authorize: increase test coverage

- Add test cases for sync functions
 - Add test for valid JWT
 - Add session state to Test_getEvaluatorRequest

authorize/grpc_test.go

@@ -1,16 +1,25 @@
 package authorize
 
 import (
+	"context"
+	"errors"
 	"net/url"
 	"testing"
 
 	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
+	"github.com/golang/protobuf/ptypes"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
 
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/sessions"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 const certPEM = `
@@ -50,29 +59,40 @@ func Test_getEvaluatorRequest(t *testing.T) {
 		}},
 	})
 
-	actual := a.getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{
-		Attributes: &envoy_service_auth_v2.AttributeContext{
-			Source: &envoy_service_auth_v2.AttributeContext_Peer{
-				Certificate: url.QueryEscape(certPEM),
-			},
-			Request: &envoy_service_auth_v2.AttributeContext_Request{
-				Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
-					Id:     "id-1234",
-					Method: "GET",
-					Headers: map[string]string{
-						"accept":            "text/html",
-						"x-forwarded-proto": "https",
+	actual := a.getEvaluatorRequestFromCheckRequest(
+		&envoy_service_auth_v2.CheckRequest{
+			Attributes: &envoy_service_auth_v2.AttributeContext{
+				Source: &envoy_service_auth_v2.AttributeContext_Peer{
+					Certificate: url.QueryEscape(certPEM),
+				},
+				Request: &envoy_service_auth_v2.AttributeContext_Request{
+					Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+						Id:     "id-1234",
+						Method: "GET",
+						Headers: map[string]string{
+							"accept":            "text/html",
+							"x-forwarded-proto": "https",
+						},
+						Path:   "/some/path?qs=1",
+						Host:   "example.com",
+						Scheme: "http",
+						Body:   "BODY",
 					},
-					Path:   "/some/path?qs=1",
-					Host:   "example.com",
-					Scheme: "http",
-					Body:   "BODY",
 				},
 			},
 		},
-	}, nil)
+		&sessions.State{
+			ID:                "SESSION_ID",
+			ImpersonateEmail:  "foo@example.com",
+			ImpersonateGroups: []string{"admin", "test"},
+		},
+	)
 	expect := &evaluator.Request{
-		Session: evaluator.RequestSession{},
+		Session: evaluator.RequestSession{
+			ID:                "SESSION_ID",
+			ImpersonateEmail:  "foo@example.com",
+			ImpersonateGroups: []string{"admin", "test"},
+		},
 		HTTP: evaluator.RequestHTTP{
 			Method: "GET",
 			URL:    "https://example.com/some/path?qs=1",
@@ -254,7 +274,7 @@ func Test_handleForwardAuth(t *testing.T) {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			a := new(Authorize)
-			fau := new(url.URL)
+			var fau *url.URL
 			if tc.forwardAuthURL != "" {
 				fau = mustParseURL(tc.forwardAuthURL)
 			}
@@ -317,6 +337,138 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
 	assert.Equal(t, expect, actual)
 }
 
+func TestSync(t *testing.T) {
+	mockSession := func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
+		data, _ := ptypes.MarshalAny(&session.Session{
+			Id:     in.GetId(),
+			UserId: "user1",
+		})
+		return &databroker.GetResponse{
+			Record: &databroker.Record{
+				Version: "0001",
+				Type:    data.GetTypeUrl(),
+				Id:      in.GetId(),
+				Data:    data,
+			},
+		}, nil
+	}
+	mockUser := func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
+		data, _ := ptypes.MarshalAny(&user.User{Id: in.GetId()})
+		return &databroker.GetResponse{
+			Record: &databroker.Record{
+				Version: "0001",
+				Type:    data.GetTypeUrl(),
+				Id:      in.GetId(),
+				Data:    data,
+			},
+		}, nil
+	}
+
+	mockGetByType := map[string]func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error){
+		"type.googleapis.com/session.Session": mockSession,
+		"type.googleapis.com/user.User":       mockUser,
+	}
+	dbdClient := mockDataBrokerServiceClient{
+		get: func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
+			if in.GetId() == "not-existed-id" {
+				return nil, errors.New("not found")
+			}
+			f, ok := mockGetByType[in.GetType()]
+			if !ok {
+				return nil, errors.New("not found")
+			}
+			return f(ctx, in, opts...)
+		},
+	}
+	o := &config.Options{
+		AuthenticateURL: mustParseURL("https://authN.example.com"),
+		DataBrokerURL:   mustParseURL("https://cache.example.com"),
+		SharedKey:       "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=",
+		Policies:        testPolicies(t),
+	}
+
+	ctx := context.Background()
+
+	tests := []struct {
+		name             string
+		sessionState     *sessions.State
+		databrokerClient mockDataBrokerServiceClient
+		wantErr          bool
+	}{
+		{
+			"good with data in databroker data",
+			&sessions.State{ID: "dbd_session_id"},
+			mockDataBrokerServiceClient{
+				get: func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
+					data, _ := ptypes.MarshalAny(&session.Session{
+						Id:     in.GetId(),
+						UserId: "dbd_user1",
+					})
+					if in.GetType() == "type.googleapis.com/user.User" {
+						data, _ = ptypes.MarshalAny(&user.User{
+							Id: "dbd_user1",
+						})
+					}
+					return &databroker.GetResponse{
+						Record: &databroker.Record{
+							Version: "0001",
+							Type:    data.GetTypeUrl(),
+							Id:      in.GetId(),
+							Data:    data,
+						},
+					}, nil
+				},
+			},
+			false,
+		},
+		{"good", &sessions.State{ID: "SESSION_ID"}, dbdClient, false},
+		{"nil session state", nil, dbdClient, false},
+		{"not found session state", &sessions.State{ID: "not-existed-id"}, dbdClient, true},
+		{
+			"user not found",
+			&sessions.State{ID: "session_with_not_found_user"},
+			mockDataBrokerServiceClient{
+				get: func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
+					if in.GetType() == "type.googleapis.com/user.User" {
+						return nil, errors.New("user not found")
+					}
+					data, _ := ptypes.MarshalAny(&session.Session{
+						Id:     in.GetId(),
+						UserId: "user1",
+					})
+					return &databroker.GetResponse{
+						Record: &databroker.Record{
+							Version: "0001",
+							Type:    data.GetTypeUrl(),
+							Id:      in.GetId(),
+							Data:    data,
+						},
+					}, nil
+				},
+			},
+			false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			a, err := New(o)
+			require.NoError(t, err)
+			a.dataBrokerData = evaluator.DataBrokerData{
+				"type.googleapis.com/session.Session": map[string]interface{}{
+					"dbd_session_id": &session.Session{UserId: "dbd_user1"},
+				},
+				"type.googleapis.com/user.User": map[string]interface{}{
+					"dbd_user1": &user.User{Id: "dbd_user1"},
+				},
+			}
+			a.dataBrokerClient = tc.databrokerClient
+			assert.True(t, (a.forceSync(ctx, tc.sessionState) != nil) == tc.wantErr)
+		})
+	}
+}
 func mustParseURL(str string) *url.URL {
 	u, err := url.Parse(str)
 	if err != nil {
@@ -324,3 +476,13 @@ func mustParseURL(str string) *url.URL {
 	}
 	return u
 }
+
+type mockDataBrokerServiceClient struct {
+	databroker.DataBrokerServiceClient
+
+	get func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error)
+}
+
+func (m mockDataBrokerServiceClient) Get(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
+	return m.get(ctx, in, opts...)
+}