oauth2-proxy/providers/ms_entra_id_test.go

package providers

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"testing"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/golang-jwt/jwt/v5"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	"github.com/stretchr/testify/assert"

	. "github.com/onsi/gomega"
)

func TestAzureEntraOIDCProviderNewMultiTenant(t *testing.T) {
	g := NewWithT(t)

	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
		options.Provider{OIDCConfig: options.OIDCOptions{
			IssuerURL:                      "https://login.microsoftonline.com/common/v2.0",
			InsecureSkipIssuerVerification: true,
		}},
	)
	g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
}

func TestAzureEntraOIDCProviderNewSingleTenant(t *testing.T) {
	g := NewWithT(t)

	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
		options.Provider{OIDCConfig: options.OIDCOptions{
			IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
		}},
	)
	g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
}

func TestAzureEntraOIDCProviderEnrichSessionGroupOverage(t *testing.T) {
	// Create ID Token that indicates group overage with _claim_names
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	claimsWithGroupOverage := &claimsWithGroupOverage{
		jwt.RegisteredClaims{
			Issuer: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
		},
		map[string]string{"groups": "src1"},
	}

	jwtWithClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithGroupOverage)
	signedJWT, err := jwtWithClaims.SignedString(key)

	assert.NoError(t, err)

	session := CreateAuthorizedSession()
	session.IDToken = signedJWT
	session.Email = "mock@example.com"

	// Create provider
	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
		options.Provider{OIDCConfig: options.OIDCOptions{
			IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
		}},
	)

	// Create mocked Azure Graph server and override Graph URL
	mockedGraph := mockGraphAPI(false)
	mockedGraphURL, _ := url.Parse(mockedGraph.URL)
	updateURL(provider.microsoftGraphURL, mockedGraphURL.Host)

	// Test EnrichSession
	err = provider.EnrichSession(context.Background(), session)

	assert.NoError(t, err)
	assert.Contains(t, session.Groups, "85d7d600-7804-4d92-8d43-9c33c21c130c")
	assert.Contains(t, session.Groups, "916f0604-8a3b-4a69-bda9-06db11a8f0cd")
	assert.Contains(t, session.Groups, "b1aef995-6b55-4ac6-bbfe-e829810e9352", "Pagination using $skiptoken failed")
}

func TestAzureEntraOIDCProviderValidateSessionAllowedTenants(t *testing.T) {
	// Create multi-tenant Azure Entra provider with allowed tenants
	provider := NewMicrosoftEntraIDProvider(
		&ProviderData{
			Verifier: &mockedVerifier{},
		},
		options.Provider{
			OIDCConfig: options.OIDCOptions{
				IssuerURL:                      "https://login.microsoftonline.com/common/v2.0",
				InsecureSkipIssuerVerification: true,
				InsecureSkipNonce:              true,
			},
			MicrosoftEntraIDConfig: options.MicrosoftEntraIDOptions{
				AllowedTenants: []string{"85d7d600-7804-4d92-8d43-9c33c21c130c"},
			},
		},
	)

	// Check for invalid tenant
	key, _ := rsa.GenerateKey(rand.Reader, 2048)

	idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
		Issuer: "https://login.microsoftonline.com/invalid_tenant/v2.0",
	})
	invalidJWT, err := idToken.SignedString(key)
	assert.NoError(t, err)

	session := CreateAuthorizedSession()
	session.IDToken = invalidJWT

	valid := provider.ValidateSession(context.Background(), session)
	assert.False(t, valid)

	// Check for valid tenant
	idToken = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
		Issuer: "https://login.microsoftonline.com/85d7d600-7804-4d92-8d43-9c33c21c130c/v2.0",
	})
	validJWT, err := idToken.SignedString(key)
	assert.NoError(t, err)

	session = CreateAuthorizedSession()
	session.IDToken = validJWT

	valid = provider.ValidateSession(context.Background(), session)
	assert.True(t, valid)
}

func mockGraphAPI(noGroupMemberPermissions bool) *httptest.Server {
	groupsPath := "/v1.0/me/transitiveMemberOf"

	return httptest.NewServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			if noGroupMemberPermissions {
				w.WriteHeader(401)
			} else if r.URL.Path == groupsPath && r.Method == http.MethodGet && len(r.URL.Query()["$skiptoken"]) > 0 {
				// Second page (pagination)
				w.Write([]byte(`{
					"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
					"value": [
						{
							"@odata.type": "#microsoft.graph.group",
							"id": "b1aef995-6b55-4ac6-bbfe-e829810e9352"
						}
					]
				}`))

			} else if r.URL.Path == groupsPath && r.Method == http.MethodGet {
				// First page (pagination)
				w.Write([]byte(fmt.Sprintf(`{
					"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
					"@odata.nextLink": "http://%s/v1.0/me/transitiveMemberOf?$select=id&$top=2&$skiptoken=TEST_TOKEN",
					"value": [
						{
							"@odata.type": "#microsoft.graph.group",
							"id": "85d7d600-7804-4d92-8d43-9c33c21c130c"
						  },
						  {
							"@odata.type": "#microsoft.graph.group",
							"id": "916f0604-8a3b-4a69-bda9-06db11a8f0cd"
						  }
					]
				}`, r.Host)))
			}
		},
	))
}

type claimsWithGroupOverage struct {
	jwt.RegisteredClaims
	ClaimNames interface{} `json:"_claim_names,omitempty"`
}

func (c *claimsWithGroupOverage) Valid() error {
	return nil
}

type mockedVerifier struct {
}

func (v *mockedVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) {
	return nil, nil
}
Microsoft Entra ID provider (#2390) * Microsoft Entra ID Provider * fix typo in function name * documentation tweaks * documentation and comment tweak * docs tweaks * final tweaks * refactor: drop flag for skipping graph groups * update legacy / deprecated provider page and sort provider overview * reformat * move entra-id provider into switch (treat like every other provider * fix test case and reformat * fix sidebar configuration * apply review suggestions * add pagination for graph api * fix: do not error when groups unable to retrieve * doc: number of groups fix * restore master packages * docs: tiny docs tweak * address review comments * fix codegen --------- Co-authored-by: tuunit <jan@larwig.com> 2024-12-31 12:46:13 +01:00			`package providers`

			`import (`
			`"context"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"fmt"`
			`"net/http"`
			`"net/http/httptest"`
			`"net/url"`
			`"testing"`

			`"github.com/coreos/go-oidc/v3/oidc"`
			`"github.com/golang-jwt/jwt/v5"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"`
			`"github.com/stretchr/testify/assert"`

			`. "github.com/onsi/gomega"`
			`)`

			`func TestAzureEntraOIDCProviderNewMultiTenant(t *testing.T) {`
			`g := NewWithT(t)`

			`provider := NewMicrosoftEntraIDProvider(&ProviderData{},`
			`options.Provider{OIDCConfig: options.OIDCOptions{`
			`IssuerURL: "https://login.microsoftonline.com/common/v2.0",`
			`InsecureSkipIssuerVerification: true,`
			`}},`
			`)`
			`g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))`
			`}`

			`func TestAzureEntraOIDCProviderNewSingleTenant(t *testing.T) {`
			`g := NewWithT(t)`

			`provider := NewMicrosoftEntraIDProvider(&ProviderData{},`
			`options.Provider{OIDCConfig: options.OIDCOptions{`
			`IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",`
			`}},`
			`)`
			`g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))`
			`}`

			`func TestAzureEntraOIDCProviderEnrichSessionGroupOverage(t *testing.T) {`
			`// Create ID Token that indicates group overage with _claim_names`
			`key, _ := rsa.GenerateKey(rand.Reader, 2048)`
			`claimsWithGroupOverage := &claimsWithGroupOverage{`
			`jwt.RegisteredClaims{`
			`Issuer: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",`
			`},`
			`map[string]string{"groups": "src1"},`
			`}`

			`jwtWithClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithGroupOverage)`
			`signedJWT, err := jwtWithClaims.SignedString(key)`

			`assert.NoError(t, err)`

			`session := CreateAuthorizedSession()`
			`session.IDToken = signedJWT`
			`session.Email = "mock@example.com"`

			`// Create provider`
			`provider := NewMicrosoftEntraIDProvider(&ProviderData{},`
			`options.Provider{OIDCConfig: options.OIDCOptions{`
			`IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",`
			`}},`
			`)`

			`// Create mocked Azure Graph server and override Graph URL`
			`mockedGraph := mockGraphAPI(false)`
			`mockedGraphURL, _ := url.Parse(mockedGraph.URL)`
			`updateURL(provider.microsoftGraphURL, mockedGraphURL.Host)`

			`// Test EnrichSession`
			`err = provider.EnrichSession(context.Background(), session)`

			`assert.NoError(t, err)`
			`assert.Contains(t, session.Groups, "85d7d600-7804-4d92-8d43-9c33c21c130c")`
			`assert.Contains(t, session.Groups, "916f0604-8a3b-4a69-bda9-06db11a8f0cd")`
			`assert.Contains(t, session.Groups, "b1aef995-6b55-4ac6-bbfe-e829810e9352", "Pagination using $skiptoken failed")`
			`}`

			`func TestAzureEntraOIDCProviderValidateSessionAllowedTenants(t *testing.T) {`
			`// Create multi-tenant Azure Entra provider with allowed tenants`
			`provider := NewMicrosoftEntraIDProvider(`
			`&ProviderData{`
			`Verifier: &mockedVerifier{},`
			`},`
			`options.Provider{`
			`OIDCConfig: options.OIDCOptions{`
			`IssuerURL: "https://login.microsoftonline.com/common/v2.0",`
			`InsecureSkipIssuerVerification: true,`
			`InsecureSkipNonce: true,`
			`},`
			`MicrosoftEntraIDConfig: options.MicrosoftEntraIDOptions{`
			`AllowedTenants: []string{"85d7d600-7804-4d92-8d43-9c33c21c130c"},`
			`},`
			`},`
			`)`

			`// Check for invalid tenant`
			`key, _ := rsa.GenerateKey(rand.Reader, 2048)`

			`idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{`
			`Issuer: "https://login.microsoftonline.com/invalid_tenant/v2.0",`
			`})`
			`invalidJWT, err := idToken.SignedString(key)`
			`assert.NoError(t, err)`

			`session := CreateAuthorizedSession()`
			`session.IDToken = invalidJWT`

			`valid := provider.ValidateSession(context.Background(), session)`
			`assert.False(t, valid)`

			`// Check for valid tenant`
			`idToken = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{`
			`Issuer: "https://login.microsoftonline.com/85d7d600-7804-4d92-8d43-9c33c21c130c/v2.0",`
			`})`
			`validJWT, err := idToken.SignedString(key)`
			`assert.NoError(t, err)`

			`session = CreateAuthorizedSession()`
			`session.IDToken = validJWT`

			`valid = provider.ValidateSession(context.Background(), session)`
			`assert.True(t, valid)`
			`}`

			`func mockGraphAPI(noGroupMemberPermissions bool) *httptest.Server {`
			`groupsPath := "/v1.0/me/transitiveMemberOf"`

			`return httptest.NewServer(http.HandlerFunc(`
			`func(w http.ResponseWriter, r *http.Request) {`
			`if noGroupMemberPermissions {`
			`w.WriteHeader(401)`
			`} else if r.URL.Path == groupsPath && r.Method == http.MethodGet && len(r.URL.Query()["$skiptoken"]) > 0 {`
			`// Second page (pagination)`
			w.Write([]byte(`{
			`"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",`
			`"value": [`
			`{`
			`"@odata.type": "#microsoft.graph.group",`
			`"id": "b1aef995-6b55-4ac6-bbfe-e829810e9352"`
			`}`
			`]`
			}`))

			`} else if r.URL.Path == groupsPath && r.Method == http.MethodGet {`
			`// First page (pagination)`
			w.Write([]byte(fmt.Sprintf(`{
			`"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",`
			`"@odata.nextLink": "http://%s/v1.0/me/transitiveMemberOf?$select=id&$top=2&$skiptoken=TEST_TOKEN",`
			`"value": [`
			`{`
			`"@odata.type": "#microsoft.graph.group",`
			`"id": "85d7d600-7804-4d92-8d43-9c33c21c130c"`
			`},`
			`{`
			`"@odata.type": "#microsoft.graph.group",`
			`"id": "916f0604-8a3b-4a69-bda9-06db11a8f0cd"`
			`}`
			`]`
			}`, r.Host)))
			`}`
			`},`
			`))`
			`}`

			`type claimsWithGroupOverage struct {`
			`jwt.RegisteredClaims`
			ClaimNames interface{} `json:"_claim_names,omitempty"`
			`}`

			`func (c *claimsWithGroupOverage) Valid() error {`
			`return nil`
			`}`

			`type mockedVerifier struct {`
			`}`

			`func (v mockedVerifier) Verify(ctx context.Context, rawIDToken string) (oidc.IDToken, error) {`
			`return nil, nil`
			`}`