Check if authorisation header is set before attempting to extract tok…

…en (exercism#981) * Check if authorisation header is set before attempting to extract token * Add unit tests for debug.DumpRequest and debug.DumpResponse.
nywilken · Feb 13, 2021 · 0934426 · 0934426
1 parent ce8f497
commit 0934426
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 4 deletions.
diff --git a/debug/debug.go b/debug/debug.go
@@ -44,10 +44,10 @@ func DumpRequest(req *http.Request) {
 	body := io.TeeReader(req.Body, &bodyCopy)
 	req.Body = ioutil.NopCloser(body)
 
-	temp := req.Header.Get("Authorization")
+	authHeader := req.Header.Get("Authorization")
 
-	if !UnmaskAPIKey {
-		if token := strings.Split(temp, " ")[1]; token != "" {
+	if authParts := strings.Split(authHeader, " "); len(authParts) > 1 && !UnmaskAPIKey {
+		if token := authParts[1]; token != "" {
 			req.Header.Set("Authorization", "Bearer "+Redact(token))
 		}
 	}
@@ -62,7 +62,7 @@ func DumpRequest(req *http.Request) {
 	Println("========================= END DumpRequest =========================")
 	Println("")
 
-	req.Header.Set("Authorization", temp)
+	req.Header.Set("Authorization", authHeader)
 	req.Body = ioutil.NopCloser(&bodyCopy)
 }
 

diff --git a/debug/debug_test.go b/debug/debug_test.go
@@ -2,6 +2,7 @@ package debug
 
 import (
 	"bytes"
+	"net/http"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -29,6 +30,76 @@ func TestVerboseDisabled(t *testing.T) {
 	}
 }
 
+func TestDumpRequest(t *testing.T) {
+	testCases := []struct {
+		desc    string
+		auth    string
+		verbose bool
+		unmask  bool
+	}{
+		{
+			desc:    "Do not attempt to dump request if 'Verbose' is set to false",
+			auth:    "",
+			verbose: false,
+			unmask:  false,
+		},
+		{
+			desc:    "Dump request without authorization header",
+			auth:    "", //not set
+			verbose: true,
+			unmask:  false,
+		},
+		{
+			desc:    "Dump request with malformed 'Authorization' header",
+			auth:    "malformed",
+			verbose: true,
+			unmask:  true,
+		},
+		{
+			desc:    "Dump request with properly formed 'Authorization' header",
+			auth:    "Bearer abc12-345abcde1234-5abc12",
+			verbose: true,
+			unmask:  false,
+		},
+	}
+
+	b := &bytes.Buffer{}
+	output = b
+	for _, tc := range testCases {
+		Verbose = tc.verbose
+		UnmaskAPIKey = tc.unmask
+		r, _ := http.NewRequest("GET", "https://api.example.com/bogus", nil)
+		if tc.auth != "" {
+			r.Header.Set("Authorization", tc.auth)
+		}
+
+		DumpRequest(r)
+		if tc.verbose {
+			assert.Regexp(t, "GET /bogus", b.String(), tc.desc)
+			assert.Equal(t, tc.auth, r.Header.Get("Authorization"), tc.desc)
+			if tc.unmask {
+				assert.Regexp(t, "Authorization: "+tc.auth, b.String(), tc.desc)
+			}
+		} else {
+			assert.NotRegexp(t, "GET /bogus", b.String(), tc.desc)
+		}
+	}
+}
+
+func TestDumpResponse(t *testing.T) {
+	b := &bytes.Buffer{}
+	output = b
+	Verbose = true
+	r := &http.Response{
+		StatusCode: 200,
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+	}
+
+	DumpResponse(r)
+	assert.Regexp(t, "HTTP/1.1 200 OK", b.String())
+}
+
 func TestRedact(t *testing.T) {
 	fakeToken := "1a11111aaaa111aa1a11111a11111aa1"
 	expected := "1a11*************************aa1"