From 351a4490233dd3fcd63cbb27e38c21a745ee1f1b Mon Sep 17 00:00:00 2001 From: Cuong Manh Le Date: Tue, 4 Aug 2020 21:20:30 +0700 Subject: [PATCH] authorize: add test for denied response (#1197) --- authorize/check_response_test.go | 90 +++++++++++++++++++++++++++++++- go.sum | 8 +-- 2 files changed, 91 insertions(+), 7 deletions(-) diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go index 3f005283b..1bbb53295 100644 --- a/authorize/check_response_test.go +++ b/authorize/check_response_test.go @@ -1,6 +1,7 @@ package authorize import ( + "html/template" "net/http" "net/http/httptest" "net/url" @@ -9,12 +10,15 @@ import ( envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" + envoy_type "github.com/envoyproxy/go-control-plane/envoy/type" "github.com/stretchr/testify/assert" "google.golang.org/genproto/googleapis/rpc/status" + "google.golang.org/grpc/codes" "github.com/pomerium/pomerium/authorize/evaluator" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/encoding/jws" + "github.com/pomerium/pomerium/internal/frontend" ) func TestAuthorize_okResponse(t *testing.T) { @@ -141,7 +145,6 @@ func TestAuthorize_okResponse(t *testing.T) { } for _, tc := range tests { - tc := tc t.Run(tc.name, func(t *testing.T) { got := a.okResponse(tc.reply) assert.Equal(t, tc.want.Status.Code, got.Status.Code) 
@@ -150,3 +153,88 @@ func TestAuthorize_okResponse(t *testing.T) {
 })
 }
 }
+
+func TestAuthorize_deniedResponse(t *testing.T) {
+ a := new(Authorize)
+ encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
+ a.currentEncoder.Store(encoder)
+ a.currentOptions.Store(&config.Options{
+ Policies: []config.Policy{{
+ Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
+ SubPolicies: []config.SubPolicy{{
+ Rego: []string{"allow = true"},
+ }},
+ }},
+ })
+ a.templates = template.Must(frontend.NewTemplates())
+
+ tests := []struct {
+ name string
+ in *envoy_service_auth_v2.CheckRequest
+ code int32
+ reason string
+ headers map[string]string
+ want *envoy_service_auth_v2.CheckResponse
+ }{
+ {
+ "html denied",
+ nil,
+ http.StatusBadRequest,
+ "Access Denied",
+ nil,
+ &envoy_service_auth_v2.CheckResponse{
+ Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
+ HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
+ DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
+ Status: &envoy_type.HttpStatus{
+ Code: envoy_type.StatusCode(codes.InvalidArgument),
+ },
+ Headers: []*envoy_api_v2_core.HeaderValueOption{
+ mkHeader("Content-Type", "text/html", false),
+ },
+ Body: "Access Denied",
+ },
+ },
+ },
+ },
+ {
+ "plain text denied",
+ &envoy_service_auth_v2.CheckRequest{
+ Attributes: &envoy_service_auth_v2.AttributeContext{
+ Request: &envoy_service_auth_v2.AttributeContext_Request{
+ Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+ Headers: map[string]string{},
+ },
+ },
+ },
+ },
+ http.StatusBadRequest,
+ "Access Denied",
+ map[string]string{},
+ &envoy_service_auth_v2.CheckResponse{
+ Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
+ HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
+ DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
+ Status: &envoy_type.HttpStatus{
+ Code: envoy_type.StatusCode(codes.InvalidArgument),
+ },
+ Headers: []*envoy_api_v2_core.HeaderValueOption{
+ mkHeader("Content-Type", "text/plain", false),
+ },
+ Body: "Access Denied",
+ },
+ },
+ },
+ },
+ }
+ for _, tc := range tests {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+ got := a.deniedResponse(tc.in, tc.code, tc.reason, tc.headers)
+ assert.Equal(t, tc.want.Status.Code, got.Status.Code)
+ assert.Equal(t, tc.want.Status.Message, got.Status.Message)
+ assert.Equal(t, tc.want.GetDeniedResponse().GetHeaders(), got.GetDeniedResponse().GetHeaders())
+ })
+ }
+}
diff --git a/go.sum b/go.sum
index 4a845affc..2ca112227 100644
--- a/go.sum
+++ b/go.sum
@@ -28,8 +28,6 @@ contrib.go.opencensus.io/exporter/jaeger v0.2.1/go.mod h1:Y8IsLgdxqh1QxYxPC5IgXV
 contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
 contrib.go.opencensus.io/exporter/prometheus v0.2.0 h1:9PUk0/8V0LGoPqVCrf8fQZJkFGBxudu8jOjQSMwoD6w=
 contrib.go.opencensus.io/exporter/prometheus v0.2.0/go.mod h1:TYmVAyE8Tn1lyPcltF5IYYfWp2KHu7lQGIZnj8iZMys=
-contrib.go.opencensus.io/exporter/zipkin v0.1.1 h1:PR+1zWqY8ceXs1qDQQIlgXe+sdiwCf0n32bH4+Epk8g=
-contrib.go.opencensus.io/exporter/zipkin v0.1.1/go.mod h1:GMvdSl3eJ2gapOaLKzTKE3qDgUkJ86k9k3yY2eqwkzc=
 contrib.go.opencensus.io/exporter/zipkin v0.1.2 h1:YqE293IZrKtqPnpwDPH/lOqTWD/s3Iwabycam74JV3g=
 contrib.go.opencensus.io/exporter/zipkin v0.1.2/go.mod h1:mP5xM3rrgOjpn79MM8fZbj3gsxcuytSqtH0dxSWW1RE=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
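Review bot: In TestAuthorize_deniedResponse (authorize/check_response_test.go), both table entries build the expected denied HTTP status from a gRPC code, `envoy_type.StatusCode(codes.InvalidArgument)`, which is the value 3 rather than the HTTP 400 passed in as `http.StatusBadRequest`, and the mismatch goes unnoticed because the subtest never compares that field. For an authorization deny path the HTTP status handed back to the client is part of the contract worth pinning: use `Code: envoy_type.StatusCode_BadRequest,` in both `want` values and add `assert.Equal(t, tc.want.GetDeniedResponse().GetStatus().GetCode(), got.GetDeniedResponse().GetStatus().GetCode())`. This assumes deniedResponse copies its `code` argument into the denied response status, which is not visible in this patch. The error discarded in `encoder, _ := jws.NewHS256Signer(...)` would also be better checked with `assert.NoError(t, err)` so that a failed signer setup cannot silently feed a nil encoder into the test.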
@@ -815,8 +813,7 @@ google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200726014623-da3ae01ef02d h1:HJaAqDnKreMkv+AQyf1Mcw0jEmL9kKBNL07RDJu1N/k=
-google.golang.org/genproto v0.0.0-20200726014623-da3ae01ef02d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200731012542-8145dea6a485 h1:wTk5DQB3+1darAz4Ldomo0r5bUOCKX7gilxQ4sb2kno=
 google.golang.org/genproto v0.0.0-20200731012542-8145dea6a485/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -831,8 +828,7 @@ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.30.0 h1:M5a8xTlYTxwMn5ZFkwhRabsygDY5G8TYLyQDBxJNAxE=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0 h1:T7P4R73V3SSDPhH7WW7ATbfViLtmamH0DKrP3f9AuDI=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=