Add a test for fake password

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
prometheus · Jan 18, 2021 · e58755e · e58755e
1 parent 021b5d3
commit e58755e
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/web/users_test.go b/web/users_test.go
@@ -83,3 +83,48 @@ func TestBasicAuthCache(t *testing.T) {
 	close(start)
 	wg.Wait()
 }
+
+// TestBasicAuthWithFakePassword validates that we can't login the "fakepassword" used in
+// to prevent user enumeration.
+func TestBasicAuthWithFakepassword(t *testing.T) {
+	server := &http.Server{
+		Addr: port,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Write([]byte("Hello World!"))
+		}),
+	}
+
+	done := make(chan struct{})
+	t.Cleanup(func() {
+		if err := server.Shutdown(context.Background()); err != nil {
+			t.Fatal(err)
+		}
+		<-done
+	})
+
+	go func() {
+		ListenAndServe(server, "testdata/tls_config_users_noTLS.good.yml", testlogger)
+		close(done)
+	}()
+
+	login := func() {
+		client := &http.Client{}
+		req, err := http.NewRequest("GET", "http://localhost"+port, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		req.SetBasicAuth("fakeuser", "fakepassword")
+		r, err := client.Do(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if r.StatusCode != 401 {
+			t.Fatalf("bad return code, expected %d, got %d", 401, r.StatusCode)
+		}
+	}
+
+	// Login with a cold cache.
+	login()
+	// Login with the response cached.
+	login()
+}