mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 02:46:30 +02:00
c13459bb88
* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
158 lines
4.4 KiB
Go
158 lines
4.4 KiB
Go
package authenticate
|
|
|
|
import (
|
|
"net/url"
|
|
"os"
|
|
"reflect"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func testOptions() *Options {
|
|
redirectURL, _ := url.Parse("https://example.com/oauth2/callback")
|
|
return &Options{
|
|
ProxyRootDomains: []string{"example.com"},
|
|
RedirectURL: redirectURL,
|
|
SharedKey: "80ldlrU2d7w+wVpKNfevk6fmb8otEx6CqOfshj2LwhQ=",
|
|
ClientID: "test-client-id",
|
|
ClientSecret: "OromP1gurwGWjQPYb1nNgSxtbVB5NnLzX6z5WOKr0Yw=",
|
|
CookieSecret: "OromP1gurwGWjQPYb1nNgSxtbVB5NnLzX6z5WOKr0Yw=",
|
|
CookieRefresh: time.Duration(1) * time.Hour,
|
|
CookieExpire: time.Duration(168) * time.Hour,
|
|
CookieName: "pomerium",
|
|
}
|
|
}
|
|
|
|
func TestOptions_Validate(t *testing.T) {
|
|
good := testOptions()
|
|
badRedirectURL := testOptions()
|
|
badRedirectURL.RedirectURL = nil
|
|
malformedRedirectURL := testOptions()
|
|
redirectURL, _ := url.Parse("https://example.com/oauth3/callback")
|
|
malformedRedirectURL.RedirectURL = redirectURL
|
|
emptyClientID := testOptions()
|
|
emptyClientID.ClientID = ""
|
|
emptyClientSecret := testOptions()
|
|
emptyClientSecret.ClientSecret = ""
|
|
proxyRootDomains := testOptions()
|
|
proxyRootDomains.ProxyRootDomains = nil
|
|
emptyCookieSecret := testOptions()
|
|
emptyCookieSecret.CookieSecret = ""
|
|
invalidCookieSecret := testOptions()
|
|
invalidCookieSecret.CookieSecret = "OromP1gurwGWjQPYb1nNgSxtbVB5NnLzX6z5WOKr0Yw^"
|
|
shortCookieLength := testOptions()
|
|
shortCookieLength.CookieSecret = "gN3xnvfsAwfCXxnJorGLKUG4l2wC8sS8nfLMhcStPg=="
|
|
badSharedKey := testOptions()
|
|
badSharedKey.SharedKey = ""
|
|
|
|
tests := []struct {
|
|
name string
|
|
o *Options
|
|
wantErr bool
|
|
}{
|
|
{"minimum options", good, false},
|
|
{"nil options", &Options{}, true},
|
|
{"bad redirect url", badRedirectURL, true},
|
|
{"malformed redirect url", malformedRedirectURL, true},
|
|
{"no cookie secret", emptyCookieSecret, true},
|
|
{"invalid cookie secret", invalidCookieSecret, true},
|
|
{"short cookie secret", shortCookieLength, true},
|
|
{"no shared secret", badSharedKey, true},
|
|
{"no client id", emptyClientID, true},
|
|
{"no client secret", emptyClientSecret, true},
|
|
{"empty root domains", proxyRootDomains, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
o := tt.o
|
|
if err := o.Validate(); (err != nil) != tt.wantErr {
|
|
t.Errorf("Options.Validate() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestOptionsFromEnvConfig(t *testing.T) {
|
|
os.Clearenv()
|
|
|
|
tests := []struct {
|
|
name string
|
|
want *Options
|
|
envKey string
|
|
envValue string
|
|
wantErr bool
|
|
}{
|
|
{"good default, no env settings", defaultOptions, "", "", false},
|
|
{"bad url", nil, "REDIRECT_URL", "%.rjlw", true},
|
|
{"good duration", defaultOptions, "COOKIE_EXPIRE", "1m", false},
|
|
{"bad duration", nil, "COOKIE_REFRESH", "1sm", true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if tt.envKey != "" {
|
|
os.Setenv(tt.envKey, tt.envValue)
|
|
defer os.Unsetenv(tt.envKey)
|
|
}
|
|
got, err := OptionsFromEnvConfig()
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("OptionsFromEnvConfig() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
if !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("OptionsFromEnvConfig() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_dotPrependDomains(t *testing.T) {
|
|
|
|
tests := []struct {
|
|
name string
|
|
d []string
|
|
want []string
|
|
}{
|
|
{"single domain", []string{"google.com"}, []string{".google.com"}},
|
|
{"multiple domain", []string{"google.com", "bing.com"}, []string{".google.com", ".bing.com"}},
|
|
{"empty", []string{""}, []string{""}},
|
|
{"nested subdomain", []string{"some.really.long.domain.com"}, []string{".some.really.long.domain.com"}},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := dotPrependDomains(tt.d); !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("dotPrependDomains() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNew(t *testing.T) {
|
|
good := testOptions()
|
|
good.Provider = "google"
|
|
|
|
badRedirectURL := testOptions()
|
|
badRedirectURL.RedirectURL = nil
|
|
|
|
tests := []struct {
|
|
name string
|
|
opts *Options
|
|
// want *Authenticate
|
|
wantErr bool
|
|
}{
|
|
{"good", good, false},
|
|
{"empty opts", nil, true},
|
|
{"fails to validate", badRedirectURL, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
_, err := New(tt.opts)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
// if !reflect.DeepEqual(got, tt.want) {
|
|
// t.Errorf("New() = %v, want %v", got, tt.want)
|
|
// }
|
|
})
|
|
}
|
|
}
|