3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-03 19:32:48 +02:00
Code Issues Projects Releases Packages Wiki Activity

add test

Browse source
This commit is contained in:
Caleb Doxsey 2025-02-17 16:51:16 -07:00
parent 2c46e6e6e7
commit 84fcf69bc9
2 changed files with 89 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

12
config/session.go
View file

@ -361,18 +361,18 @@ func (cfg *Config) GetIncomingIDPAccessTokenForPolicy(policy *Policy, r *http.Re
if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" { if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" {
prefix := httputil.AuthorizationTypePomeriumIDPAccessToken + " " prefix := httputil.AuthorizationTypePomeriumIDPAccessToken + " "
if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) { if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
return strings.TrimPrefix(auth, prefix), true return auth[len(prefix):], true
} }
prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPAccessToken + "-" prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPAccessToken + "-"
if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) { if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
return strings.TrimPrefix(auth, prefix), true return auth[len(prefix):], true
} }
prefix = "Bearer " prefix = "Bearer "
if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) && if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) &&
bearerTokenFormat == BearerTokenFormatIDPAccessToken { bearerTokenFormat == BearerTokenFormatIDPAccessToken {
return strings.TrimPrefix(auth, prefix), true return auth[len(prefix):], true
} }
} }
@ -396,18 +396,18 @@ func (cfg *Config) GetIncomingIDPIdentityTokenForPolicy(policy *Policy, r *http.
if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" { if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" {
prefix := httputil.AuthorizationTypePomeriumIDPIdentityToken + " " prefix := httputil.AuthorizationTypePomeriumIDPIdentityToken + " "
if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) { if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
return strings.TrimPrefix(auth, prefix), true return auth[len(prefix):], true
} }
prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPIdentityToken + "-" prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPIdentityToken + "-"
if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) { if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
return strings.TrimPrefix(auth, prefix), true return auth[len(prefix):], true
} }
prefix = "Bearer " prefix = "Bearer "
if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) && if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) &&
bearerTokenFormat == BearerTokenFormatIDPIdentityToken { bearerTokenFormat == BearerTokenFormatIDPIdentityToken {
return strings.TrimPrefix(auth, prefix), true return auth[len(prefix):], true
} }
} }

83
config/session_test.go
View file

@ -179,3 +179,86 @@ func Test_getTokenSessionID(t *testing.T) {
Response: &DirectResponse{Status: 204}, Response: &DirectResponse{Status: 204},
}, "TOKEN")) }, "TOKEN"))
} }
func TestGetIncomingIDPIdentityTokenForPolicy(t *testing.T) {
t.Parallel()
bearerTokenFormatIDPIdentityToken := BearerTokenFormatIDPIdentityToken
for _, tc := range []struct {
name string
globalBearerTokenFormat *BearerTokenFormat
routeBearerTokenFormat *BearerTokenFormat
headers http.Header
expectedOK bool
expectedToken string
}{
{
name: "empty headers",
expectedOK: false,
},
{
name: "custom header",
headers: http.Header{"X-Pomerium-Idp-Identity-Token": {"identity token via custom header"}},
expectedOK: true,
expectedToken: "identity token via custom header",
},
{
name: "custom authorization",
headers: http.Header{"Authorization": {"Pomerium-Idp-Identity-Token identity token via custom authorization"}},
expectedOK: true,
expectedToken: "identity token via custom authorization",
},
{
name: "custom bearer",
headers: http.Header{"Authorization": {"Bearer Pomerium-Idp-Identity-Token-identity token via custom bearer"}},
expectedOK: true,
expectedToken: "identity token via custom bearer",
},
{
name: "bearer disabled",
headers: http.Header{"Authorization": {"Bearer identity token via bearer"}},
expectedOK: false,
},
{
name: "bearer enabled via options",
globalBearerTokenFormat: &bearerTokenFormatIDPIdentityToken,
headers: http.Header{"Authorization": {"Bearer identity token via bearer"}},
expectedOK: true,
expectedToken: "identity token via bearer",
},
{
name: "bearer enabled via route",
routeBearerTokenFormat: &bearerTokenFormatIDPIdentityToken,
headers: http.Header{"Authorization": {"Bearer identity token via bearer"}},
expectedOK: true,
expectedToken: "identity token via bearer",
},
} {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
cfg := &Config{
Options: NewDefaultOptions(),
}
cfg.Options.BearerTokenFormat = tc.globalBearerTokenFormat
var route *Policy
if tc.routeBearerTokenFormat != nil {
route = &Policy{
BearerTokenFormat: tc.routeBearerTokenFormat,
}
}
r, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
require.NoError(t, err)
if tc.headers != nil {
r.Header = tc.headers
}
actualToken, actualOK := cfg.GetIncomingIDPIdentityTokenForPolicy(route, r)
assert.Equal(t, tc.expectedOK, actualOK)
assert.Equal(t, tc.expectedToken, actualToken)
})
}
}