auth: add tests for audit trails

Signed-off-by: Javi Fontan <jfontan@gmail.com>

Author: jfontan

auth/audit_test.go

@@ -0,0 +1,230 @@
+package auth_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"gopkg.in/src-d/go-mysql-server.v0/auth"
+	"gopkg.in/src-d/go-mysql-server.v0/sql"
+
+	"github.com/sanity-io/litter"
+	"github.com/sirupsen/logrus"
+	"github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/require"
+)
+
+type Authentication struct {
+	user    string
+	address string
+	err     error
+}
+
+type Authorization struct {
+	ctx *sql.Context
+	p   auth.Permission
+	err error
+}
+
+type Query struct {
+	ctx *sql.Context
+	d   time.Duration
+	err error
+}
+
+type auditTest struct {
+	authentication Authentication
+	authorization  Authorization
+	query          Query
+}
+
+func (a *auditTest) Authentication(user string, address string, err error) {
+	a.authentication = Authentication{
+		user:    user,
+		address: address,
+		err:     err,
+	}
+}
+
+func (a *auditTest) Authorization(ctx *sql.Context, p auth.Permission, err error) {
+	a.authorization = Authorization{
+		ctx: ctx,
+		p:   p,
+		err: err,
+	}
+}
+
+func (a *auditTest) Query(ctx *sql.Context, d time.Duration, err error) {
+	println("query!")
+	a.query = Query{
+		ctx: ctx,
+		d:   d,
+		err: err,
+	}
+}
+
+func (a *auditTest) Clean() {
+	a.authorization = Authorization{}
+	a.authentication = Authentication{}
+	a.query = Query{}
+}
+
+func TestAuditAuthentication(t *testing.T) {
+	a := auth.NewNativeSingle("user", "password", auth.AllPermissions)
+	at := new(auditTest)
+	audit := auth.NewAudit(a, at)
+
+	extra := func(t *testing.T, c authenticationTest) {
+		a := at.authentication
+
+		require.Equal(t, c.user, a.user)
+		require.NotEmpty(t, a.address)
+		if c.success {
+			require.NoError(t, a.err)
+		} else {
+			require.Error(t, a.err)
+			require.Nil(t, at.authorization.ctx)
+			require.Nil(t, at.query.ctx)
+		}
+
+		at.Clean()
+	}
+
+	testAuthentication(t, audit, nativeSingleTests, extra)
+}
+
+func TestAuditAuthorization(t *testing.T) {
+	a := auth.NewNativeSingle("user", "", auth.ReadPerm)
+	at := new(auditTest)
+	audit := auth.NewAudit(a, at)
+
+	tests := []authorizationTest{
+		{"user", "invalid query", false},
+		{"user", queries["select"], true},
+
+		{"user", queries["create_index"], false},
+		{"user", queries["drop_index"], false},
+		{"user", queries["insert"], false},
+		{"user", queries["lock"], false},
+		{"user", queries["unlock"], false},
+	}
+
+	extra := func(t *testing.T, c authorizationTest) {
+		a := at.authorization
+		q := at.query
+
+		litter.Dump(q)
+		require.NotNil(t, q.ctx)
+		require.Equal(t, c.user, q.ctx.Client().User)
+		require.NotEmpty(t, q.ctx.Client().Address)
+		require.NotZero(t, q.d)
+		require.Equal(t, c.user, at.authentication.user)
+
+		if c.success {
+			require.Equal(t, c.user, a.ctx.Client().User)
+			require.NotEmpty(t, a.ctx.Client().Address)
+			require.NoError(t, a.err)
+			require.NoError(t, q.err)
+		} else {
+			require.Error(t, q.err)
+
+			// if there's a syntax error authorization is not triggered
+			if auth.ErrNotAuthorized.Is(q.err) {
+				require.Equal(t, q.err, a.err)
+				require.NotNil(t, a.ctx)
+				require.Equal(t, c.user, a.ctx.Client().User)
+				require.NotEmpty(t, a.ctx.Client().Address)
+			} else {
+				require.NoError(t, a.err)
+				require.Nil(t, a.ctx)
+			}
+		}
+
+		at.Clean()
+	}
+
+	testAudit(t, audit, tests, extra)
+}
+
+func TestAuditLog(t *testing.T) {
+	require := require.New(t)
+
+	logger, hook := test.NewNullLogger()
+	l := auth.NewAuditLog(logger)
+
+	pid := uint64(303)
+	id := uint32(42)
+
+	l.Authentication("user", "client", nil)
+	e := hook.LastEntry()
+	require.NotNil(e)
+	require.Equal(logrus.InfoLevel, e.Level)
+	m := logrus.Fields{
+		"system":  "audit",
+		"action":  "authentication",
+		"user":    "user",
+		"address": "client",
+		"success": true,
+	}
+	require.Equal(m, e.Data)
+
+	err := auth.ErrNoPermission.New(auth.ReadPerm)
+	l.Authentication("user", "client", err)
+	e = hook.LastEntry()
+	m["success"] = false
+	m["err"] = err
+	require.Equal(m, e.Data)
+
+	s := sql.NewSession("server", "client", "user", id)
+	ctx := sql.NewContext(context.TODO(),
+		sql.WithSession(s),
+		sql.WithPid(pid),
+		sql.WithQuery("query"),
+	)
+
+	l.Authorization(ctx, auth.ReadPerm, nil)
+	e = hook.LastEntry()
+	require.NotNil(e)
+	require.Equal(logrus.InfoLevel, e.Level)
+	m = logrus.Fields{
+		"system":        "audit",
+		"action":        "authorization",
+		"permission":    auth.ReadPerm.String(),
+		"user":          "user",
+		"query":         "query",
+		"address":       "client",
+		"connection_id": id,
+		"pid":           pid,
+		"success":       true,
+	}
+	require.Equal(m, e.Data)
+
+	l.Authorization(ctx, auth.ReadPerm, err)
+	e = hook.LastEntry()
+	m["success"] = false
+	m["err"] = err
+	require.Equal(m, e.Data)
+
+	l.Query(ctx, 808*time.Second, nil)
+	e = hook.LastEntry()
+	require.NotNil(e)
+	require.Equal(logrus.InfoLevel, e.Level)
+	m = logrus.Fields{
+		"system":        "audit",
+		"action":        "query",
+		"duration":      808 * time.Second,
+		"user":          "user",
+		"query":         "query",
+		"address":       "client",
+		"connection_id": id,
+		"pid":           pid,
+		"success":       true,
+	}
+	require.Equal(m, e.Data)
+
+	l.Query(ctx, 808*time.Second, err)
+	e = hook.LastEntry()
+	m["success"] = false
+	m["err"] = err
+	require.Equal(m, e.Data)
+}

auth/common_test.go

@@ -80,7 +80,7 @@ func connString(user, password string) string {
 	return fmt.Sprintf("%s:%s@tcp(127.0.0.1:%d)/test", user, password, port)
 }
 
-type authenticationTests []struct {
+type authenticationTest struct {
 	user     string
 	password string
 	success  bool
@@ -89,7 +89,8 @@ type authenticationTests []struct {
 func testAuthentication(
 	t *testing.T,
 	a auth.Auth,
-	tests authenticationTests,
+	tests []authenticationTest,
+	extra func(t *testing.T, c authenticationTest),
 ) {
 	t.Helper()
 	req := require.New(t)
@@ -115,6 +116,10 @@ func testAuthentication(
 
 			err = db.Close()
 			req.NoError(err)
+
+			if extra != nil {
+				extra(t, c)
+			}
 		})
 	}
 
@@ -131,7 +136,7 @@ var queries = map[string]string{
 	"unlock":       "unlock tables",
 }
 
-type authorizationTests []struct {
+type authorizationTest struct {
 	user    string
 	query   string
 	success bool
@@ -140,7 +145,8 @@ type authorizationTests []struct {
 func testAuthorization(
 	t *testing.T,
 	a auth.Auth,
-	tests authorizationTests,
+	tests []authorizationTest,
+	extra func(t *testing.T, c authorizationTest),
 ) {
 	t.Helper()
 	req := require.New(t)
@@ -166,7 +172,51 @@ func testAuthorization(
 			}
 
 			req.Error(err)
-			req.True(auth.ErrNotAuthorized.Is(err))
+			if extra != nil {
+				extra(t, c)
+			} else {
+				req.True(auth.ErrNotAuthorized.Is(err))
+			}
+		})
+	}
+}
+
+func testAudit(
+	t *testing.T,
+	a auth.Auth,
+	tests []authorizationTest,
+	extra func(t *testing.T, c authorizationTest),
+) {
+	t.Helper()
+	req := require.New(t)
+
+	tmpDir, s, err := authServer(a)
+	req.NoError(err)
+	defer os.RemoveAll(tmpDir)
+
+	for _, c := range tests {
+		t.Run(fmt.Sprintf("%s", c.user), func(t *testing.T) {
+			req := require.New(t)
+
+			db, err := dsql.Open("mysql", connString(c.user, ""))
+			req.NoError(err)
+			_, err = db.Query(c.query)
+
+			if c.success {
+				req.NoError(err)
+			} else {
+				req.Error(err)
+			}
+
+			err = db.Close()
+			req.NoError(err)
+
+			if extra != nil {
+				extra(t, c)
+			}
 		})
 	}
+
+	err = s.Close()
+	req.NoError(err)
 }