From 2bf83e20d8a36fc46ce444336d341a946759f23c Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Tue, 27 Jun 2023 09:11:54 -0700
Subject: [PATCH] Allow clearing default Azure and Google auth code options (#4315)

Allow users to clear the default IdP auth code options, by explicitly setting an empty idp_request_params map.

To do this in a YAML config file, set:

idp_request_params: {}

---
 config/options_test.go | 22 ++++++++++++++++++
 internal/identity/oidc/azure/microsoft.go | 2 +-
 .../identity/oidc/azure/microsoft_test.go | 23 +++++++++++++++++++
 internal/identity/oidc/google/google.go | 2 +-
 internal/identity/oidc/google/google_test.go | 23 +++++++++++++++++++
 5 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 internal/identity/oidc/azure/microsoft_test.go
 create mode 100644 internal/identity/oidc/google/google_test.go

diff --git a/config/options_test.go b/config/options_test.go
index b52ac0954..4748ab046 100644
--- a/config/options_test.go
+++ b/config/options_test.go
@@ -977,6 +977,28 @@ func TestOptions_GetCSRFSameSite(t *testing.T) {
 }
 }
+func TestOptions_RequestParams(t *testing.T) {
+ cases := []struct {
+ label string
+ config string
+ expected map[string]string
+ }{
+ {"not present", "", nil},
+ {"explicitly empty", "idp_request_params: {}", map[string]string{}},
+ }
+ cfg := filepath.Join(t.TempDir(), "config.yaml")
+ for i := range cases {
+ c := &cases[i]
+ t.Run(c.label, func(t *testing.T) {
+ err := os.WriteFile(cfg, []byte(c.config), 0644)
+ require.NoError(t, err)
+ o, err := newOptionsFromConfig(cfg)
+ require.NoError(t, err)
+ assert.Equal(t, c.expected, o.RequestParams)
+ })
+ }
+}
+
 func encodeCert(cert *tls.Certificate) []byte {
 return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]})
 }
diff --git a/internal/identity/oidc/azure/microsoft.go b/internal/identity/oidc/azure/microsoft.go
index ba01165ae..98496f546 100644
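Review bot: The table at `cases := []struct {` pins only the absent-key (nil) and empty-map outcomes; a third row with a non-empty value, e.g. `{"explicit value", "idp_request_params:\n  prompt: login", map[string]string{"prompt": "login"}},`, would also pin that explicit entries survive parsing unchanged, which is the other half of the contract the provider change relies on. The two sub-tests share one `cfg` path and `os.WriteFile` truncates on each call, so the reuse is correct, but a one-line comment such as `// each case overwrites the same file; WriteFile truncates` saves the next reader from checking. The commit message documents only the YAML-file form; whether the same "explicitly empty" override is reachable through the environment-variable path is not covered here and is presumably a separate concern.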
--- a/internal/identity/oidc/azure/microsoft.go
+++ b/internal/identity/oidc/azure/microsoft.go
@@ -61,7 +61,7 @@ func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
 p.Provider = genericOidc
 p.AuthCodeOptions = defaultAuthCodeOptions
- if len(o.AuthCodeOptions) != 0 {
+ if o.AuthCodeOptions != nil {
 p.AuthCodeOptions = o.AuthCodeOptions
 }
diff --git a/internal/identity/oidc/azure/microsoft_test.go b/internal/identity/oidc/azure/microsoft_test.go
new file mode 100644
index 000000000..efdabafcf
--- /dev/null
+++ b/internal/identity/oidc/azure/microsoft_test.go
@@ -0,0 +1,23 @@
+package azure
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/pomerium/pomerium/internal/identity/oauth"
+)
+
+func TestAuthCodeOptions(t *testing.T) {
+ var options oauth.Options
+ p, err := New(context.Background(), &options)
+ require.NoError(t, err)
+ assert.Equal(t, defaultAuthCodeOptions, p.AuthCodeOptions)
+
+ options.AuthCodeOptions = map[string]string{}
+ p, err = New(context.Background(), &options)
+ require.NoError(t, err)
+ assert.Equal(t, map[string]string{}, p.AuthCodeOptions)
+}
diff --git a/internal/identity/oidc/google/google.go b/internal/identity/oidc/google/google.go
index 1e5f887c6..607a26362 100644
--- a/internal/identity/oidc/google/google.go
+++ b/internal/identity/oidc/google/google.go
@@ -55,7 +55,7 @@ func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
 p.Provider = genericOidc
 p.AuthCodeOptions = defaultAuthCodeOptions
- if len(o.AuthCodeOptions) != 0 {
+ if o.AuthCodeOptions != nil {
 p.AuthCodeOptions = o.AuthCodeOptions
 }
 return &p, nil
diff --git a/internal/identity/oidc/google/google_test.go b/internal/identity/oidc/google/google_test.go
new file mode 100644
index 000000000..4407c94c5
--- /dev/null
+++ b/internal/identity/oidc/google/google_test.go
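Review bot: The new `if o.AuthCodeOptions != nil {` makes the nil-versus-empty distinction load-bearing, which is the opposite of the usual Go `len(m) == 0` emptiness idiom, so that line needs a comment, e.g. `// nil means "not configured": keep the defaults. A non-nil map, even an empty one, is an explicit override and replaces the defaults wholesale.` Any construction path that initialises `AuthCodeOptions` to an empty non-nil map without meaning to override will now silently drop the Azure defaults; the options test in this commit confirms the YAML-file path yields nil when the key is absent, but other paths (environment, programmatic callers) are not visible here and are worth confirming. The override also replaces rather than merges, so setting one custom parameter discards every default; if that is intended the comment should say so, since an operator might reasonably expect a merge. `New`'s body starts and ends outside the hunk.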
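Review bot: `TestAuthCodeOptions` covers the nil and empty-map cases but not a non-empty override, so nothing pins that an explicit map replaces the defaults rather than being merged into them; a third step such as `options.AuthCodeOptions = map[string]string{"prompt": "login"}` followed by `assert.Equal(t, map[string]string{"prompt": "login"}, p.AuthCodeOptions)` would lock that in. The first assertion compares against the package-level `defaultAuthCodeOptions` by contents, so it passes whether `New` hands out the shared map or a copy; a short comment such as `// contents only; New may alias defaultAuthCodeOptions` keeps a reader from assuming isolation the test does not check.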
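Review bot: With `if o.AuthCodeOptions != nil {`, an explicitly empty `idp_request_params` now drops every entry of `defaultAuthCodeOptions` for Google; the contents of that map are not visible in this hunk, but if it carries parameters the login flow depends on (Google typically needs `access_type=offline` to issue a refresh token), clearing it would leave sessions unrefreshable rather than merely changing the consent prompt, and that consequence belongs in the option's documentation. A comment at the changed line would make the semantics explicit, e.g. `// nil = not configured (keep defaults); a non-nil map, even empty, replaces the defaults wholesale.` The override is a full replacement, not a merge, which is worth stating in the same comment. `New`'s closing brace is outside the hunk.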
@@ -0,0 +1,23 @@
+package google
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/pomerium/pomerium/internal/identity/oauth"
+)
+
+func TestAuthCodeOptions(t *testing.T) {
+ var options oauth.Options
+ p, err := New(context.Background(), &options)
+ require.NoError(t, err)
+ assert.Equal(t, defaultAuthCodeOptions, p.AuthCodeOptions)
+
+ options.AuthCodeOptions = map[string]string{}
+ p, err = New(context.Background(), &options)
+ require.NoError(t, err)
+ assert.Equal(t, map[string]string{}, p.AuthCodeOptions)
+}
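Review bot: `TestAuthCodeOptions` asserts only the nil → defaults and empty → empty outcomes; adding a step with a non-empty map, e.g. `options.AuthCodeOptions = map[string]string{"prompt": "login"}` and `assert.Equal(t, map[string]string{"prompt": "login"}, p.AuthCodeOptions)`, would pin that an explicit value replaces rather than merges with the defaults. Since `defaultAuthCodeOptions` is a package-level map and the first assertion compares contents only, a comment such as `// contents only; New may alias defaultAuthCodeOptions` would stop a reader from assuming the provider copies it.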