3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-25 05:58:16 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: test programmatic api endpoint (#736)

Browse source 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone 2020-05-20 08:33:48 -07:00 committed by GitHub
parent d2e463e9ef
commit 2275bb8ad4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 157 additions and 105 deletions
Download patch file Download diff file Expand all files Collapse all files

25
integration/authorization_test.go
View file

@ -16,6 +16,15 @@ func TestAuthorization(t *testing.T) {
ctx, clearTimeout := context.WithTimeout(mainCtx, time.Second*30) ctx, clearTimeout := context.WithTimeout(mainCtx, time.Second*30)
defer clearTimeout() defer clearTimeout()
accessType := []string{"direct", "api"}
for _, at := range accessType {
t.Run(at, func(t *testing.T) {
var withAPI flows.AuthenticateOption
if at == "api" {
withAPI = flows.WithAPI()
}
t.Run("public", func(t *testing.T) { t.Run("public", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
@ -36,7 +45,7 @@ func TestAuthorization(t *testing.T) {
t.Run("allowed", func(t *testing.T) { t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"), res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user")) withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
if assert.NoError(t, err) { if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test") assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test")
} }
@ -44,7 +53,7 @@ func TestAuthorization(t *testing.T) {
t.Run("not allowed", func(t *testing.T) { t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"), res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
flows.WithEmail("joe@cats.test"), flows.WithGroups("user")) withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) { if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for cats.test") assertDeniedAccess(t, res, "expected Forbidden for cats.test")
} }
@ -54,7 +63,7 @@ func TestAuthorization(t *testing.T) {
t.Run("allowed", func(t *testing.T) { t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"), res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user")) withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
if assert.NoError(t, err) { if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for bob@dogs.test") assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for bob@dogs.test")
} }
@ -62,7 +71,7 @@ func TestAuthorization(t *testing.T) {
t.Run("not allowed", func(t *testing.T) { t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"), res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
flows.WithEmail("joe@cats.test"), flows.WithGroups("user")) withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) { if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for joe@cats.test") assertDeniedAccess(t, res, "expected Forbidden for joe@cats.test")
} }
@ -72,7 +81,7 @@ func TestAuthorization(t *testing.T) {
t.Run("allowed", func(t *testing.T) { t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"), res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
flows.WithEmail("bob@dogs.test"), flows.WithGroups("admin", "user")) withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("admin", "user"))
if assert.NoError(t, err) { if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for admin") assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for admin")
} }
@ -80,7 +89,7 @@ func TestAuthorization(t *testing.T) {
t.Run("not allowed", func(t *testing.T) { t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"), res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
flows.WithEmail("joe@cats.test"), flows.WithGroups("user")) withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) { if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for user, but got %d", res.StatusCode) assertDeniedAccess(t, res, "expected Forbidden for user, but got %d", res.StatusCode)
} }
@ -90,7 +99,7 @@ func TestAuthorization(t *testing.T) {
t.Run("refresh", func(t *testing.T) { t.Run("refresh", func(t *testing.T) {
client := testcluster.NewHTTPClient() client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"), res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"), flows.WithTokenExpiration(time.Second)) withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"), flows.WithTokenExpiration(time.Second))
if !assert.NoError(t, err) { if !assert.NoError(t, err) {
return return
} }
@ -126,6 +135,8 @@ func TestAuthorization(t *testing.T) {
} }
} }
}) })
})
}
} }
func mustParseURL(str string) *url.URL { func mustParseURL(str string) *url.URL {

41
integration/internal/flows/flows.go
View file

@ -4,6 +4,7 @@ package flows
import ( import (
"context" "context"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
@ -11,18 +12,21 @@ import (
"time" "time"
"github.com/pomerium/pomerium/integration/internal/forms" "github.com/pomerium/pomerium/integration/internal/forms"
"github.com/pomerium/pomerium/internal/urlutil"
) )
const ( const (
authenticateHostname = "authenticate.localhost.pomerium.io" authenticateHostname = "authenticate.localhost.pomerium.io"
openidHostname = "openid.localhost.pomerium.io" openidHostname = "openid.localhost.pomerium.io"
pomeriumCallbackPath = "/.pomerium/callback/" pomeriumCallbackPath = "/.pomerium/callback/"
pomeriumAPIPath = "/.pomerium/api/v1/login"
) )
type authenticateConfig struct { type authenticateConfig struct {
email string email string
groups []string groups []string
tokenExpiration time.Duration tokenExpiration time.Duration
apiPath string
} }
// An AuthenticateOption is an option for authentication. // An AuthenticateOption is an option for authentication.
@ -33,8 +37,10 @@ func getAuthenticateConfig(options ...AuthenticateOption) *authenticateConfig {
tokenExpiration: time.Hour * 24, tokenExpiration: time.Hour * 24,
} }
for _, option := range options { for _, option := range options {
if option != nil {
option(cfg) option(cfg)
} }
}
return cfg return cfg
} }
@ -59,11 +65,46 @@ func WithTokenExpiration(tokenExpiration time.Duration) AuthenticateOption {
} }
} }
// WithAPI tells authentication to use API authentication flow.
func WithAPI() AuthenticateOption {
return func(cfg *authenticateConfig) {
cfg.apiPath = pomeriumAPIPath
}
}
// Authenticate submits a request to a URL, expects a redirect to authenticate and then openid and logs in. // Authenticate submits a request to a URL, expects a redirect to authenticate and then openid and logs in.
// Finally it expects to redirect back to the original page. // Finally it expects to redirect back to the original page.
func Authenticate(ctx context.Context, client *http.Client, url *url.URL, options ...AuthenticateOption) (*http.Response, error) { func Authenticate(ctx context.Context, client *http.Client, url *url.URL, options ...AuthenticateOption) (*http.Response, error) {
cfg := getAuthenticateConfig(options...) cfg := getAuthenticateConfig(options...)
originalHostname := url.Hostname() originalHostname := url.Hostname()
var err error
if cfg.apiPath != "" {
apiLogin := url
q := apiLogin.Query()
q.Set(urlutil.QueryRedirectURI, url.String())
apiLogin.RawQuery = q.Encode()
apiLogin.Path = cfg.apiPath
req, err := http.NewRequestWithContext(ctx, "GET", apiLogin.String(), nil)
req.Header.Set("Accept", "application/json")
if err != nil {
return nil, err
}
res, err := client.Do(req)
if err != nil {
return nil, err
}
bodyBytes, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
defer res.Body.Close()
url, err = url.Parse(string(bodyBytes))
if err != nil {
return nil, err
}
}
req, err := http.NewRequestWithContext(ctx, "GET", url.String(), nil) req, err := http.NewRequestWithContext(ctx, "GET", url.String(), nil)
if err != nil { if err != nil {