2020-09-22 18:54:32 -07:00
|
|
|
package validation
|
|
|
|
|
|
|
|
import (
|
2020-09-23 20:37:58 -07:00
|
|
|
. "github.com/onsi/ginkgo"
|
|
|
|
. "github.com/onsi/ginkgo/extensions/table"
|
|
|
|
. "github.com/onsi/gomega"
|
2020-10-05 12:39:44 -07:00
|
|
|
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
2020-09-22 18:54:32 -07:00
|
|
|
)
|
|
|
|
|
2020-09-23 20:37:58 -07:00
|
|
|
var _ = Describe("Allowlist", func() {
|
|
|
|
type validateRoutesTableInput struct {
|
|
|
|
routes []string
|
|
|
|
errStrings []string
|
|
|
|
}
|
|
|
|
|
|
|
|
type validateRegexesTableInput struct {
|
|
|
|
regexes []string
|
|
|
|
errStrings []string
|
|
|
|
}
|
|
|
|
|
|
|
|
type validateTrustedIPsTableInput struct {
|
|
|
|
trustedIPs []string
|
|
|
|
errStrings []string
|
2020-09-22 18:54:32 -07:00
|
|
|
}
|
|
|
|
|
2020-09-23 20:37:58 -07:00
|
|
|
DescribeTable("validateRoutes",
|
|
|
|
func(r *validateRoutesTableInput) {
|
|
|
|
opts := &options.Options{
|
|
|
|
SkipAuthRoutes: r.routes,
|
|
|
|
}
|
2022-09-11 17:09:32 +02:00
|
|
|
Expect(validateAuthRoutes(opts)).To(ConsistOf(r.errStrings))
|
2020-09-23 20:37:58 -07:00
|
|
|
},
|
|
|
|
Entry("Valid regex routes", &validateRoutesTableInput{
|
|
|
|
routes: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"/foo",
|
|
|
|
"POST=/foo/bar",
|
|
|
|
"PUT=^/foo/bar$",
|
|
|
|
"DELETE=/crazy/(?:regex)?/[^/]+/stuff$",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
errStrings: []string{},
|
|
|
|
}),
|
|
|
|
Entry("Bad regexes do not compile", &validateRoutesTableInput{
|
|
|
|
routes: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"POST=/(foo",
|
|
|
|
"OPTIONS=/foo/bar)",
|
|
|
|
"GET=^]/foo/bar[$",
|
|
|
|
"GET=^]/foo/bar[$",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
errStrings: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"error compiling regex //(foo/: error parsing regexp: missing closing ): `/(foo`",
|
|
|
|
"error compiling regex //foo/bar)/: error parsing regexp: unexpected ): `/foo/bar)`",
|
|
|
|
"error compiling regex /^]/foo/bar[$/: error parsing regexp: missing closing ]: `[$`",
|
|
|
|
"error compiling regex /^]/foo/bar[$/: error parsing regexp: missing closing ]: `[$`",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
}),
|
|
|
|
)
|
2020-09-22 18:54:32 -07:00
|
|
|
|
2020-09-23 20:37:58 -07:00
|
|
|
DescribeTable("validateRegexes",
|
|
|
|
func(r *validateRegexesTableInput) {
|
2020-09-22 18:54:32 -07:00
|
|
|
opts := &options.Options{
|
2020-09-23 20:37:58 -07:00
|
|
|
SkipAuthRegex: r.regexes,
|
2020-09-22 18:54:32 -07:00
|
|
|
}
|
2022-09-11 17:09:32 +02:00
|
|
|
Expect(validateAuthRegexes(opts)).To(ConsistOf(r.errStrings))
|
2020-09-23 20:37:58 -07:00
|
|
|
},
|
|
|
|
Entry("Valid regex routes", &validateRegexesTableInput{
|
|
|
|
regexes: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"/foo",
|
|
|
|
"/foo/bar",
|
|
|
|
"^/foo/bar$",
|
|
|
|
"/crazy/(?:regex)?/[^/]+/stuff$",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
errStrings: []string{},
|
|
|
|
}),
|
|
|
|
Entry("Bad regexes do not compile", &validateRegexesTableInput{
|
|
|
|
regexes: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"/(foo",
|
|
|
|
"/foo/bar)",
|
|
|
|
"^]/foo/bar[$",
|
|
|
|
"^]/foo/bar[$",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
errStrings: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"error compiling regex //(foo/: error parsing regexp: missing closing ): `/(foo`",
|
|
|
|
"error compiling regex //foo/bar)/: error parsing regexp: unexpected ): `/foo/bar)`",
|
|
|
|
"error compiling regex /^]/foo/bar[$/: error parsing regexp: missing closing ]: `[$`",
|
|
|
|
"error compiling regex /^]/foo/bar[$/: error parsing regexp: missing closing ]: `[$`",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
}),
|
|
|
|
)
|
2020-09-22 18:54:32 -07:00
|
|
|
|
2020-09-23 20:37:58 -07:00
|
|
|
DescribeTable("validateTrustedIPs",
|
|
|
|
func(t *validateTrustedIPsTableInput) {
|
2020-09-22 18:54:32 -07:00
|
|
|
opts := &options.Options{
|
2020-09-23 20:37:58 -07:00
|
|
|
TrustedIPs: t.trustedIPs,
|
2020-09-22 18:54:32 -07:00
|
|
|
}
|
2020-09-23 20:37:58 -07:00
|
|
|
Expect(validateTrustedIPs(opts)).To(ConsistOf(t.errStrings))
|
|
|
|
},
|
|
|
|
Entry("Non-overlapping valid IPs", &validateTrustedIPsTableInput{
|
|
|
|
trustedIPs: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"127.0.0.1",
|
|
|
|
"10.32.0.1/32",
|
|
|
|
"43.36.201.0/24",
|
|
|
|
"::1",
|
|
|
|
"2a12:105:ee7:9234:0:0:0:0/64",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
errStrings: []string{},
|
|
|
|
}),
|
|
|
|
Entry("Overlapping valid IPs", &validateTrustedIPsTableInput{
|
|
|
|
trustedIPs: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"135.180.78.199",
|
|
|
|
"135.180.78.199/32",
|
|
|
|
"d910:a5a1:16f8:ddf5:e5b9:5cef:a65e:41f4",
|
|
|
|
"d910:a5a1:16f8:ddf5:e5b9:5cef:a65e:41f4/128",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
errStrings: []string{},
|
|
|
|
}),
|
|
|
|
Entry("Invalid IPs", &validateTrustedIPsTableInput{
|
|
|
|
trustedIPs: []string{"[::1]", "alkwlkbn/32"},
|
|
|
|
errStrings: []string{
|
2020-09-22 18:54:32 -07:00
|
|
|
"trusted_ips[0] ([::1]) could not be recognized",
|
|
|
|
"trusted_ips[1] (alkwlkbn/32) could not be recognized",
|
|
|
|
},
|
2020-09-23 20:37:58 -07:00
|
|
|
}),
|
|
|
|
)
|
|
|
|
})
|