authorize: refactor and add additional unit tests (#757)

* authorize: clean up code, add test * authorize: additional test * authorize: additional test
2025-06-24 13:38:17 +02:00 · 2020-05-22 13:25:59 -06:00 · 2020-05-22 13:25:59 -06:00 · a969f33d88
commit a969f33d88
parent 5c3c020508
4 changed files with 314 additions and 157 deletions
--- a/authorize/grpc_test.go
+++ b/authorize/grpc_test.go
@ -0,0 +1,150 @@
+package authorize
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/pomerium/pomerium/authorize/evaluator"
+	"github.com/pomerium/pomerium/config"
+)
+
+const certPEM = `
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
+BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
+cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
+WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
+TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
+bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q
+5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC
+7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa
+BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF
+BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
+LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz
+cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf
+BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG
+AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t
+L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+
+gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283
+TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq
+0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW
+RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh
+yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
+-----END CERTIFICATE-----`
+
+func Test_getEvaluatorRequest(t *testing.T) {
+	actual := getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{
+		Attributes: &envoy_service_auth_v2.AttributeContext{
+			Source: &envoy_service_auth_v2.AttributeContext_Peer{
+				Certificate: url.QueryEscape(certPEM),
+			},
+			Request: &envoy_service_auth_v2.AttributeContext_Request{
+				Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Id:     "id-1234",
+					Method: "GET",
+					Headers: map[string]string{
+						"accept":            "text/html",
+						"x-forwarded-proto": "https",
+					},
+					Path:   "/some/path?qs=1",
+					Host:   "example.com",
+					Scheme: "http",
+					Body:   "BODY",
+				},
+			},
+		},
+	}, []byte("HELLO WORLD"))
+	expect := &evaluator.Request{
+		User:   "HELLO WORLD",
+		Method: "GET",
+		URL:    "https://example.com/some/path?qs=1",
+		Header: map[string][]string{
+			"Accept":            {"text/html"},
+			"X-Forwarded-Proto": {"https"},
+		},
+		Host:              "example.com",
+		RequestURI:        "https://example.com/some/path?qs=1",
+		ClientCertificate: certPEM,
+	}
+	assert.Equal(t, expect, actual)
+}
+
+func Test_handleForwardAuth(t *testing.T) {
+	checkReq := &envoy_service_auth_v2.CheckRequest{
+		Attributes: &envoy_service_auth_v2.AttributeContext{
+			Source: &envoy_service_auth_v2.AttributeContext_Peer{
+				Certificate: url.QueryEscape(certPEM),
+			},
+			Request: &envoy_service_auth_v2.AttributeContext_Request{
+				Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Method: "GET",
+					Path:   "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"),
+					Host:   "forward-auth.example.com",
+					Scheme: "https",
+				},
+			},
+		},
+	}
+
+	t.Run("enabled", func(t *testing.T) {
+		a := new(Authorize)
+		a.currentOptions.Store(config.Options{
+			ForwardAuthURL: mustParseURL("https://forward-auth.example.com"),
+		})
+		isForwardAuth := a.handleForwardAuth(checkReq)
+		assert.True(t, isForwardAuth)
+		assert.Equal(t, &envoy_service_auth_v2.AttributeContext_HttpRequest{
+			Method: "GET",
+			Path:   "/some/path?qs=1",
+			Host:   "example.com",
+			Scheme: "https",
+		}, checkReq.Attributes.Request.Http)
+	})
+	t.Run("disabled", func(t *testing.T) {
+		a := new(Authorize)
+		a.currentOptions.Store(config.Options{
+			ForwardAuthURL: nil,
+		})
+		isForwardAuth := a.handleForwardAuth(checkReq)
+		assert.False(t, isForwardAuth)
+	})
+}
+
+func Test_refreshSession(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_ = json.NewEncoder(w).Encode(struct {
+			Authorization string
+		}{
+			Authorization: r.Header.Get("Authorization"),
+		})
+	}))
+	defer srv.Close()
+
+	sharedKey := make([]byte, 32)
+	a := new(Authorize)
+	a.currentOptions.Store(config.Options{
+		AuthenticateURL: mustParseURL(srv.URL),
+		SharedKey:       base64.StdEncoding.EncodeToString(sharedKey),
+	})
+
+	newSession, err := a.refreshSession(context.Background(), []byte("ABCD"))
+	assert.NoError(t, err)
+	assert.Equal(t, `{"Authorization":"Pomerium ABCD"}`, strings.TrimSpace(string(newSession)))
+}
+
+func mustParseURL(str string) *url.URL {
+	u, err := url.Parse(str)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}