authorize: add databroker url check (#1228) (#1231)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
github-actions[bot] 2020-08-07 12:58:17 -07:00 committed by GitHub
parent e86989e248
commit 4e1c99c897
4 changed files with 47 additions and 23 deletions


@ -56,6 +56,9 @@ func ValidateOptions(o *config.Options) error {
if o.AuthenticateCallbackPath == "" { if o.AuthenticateCallbackPath == "" {
return errors.New("authenticate: 'AUTHENTICATE_CALLBACK_PATH' is required") return errors.New("authenticate: 'AUTHENTICATE_CALLBACK_PATH' is required")
} }
if err := urlutil.ValidateURL(o.DataBrokerURL); err != nil {
return fmt.Errorf("authenticate: invalid 'DATABROKER_SERVICE_URL': %w", err)
}
return nil return nil
} }
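Review bot: The new `urlutil.ValidateURL(o.DataBrokerURL)` check in authenticate's ValidateOptions gets no test in this commit — of the four changed files, only authorize_test.go gains a "bad cache url" case, so a regression here (for example the check being dropped again) would go unnoticed. Suggest mirroring that table entry in the authenticate test with `DataBrokerURL: &url.URL{}` and an otherwise valid configuration, and asserting that the returned error mentions `DATABROKER_SERVICE_URL` rather than only that an error occurred. ValidateOptions begins before this hunk, so I cannot see whether earlier checks already reject a nil `DataBrokerURL` before this line is reached; if ValidateURL does not guard against a nil pointer itself, an empty-options case is worth adding as well.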


@ -105,10 +105,13 @@ func New(opts *config.Options) (*Authorize, error) {
func validateOptions(o *config.Options) error { func validateOptions(o *config.Options) error {
if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil { if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
return fmt.Errorf("bad shared_secret: %w", err) return fmt.Errorf("authorize: bad 'SHARED_SECRET': %w", err)
} }
if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil { if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
return fmt.Errorf("invalid 'AUTHENTICATE_SERVICE_URL': %w", err) return fmt.Errorf("authorize: invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
}
if err := urlutil.ValidateURL(o.DataBrokerURL); err != nil {
return fmt.Errorf("authorize: invalid 'DATABROKER_SERVICE_URL': %w", err)
} }
return nil return nil
} }
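Review bot: The added `urlutil.ValidateURL(o.DataBrokerURL)` check only establishes that the URL is well-formed, and the cache test in this same commit accepts `&url.URL{Scheme: "http", Host: "example"}` as a good databroker URL, so a plaintext endpoint passes this validation. If that is intentional (local or sidecar deployments where the gRPC link is secured elsewhere), a short comment on the new check would stop the next reader from assuming transport security is enforced here; if it is not, a scheme check belongs alongside it. If there is no doc comment above the signature (the line before the hunk is not visible), consider `// validateOptions rejects options authorize cannot run with: an unusable shared key or a malformed authenticate or databroker URL.` The error-prefix change to `authorize:` on the two existing returns keeps the messages consistent with the new one, which is good.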


@ -1,6 +1,7 @@
package authorize package authorize
import ( import (
"net/url"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -13,31 +14,49 @@ func TestNew(t *testing.T) {
t.Parallel() t.Parallel()
policies := testPolicies(t) policies := testPolicies(t)
tests := []struct { tests := []struct {
name string name string
SharedKey string config config.Options
Policies []config.Policy wantErr bool
wantErr bool
}{ }{
{"good", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", policies, false}, {"good",
{"bad shared secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true}, config.Options{
{"really bad shared secret", "sup", policies, true}, AuthenticateURL: mustParseURL("https://authN.example.com"),
{"validation error, short secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true}, DataBrokerURL: mustParseURL("https://cache.example.com"),
{"empty options", "", []config.Policy{}, true}, // special case SharedKey: "2p/Wi2Q6bYDfzmoSEbKqYKtg+DUoLWTEHHs7vOhvL7w=",
Policies: policies},
false},
{"bad shared secret",
config.Options{
AuthenticateURL: mustParseURL("https://authN.example.com"),
DataBrokerURL: mustParseURL("https://cache.example.com"),
SharedKey: "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==",
Policies: policies}, true},
{"really bad shared secret",
config.Options{
AuthenticateURL: mustParseURL("https://authN.example.com"),
DataBrokerURL: mustParseURL("https://cache.example.com"),
SharedKey: "sup",
Policies: policies}, true},
{"validation error, short secret",
config.Options{
AuthenticateURL: mustParseURL("https://authN.example.com"),
DataBrokerURL: mustParseURL("https://cache.example.com"),
SharedKey: "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==",
Policies: policies}, true},
{"empty options", config.Options{}, true},
{"bad cache url",
config.Options{
AuthenticateURL: mustParseURL("https://authN.example.com"),
DataBrokerURL: &url.URL{},
SharedKey: "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==",
Policies: policies},
true},
} }
for _, tt := range tests { for _, tt := range tests {
tt := tt tt := tt
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
t.Parallel() t.Parallel()
o := &config.Options{ _, err := New(&tt.config)
AuthenticateURL: mustParseURL("https://authN.example.com"),
DataBrokerURL: mustParseURL("https://cache.example.com"),
SharedKey: tt.SharedKey,
Policies: tt.Policies}
if tt.name == "empty options" {
o = &config.Options{}
}
_, err := New(o)
if (err != nil) != tt.wantErr { if (err != nil) != tt.wantErr {
t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr)
return return
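Review bot: The new "bad cache url" table entry (the one with `DataBrokerURL: &url.URL{}`) uses the shared key `AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==`, which the "bad shared secret" case above already expects to be rejected; because validateOptions in this commit checks the shared key before the databroker URL, this case errors for the wrong reason and never exercises the new check. Give it the key the "good" case uses, `SharedKey: "2p/Wi2Q6bYDfzmoSEbKqYKtg+DUoLWTEHHs7vOhvL7w=",` so that only the empty URL can produce the error. With `wantErr` as a bare bool the table still cannot tell which check fired; an expected-error substring column (matching `DATABROKER_SERVICE_URL` for this case) would make the entries self-checking. The "validation error, short secret" entry duplicates "bad shared secret" byte for byte, though that predates this change. TestNew continues past the hunk.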

cache/cache_test.go vendored

@ -23,10 +23,9 @@ func TestNew(t *testing.T) {
opts config.Options opts config.Options
wantErr bool wantErr bool
}{ }{
{"good - autocache", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, false}, {"good", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, false},
{"bad shared secret", config.Options{SharedKey: string([]byte(cryptutil.NewBase64Key())[:31]), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, true}, {"bad shared secret", config.Options{SharedKey: string([]byte(cryptutil.NewBase64Key())[:31]), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, true},
{"bad cache url", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{}}, true}, {"bad cache url", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{}}, true},
{"good - bolt", config.Options{SharedKey: cryptutil.NewBase64Key(), DataBrokerURL: &url.URL{Scheme: "http", Host: "example"}}, false},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {