mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-04 10:28:10 +02:00
b0c2e2dede
Bumps the go group with 24 updates: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.53.0` | `1.55.0` | | [github.com/VictoriaMetrics/fastcache](https://github.com/VictoriaMetrics/fastcache) | `1.12.2` | `1.12.4` | | [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.79.3` | `1.80.0` | | [github.com/docker/docker](https://github.com/docker/docker) | `28.1.1+incompatible` | `28.2.2+incompatible` | | [github.com/exaring/otelpgx](https://github.com/exaring/otelpgx) | `0.9.1` | `0.9.3` | | [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet) | `0.20.0` | `0.21.0` | | [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.7.4` | `5.7.5` | | [github.com/miekg/dns](https://github.com/miekg/dns) | `1.1.65` | `1.1.66` | | [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) | `7.0.91` | `7.0.92` | | [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.4.2` | `1.5.0` | | [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto) | `0.8.0` | `0.8.1` | | [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) | `0.51.0` | `0.52.0` | | [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/otel/bridge/opencensus](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/proto/otlp](https://github.com/open-telemetry/opentelemetry-proto-go) | `1.6.0` | `1.7.0` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.230.0` | `0.235.0` | | [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto) | `0.0.0-20250428153025-10db94c68c34` | `0.0.0-20250528174236-200df99c418a` | | [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.72.0` | `1.72.2` | Updates `cloud.google.com/go/storage` from 1.53.0 to 1.55.0 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@spanner/v1.53.0...spanner/v1.55.0) Updates `github.com/VictoriaMetrics/fastcache` from 1.12.2 to 1.12.4 - [Release notes](https://github.com/VictoriaMetrics/fastcache/releases) - [Commits](VictoriaMetrics/fastcache@v1.12.2...v1.12.4) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.79.3 to 1.80.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.79.3...service/s3/v1.80.0) Updates `github.com/docker/docker` from 28.1.1+incompatible to 28.2.2+incompatible - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v28.1.1...v28.2.2) Updates `github.com/exaring/otelpgx` from 0.9.1 to 0.9.3 - [Release notes](https://github.com/exaring/otelpgx/releases) - [Commits](exaring/otelpgx@v0.9.1...v0.9.3) Updates `github.com/google/go-jsonnet` from 0.20.0 to 0.21.0 - [Release notes](https://github.com/google/go-jsonnet/releases) - [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml) - [Commits](google/go-jsonnet@v0.20.0...v0.21.0) Updates `github.com/jackc/pgx/v5` from 5.7.4 to 5.7.5 - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](jackc/pgx@v5.7.4...v5.7.5) Updates `github.com/miekg/dns` from 1.1.65 to 1.1.66 - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](miekg/dns@v1.1.65...v1.1.66) Updates `github.com/minio/minio-go/v7` from 7.0.91 to 7.0.92 - [Release notes](https://github.com/minio/minio-go/releases) - [Commits](minio/minio-go@v7.0.91...v7.0.92) Updates `github.com/open-policy-agent/opa` from 1.4.2 to 1.5.0 - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.4.2...v1.5.0) Updates `github.com/pires/go-proxyproto` from 0.8.0 to 0.8.1 - [Release notes](https://github.com/pires/go-proxyproto/releases) - [Commits](pires/go-proxyproto@v0.8.0...v0.8.1) Updates `github.com/quic-go/quic-go` from 0.51.0 to 0.52.0 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.51.0...v0.52.0) Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/otel/bridge/opencensus` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/proto/otlp` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-proto-go/releases) - [Commits](open-telemetry/opentelemetry-proto-go@v1.6.0...v1.7.0) Updates `google.golang.org/api` from 0.230.0 to 0.235.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.230.0...v0.235.0) Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20250428153025-10db94c68c34 to 0.0.0-20250528174236-200df99c418a - [Commits](https://github.com/googleapis/go-genproto/commits) Updates `google.golang.org/grpc` from 1.72.0 to 1.72.2 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.72.0...v1.72.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-version: 1.55.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/VictoriaMetrics/fastcache dependency-version: 1.12.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.80.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/docker/docker dependency-version: 28.2.2+incompatible dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/exaring/otelpgx dependency-version: 0.9.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/google/go-jsonnet dependency-version: 0.21.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.7.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/miekg/dns dependency-version: 1.1.66 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/minio/minio-go/v7 dependency-version: 7.0.92 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/pires/go-proxyproto dependency-version: 0.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/quic-go/quic-go dependency-version: 0.52.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/propagators/autoprop dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/bridge/opencensus dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/proto/otlp dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/api dependency-version: 0.235.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/genproto/googleapis/rpc dependency-version: 0.0.0-20250528174236-200df99c418a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: google.golang.org/grpc dependency-version: 1.72.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] <support@github.com>
603 lines
18 KiB
Go
603 lines
18 KiB
Go
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"regexp"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/gorilla/websocket"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/pomerium/pomerium/integration/flows"
|
|
"github.com/pomerium/pomerium/internal/httputil"
|
|
)
|
|
|
|
func TestQueryStringParams(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
qs := url.Values{
|
|
"q1": {"a&b&c"},
|
|
"q2": {"x?y?z"},
|
|
}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/?"+qs.Encode(), nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
res, err := getClient(t, false).Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Query map[string]string
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
if !assert.NoError(t, err) {
|
|
return
|
|
}
|
|
|
|
assert.Equal(t, map[string]string{
|
|
"q1": "a&b&c",
|
|
"q2": "x?y?z",
|
|
}, result.Query,
|
|
"expected custom request header to be sent upstream")
|
|
}
|
|
|
|
func TestCORS(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
t.Run("enabled", func(t *testing.T) {
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodOptions, "https://httpdetails.localhost.pomerium.io/cors-enabled", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
req.Header.Set("Access-Control-Request-Method", http.MethodGet)
|
|
req.Header.Set("Origin", "https://httpdetails.localhost.pomerium.io")
|
|
|
|
res, err := client.Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
assert.Equal(t, http.StatusOK, res.StatusCode, "unexpected status code")
|
|
})
|
|
})
|
|
t.Run("disabled", func(t *testing.T) {
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodOptions, "https://httpdetails.localhost.pomerium.io/cors-disabled", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
req.Header.Set("Access-Control-Request-Method", http.MethodGet)
|
|
req.Header.Set("Origin", "https://httpdetails.localhost.pomerium.io")
|
|
|
|
res, err := client.Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
assert.NotEqual(t, http.StatusOK, res.StatusCode, "unexpected status code")
|
|
})
|
|
})
|
|
}
|
|
|
|
func TestPreserveHostHeader(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
t.Run("enabled", func(t *testing.T) {
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/preserve-host-header-enabled", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
res, err := client.Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Headers struct {
|
|
Host string `json:"host"`
|
|
} `json:"headers"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
if !assert.NoError(t, err) {
|
|
return
|
|
}
|
|
|
|
assert.Equal(t, "httpdetails.localhost.pomerium.io", result.Headers.Host,
|
|
"destination host should be preserved in %v", result)
|
|
})
|
|
})
|
|
t.Run("disabled", func(t *testing.T) {
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/preserve-host-header-disabled", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
res, err := client.Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Headers struct {
|
|
Host string `json:"host"`
|
|
} `json:"headers"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
if !assert.NoError(t, err) {
|
|
return
|
|
}
|
|
|
|
assert.NotEqual(t, "httpdetails.localhost.pomerium.io", result.Headers.Host,
|
|
"destination host should not be preserved in %v", result)
|
|
})
|
|
})
|
|
}
|
|
|
|
func TestSetRequestHeaders(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
res, err := client.Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Headers map[string]string `json:"headers"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
if !assert.NoError(t, err) {
|
|
return
|
|
}
|
|
|
|
assert.Equal(t, "custom-request-header-value", result.Headers["x-custom-request-header"],
|
|
"expected custom request header to be sent upstream")
|
|
})
|
|
}
|
|
|
|
func TestRemoveRequestHeaders(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
req.Header.Add("X-Custom-Request-Header-To-Remove", "foo")
|
|
|
|
res, err := client.Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Headers map[string]string `json:"headers"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
if !assert.NoError(t, err) {
|
|
return
|
|
}
|
|
|
|
_, exist := result.Headers["X-Custom-Request-Header-To-Remove"]
|
|
assert.False(t, exist, "expected X-Custom-Request-Header-To-Remove not to be present.")
|
|
})
|
|
}
|
|
|
|
func TestWebsocket(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
t.Run("disabled", func(t *testing.T) {
|
|
ws, _, err := (&websocket.Dialer{
|
|
TLSClientConfig: &tls.Config{
|
|
InsecureSkipVerify: true,
|
|
},
|
|
}).DialContext(ctx, "wss://disabled-ws-echo.localhost.pomerium.io", nil)
|
|
if !assert.Error(t, err, "expected bad handshake when websocket is not enabled") {
|
|
ws.Close()
|
|
return
|
|
}
|
|
})
|
|
t.Run("enabled", func(t *testing.T) {
|
|
ws, _, err := (&websocket.Dialer{
|
|
TLSClientConfig: &tls.Config{
|
|
InsecureSkipVerify: true,
|
|
},
|
|
}).DialContext(ctx, "wss://enabled-ws-echo.localhost.pomerium.io", nil)
|
|
if !assert.NoError(t, err, "expected no error when creating websocket") {
|
|
return
|
|
}
|
|
defer ws.Close()
|
|
|
|
msg := "hello world"
|
|
err = ws.WriteJSON("hello world")
|
|
assert.NoError(t, err, "expected no error when writing json to websocket")
|
|
err = ws.ReadJSON(&msg)
|
|
assert.NoError(t, err, "expected no error when reading json from websocket")
|
|
})
|
|
}
|
|
|
|
func TestGoogleCloudRun(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://cloudrun.localhost.pomerium.io/", nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
res, err := client.Do(req)
|
|
if !assert.NoError(t, err, "unexpected http error") {
|
|
return
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Headers map[string]string `json:"headers"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
if !assert.NoError(t, err) {
|
|
return
|
|
}
|
|
|
|
if result.Headers["x-idp"] == "google" {
|
|
assert.NotEmpty(t, result.Headers["authorization"], "expected authorization header when cloudrun is enabled")
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestLoadBalancer(t *testing.T) {
|
|
ctx, clearTimeout := context.WithTimeout(t.Context(), time.Minute*10)
|
|
defer clearTimeout()
|
|
|
|
getDistribution := func(t *testing.T, path string) map[string]float64 {
|
|
distribution := map[string]float64{}
|
|
|
|
client := getClient(t, false)
|
|
|
|
res, err := flows.Authenticate(ctx, client,
|
|
mustParseURL("https://httpdetails.localhost.pomerium.io/"+path),
|
|
flows.WithEmail("user1@dogs.test"))
|
|
if !assert.NoError(t, err) {
|
|
return distribution
|
|
}
|
|
_, _ = io.ReadAll(res.Body)
|
|
_ = res.Body.Close()
|
|
|
|
for i := 0; i < 100; i++ {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://httpdetails.localhost.pomerium.io/"+path, nil)
|
|
if !assert.NoError(t, err) {
|
|
return distribution
|
|
}
|
|
|
|
res, err = client.Do(req)
|
|
if !assert.NoError(t, err) {
|
|
return distribution
|
|
}
|
|
defer res.Body.Close()
|
|
|
|
bs, err := io.ReadAll(res.Body)
|
|
if !assert.NoError(t, err) {
|
|
return distribution
|
|
}
|
|
|
|
var result struct {
|
|
Hostname string `json:"hostname"`
|
|
}
|
|
err = json.Unmarshal(bs, &result)
|
|
if !assert.NoError(t, err, "invalid json: %s", bs) {
|
|
return distribution
|
|
}
|
|
distribution[result.Hostname]++
|
|
}
|
|
|
|
return distribution
|
|
}
|
|
|
|
t.Run("round robin", func(t *testing.T) {
|
|
distribution := getDistribution(t, "round-robin")
|
|
var xs []float64
|
|
for _, x := range distribution {
|
|
xs = append(xs, x)
|
|
}
|
|
assert.Lessf(t, standardDeviation(xs), 10.0, "should distribute requests evenly, got: %v",
|
|
distribution)
|
|
})
|
|
|
|
t.Run("ring hash", func(t *testing.T) {
|
|
distribution := getDistribution(t, "ring-hash")
|
|
assert.Lenf(t, distribution, 1, "should distribute requests to a single backend, got: %v",
|
|
distribution)
|
|
})
|
|
|
|
t.Run("maglev", func(t *testing.T) {
|
|
distribution := getDistribution(t, "maglev")
|
|
assert.Lenf(t, distribution, 1, "should distribute requests to a single backend, got: %v",
|
|
distribution)
|
|
})
|
|
}
|
|
|
|
func TestDownstreamClientCA(t *testing.T) {
|
|
ctx, clearTimeout := context.WithTimeout(t.Context(), time.Minute*10)
|
|
defer clearTimeout()
|
|
|
|
t.Run("no client cert", func(t *testing.T) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://client-cert-required.localhost.pomerium.io/", nil)
|
|
require.NoError(t, err)
|
|
|
|
res, err := getClient(t, false).Do(req)
|
|
require.NoError(t, err)
|
|
res.Body.Close()
|
|
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
|
|
})
|
|
t.Run("untrusted client cert", func(t *testing.T) {
|
|
// Configure an http.Client with an untrusted client certificate.
|
|
cert := loadCertificate(t, "downstream-2-client")
|
|
client, transport := getClientWithTransport(t)
|
|
transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://client-cert-required.localhost.pomerium.io/", nil)
|
|
require.NoError(t, err)
|
|
|
|
res, err := client.Do(req)
|
|
require.NoError(t, err)
|
|
res.Body.Close()
|
|
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
|
|
})
|
|
t.Run("valid client cert", func(t *testing.T) {
|
|
// Configure an http.Client with a trusted client certificate.
|
|
cert := loadCertificate(t, "downstream-1-client")
|
|
client, transport := getClientWithTransport(t)
|
|
transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
|
|
|
|
res, err := flows.Authenticate(ctx, client,
|
|
mustParseURL("https://client-cert-required.localhost.pomerium.io/"),
|
|
flows.WithEmail("user1@dogs.test"))
|
|
require.NoError(t, err)
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Path string `json:"path"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
if !assert.NoError(t, err) {
|
|
return
|
|
}
|
|
assert.Equal(t, "/", result.Path)
|
|
})
|
|
t.Run("revoked client cert", func(t *testing.T) {
|
|
// Configure an http.Client with a revoked client certificate.
|
|
cert := loadCertificate(t, "downstream-1-client-revoked")
|
|
client, transport := getClientWithTransport(t)
|
|
transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://client-cert-required.localhost.pomerium.io/", nil)
|
|
require.NoError(t, err)
|
|
|
|
res, err := client.Do(req)
|
|
require.NoError(t, err)
|
|
res.Body.Close()
|
|
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
|
|
})
|
|
}
|
|
|
|
func TestMultipleDownstreamClientCAs(t *testing.T) {
|
|
ctx, clearTimeout := context.WithTimeout(t.Context(), time.Minute*10)
|
|
defer clearTimeout()
|
|
|
|
// Initializes a new http.Client with the given certificate.
|
|
newClientWithCert := func(certName string) *http.Client {
|
|
cert := loadCertificate(t, certName)
|
|
client, transport := getClientWithTransport(t)
|
|
transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
|
|
return client
|
|
}
|
|
|
|
// Asserts that we get a successful JSON response from the httpdetails
|
|
// service, matching the given path.
|
|
assertOK := func(t *testing.T, res *http.Response, err error, path string) {
|
|
require.NoError(t, err, "unexpected http error")
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Path string `json:"path"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, path, result.Path)
|
|
}
|
|
|
|
t.Run("cert1", func(t *testing.T) {
|
|
client := newClientWithCert("downstream-1-client")
|
|
|
|
// With cert1, we should get a valid response for the /ca1 path
|
|
// (after login).
|
|
res, err := flows.Authenticate(ctx, client,
|
|
mustParseURL("https://client-cert-overlap.localhost.pomerium.io/ca1"),
|
|
flows.WithEmail("user1@dogs.test"))
|
|
assertOK(t, res, err, "/ca1")
|
|
|
|
// With cert1, we should get an HTML error page for the /ca2 path.
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://client-cert-overlap.localhost.pomerium.io/ca2", nil)
|
|
require.NoError(t, err)
|
|
res, err = client.Do(req)
|
|
require.NoError(t, err, "unexpected http error")
|
|
res.Body.Close()
|
|
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
|
|
})
|
|
t.Run("cert2", func(t *testing.T) {
|
|
client := newClientWithCert("downstream-2-client")
|
|
|
|
// With cert2, we should get an HTML error page for the /ca1 path
|
|
// (before login).
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://client-cert-overlap.localhost.pomerium.io/ca1", nil)
|
|
require.NoError(t, err)
|
|
res, err := client.Do(req)
|
|
require.NoError(t, err, "unexpected http error")
|
|
res.Body.Close()
|
|
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
|
|
|
|
// With cert2, we should get a valid response for the /ca2 path
|
|
// (after login).
|
|
res, err = flows.Authenticate(ctx, client,
|
|
mustParseURL("https://client-cert-overlap.localhost.pomerium.io/ca2"),
|
|
flows.WithEmail("user1@dogs.test"))
|
|
assertOK(t, res, err, "/ca2")
|
|
})
|
|
t.Run("no cert", func(t *testing.T) {
|
|
client := getClient(t, false)
|
|
|
|
// Without a client certificate, both paths should return an HTML error
|
|
// page (no login redirect).
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://client-cert-overlap.localhost.pomerium.io/ca1", nil)
|
|
require.NoError(t, err)
|
|
res, err := client.Do(req)
|
|
require.NoError(t, err, "unexpected http error")
|
|
res.Body.Close()
|
|
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
|
|
|
|
req, err = http.NewRequestWithContext(ctx, http.MethodGet,
|
|
"https://client-cert-overlap.localhost.pomerium.io/ca2", nil)
|
|
require.NoError(t, err)
|
|
res, err = client.Do(req)
|
|
require.NoError(t, err, "unexpected http error")
|
|
res.Body.Close()
|
|
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
|
|
})
|
|
}
|
|
|
|
func TestPomeriumJWT(t *testing.T) {
|
|
ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*30)
|
|
defer clearTimeout()
|
|
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
// Obtain a Pomerium attestation JWT from the httpdetails service.
|
|
res, err := flows.Authenticate(ctx, client,
|
|
mustParseURL("https://restricted-httpdetails.localhost.pomerium.io/"),
|
|
flows.WithEmail("user1@dogs.test"))
|
|
require.NoError(t, err)
|
|
defer res.Body.Close()
|
|
|
|
var m map[string]any
|
|
err = json.NewDecoder(res.Body).Decode(&m)
|
|
require.NoError(t, err)
|
|
|
|
headers, ok := m["headers"].(map[string]any)
|
|
require.True(t, ok)
|
|
headerJWT, ok := headers["x-pomerium-jwt-assertion"].(string)
|
|
require.True(t, ok)
|
|
|
|
// Manually decode the payload section of the JWT in order to verify the
|
|
// format of the iat and exp timestamps.
|
|
// (https://github.com/pomerium/pomerium/issues/4149)
|
|
p := rawJWTPayload(t, headerJWT)
|
|
digitsOnly := regexp.MustCompile(`^\d+$`)
|
|
assert.Regexp(t, digitsOnly, p["iat"])
|
|
assert.Regexp(t, digitsOnly, p["exp"])
|
|
|
|
// Also verify the issuer and audience claims.
|
|
assert.Equal(t, "restricted-httpdetails.localhost.pomerium.io", p["iss"])
|
|
assert.Equal(t, "restricted-httpdetails.localhost.pomerium.io", p["aud"])
|
|
|
|
// Obtain a Pomerium attestation JWT from the /.pomerium/jwt endpoint. The
|
|
// contents should be identical to the JWT header (except possibly the
|
|
// timestamps and the jtis). (https://github.com/pomerium/pomerium/issues/4210)
|
|
res, err = client.Get("https://restricted-httpdetails.localhost.pomerium.io/.pomerium/jwt")
|
|
require.NoError(t, err)
|
|
defer res.Body.Close()
|
|
spaJWT, err := io.ReadAll(res.Body)
|
|
require.NoError(t, err)
|
|
|
|
p2 := rawJWTPayload(t, string(spaJWT))
|
|
|
|
// Remove timestamps before comparing.
|
|
delete(p, "iat")
|
|
delete(p, "exp")
|
|
delete(p, "jti")
|
|
delete(p2, "iat")
|
|
delete(p2, "exp")
|
|
delete(p2, "jti")
|
|
assert.Equal(t, p, p2)
|
|
})
|
|
}
|
|
|
|
func rawJWTPayload(t *testing.T, jwt string) map[string]any {
|
|
t.Helper()
|
|
s := strings.Split(jwt, ".")
|
|
require.Equal(t, 3, len(s), "unexpected JWT format")
|
|
payload, err := base64.RawURLEncoding.DecodeString(s[1])
|
|
require.NoError(t, err, "JWT payload could not be decoded")
|
|
d := json.NewDecoder(bytes.NewReader(payload))
|
|
d.UseNumber()
|
|
var decoded map[string]any
|
|
err = d.Decode(&decoded)
|
|
require.NoError(t, err, "JWT payload could not be deserialized")
|
|
return decoded
|
|
}
|
|
|
|
func TestUpstreamViaIPAddress(t *testing.T) {
|
|
testHTTPClient(t, func(t *testing.T, client *http.Client) {
|
|
// Verify that we can make a successful request to a route with a 'to' URL
|
|
// that uses https with an IP address.
|
|
res, err := client.Get("https://httpdetails-ip-address.localhost.pomerium.io/")
|
|
require.NoError(t, err, "unexpected http error")
|
|
defer res.Body.Close()
|
|
|
|
var result struct {
|
|
Headers map[string]string `json:"headers"`
|
|
Protocol string `json:"protocol"`
|
|
}
|
|
err = json.NewDecoder(res.Body).Decode(&result)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "https", result.Protocol)
|
|
})
|
|
}
|