Add provisioner webhook auth tests (#136)

Added unit tests for the new webhook header checks.
mattermost · Oct 25, 2023 · 10db783 · 10db783
1 parent e6a8df8
commit 10db783
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 1 deletion.
diff --git a/server/webhook.go b/server/webhook.go
@@ -17,6 +17,8 @@ import (
 const (
 	installationLogsURLTmpl = `https://grafana.internal.mattermost.com/explore?orgId=1&left={"datasource":"PFB2D5CACEC34D62E","queries":[{"refId":"A","datasource":{"type":"loki","uid":"PFB2D5CACEC34D62E"},"editorMode":"code","expr":"{app=\"mattermost\", namespace=\"{{.ID}}\"}","queryType":"range"}],"range":{"from":"now-1h","to":"now"}}`
 	provisionerLogsURLTmpl  = `https://grafana.internal.mattermost.com/explore?orgId=1&left={"datasource":"PFB2D5CACEC34D62E","queries":[{"refId":"A","datasource":{"type":"loki","uid":"PFB2D5CACEC34D62E"},"editorMode":"code","expr":"{namespace=\"mattermost-cloud-test\", component=\"provisioner\"} |= %60{{.ID}}%60","queryType":"range"}],"range":{"from":"now-3h","to":"now"}}`
+
+	authHeaderKey = "X-MM-Cloud-Plugin-Auth-Token"
 )
 
 // getStringFromTemplate returns a string from a template and data provided.
@@ -36,7 +38,7 @@ func getStringFromTemplate(tmpl string, data any) (string, error) {
 }
 
 func (p *Plugin) authenticateWebhook(r *http.Request) error {
-	token := r.Header.Get("X-MM-Cloud-Plugin-Auth-Token")
+	token := r.Header.Get(authHeaderKey)
 
 	if equal := subtle.ConstantTimeCompare([]byte(token), []byte(p.configuration.ProvisioningServerWebhookSecret)); equal != 1 {
 		return errors.New("unauthorized")

diff --git a/server/webhook_test.go b/server/webhook_test.go
@@ -0,0 +1,70 @@
+package main
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestAuthenticateWebhook(t *testing.T) {
+	plugin := Plugin{
+		configuration: &configuration{},
+	}
+
+	t.Run("no auth set, header not defined", func(t *testing.T) {
+		request, err := http.NewRequest(http.MethodPost, "test.domain.com", nil)
+		require.NoError(t, err)
+
+		require.NoError(t, plugin.authenticateWebhook(request))
+	})
+
+	t.Run("no auth set, header defined as empty", func(t *testing.T) {
+		request, err := http.NewRequest(http.MethodPost, "test.domain.com", nil)
+		require.NoError(t, err)
+		request.Header.Add(authHeaderKey, "")
+
+		require.NoError(t, plugin.authenticateWebhook(request))
+	})
+
+	t.Run("no auth set, header defined as wrong value", func(t *testing.T) {
+		request, err := http.NewRequest(http.MethodPost, "test.domain.com", nil)
+		require.NoError(t, err)
+		request.Header.Add(authHeaderKey, "test")
+
+		require.EqualError(t, plugin.authenticateWebhook(request), "unauthorized")
+	})
+
+	plugin.configuration.ProvisioningServerWebhookSecret = "secret1"
+
+	t.Run("auth set, header not defined", func(t *testing.T) {
+		request, err := http.NewRequest(http.MethodPost, "test.domain.com", nil)
+		require.NoError(t, err)
+
+		require.EqualError(t, plugin.authenticateWebhook(request), "unauthorized")
+	})
+
+	t.Run("auth set, header defined as empty", func(t *testing.T) {
+		request, err := http.NewRequest(http.MethodPost, "test.domain.com", nil)
+		require.NoError(t, err)
+		request.Header.Add(authHeaderKey, "")
+
+		require.EqualError(t, plugin.authenticateWebhook(request), "unauthorized")
+	})
+
+	t.Run("auth set, header defined as wrong value", func(t *testing.T) {
+		request, err := http.NewRequest(http.MethodPost, "test.domain.com", nil)
+		require.NoError(t, err)
+		request.Header.Add(authHeaderKey, "test")
+
+		require.EqualError(t, plugin.authenticateWebhook(request), "unauthorized")
+	})
+
+	t.Run("auth set, header defined as right value", func(t *testing.T) {
+		request, err := http.NewRequest(http.MethodPost, "test.domain.com", nil)
+		require.NoError(t, err)
+		request.Header.Add(authHeaderKey, "secret1")
+
+		require.NoError(t, plugin.authenticateWebhook(request))
+	})
+}