go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-08-08 22:46:33 +02:00
Code Issues Releases Activity
Files
release/v7.10.0
oauth2-proxy/pkg/validation/sessions_test.go

410 lines
12 KiB
Go
Raw Permalink Normal View History

Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
package validation
import (
"time"
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
"github.com/Bose/minisentinel"
"github.com/alicebob/miniredis/v2"
Fix import path for v7 (#800) * fix import path for v7 find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|' * fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-30 01:44:42 +09:00
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
chore(deps): Updated to ginkgo v2 (#2459) * chore(deps): Updated to ginkgo v2 * fix basic auth test suite cleanup * fix redis store tests * add changelog entry --------- Co-authored-by: Jan Larwig <jan@larwig.com>
2024-07-18 22:41:02 +02:00
. "github.com/onsi/ginkgo/v2"
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
. "github.com/onsi/gomega"
)
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
var _ = Describe("Sessions", func() {
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
const (
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
idTokenConflictMsg = "id_token claim for header \"X-ID-Token\" requires oauth tokens in sessions. session_cookie_minimal cannot be set"
accessTokenConflictMsg = "access_token claim for header \"X-Access-Token\" requires oauth tokens in sessions. session_cookie_minimal cannot be set"
cookieRefreshMsg = "cookie_refresh > 0 requires oauth tokens in sessions. session_cookie_minimal cannot be set"
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
)
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
type cookieMinimalTableInput struct {
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts *options.Options
errStrings []string
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}
DescribeTable("validateSessionCookieMinimal",
func(o *cookieMinimalTableInput) {
Expect(validateSessionCookieMinimal(o.opts)).To(ConsistOf(o.errStrings))
},
Entry("No minimal cookie session", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: false,
},
},
},
errStrings: []string{},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
Entry("No minimal cookie session & request header has access_token claim", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: false,
},
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
InjectRequestHeaders: []options.Header{
{
Name: "X-Access-Token",
Values: []options.HeaderValue{
{
ClaimSource: &options.ClaimSource{
Claim: "access_token",
},
},
},
},
},
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
},
errStrings: []string{},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Entry("Minimal cookie session no conflicts", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: true,
},
},
},
errStrings: []string{},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
Entry("Request Header id_token conflict", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: true,
},
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
InjectRequestHeaders: []options.Header{
{
Name: "X-ID-Token",
Values: []options.HeaderValue{
{
ClaimSource: &options.ClaimSource{
Claim: "id_token",
},
},
},
},
},
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
errStrings: []string{idTokenConflictMsg},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
Entry("Response Header id_token conflict", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: true,
},
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
InjectResponseHeaders: []options.Header{
{
Name: "X-ID-Token",
Values: []options.HeaderValue{
{
ClaimSource: &options.ClaimSource{
Claim: "id_token",
},
},
},
},
},
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
errStrings: []string{idTokenConflictMsg},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
Entry("Request Header access_token conflict", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: true,
},
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
InjectRequestHeaders: []options.Header{
{
Name: "X-Access-Token",
Values: []options.HeaderValue{
{
ClaimSource: &options.ClaimSource{
Claim: "access_token",
},
},
},
},
},
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
errStrings: []string{accessTokenConflictMsg},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Entry("CookieRefresh conflict", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Cookie: options.Cookie{
Refresh: time.Hour,
},
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: true,
},
},
},
errStrings: []string{cookieRefreshMsg},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Entry("Multiple conflicts", &cookieMinimalTableInput{
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
opts: &options.Options{
Session: options.SessionOptions{
Cookie: options.CookieStoreOptions{
Minimal: true,
},
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
InjectResponseHeaders: []options.Header{
{
Name: "X-ID-Token",
Values: []options.HeaderValue{
{
ClaimSource: &options.ClaimSource{
Claim: "id_token",
},
},
},
},
},
InjectRequestHeaders: []options.Header{
{
Name: "X-Access-Token",
Values: []options.HeaderValue{
{
ClaimSource: &options.ClaimSource{
Claim: "access_token",
},
},
},
},
},
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
},
Integrate new header injectors with OAuth2 Proxy
2020-07-29 20:10:14 +01:00
errStrings: []string{idTokenConflictMsg, accessTokenConflictMsg},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
)
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
const (
clusterAndSentinelMsg = "unable to initialize a redis client: options redis-use-sentinel and redis-use-cluster are mutually exclusive"
Update go-redis/redis to v8 (#801) * update go-redis/redis to v8 testify, ginko and gomega have also been updated. * update changelog * Update pkg/sessions/redis/redis_store_test.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 19:49:27 +09:00
parseWrongSchemeMsg = "unable to initialize a redis client: unable to parse redis url: redis: invalid URL scheme: https"
parseWrongFormatMsg = "unable to initialize a redis client: unable to parse redis url: redis: invalid database number: \"wrong\""
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
invalidPasswordSetMsg = "unable to set a redis initialization key: WRONGPASS invalid username-password pair"
invalidPasswordDelMsg = "unable to delete the redis initialization key: WRONGPASS invalid username-password pair"
unreachableRedisSetMsg = "unable to set a redis initialization key: dial tcp 127.0.0.1:65535: connect: connection refused"
unreachableRedisDelMsg = "unable to delete the redis initialization key: dial tcp 127.0.0.1:65535: connect: connection refused"
feat: bump to go1.24.5 and full dependency update (#3116) * upgrade to go1.24.5 dependency updates lint fixes chore(deps): upgrade github.com/spf13/viper to v1.20.1 Note that this upgrade also implied to upgrade github.com/mitchellh/mapstructure (nowadays unmaintained: https://gist.github.com/mitchellh/90029601268e59a29e64e55bab1c5bdc) to github.com/go-viper/mapstructure/v2. fix: adapt tests to match mapstructure v2 error messages pkg/apis/options/load_test.go: skip tests on Go 1.23 Add a compile guard for Go < 1.24 for the pkg/apis/options/load_test.go because the LoadYAML test depends on error messages produced by encoding/json that changed slightly (names of embedded structs are now reported). As we updated the test for go1.24, the test now fails on 1.23, but just for a slight difference, so we disable the test there. fix: adapt tests to match mapstructure v2 error messages remove pre 1.24 disclaimer add changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> Co-Authored-By: Olivier Mengué <dolmen@cpan.org> * add exclusion for 'avoid meaningless package names' in .golangci.yml * chore(dep): upgrade all dependencies Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Olivier Mengué <dolmen@cpan.org> Co-authored-by: Jan Larwig <jan@larwig.com>
2025-07-13 14:55:57 -05:00
unreachableSentinelSetMsg = "unable to set a redis initialization key: redis: all sentinels specified in configuration are unreachable: redis: nil"
unrechableSentinelDelMsg = "unable to delete the redis initialization key: redis: all sentinels specified in configuration are unreachable: redis: nil"
refusedSentinelSetMsg = "unable to set a redis initialization key: redis: all sentinels specified in configuration are unreachable: dial tcp 127.0.0.1:65535: connect: connection refused"
refusedSentinelDelMsg = "unable to delete the redis initialization key: redis: all sentinels specified in configuration are unreachable: dial tcp 127.0.0.1:65535: connect: connection refused"
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
)
type redisStoreTableInput struct {
// miniredis setup details
password string
useSentinel bool
setAddr bool
setSentinelAddr bool
setMasterName bool
opts *options.Options
errStrings []string
Add option to remove tokens from cookie sessions (#673) * Add option to remove tokens from cookie sessions * Move Minimal to be an option on CookieSession * Add sessionOptionsDefaults helper
2020-07-14 15:02:10 -07:00
}
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
DescribeTable("validateRedisSessionStore",
func(o *redisStoreTableInput) {
mr, err := miniredis.Run()
Expect(err).ToNot(HaveOccurred())
mr.RequireAuth(o.password)
defer mr.Close()
if o.setAddr && !o.useSentinel {
o.opts.Session.Redis.ConnectionURL = "redis://" + mr.Addr()
}
if o.useSentinel {
ms := minisentinel.NewSentinel(mr)
Expect(ms.Start()).To(Succeed())
defer ms.Close()
if o.setSentinelAddr {
o.opts.Session.Redis.SentinelConnectionURLs = []string{"redis://" + ms.Addr()}
}
if o.setMasterName {
o.opts.Session.Redis.SentinelMasterName = ms.MasterInfo().Name
}
}
Expect(validateRedisSessionStore(o.opts)).To(ConsistOf(o.errStrings))
},
Entry("cookie sessions are skipped", &redisStoreTableInput{
opts: &options.Options{
Session: options.SessionOptions{
Type: options.CookieSessionStoreType,
},
},
errStrings: []string{},
}),
Entry("connect successfully to pure redis", &redisStoreTableInput{
setAddr: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
},
},
errStrings: []string{},
}),
Entry("failed redis connection with wrong address", &redisStoreTableInput{
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
ConnectionURL: "redis://127.0.0.1:65535",
},
},
},
errStrings: []string{unreachableRedisSetMsg, unreachableRedisDelMsg},
}),
Entry("fail to parse an invalid connection URL with wrong scheme", &redisStoreTableInput{
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
ConnectionURL: "https://example.com",
},
},
},
errStrings: []string{parseWrongSchemeMsg},
}),
Entry("fail to parse an invalid connection URL with invalid format", &redisStoreTableInput{
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
ConnectionURL: "redis://127.0.0.1:6379/wrong",
},
},
},
errStrings: []string{parseWrongFormatMsg},
}),
Entry("connect successfully to pure redis with password", &redisStoreTableInput{
password: "abcdef123",
setAddr: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
Password: "abcdef123",
},
},
},
errStrings: []string{},
}),
Entry("failed connection with wrong password", &redisStoreTableInput{
password: "abcdef123",
setAddr: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
Password: "zyxwtuv987",
},
},
},
errStrings: []string{invalidPasswordSetMsg, invalidPasswordDelMsg},
}),
Entry("connect successfully to sentinel redis", &redisStoreTableInput{
useSentinel: true,
setSentinelAddr: true,
setMasterName: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
UseSentinel: true,
},
},
},
errStrings: []string{},
}),
Entry("connect successfully to sentinel redis with password", &redisStoreTableInput{
password: "abcdef123",
useSentinel: true,
setSentinelAddr: true,
setMasterName: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
Password: "abcdef123",
UseSentinel: true,
},
},
},
errStrings: []string{},
}),
Entry("failed connection to sentinel redis with wrong password", &redisStoreTableInput{
password: "abcdef123",
useSentinel: true,
setSentinelAddr: true,
setMasterName: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
Password: "zyxwtuv987",
UseSentinel: true,
},
},
},
errStrings: []string{invalidPasswordSetMsg, invalidPasswordDelMsg},
}),
Entry("failed connection to sentinel redis with wrong master name", &redisStoreTableInput{
useSentinel: true,
setSentinelAddr: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
UseSentinel: true,
SentinelMasterName: "WRONG",
},
},
},
errStrings: []string{unreachableSentinelSetMsg, unrechableSentinelDelMsg},
}),
Entry("failed connection to sentinel redis with wrong address", &redisStoreTableInput{
useSentinel: true,
setMasterName: true,
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
UseSentinel: true,
SentinelConnectionURLs: []string{"redis://127.0.0.1:65535"},
},
},
},
feat: bump to go1.24.5 and full dependency update (#3116) * upgrade to go1.24.5 dependency updates lint fixes chore(deps): upgrade github.com/spf13/viper to v1.20.1 Note that this upgrade also implied to upgrade github.com/mitchellh/mapstructure (nowadays unmaintained: https://gist.github.com/mitchellh/90029601268e59a29e64e55bab1c5bdc) to github.com/go-viper/mapstructure/v2. fix: adapt tests to match mapstructure v2 error messages pkg/apis/options/load_test.go: skip tests on Go 1.23 Add a compile guard for Go < 1.24 for the pkg/apis/options/load_test.go because the LoadYAML test depends on error messages produced by encoding/json that changed slightly (names of embedded structs are now reported). As we updated the test for go1.24, the test now fails on 1.23, but just for a slight difference, so we disable the test there. fix: adapt tests to match mapstructure v2 error messages remove pre 1.24 disclaimer add changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> Co-Authored-By: Olivier Mengué <dolmen@cpan.org> * add exclusion for 'avoid meaningless package names' in .golangci.yml * chore(dep): upgrade all dependencies Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Olivier Mengué <dolmen@cpan.org> Co-authored-by: Jan Larwig <jan@larwig.com>
2025-07-13 14:55:57 -05:00
errStrings: []string{refusedSentinelSetMsg, refusedSentinelDelMsg},
Validate Redis session store health on startup
2020-08-06 15:43:01 -07:00
}),
Entry("sentinel and cluster both enabled fails", &redisStoreTableInput{
opts: &options.Options{
Session: options.SessionOptions{
Type: options.RedisSessionStoreType,
Redis: options.RedisStoreOptions{
UseSentinel: true,
UseCluster: true,
},
},
},
errStrings: []string{clusterAndSentinelMsg},
}),
)
})
Reference in New Issue Copy Permalink