feature/databroker: user data and session refactor project (#926)

* databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)
2025-07-24 12:08:19 +02:00 · 2020-06-19 07:52:44 -06:00 · 2020-06-19 07:52:44 -06:00 · dbd7f55b20
commit dbd7f55b20
parent 39cdb31170
115 changed files with 8479 additions and 3584 deletions
--- a/internal/directory/azure/azure_test.go
+++ b/internal/directory/azure/azure_test.go
@ -0,0 +1,112 @@
+package azure
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/middleware"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/pomerium/pomerium/internal/grpc/directory"
+)
+
+type M = map[string]interface{}
+
+func newMockAPI(t *testing.T, srv *httptest.Server) http.Handler {
+	r := chi.NewRouter()
+	r.Use(middleware.Logger)
+	r.Post("/DIRECTORY_ID/oauth2/v2.0/token", func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, "CLIENT_ID", r.FormValue("client_id"))
+		assert.Equal(t, "CLIENT_SECRET", r.FormValue("client_secret"))
+		assert.Equal(t, defaultLoginScope, r.FormValue("scope"))
+		assert.Equal(t, defaultLoginGrantType, r.FormValue("grant_type"))
+
+		_ = json.NewEncoder(w).Encode(M{
+			"access_token":  "ACCESSTOKEN",
+			"token_type":    "Bearer",
+			"refresh_token": "REFRESHTOKEN",
+		})
+	})
+	r.Route("/v1.0", func(r chi.Router) {
+		r.Use(func(next http.Handler) http.Handler {
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if r.Header.Get("Authorization") != "Bearer ACCESSTOKEN" {
+					http.Error(w, "forbidden", http.StatusForbidden)
+					return
+				}
+				next.ServeHTTP(w, r)
+			})
+		})
+		r.Get("/groups", func(w http.ResponseWriter, r *http.Request) {
+			_ = json.NewEncoder(w).Encode(M{
+				"value": []M{
+					{"id": "admin"},
+					{"id": "test"},
+				},
+			})
+		})
+		r.Get("/groups/{group_name}/members", func(w http.ResponseWriter, r *http.Request) {
+			members := map[string][]M{
+				"admin": {
+					{"id": "user-1"},
+				},
+				"test": {
+					{"id": "user-2"},
+					{"id": "user-3"},
+				},
+			}
+			_ = json.NewEncoder(w).Encode(M{
+				"value": members[chi.URLParam(r, "group_name")],
+			})
+		})
+	})
+	return r
+}
+
+func Test(t *testing.T) {
+	var mockAPI http.Handler
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mockAPI.ServeHTTP(w, r)
+	}))
+	defer srv.Close()
+	mockAPI = newMockAPI(t, srv)
+
+	p := New(
+		WithGraphURL(mustParseURL(srv.URL)),
+		WithLoginURL(mustParseURL(srv.URL)),
+		WithServiceAccount(&ServiceAccount{
+			ClientID:     "CLIENT_ID",
+			ClientSecret: "CLIENT_SECRET",
+			DirectoryID:  "DIRECTORY_ID",
+		}),
+	)
+	users, err := p.UserGroups(context.Background())
+	assert.NoError(t, err)
+	assert.Equal(t, []*directory.User{
+		{
+			Id:     "user-1",
+			Groups: []string{"admin"},
+		},
+		{
+			Id:     "user-2",
+			Groups: []string{"test"},
+		},
+		{
+			Id:     "user-3",
+			Groups: []string{"test"},
+		},
+	}, users)
+}
+
+func mustParseURL(rawurl string) *url.URL {
+	u, err := url.Parse(rawurl)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}