mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-28 18:06:34 +02:00
b9fd926618
* identity: add support for verifying access and identity tokens * allow overriding with policy option * authenticate: add verify endpoints * wip * implement session creation * add verify test * implement idp token login * fix tests * add pr permission * make session ids route-specific * rename method * add test * add access token test * test for newUserFromIDPClaims * more tests * make the session id per-idp * use type for * add test * remove nil checks
476 lines
15 KiB
Go
476 lines
15 KiB
Go
package authorize
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/genproto/googleapis/rpc/status"
|
|
"google.golang.org/protobuf/encoding/protojson"
|
|
|
|
"github.com/pomerium/pomerium/authorize/evaluator"
|
|
"github.com/pomerium/pomerium/authorize/internal/store"
|
|
"github.com/pomerium/pomerium/config"
|
|
"github.com/pomerium/pomerium/internal/atomicutil"
|
|
"github.com/pomerium/pomerium/internal/testutil"
|
|
hpke_handlers "github.com/pomerium/pomerium/pkg/hpke/handlers"
|
|
"github.com/pomerium/pomerium/pkg/policy/criteria"
|
|
"github.com/pomerium/pomerium/pkg/telemetry/requestid"
|
|
)
|
|
|
|
func TestAuthorize_handleResult(t *testing.T) {
|
|
opt := config.NewDefaultOptions()
|
|
opt.DataBrokerURLString = "https://databroker.example.com"
|
|
opt.SharedKey = "E8wWIMnihUx+AUfRegAQDNs8eRb3UrB5G3zlJW9XJDM="
|
|
|
|
hpkePrivateKey, err := opt.GetHPKEPrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
authnSrv := httptest.NewServer(hpke_handlers.HPKEPublicKeyHandler(hpkePrivateKey.PublicKey()))
|
|
t.Cleanup(authnSrv.Close)
|
|
opt.AuthenticateURLString = authnSrv.URL
|
|
|
|
a, err := New(context.Background(), &config.Config{Options: opt})
|
|
require.NoError(t, err)
|
|
|
|
t.Run("user-unauthenticated", func(t *testing.T) {
|
|
res, err := a.handleResult(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
|
|
res, err = a.handleResult(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Deny: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("device-unauthenticated", func(t *testing.T) {
|
|
res, err := a.handleResult(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
|
|
t.Run("webauthn path", func(t *testing.T) {
|
|
res, err := a.handleResult(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Path: "/.pomerium/webauthn",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(true, criteria.ReasonPomeriumRoute),
|
|
Deny: evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, res.GetOkResponse())
|
|
})
|
|
})
|
|
t.Run("invalid-client-certificate", func(t *testing.T) {
|
|
// Even if the user is unauthenticated, if a client certificate was required and an invalid
|
|
// certificate was provided, access should be denied (no login redirect).
|
|
res, err := a.handleResult(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
Deny: evaluator.NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 495, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("client-certificate-required", func(t *testing.T) {
|
|
// Likewise, if a client certificate was required and no certificate
|
|
// was presented, access should be denied (no login redirect).
|
|
res, err := a.handleResult(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{},
|
|
&evaluator.Result{
|
|
Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
|
|
Deny: evaluator.NewRuleResult(true, criteria.ReasonClientCertificateRequired),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, 495, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
}
|
|
|
|
func TestAuthorize_okResponse(t *testing.T) {
|
|
opt := &config.Options{
|
|
AuthenticateURLString: "https://authenticate.example.com",
|
|
Policies: []config.Policy{{
|
|
From: "https://example.com",
|
|
To: mustParseWeightedURLs(t, "https://to.example.com"),
|
|
SubPolicies: []config.SubPolicy{{
|
|
Rego: []string{"allow = true"},
|
|
}},
|
|
}},
|
|
JWTClaimsHeaders: config.NewJWTClaimHeaders("email"),
|
|
}
|
|
a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
|
|
Options: opt,
|
|
}), state: atomicutil.NewValue(new(authorizeState))}
|
|
a.store = store.New()
|
|
pe, err := newPolicyEvaluator(context.Background(), opt, a.store, nil)
|
|
require.NoError(t, err)
|
|
a.state.Load().evaluator = pe
|
|
|
|
tests := []struct {
|
|
name string
|
|
reply *evaluator.Result
|
|
want *envoy_service_auth_v3.CheckResponse
|
|
}{
|
|
{
|
|
"ok reply",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
{
|
|
"ok reply with k8s svc",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
{
|
|
"ok reply with k8s svc impersonate",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
{
|
|
"ok reply with jwt claims header",
|
|
&evaluator.Result{Allow: evaluator.NewRuleResult(true)},
|
|
&envoy_service_auth_v3.CheckResponse{
|
|
Status: &status.Status{Code: 0, Message: "OK"},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
got := a.okResponse(tc.reply.Headers)
|
|
assert.Equal(t, tc.want.Status.Code, got.Status.Code)
|
|
assert.Equal(t, tc.want.Status.Message, got.Status.Message)
|
|
want, _ := protojson.Marshal(tc.want.GetOkResponse())
|
|
testutil.AssertProtoJSONEqual(t, string(want), got.GetOkResponse())
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthorize_deniedResponse(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
a := &Authorize{currentConfig: atomicutil.NewValue(&config.Config{
|
|
Options: &config.Options{
|
|
Policies: []config.Policy{{
|
|
From: "https://example.com",
|
|
SubPolicies: []config.SubPolicy{{
|
|
Rego: []string{"allow = true"},
|
|
}},
|
|
}},
|
|
},
|
|
}), state: atomicutil.NewValue(new(authorizeState))}
|
|
|
|
t.Run("json", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := context.Background()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"Accept": "application/json",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"body": "{\"error\":\"ERROR\",\"request_id\":\"REQUESTID\"}",
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/json" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
|
|
t.Run("grpc", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := context.Background()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"content-type": "application/grpc+json",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/grpc+json" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-message", "value": "ERROR" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-status", "value": "13" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
|
|
t.Run("grpc-web", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := context.Background()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"Accept": "application/grpc-web-text",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/grpc-web+json" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-message", "value": "ERROR" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "grpc-status", "value": "13" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
|
|
t.Run("kubernetes", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := context.Background()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
for _, tc := range []struct {
|
|
code int32
|
|
reason string
|
|
|
|
expectedMessage string
|
|
expectedReason string
|
|
expectedStatusCode string
|
|
}{
|
|
{401, "Unauthorized", "Unauthorized", "Unauthorized", `"Unauthorized"`},
|
|
{403, "Forbidden", "Forbidden", "Forbidden", `"Forbidden"`},
|
|
{404, "Not Found", "Not Found", "NotFound", `"NotFound"`},
|
|
{400, "Bad Request", "Bad Request", "", `"BadRequest"`},
|
|
{450, "", "your device fails to meet the requirements necessary to access this page, please contact your administrator for assistance", "Unauthorized", `450`},
|
|
{495, "", "a valid client certificate is required to access this page", "Unauthorized", `495`},
|
|
{500, "Internal Server Error", "Internal Server Error", "", `"InternalServerError"`},
|
|
} {
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"Accept": "application/json",
|
|
"User-Agent": "kubectl/vX.Y.Z (linux/amd64) kubernetes/000000",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, tc.code, tc.reason, nil)
|
|
assert.NoError(t, err)
|
|
testutil.AssertProtoJSONEqual(t, fmt.Sprintf(`{
|
|
"deniedResponse": {
|
|
"body": "{\"apiVersion\":\"v1\",\"code\":%[1]d,\"kind\":\"Status\",\"message\":\"%[2]s\",\"reason\":\"%[3]s\",\"status\":\"Failure\"}",
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "application/json" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": %[4]s
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, tc.code, tc.expectedMessage, tc.expectedReason, tc.expectedStatusCode), res)
|
|
}
|
|
})
|
|
|
|
t.Run("html", func(t *testing.T) {
|
|
t.Parallel()
|
|
ctx := context.Background()
|
|
ctx = requestid.WithValue(ctx, "REQUESTID")
|
|
|
|
res, err := a.deniedResponse(ctx, &envoy_service_auth_v3.CheckRequest{}, http.StatusBadRequest, "ERROR", nil)
|
|
assert.NoError(t, err)
|
|
assert.Contains(t, res.GetDeniedResponse().GetBody(), "<!DOCTYPE html>")
|
|
res.HttpResponse.(*envoy_service_auth_v3.CheckResponse_DeniedResponse).DeniedResponse.Body = ""
|
|
testutil.AssertProtoJSONEqual(t, `{
|
|
"deniedResponse": {
|
|
"headers": [
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "Content-Type", "value": "text/html; charset=UTF-8" }
|
|
},
|
|
{
|
|
"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
|
|
"header": { "key": "X-Pomerium-Intercepted-Response", "value": "true" }
|
|
}
|
|
],
|
|
"status": {
|
|
"code": "BadRequest"
|
|
}
|
|
},
|
|
"status": {
|
|
"code": 7,
|
|
"message": "Access Denied"
|
|
}
|
|
}`, res)
|
|
})
|
|
}
|
|
|
|
func mustParseWeightedURLs(t *testing.T, urls ...string) []config.WeightedURL {
|
|
wu, err := config.ParseWeightedUrls(urls...)
|
|
require.NoError(t, err)
|
|
return wu
|
|
}
|
|
|
|
func TestRequireLogin(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
opt := config.NewDefaultOptions()
|
|
opt.DataBrokerURLString = "https://databroker.example.com"
|
|
opt.SharedKey = "E8wWIMnihUx+AUfRegAQDNs8eRb3UrB5G3zlJW9XJDM="
|
|
opt.SigningKey = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUJlMFRxbXJkSXBZWE03c3pSRERWYndXOS83RWJHVWhTdFFJalhsVHNXM1BvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFb0xaRDI2bEdYREhRQmhhZkdlbEVmRDdlNmYzaURjWVJPVjdUbFlIdHF1Y1BFL2hId2dmYQpNY3FBUEZsRmpueUpySXJhYTFlQ2xZRTJ6UktTQk5kNXBRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
|
|
|
|
hpkePrivateKey, err := opt.GetHPKEPrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
authnSrv := httptest.NewServer(hpke_handlers.HPKEPublicKeyHandler(hpkePrivateKey.PublicKey()))
|
|
t.Cleanup(authnSrv.Close)
|
|
opt.AuthenticateURLString = authnSrv.URL
|
|
|
|
a, err := New(context.Background(), &config.Config{Options: opt})
|
|
require.NoError(t, err)
|
|
|
|
t.Run("accept empty", func(t *testing.T) {
|
|
res, err := a.requireLoginResponse(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{},
|
|
&evaluator.Request{})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("accept html", func(t *testing.T) {
|
|
res, err := a.requireLoginResponse(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"accept": "*/*",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
t.Run("accept json", func(t *testing.T) {
|
|
res, err := a.requireLoginResponse(context.Background(),
|
|
&envoy_service_auth_v3.CheckRequest{
|
|
Attributes: &envoy_service_auth_v3.AttributeContext{
|
|
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
|
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
|
Headers: map[string]string{
|
|
"accept": "application/json",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&evaluator.Request{})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.StatusUnauthorized, int(res.GetDeniedResponse().GetStatus().GetCode()))
|
|
})
|
|
}
|