mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 10:26:29 +02:00
dbd7f55b20
* databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)
165 lines
5.3 KiB
Go
165 lines
5.3 KiB
Go
package cookie
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"errors"
|
|
"fmt"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/pomerium/pomerium/internal/cryptutil"
|
|
"github.com/pomerium/pomerium/internal/encoding"
|
|
"github.com/pomerium/pomerium/internal/encoding/ecjson"
|
|
"github.com/pomerium/pomerium/internal/encoding/mock"
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
|
|
"github.com/google/go-cmp/cmp"
|
|
"github.com/google/go-cmp/cmp/cmpopts"
|
|
)
|
|
|
|
func TestNewStore(t *testing.T) {
|
|
cipher, err := cryptutil.NewAEADCipher(cryptutil.NewKey())
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
encoder := ecjson.New(cipher)
|
|
tests := []struct {
|
|
name string
|
|
opts *Options
|
|
encoder encoding.MarshalUnmarshaler
|
|
want sessions.SessionStore
|
|
wantErr bool
|
|
}{
|
|
{"good", &Options{Name: "_cookie", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, encoder, &Store{Name: "_cookie", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, false},
|
|
{"missing name", &Options{Name: "", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, encoder, nil, true},
|
|
{"missing encoder", &Options{Name: "_cookie", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, nil, nil, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := NewStore(tt.opts, tt.encoder)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("NewStore() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
cmpOpts := []cmp.Option{
|
|
cmpopts.IgnoreUnexported(Store{}),
|
|
}
|
|
|
|
if diff := cmp.Diff(got, tt.want, cmpOpts...); diff != "" {
|
|
t.Errorf("NewStore() = %s", diff)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
func TestNewCookieLoader(t *testing.T) {
|
|
cipher, err := cryptutil.NewAEADCipher(cryptutil.NewKey())
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
encoder := ecjson.New(cipher)
|
|
tests := []struct {
|
|
name string
|
|
opts *Options
|
|
encoder encoding.MarshalUnmarshaler
|
|
want *Store
|
|
wantErr bool
|
|
}{
|
|
{"good", &Options{Name: "_cookie", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, encoder, &Store{Name: "_cookie", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, false},
|
|
{"missing name", &Options{Name: "", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, encoder, nil, true},
|
|
{"missing encoder", &Options{Name: "_cookie", Secure: true, HTTPOnly: true, Domain: "pomerium.io", Expire: 10 * time.Second}, nil, nil, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := NewCookieLoader(tt.opts, tt.encoder)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("NewCookieLoader() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
cmpOpts := []cmp.Option{
|
|
cmpopts.IgnoreUnexported(Store{}),
|
|
}
|
|
|
|
if diff := cmp.Diff(got, tt.want, cmpOpts...); diff != "" {
|
|
t.Errorf("NewCookieLoader() = %s", diff)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStore_SaveSession(t *testing.T) {
|
|
c, err := cryptutil.NewAEADCipher(cryptutil.NewKey())
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
hugeString := make([]byte, 4097)
|
|
if _, err := rand.Read(hugeString); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
State interface{}
|
|
encoder encoding.Marshaler
|
|
decoder encoding.Unmarshaler
|
|
wantErr bool
|
|
wantLoadErr bool
|
|
}{
|
|
{"good", &sessions.State{Version: "v1", ID: "xyz"}, ecjson.New(c), ecjson.New(c), false, false},
|
|
{"bad cipher", &sessions.State{Version: "v1", ID: "xyz"}, nil, nil, true, true},
|
|
{"huge cookie", &sessions.State{Version: "v1", ID: "xyz", Subject: fmt.Sprintf("%x", hugeString)}, ecjson.New(c), ecjson.New(c), false, false},
|
|
{"marshal error", &sessions.State{Version: "v1", ID: "xyz"}, mock.Encoder{MarshalError: errors.New("error")}, ecjson.New(c), true, true},
|
|
{"nil encoder cannot save non string type", &sessions.State{Version: "v1", ID: "xyz"}, nil, ecjson.New(c), true, true},
|
|
{"good marshal string directly", cryptutil.NewBase64Key(), nil, ecjson.New(c), false, true},
|
|
{"good marshal bytes directly", cryptutil.NewKey(), nil, ecjson.New(c), false, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
s := &Store{
|
|
Name: "_pomerium",
|
|
Secure: true,
|
|
HTTPOnly: true,
|
|
Domain: "pomerium.io",
|
|
Expire: 10 * time.Second,
|
|
encoder: tt.encoder,
|
|
decoder: tt.decoder,
|
|
}
|
|
|
|
r := httptest.NewRequest("GET", "/", nil)
|
|
w := httptest.NewRecorder()
|
|
|
|
if err := s.SaveSession(w, r, tt.State); (err != nil) != tt.wantErr {
|
|
t.Errorf("Store.SaveSession() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
r = httptest.NewRequest("GET", "/", nil)
|
|
for _, cookie := range w.Result().Cookies() {
|
|
r.AddCookie(cookie)
|
|
}
|
|
|
|
enc := ecjson.New(c)
|
|
jwt, err := s.LoadSession(r)
|
|
if (err != nil) != tt.wantLoadErr {
|
|
t.Errorf("LoadSession() error = %v, wantErr %v", err, tt.wantLoadErr)
|
|
return
|
|
}
|
|
var state sessions.State
|
|
enc.Unmarshal([]byte(jwt), &state)
|
|
|
|
cmpOpts := []cmp.Option{
|
|
cmpopts.IgnoreUnexported(sessions.State{}),
|
|
}
|
|
if err == nil {
|
|
if diff := cmp.Diff(&state, tt.State, cmpOpts...); diff != "" {
|
|
t.Errorf("Store.LoadSession() got = %s", diff)
|
|
}
|
|
}
|
|
w = httptest.NewRecorder()
|
|
s.ClearSession(w, r)
|
|
x := w.Header().Get("Set-Cookie")
|
|
if !strings.Contains(x, "_pomerium=; Path=/;") {
|
|
t.Errorf(x)
|
|
}
|
|
})
|
|
}
|
|
}
|