add test

2025-06-05 20:32:57 +02:00 · 2025-02-17 16:51:16 -07:00 · 2025-02-17 16:51:16 -07:00 · 84fcf69bc9
commit 84fcf69bc9
parent 2c46e6e6e7
2 changed files with 89 additions and 6 deletions
--- a/config/session.go
+++ b/config/session.go
@ -361,18 +361,18 @@ func (cfg *Config) GetIncomingIDPAccessTokenForPolicy(policy *Policy, r *http.Re
 	if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" {
 		prefix := httputil.AuthorizationTypePomeriumIDPAccessToken + " "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
-			return strings.TrimPrefix(auth, prefix), true
+			return auth[len(prefix):], true
 		}

 		prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPAccessToken + "-"
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
-			return strings.TrimPrefix(auth, prefix), true
+			return auth[len(prefix):], true
 		}

 		prefix = "Bearer "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) &&
 			bearerTokenFormat == BearerTokenFormatIDPAccessToken {
-			return strings.TrimPrefix(auth, prefix), true
+			return auth[len(prefix):], true
 		}
 	}

@ -396,18 +396,18 @@ func (cfg *Config) GetIncomingIDPIdentityTokenForPolicy(policy *Policy, r *http.
 	if auth := r.Header.Get(httputil.HeaderAuthorization); auth != "" {
 		prefix := httputil.AuthorizationTypePomeriumIDPIdentityToken + " "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
-			return strings.TrimPrefix(auth, prefix), true
+			return auth[len(prefix):], true
 		}

 		prefix = "Bearer " + httputil.AuthorizationTypePomeriumIDPIdentityToken + "-"
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) {
-			return strings.TrimPrefix(auth, prefix), true
+			return auth[len(prefix):], true
 		}

 		prefix = "Bearer "
 		if strings.HasPrefix(strings.ToLower(auth), strings.ToLower(prefix)) &&
 			bearerTokenFormat == BearerTokenFormatIDPIdentityToken {
-			return strings.TrimPrefix(auth, prefix), true
+			return auth[len(prefix):], true
 		}
 	}

--- a/config/session_test.go
+++ b/config/session_test.go
@ -179,3 +179,86 @@ func Test_getTokenSessionID(t *testing.T) {
 		Response: &DirectResponse{Status: 204},
 	}, "TOKEN"))
 }
+
+func TestGetIncomingIDPIdentityTokenForPolicy(t *testing.T) {
+	t.Parallel()
+
+	bearerTokenFormatIDPIdentityToken := BearerTokenFormatIDPIdentityToken
+
+	for _, tc := range []struct {
+		name                    string
+		globalBearerTokenFormat *BearerTokenFormat
+		routeBearerTokenFormat  *BearerTokenFormat
+		headers                 http.Header
+		expectedOK              bool
+		expectedToken           string
+	}{
+		{
+			name:       "empty headers",
+			expectedOK: false,
+		},
+		{
+			name:          "custom header",
+			headers:       http.Header{"X-Pomerium-Idp-Identity-Token": {"identity token via custom header"}},
+			expectedOK:    true,
+			expectedToken: "identity token via custom header",
+		},
+		{
+			name:          "custom authorization",
+			headers:       http.Header{"Authorization": {"Pomerium-Idp-Identity-Token identity token via custom authorization"}},
+			expectedOK:    true,
+			expectedToken: "identity token via custom authorization",
+		},
+		{
+			name:          "custom bearer",
+			headers:       http.Header{"Authorization": {"Bearer Pomerium-Idp-Identity-Token-identity token via custom bearer"}},
+			expectedOK:    true,
+			expectedToken: "identity token via custom bearer",
+		},
+		{
+			name:       "bearer disabled",
+			headers:    http.Header{"Authorization": {"Bearer identity token via bearer"}},
+			expectedOK: false,
+		},
+		{
+			name:                    "bearer enabled via options",
+			globalBearerTokenFormat: &bearerTokenFormatIDPIdentityToken,
+			headers:                 http.Header{"Authorization": {"Bearer identity token via bearer"}},
+			expectedOK:              true,
+			expectedToken:           "identity token via bearer",
+		},
+		{
+			name:                   "bearer enabled via route",
+			routeBearerTokenFormat: &bearerTokenFormatIDPIdentityToken,
+			headers:                http.Header{"Authorization": {"Bearer identity token via bearer"}},
+			expectedOK:             true,
+			expectedToken:          "identity token via bearer",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			cfg := &Config{
+				Options: NewDefaultOptions(),
+			}
+			cfg.Options.BearerTokenFormat = tc.globalBearerTokenFormat
+
+			var route *Policy
+			if tc.routeBearerTokenFormat != nil {
+				route = &Policy{
+					BearerTokenFormat: tc.routeBearerTokenFormat,
+				}
+			}
+
+			r, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
+			require.NoError(t, err)
+			if tc.headers != nil {
+				r.Header = tc.headers
+			}
+
+			actualToken, actualOK := cfg.GetIncomingIDPIdentityTokenForPolicy(route, r)
+			assert.Equal(t, tc.expectedOK, actualOK)
+			assert.Equal(t, tc.expectedToken, actualToken)
+		})
+	}
+}