mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-16 13:00:44 +09:00
32 lines
1.1 KiB
Go
32 lines
1.1 KiB
Go
package apiv2
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/juanfont/headscale/hscontrol/types"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
// TestNarrowTagsRejectsMalformed asserts the token endpoint validates tag
|
|
// format at the trust boundary. An "all"-scope client may assign any tag, but a
|
|
// malformed tag (missing the "tag:" prefix) must still be rejected rather than
|
|
// flowing unvalidated into auth-key creation.
|
|
func TestNarrowTagsRejectsMalformed(t *testing.T) {
|
|
all := &types.OAuthClient{Scopes: []string{"all"}}
|
|
|
|
_, bad, ok := narrowTags(all, []string{"not-a-tag"})
|
|
assert.False(t, ok, "malformed tag must be rejected even with all scope")
|
|
assert.Equal(t, "not-a-tag", bad)
|
|
|
|
got, _, ok := narrowTags(all, []string{"tag:anything"})
|
|
assert.True(t, ok, "all scope may assign any well-formed tag")
|
|
assert.Equal(t, []string{"tag:anything"}, got)
|
|
|
|
// A scoped client may only assign its own well-formed tags.
|
|
scoped := &types.OAuthClient{Scopes: []string{"auth_keys"}, Tags: []string{"tag:ci"}}
|
|
|
|
_, bad, ok = narrowTags(scoped, []string{"tag:other"})
|
|
assert.False(t, ok)
|
|
assert.Equal(t, "tag:other", bad)
|
|
}
|