package authorize
import (
"html/template"
"net/http"
"net/http/httptest"
"net/url"
"testing"
"time"
envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
envoy_type "github.com/envoyproxy/go-control-plane/envoy/type"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/genproto/googleapis/rpc/status"
"google.golang.org/grpc/codes"
"github.com/pomerium/pomerium/authorize/evaluator"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/frontend"
"github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user"
)
func TestAuthorize_okResponse(t *testing.T) {
opt := &config.Options{
AuthenticateURL: mustParseURL("https://authenticate.example.com"),
Policies: []config.Policy{{
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
SubPolicies: []config.SubPolicy{{
Rego: []string{"allow = true"},
}},
}},
JWTClaimsHeaders: []string{"email"},
}
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
a.state.Load().encoder = encoder
a.currentOptions.Store(opt)
a.store = evaluator.NewStore()
pe, err := newPolicyEvaluator(opt, a.store)
require.NoError(t, err)
a.state.Load().evaluator = pe
validJWT, _ := pe.SignedJWT(pe.JWTPayload(&evaluator.Request{
DataBrokerData: evaluator.DataBrokerData{
"type.googleapis.com/session.Session": map[string]interface{}{
"SESSION_ID": &session.Session{
UserId: "USER_ID",
},
},
"type.googleapis.com/user.User": map[string]interface{}{
"USER_ID": &user.User{
Id: "USER_ID",
Name: "foo",
Email: "foo@example.com",
},
},
},
HTTP: evaluator.RequestHTTP{URL: "https://example.com"},
Session: evaluator.RequestSession{
ID: "SESSION_ID",
},
}))
originalGCPIdentityDocURL := gcpIdentityDocURL
defer func() {
gcpIdentityDocURL = originalGCPIdentityDocURL
gcpIdentityNow = time.Now
}()
now := time.Date(2020, 1, 1, 1, 0, 0, 0, time.UTC)
gcpIdentityNow = func() time.Time {
return now
}
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
_, _ = w.Write([]byte(now.Format(time.RFC3339)))
}))
defer srv.Close()
gcpIdentityDocURL = srv.URL
tests := []struct {
name string
reply *evaluator.Result
want *envoy_service_auth_v2.CheckResponse
}{
{
"ok reply",
&evaluator.Result{Status: 0, Message: "ok", SignedJWT: "valid-signed-jwt"},
&envoy_service_auth_v2.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{
OkResponse: &envoy_service_auth_v2.OkHttpResponse{
Headers: []*envoy_api_v2_core.HeaderValueOption{
mkHeader("x-pomerium-jwt-assertion", "valid-signed-jwt", false),
},
},
},
},
},
{
"ok reply with k8s svc",
&evaluator.Result{
Status: 0,
Message: "ok",
SignedJWT: "valid-signed-jwt",
MatchingPolicy: &config.Policy{
KubernetesServiceAccountToken: "k8s-svc-account",
},
},
&envoy_service_auth_v2.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{
OkResponse: &envoy_service_auth_v2.OkHttpResponse{
Headers: []*envoy_api_v2_core.HeaderValueOption{
mkHeader("x-pomerium-jwt-assertion", "valid-signed-jwt", false),
mkHeader("Authorization", "Bearer k8s-svc-account", false),
},
},
},
},
},
{
"ok reply with k8s svc impersonate",
&evaluator.Result{
Status: 0,
Message: "ok",
SignedJWT: "valid-signed-jwt",
MatchingPolicy: &config.Policy{
KubernetesServiceAccountToken: "k8s-svc-account",
},
UserEmail: "foo@example.com",
UserGroups: []string{"admin", "test"},
},
&envoy_service_auth_v2.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{
OkResponse: &envoy_service_auth_v2.OkHttpResponse{
Headers: []*envoy_api_v2_core.HeaderValueOption{
mkHeader("x-pomerium-jwt-assertion", "valid-signed-jwt", false),
mkHeader("Authorization", "Bearer k8s-svc-account", false),
mkHeader("Impersonate-User", "foo@example.com", false),
mkHeader("Impersonate-Group", "admin", false),
mkHeader("Impersonate-Group", "test", true),
},
},
},
},
},
{
"ok reply with google cloud serverless",
&evaluator.Result{
Status: 0,
Message: "ok",
SignedJWT: "valid-signed-jwt",
MatchingPolicy: &config.Policy{
EnableGoogleCloudServerlessAuthentication: true,
Destination: mustParseURL("https://example.com"),
},
},
&envoy_service_auth_v2.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{
OkResponse: &envoy_service_auth_v2.OkHttpResponse{
Headers: []*envoy_api_v2_core.HeaderValueOption{
mkHeader("x-pomerium-jwt-assertion", "valid-signed-jwt", false),
mkHeader("Authorization", "Bearer 2020-01-01T01:00:00Z", false),
},
},
},
},
},
{
"ok reply with jwt claims header",
&evaluator.Result{
Status: 0,
Message: "ok",
SignedJWT: validJWT,
},
&envoy_service_auth_v2.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{
OkResponse: &envoy_service_auth_v2.OkHttpResponse{
Headers: []*envoy_api_v2_core.HeaderValueOption{
mkHeader("x-pomerium-claim-email", "foo@example.com", false),
mkHeader("x-pomerium-jwt-assertion", validJWT, false),
},
},
},
},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
got := a.okResponse(tc.reply)
assert.Equal(t, tc.want.Status.Code, got.Status.Code)
assert.Equal(t, tc.want.Status.Message, got.Status.Message)
assert.Equal(t, tc.want.GetOkResponse().GetHeaders(), got.GetOkResponse().GetHeaders())
})
}
}
func TestAuthorize_deniedResponse(t *testing.T) {
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
a.state.Load().encoder = encoder
a.currentOptions.Store(&config.Options{
Policies: []config.Policy{{
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
SubPolicies: []config.SubPolicy{{
Rego: []string{"allow = true"},
}},
}},
})
a.templates = template.Must(frontend.NewTemplates())
tests := []struct {
name string
in *envoy_service_auth_v2.CheckRequest
code int32
reason string
headers map[string]string
want *envoy_service_auth_v2.CheckResponse
}{
{
"html denied",
nil,
http.StatusBadRequest,
"Access Denied",
nil,
&envoy_service_auth_v2.CheckResponse{
Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
Status: &envoy_type.HttpStatus{
Code: envoy_type.StatusCode(codes.InvalidArgument),
},
Headers: []*envoy_api_v2_core.HeaderValueOption{
mkHeader("Content-Type", "text/html", false),
},
Body: "Access Denied",
},
},
},
},
{
"plain text denied",
&envoy_service_auth_v2.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{
Request: &envoy_service_auth_v2.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
Headers: map[string]string{},
},
},
},
},
http.StatusBadRequest,
"Access Denied",
map[string]string{},
&envoy_service_auth_v2.CheckResponse{
Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
Status: &envoy_type.HttpStatus{
Code: envoy_type.StatusCode(codes.InvalidArgument),
},
Headers: []*envoy_api_v2_core.HeaderValueOption{
mkHeader("Content-Type", "text/plain", false),
},
Body: "Access Denied",
},
},
},
},
}
for _, tc := range tests {
tc := tc
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
got := a.deniedResponse(tc.in, tc.code, tc.reason, tc.headers)
assert.Equal(t, tc.want.Status.Code, got.Status.Code)
assert.Equal(t, tc.want.Status.Message, got.Status.Message)
assert.Equal(t, tc.want.GetDeniedResponse().GetHeaders(), got.GetDeniedResponse().GetHeaders())
})
}
}