From 5e1aa32b1a5adaf73817b7141cbf0dc6650b5b42 Mon Sep 17 00:00:00 2001
From: Zach Smith <zach@driver.xyz>
Date: Wed, 1 Aug 2018 16:11:21 -0700
Subject: [RFC] Use akka's built-in authenticate/authorize directives in
 AuthProvider (#136)

* Use akka's built-in authenticate/authorize directives in AuthProvider

* Move AuthProvider companion object to AuthProvider file, move realm to parameter of AuthProvider

* Add secondary constructor to maintain ABI compat
---
 src/test/scala/xyz/driver/core/AuthTest.scala      | 50 +++++++++++++++-------
 src/test/scala/xyz/driver/core/rest/RestTest.scala |  1 -
 2 files changed, 35 insertions(+), 16 deletions(-)

(limited to 'src/test')

diff --git a/src/test/scala/xyz/driver/core/AuthTest.scala b/src/test/scala/xyz/driver/core/AuthTest.scala
index a7707aa..2e772fb 100644
--- a/src/test/scala/xyz/driver/core/AuthTest.scala
+++ b/src/test/scala/xyz/driver/core/AuthTest.scala
@@ -1,7 +1,11 @@
 package xyz.driver.core
 
-import akka.http.scaladsl.model.headers.{HttpChallenges, RawHeader}
-import akka.http.scaladsl.server.AuthenticationFailedRejection.CredentialsRejected
+import akka.http.scaladsl.model.headers.{
+  HttpChallenges,
+  OAuth2BearerToken,
+  RawHeader,
+  Authorization => AkkaAuthorization
+}
 import akka.http.scaladsl.server.Directives._
 import akka.http.scaladsl.server._
 import akka.http.scaladsl.testkit.ScalatestRouteTest
@@ -79,36 +83,51 @@ class AuthTest extends FlatSpec with Matchers with ScalatestRouteTest {
       } ~>
       check {
         // handled shouldBe false
-        val challenge = HttpChallenges.basic("Failed to authenticate user")
-        rejections should contain(AuthenticationFailedRejection(CredentialsRejected, challenge))
+        rejections should contain(
+          AuthenticationFailedRejection(
+            AuthenticationFailedRejection.CredentialsMissing,
+            HttpChallenges.oAuth2(authStatusService.realm)))
       }
   }
 
   it should "throw error if authorized user does not have the requested permission" in {
 
-    val referenceAuthToken = AuthToken("I am a test role's token")
+    val referenceAuthToken  = AuthToken("I am a test role's token")
+    val referenceAuthHeader = AkkaAuthorization(OAuth2BearerToken(referenceAuthToken.value))
 
     Post("/administration/attempt").addHeader(
-      RawHeader(AuthProvider.AuthenticationTokenHeader, referenceAuthToken.value)
+      referenceAuthHeader
     ) ~>
       authorize(TestRoleNotAllowedPermission) { user =>
         complete("Never going to get here")
       } ~>
       check {
         handled shouldBe false
-        rejections should contain(
-          AuthenticationFailedRejection(
-            CredentialsRejected,
-            HttpChallenges.basic("User does not have the required permissions: TestRoleNotAllowedPermission")))
+        rejections should contain(AuthorizationFailedRejection)
       }
   }
 
   it should "pass and retrieve the token to client code, if token is in request and user has permission" in {
+    val referenceAuthToken  = AuthToken("I am token")
+    val referenceAuthHeader = AkkaAuthorization(OAuth2BearerToken(referenceAuthToken.value))
+
+    Get("/valid/attempt/?a=2&b=5").addHeader(
+      referenceAuthHeader
+    ) ~>
+      authorize(TestRoleAllowedPermission) { ctx =>
+        complete(s"Alright, user ${ctx.authenticatedUser.id} is authorized")
+      } ~>
+      check {
+        handled shouldBe true
+        responseAs[String] shouldBe "Alright, user 1 is authorized"
+      }
+  }
 
-    val referenceAuthToken = AuthToken("I am token")
+  it should "authenticate correctly even without the 'Bearer' prefix on the Authorization header" in {
+    val referenceAuthToken = AuthToken("unprefixed_token")
 
     Get("/valid/attempt/?a=2&b=5").addHeader(
-      RawHeader(AuthProvider.AuthenticationTokenHeader, referenceAuthToken.value)
+      RawHeader(ContextHeaders.AuthenticationTokenHeader, referenceAuthToken.value)
     ) ~>
       authorize(TestRoleAllowedPermission) { ctx =>
         complete(s"Alright, user ${ctx.authenticatedUser.id} is authorized")
@@ -128,11 +147,12 @@ class AuthTest extends FlatSpec with Matchers with ScalatestRouteTest {
         "sub"         -> JsString("1"),
         "permissions" -> JsObject(Map(TestRoleAllowedByTokenPermission.toString -> JsBoolean(true)))
       )).prettyPrint
-    val permissionsToken   = PermissionsToken(Jwt.encode(claim, privateKey, JwtAlgorithm.RS256))
-    val referenceAuthToken = AuthToken("I am token")
+    val permissionsToken    = PermissionsToken(Jwt.encode(claim, privateKey, JwtAlgorithm.RS256))
+    val referenceAuthToken  = AuthToken("I am token")
+    val referenceAuthHeader = AkkaAuthorization(OAuth2BearerToken(referenceAuthToken.value))
 
     Get("/alic/attempt/?a=2&b=5")
-      .addHeader(RawHeader(AuthProvider.AuthenticationTokenHeader, referenceAuthToken.value))
+      .addHeader(referenceAuthHeader)
       .addHeader(RawHeader(AuthProvider.PermissionsTokenHeader, permissionsToken.value)) ~>
       authorize(TestRoleAllowedByTokenPermission) { ctx =>
         complete(s"Alright, user ${ctx.authenticatedUser.id} is authorized by permissions token")
diff --git a/src/test/scala/xyz/driver/core/rest/RestTest.scala b/src/test/scala/xyz/driver/core/rest/RestTest.scala
index e742462..19e4ed1 100644
--- a/src/test/scala/xyz/driver/core/rest/RestTest.scala
+++ b/src/test/scala/xyz/driver/core/rest/RestTest.scala
@@ -1,6 +1,5 @@
 package xyz.driver.core.rest
 
-import akka.http.javadsl.server.MalformedRequestContentRejection
 import akka.http.scaladsl.model.StatusCodes
 import akka.http.scaladsl.server.{Directives, Route, ValidationRejection}
 import akka.http.scaladsl.testkit.ScalatestRouteTest
-- 
cgit v1.2.3