3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-25 05:58:16 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: test programmatic api endpoint (#736)

Browse source 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone 2020-05-20 08:33:48 -07:00 committed by GitHub
parent d2e463e9ef
commit 2275bb8ad4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 157 additions and 105 deletions
Download patch file Download diff file Expand all files Collapse all files

219
integration/authorization_test.go
View file

@ -16,116 +16,127 @@ func TestAuthorization(t *testing.T) {
ctx, clearTimeout := context.WithTimeout(mainCtx, time.Second*30) ctx, clearTimeout := context.WithTimeout(mainCtx, time.Second*30)
defer clearTimeout() defer clearTimeout()
t.Run("public", func(t *testing.T) { accessType := []string{"direct", "api"}
client := testcluster.NewHTTPClient() for _, at := range accessType {
t.Run(at, func(t *testing.T) {
var withAPI flows.AuthenticateOption
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io", nil) if at == "api" {
if err != nil { withAPI = flows.WithAPI()
t.Fatal(err) }
}
res, err := client.Do(req) t.Run("public", func(t *testing.T) {
if !assert.NoError(t, err, "unexpected http error") { client := testcluster.NewHTTPClient()
return
}
defer res.Body.Close()
assert.Equal(t, http.StatusOK, res.StatusCode, "unexpected status code, headers=%v", res.Header) req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io", nil)
}) if err != nil {
t.Run("domains", func(t *testing.T) { t.Fatal(err)
t.Run("allowed", func(t *testing.T) { }
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"), res, err := client.Do(req)
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user")) if !assert.NoError(t, err, "unexpected http error") {
if assert.NoError(t, err) { return
}
defer res.Body.Close()
assert.Equal(t, http.StatusOK, res.StatusCode, "unexpected status code, headers=%v", res.Header)
})
t.Run("domains", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test")
}
})
t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for cats.test")
}
})
})
t.Run("users", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for bob@dogs.test")
}
})
t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for joe@cats.test")
}
})
})
t.Run("groups", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("admin", "user"))
if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for admin")
}
})
t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for user, but got %d", res.StatusCode)
}
})
})
t.Run("refresh", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"), flows.WithTokenExpiration(time.Second))
if !assert.NoError(t, err) {
return
}
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test") assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test")
} res.Body.Close()
})
t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for cats.test")
}
})
})
t.Run("users", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for bob@dogs.test")
}
})
t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for joe@cats.test")
}
})
})
t.Run("groups", func(t *testing.T) {
t.Run("allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
flows.WithEmail("bob@dogs.test"), flows.WithGroups("admin", "user"))
if assert.NoError(t, err) {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for admin")
}
})
t.Run("not allowed", func(t *testing.T) {
client := testcluster.NewHTTPClient()
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
if assert.NoError(t, err) {
assertDeniedAccess(t, res, "expected Forbidden for user, but got %d", res.StatusCode)
}
})
})
t.Run("refresh", func(t *testing.T) { // poll till we get a new cookie because of a refreshed session
client := testcluster.NewHTTPClient() ticker := time.NewTicker(time.Millisecond * 500)
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"), defer ticker.Stop()
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"), flows.WithTokenExpiration(time.Second)) deadline := time.NewTimer(time.Second * 10)
if !assert.NoError(t, err) { defer deadline.Stop()
return for i := 0; ; i++ {
} select {
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test") case <-ticker.C:
res.Body.Close() case <-deadline.C:
t.Fatal("timed out waiting for refreshed session")
return
case <-ctx.Done():
t.Fatal("timed out waiting for refreshed session")
return
}
// poll till we get a new cookie because of a refreshed session res, err = client.Get(mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain").String())
ticker := time.NewTicker(time.Millisecond * 500) if !assert.NoError(t, err) {
defer ticker.Stop() return
deadline := time.NewTimer(time.Second * 10) }
defer deadline.Stop() res.Body.Close()
for i := 0; ; i++ { if !assert.Equal(t, http.StatusOK, res.StatusCode, "failed after %d times", i+1) {
select { return
case <-ticker.C: }
case <-deadline.C: if res.Header.Get("Set-Cookie") != "" {
t.Fatal("timed out waiting for refreshed session") break
return }
case <-ctx.Done(): }
t.Fatal("timed out waiting for refreshed session") })
return })
} }
res, err = client.Get(mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain").String())
if !assert.NoError(t, err) {
return
}
res.Body.Close()
if !assert.Equal(t, http.StatusOK, res.StatusCode, "failed after %d times", i+1) {
return
}
if res.Header.Get("Set-Cookie") != "" {
break
}
}
})
} }
func mustParseURL(str string) *url.URL { func mustParseURL(str string) *url.URL {

43
integration/internal/flows/flows.go
View file

@ -4,6 +4,7 @@ package flows
import ( import (
"context" "context"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
@ -11,18 +12,21 @@ import (
"time" "time"
"github.com/pomerium/pomerium/integration/internal/forms" "github.com/pomerium/pomerium/integration/internal/forms"
"github.com/pomerium/pomerium/internal/urlutil"
) )
const ( const (
authenticateHostname = "authenticate.localhost.pomerium.io" authenticateHostname = "authenticate.localhost.pomerium.io"
openidHostname = "openid.localhost.pomerium.io" openidHostname = "openid.localhost.pomerium.io"
pomeriumCallbackPath = "/.pomerium/callback/" pomeriumCallbackPath = "/.pomerium/callback/"
pomeriumAPIPath = "/.pomerium/api/v1/login"
) )
type authenticateConfig struct { type authenticateConfig struct {
email string email string
groups []string groups []string
tokenExpiration time.Duration tokenExpiration time.Duration
apiPath string
} }
// An AuthenticateOption is an option for authentication. // An AuthenticateOption is an option for authentication.
@ -33,7 +37,9 @@ func getAuthenticateConfig(options ...AuthenticateOption) *authenticateConfig {
tokenExpiration: time.Hour * 24, tokenExpiration: time.Hour * 24,
} }
for _, option := range options { for _, option := range options {
option(cfg) if option != nil {
option(cfg)
}
} }
return cfg return cfg
} }
@ -59,11 +65,46 @@ func WithTokenExpiration(tokenExpiration time.Duration) AuthenticateOption {
} }
} }
// WithAPI tells authentication to use API authentication flow.
func WithAPI() AuthenticateOption {
return func(cfg *authenticateConfig) {
cfg.apiPath = pomeriumAPIPath
}
}
// Authenticate submits a request to a URL, expects a redirect to authenticate and then openid and logs in. // Authenticate submits a request to a URL, expects a redirect to authenticate and then openid and logs in.
// Finally it expects to redirect back to the original page. // Finally it expects to redirect back to the original page.
func Authenticate(ctx context.Context, client *http.Client, url *url.URL, options ...AuthenticateOption) (*http.Response, error) { func Authenticate(ctx context.Context, client *http.Client, url *url.URL, options ...AuthenticateOption) (*http.Response, error) {
cfg := getAuthenticateConfig(options...) cfg := getAuthenticateConfig(options...)
originalHostname := url.Hostname() originalHostname := url.Hostname()
var err error
if cfg.apiPath != "" {
apiLogin := url
q := apiLogin.Query()
q.Set(urlutil.QueryRedirectURI, url.String())
apiLogin.RawQuery = q.Encode()
apiLogin.Path = cfg.apiPath
req, err := http.NewRequestWithContext(ctx, "GET", apiLogin.String(), nil)
req.Header.Set("Accept", "application/json")
if err != nil {
return nil, err
}
res, err := client.Do(req)
if err != nil {
return nil, err
}
bodyBytes, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
defer res.Body.Close()
url, err = url.Parse(string(bodyBytes))
if err != nil {
return nil, err
}
}
req, err := http.NewRequestWithContext(ctx, "GET", url.String(), nil) req, err := http.NewRequestWithContext(ctx, "GET", url.String(), nil)
if err != nil { if err != nil {