proxy: fix forward auth, request signing

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-05-17 19:17:17 +02:00 · 2019-11-25 14:29:52 -08:00 · 2019-11-25 14:29:52 -08:00 · 0f6a9d7f1d
commit 0f6a9d7f1d
parent ec9607d1d5
32 changed files with 928 additions and 522 deletions
--- a/internal/middleware/middleware_test.go
+++ b/internal/middleware/middleware_test.go
@ -1,7 +1,6 @@
-package middleware // import "github.com/pomerium/pomerium/internal/middleware"
+package middleware

 import (
-	"encoding/base64"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@ -9,47 +8,10 @@ import (
 	"testing"
 	"time"

-	"github.com/pomerium/pomerium/internal/cryptutil"
+	"github.com/google/go-cmp/cmp"
+	"github.com/pomerium/pomerium/internal/urlutil"
 )

-func hmacHelperFunc(rawRedirect string, timestamp time.Time, secret string) []byte {
-	data := []byte(fmt.Sprint(rawRedirect, timestamp.Unix()))
-	return cryptutil.GenerateHMAC(data, secret)
-}
-
-func Test_ValidSignature(t *testing.T) {
-	t.Parallel()
-	goodURL := "https://example.com/redirect"
-	secretA := "41aOD7VNtQ1/KZDCGrkYpaHwB50JC1y6BDs2KPRVd2A="
-	now := fmt.Sprint(time.Now().Unix())
-	rawSig := hmacHelperFunc(goodURL, time.Now(), secretA)
-	sig := base64.URLEncoding.EncodeToString(rawSig)
-	staleTime := fmt.Sprint(time.Now().Add(-6 * time.Minute).Unix())
-
-	tests := []struct {
-		name        string
-		redirectURI string
-		sigVal      string
-		timestamp   string
-		secret      string
-		want        bool
-	}{
-		{"good signature", goodURL, sig, now, secretA, true},
-		{"empty redirect url", "", sig, now, secretA, false},
-		{"bad redirect url", "https://google.com^", sig, now, secretA, false},
-		{"malformed signature", goodURL, sig + "^", now, "&*&@**($&#(", false},
-		{"malformed timestamp", goodURL, sig, now + "^", secretA, false},
-		{"stale timestamp", goodURL, sig, staleTime, secretA, false},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := ValidSignature(tt.redirectURI, tt.sigVal, tt.timestamp, tt.secret); got != tt.want {
-				t.Errorf("ValidSignature() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 func TestSetHeaders(t *testing.T) {
 	tests := []struct {
 		name            string
@ -79,56 +41,6 @@ func TestSetHeaders(t *testing.T) {
 	}
 }

-func TestValidateSignature(t *testing.T) {
-	t.Parallel()
-	secretA := "41aOD7VNtQ1/KZDCGrkYpaHwB50JC1y6BDs2KPRVd2A="
-	now := fmt.Sprint(time.Now().Unix())
-	goodURL := "https://example.com/redirect"
-	rawSig := hmacHelperFunc(goodURL, time.Now(), secretA)
-	sig := base64.URLEncoding.EncodeToString(rawSig)
-	staleTime := fmt.Sprint(time.Now().Add(-6 * time.Minute).Unix())
-
-	tests := []struct {
-		name         string
-		sharedSecret string
-		redirectURI  string
-		sig          string
-		ts           string
-		status       int
-	}{
-		{"valid signature", secretA, goodURL, sig, now, http.StatusOK},
-		{"stale signature", secretA, goodURL, sig, staleTime, http.StatusBadRequest},
-		{"malformed", secretA, goodURL, "%zzzzz", now, http.StatusBadRequest},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			v := url.Values{}
-			v.Set("redirect_uri", tt.redirectURI)
-			v.Set("ts", tt.ts)
-			v.Set("sig", tt.sig)
-
-			req := &http.Request{
-				Method: http.MethodGet,
-				URL:    &url.URL{RawQuery: v.Encode()}}
-			if tt.name == "malformed" {
-				req.URL.RawQuery = "sig=%zzzzz"
-			}
-
-			testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				w.Write([]byte("Hi"))
-			})
-			rr := httptest.NewRecorder()
-			handler := ValidateSignature(tt.sharedSecret)(testHandler)
-			handler.ServeHTTP(rr, req)
-			if rr.Code != tt.status {
-				t.Errorf("Status code differs. got %d want %d", rr.Code, tt.status)
-				t.Errorf("%s", rr.Body)
-			}
-		})
-	}
-}
-
 func TestHealthCheck(t *testing.T) {
 	t.Parallel()
 	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -212,7 +124,6 @@ func TestTimeoutHandlerFunc(t *testing.T) {
 	t.Parallel()
 	fn := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		w.Header().Set("X-Content-Type-Options", "nosniff")
 		fmt.Fprint(w, http.StatusText(http.StatusOK))
 		w.WriteHeader(http.StatusOK)
 	})
@ -242,3 +153,42 @@ func TestTimeoutHandlerFunc(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateSignature(t *testing.T) {
+	t.Parallel()
+	fn := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		fmt.Fprint(w, http.StatusText(http.StatusOK))
+		w.WriteHeader(http.StatusOK)
+	})
+
+	tests := []struct {
+		name       string
+		secretA    string
+		secretB    string
+		wantStatus int
+		wantBody   string
+	}{
+		{"good", "secret", "secret", http.StatusOK, http.StatusText(http.StatusOK)},
+		{"secret mistmatch", "secret", "hunter42", http.StatusBadRequest, "{\"error\":\"invalid signature\"}\n"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			signedURL := urlutil.NewSignedURL(tt.secretB, &url.URL{Scheme: "https", Host: "pomerium.io"})
+
+			r := httptest.NewRequest(http.MethodGet, signedURL.String(), nil)
+			r.Header.Set("Accept", "application/json")
+			w := httptest.NewRecorder()
+			got := ValidateSignature(tt.secretA)(fn)
+			got.ServeHTTP(w, r)
+			if status := w.Code; status != tt.wantStatus {
+				t.Errorf("SignRequest() error = %v, wantErr %v\n%v", w.Result().StatusCode, tt.wantStatus, w.Body.String())
+			}
+			body := w.Body.String()
+			if diff := cmp.Diff(body, tt.wantBody); diff != "" {
+				t.Errorf("SignRequest() %s", diff)
+				t.Errorf("%s", signedURL)
+			}
+		})
+	}
+}