package vhost import ( "net/http/httptest" "testing" "github.com/stretchr/testify/require" httppkg "github.com/fatedier/frp/pkg/util/http" ) func TestCheckRouteAuthByRequest(t *testing.T) { rc := &RouteConfig{ Username: "alice", Password: "secret", } t.Run("accepts nil route config", func(t *testing.T) { req := httptest.NewRequest("GET", "/", nil) require.True(t, checkRouteAuthByRequest(req, nil)) }) t.Run("accepts route without credentials", func(t *testing.T) { req := httptest.NewRequest("GET", "/", nil) require.True(t, checkRouteAuthByRequest(req, &RouteConfig{})) }) t.Run("accepts authorization header", func(t *testing.T) { req := httptest.NewRequest("GET", "/", nil) req.SetBasicAuth("alice", "secret") require.True(t, checkRouteAuthByRequest(req, rc)) }) t.Run("accepts proxy authorization header", func(t *testing.T) { req := httptest.NewRequest("GET", "http://target.example.com/", nil) req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "secret")) require.True(t, checkRouteAuthByRequest(req, rc)) }) t.Run("rejects authorization fallback for proxy request", func(t *testing.T) { req := httptest.NewRequest("GET", "http://target.example.com/", nil) req.SetBasicAuth("alice", "secret") require.False(t, checkRouteAuthByRequest(req, rc)) }) t.Run("rejects wrong proxy authorization even when authorization matches", func(t *testing.T) { req := httptest.NewRequest("GET", "http://target.example.com/", nil) req.SetBasicAuth("alice", "secret") req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "wrong")) require.False(t, checkRouteAuthByRequest(req, rc)) }) t.Run("rejects when neither header matches", func(t *testing.T) { req := httptest.NewRequest("GET", "http://target.example.com/", nil) req.SetBasicAuth("alice", "wrong") req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "wrong")) require.False(t, checkRouteAuthByRequest(req, rc)) }) t.Run("rejects proxy authorization on direct request", func(t *testing.T) { req := httptest.NewRequest("GET", "/", nil) req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "secret")) require.False(t, checkRouteAuthByRequest(req, rc)) }) } func TestGetRequestRouteUser(t *testing.T) { t.Run("proxy request uses proxy authorization username", func(t *testing.T) { req := httptest.NewRequest("GET", "http://target.example.com/", nil) req.Host = "target.example.com" req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("proxy-user", "proxy-pass")) req.SetBasicAuth("direct-user", "direct-pass") require.Equal(t, "proxy-user", getRequestRouteUser(req)) }) t.Run("connect request keeps proxy authorization routing", func(t *testing.T) { req := httptest.NewRequest("CONNECT", "http://target.example.com:443", nil) req.Host = "target.example.com:443" req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("proxy-user", "proxy-pass")) req.SetBasicAuth("direct-user", "direct-pass") require.Equal(t, "proxy-user", getRequestRouteUser(req)) }) t.Run("direct request uses authorization username", func(t *testing.T) { req := httptest.NewRequest("GET", "/", nil) req.Host = "example.com" req.SetBasicAuth("direct-user", "direct-pass") require.Equal(t, "direct-user", getRequestRouteUser(req)) }) t.Run("proxy request does not fall back when proxy authorization is invalid", func(t *testing.T) { req := httptest.NewRequest("GET", "http://target.example.com/", nil) req.Host = "target.example.com" req.Header.Set("Proxy-Authorization", "Basic !!!") req.SetBasicAuth("direct-user", "direct-pass") require.Empty(t, getRequestRouteUser(req)) }) }