mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-01 16:01:26 +02:00
8fa26c63f5
## Summary Remove Authorization header for the MCP server upstream. ## Related issues Fix https://github.com/pomerium/pomerium/issues/5718 ## User Explanation <!-- How would you explain this change to the user? If this change doesn't create any user-facing changes, you can leave this blank. If filled out, add the `docs` label --> ## Checklist - [x] reference any related issues - [x] updated unit tests - [x] add appropriate label (`enhancement`, `bug`, `breaking`, `dependencies`, `ci`) - [x] ready for review
708 lines
23 KiB
Go
708 lines
23 KiB
Go
package authorize
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/genproto/googleapis/rpc/status"
|
|
"google.golang.org/protobuf/encoding/protojson"
|
|
|
|
"github.com/pomerium/pomerium/authorize/evaluator"
|
|
"github.com/pomerium/pomerium/authorize/internal/store"
|
|
"github.com/pomerium/pomerium/config"
|
|
"github.com/pomerium/pomerium/internal/atomicutil"
|
|
"github.com/pomerium/pomerium/internal/jsonrpc"
|
|
"github.com/pomerium/pomerium/internal/testutil"
|
|
hpke_handlers "github.com/pomerium/pomerium/pkg/hpke/handlers"
|
|
"github.com/pomerium/pomerium/pkg/policy/criteria"
|
|
"github.com/pomerium/pomerium/pkg/telemetry/requestid"
|
|
)
|
|
|
|
func TestAuthorize_handleResult(t *testing.T) {
|
|
opt := config.NewDefaultOptions()
|
|
opt.DataBrokerURLString = "https://databroker.example.com"
|
|
opt.SharedKey = "E8wWIMnihUx+AUfRegAQDNs8eRb3UrB5G3zlJW9XJDM="
|
|
|
|
hpkePrivateKey, err := opt.GetHPKEPrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
authnSrv := httptest.NewServer(hpke_handlers.HPKEPublicKeyHandler(hpkePrivateKey.PublicKey()))
|
|
t.Cleanup(authnSrv.Close)
|
|
opt.AuthenticateURLString = authnSrv.URL
|
|
|
|
a, err := New(t.Context(), &config.Config{Options: opt})
|
|
require.NoError(t, err)
|
|
|
|
t.Run("user-unauthenticated", func(t *testing.T) {
|
|
res, err := a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
|
|
res, err = a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Deny: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("device-unauthenticated", func(t *testing.T) {
|
|
res, err := a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
|
|
t.Run("webauthn path", func(t *testing.T) {
|
|
res, err := a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Path: "/.pomerium/webauthn",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(true, criteria.ReasonPomeriumRoute),
|
|
Deny: evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, res.GetOkResponse())
|
|
})
|
|
})
|
|
t.Run("invalid-client-certificate", func(t *testing.T) {
|
|
// Even if the user is unauthenticated, if a client certificate was required and an invalid
|
|
// certificate was provided, access should be denied (no login redirect).
|
|
res, err := a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
Deny: evaluator.NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 495, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("client-certificate-required", func(t *testing.T) {
|
|
// Likewise, if a client certificate was required and no certificate
|
|
// was presented, access should be denied (no login redirect).
|
|
res, err := a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
Deny: evaluator.NewRuleResult(true, criteria.ReasonClientCertificateRequired),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 495, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("mcp-route-unauthenticated, mcp flag is on", func(t *testing.T) {
|
|
opt.RuntimeFlags[config.RuntimeFlagMCP] = true
|
|
res, err := a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{
|
|
Policy: &config.Policy{MCP: &config.MCP{Server: &config.MCPServer{}}},
|
|
},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 401, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("mcp-route-unauthenticated, mcp flag is off", func(t *testing.T) {
|
|
opt.RuntimeFlags[config.RuntimeFlagMCP] = false
|
|
res, err := a.handleResult(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{
|
|
Policy: &config.Policy{MCP: &config.MCP{Server: &config.MCPServer{}}},
|
|
},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("mcp-route-denied", func(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "test-request-id-123")
|
|
|
|
res, err := a.handleResultDenied(ctx,
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Body: `{"jsonrpc":"2.0","id":42,"method":"tools/call","params":{"name":"forbidden_tool","arguments":{"query":"SELECT * FROM secret_data"}}}`,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{
|
|
Policy: &config.Policy{
|
|
MCP: &config.MCP{Server: &config.MCPServer{}},
|
|
},
|
|
MCP: evaluator.RequestMCP{
|
|
ID: jsonrpc.NewNumberID(42),
|
|
Method: "tools/call",
|
|
ToolCall: &evaluator.RequestMCPToolCall{
|
|
Name: "forbidden_tool",
|
|
Arguments: map[string]any{"query": "SELECT * FROM secret_data"},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonMCPToolNoMatch),
|
|
},
|
|
criteria.Reasons{criteria.ReasonMCPToolNoMatch: {}},
|
|
)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, res)
|
|
|
|
assert.NotNil(t, res.GetDeniedResponse())
|
|
assert.Equal(t, int32(200), int32(res.GetDeniedResponse().GetStatus().GetCode())) // MCP uses 200 OK with JSON-RPC error
|
|
|
|
body := res.GetDeniedResponse().GetBody()
|
|
assert.Contains(t, body, `"jsonrpc":"2.0"`)
|
|
assert.Contains(t, body, `"id":42`)
|
|
assert.Contains(t, body, `"error"`)
|
|
assert.Contains(t, body, `"code":-32602`) // Invalid params error code
|
|
assert.Contains(t, body, "access denied")
|
|
assert.Contains(t, body, "test-request-id-123")
|
|
|
|
headers := res.GetDeniedResponse().GetHeaders()
|
|
assert.Len(t, headers, 2)
|
|
|
|
var contentTypeFound, cacheControlFound bool
|
|
for _, header := range headers {
|
|
switch header.GetHeader().GetKey() {
|
|
case "Content-Type":
|
|
assert.Equal(t, "application/json", header.GetHeader().GetValue())
|
|
contentTypeFound = true
|
|
case "Cache-Control":
|
|
assert.Equal(t, "no-cache", header.GetHeader().GetValue())
|
|
cacheControlFound = true
|
|
}
|
|
}
|
|
assert.True(t, contentTypeFound, "Content-Type header should be set")
|
|
assert.True(t, cacheControlFound, "Cache-Control header should be set")
|
|
})
|
|
t.Run("mcp-request-with-tool-call-denied", func(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "integration-test-789")
|
|
|
|
res, err := a.handleResult(ctx,
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Body: `{"jsonrpc":"2.0","id":789,"method":"tools/call","params":{"name":"admin_tool","arguments":{"action":"delete_all"}}}`,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{
|
|
Policy: &config.Policy{
|
|
MCP: &config.MCP{Server: &config.MCPServer{}},
|
|
},
|
|
MCP: evaluator.RequestMCP{
|
|
ID: jsonrpc.NewNumberID(789),
|
|
Method: "tools/call",
|
|
ToolCall: &evaluator.RequestMCPToolCall{
|
|
Name: "admin_tool",
|
|
Arguments: map[string]any{"action": "delete_all"},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Result{
|
|
Deny: evaluator.NewRuleResult(true, criteria.ReasonMCPToolNoMatch),
|
|
},
|
|
)
|
|
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, res)
|
|
|
|
deniedResp := res.GetDeniedResponse()
|
|
assert.NotNil(t, deniedResp)
|
|
assert.Equal(t, int32(200), int32(deniedResp.GetStatus().GetCode()))
|
|
|
|
body := deniedResp.GetBody()
|
|
assert.Contains(t, body, `"jsonrpc":"2.0"`)
|
|
assert.Contains(t, body, `"id":789`)
|
|
assert.Contains(t, body, `"error"`)
|
|
assert.Contains(t, body, "integration-test-789")
|
|
|
|
headers := deniedResp.GetHeaders()
|
|
var foundContentType bool
|
|
for _, header := range headers {
|
|
if header.GetHeader().GetKey() == "Content-Type" {
|
|
assert.Equal(t, "application/json", header.GetHeader().GetValue())
|
|
foundContentType = true
|
|
break
|
|
}
|
|
}
|
|
assert.True(t, foundContentType, "Content-Type header should be application/json for MCP responses")
|
|
})
|
|
}
|
|
|
|
func TestAuthorize_okResponse(t *testing.T) {
|
|
opt := &config.Options{
|
|
AuthenticateURLString: "https://authenticate.example.com",
|
|
Policies: []config.Policy{{
|
|
From: "https://example.com",
|
|
To: mustParseWeightedURLs(t, "https://to.example.com"),
|
|
SubPolicies: []config.SubPolicy{{
|
|
Rego: []string{"allow = true"},
|
|
}},
|
|
}},
|
|
JWTClaimsHeaders: config.NewJWTClaimHeaders("email"),
|
|
}
|
|
a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
|
|
Options: opt,
|
|
}), state: atomicutil.NewValue(new(authorizeState))}
|
|
a.store = store.New()
|
|
pe, err := newPolicyEvaluator(t.Context(), opt, a.store, nil)
|
|
require.NoError(t, err)
|
|
a.state.Load().evaluator = pe
|
|
|
|
tests := []struct {
|
|
name string
|
|
reply *evaluator.Result
|
|
want *envoy_service_auth_v3.CheckResponse
|
|
}{
|
|
{
|
|
"ok reply",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
{
|
|
"ok reply with k8s svc",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
{
|
|
"ok reply with k8s svc impersonate",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
{
|
|
"ok reply with jwt claims header",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
{
|
|
"ok reply with headers to remove",
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(true),
|
|
HeadersToRemove: []string{"x-header-to-remove"},
|
|
},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{
|
|
OkResponse: &envoy_service_auth_v3.OkHttpResponse{
|
|
HeadersToRemove: []string{"x-header-to-remove"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
got := a.okResponse(tc.reply.Headers, tc.reply.HeadersToRemove)
|
|
assert.Equal(t, tc.want.Status.Code, got.Status.Code)
|
|
assert.Equal(t, tc.want.Status.Message, got.Status.Message)
|
|
want, _ := protojson.Marshal(tc.want.GetOkResponse())
|
|
testutil.AssertProtoJSONEqual(t, string(want), got.GetOkResponse())
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthorize_deniedResponse(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
|
|
Options: &config.Options{
|
|
Policies: []config.Policy{{
|
|
From: "https://example.com",
|
|
SubPolicies: []config.SubPolicy{{
|
|
Rego: []string{"allow = true"},
|
|
}},
|
|
}},
|
|
},
|
|
}), state: atomicutil.NewValue(new(authorizeState))}
|
|
|
|
t.Run("json", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"Accept": "application/json",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"body": "{\"error\":\"ERROR\",\"request_id\":\"REQUESTID\"}",
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/json" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
|
|
t.Run("grpc", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"content-type": "application/grpc+json",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/grpc+json" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-message", "value": "ERROR" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-status", "value": "13" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
|
|
t.Run("grpc-web", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"Accept": "application/grpc-web-text",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/grpc-web+json" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-message", "value": "ERROR" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-status", "value": "13" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
|
|
t.Run("kubernetes", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
for _, tc := range []struct {
|
|
code int32
|
|
reason string
|
|
|
|
expectedMessage string
|
|
expectedReason string
|
|
expectedStatusCode string
|
|
}{
|
|
{401, "Unauthorized", "Unauthorized", "Unauthorized", `"Unauthorized"`},
|
|
{403, "Forbidden", "Forbidden", "Forbidden", `"Forbidden"`},
|
|
{404, "Not Found", "Not Found", "NotFound", `"NotFound"`},
|
|
{400, "Bad Request", "Bad Request", "", `"BadRequest"`},
|
|
{450, "", "your device fails to meet the requirements necessary to access this page, please contact your administrator for assistance", "Unauthorized", `450`},
|
|
{495, "", "a valid client certificate is required to access this page", "Unauthorized", `495`},
|
|
{500, "Internal Server Error", "Internal Server Error", "", `"InternalServerError"`},
|
|
} {
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"Accept": "application/json",
|
|
"User-Agent": "kubectl/vX.Y.Z (linux/amd64) kubernetes/000000",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, tc.code, tc.reason, nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, fmt.Sprintf(`{
|
|
"deniedResponse": {
|
|
"body": "{\"apiVersion\":\"v1\",\"code\":%[1]d,\"kind\":\"Status\",\"message\":\"%[2]s\",\"reason\":\"%[3]s\",\"status\":\"Failure\"}",
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/json" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": %[4]s
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, tc.code, tc.expectedMessage, tc.expectedReason, tc.expectedStatusCode), res)
|
|
}
|
|
})
|
|
|
|
t.Run("html", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
assert.Contains(t, res.GetDeniedResponse().GetBody(), "<!DOCTYPE html>")
|
|
res.HttpResponse.(*envoy_service_auth_v3.CheckResponse_DeniedResponse).DeniedResponse.Body = ""
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "text/html; charset=UTF-8" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "X-Pomerium-Intercepted-Response", "value": "true" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
}
|
|
|
|
func mustParseWeightedURLs(t *testing.T, urls ...string) []config.WeightedURL {
|
|
wu, err := config.ParseWeightedUrls(urls...)
|
|
require.NoError(t, err)
|
|
return wu
|
|
}
|
|
|
|
func TestRequireLogin(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
opt := config.NewDefaultOptions()
|
|
opt.DataBrokerURLString = "https://databroker.example.com"
|
|
opt.SharedKey = "E8wWIMnihUx+AUfRegAQDNs8eRb3UrB5G3zlJW9XJDM="
|
|
opt.SigningKey = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUJlMFRxbXJkSXBZWE03c3pSRERWYndXOS83RWJHVWhTdFFJalhsVHNXM1BvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFb0xaRDI2bEdYREhRQmhhZkdlbEVmRDdlNmYzaURjWVJPVjdUbFlIdHF1Y1BFL2hId2dmYQpNY3FBUEZsRmpueUpySXJhYTFlQ2xZRTJ6UktTQk5kNXBRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
|
|
|
|
hpkePrivateKey, err := opt.GetHPKEPrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
authnSrv := httptest.NewServer(hpke_handlers.HPKEPublicKeyHandler(hpkePrivateKey.PublicKey()))
|
|
t.Cleanup(authnSrv.Close)
|
|
opt.AuthenticateURLString = authnSrv.URL
|
|
|
|
a, err := New(t.Context(), &config.Config{Options: opt})
|
|
require.NoError(t, err)
|
|
|
|
t.Run("accept empty", func(t *testing.T) {
|
|
res, err := a.requireLoginResponse(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("accept html", func(t *testing.T) {
|
|
res, err := a.requireLoginResponse(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"accept": "*/*",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("accept json", func(t *testing.T) {
|
|
res, err := a.requireLoginResponse(t.Context(),
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"accept": "application/json",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.StatusUnauthorized, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
}
|
|
|
|
func Test_deniedResponseForMCP(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
t.Run("basic mcp denied response", func(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "test-request-id-456")
|
|
|
|
res := deniedResponseForMCP(ctx, jsonrpc.NewNumberID(123))
|
|
|
|
assert.NotNil(t, res)
|
|
assert.NotNil(t, res.GetDeniedResponse())
|
|
assert.Equal(t, int32(200), int32(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
body := res.GetDeniedResponse().GetBody()
|
|
|
|
var jsonRPCError struct {
|
|
JSONrpc string `json:"jsonrpc"`
|
|
ID int `json:"id"`
|
|
Error struct {
|
|
Code int `json:"code"`
|
|
Message string `json:"message"`
|
|
Data struct {
|
|
RequestID string `json:"request_id"`
|
|
} `json:"data"`
|
|
} `json:"error"`
|
|
}
|
|
|
|
err := json.Unmarshal([]byte(body), &jsonRPCError)
|
|
require.NoError(t, err, "Response body should be valid JSON")
|
|
|
|
assert.Equal(t, "2.0", jsonRPCError.JSONrpc)
|
|
assert.Equal(t, 123, jsonRPCError.ID)
|
|
assert.Equal(t, -32602, jsonRPCError.Error.Code) // Invalid params error
|
|
assert.Contains(t, jsonRPCError.Error.Message, "access denied")
|
|
assert.Contains(t, jsonRPCError.Error.Message, "test-request-id-456")
|
|
assert.Equal(t, "test-request-id-456", jsonRPCError.Error.Data.RequestID)
|
|
|
|
headers := res.GetDeniedResponse().GetHeaders()
|
|
assert.Len(t, headers, 2)
|
|
|
|
headerMap := make(map[string]string)
|
|
for _, header := range headers {
|
|
headerMap[header.GetHeader().GetKey()] = header.GetHeader().GetValue()
|
|
}
|
|
|
|
assert.Equal(t, "application/json", headerMap["Content-Type"])
|
|
assert.Equal(t, "no-cache", headerMap["Cache-Control"])
|
|
})
|
|
|
|
t.Run("different request id", func(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "different-request-id")
|
|
|
|
res := deniedResponseForMCP(ctx, jsonrpc.NewNumberID(999))
|
|
|
|
body := res.GetDeniedResponse().GetBody()
|
|
assert.Contains(t, body, `"id":999`)
|
|
assert.Contains(t, body, "different-request-id")
|
|
})
|
|
|
|
t.Run("zero id", func(t *testing.T) {
|
|
ctx := t.Context()
|
|
ctx = requestid.WithValue(ctx, "zero-id-test")
|
|
|
|
res := deniedResponseForMCP(ctx, jsonrpc.NewNumberID(0))
|
|
|
|
body := res.GetDeniedResponse().GetBody()
|
|
assert.Contains(t, body, `"id":0`)
|
|
assert.Contains(t, body, "zero-id-test")
|
|
})
|
|
}
|