Revert authorization/authentication split

Authentication provider module is responsible only for authentication. Nothing more. Access control (authorization) should be kept separate.
2025-04-05 22:17:39 +03:00 · 2020-02-28 01:38:40 +03:00 · 2020-02-28 01:38:40 +03:00 · 55a91a37b7
commit 55a91a37b7
parent 3092ca0ca5
14 changed files with 130 additions and 288 deletions
--- a/internal/auth/sasl_test.go
+++ b/internal/auth/sasl_test.go
@ -3,28 +3,22 @@ package auth
 import (
 	"errors"
 	"net"
-	"reflect"
 	"testing"

-	"github.com/emersion/go-sasl"
 	"github.com/foxcpp/maddy/internal/module"
 	"github.com/foxcpp/maddy/internal/testutils"
 )

 type mockAuth struct {
-	db map[string][]string
+	db map[string]bool
 }

-func (mockAuth) SASLMechanisms() []string {
-	return []string{sasl.Plain, sasl.Login}
-}
-
-func (m mockAuth) AuthPlain(username, _ string) ([]string, error) {
-	ids, ok := m.db[username]
+func (m mockAuth) AuthPlain(username, _ string) error {
+	ok := m.db[username]
 	if !ok {
-		return nil, errors.New("invalid creds")
+		return errors.New("invalid creds")
 	}
-	return ids, nil
+	return nil
 }

 func TestCreateSASL(t *testing.T) {
@ -32,15 +26,15 @@ func TestCreateSASL(t *testing.T) {
 		Log: testutils.Logger(t, "saslauth"),
 		Plain: []module.PlainAuth{
 			&mockAuth{
-				db: map[string][]string{
-					"user1": []string{"user1a", "user1b"},
+				db: map[string]bool{
+					"user1": true,
 				},
 			},
 		},
 	}

 	t.Run("XWHATEVER", func(t *testing.T) {
-		srv := a.CreateSASL("XWHATEVER", &net.TCPAddr{}, func([]string) error { return nil })
+		srv := a.CreateSASL("XWHATEVER", &net.TCPAddr{}, func(string) error { return nil })
 		_, _, err := srv.Next([]byte(""))
 		if err == nil {
 			t.Error("No error for XWHATEVER use")
@ -48,9 +42,10 @@ func TestCreateSASL(t *testing.T) {
 	})

 	t.Run("PLAIN", func(t *testing.T) {
-		var ids []string
-		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(passed []string) error {
-			ids = passed
+		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(id string) error {
+			if id != "user1" {
+				t.Fatal("Wrong auth. identities passed to callback:", id)
+			}
 			return nil
 		})

@ -58,15 +53,13 @@ func TestCreateSASL(t *testing.T) {
 		if err != nil {
 			t.Error("Unexpected error:", err)
 		}
-		if !reflect.DeepEqual(ids, []string{"user1a", "user1b"}) {
-			t.Error("Wrong auth. identities passed to callback:", ids)
-		}
 	})

-	t.Run("PLAIN with autorization identity", func(t *testing.T) {
-		var ids []string
-		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(passed []string) error {
-			ids = passed
+	t.Run("PLAIN with authorization identity", func(t *testing.T) {
+		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(id string) error {
+			if id != "user1a" {
+				t.Fatal("Wrong authorization identity passed:", id)
+			}
 			return nil
 		})

@ -74,30 +67,5 @@ func TestCreateSASL(t *testing.T) {
 		if err != nil {
 			t.Error("Unexpected error:", err)
 		}
-		if !reflect.DeepEqual(ids, []string{"user1a"}) {
-			t.Error("Wrong auth. identities passed to callback:", ids)
-		}
-	})
-
-	t.Run("PLAIN with wrong authorization identity", func(t *testing.T) {
-		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(passed []string) error {
-			return nil
-		})
-
-		_, _, err := srv.Next([]byte("user1c\x00user1\x00aa"))
-		if err == nil {
-			t.Error("Next should fail")
-		}
-	})
-
-	t.Run("PLAIN with wrong authentication identity", func(t *testing.T) {
-		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(passed []string) error {
-			return nil
-		})
-
-		_, _, err := srv.Next([]byte("\x00user2\x00aa"))
-		if err == nil {
-			t.Error("Next should fail")
-		}
 	})
 }