mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-24 13:38:17 +02:00
envoy: test programmatic api endpoint (#736)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone
GitHub
parent
d2e463e9ef
commit
2275bb8ad4
2 changed files with 157 additions and 105 deletions
|
|
@ -16,6 +16,15 @@ func TestAuthorization(t *testing.T) {
|
|||
ctx, clearTimeout := context.WithTimeout(mainCtx, time.Second*30)
|
||||
defer clearTimeout()
|
||||
|
||||
accessType := []string{"direct", "api"}
|
||||
for _, at := range accessType {
|
||||
t.Run(at, func(t *testing.T) {
|
||||
var withAPI flows.AuthenticateOption
|
||||
|
||||
if at == "api" {
|
||||
withAPI = flows.WithAPI()
|
||||
}
|
||||
|
||||
t.Run("public", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
|
||||
|
|
@ -36,7 +45,7 @@ func TestAuthorization(t *testing.T) {
|
|||
t.Run("allowed", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
|
||||
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
|
||||
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
|
||||
if assert.NoError(t, err) {
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for dogs.test")
|
||||
}
|
||||
|
|
@ -44,7 +53,7 @@ func TestAuthorization(t *testing.T) {
|
|||
t.Run("not allowed", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
|
||||
flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
|
||||
withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
|
||||
if assert.NoError(t, err) {
|
||||
assertDeniedAccess(t, res, "expected Forbidden for cats.test")
|
||||
}
|
||||
|
|
@ -54,7 +63,7 @@ func TestAuthorization(t *testing.T) {
|
|||
t.Run("allowed", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
|
||||
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
|
||||
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"))
|
||||
if assert.NoError(t, err) {
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for bob@dogs.test")
|
||||
}
|
||||
|
|
@ -62,7 +71,7 @@ func TestAuthorization(t *testing.T) {
|
|||
t.Run("not allowed", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-user"),
|
||||
flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
|
||||
withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
|
||||
if assert.NoError(t, err) {
|
||||
assertDeniedAccess(t, res, "expected Forbidden for joe@cats.test")
|
||||
}
|
||||
|
|
@ -72,7 +81,7 @@ func TestAuthorization(t *testing.T) {
|
|||
t.Run("allowed", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
|
||||
flows.WithEmail("bob@dogs.test"), flows.WithGroups("admin", "user"))
|
||||
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("admin", "user"))
|
||||
if assert.NoError(t, err) {
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode, "expected OK for admin")
|
||||
}
|
||||
|
|
@ -80,7 +89,7 @@ func TestAuthorization(t *testing.T) {
|
|||
t.Run("not allowed", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"),
|
||||
flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
|
||||
withAPI, flows.WithEmail("joe@cats.test"), flows.WithGroups("user"))
|
||||
if assert.NoError(t, err) {
|
||||
assertDeniedAccess(t, res, "expected Forbidden for user, but got %d", res.StatusCode)
|
||||
}
|
||||
|
|
@ -90,7 +99,7 @@ func TestAuthorization(t *testing.T) {
|
|||
t.Run("refresh", func(t *testing.T) {
|
||||
client := testcluster.NewHTTPClient()
|
||||
res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain"),
|
||||
flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"), flows.WithTokenExpiration(time.Second))
|
||||
withAPI, flows.WithEmail("bob@dogs.test"), flows.WithGroups("user"), flows.WithTokenExpiration(time.Second))
|
||||
if !assert.NoError(t, err) {
|
||||
return
|
||||
}
|
||||
|
|
@ -126,6 +135,8 @@ func TestAuthorization(t *testing.T) {
|
|||
}
|
||||
}
|
||||
})
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func mustParseURL(str string) *url.URL {
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ package flows
|
|||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
|
|
@ -11,18 +12,21 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/pomerium/pomerium/integration/internal/forms"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
)
|
||||
|
||||
const (
|
||||
authenticateHostname = "authenticate.localhost.pomerium.io"
|
||||
openidHostname = "openid.localhost.pomerium.io"
|
||||
pomeriumCallbackPath = "/.pomerium/callback/"
|
||||
pomeriumAPIPath = "/.pomerium/api/v1/login"
|
||||
)
|
||||
|
||||
type authenticateConfig struct {
|
||||
email string
|
||||
groups []string
|
||||
tokenExpiration time.Duration
|
||||
apiPath string
|
||||
}
|
||||
|
||||
// An AuthenticateOption is an option for authentication.
|
||||
|
|
@ -33,8 +37,10 @@ func getAuthenticateConfig(options ...AuthenticateOption) *authenticateConfig {
|
|||
tokenExpiration: time.Hour * 24,
|
||||
}
|
||||
for _, option := range options {
|
||||
if option != nil {
|
||||
option(cfg)
|
||||
}
|
||||
}
|
||||
return cfg
|
||||
}
|
||||
|
||||
|
|
@ -59,11 +65,46 @@ func WithTokenExpiration(tokenExpiration time.Duration) AuthenticateOption {
|
|||
}
|
||||
}
|
||||
|
||||
// WithAPI tells authentication to use API authentication flow.
|
||||
func WithAPI() AuthenticateOption {
|
||||
return func(cfg *authenticateConfig) {
|
||||
cfg.apiPath = pomeriumAPIPath
|
||||
}
|
||||
}
|
||||
|
||||
// Authenticate submits a request to a URL, expects a redirect to authenticate and then openid and logs in.
|
||||
// Finally it expects to redirect back to the original page.
|
||||
func Authenticate(ctx context.Context, client *http.Client, url *url.URL, options ...AuthenticateOption) (*http.Response, error) {
|
||||
cfg := getAuthenticateConfig(options...)
|
||||
originalHostname := url.Hostname()
|
||||
var err error
|
||||
|
||||
if cfg.apiPath != "" {
|
||||
apiLogin := url
|
||||
q := apiLogin.Query()
|
||||
q.Set(urlutil.QueryRedirectURI, url.String())
|
||||
apiLogin.RawQuery = q.Encode()
|
||||
|
||||
apiLogin.Path = cfg.apiPath
|
||||
req, err := http.NewRequestWithContext(ctx, "GET", apiLogin.String(), nil)
|
||||
req.Header.Set("Accept", "application/json")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
res, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
bodyBytes, err := ioutil.ReadAll(res.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer res.Body.Close()
|
||||
url, err = url.Parse(string(bodyBytes))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, "GET", url.String(), nil)
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue