authenticate/proxy: add backend refresh (#438)

2025-06-25 05:58:16 +02:00 · 2019-12-30 10:47:54 -08:00 · 2019-12-30 10:47:54 -08:00 · ec029c679b
commit ec029c679b
parent 9a330613aa
35 changed files with 1226 additions and 445 deletions
--- a/internal/sessions/middleware_test.go
+++ b/internal/sessions/middleware_test.go
@ -2,16 +2,14 @@ package sessions

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 	"time"

 	"github.com/google/go-cmp/cmp"
-	"github.com/pomerium/pomerium/internal/cryptutil"
-	"github.com/pomerium/pomerium/internal/encoding/ecjson"
 	"gopkg.in/square/go-jose.v2/jwt"
 )

@ -39,103 +37,6 @@ func TestNewContext(t *testing.T) {
 	}
 }

-func testAuthorizer(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		_, err := FromContext(r.Context())
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return
-		}
-		next.ServeHTTP(w, r)
-	})
-}
-
-func TestVerifier(t *testing.T) {
-	fnh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		fmt.Fprint(w, http.StatusText(http.StatusOK))
-		w.WriteHeader(http.StatusOK)
-	})
-
-	tests := []struct {
-		name string
-		// s     SessionStore
-		state State
-
-		cookie bool
-		header bool
-		param  bool
-
-		wantBody   string
-		wantStatus int
-	}{
-		{"good cookie session", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}, true, false, false, http.StatusText(http.StatusOK), http.StatusOK},
-		{"expired cookie", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, true, false, false, "internal/sessions: validation failed, token is expired (exp)\n", http.StatusUnauthorized},
-		{"malformed cookie", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, true, false, false, "internal/sessions: session is malformed\n", http.StatusUnauthorized},
-		{"good auth header session", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}, false, true, false, http.StatusText(http.StatusOK), http.StatusOK},
-		{"expired auth header", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, false, true, false, "internal/sessions: validation failed, token is expired (exp)\n", http.StatusUnauthorized},
-		{"malformed auth header", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, false, true, false, "internal/sessions: session is malformed\n", http.StatusUnauthorized},
-		{"good auth query param session", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}, false, true, true, http.StatusText(http.StatusOK), http.StatusOK},
-		{"expired auth query param", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, false, false, true, "internal/sessions: validation failed, token is expired (exp)\n", http.StatusUnauthorized},
-		{"malformed auth query param", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, false, false, true, "internal/sessions: session is malformed\n", http.StatusUnauthorized},
-		{"no session", State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, false, false, false, "internal/sessions: session is not found\n", http.StatusUnauthorized},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cipher, err := cryptutil.NewAEADCipherFromBase64(cryptutil.NewBase64Key())
-			encoder := ecjson.New(cipher)
-			if err != nil {
-				t.Fatal(err)
-			}
-			encSession, err := encoder.Marshal(&tt.state)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if strings.Contains(tt.name, "malformed") {
-				// add some garbage to the end of the string
-				encSession = append(encSession, cryptutil.NewKey()...)
-			}
-
-			cs, err := NewCookieStore(&CookieOptions{
-				Name: "_pomerium",
-			}, encoder)
-			if err != nil {
-				t.Fatal(err)
-			}
-			as := NewHeaderStore(encoder, "")
-
-			qp := NewQueryParamStore(encoder, "")
-
-			r := httptest.NewRequest(http.MethodGet, "/", nil)
-			r.Header.Set("Accept", "application/json")
-			w := httptest.NewRecorder()
-			if tt.cookie {
-				r.AddCookie(&http.Cookie{Name: "_pomerium", Value: string(encSession)})
-			} else if tt.header {
-				r.Header.Set("Authorization", "Bearer "+string(encSession))
-			} else if tt.param {
-				q := r.URL.Query()
-
-				q.Set("pomerium_session", string(encSession))
-				r.URL.RawQuery = q.Encode()
-			}
-
-			got := RetrieveSession(cs, as, qp)(testAuthorizer((fnh)))
-			got.ServeHTTP(w, r)
-
-			gotBody := w.Body.String()
-			gotStatus := w.Result().StatusCode
-
-			if diff := cmp.Diff(gotBody, tt.wantBody); diff != "" {
-				t.Errorf("RetrieveSession() = %v", diff)
-			}
-			if diff := cmp.Diff(gotStatus, tt.wantStatus); diff != "" {
-				t.Errorf("RetrieveSession() = %v", diff)
-			}
-		})
-	}
-}
-
 func Test_contextKey_String(t *testing.T) {
 	tests := []struct {
 		name    string
@ -155,3 +56,80 @@ func Test_contextKey_String(t *testing.T) {
 		})
 	}
 }
+
+func testAuthorizer(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, err := FromContext(r.Context())
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+var _ SessionStore = &store{}
+
+// Store is a mock implementation of the SessionStore interface
+type store struct {
+	ResponseSession string
+	Session         *State
+	SaveError       error
+	LoadError       error
+}
+
+// ClearSession clears the ResponseSession
+func (ms *store) ClearSession(http.ResponseWriter, *http.Request) {
+	ms.ResponseSession = ""
+}
+
+// LoadSession returns the session and a error
+func (ms store) LoadSession(*http.Request) (*State, error) {
+	return ms.Session, ms.LoadError
+}
+
+// SaveSession returns a save error.
+func (ms store) SaveSession(http.ResponseWriter, *http.Request, interface{}) error {
+	return ms.SaveError
+}
+
+func TestVerifier(t *testing.T) {
+	fnh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		fmt.Fprint(w, http.StatusText(http.StatusOK))
+		w.WriteHeader(http.StatusOK)
+	})
+
+	tests := []struct {
+		name       string
+		store      store
+		state      State
+		wantBody   string
+		wantStatus int
+	}{
+		{"empty session", store{}, State{}, "internal/sessions: session is not found\n", 401},
+		{"simple good load", store{Session: &State{Subject: "hi", Expiry: jwt.NewNumericDate(time.Now().Add(time.Second))}}, State{}, "OK", 200},
+		{"empty session", store{LoadError: errors.New("err")}, State{}, "err\n", 401},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+
+			r := httptest.NewRequest(http.MethodGet, "/", nil)
+			r.Header.Set("Accept", "application/json")
+			w := httptest.NewRecorder()
+
+			got := RetrieveSession(tt.store)(testAuthorizer((fnh)))
+			got.ServeHTTP(w, r)
+
+			gotBody := w.Body.String()
+			gotStatus := w.Result().StatusCode
+
+			if diff := cmp.Diff(gotBody, tt.wantBody); diff != "" {
+				t.Errorf("RetrieveSession() = %v", diff)
+			}
+			if diff := cmp.Diff(gotStatus, tt.wantStatus); diff != "" {
+				t.Errorf("RetrieveSession() = %v", diff)
+			}
+		})
+	}
+}