authorize: add databroker url check (#1228)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-04-29 18:36:30 +02:00 · 2020-08-07 09:31:27 -07:00 · 2020-08-07 09:31:27 -07:00 · 1b365e52f3
commit 1b365e52f3
parent 02edbb7748
4 changed files with 47 additions and 23 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -56,6 +56,9 @@ func ValidateOptions(o *config.Options) error {
 	if o.AuthenticateCallbackPath == "" {
 		return errors.New("authenticate: 'AUTHENTICATE_CALLBACK_PATH' is required")
 	}
+	if err := urlutil.ValidateURL(o.DataBrokerURL); err != nil {
+		return fmt.Errorf("authenticate: invalid 'DATABROKER_SERVICE_URL': %w", err)
+	}
 	return nil
 }

--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -105,10 +105,13 @@ func New(opts *config.Options) (*Authorize, error) {

 func validateOptions(o *config.Options) error {
 	if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
-		return fmt.Errorf("bad shared_secret: %w", err)
+		return fmt.Errorf("authorize: bad 'SHARED_SECRET': %w", err)
 	}
 	if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
-		return fmt.Errorf("invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
+		return fmt.Errorf("authorize: invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
+	}
+	if err := urlutil.ValidateURL(o.DataBrokerURL); err != nil {
+		return fmt.Errorf("authorize: invalid 'DATABROKER_SERVICE_URL': %w", err)
 	}
 	return nil
 }
--- a/authorize/authorize_test.go
+++ b/authorize/authorize_test.go
@ -1,6 +1,7 @@
 package authorize

 import (
+	"net/url"
 	"testing"

 	"github.com/stretchr/testify/assert"
@ -13,31 +14,49 @@ func TestNew(t *testing.T) {
 	t.Parallel()
 	policies := testPolicies(t)
 	tests := []struct {
-		name      string
-		SharedKey string
-		Policies  []config.Policy
-		wantErr   bool
+		name    string
+		config  config.Options
+		wantErr bool
 	}{
-		{"good", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", policies, false},
-		{"bad shared secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true},
-		{"really bad shared secret", "sup", policies, true},
-		{"validation error, short secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true},
-		{"empty options", "", []config.Policy{}, true}, // special case
-
+		{"good",
+			config.Options{
+				AuthenticateURL: mustParseURL("https://authN.example.com"),
+				DataBrokerURL:   mustParseURL("https://cache.example.com"),
+				SharedKey:       "2p/Wi2Q6bYDfzmoSEbKqYKtg+DUoLWTEHHs7vOhvL7w=",
+				Policies:        policies},
+			false},
+		{"bad shared secret",
+			config.Options{
+				AuthenticateURL: mustParseURL("https://authN.example.com"),
+				DataBrokerURL:   mustParseURL("https://cache.example.com"),
+				SharedKey:       "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==",
+				Policies:        policies}, true},
+		{"really bad shared secret",
+			config.Options{
+				AuthenticateURL: mustParseURL("https://authN.example.com"),
+				DataBrokerURL:   mustParseURL("https://cache.example.com"),
+				SharedKey:       "sup",
+				Policies:        policies}, true},
+		{"validation error, short secret",
+			config.Options{
+				AuthenticateURL: mustParseURL("https://authN.example.com"),
+				DataBrokerURL:   mustParseURL("https://cache.example.com"),
+				SharedKey:       "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==",
+				Policies:        policies}, true},
+		{"empty options", config.Options{}, true},
+		{"bad cache url",
+			config.Options{
+				AuthenticateURL: mustParseURL("https://authN.example.com"),
+				DataBrokerURL:   &url.URL{},
+				SharedKey:       "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==",
+				Policies:        policies},
+			true},
 	}
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			o := &config.Options{
-				AuthenticateURL: mustParseURL("https://authN.example.com"),
-				DataBrokerURL:   mustParseURL("https://cache.example.com"),
-				SharedKey:       tt.SharedKey,
-				Policies:        tt.Policies}
-			if tt.name == "empty options" {
-				o = &config.Options{}
-			}
-			_, err := New(o)
+			_, err := New(&tt.config)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr)
 				return
--- a/cache/cache_test.go
+++ b/cache/cache_test.go
@ -23,10 +23,9 @@ func TestNew(t *testing.T) {
 		opts    config.Options
 		wantErr bool
 	}{
-		{"good - autocache", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, false},
+		{"good", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, false},
 		{"bad shared secret", config.Options{SharedKey: string([]byte(cryptutil.NewBase64Key())[:31]), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, true},
 		{"bad cache url", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{}}, true},
-		{"good - bolt", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {