diff --git a/internal/gitaly/server/auth_test.go b/internal/gitaly/server/auth_test.go
index ab87f67a3c3b6a1406eaf03e0df3bb54c1c2ad6c..d2e24a7eabef30fba651296080c3476f06741576 100644
--- a/internal/gitaly/server/auth_test.go
+++ b/internal/gitaly/server/auth_test.go
@@ -355,6 +355,50 @@ func TestStreamingNoAuth(t *testing.T) {
 testhelper.RequireGrpcCode(t, err, codes.Unauthenticated)
 }
 
+func TestIsAuthenticated(t *testing.T) {
+ t.Parallel()
+
+ ctx := testhelper.Context(t)
+
+ t.Run("unauthenticated context", func(t *testing.T) {
+ require.False(t, serverauth.IsAuthenticated(ctx))
+ })
+
+ t.Run("authenticated context after successful token validation", func(t *testing.T) {
+ cfg := testcfg.Build(t, testcfg.WithBase(config.Cfg{
+ Auth: auth.Config{Token: "secret-token"},
+ }))
+
+ serverSocketPath := runServer(t, cfg)
+ conn, err := dial(ctx, serverSocketPath, client.WithGrpcOptions([]grpc.DialOption{
+ grpc.WithPerRPCCredentials(gitalyauth.RPCCredentialsV2("secret-token")),
+ }))
+ require.NoError(t, err)
+ t.Cleanup(func() { conn.Close() })
+
+ // Make a request that will go through authentication
+ _, err = gitalypb.NewServerServiceClient(conn).ServerInfo(ctx, &gitalypb.ServerInfoRequest{})
+ require.NoError(t, err)
+ })
+
+ t.Run("unauthenticated context with wrong token", func(t *testing.T) {
+ cfg := testcfg.Build(t, testcfg.WithBase(config.Cfg{
+ Auth: auth.Config{Token: "secret-token"},
+ }))
+
+ serverSocketPath := runServer(t, cfg)
+ conn, err := dial(ctx, serverSocketPath, client.WithGrpcOptions([]grpc.DialOption{
+ grpc.WithPerRPCCredentials(gitalyauth.RPCCredentialsV2("wrong-token")),
+ }))
+ require.NoError(t, err)
+ t.Cleanup(func() { conn.Close() })
+
+ // Request should fail with permission denied
+ _, err = gitalypb.NewServerServiceClient(conn).ServerInfo(ctx, &gitalypb.ServerInfoRequest{})
+ testhelper.RequireGrpcCode(t, err, codes.PermissionDenied)
+ })
+}
+
 func TestAuthBeforeLimit(t *testing.T) {
 ctx := testhelper.Context(t)
 cfg := testcfg.Build(t, testcfg.WithBase(config.Cfg{
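Review bot: The two server-backed subtests of `TestIsAuthenticated` never call `serverauth.IsAuthenticated`, so the only assertion on the function under test is the `require.False` on a bare client-side context. An implementation that always returned false would pass all three subtests, which leaves the positive path of an authentication predicate unverified. The `ctx` used for `ServerInfo` is the client context and would not be expected to carry a server-side marker, so the check has to run on the context the handler receives. Assuming the test setup allows it (how `runServer` wires interceptors is not visible in this hunk), capture that context after the auth interceptor and assert `require.True(t, serverauth.IsAuthenticated(handlerCtx))` for the valid token, and assert that the handler is never reached for `"wrong-token"`. If that is out of scope, rename the second and third subtests so they do not claim to cover `IsAuthenticated`.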