vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-05-01 21:10:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

test: deny non-admin proxy users on admin endpoints

Browse source
This commit is contained in:
rcourtman 2026-02-04 11:14:53 +00:00
parent 65a0b7a0e4
commit df4ae9d639
1 changed files with 50 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

50
internal/api/security_regression_test.go
View file

@ -1616,6 +1616,56 @@ func TestNotificationsRequireProxyAdmin(t *testing.T) {
}
}
func TestProxyAuthNonAdminDeniedAdminEndpoints(t *testing.T) {
cfg := newTestConfigWithTokens(t)
cfg.ProxyAuthSecret = "proxy-secret"
cfg.ProxyAuthUserHeader = "X-Remote-User"
cfg.ProxyAuthRoleHeader = "X-Remote-Roles"
cfg.ProxyAuthAdminRole = "admin"
router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
cases := []struct {
method string
path string
body string
}{
{method: http.MethodGet, path: "/api/logs/stream", body: ""},
{method: http.MethodGet, path: "/api/logs/download", body: ""},
{method: http.MethodGet, path: "/api/logs/level", body: ""},
{method: http.MethodPost, path: "/api/logs/level", body: `{}`},
{method: http.MethodGet, path: "/api/updates/check", body: ""},
{method: http.MethodPost, path: "/api/updates/apply", body: `{}`},
{method: http.MethodGet, path: "/api/updates/status", body: ""},
{method: http.MethodGet, path: "/api/updates/plan", body: ""},
{method: http.MethodGet, path: "/api/updates/history", body: ""},
{method: http.MethodGet, path: "/api/updates/history/entry", body: ""},
{method: http.MethodGet, path: "/api/diagnostics", body: ""},
{method: http.MethodPost, path: "/api/diagnostics/docker/prepare-token", body: `{}`},
{method: http.MethodPost, path: "/api/license/activate", body: `{}`},
{method: http.MethodPost, path: "/api/license/clear", body: `{}`},
{method: http.MethodGet, path: "/api/license/status", body: ""},
{method: http.MethodGet, path: "/api/notifications/queue/stats", body: ""},
{method: http.MethodGet, path: "/api/notifications/", body: ""},
}
for _, tc := range cases {
req := httptest.NewRequest(tc.method, tc.path, strings.NewReader(tc.body))
req.Header.Set("X-Proxy-Secret", cfg.ProxyAuthSecret)
req.Header.Set("X-Remote-User", "viewer-user")
req.Header.Set("X-Remote-Roles", "viewer")
rec := httptest.NewRecorder()
router.Handler().ServeHTTP(rec, req)
if rec.Code != http.StatusForbidden {
t.Fatalf("expected 403 for non-admin proxy user on %s %s, got %d", tc.method, tc.path, rec.Code)
}
if !strings.Contains(rec.Body.String(), "Admin privileges required") {
t.Fatalf("expected admin privilege error on %s %s, got %q", tc.method, tc.path, rec.Body.String())
}
}
}
func TestDockerAgentEndpointsRequireDockerReportScope(t *testing.T) {
rawToken := "docker-report-token-123.12345678"
record := newTokenRecord(t, rawToken, []string{config.ScopeMonitoringRead}, nil)