2014-12-01 04:12:33 +03:00
package main
import (
2019-04-27 05:16:45 +03:00
"context"
2015-11-16 06:08:30 +03:00
"crypto"
2015-07-24 12:17:43 +03:00
"encoding/base64"
2019-04-24 18:25:29 +03:00
"fmt"
2015-11-16 06:08:30 +03:00
"io"
2014-12-01 04:12:33 +03:00
"io/ioutil"
"net"
"net/http"
"net/http/httptest"
"net/url"
2015-04-07 05:10:03 +03:00
"regexp"
2015-04-03 03:57:17 +03:00
"strings"
2014-12-01 04:12:33 +03:00
"testing"
2015-04-03 03:57:17 +03:00
"time"
2017-06-22 01:02:34 +03:00
2019-04-27 05:47:53 +03:00
"github.com/coreos/go-oidc"
2017-09-13 01:59:00 +03:00
"github.com/mbland/hmacauth"
2020-04-13 15:50:34 +03:00
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options"
2020-03-29 16:54:36 +03:00
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
"github.com/oauth2-proxy/oauth2-proxy/pkg/logger"
"github.com/oauth2-proxy/oauth2-proxy/pkg/sessions/cookie"
2020-04-13 15:50:34 +03:00
"github.com/oauth2-proxy/oauth2-proxy/pkg/validation"
2020-03-29 16:54:36 +03:00
"github.com/oauth2-proxy/oauth2-proxy/providers"
2017-10-23 19:23:46 +03:00
"github.com/stretchr/testify/assert"
2019-01-29 15:13:02 +03:00
"github.com/stretchr/testify/require"
2019-03-08 11:15:21 +03:00
"golang.org/x/net/websocket"
2014-12-01 04:12:33 +03:00
)
2015-05-21 06:23:48 +03:00
func init ( ) {
2019-02-10 19:37:45 +03:00
logger . SetFlags ( logger . Lshortfile )
2015-05-21 06:23:48 +03:00
}
2019-03-08 11:15:21 +03:00
type WebSocketOrRestHandler struct {
restHandler http . Handler
wsHandler http . Handler
}
func ( h * WebSocketOrRestHandler ) ServeHTTP ( w http . ResponseWriter , r * http . Request ) {
if r . Header . Get ( "Upgrade" ) == "websocket" {
h . wsHandler . ServeHTTP ( w , r )
} else {
h . restHandler . ServeHTTP ( w , r )
}
}
func TestWebSocketProxy ( t * testing . T ) {
handler := WebSocketOrRestHandler {
restHandler : http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . WriteHeader ( 200 )
hostname , _ , _ := net . SplitHostPort ( r . Host )
w . Write ( [ ] byte ( hostname ) )
} ) ,
wsHandler : websocket . Handler ( func ( ws * websocket . Conn ) {
defer ws . Close ( )
var data [ ] byte
err := websocket . Message . Receive ( ws , & data )
if err != nil {
t . Fatalf ( "err %s" , err )
return
}
err = websocket . Message . Send ( ws , data )
if err != nil {
t . Fatalf ( "err %s" , err )
}
} ) ,
}
backend := httptest . NewServer ( & handler )
defer backend . Close ( )
backendURL , _ := url . Parse ( backend . URL )
2020-04-13 15:50:34 +03:00
options := options . NewOptions ( )
2019-03-08 11:15:21 +03:00
var auth hmacauth . HmacAuth
options . PassHostHeader = true
proxyHandler := NewWebSocketOrRestReverseProxy ( backendURL , options , auth )
frontend := httptest . NewServer ( proxyHandler )
defer frontend . Close ( )
frontendURL , _ := url . Parse ( frontend . URL )
frontendWSURL := "ws://" + frontendURL . Host + "/"
ws , err := websocket . Dial ( frontendWSURL , "" , "http://localhost/" )
if err != nil {
t . Fatalf ( "err %s" , err )
}
request := [ ] byte ( "hello, world!" )
err = websocket . Message . Send ( ws , request )
if err != nil {
t . Fatalf ( "err %s" , err )
}
var response = make ( [ ] byte , 1024 )
websocket . Message . Receive ( ws , & response )
if err != nil {
t . Fatalf ( "err %s" , err )
}
if g , e := string ( request ) , string ( response ) ; g != e {
t . Errorf ( "got body %q; expected %q" , g , e )
}
getReq , _ := http . NewRequest ( "GET" , frontend . URL , nil )
res , _ := http . DefaultClient . Do ( getReq )
bodyBytes , _ := ioutil . ReadAll ( res . Body )
backendHostname , _ , _ := net . SplitHostPort ( backendURL . Host )
if g , e := string ( bodyBytes ) , backendHostname ; g != e {
t . Errorf ( "got body %q; expected %q" , g , e )
}
}
2014-12-01 04:12:33 +03:00
func TestNewReverseProxy ( t * testing . T ) {
backend := httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . WriteHeader ( 200 )
2015-03-17 22:15:15 +03:00
hostname , _ , _ := net . SplitHostPort ( r . Host )
2014-12-01 04:12:33 +03:00
w . Write ( [ ] byte ( hostname ) )
} ) )
defer backend . Close ( )
backendURL , _ := url . Parse ( backend . URL )
2015-04-03 04:06:37 +03:00
backendHostname , backendPort , _ := net . SplitHostPort ( backendURL . Host )
2014-12-01 04:12:33 +03:00
backendHost := net . JoinHostPort ( backendHostname , backendPort )
proxyURL , _ := url . Parse ( backendURL . Scheme + "://" + backendHost + "/" )
2020-04-13 15:50:34 +03:00
proxyHandler := NewReverseProxy ( proxyURL , & options . Options { FlushInterval : time . Second } )
2015-03-17 22:15:15 +03:00
setProxyUpstreamHostHeader ( proxyHandler , proxyURL )
2014-12-01 04:12:33 +03:00
frontend := httptest . NewServer ( proxyHandler )
defer frontend . Close ( )
getReq , _ := http . NewRequest ( "GET" , frontend . URL , nil )
res , _ := http . DefaultClient . Do ( getReq )
bodyBytes , _ := ioutil . ReadAll ( res . Body )
if g , e := string ( bodyBytes ) , backendHostname ; g != e {
t . Errorf ( "got body %q; expected %q" , g , e )
}
}
2015-03-18 00:17:40 +03:00
func TestEncodedSlashes ( t * testing . T ) {
var seen string
backend := httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . WriteHeader ( 200 )
seen = r . RequestURI
} ) )
defer backend . Close ( )
b , _ := url . Parse ( backend . URL )
2020-04-13 15:50:34 +03:00
proxyHandler := NewReverseProxy ( b , & options . Options { FlushInterval : time . Second } )
2015-03-18 00:17:40 +03:00
setProxyDirector ( proxyHandler )
frontend := httptest . NewServer ( proxyHandler )
defer frontend . Close ( )
f , _ := url . Parse ( frontend . URL )
2015-03-21 22:29:07 +03:00
encodedPath := "/a%2Fb/?c=1"
2015-03-18 00:17:40 +03:00
getReq := & http . Request { URL : & url . URL { Scheme : "http" , Host : f . Host , Opaque : encodedPath } }
_ , err := http . DefaultClient . Do ( getReq )
if err != nil {
t . Fatalf ( "err %s" , err )
}
2015-03-21 22:29:07 +03:00
if seen != encodedPath {
t . Errorf ( "got bad request %q expected %q" , seen , encodedPath )
2015-03-18 00:17:40 +03:00
}
}
2015-04-03 03:57:17 +03:00
2015-05-10 22:15:52 +03:00
func TestRobotsTxt ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2019-06-23 22:41:23 +03:00
opts . ClientID = "asdlkjx"
opts . ClientSecret = "alkgks"
2020-04-12 16:00:59 +03:00
opts . Cookie . Secret = "asdkugkj"
2020-04-13 15:50:34 +03:00
validation . Validate ( opts )
2015-05-10 22:15:52 +03:00
2015-11-09 02:57:01 +03:00
proxy := NewOAuthProxy ( opts , func ( string ) bool { return true } )
2015-05-10 22:15:52 +03:00
rw := httptest . NewRecorder ( )
req , _ := http . NewRequest ( "GET" , "/robots.txt" , nil )
proxy . ServeHTTP ( rw , req )
assert . Equal ( t , 200 , rw . Code )
assert . Equal ( t , "User-agent: *\nDisallow: /" , rw . Body . String ( ) )
}
2017-10-02 12:19:24 +03:00
func TestIsValidRedirect ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2019-06-23 22:41:23 +03:00
opts . ClientID = "skdlfj"
opts . ClientSecret = "fgkdsgj"
2020-04-12 16:00:59 +03:00
opts . Cookie . Secret = "ljgiogbj"
2017-12-11 12:33:52 +03:00
// Should match domains that are exactly foo.bar and any subdomain of bar.foo
2019-10-23 16:38:44 +03:00
opts . WhitelistDomains = [ ] string {
"foo.bar" ,
".bar.foo" ,
"port.bar:8080" ,
".sub.port.bar:8080" ,
"anyport.bar:*" ,
".sub.anyport.bar:*" ,
}
2020-04-13 15:50:34 +03:00
validation . Validate ( opts )
2017-10-02 12:19:24 +03:00
proxy := NewOAuthProxy ( opts , func ( string ) bool { return true } )
2019-10-23 16:38:44 +03:00
testCases := [ ] struct {
Desc , Redirect string
ExpectedResult bool
} {
{
Desc : "noRD" ,
Redirect : "" ,
ExpectedResult : false ,
} ,
{
Desc : "singleSlash" ,
Redirect : "/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "doubleSlash" ,
Redirect : "//redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "validHTTP" ,
Redirect : "http://foo.bar/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "validHTTPS" ,
Redirect : "https://foo.bar/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "invalidHTTPSubdomain" ,
Redirect : "http://baz.foo.bar/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "invalidHTTPSSubdomain" ,
Redirect : "https://baz.foo.bar/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "validHTTPSubdomain" ,
Redirect : "http://baz.bar.foo/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "validHTTPSSubdomain" ,
Redirect : "https://baz.bar.foo/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "validHTTPDomain" ,
Redirect : "http://bar.foo/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "invalidHTTP1" ,
Redirect : "http://foo.bar.evil.corp/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "invalidHTTPS1" ,
Redirect : "https://foo.bar.evil.corp/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "invalidHTTP2" ,
Redirect : "http://evil.corp/redirect?rd=foo.bar" ,
ExpectedResult : false ,
} ,
{
Desc : "invalidHTTPS2" ,
Redirect : "https://evil.corp/redirect?rd=foo.bar" ,
ExpectedResult : false ,
} ,
{
Desc : "invalidPort" ,
Redirect : "https://evil.corp:3838/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "invalidEmptyPort" ,
Redirect : "http://foo.bar:3838/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "invalidEmptyPortSubdomain" ,
Redirect : "http://baz.bar.foo:3838/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "validSpecificPort" ,
Redirect : "http://port.bar:8080/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "invalidSpecificPort" ,
Redirect : "http://port.bar:3838/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "validSpecificPortSubdomain" ,
Redirect : "http://foo.sub.port.bar:8080/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "invalidSpecificPortSubdomain" ,
Redirect : "http://foo.sub.port.bar:3838/redirect" ,
ExpectedResult : false ,
} ,
{
Desc : "validAnyPort1" ,
Redirect : "http://anyport.bar:8080/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "validAnyPort2" ,
Redirect : "http://anyport.bar:8081/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "validAnyPortSubdomain1" ,
Redirect : "http://a.sub.anyport.bar:8080/redirect" ,
ExpectedResult : true ,
} ,
{
Desc : "validAnyPortSubdomain2" ,
Redirect : "http://a.sub.anyport.bar:8081/redirect" ,
ExpectedResult : true ,
} ,
2020-05-06 14:42:02 +03:00
{
Desc : "openRedirect1" ,
Redirect : "/\\evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectSpace1" ,
Redirect : "/ /evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectSpace2" ,
Redirect : "/ \\evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectTab1" ,
Redirect : "/\t/evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectTab2" ,
Redirect : "/\t\\evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectVerticalTab1" ,
Redirect : "/\v/evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectVerticalTab2" ,
Redirect : "/\v\\evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectNewLine1" ,
Redirect : "/\n/evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectNewLine2" ,
Redirect : "/\n\\evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectCarriageReturn1" ,
Redirect : "/\r/evil.com" ,
ExpectedResult : false ,
} ,
{
Desc : "openRedirectCarriageReturn2" ,
Redirect : "/\r\\evil.com" ,
ExpectedResult : false ,
} ,
2019-10-23 16:38:44 +03:00
}
2019-10-12 23:47:23 +03:00
2019-10-23 16:38:44 +03:00
for _ , tc := range testCases {
t . Run ( tc . Desc , func ( t * testing . T ) {
result := proxy . IsValidRedirect ( tc . Redirect )
2019-10-12 23:47:23 +03:00
2019-10-23 16:38:44 +03:00
if result != tc . ExpectedResult {
t . Errorf ( "expected %t got %t" , tc . ExpectedResult , result )
}
} )
}
2017-10-02 12:19:24 +03:00
}
2015-11-16 06:08:30 +03:00
type TestProvider struct {
* providers . ProviderData
2019-06-21 02:57:20 +03:00
EmailAddress string
ValidToken bool
GroupValidator func ( string ) bool
2015-11-16 06:08:30 +03:00
}
2020-05-05 18:53:33 +03:00
var _ providers . Provider = ( * TestProvider ) ( nil )
2018-11-29 17:26:41 +03:00
func NewTestProvider ( providerURL * url . URL , emailAddress string ) * TestProvider {
2015-11-16 06:08:30 +03:00
return & TestProvider {
ProviderData : & providers . ProviderData {
ProviderName : "Test Provider" ,
LoginURL : & url . URL {
Scheme : "http" ,
2018-11-29 17:26:41 +03:00
Host : providerURL . Host ,
2015-11-16 06:08:30 +03:00
Path : "/oauth/authorize" ,
} ,
RedeemURL : & url . URL {
Scheme : "http" ,
2018-11-29 17:26:41 +03:00
Host : providerURL . Host ,
2015-11-16 06:08:30 +03:00
Path : "/oauth/token" ,
} ,
ProfileURL : & url . URL {
Scheme : "http" ,
2018-11-29 17:26:41 +03:00
Host : providerURL . Host ,
2015-11-16 06:08:30 +03:00
Path : "/api/v1/profile" ,
} ,
Scope : "profile.email" ,
} ,
2018-11-29 17:26:41 +03:00
EmailAddress : emailAddress ,
2019-06-21 02:57:20 +03:00
GroupValidator : func ( s string ) bool {
return true
} ,
2015-11-16 06:08:30 +03:00
}
}
2020-05-05 18:53:33 +03:00
func ( tp * TestProvider ) GetEmailAddress ( ctx context . Context , session * sessions . SessionState ) ( string , error ) {
2015-11-16 06:08:30 +03:00
return tp . EmailAddress , nil
}
2020-05-05 18:53:33 +03:00
func ( tp * TestProvider ) ValidateSessionState ( ctx context . Context , session * sessions . SessionState ) bool {
2015-11-16 06:08:30 +03:00
return tp . ValidToken
}
2015-07-24 12:17:43 +03:00
func TestBasicAuthPassword ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
providerServer := httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
2019-02-10 19:37:45 +03:00
logger . Printf ( "%#v" , r )
2018-11-29 17:26:41 +03:00
var payload string
switch r . URL . Path {
2015-07-24 12:17:43 +03:00
case "/oauth/token" :
payload = ` { "access_token": "my_auth_token"} `
default :
payload = r . Header . Get ( "Authorization" )
if payload == "" {
payload = "No Authorization header found."
}
}
w . WriteHeader ( 200 )
w . Write ( [ ] byte ( payload ) )
} ) )
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2018-11-29 17:26:41 +03:00
opts . Upstreams = append ( opts . Upstreams , providerServer . URL )
2015-07-24 12:17:43 +03:00
// The CookieSecret must be 32 bytes in order to create the AES
// cipher.
2020-04-12 16:00:59 +03:00
opts . Cookie . Secret = "xyzzyplughxyzzyplughxyzzyplughxp"
2019-06-23 22:41:23 +03:00
opts . ClientID = "dlgkj"
opts . ClientSecret = "alkgret"
2020-04-12 16:00:59 +03:00
opts . Cookie . Secure = false
2015-07-24 12:17:43 +03:00
opts . PassBasicAuth = true
2020-04-10 16:41:28 +03:00
opts . SetBasicAuth = true
2016-02-08 18:57:47 +03:00
opts . PassUserHeaders = true
2020-02-29 20:38:32 +03:00
opts . PreferEmailToUser = true
2015-07-24 12:17:43 +03:00
opts . BasicAuthPassword = "This is a secure password"
2020-04-13 15:50:34 +03:00
validation . Validate ( opts )
2015-07-24 12:17:43 +03:00
2018-11-29 17:26:41 +03:00
providerURL , _ := url . Parse ( providerServer . URL )
2019-05-07 12:36:00 +03:00
const emailAddress = "john.doe@example.com"
2015-07-24 12:17:43 +03:00
2020-04-13 15:50:34 +03:00
opts . SetProvider ( NewTestProvider ( providerURL , emailAddress ) )
2015-11-09 02:57:01 +03:00
proxy := NewOAuthProxy ( opts , func ( email string ) bool {
2018-11-29 17:26:41 +03:00
return email == emailAddress
2015-07-24 12:17:43 +03:00
} )
rw := httptest . NewRecorder ( )
2017-03-28 04:14:38 +03:00
req , _ := http . NewRequest ( "GET" , "/oauth2/callback?code=callback_code&state=nonce:" ,
2015-07-24 12:17:43 +03:00
strings . NewReader ( "" ) )
2017-03-28 04:14:38 +03:00
req . AddCookie ( proxy . MakeCSRFCookie ( req , "nonce" , proxy . CookieExpire , time . Now ( ) ) )
2015-07-24 12:17:43 +03:00
proxy . ServeHTTP ( rw , req )
2017-03-28 04:14:38 +03:00
if rw . Code >= 400 {
t . Fatalf ( "expected 3xx got %d" , rw . Code )
}
2020-04-14 11:36:44 +03:00
cookie := rw . Header ( ) . Values ( "Set-Cookie" ) [ 1 ]
2015-07-24 12:17:43 +03:00
cookieName := proxy . CookieName
var value string
2018-11-29 17:26:41 +03:00
keyPrefix := cookieName + "="
2015-07-24 12:17:43 +03:00
for _ , field := range strings . Split ( cookie , "; " ) {
2018-11-29 17:26:41 +03:00
value = strings . TrimPrefix ( field , keyPrefix )
2015-07-24 12:17:43 +03:00
if value != field {
break
} else {
value = ""
}
}
req , _ = http . NewRequest ( "GET" , "/" , strings . NewReader ( "" ) )
req . AddCookie ( & http . Cookie {
Name : cookieName ,
Value : value ,
Path : "/" ,
Expires : time . Now ( ) . Add ( time . Duration ( 24 ) ) ,
HttpOnly : true ,
} )
2017-03-28 04:14:38 +03:00
req . AddCookie ( proxy . MakeCSRFCookie ( req , "nonce" , proxy . CookieExpire , time . Now ( ) ) )
2015-07-24 12:17:43 +03:00
rw = httptest . NewRecorder ( )
proxy . ServeHTTP ( rw , req )
2017-03-28 04:14:38 +03:00
2019-05-09 12:14:01 +03:00
// The username in the basic auth credentials is expected to be equal to the email address from the
// auth response, so we use the same variable here.
2019-05-07 12:36:00 +03:00
expectedHeader := "Basic " + base64 . StdEncoding . EncodeToString ( [ ] byte ( emailAddress + ":" + opts . BasicAuthPassword ) )
2015-07-24 12:17:43 +03:00
assert . Equal ( t , expectedHeader , rw . Body . String ( ) )
2018-11-29 17:26:41 +03:00
providerServer . Close ( )
2015-07-24 12:17:43 +03:00
}
2020-02-29 20:38:32 +03:00
func TestBasicAuthWithEmail ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2020-02-29 20:38:32 +03:00
opts . PassBasicAuth = true
opts . PassUserHeaders = false
opts . PreferEmailToUser = false
opts . BasicAuthPassword = "This is a secure password"
2020-04-13 15:50:34 +03:00
validation . Validate ( opts )
2020-02-29 20:38:32 +03:00
const emailAddress = "john.doe@example.com"
const userName = "9fcab5c9b889a557"
// The username in the basic auth credentials is expected to be equal to the email address from the
expectedEmailHeader := "Basic " + base64 . StdEncoding . EncodeToString ( [ ] byte ( emailAddress + ":" + opts . BasicAuthPassword ) )
expectedUserHeader := "Basic " + base64 . StdEncoding . EncodeToString ( [ ] byte ( userName + ":" + opts . BasicAuthPassword ) )
session := & sessions . SessionState {
User : userName ,
Email : emailAddress ,
AccessToken : "oauth_token" ,
CreatedAt : time . Now ( ) ,
}
{
rw := httptest . NewRecorder ( )
req , _ := http . NewRequest ( "GET" , opts . ProxyPrefix + "/testCase0" , nil )
proxy := NewOAuthProxy ( opts , func ( email string ) bool {
return email == emailAddress
} )
proxy . addHeadersForProxying ( rw , req , session )
assert . Equal ( t , expectedUserHeader , req . Header [ "Authorization" ] [ 0 ] )
assert . Equal ( t , userName , req . Header [ "X-Forwarded-User" ] [ 0 ] )
}
opts . PreferEmailToUser = true
{
rw := httptest . NewRecorder ( )
req , _ := http . NewRequest ( "GET" , opts . ProxyPrefix + "/testCase1" , nil )
proxy := NewOAuthProxy ( opts , func ( email string ) bool {
return email == emailAddress
} )
proxy . addHeadersForProxying ( rw , req , session )
assert . Equal ( t , expectedEmailHeader , req . Header [ "Authorization" ] [ 0 ] )
assert . Equal ( t , emailAddress , req . Header [ "X-Forwarded-User" ] [ 0 ] )
}
2020-03-04 01:27:43 +03:00
}
2020-02-29 20:38:32 +03:00
2020-03-04 01:27:43 +03:00
func TestPassUserHeadersWithEmail ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2020-03-04 01:27:43 +03:00
opts . PassBasicAuth = false
2020-02-29 20:38:32 +03:00
opts . PassUserHeaders = true
2020-03-04 01:27:43 +03:00
opts . PreferEmailToUser = false
2020-04-13 15:50:34 +03:00
validation . Validate ( opts )
2020-03-04 01:27:43 +03:00
const emailAddress = "john.doe@example.com"
const userName = "9fcab5c9b889a557"
session := & sessions . SessionState {
User : userName ,
Email : emailAddress ,
AccessToken : "oauth_token" ,
CreatedAt : time . Now ( ) ,
}
2020-02-29 20:38:32 +03:00
{
rw := httptest . NewRecorder ( )
2020-03-04 01:27:43 +03:00
req , _ := http . NewRequest ( "GET" , opts . ProxyPrefix + "/testCase0" , nil )
2020-02-29 20:38:32 +03:00
proxy := NewOAuthProxy ( opts , func ( email string ) bool {
return email == emailAddress
} )
proxy . addHeadersForProxying ( rw , req , session )
assert . Equal ( t , userName , req . Header [ "X-Forwarded-User" ] [ 0 ] )
}
2020-03-04 01:27:43 +03:00
opts . PreferEmailToUser = true
{
rw := httptest . NewRecorder ( )
req , _ := http . NewRequest ( "GET" , opts . ProxyPrefix + "/testCase1" , nil )
proxy := NewOAuthProxy ( opts , func ( email string ) bool {
return email == emailAddress
} )
proxy . addHeadersForProxying ( rw , req , session )
assert . Equal ( t , emailAddress , req . Header [ "X-Forwarded-User" ] [ 0 ] )
}
2020-02-29 20:38:32 +03:00
}
2015-04-03 03:57:17 +03:00
type PassAccessTokenTest struct {
2018-11-29 17:26:41 +03:00
providerServer * httptest . Server
proxy * OAuthProxy
2020-04-13 15:50:34 +03:00
opts * options . Options
2015-04-03 03:57:17 +03:00
}
type PassAccessTokenTestOptions struct {
PassAccessToken bool
2019-09-19 12:03:38 +03:00
ProxyUpstream string
2015-04-03 03:57:17 +03:00
}
func NewPassAccessTokenTest ( opts PassAccessTokenTestOptions ) * PassAccessTokenTest {
t := & PassAccessTokenTest { }
2018-11-29 17:26:41 +03:00
t . providerServer = httptest . NewServer (
2015-04-03 03:57:17 +03:00
http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
2018-11-29 17:26:41 +03:00
var payload string
switch r . URL . Path {
2015-04-03 03:57:17 +03:00
case "/oauth/token" :
payload = ` { "access_token": "my_auth_token"} `
default :
2015-05-21 06:23:48 +03:00
payload = r . Header . Get ( "X-Forwarded-Access-Token" )
if payload == "" {
2015-04-03 03:57:17 +03:00
payload = "No access token found."
}
}
w . WriteHeader ( 200 )
w . Write ( [ ] byte ( payload ) )
} ) )
2020-04-13 15:50:34 +03:00
t . opts = options . NewOptions ( )
2018-11-29 17:26:41 +03:00
t . opts . Upstreams = append ( t . opts . Upstreams , t . providerServer . URL )
2019-09-19 12:03:38 +03:00
if opts . ProxyUpstream != "" {
t . opts . Upstreams = append ( t . opts . Upstreams , opts . ProxyUpstream )
}
2015-04-03 03:57:17 +03:00
// The CookieSecret must be 32 bytes in order to create the AES
// cipher.
2020-04-12 16:00:59 +03:00
t . opts . Cookie . Secret = "xyzzyplughxyzzyplughxyzzyplughxp"
2019-06-23 22:41:23 +03:00
t . opts . ClientID = "slgkj"
t . opts . ClientSecret = "gfjgojl"
2020-04-12 16:00:59 +03:00
t . opts . Cookie . Secure = false
2015-04-03 03:57:17 +03:00
t . opts . PassAccessToken = opts . PassAccessToken
2020-04-13 15:50:34 +03:00
validation . Validate ( t . opts )
2015-04-03 03:57:17 +03:00
2018-11-29 17:26:41 +03:00
providerURL , _ := url . Parse ( t . providerServer . URL )
const emailAddress = "michael.bland@gsa.gov"
2015-04-03 03:57:17 +03:00
2020-04-13 15:50:34 +03:00
t . opts . SetProvider ( NewTestProvider ( providerURL , emailAddress ) )
2015-11-09 02:57:01 +03:00
t . proxy = NewOAuthProxy ( t . opts , func ( email string ) bool {
2018-11-29 17:26:41 +03:00
return email == emailAddress
2015-04-03 03:57:17 +03:00
} )
return t
}
2018-11-29 17:26:41 +03:00
func ( patTest * PassAccessTokenTest ) Close ( ) {
patTest . providerServer . Close ( )
2015-04-03 03:57:17 +03:00
}
2018-11-29 17:26:41 +03:00
func ( patTest * PassAccessTokenTest ) getCallbackEndpoint ( ) ( httpCode int ,
2015-04-07 04:35:58 +03:00
cookie string ) {
2015-04-03 03:57:17 +03:00
rw := httptest . NewRecorder ( )
2017-03-28 04:14:38 +03:00
req , err := http . NewRequest ( "GET" , "/oauth2/callback?code=callback_code&state=nonce:" ,
2015-04-03 03:57:17 +03:00
strings . NewReader ( "" ) )
if err != nil {
return 0 , ""
}
2018-11-29 17:26:41 +03:00
req . AddCookie ( patTest . proxy . MakeCSRFCookie ( req , "nonce" , time . Hour , time . Now ( ) ) )
patTest . proxy . ServeHTTP ( rw , req )
2020-04-14 11:36:44 +03:00
return rw . Code , rw . Header ( ) . Values ( "Set-Cookie" ) [ 1 ]
2015-04-03 03:57:17 +03:00
}
2019-10-04 16:39:31 +03:00
// getEndpointWithCookie makes a requests againt the oauthproxy with passed requestPath
// and cookie and returns body and status code.
func ( patTest * PassAccessTokenTest ) getEndpointWithCookie ( cookie string , endpoint string ) ( httpCode int , accessToken string ) {
2018-11-29 17:26:41 +03:00
cookieName := patTest . proxy . CookieName
2015-04-03 03:57:17 +03:00
var value string
2018-11-29 17:26:41 +03:00
keyPrefix := cookieName + "="
2015-04-03 03:57:17 +03:00
for _ , field := range strings . Split ( cookie , "; " ) {
2018-11-29 17:26:41 +03:00
value = strings . TrimPrefix ( field , keyPrefix )
2015-04-03 03:57:17 +03:00
if value != field {
break
} else {
value = ""
}
}
if value == "" {
return 0 , ""
}
2019-10-04 16:39:31 +03:00
req , err := http . NewRequest ( "GET" , endpoint , strings . NewReader ( "" ) )
2015-04-03 03:57:17 +03:00
if err != nil {
return 0 , ""
}
req . AddCookie ( & http . Cookie {
2015-06-08 06:52:28 +03:00
Name : cookieName ,
2015-04-03 03:57:17 +03:00
Value : value ,
Path : "/" ,
Expires : time . Now ( ) . Add ( time . Duration ( 24 ) ) ,
HttpOnly : true ,
} )
rw := httptest . NewRecorder ( )
2018-11-29 17:26:41 +03:00
patTest . proxy . ServeHTTP ( rw , req )
2015-04-03 03:57:17 +03:00
return rw . Code , rw . Body . String ( )
}
func TestForwardAccessTokenUpstream ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
patTest := NewPassAccessTokenTest ( PassAccessTokenTestOptions {
2015-04-03 03:57:17 +03:00
PassAccessToken : true ,
} )
2018-11-29 17:26:41 +03:00
defer patTest . Close ( )
2015-04-03 03:57:17 +03:00
// A successful validation will redirect and set the auth cookie.
2018-11-29 17:26:41 +03:00
code , cookie := patTest . getCallbackEndpoint ( )
2017-03-28 04:14:38 +03:00
if code != 302 {
t . Fatalf ( "expected 302; got %d" , code )
}
2015-04-03 03:57:17 +03:00
assert . NotEqual ( t , nil , cookie )
// Now we make a regular request; the access_token from the cookie is
// forwarded as the "X-Forwarded-Access-Token" header. The token is
// read by the test provider server and written in the response body.
2019-10-04 16:39:31 +03:00
code , payload := patTest . getEndpointWithCookie ( cookie , "/" )
2017-03-28 04:14:38 +03:00
if code != 200 {
t . Fatalf ( "expected 200; got %d" , code )
}
2015-04-03 03:57:17 +03:00
assert . Equal ( t , "my_auth_token" , payload )
}
2019-09-19 12:03:38 +03:00
func TestStaticProxyUpstream ( t * testing . T ) {
patTest := NewPassAccessTokenTest ( PassAccessTokenTestOptions {
PassAccessToken : true ,
ProxyUpstream : "static://200/static-proxy" ,
} )
defer patTest . Close ( )
// A successful validation will redirect and set the auth cookie.
code , cookie := patTest . getCallbackEndpoint ( )
if code != 302 {
t . Fatalf ( "expected 302; got %d" , code )
}
assert . NotEqual ( t , nil , cookie )
2020-04-14 11:36:44 +03:00
// Now we make a regular request against the upstream proxy; And validate
2019-10-04 16:39:31 +03:00
// the returned status code through the static proxy.
code , payload := patTest . getEndpointWithCookie ( cookie , "/static-proxy" )
2019-09-19 12:03:38 +03:00
if code != 200 {
t . Fatalf ( "expected 200; got %d" , code )
}
assert . Equal ( t , "Authenticated" , payload )
}
2015-04-03 03:57:17 +03:00
func TestDoNotForwardAccessTokenUpstream ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
patTest := NewPassAccessTokenTest ( PassAccessTokenTestOptions {
2015-04-03 03:57:17 +03:00
PassAccessToken : false ,
} )
2018-11-29 17:26:41 +03:00
defer patTest . Close ( )
2015-04-03 03:57:17 +03:00
// A successful validation will redirect and set the auth cookie.
2018-11-29 17:26:41 +03:00
code , cookie := patTest . getCallbackEndpoint ( )
2017-03-28 04:14:38 +03:00
if code != 302 {
t . Fatalf ( "expected 302; got %d" , code )
}
2015-04-03 03:57:17 +03:00
assert . NotEqual ( t , nil , cookie )
// Now we make a regular request, but the access token header should
// not be present.
2019-10-04 16:39:31 +03:00
code , payload := patTest . getEndpointWithCookie ( cookie , "/" )
2017-03-28 04:14:38 +03:00
if code != 200 {
t . Fatalf ( "expected 200; got %d" , code )
}
2015-04-03 03:57:17 +03:00
assert . Equal ( t , "No access token found." , payload )
}
2015-04-07 05:10:03 +03:00
type SignInPageTest struct {
2020-04-13 15:50:34 +03:00
opts * options . Options
2018-11-29 17:26:41 +03:00
proxy * OAuthProxy
signInRegexp * regexp . Regexp
signInProviderRegexp * regexp . Regexp
2015-04-07 05:10:03 +03:00
}
const signInRedirectPattern = ` <input type="hidden" name="rd" value="(.*)"> `
2017-06-22 01:02:34 +03:00
const signInSkipProvider = ` >Found< `
2015-04-07 05:10:03 +03:00
2017-06-22 01:02:34 +03:00
func NewSignInPageTest ( skipProvider bool ) * SignInPageTest {
2018-11-29 17:26:41 +03:00
var sipTest SignInPageTest
2015-04-07 05:10:03 +03:00
2020-04-13 15:50:34 +03:00
sipTest . opts = options . NewOptions ( )
2020-04-12 16:00:59 +03:00
sipTest . opts . Cookie . Secret = "adklsj2"
2019-06-23 22:41:23 +03:00
sipTest . opts . ClientID = "lkdgj"
sipTest . opts . ClientSecret = "sgiufgoi"
2018-11-29 17:26:41 +03:00
sipTest . opts . SkipProviderButton = skipProvider
2020-04-13 15:50:34 +03:00
validation . Validate ( sipTest . opts )
2015-04-07 05:10:03 +03:00
2018-11-29 17:26:41 +03:00
sipTest . proxy = NewOAuthProxy ( sipTest . opts , func ( email string ) bool {
2015-04-07 05:10:03 +03:00
return true
} )
2018-11-29 17:26:41 +03:00
sipTest . signInRegexp = regexp . MustCompile ( signInRedirectPattern )
sipTest . signInProviderRegexp = regexp . MustCompile ( signInSkipProvider )
2015-04-07 05:10:03 +03:00
2018-11-29 17:26:41 +03:00
return & sipTest
2015-04-07 05:10:03 +03:00
}
2018-11-29 17:26:41 +03:00
func ( sipTest * SignInPageTest ) GetEndpoint ( endpoint string ) ( int , string ) {
2015-04-07 05:10:03 +03:00
rw := httptest . NewRecorder ( )
req , _ := http . NewRequest ( "GET" , endpoint , strings . NewReader ( "" ) )
2018-11-29 17:26:41 +03:00
sipTest . proxy . ServeHTTP ( rw , req )
2015-04-07 05:10:03 +03:00
return rw . Code , rw . Body . String ( )
}
func TestSignInPageIncludesTargetRedirect ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
sipTest := NewSignInPageTest ( false )
2015-04-07 05:10:03 +03:00
const endpoint = "/some/random/endpoint"
2018-11-29 17:26:41 +03:00
code , body := sipTest . GetEndpoint ( endpoint )
2015-04-07 05:10:03 +03:00
assert . Equal ( t , 403 , code )
2018-11-29 17:26:41 +03:00
match := sipTest . signInRegexp . FindStringSubmatch ( body )
2015-04-07 05:10:03 +03:00
if match == nil {
t . Fatal ( "Did not find pattern in body: " +
signInRedirectPattern + "\nBody:\n" + body )
}
if match [ 1 ] != endpoint {
t . Fatal ( ` expected redirect to " ` + endpoint +
` ", but was " ` + match [ 1 ] + ` " ` )
}
}
func TestSignInPageDirectAccessRedirectsToRoot ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
sipTest := NewSignInPageTest ( false )
code , body := sipTest . GetEndpoint ( "/oauth2/sign_in" )
2015-04-07 05:10:03 +03:00
assert . Equal ( t , 200 , code )
2018-11-29 17:26:41 +03:00
match := sipTest . signInRegexp . FindStringSubmatch ( body )
2015-04-07 05:10:03 +03:00
if match == nil {
t . Fatal ( "Did not find pattern in body: " +
signInRedirectPattern + "\nBody:\n" + body )
}
if match [ 1 ] != "/" {
t . Fatal ( ` expected redirect to "/", but was " ` + match [ 1 ] + ` " ` )
}
}
2015-05-08 18:52:03 +03:00
2017-06-22 01:02:34 +03:00
func TestSignInPageSkipProvider ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
sipTest := NewSignInPageTest ( true )
2017-06-22 01:02:34 +03:00
const endpoint = "/some/random/endpoint"
2018-11-29 17:26:41 +03:00
code , body := sipTest . GetEndpoint ( endpoint )
2017-06-22 01:02:34 +03:00
assert . Equal ( t , 302 , code )
2018-11-29 17:26:41 +03:00
match := sipTest . signInProviderRegexp . FindStringSubmatch ( body )
2017-06-22 01:02:34 +03:00
if match == nil {
t . Fatal ( "Did not find pattern in body: " +
signInSkipProvider + "\nBody:\n" + body )
}
}
func TestSignInPageSkipProviderDirect ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
sipTest := NewSignInPageTest ( true )
2017-06-22 01:02:34 +03:00
const endpoint = "/sign_in"
2018-11-29 17:26:41 +03:00
code , body := sipTest . GetEndpoint ( endpoint )
2017-06-22 01:02:34 +03:00
assert . Equal ( t , 302 , code )
2018-11-29 17:26:41 +03:00
match := sipTest . signInProviderRegexp . FindStringSubmatch ( body )
2017-06-22 01:02:34 +03:00
if match == nil {
t . Fatal ( "Did not find pattern in body: " +
signInSkipProvider + "\nBody:\n" + body )
}
}
2015-05-08 18:52:03 +03:00
type ProcessCookieTest struct {
2020-04-13 15:50:34 +03:00
opts * options . Options
2018-11-29 17:26:41 +03:00
proxy * OAuthProxy
rw * httptest . ResponseRecorder
req * http . Request
validateUser bool
2015-05-08 18:52:03 +03:00
}
2015-05-13 04:48:13 +03:00
type ProcessCookieTestOpts struct {
2018-11-29 17:26:41 +03:00
providerValidateCookieResponse bool
2015-05-13 04:48:13 +03:00
}
2020-04-13 15:50:34 +03:00
type OptionsModifier func ( * options . Options )
2019-05-07 18:13:55 +03:00
func NewProcessCookieTest ( opts ProcessCookieTestOpts , modifiers ... OptionsModifier ) * ProcessCookieTest {
2018-11-29 17:26:41 +03:00
var pcTest ProcessCookieTest
2015-05-08 18:52:03 +03:00
2020-04-13 15:50:34 +03:00
pcTest . opts = options . NewOptions ( )
2019-05-07 18:13:55 +03:00
for _ , modifier := range modifiers {
modifier ( pcTest . opts )
}
2019-06-23 22:41:23 +03:00
pcTest . opts . ClientID = "asdfljk"
pcTest . opts . ClientSecret = "lkjfdsig"
2020-05-21 21:29:45 +03:00
pcTest . opts . Cookie . Secret = "0123456789abcdef0123456789abcdef"
2015-05-09 23:08:55 +03:00
// First, set the CookieRefresh option so proxy.AesCipher is created,
// needed to encrypt the access_token.
2020-04-12 16:00:59 +03:00
pcTest . opts . Cookie . Refresh = time . Hour
2020-04-13 15:50:34 +03:00
validation . Validate ( pcTest . opts )
2015-05-08 18:52:03 +03:00
2018-11-29 17:26:41 +03:00
pcTest . proxy = NewOAuthProxy ( pcTest . opts , func ( email string ) bool {
return pcTest . validateUser
2015-05-08 18:52:03 +03:00
} )
2018-11-29 17:26:41 +03:00
pcTest . proxy . provider = & TestProvider {
ValidToken : opts . providerValidateCookieResponse ,
2015-05-13 04:48:13 +03:00
}
2015-05-08 18:52:03 +03:00
2015-05-09 23:08:55 +03:00
// Now, zero-out proxy.CookieRefresh for the cases that don't involve
// access_token validation.
2018-11-29 17:26:41 +03:00
pcTest . proxy . CookieRefresh = time . Duration ( 0 )
pcTest . rw = httptest . NewRecorder ( )
pcTest . req , _ = http . NewRequest ( "GET" , "/" , strings . NewReader ( "" ) )
pcTest . validateUser = true
return & pcTest
2015-05-08 18:52:03 +03:00
}
2015-05-13 04:48:13 +03:00
func NewProcessCookieTestWithDefaults ( ) * ProcessCookieTest {
return NewProcessCookieTest ( ProcessCookieTestOpts {
2018-11-29 17:26:41 +03:00
providerValidateCookieResponse : true ,
2015-05-13 04:48:13 +03:00
} )
2015-05-09 22:09:31 +03:00
}
2019-05-07 18:13:55 +03:00
func NewProcessCookieTestWithOptionsModifiers ( modifiers ... OptionsModifier ) * ProcessCookieTest {
return NewProcessCookieTest ( ProcessCookieTestOpts {
providerValidateCookieResponse : true ,
} , modifiers ... )
}
func ( p * ProcessCookieTest ) SaveSession ( s * sessions . SessionState ) error {
err := p . proxy . SaveSession ( p . rw , p . req , s )
2015-06-23 14:23:39 +03:00
if err != nil {
return err
}
2019-05-07 18:13:55 +03:00
for _ , cookie := range p . rw . Result ( ) . Cookies ( ) {
p . req . AddCookie ( cookie )
2018-01-28 01:48:52 +03:00
}
2015-06-23 14:23:39 +03:00
return nil
2015-05-08 18:52:03 +03:00
}
2019-05-07 18:13:55 +03:00
func ( p * ProcessCookieTest ) LoadCookiedSession ( ) ( * sessions . SessionState , error ) {
2015-06-23 14:23:39 +03:00
return p . proxy . LoadCookiedSession ( p . req )
2015-05-08 18:52:03 +03:00
}
2015-06-23 14:23:39 +03:00
func TestLoadCookiedSession ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
pcTest := NewProcessCookieTestWithDefaults ( )
2015-05-09 22:09:31 +03:00
2019-05-07 18:13:55 +03:00
startSession := & sessions . SessionState { Email : "john.doe@example.com" , AccessToken : "my_access_token" , CreatedAt : time . Now ( ) }
pcTest . SaveSession ( startSession )
2015-06-23 14:23:39 +03:00
2019-05-07 18:13:55 +03:00
session , err := pcTest . LoadCookiedSession ( )
2015-06-23 14:23:39 +03:00
assert . Equal ( t , nil , err )
assert . Equal ( t , startSession . Email , session . Email )
2020-05-12 18:04:51 +03:00
assert . Equal ( t , "" , session . User )
2015-06-23 14:23:39 +03:00
assert . Equal ( t , startSession . AccessToken , session . AccessToken )
2015-05-08 18:52:03 +03:00
}
2015-05-08 17:00:57 +03:00
func TestProcessCookieNoCookieError ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
pcTest := NewProcessCookieTestWithDefaults ( )
2015-05-08 17:00:57 +03:00
2019-05-07 18:13:55 +03:00
session , err := pcTest . LoadCookiedSession ( )
2020-04-14 11:36:44 +03:00
assert . Equal ( t , "cookie \"_oauth2_proxy\" not present" , err . Error ( ) )
2015-06-23 14:23:39 +03:00
if session != nil {
t . Errorf ( "expected nil session. got %#v" , session )
}
2015-05-09 23:31:18 +03:00
}
2015-05-08 17:00:57 +03:00
func TestProcessCookieRefreshNotSet ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
pcTest := NewProcessCookieTestWithOptionsModifiers ( func ( opts * options . Options ) {
2020-04-12 16:00:59 +03:00
opts . Cookie . Expire = time . Duration ( 23 ) * time . Hour
2019-05-07 18:13:55 +03:00
} )
2015-06-22 22:10:08 +03:00
reference := time . Now ( ) . Add ( time . Duration ( - 2 ) * time . Hour )
2015-05-08 17:00:57 +03:00
2019-05-07 18:13:55 +03:00
startSession := & sessions . SessionState { Email : "michael.bland@gsa.gov" , AccessToken : "my_access_token" , CreatedAt : reference }
pcTest . SaveSession ( startSession )
2015-05-09 22:09:31 +03:00
2019-05-07 18:13:55 +03:00
session , err := pcTest . LoadCookiedSession ( )
2015-06-23 14:23:39 +03:00
assert . Equal ( t , nil , err )
2019-05-07 18:13:55 +03:00
if session . Age ( ) < time . Duration ( - 2 ) * time . Hour {
t . Errorf ( "cookie too young %v" , session . Age ( ) )
2015-06-23 14:23:39 +03:00
}
assert . Equal ( t , startSession . Email , session . Email )
2015-05-10 07:11:26 +03:00
}
2015-06-22 22:10:08 +03:00
func TestProcessCookieFailIfCookieExpired ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
pcTest := NewProcessCookieTestWithOptionsModifiers ( func ( opts * options . Options ) {
2020-04-12 16:00:59 +03:00
opts . Cookie . Expire = time . Duration ( 24 ) * time . Hour
2019-05-07 18:13:55 +03:00
} )
2015-06-22 22:10:08 +03:00
reference := time . Now ( ) . Add ( time . Duration ( 25 ) * time . Hour * - 1 )
2019-05-07 18:13:55 +03:00
startSession := & sessions . SessionState { Email : "michael.bland@gsa.gov" , AccessToken : "my_access_token" , CreatedAt : reference }
pcTest . SaveSession ( startSession )
2015-06-22 22:10:08 +03:00
2019-05-07 18:13:55 +03:00
session , err := pcTest . LoadCookiedSession ( )
2015-06-23 14:23:39 +03:00
assert . NotEqual ( t , nil , err )
if session != nil {
t . Errorf ( "expected nil session %#v" , session )
2015-06-22 22:10:08 +03:00
}
}
func TestProcessCookieFailIfRefreshSetAndCookieExpired ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
pcTest := NewProcessCookieTestWithOptionsModifiers ( func ( opts * options . Options ) {
2020-04-12 16:00:59 +03:00
opts . Cookie . Expire = time . Duration ( 24 ) * time . Hour
2019-05-07 18:13:55 +03:00
} )
2015-06-22 22:10:08 +03:00
reference := time . Now ( ) . Add ( time . Duration ( 25 ) * time . Hour * - 1 )
2019-05-07 18:13:55 +03:00
startSession := & sessions . SessionState { Email : "michael.bland@gsa.gov" , AccessToken : "my_access_token" , CreatedAt : reference }
pcTest . SaveSession ( startSession )
2015-06-22 22:10:08 +03:00
2018-11-29 17:26:41 +03:00
pcTest . proxy . CookieRefresh = time . Hour
2019-05-07 18:13:55 +03:00
session , err := pcTest . LoadCookiedSession ( )
2015-06-23 14:23:39 +03:00
assert . NotEqual ( t , nil , err )
if session != nil {
t . Errorf ( "expected nil session %#v" , session )
2015-06-22 22:10:08 +03:00
}
}
2015-10-08 16:27:00 +03:00
2019-11-08 01:38:36 +03:00
func NewUserInfoEndpointTest ( ) * ProcessCookieTest {
pcTest := NewProcessCookieTestWithDefaults ( )
pcTest . req , _ = http . NewRequest ( "GET" ,
pcTest . opts . ProxyPrefix + "/userinfo" , nil )
return pcTest
}
func TestUserInfoEndpointAccepted ( t * testing . T ) {
test := NewUserInfoEndpointTest ( )
startSession := & sessions . SessionState {
Email : "john.doe@example.com" , AccessToken : "my_access_token" }
test . SaveSession ( startSession )
test . proxy . ServeHTTP ( test . rw , test . req )
assert . Equal ( t , http . StatusOK , test . rw . Code )
bodyBytes , _ := ioutil . ReadAll ( test . rw . Body )
assert . Equal ( t , "{\"email\":\"john.doe@example.com\"}\n" , string ( bodyBytes ) )
}
func TestUserInfoEndpointUnauthorizedOnNoCookieSetError ( t * testing . T ) {
test := NewUserInfoEndpointTest ( )
test . proxy . ServeHTTP ( test . rw , test . req )
assert . Equal ( t , http . StatusUnauthorized , test . rw . Code )
}
2019-05-07 18:13:55 +03:00
func NewAuthOnlyEndpointTest ( modifiers ... OptionsModifier ) * ProcessCookieTest {
pcTest := NewProcessCookieTestWithOptionsModifiers ( modifiers ... )
2018-11-29 17:26:41 +03:00
pcTest . req , _ = http . NewRequest ( "GET" ,
pcTest . opts . ProxyPrefix + "/auth" , nil )
return pcTest
2015-10-08 16:27:00 +03:00
}
func TestAuthOnlyEndpointAccepted ( t * testing . T ) {
test := NewAuthOnlyEndpointTest ( )
2019-05-05 15:33:13 +03:00
startSession := & sessions . SessionState {
2019-05-07 18:13:55 +03:00
Email : "michael.bland@gsa.gov" , AccessToken : "my_access_token" , CreatedAt : time . Now ( ) }
test . SaveSession ( startSession )
2015-10-08 16:27:00 +03:00
test . proxy . ServeHTTP ( test . rw , test . req )
assert . Equal ( t , http . StatusAccepted , test . rw . Code )
bodyBytes , _ := ioutil . ReadAll ( test . rw . Body )
assert . Equal ( t , "" , string ( bodyBytes ) )
}
func TestAuthOnlyEndpointUnauthorizedOnNoCookieSetError ( t * testing . T ) {
test := NewAuthOnlyEndpointTest ( )
test . proxy . ServeHTTP ( test . rw , test . req )
assert . Equal ( t , http . StatusUnauthorized , test . rw . Code )
bodyBytes , _ := ioutil . ReadAll ( test . rw . Body )
assert . Equal ( t , "unauthorized request\n" , string ( bodyBytes ) )
}
func TestAuthOnlyEndpointUnauthorizedOnExpiration ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
test := NewAuthOnlyEndpointTest ( func ( opts * options . Options ) {
2020-04-12 16:00:59 +03:00
opts . Cookie . Expire = time . Duration ( 24 ) * time . Hour
2019-05-07 18:13:55 +03:00
} )
2015-10-08 16:27:00 +03:00
reference := time . Now ( ) . Add ( time . Duration ( 25 ) * time . Hour * - 1 )
2019-05-05 15:33:13 +03:00
startSession := & sessions . SessionState {
2019-05-07 18:13:55 +03:00
Email : "michael.bland@gsa.gov" , AccessToken : "my_access_token" , CreatedAt : reference }
test . SaveSession ( startSession )
2015-10-08 16:27:00 +03:00
test . proxy . ServeHTTP ( test . rw , test . req )
assert . Equal ( t , http . StatusUnauthorized , test . rw . Code )
bodyBytes , _ := ioutil . ReadAll ( test . rw . Body )
assert . Equal ( t , "unauthorized request\n" , string ( bodyBytes ) )
}
func TestAuthOnlyEndpointUnauthorizedOnEmailValidationFailure ( t * testing . T ) {
test := NewAuthOnlyEndpointTest ( )
2019-05-05 15:33:13 +03:00
startSession := & sessions . SessionState {
2019-05-07 18:13:55 +03:00
Email : "michael.bland@gsa.gov" , AccessToken : "my_access_token" , CreatedAt : time . Now ( ) }
test . SaveSession ( startSession )
2018-11-29 17:26:41 +03:00
test . validateUser = false
2015-10-08 16:27:00 +03:00
test . proxy . ServeHTTP ( test . rw , test . req )
assert . Equal ( t , http . StatusUnauthorized , test . rw . Code )
bodyBytes , _ := ioutil . ReadAll ( test . rw . Body )
assert . Equal ( t , "unauthorized request\n" , string ( bodyBytes ) )
}
2015-11-16 06:08:30 +03:00
2016-10-20 15:19:59 +03:00
func TestAuthOnlyEndpointSetXAuthRequestHeaders ( t * testing . T ) {
2018-11-29 17:26:41 +03:00
var pcTest ProcessCookieTest
2016-10-20 15:19:59 +03:00
2020-04-13 15:50:34 +03:00
pcTest . opts = options . NewOptions ( )
2018-11-29 17:26:41 +03:00
pcTest . opts . SetXAuthRequest = true
2020-04-13 15:50:34 +03:00
validation . Validate ( pcTest . opts )
2016-10-20 15:19:59 +03:00
2018-11-29 17:26:41 +03:00
pcTest . proxy = NewOAuthProxy ( pcTest . opts , func ( email string ) bool {
return pcTest . validateUser
2016-10-20 15:19:59 +03:00
} )
2018-11-29 17:26:41 +03:00
pcTest . proxy . provider = & TestProvider {
2016-10-20 15:19:59 +03:00
ValidToken : true ,
}
2018-11-29 17:26:41 +03:00
pcTest . validateUser = true
2016-10-20 15:19:59 +03:00
2018-11-29 17:26:41 +03:00
pcTest . rw = httptest . NewRecorder ( )
pcTest . req , _ = http . NewRequest ( "GET" ,
pcTest . opts . ProxyPrefix + "/auth" , nil )
2016-10-20 15:19:59 +03:00
2019-05-05 15:33:13 +03:00
startSession := & sessions . SessionState {
2019-05-07 18:13:55 +03:00
User : "oauth_user" , Email : "oauth_user@example.com" , AccessToken : "oauth_token" , CreatedAt : time . Now ( ) }
pcTest . SaveSession ( startSession )
2016-10-20 15:19:59 +03:00
2018-11-29 17:26:41 +03:00
pcTest . proxy . ServeHTTP ( pcTest . rw , pcTest . req )
assert . Equal ( t , http . StatusAccepted , pcTest . rw . Code )
2020-04-14 11:36:44 +03:00
assert . Equal ( t , "oauth_user" , pcTest . rw . Header ( ) . Get ( "X-Auth-Request-User" ) )
assert . Equal ( t , "oauth_user@example.com" , pcTest . rw . Header ( ) . Get ( "X-Auth-Request-Email" ) )
2016-10-20 15:19:59 +03:00
}
2020-04-10 16:41:28 +03:00
func TestAuthOnlyEndpointSetBasicAuthTrueRequestHeaders ( t * testing . T ) {
var pcTest ProcessCookieTest
2020-04-13 15:50:34 +03:00
pcTest . opts = options . NewOptions ( )
2020-04-10 16:41:28 +03:00
pcTest . opts . SetXAuthRequest = true
pcTest . opts . SetBasicAuth = true
2020-04-13 15:50:34 +03:00
validation . Validate ( pcTest . opts )
2020-04-10 16:41:28 +03:00
pcTest . proxy = NewOAuthProxy ( pcTest . opts , func ( email string ) bool {
return pcTest . validateUser
} )
pcTest . proxy . provider = & TestProvider {
ValidToken : true ,
}
pcTest . validateUser = true
pcTest . rw = httptest . NewRecorder ( )
pcTest . req , _ = http . NewRequest ( "GET" ,
pcTest . opts . ProxyPrefix + "/auth" , nil )
startSession := & sessions . SessionState {
User : "oauth_user" , Email : "oauth_user@example.com" , AccessToken : "oauth_token" , CreatedAt : time . Now ( ) }
pcTest . SaveSession ( startSession )
pcTest . proxy . ServeHTTP ( pcTest . rw , pcTest . req )
assert . Equal ( t , http . StatusAccepted , pcTest . rw . Code )
2020-04-14 11:36:44 +03:00
assert . Equal ( t , "oauth_user" , pcTest . rw . Header ( ) . Values ( "X-Auth-Request-User" ) [ 0 ] )
assert . Equal ( t , "oauth_user@example.com" , pcTest . rw . Header ( ) . Values ( "X-Auth-Request-Email" ) [ 0 ] )
2020-04-10 16:41:28 +03:00
expectedHeader := "Basic " + base64 . StdEncoding . EncodeToString ( [ ] byte ( "oauth_user:" + pcTest . opts . BasicAuthPassword ) )
2020-04-14 11:36:44 +03:00
assert . Equal ( t , expectedHeader , pcTest . rw . Header ( ) . Values ( "Authorization" ) [ 0 ] )
2020-04-10 16:41:28 +03:00
}
func TestAuthOnlyEndpointSetBasicAuthFalseRequestHeaders ( t * testing . T ) {
var pcTest ProcessCookieTest
2020-04-13 15:50:34 +03:00
pcTest . opts = options . NewOptions ( )
2020-04-10 16:41:28 +03:00
pcTest . opts . SetXAuthRequest = true
pcTest . opts . SetBasicAuth = false
2020-04-13 15:50:34 +03:00
validation . Validate ( pcTest . opts )
2020-04-10 16:41:28 +03:00
pcTest . proxy = NewOAuthProxy ( pcTest . opts , func ( email string ) bool {
return pcTest . validateUser
} )
pcTest . proxy . provider = & TestProvider {
ValidToken : true ,
}
pcTest . validateUser = true
pcTest . rw = httptest . NewRecorder ( )
pcTest . req , _ = http . NewRequest ( "GET" ,
pcTest . opts . ProxyPrefix + "/auth" , nil )
startSession := & sessions . SessionState {
User : "oauth_user" , Email : "oauth_user@example.com" , AccessToken : "oauth_token" , CreatedAt : time . Now ( ) }
pcTest . SaveSession ( startSession )
pcTest . proxy . ServeHTTP ( pcTest . rw , pcTest . req )
assert . Equal ( t , http . StatusAccepted , pcTest . rw . Code )
2020-04-14 11:36:44 +03:00
assert . Equal ( t , "oauth_user" , pcTest . rw . Header ( ) . Values ( "X-Auth-Request-User" ) [ 0 ] )
assert . Equal ( t , "oauth_user@example.com" , pcTest . rw . Header ( ) . Values ( "X-Auth-Request-Email" ) [ 0 ] )
assert . Equal ( t , 0 , len ( pcTest . rw . Header ( ) . Values ( "Authorization" ) ) , "should not have Authorization header entries" )
2020-04-10 16:41:28 +03:00
}
2017-04-07 14:55:48 +03:00
func TestAuthSkippedForPreflightRequests ( t * testing . T ) {
upstream := httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . WriteHeader ( 200 )
w . Write ( [ ] byte ( "response" ) )
} ) )
defer upstream . Close ( )
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2017-04-07 14:55:48 +03:00
opts . Upstreams = append ( opts . Upstreams , upstream . URL )
2019-06-23 22:41:23 +03:00
opts . ClientID = "aljsal"
opts . ClientSecret = "jglkfsdgj"
2020-04-12 16:00:59 +03:00
opts . Cookie . Secret = "dkfjgdls"
2017-04-07 14:55:48 +03:00
opts . SkipAuthPreflight = true
2020-04-13 15:50:34 +03:00
validation . Validate ( opts )
2017-04-07 14:55:48 +03:00
2018-11-29 17:26:41 +03:00
upstreamURL , _ := url . Parse ( upstream . URL )
2020-04-13 15:50:34 +03:00
opts . SetProvider ( NewTestProvider ( upstreamURL , "" ) )
2017-04-07 14:55:48 +03:00
proxy := NewOAuthProxy ( opts , func ( string ) bool { return false } )
rw := httptest . NewRecorder ( )
req , _ := http . NewRequest ( "OPTIONS" , "/preflight-request" , nil )
proxy . ServeHTTP ( rw , req )
assert . Equal ( t , 200 , rw . Code )
assert . Equal ( t , "response" , rw . Body . String ( ) )
}
2015-11-16 06:08:30 +03:00
type SignatureAuthenticator struct {
auth hmacauth . HmacAuth
}
2017-03-23 06:18:34 +03:00
func ( v * SignatureAuthenticator ) Authenticate ( w http . ResponseWriter , r * http . Request ) {
2015-11-16 06:08:30 +03:00
result , headerSig , computedSig := v . auth . AuthenticateRequest ( r )
if result == hmacauth . ResultNoSignature {
w . Write ( [ ] byte ( "no signature received" ) )
} else if result == hmacauth . ResultMatch {
w . Write ( [ ] byte ( "signatures match" ) )
} else if result == hmacauth . ResultMismatch {
w . Write ( [ ] byte ( "signatures do not match:" +
"\n received: " + headerSig +
"\n computed: " + computedSig ) )
} else {
panic ( "Unknown result value: " + result . String ( ) )
}
}
type SignatureTest struct {
2020-04-13 15:50:34 +03:00
opts * options . Options
2015-11-16 06:08:30 +03:00
upstream * httptest . Server
2018-11-29 17:26:41 +03:00
upstreamHost string
2015-11-16 06:08:30 +03:00
provider * httptest . Server
header http . Header
rw * httptest . ResponseRecorder
authenticator * SignatureAuthenticator
}
func NewSignatureTest ( ) * SignatureTest {
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2020-04-12 16:00:59 +03:00
opts . Cookie . Secret = "cookie secret"
2015-11-16 06:08:30 +03:00
opts . ClientID = "client ID"
opts . ClientSecret = "client secret"
opts . EmailDomains = [ ] string { "acm.org" }
authenticator := & SignatureAuthenticator { }
upstream := httptest . NewServer (
http . HandlerFunc ( authenticator . Authenticate ) )
2018-11-29 17:26:41 +03:00
upstreamURL , _ := url . Parse ( upstream . URL )
2015-11-16 06:08:30 +03:00
opts . Upstreams = append ( opts . Upstreams , upstream . URL )
providerHandler := func ( w http . ResponseWriter , r * http . Request ) {
w . Write ( [ ] byte ( ` { "access_token": "my_auth_token"} ` ) )
}
provider := httptest . NewServer ( http . HandlerFunc ( providerHandler ) )
2018-11-29 17:26:41 +03:00
providerURL , _ := url . Parse ( provider . URL )
2020-04-13 15:50:34 +03:00
opts . SetProvider ( NewTestProvider ( providerURL , "mbland@acm.org" ) )
2015-11-16 06:08:30 +03:00
return & SignatureTest {
opts ,
upstream ,
2018-11-29 17:26:41 +03:00
upstreamURL . Host ,
2015-11-16 06:08:30 +03:00
provider ,
make ( http . Header ) ,
httptest . NewRecorder ( ) ,
authenticator ,
}
}
func ( st * SignatureTest ) Close ( ) {
st . provider . Close ( )
st . upstream . Close ( )
}
// fakeNetConn simulates an http.Request.Body buffer that will be consumed
// when it is read by the hmacauth.HmacAuth if not handled properly. See:
// https://github.com/18F/hmacauth/pull/4
type fakeNetConn struct {
reqBody string
}
func ( fnc * fakeNetConn ) Read ( p [ ] byte ) ( n int , err error ) {
if bodyLen := len ( fnc . reqBody ) ; bodyLen != 0 {
copy ( p , fnc . reqBody )
fnc . reqBody = ""
return bodyLen , io . EOF
}
return 0 , io . EOF
}
func ( st * SignatureTest ) MakeRequestWithExpectedKey ( method , body , key string ) {
2020-04-13 15:50:34 +03:00
err := validation . Validate ( st . opts )
2015-11-16 06:08:30 +03:00
if err != nil {
panic ( err )
}
proxy := NewOAuthProxy ( st . opts , func ( email string ) bool { return true } )
var bodyBuf io . ReadCloser
if body != "" {
bodyBuf = ioutil . NopCloser ( & fakeNetConn { reqBody : body } )
}
2017-03-23 06:18:34 +03:00
req := httptest . NewRequest ( method , "/foo/bar" , bodyBuf )
2015-11-16 06:08:30 +03:00
req . Header = st . header
2019-05-05 15:33:13 +03:00
state := & sessions . SessionState {
2015-11-16 06:08:30 +03:00
Email : "mbland@acm.org" , AccessToken : "my_access_token" }
2019-05-07 19:01:52 +03:00
err = proxy . SaveSession ( st . rw , req , state )
2015-11-16 06:08:30 +03:00
if err != nil {
panic ( err )
}
2019-05-07 19:01:52 +03:00
for _ , c := range st . rw . Result ( ) . Cookies ( ) {
2018-01-28 01:48:52 +03:00
req . AddCookie ( c )
}
2015-11-16 06:08:30 +03:00
// This is used by the upstream to validate the signature.
st . authenticator . auth = hmacauth . NewHmacAuth (
crypto . SHA1 , [ ] byte ( key ) , SignatureHeader , SignatureHeaders )
proxy . ServeHTTP ( st . rw , req )
}
func TestNoRequestSignature ( t * testing . T ) {
st := NewSignatureTest ( )
defer st . Close ( )
st . MakeRequestWithExpectedKey ( "GET" , "" , "" )
assert . Equal ( t , 200 , st . rw . Code )
assert . Equal ( t , st . rw . Body . String ( ) , "no signature received" )
}
func TestRequestSignatureGetRequest ( t * testing . T ) {
st := NewSignatureTest ( )
defer st . Close ( )
2019-06-23 22:41:23 +03:00
st . opts . SignatureKey = "sha1:7d9e1aa87a5954e6f9fc59266b3af9d7c35fda2d"
st . MakeRequestWithExpectedKey ( "GET" , "" , "7d9e1aa87a5954e6f9fc59266b3af9d7c35fda2d" )
2015-11-16 06:08:30 +03:00
assert . Equal ( t , 200 , st . rw . Code )
assert . Equal ( t , st . rw . Body . String ( ) , "signatures match" )
}
func TestRequestSignaturePostRequest ( t * testing . T ) {
st := NewSignatureTest ( )
defer st . Close ( )
2019-06-23 22:41:23 +03:00
st . opts . SignatureKey = "sha1:d90df39e2d19282840252612dd7c81421a372f61"
2015-11-16 06:08:30 +03:00
payload := ` { "hello": "world!" } `
2019-06-23 22:41:23 +03:00
st . MakeRequestWithExpectedKey ( "POST" , payload , "d90df39e2d19282840252612dd7c81421a372f61" )
2015-11-16 06:08:30 +03:00
assert . Equal ( t , 200 , st . rw . Code )
assert . Equal ( t , st . rw . Body . String ( ) , "signatures match" )
}
2019-01-29 15:13:02 +03:00
func TestGetRedirect ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
options := options . NewOptions ( )
_ = validation . Validate ( options )
2019-01-29 15:13:02 +03:00
require . NotEmpty ( t , options . ProxyPrefix )
proxy := NewOAuthProxy ( options , func ( s string ) bool { return false } )
tests := [ ] struct {
name string
url string
expectedRedirect string
} {
{
name : "request outside of ProxyPrefix redirects to original URL" ,
url : "/foo/bar" ,
expectedRedirect : "/foo/bar" ,
} ,
{
name : "request under ProxyPrefix redirects to root" ,
url : proxy . ProxyPrefix + "/foo/bar" ,
expectedRedirect : "/" ,
} ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
req , _ := http . NewRequest ( "GET" , tt . url , nil )
redirect , err := proxy . GetRedirect ( req )
assert . NoError ( t , err )
assert . Equal ( t , tt . expectedRedirect , redirect )
} )
}
}
2019-01-30 13:13:12 +03:00
type ajaxRequestTest struct {
2020-04-13 15:50:34 +03:00
opts * options . Options
2019-01-30 13:13:12 +03:00
proxy * OAuthProxy
}
func newAjaxRequestTest ( ) * ajaxRequestTest {
test := & ajaxRequestTest { }
2020-04-13 15:50:34 +03:00
test . opts = options . NewOptions ( )
2020-04-12 16:00:59 +03:00
test . opts . Cookie . Secret = "sdflsw"
2019-06-23 22:41:23 +03:00
test . opts . ClientID = "gkljfdl"
test . opts . ClientSecret = "sdflkjs"
2020-04-13 15:50:34 +03:00
validation . Validate ( test . opts )
2019-01-30 13:13:12 +03:00
test . proxy = NewOAuthProxy ( test . opts , func ( email string ) bool {
return true
} )
return test
}
func ( test * ajaxRequestTest ) getEndpoint ( endpoint string , header http . Header ) ( int , http . Header , error ) {
rw := httptest . NewRecorder ( )
req , err := http . NewRequest ( http . MethodGet , endpoint , strings . NewReader ( "" ) )
if err != nil {
return 0 , nil , err
}
req . Header = header
test . proxy . ServeHTTP ( rw , req )
return rw . Code , rw . Header ( ) , nil
}
func testAjaxUnauthorizedRequest ( t * testing . T , header http . Header ) {
test := newAjaxRequestTest ( )
2019-01-31 18:22:30 +03:00
endpoint := "/test"
2019-01-30 13:13:12 +03:00
code , rh , err := test . getEndpoint ( endpoint , header )
assert . NoError ( t , err )
assert . Equal ( t , http . StatusUnauthorized , code )
mime := rh . Get ( "Content-Type" )
2019-01-31 18:22:30 +03:00
assert . Equal ( t , applicationJSON , mime )
2019-01-30 13:13:12 +03:00
}
func TestAjaxUnauthorizedRequest1 ( t * testing . T ) {
header := make ( http . Header )
2019-01-31 18:22:30 +03:00
header . Add ( "accept" , applicationJSON )
2019-01-30 13:13:12 +03:00
testAjaxUnauthorizedRequest ( t , header )
}
func TestAjaxUnauthorizedRequest2 ( t * testing . T ) {
header := make ( http . Header )
2019-01-31 18:22:30 +03:00
header . Add ( "Accept" , applicationJSON )
2019-01-30 13:13:12 +03:00
testAjaxUnauthorizedRequest ( t , header )
}
func TestAjaxForbiddendRequest ( t * testing . T ) {
test := newAjaxRequestTest ( )
2019-01-31 18:22:30 +03:00
endpoint := "/test"
2019-01-30 13:13:12 +03:00
header := make ( http . Header )
code , rh , err := test . getEndpoint ( endpoint , header )
assert . NoError ( t , err )
assert . Equal ( t , http . StatusForbidden , code )
mime := rh . Get ( "Content-Type" )
2019-01-31 18:22:30 +03:00
assert . NotEqual ( t , applicationJSON , mime )
2019-01-30 13:13:12 +03:00
}
2019-03-15 10:18:37 +03:00
func TestClearSplitCookie ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2020-04-12 16:00:59 +03:00
opts . Cookie . Name = "oauth2"
opts . Cookie . Domains = [ ] string { "abc" }
2020-04-12 16:55:30 +03:00
store , err := cookie . NewCookieSessionStore ( & opts . Session , & opts . Cookie )
2019-05-07 18:13:55 +03:00
assert . Equal ( t , err , nil )
2020-04-12 16:00:59 +03:00
p := OAuthProxy { CookieName : opts . Cookie . Name , CookieDomains : opts . Cookie . Domains , sessionStore : store }
2019-03-15 10:18:37 +03:00
var rw = httptest . NewRecorder ( )
req := httptest . NewRequest ( "get" , "/" , nil )
req . AddCookie ( & http . Cookie {
Name : "test1" ,
Value : "test1" ,
} )
req . AddCookie ( & http . Cookie {
Name : "oauth2_0" ,
Value : "oauth2_0" ,
} )
req . AddCookie ( & http . Cookie {
Name : "oauth2_1" ,
Value : "oauth2_1" ,
} )
p . ClearSessionCookie ( rw , req )
header := rw . Header ( )
assert . Equal ( t , 2 , len ( header [ "Set-Cookie" ] ) , "should have 3 set-cookie header entries" )
}
func TestClearSingleCookie ( t * testing . T ) {
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2020-04-12 16:00:59 +03:00
opts . Cookie . Name = "oauth2"
opts . Cookie . Domains = [ ] string { "abc" }
2020-04-12 16:55:30 +03:00
store , err := cookie . NewCookieSessionStore ( & opts . Session , & opts . Cookie )
2019-05-07 18:13:55 +03:00
assert . Equal ( t , err , nil )
2020-04-12 16:00:59 +03:00
p := OAuthProxy { CookieName : opts . Cookie . Name , CookieDomains : opts . Cookie . Domains , sessionStore : store }
2019-03-15 10:18:37 +03:00
var rw = httptest . NewRecorder ( )
req := httptest . NewRequest ( "get" , "/" , nil )
req . AddCookie ( & http . Cookie {
Name : "test1" ,
Value : "test1" ,
} )
req . AddCookie ( & http . Cookie {
Name : "oauth2" ,
Value : "oauth2" ,
} )
p . ClearSessionCookie ( rw , req )
header := rw . Header ( )
assert . Equal ( t , 1 , len ( header [ "Set-Cookie" ] ) , "should have 1 set-cookie header entries" )
}
2019-04-24 18:25:29 +03:00
2019-04-27 05:16:45 +03:00
type NoOpKeySet struct {
}
func ( NoOpKeySet ) VerifySignature ( ctx context . Context , jwt string ) ( payload [ ] byte , err error ) {
splitStrings := strings . Split ( jwt , "." )
payloadString := splitStrings [ 1 ]
2020-04-14 11:36:44 +03:00
return base64 . RawURLEncoding . DecodeString ( payloadString )
2019-04-27 05:16:45 +03:00
}
func TestGetJwtSession ( t * testing . T ) {
/ * token payload :
{
"sub" : "1234567890" ,
"aud" : "https://test.myapp.com" ,
"name" : "John Doe" ,
"email" : "john@example.com" ,
"iss" : "https://issuer.example.com" ,
"iat" : 1553691215 ,
"exp" : 1912151821
}
* /
goodJwt := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." +
"eyJzdWIiOiIxMjM0NTY3ODkwIiwiYXVkIjoiaHR0cHM6Ly90ZXN0Lm15YXBwLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImVtY" +
"WlsIjoiam9obkBleGFtcGxlLmNvbSIsImlzcyI6Imh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwiaWF0IjoxNTUzNjkxMj" +
"E1LCJleHAiOjE5MTIxNTE4MjF9." +
"rLVyzOnEldUq_pNkfa-WiV8TVJYWyZCaM2Am_uo8FGg11zD7l-qmz3x1seTvqpH6Y0Ty00fmv6dJnGnC8WMnPXQiodRTfhBSe" +
"OKZMu0HkMD2sg52zlKkbfLTO6ic5VnbVgwjjrB8am_Ta6w7kyFUaB5C1BsIrrLMldkWEhynbb8"
keyset := NoOpKeySet { }
verifier := oidc . NewVerifier ( "https://issuer.example.com" , keyset ,
& oidc . Config { ClientID : "https://test.myapp.com" , SkipExpiryCheck : true } )
2020-04-13 15:50:34 +03:00
test := NewAuthOnlyEndpointTest ( func ( opts * options . Options ) {
2019-06-21 02:57:20 +03:00
opts . PassAuthorization = true
opts . SetAuthorization = true
opts . SetXAuthRequest = true
opts . SkipJwtBearerTokens = true
2020-04-13 15:50:34 +03:00
opts . SetJWTBearerVerifiers ( append ( opts . GetJWTBearerVerifiers ( ) , verifier ) )
2019-06-21 02:57:20 +03:00
} )
tp , _ := test . proxy . provider . ( * TestProvider )
tp . GroupValidator = func ( s string ) bool {
return true
}
2019-05-01 00:06:11 +03:00
authHeader := fmt . Sprintf ( "Bearer %s" , goodJwt )
2019-06-21 02:57:20 +03:00
test . req . Header = map [ string ] [ ] string {
2019-05-01 00:06:11 +03:00
"Authorization" : { authHeader } ,
2019-04-27 05:16:45 +03:00
}
2019-05-01 00:06:11 +03:00
// Bearer
2019-06-21 02:57:20 +03:00
session , _ := test . proxy . GetJwtSession ( test . req )
2019-06-17 23:11:49 +03:00
assert . Equal ( t , session . User , "john@example.com" )
2019-04-27 05:16:45 +03:00
assert . Equal ( t , session . Email , "john@example.com" )
assert . Equal ( t , session . ExpiresOn , time . Unix ( 1912151821 , 0 ) )
assert . Equal ( t , session . IDToken , goodJwt )
2019-05-01 00:06:11 +03:00
2019-06-21 02:57:20 +03:00
test . proxy . ServeHTTP ( test . rw , test . req )
if test . rw . Code >= 400 {
t . Fatalf ( "expected 3xx got %d" , test . rw . Code )
}
2019-05-01 00:06:11 +03:00
2019-06-21 02:57:20 +03:00
// Check PassAuthorization, should overwrite Basic header
assert . Equal ( t , test . req . Header . Get ( "Authorization" ) , authHeader )
assert . Equal ( t , test . req . Header . Get ( "X-Forwarded-User" ) , "john@example.com" )
assert . Equal ( t , test . req . Header . Get ( "X-Forwarded-Email" ) , "john@example.com" )
2019-05-01 00:06:11 +03:00
2019-06-21 02:57:20 +03:00
// SetAuthorization and SetXAuthRequest
assert . Equal ( t , test . rw . Header ( ) . Get ( "Authorization" ) , authHeader )
assert . Equal ( t , test . rw . Header ( ) . Get ( "X-Auth-Request-User" ) , "john@example.com" )
assert . Equal ( t , test . rw . Header ( ) . Get ( "X-Auth-Request-Email" ) , "john@example.com" )
}
2019-05-01 00:06:11 +03:00
2019-04-24 18:25:29 +03:00
func TestFindJwtBearerToken ( t * testing . T ) {
2020-04-12 14:00:44 +03:00
p := OAuthProxy { CookieName : "oauth2" , CookieDomains : [ ] string { "abc" } }
2019-04-24 18:25:29 +03:00
getReq := & http . Request { URL : & url . URL { Scheme : "http" , Host : "example.com" } }
validToken := "eyJfoobar.eyJfoobar.12345asdf"
var token string
// Bearer
getReq . Header = map [ string ] [ ] string {
"Authorization" : { fmt . Sprintf ( "Bearer %s" , validToken ) } ,
}
token , _ = p . findBearerToken ( getReq )
assert . Equal ( t , validToken , token )
// Basic - no password
getReq . SetBasicAuth ( token , "" )
token , _ = p . findBearerToken ( getReq )
assert . Equal ( t , validToken , token )
// Basic - sentinel password
getReq . SetBasicAuth ( token , "x-oauth-basic" )
token , _ = p . findBearerToken ( getReq )
assert . Equal ( t , validToken , token )
// Basic - any username, password matching jwt pattern
getReq . SetBasicAuth ( "any-username-you-could-wish-for" , token )
token , _ = p . findBearerToken ( getReq )
assert . Equal ( t , validToken , token )
failures := [ ] string {
// Too many parts
"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.dGVzdA.dGVzdA" ,
// Not enough parts
"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA" ,
// Invalid encrypted key
"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.//////.dGVzdA.dGVzdA.dGVzdA" ,
// Invalid IV
"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.//////.dGVzdA.dGVzdA" ,
// Invalid ciphertext
"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.//////.dGVzdA" ,
// Invalid tag
"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.//////" ,
// Invalid header
"W10.dGVzdA.dGVzdA.dGVzdA.dGVzdA" ,
// Invalid header
"######.dGVzdA.dGVzdA.dGVzdA.dGVzdA" ,
// Missing alc/enc params
"e30.dGVzdA.dGVzdA.dGVzdA.dGVzdA" ,
}
for _ , failure := range failures {
getReq . Header = map [ string ] [ ] string {
"Authorization" : { fmt . Sprintf ( "Bearer %s" , failure ) } ,
}
_ , err := p . findBearerToken ( getReq )
assert . Error ( t , err )
}
fmt . Printf ( "%s" , token )
}
2020-04-09 17:39:07 +03:00
func Test_prepareNoCache ( t * testing . T ) {
handler := http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
prepareNoCache ( w )
} )
mux := http . NewServeMux ( )
mux . Handle ( "/" , handler )
rec := httptest . NewRecorder ( )
req := httptest . NewRequest ( http . MethodGet , "/" , nil )
mux . ServeHTTP ( rec , req )
for k , v := range noCacheHeaders {
assert . Equal ( t , rec . Header ( ) . Get ( k ) , v )
}
}
func Test_noCacheHeadersDoesNotExistsInResponseHeadersFromUpstream ( t * testing . T ) {
upstream := httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . Write ( [ ] byte ( "upstream" ) )
} ) )
t . Cleanup ( upstream . Close )
2020-04-13 15:50:34 +03:00
opts := options . NewOptions ( )
2020-04-09 17:39:07 +03:00
opts . Upstreams = [ ] string { upstream . URL }
opts . SkipAuthRegex = [ ] string { ".*" }
2020-04-13 15:50:34 +03:00
_ = validation . Validate ( opts )
2020-04-09 17:39:07 +03:00
proxy := NewOAuthProxy ( opts , func ( email string ) bool {
return true
} )
rec := httptest . NewRecorder ( )
req := httptest . NewRequest ( http . MethodGet , "/upstream" , nil )
proxy . ServeHTTP ( rec , req )
assert . Equal ( t , http . StatusOK , rec . Code )
assert . Equal ( t , "upstream" , rec . Body . String ( ) )
// checking noCacheHeaders does not exists in response headers from upstream
for k := range noCacheHeaders {
assert . Equal ( t , "" , rec . Header ( ) . Get ( k ) )
}
}