return`
`134`	`134`	`}`
`135`	`135`
`136`	`136`	`if groupsErr := setGroupsFromClaims(claims, c, logger); groupsErr != nil {`
`137`	`137`	`logger.Error("failed to set groups from claims", zap.Error(groupsErr))`
`138`		`- c.Abort()`
	`138`	`+ apiErrors.RaiseNotAuthorizedErr(c, apiErrors.ErrAuthTokenInvalid)`
`139`	`139`	`return`
`140`	`140`	`}`
`141`	`141`
`@@ -174,6 +174,7 @@ func SetJWTClaims(`
`174`	`174`
`175`	`175`	`claims, ok := token.Claims.(jwt.MapClaims)`
`176`	`176`	`if !ok {`
	`177`	`+ logger.Error("authentication failed: unable to extract claims from token")`
`177`	`178`	`apiErrors.RaiseNotAuthorizedErr(c, apiErrors.ErrAuthTokenInvalid)`
`178`	`179`	`return`
`179`	`180`	`}`