// Tests for auth_client.c.
#include <stdlib.h>
#include "gtest/gtest.h"
extern "C" {
#include "auth_client.h"
}
// Auth server address handed to auth_client_new() by every test below.
// It is NULL at this point; no assignment is visible in this part of the
// file -- presumably test setup fills it in before the tests run (confirm).
static const char *server = NULL;
// Test-only TLS fixtures (CA certificate, client certificate, client key).
// The paths are relative, so they resolve against the working directory
// the test binary is started from.
static const char *ssl_ca = "../authserv/test/testca/ca.pem";
static const char *ssl_cert = "../authserv/test/testca/certs/client.pem";
static const char *ssl_key = "../authserv/test/testca/private/client.key";
TEST(AuthClientCurlInterface, ErrorConversion) {
  // Round-trip a curl error code through the auth_client error space and
  // back; the conversion must return the code it started from.
  // 35 is CURLE_SSL_CONNECT_ERROR in curl's CURLcode enum.
  const int curl_err = 35;
  const int translated =
      auth_client_err_to_curl(auth_client_err_from_curl(curl_err));

  EXPECT_EQ(curl_err, translated);
}
TEST(AuthClient, NewAndFree) {
  // Smoke test: a client can be created for "service" and released again.
  auth_client_t ac = auth_client_new("service", server);
  ASSERT_TRUE(ac != NULL);

  auth_client_free(ac);
}
TEST(AuthClient, CertSetupFailsWithoutCA) {
  // Despite the name, this covers all three inputs: the CA, the client
  // certificate and the client key are each replaced in turn by a path that
  // is expected not to exist, and certificate setup must be rejected every
  // time.
  auth_client_t ac;
  ac = auth_client_new("service", server);
  ASSERT_TRUE(ac != NULL);

  // Bad CA path.
  EXPECT_NE(AC_OK,
            auth_client_set_certificate(ac, "nonexisting.pem", ssl_cert, ssl_key));

  // Bad client certificate path.
  EXPECT_NE(AC_OK,
            auth_client_set_certificate(ac, ssl_ca, "nonexisting.pem", ssl_key));

  // Bad client key path.
  EXPECT_NE(AC_OK,
            auth_client_set_certificate(ac, ssl_ca, ssl_cert, "nonexisting.key"));

  auth_client_free(ac);
}
TEST(AuthClient, AuthOK) {
  // Happy path: with the test CA, client certificate and matching key
  // loaded, authenticating "user"/"pass" against `server` must succeed.
  auth_client_t ac = auth_client_new("service", server);
  ASSERT_TRUE(ac != NULL);
  auth_client_set_verbose(ac, 1);

  int result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key);
  EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);

  // Both checks are non-fatal, so authentication is attempted even when
  // certificate setup failed, and the client is always freed below.
  // NOTE(review): the NULL and "127.0.0.1" arguments look like an absent
  // OTP token and the source address -- confirm against auth_client.h.
  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
  EXPECT_EQ(AC_OK, result) << "authenticate() error: " << auth_client_strerror(result)
                           << ", server=" << server;

  auth_client_free(ac);
}
TEST(AuthClient, SSLFailsWithBadCertificate) {
  auth_client_t ac = auth_client_new("service", server);
  ASSERT_TRUE(ac != NULL);
  auth_client_set_verbose(ac, 1);

  // auth_client cannot be asked to make an https request with no client
  // certificate at all, so the failure is provoked with an unusable one:
  // the CA certificate is passed as the client certificate, which does not
  // match the private key in ssl_key. Loading is still expected to succeed,
  // because auth_client_set_certificate() does not check that the
  // certificate and key belong together.
  int result = auth_client_set_certificate(ac, ssl_ca, ssl_ca, ssl_key);
  EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);

  // NOTE(review): any non-AC_OK result satisfies this check, including an
  // unreachable or misconfigured server, so a pass does not by itself show
  // that the mismatched certificate was what got rejected. Comparing against
  // the specific error returned for a TLS failure would tighten the test.
  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
  EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;

  auth_client_free(ac);
}