package auth import "testing" func TestForwardAuthTrusts(t *testing.T) { fa, err := NewForwardAuthConfig("u", "e", "n", "g", "admins", []string{"127.0.0.1/32", "10.0.0.0/8", "::1"}) if err != nil { t.Fatalf("config: %v", err) } cases := map[string]bool{ "127.0.0.1": true, "10.5.6.7": true, "::1": true, "192.168.1.1": false, "8.8.8.8": false, "": false, "not-an-ip": false, } for ip, want := range cases { if got := fa.trusts(ip); got != want { t.Errorf("trusts(%q) = %v, want %v", ip, got, want) } } } func TestForwardAuthBadCIDR(t *testing.T) { if _, err := NewForwardAuthConfig("u", "e", "n", "g", "a", []string{"not-a-cidr/99"}); err == nil { t.Fatal("expected error for malformed CIDR") } } func TestHasAdminGroup(t *testing.T) { fa := &ForwardAuthConfig{AdminGroup: "veola-admins"} cases := map[string]bool{ "veola-admins": true, "users|veola-admins|staff": true, // Authentik pipe-delimited "users,veola-admins": true, // comma-delimited "VEOLA-ADMINS": true, // case-insensitive "users|staff": false, "": false, "veola-admins-extra": false, } for header, want := range cases { if got := fa.hasAdminGroup(header); got != want { t.Errorf("hasAdminGroup(%q) = %v, want %v", header, got, want) } } // Empty admin group never matches. empty := &ForwardAuthConfig{AdminGroup: ""} if empty.hasAdminGroup("anything") { t.Error("empty admin group should not match") } }