Auth support in frontends

2018-07-06 16:52:04 +02:00 · 2018-07-06 16:52:04 +02:00 · 79bf19c897
commit 79bf19c897
parent 0c0ecc1cdc
38 changed files with 3550 additions and 631 deletions
--- a/provider/kv/keynames.go
+++ b/provider/kv/keynames.go
@ -33,22 +33,41 @@ const (
 	pathFrontendPassTLSCert               = "/passtlscert"
 	pathFrontendWhiteListSourceRange      = "/whitelist/sourcerange"
 	pathFrontendWhiteListUseXForwardedFor = "/whitelist/usexforwardedfor"
-	pathFrontendBasicAuth                 = "/basicauth"
-	pathFrontendEntryPoints               = "/entrypoints"
-	pathFrontendRedirectEntryPoint        = "/redirect/entrypoint"
-	pathFrontendRedirectRegex             = "/redirect/regex"
-	pathFrontendRedirectReplacement       = "/redirect/replacement"
-	pathFrontendRedirectPermanent         = "/redirect/permanent"
-	pathFrontendErrorPages                = "/errors/"
-	pathFrontendErrorPagesBackend         = "/backend"
-	pathFrontendErrorPagesQuery           = "/query"
-	pathFrontendErrorPagesStatus          = "/status"
-	pathFrontendRateLimit                 = "/ratelimit/"
-	pathFrontendRateLimitRateSet          = pathFrontendRateLimit + "rateset/"
-	pathFrontendRateLimitExtractorFunc    = pathFrontendRateLimit + "extractorfunc"
-	pathFrontendRateLimitPeriod           = "/period"
-	pathFrontendRateLimitAverage          = "/average"
-	pathFrontendRateLimitBurst            = "/burst"
+
+	pathFrontendBasicAuth                        = "/basicauth" // Deprecated
+	pathFrontendAuth                             = "/auth/"
+	pathFrontendAuthBasic                        = pathFrontendAuth + "basic/"
+	pathFrontendAuthBasicUsers                   = pathFrontendAuthBasic + "users"
+	pathFrontendAuthBasicUsersFile               = pathFrontendAuthBasic + "usersfile"
+	pathFrontendAuthDigest                       = pathFrontendAuth + "digest/"
+	pathFrontendAuthDigestUsers                  = pathFrontendAuthDigest + "users"
+	pathFrontendAuthDigestUsersFile              = pathFrontendAuthDigest + "usersfile"
+	pathFrontendAuthForward                      = pathFrontendAuth + "forward/"
+	pathFrontendAuthForwardAddress               = pathFrontendAuthForward + "address"
+	pathFrontendAuthForwardTLS                   = pathFrontendAuthForward + "tls/"
+	pathFrontendAuthForwardTLSCa                 = pathFrontendAuthForwardTLS + "ca"
+	pathFrontendAuthForwardTLSCaOptional         = pathFrontendAuthForwardTLS + "caoptional"
+	pathFrontendAuthForwardTLSCert               = pathFrontendAuthForwardTLS + "cert"
+	pathFrontendAuthForwardTLSInsecureSkipVerify = pathFrontendAuthForwardTLS + "insecureskipverify"
+	pathFrontendAuthForwardTLSKey                = pathFrontendAuthForwardTLS + "key"
+	pathFrontendAuthForwardTrustForwardHeader    = pathFrontendAuthForward + "trustforwardheader"
+	pathFrontendAuthHeaderField                  = pathFrontendAuth + "headerfield"
+
+	pathFrontendEntryPoints            = "/entrypoints"
+	pathFrontendRedirectEntryPoint     = "/redirect/entrypoint"
+	pathFrontendRedirectRegex          = "/redirect/regex"
+	pathFrontendRedirectReplacement    = "/redirect/replacement"
+	pathFrontendRedirectPermanent      = "/redirect/permanent"
+	pathFrontendErrorPages             = "/errors/"
+	pathFrontendErrorPagesBackend      = "/backend"
+	pathFrontendErrorPagesQuery        = "/query"
+	pathFrontendErrorPagesStatus       = "/status"
+	pathFrontendRateLimit              = "/ratelimit/"
+	pathFrontendRateLimitRateSet       = pathFrontendRateLimit + "rateset/"
+	pathFrontendRateLimitExtractorFunc = pathFrontendRateLimit + "extractorfunc"
+	pathFrontendRateLimitPeriod        = "/period"
+	pathFrontendRateLimitAverage       = "/average"
+	pathFrontendRateLimitBurst         = "/burst"

 	pathFrontendCustomRequestHeaders    = "/headers/customrequestheaders/"
 	pathFrontendCustomResponseHeaders   = "/headers/customresponseheaders/"
--- a/provider/kv/kv_config.go
+++ b/provider/kv/kv_config.go
@ -46,7 +46,8 @@ func (p *Provider) buildConfiguration() *types.Configuration {
 		"getPassHostHeader": p.getPassHostHeader(),
 		"getPassTLSCert":    p.getFuncBool(pathFrontendPassTLSCert, label.DefaultPassTLSCert),
 		"getEntryPoints":    p.getFuncList(pathFrontendEntryPoints),
-		"getBasicAuth":      p.getFuncList(pathFrontendBasicAuth),
+		"getBasicAuth":      p.getFuncList(pathFrontendBasicAuth), // Deprecated
+		"getAuth":           p.getAuth,
 		"getRoutes":         p.getRoutes,
 		"getRedirect":       p.getRedirect,
 		"getErrorPages":     p.getErrorPages,
@ -368,6 +369,78 @@ func (p *Provider) getTLSSection(prefix string) []*tls.Configuration {
 	return tlsSection
 }

+// hasDeprecatedBasicAuth check if the frontend basic auth use the deprecated configuration
+func (p *Provider) hasDeprecatedBasicAuth(rootPath string) bool {
+	return len(p.getList(rootPath, pathFrontendBasicAuth)) > 0
+}
+
+// GetAuth Create auth from path
+func (p *Provider) getAuth(rootPath string) *types.Auth {
+	hasDeprecatedBasicAuth := p.hasDeprecatedBasicAuth(rootPath)
+	if len(p.getList(rootPath, pathFrontendAuth)) > 0 || hasDeprecatedBasicAuth {
+		auth := &types.Auth{
+			HeaderField: p.get("", rootPath, pathFrontendAuthHeaderField),
+		}
+
+		if len(p.getList(rootPath, pathFrontendAuthBasic)) > 0 || hasDeprecatedBasicAuth {
+			auth.Basic = p.getAuthBasic(rootPath)
+		} else if len(p.getList(rootPath, pathFrontendAuthDigest)) > 0 {
+			auth.Digest = p.getAuthDigest(rootPath)
+		} else if len(p.getList(rootPath, pathFrontendAuthForward)) > 0 {
+			auth.Forward = p.getAuthForward(rootPath)
+		}
+
+		return auth
+	}
+	return nil
+}
+
+// getAuthBasic Create Basic Auth from path
+func (p *Provider) getAuthBasic(rootPath string) *types.Basic {
+	basicAuth := &types.Basic{
+		UsersFile: p.get("", rootPath, pathFrontendAuthBasicUsersFile),
+	}
+
+	// backward compatibility
+	if p.hasDeprecatedBasicAuth(rootPath) {
+		basicAuth.Users = p.getList(rootPath, pathFrontendBasicAuth)
+		log.Warnf("Deprecated configuration found: %s. Please use %s.", pathFrontendBasicAuth, pathFrontendAuthBasic)
+	} else {
+		basicAuth.Users = p.getList(rootPath, pathFrontendAuthBasicUsers)
+	}
+
+	return basicAuth
+}
+
+// getAuthDigest Create Digest Auth from path
+func (p *Provider) getAuthDigest(rootPath string) *types.Digest {
+	return &types.Digest{
+		Users:     p.getList(rootPath, pathFrontendAuthDigestUsers),
+		UsersFile: p.get("", rootPath, pathFrontendAuthDigestUsersFile),
+	}
+}
+
+// getAuthForward Create Forward Auth from path
+func (p *Provider) getAuthForward(rootPath string) *types.Forward {
+	forwardAuth := &types.Forward{
+		Address:            p.get("", rootPath, pathFrontendAuthForwardAddress),
+		TrustForwardHeader: p.getBool(false, rootPath, pathFrontendAuthForwardTrustForwardHeader),
+	}
+
+	// TLS configuration
+	if len(p.getList(rootPath, pathFrontendAuthForwardTLS)) > 0 {
+		forwardAuth.TLS = &types.ClientTLS{
+			CA:                 p.get("", rootPath, pathFrontendAuthForwardTLSCa),
+			CAOptional:         p.getBool(false, rootPath, pathFrontendAuthForwardTLSCaOptional),
+			Cert:               p.get("", rootPath, pathFrontendAuthForwardTLSCert),
+			InsecureSkipVerify: p.getBool(false, rootPath, pathFrontendAuthForwardTLSInsecureSkipVerify),
+			Key:                p.get("", rootPath, pathFrontendAuthForwardTLSKey),
+		}
+	}
+
+	return forwardAuth
+}
+
 func (p *Provider) getRoutes(rootPath string) map[string]types.Route {
 	var routes map[string]types.Route

--- a/provider/kv/kv_config_test.go
+++ b/provider/kv/kv_config_test.go
@ -52,7 +52,6 @@ func TestProviderBuildConfiguration(t *testing.T) {
 						Backend:        "backend.with.dot.too",
 						PassHostHeader: true,
 						EntryPoints:    []string{},
-						BasicAuth:      []string{},
 						Routes: map[string]types.Route{
 							"route.with.dot": {
 								Rule: "Host:test.localhost",
@ -62,6 +61,157 @@ func TestProviderBuildConfiguration(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc: "basic auth",
+			kvPairs: filler("traefik",
+				frontend("frontend",
+					withPair(pathFrontendBackend, "backend"),
+					withPair(pathFrontendAuthHeaderField, "X-WebAuth-User"),
+					withList(pathFrontendAuthBasicUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withPair(pathFrontendAuthBasicUsersFile, ".htpasswd"),
+				),
+				backend("backend"),
+			),
+			expected: &types.Configuration{
+				Backends: map[string]*types.Backend{
+					"backend": {
+						LoadBalancer: &types.LoadBalancer{
+							Method: "wrr",
+						},
+					},
+				},
+				Frontends: map[string]*types.Frontend{
+					"frontend": {
+						Backend:        "backend",
+						PassHostHeader: true,
+						EntryPoints:    []string{},
+						Auth: &types.Auth{
+							HeaderField: "X-WebAuth-User",
+							Basic: &types.Basic{
+								Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+									"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+								UsersFile: ".htpasswd",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "basic auth (backward compatibility)",
+			kvPairs: filler("traefik",
+				frontend("frontend",
+					withPair(pathFrontendBackend, "backend"),
+					withList(pathFrontendBasicAuth, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+				),
+				backend("backend"),
+			),
+			expected: &types.Configuration{
+				Backends: map[string]*types.Backend{
+					"backend": {
+						LoadBalancer: &types.LoadBalancer{
+							Method: "wrr",
+						},
+					},
+				},
+				Frontends: map[string]*types.Frontend{
+					"frontend": {
+						Backend:        "backend",
+						PassHostHeader: true,
+						EntryPoints:    []string{},
+						Auth: &types.Auth{
+							Basic: &types.Basic{
+								Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+									"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "digest auth",
+			kvPairs: filler("traefik",
+				frontend("frontend",
+					withPair(pathFrontendBackend, "backend"),
+					withPair(pathFrontendAuthHeaderField, "X-WebAuth-User"),
+					withList(pathFrontendAuthDigestUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withPair(pathFrontendAuthDigestUsersFile, ".htpasswd"),
+				),
+				backend("backend"),
+			),
+			expected: &types.Configuration{
+				Backends: map[string]*types.Backend{
+					"backend": {
+						LoadBalancer: &types.LoadBalancer{
+							Method: "wrr",
+						},
+					},
+				},
+				Frontends: map[string]*types.Frontend{
+					"frontend": {
+						Backend:        "backend",
+						PassHostHeader: true,
+						EntryPoints:    []string{},
+						Auth: &types.Auth{
+							HeaderField: "X-WebAuth-User",
+							Digest: &types.Digest{
+								Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+									"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+								UsersFile: ".htpasswd",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "forward auth",
+			kvPairs: filler("traefik",
+				frontend("frontend",
+					withPair(pathFrontendBackend, "backend"),
+					withPair(pathFrontendAuthHeaderField, "X-WebAuth-User"),
+					withPair(pathFrontendAuthForwardAddress, "auth.server"),
+					withPair(pathFrontendAuthForwardTrustForwardHeader, "true"),
+					withPair(pathFrontendAuthForwardTLSCa, "ca.crt"),
+					withPair(pathFrontendAuthForwardTLSCaOptional, "true"),
+					withPair(pathFrontendAuthForwardTLSCert, "server.crt"),
+					withPair(pathFrontendAuthForwardTLSKey, "server.key"),
+					withPair(pathFrontendAuthForwardTLSInsecureSkipVerify, "true"),
+				),
+				backend("backend"),
+			),
+			expected: &types.Configuration{
+				Backends: map[string]*types.Backend{
+					"backend": {
+						LoadBalancer: &types.LoadBalancer{
+							Method: "wrr",
+						},
+					},
+				},
+				Frontends: map[string]*types.Frontend{
+					"frontend": {
+						Backend:        "backend",
+						PassHostHeader: true,
+						EntryPoints:    []string{},
+						Auth: &types.Auth{
+							HeaderField: "X-WebAuth-User",
+							Forward: &types.Forward{
+								Address:            "auth.server",
+								TrustForwardHeader: true,
+								TLS: &types.ClientTLS{
+									CA:                 "ca.crt",
+									CAOptional:         true,
+									InsecureSkipVerify: true,
+									Cert:               "server.crt",
+									Key:                "server.key",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			desc: "all parameters",
 			kvPairs: filler("traefik",
@ -96,7 +246,21 @@ func TestProviderBuildConfiguration(t *testing.T) {
 					withList(pathFrontendEntryPoints, "http", "https"),
 					withList(pathFrontendWhiteListSourceRange, "1.1.1.1/24", "1234:abcd::42/32"),
 					withPair(pathFrontendWhiteListUseXForwardedFor, "true"),
+
 					withList(pathFrontendBasicAuth, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withList(pathFrontendAuthBasicUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withPair(pathFrontendAuthBasicUsersFile, ".htpasswd"),
+					withList(pathFrontendAuthDigestUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withPair(pathFrontendAuthDigestUsersFile, ".htpasswd"),
+					withPair(pathFrontendAuthForwardAddress, "auth.server"),
+					withPair(pathFrontendAuthForwardTrustForwardHeader, "true"),
+					withPair(pathFrontendAuthForwardTLSCa, "ca.crt"),
+					withPair(pathFrontendAuthForwardTLSCaOptional, "true"),
+					withPair(pathFrontendAuthForwardTLSCert, "server.crt"),
+					withPair(pathFrontendAuthForwardTLSKey, "server.key"),
+					withPair(pathFrontendAuthForwardTLSInsecureSkipVerify, "true"),
+					withPair(pathFrontendAuthHeaderField, "X-WebAuth-User"),
+
 					withPair(pathFrontendRedirectEntryPoint, "https"),
 					withPair(pathFrontendRedirectRegex, "nope"),
 					withPair(pathFrontendRedirectReplacement, "nope"),
@ -200,7 +364,14 @@ func TestProviderBuildConfiguration(t *testing.T) {
 							SourceRange:      []string{"1.1.1.1/24", "1234:abcd::42/32"},
 							UseXForwardedFor: true,
 						},
-						BasicAuth: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+						Auth: &types.Auth{
+							HeaderField: "X-WebAuth-User",
+							Basic: &types.Basic{
+								Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+									"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+								UsersFile: ".htpasswd",
+							},
+						},
 						Redirect: &types.Redirect{
 							EntryPoint: "https",
 							Permanent:  true,
@ -1939,6 +2110,166 @@ func TestProviderGetTLSes(t *testing.T) {
 	}
 }

+func TestProviderGetAuth(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		rootPath string
+		kvPairs  []*store.KVPair
+		expected *types.Auth
+	}{
+		{
+			desc:     "should return nil when no data",
+			expected: nil,
+		},
+		{
+			desc:     "should return a valid basic auth",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withList(pathFrontendAuthBasicUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withPair(pathFrontendAuthBasicUsersFile, ".htpasswd"),
+					withPair(pathFrontendAuthHeaderField, "X-WebAuth-User"))),
+			expected: &types.Auth{
+				HeaderField: "X-WebAuth-User",
+				Basic: &types.Basic{
+					Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+						"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+					UsersFile: ".htpasswd",
+				},
+			},
+		},
+		{
+			desc:     "should return a valid basic auth (backward compatibility)",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withPair(pathFrontendBasicAuth, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+				)),
+			expected: &types.Auth{
+				Basic: &types.Basic{
+					Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+						"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+				},
+			},
+		},
+		{
+			desc:     "should return a valid digest auth",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withList(pathFrontendAuthDigestUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withPair(pathFrontendAuthDigestUsersFile, ".htpasswd"),
+					withPair(pathFrontendAuthHeaderField, "X-WebAuth-User"),
+				)),
+			expected: &types.Auth{
+				HeaderField: "X-WebAuth-User",
+				Digest: &types.Digest{
+					Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+						"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+					UsersFile: ".htpasswd",
+				},
+			},
+		},
+		{
+			desc:     "should return a valid forward auth",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withPair(pathFrontendAuthForwardAddress, "auth.server"),
+					withPair(pathFrontendAuthForwardTrustForwardHeader, "true"),
+					withPair(pathFrontendAuthForwardTLSCa, "ca.crt"),
+					withPair(pathFrontendAuthForwardTLSCaOptional, "true"),
+					withPair(pathFrontendAuthForwardTLSCert, "server.crt"),
+					withPair(pathFrontendAuthForwardTLSKey, "server.key"),
+					withPair(pathFrontendAuthForwardTLSInsecureSkipVerify, "true"),
+					withPair(pathFrontendAuthHeaderField, "X-WebAuth-User"),
+				)),
+			expected: &types.Auth{
+				HeaderField: "X-WebAuth-User",
+				Forward: &types.Forward{
+					Address:            "auth.server",
+					TrustForwardHeader: true,
+					TLS: &types.ClientTLS{
+						CA:                 "ca.crt",
+						CAOptional:         true,
+						InsecureSkipVerify: true,
+						Cert:               "server.crt",
+						Key:                "server.key",
+					},
+				},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			p := newProviderMock(test.kvPairs)
+
+			result := p.getAuth(test.rootPath)
+
+			assert.Equal(t, test.expected, result)
+		})
+	}
+}
+
+func TestProviderHasDeprecatedBasicAuth(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		rootPath string
+		kvPairs  []*store.KVPair
+		expected bool
+	}{
+		{
+			desc:     "should return nil when no data",
+			expected: false,
+		},
+		{
+			desc:     "should return a valid basic auth",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withList(pathFrontendAuthBasicUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+				)),
+			expected: false,
+		},
+		{
+			desc:     "should return a valid basic auth",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withList(pathFrontendBasicAuth, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+				)),
+			expected: true,
+		},
+		{
+			desc:     "should return a valid basic auth",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withList(pathFrontendAuthBasicUsers, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+					withList(pathFrontendBasicAuth, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
+				)),
+			expected: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			p := newProviderMock(test.kvPairs)
+
+			result := p.hasDeprecatedBasicAuth(test.rootPath)
+
+			assert.Equal(t, test.expected, result)
+		})
+	}
+}
+
 func TestProviderGetRoutes(t *testing.T) {
 	testCases := []struct {
 		desc     string