all: refactor handler logic

- all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s - all: refactor authentication stack to be checked by middleware, and accessible via request context. - all: replace http.ServeMux with gorilla/mux’s router - all: replace custom CSRF checks with gorilla/csrf middleware - authenticate: extract callback path as constant. - internal/config: implement stringer interface for policy - internal/cryptutil: add helper func `NewBase64Key` - internal/cryptutil: rename `GenerateKey` to `NewKey` - internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN` - internal/middleware: removed alice in favor of gorilla/mux - internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret` - internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection - internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs - internal/urlutil: add `ValidateURL` helper to parse URL options - internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL. - proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them. - proxy: replace un-named http.ServeMux with named domain routes. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-05-24 14:37:12 +02:00 · 2019-09-12 13:54:30 -07:00 · 2019-09-12 13:54:30 -07:00 · dc12947241
commit dc12947241
parent a793249386
37 changed files with 1132 additions and 1384 deletions
--- a/internal/sessions/cookie_store_test.go
+++ b/internal/sessions/cookie_store_test.go
@ -1,4 +1,4 @@
-package sessions
+package sessions // import "github.com/pomerium/pomerium/internal/sessions"

 import (
 	"crypto/rand"
@ -38,7 +38,7 @@ func (a mockCipher) Unmarshal(s string, i interface{}) error {
 	return nil
 }
 func TestNewCookieStore(t *testing.T) {
-	cipher, err := cryptutil.NewCipher(cryptutil.GenerateKey())
+	cipher, err := cryptutil.NewCipher(cryptutil.NewKey())
 	if err != nil {
 		t.Fatal(err)
 	}
@ -111,7 +111,7 @@ func TestNewCookieStore(t *testing.T) {
 }

 func TestCookieStore_makeCookie(t *testing.T) {
-	cipher, err := cryptutil.NewCipher(cryptutil.GenerateKey())
+	cipher, err := cryptutil.NewCipher(cryptutil.NewKey())
 	if err != nil {
 		t.Fatal(err)
 	}
@ -155,62 +155,13 @@ func TestCookieStore_makeCookie(t *testing.T) {
 			if diff := cmp.Diff(s.makeSessionCookie(r, tt.value, tt.expiration, now), tt.want); diff != "" {
 				t.Errorf("CookieStore.makeSessionCookie() = \n%s", diff)
 			}
-			got := s.makeCSRFCookie(r, tt.value, tt.expiration, now)
-			tt.wantCSRF.Name = "_pomerium_csrf"
-			if !reflect.DeepEqual(got, tt.wantCSRF) {
-				t.Errorf("CookieStore.makeCookie() = \n%#v, \nwant\n%#v", got, tt.wantCSRF)
-			}
-			w := httptest.NewRecorder()
-			want := "new-csrf"
-			s.SetCSRF(w, r, want)
-			found := false
-			for _, cookie := range w.Result().Cookies() {
-				if cookie.Name == s.Name+"_csrf" && cookie.Value == want {
-					found = true
-					break
-				}
-			}
-			if !found {
-				t.Error("SetCSRF failed")
-			}
-
-			w = httptest.NewRecorder()
-			s.ClearCSRF(w, r)
-			for _, cookie := range w.Result().Cookies() {
-				if cookie.Name == s.Name+"_csrf" && cookie.Value == want {
-					t.Error("clear csrf failed")
-					break
-
-				}
-			}
-			w = httptest.NewRecorder()
-			want = "new-session"
-			s.setSessionCookie(w, r, want)
-			found = false
-			for _, cookie := range w.Result().Cookies() {
-				if cookie.Name == s.Name && cookie.Value == want {
-					found = true
-					break
-				}
-			}
-			if !found {
-				t.Error("SetCSRF failed")
-			}
-			w = httptest.NewRecorder()
-			s.ClearSession(w, r)
-			for _, cookie := range w.Result().Cookies() {
-				if cookie.Name == s.Name && cookie.Value == want {
-					t.Error("clear csrf failed")
-					break
-				}
-			}

 		})
 	}
 }

 func TestCookieStore_SaveSession(t *testing.T) {
-	cipher, err := cryptutil.NewCipher(cryptutil.GenerateKey())
+	cipher, err := cryptutil.NewCipher(cryptutil.NewKey())
 	if err != nil {
 		t.Fatal(err)
 	}
@ -265,38 +216,6 @@ func TestCookieStore_SaveSession(t *testing.T) {
 	}
 }

-func TestMockCSRFStore(t *testing.T) {
-	tests := []struct {
-		name         string
-		mockCSRF     *MockCSRFStore
-		newCSRFValue string
-		wantErr      bool
-	}{
-		{"basic",
-			&MockCSRFStore{
-				ResponseCSRF: "ok",
-				Cookie:       &http.Cookie{Name: "hi"}},
-			"newcsrf",
-			false},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ms := tt.mockCSRF
-			ms.SetCSRF(nil, nil, tt.newCSRFValue)
-			ms.ClearCSRF(nil, nil)
-			got, err := ms.GetCSRF(nil)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("MockCSRFStore.GetCSRF() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if !reflect.DeepEqual(got, tt.mockCSRF.Cookie) {
-				t.Errorf("MockCSRFStore.GetCSRF() = %v, want %v", got, tt.mockCSRF.Cookie)
-			}
-
-		})
-	}
-}
-
 func TestMockSessionStore(t *testing.T) {
 	tests := []struct {
 		name        string
@ -341,7 +260,7 @@ func TestMockSessionStore(t *testing.T) {
 	}
 }

-func Test_splitDomain(t *testing.T) {
+func Test_ParentSubdomain(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		s    string
@ -354,8 +273,8 @@ func Test_splitDomain(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.s, func(t *testing.T) {
-			if got := splitDomain(tt.s); got != tt.want {
-				t.Errorf("splitDomain() = %v, want %v", got, tt.want)
+			if got := ParentSubdomain(tt.s); got != tt.want {
+				t.Errorf("ParentSubdomain() = %v, want %v", got, tt.want)
 			}
 		})
 	}