2019-05-06 15:33:33 +02:00
|
|
|
package sessions_test
|
|
|
|
|
|
|
|
import (
|
2019-05-07 14:55:49 +02:00
|
|
|
"crypto/rand"
|
|
|
|
"encoding/base64"
|
2019-05-06 23:34:43 +02:00
|
|
|
"net/http"
|
2019-05-07 01:20:36 +02:00
|
|
|
"net/http/httptest"
|
2019-05-07 17:13:55 +02:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
2019-05-06 15:33:33 +02:00
|
|
|
"testing"
|
2019-05-06 23:34:43 +02:00
|
|
|
"time"
|
2019-05-06 15:33:33 +02:00
|
|
|
|
|
|
|
. "github.com/onsi/ginkgo"
|
|
|
|
. "github.com/onsi/gomega"
|
|
|
|
"github.com/pusher/oauth2_proxy/pkg/apis/options"
|
2019-05-06 23:34:43 +02:00
|
|
|
sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions"
|
2019-05-07 01:20:36 +02:00
|
|
|
"github.com/pusher/oauth2_proxy/pkg/cookies"
|
2019-05-06 15:33:33 +02:00
|
|
|
"github.com/pusher/oauth2_proxy/pkg/sessions"
|
|
|
|
"github.com/pusher/oauth2_proxy/pkg/sessions/cookie"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestSessionStore(t *testing.T) {
|
|
|
|
RegisterFailHandler(Fail)
|
|
|
|
RunSpecs(t, "SessionStore")
|
|
|
|
}
|
|
|
|
|
|
|
|
var _ = Describe("NewSessionStore", func() {
|
|
|
|
var opts *options.SessionOptions
|
|
|
|
var cookieOpts *options.CookieOptions
|
|
|
|
|
2019-05-06 23:34:43 +02:00
|
|
|
var request *http.Request
|
2019-05-07 01:20:36 +02:00
|
|
|
var response *httptest.ResponseRecorder
|
2019-05-06 23:34:43 +02:00
|
|
|
var session *sessionsapi.SessionState
|
2019-05-07 14:32:54 +02:00
|
|
|
var ss sessionsapi.SessionStore
|
2019-05-06 23:34:43 +02:00
|
|
|
|
|
|
|
CheckCookieOptions := func() {
|
|
|
|
Context("the cookies returned", func() {
|
|
|
|
var cookies []*http.Cookie
|
|
|
|
BeforeEach(func() {
|
2019-05-07 01:20:36 +02:00
|
|
|
cookies = response.Result().Cookies()
|
2019-05-06 23:34:43 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
It("have the correct name set", func() {
|
|
|
|
if len(cookies) == 1 {
|
|
|
|
Expect(cookies[0].Name).To(Equal(cookieOpts.CookieName))
|
|
|
|
} else {
|
|
|
|
for _, cookie := range cookies {
|
|
|
|
Expect(cookie.Name).To(ContainSubstring(cookieOpts.CookieName))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("have the correct path set", func() {
|
|
|
|
for _, cookie := range cookies {
|
|
|
|
Expect(cookie.Path).To(Equal(cookieOpts.CookiePath))
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("have the correct domain set", func() {
|
|
|
|
for _, cookie := range cookies {
|
|
|
|
Expect(cookie.Domain).To(Equal(cookieOpts.CookieDomain))
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("have the correct HTTPOnly set", func() {
|
|
|
|
for _, cookie := range cookies {
|
|
|
|
Expect(cookie.HttpOnly).To(Equal(cookieOpts.CookieHTTPOnly))
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("have the correct secure set", func() {
|
|
|
|
for _, cookie := range cookies {
|
|
|
|
Expect(cookie.Secure).To(Equal(cookieOpts.CookieSecure))
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2019-05-07 17:13:55 +02:00
|
|
|
It("have a signature timestamp matching session.CreatedAt", func() {
|
|
|
|
for _, cookie := range cookies {
|
|
|
|
if cookie.Value != "" {
|
|
|
|
parts := strings.Split(cookie.Value, "|")
|
|
|
|
Expect(parts).To(HaveLen(3))
|
|
|
|
Expect(parts[1]).To(Equal(strconv.Itoa(int(session.CreatedAt.Unix()))))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2019-05-06 23:34:43 +02:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-05-07 14:32:54 +02:00
|
|
|
SessionStoreInterfaceTests := func() {
|
2019-05-08 17:36:28 +02:00
|
|
|
Context("when Save is called", func() {
|
2019-05-06 23:34:43 +02:00
|
|
|
BeforeEach(func() {
|
2019-05-08 17:36:28 +02:00
|
|
|
err := ss.Save(response, request, session)
|
2019-05-06 23:34:43 +02:00
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
})
|
|
|
|
|
2019-05-07 14:32:54 +02:00
|
|
|
It("sets a `set-cookie` header in the response", func() {
|
|
|
|
Expect(response.Header().Get("set-cookie")).ToNot(BeEmpty())
|
|
|
|
})
|
2019-05-06 23:34:43 +02:00
|
|
|
|
2019-05-07 17:13:55 +02:00
|
|
|
It("Ensures the session CreatedAt is not zero", func() {
|
|
|
|
Expect(session.CreatedAt.IsZero()).To(BeFalse())
|
|
|
|
})
|
|
|
|
|
2019-05-07 14:32:54 +02:00
|
|
|
CheckCookieOptions()
|
|
|
|
})
|
2019-05-06 23:34:43 +02:00
|
|
|
|
2019-05-08 17:36:28 +02:00
|
|
|
Context("when Clear is called", func() {
|
2019-05-07 14:32:54 +02:00
|
|
|
BeforeEach(func() {
|
|
|
|
cookie := cookies.MakeCookie(request,
|
|
|
|
cookieOpts.CookieName,
|
|
|
|
"foo",
|
|
|
|
cookieOpts.CookiePath,
|
|
|
|
cookieOpts.CookieDomain,
|
|
|
|
cookieOpts.CookieHTTPOnly,
|
|
|
|
cookieOpts.CookieSecure,
|
|
|
|
cookieOpts.CookieExpire,
|
|
|
|
time.Now(),
|
|
|
|
)
|
|
|
|
request.AddCookie(cookie)
|
2019-05-08 17:36:28 +02:00
|
|
|
err := ss.Clear(response, request)
|
2019-05-07 14:32:54 +02:00
|
|
|
Expect(err).ToNot(HaveOccurred())
|
2019-05-06 23:34:43 +02:00
|
|
|
})
|
|
|
|
|
2019-05-07 14:32:54 +02:00
|
|
|
It("sets a `set-cookie` header in the response", func() {
|
|
|
|
Expect(response.Header().Get("Set-Cookie")).ToNot(BeEmpty())
|
2019-05-06 23:34:43 +02:00
|
|
|
})
|
2019-05-07 14:32:54 +02:00
|
|
|
|
|
|
|
CheckCookieOptions()
|
|
|
|
})
|
2019-05-07 14:42:43 +02:00
|
|
|
|
2019-05-08 17:36:28 +02:00
|
|
|
Context("when Load is called", func() {
|
2019-05-07 14:42:43 +02:00
|
|
|
var loadedSession *sessionsapi.SessionState
|
|
|
|
BeforeEach(func() {
|
|
|
|
req := httptest.NewRequest("GET", "http://example.com/", nil)
|
|
|
|
resp := httptest.NewRecorder()
|
2019-05-08 17:36:28 +02:00
|
|
|
err := ss.Save(resp, req, session)
|
2019-05-07 14:42:43 +02:00
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
|
|
|
|
for _, cookie := range resp.Result().Cookies() {
|
|
|
|
request.AddCookie(cookie)
|
|
|
|
}
|
2019-05-08 17:36:28 +02:00
|
|
|
loadedSession, err = ss.Load(request)
|
2019-05-07 14:42:43 +02:00
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
})
|
|
|
|
|
|
|
|
It("loads a session equal to the original session", func() {
|
|
|
|
if cookieOpts.CookieSecret == "" {
|
|
|
|
// Only Email and User stored in session when encrypted
|
|
|
|
Expect(loadedSession.Email).To(Equal(session.Email))
|
|
|
|
Expect(loadedSession.User).To(Equal(session.User))
|
|
|
|
} else {
|
|
|
|
// All fields stored in session if encrypted
|
2019-05-07 14:55:49 +02:00
|
|
|
|
|
|
|
// Can't compare time.Time using Equal() so remove ExpiresOn from sessions
|
|
|
|
l := *loadedSession
|
2019-05-07 17:13:55 +02:00
|
|
|
l.CreatedAt = time.Time{}
|
2019-05-07 14:55:49 +02:00
|
|
|
l.ExpiresOn = time.Time{}
|
|
|
|
s := *session
|
2019-05-07 17:13:55 +02:00
|
|
|
s.CreatedAt = time.Time{}
|
2019-05-07 14:55:49 +02:00
|
|
|
s.ExpiresOn = time.Time{}
|
|
|
|
Expect(l).To(Equal(s))
|
|
|
|
|
|
|
|
// Compare time.Time separately
|
2019-05-07 17:13:55 +02:00
|
|
|
Expect(loadedSession.CreatedAt.Equal(session.CreatedAt)).To(BeTrue())
|
2019-05-07 14:55:49 +02:00
|
|
|
Expect(loadedSession.ExpiresOn.Equal(session.ExpiresOn)).To(BeTrue())
|
2019-05-07 14:42:43 +02:00
|
|
|
}
|
|
|
|
})
|
|
|
|
})
|
2019-05-07 14:32:54 +02:00
|
|
|
}
|
|
|
|
|
2019-05-07 14:58:15 +02:00
|
|
|
RunSessionTests := func() {
|
2019-05-07 14:32:54 +02:00
|
|
|
Context("with default options", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
var err error
|
|
|
|
ss, err = sessions.NewSessionStore(opts, cookieOpts)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
})
|
|
|
|
|
|
|
|
SessionStoreInterfaceTests()
|
2019-05-06 23:34:43 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
Context("with non-default options", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
cookieOpts = &options.CookieOptions{
|
|
|
|
CookieName: "_cookie_name",
|
|
|
|
CookiePath: "/path",
|
|
|
|
CookieExpire: time.Duration(72) * time.Hour,
|
|
|
|
CookieRefresh: time.Duration(3600),
|
|
|
|
CookieSecure: false,
|
|
|
|
CookieHTTPOnly: false,
|
|
|
|
CookieDomain: "example.com",
|
|
|
|
}
|
|
|
|
|
|
|
|
var err error
|
|
|
|
ss, err = sessions.NewSessionStore(opts, cookieOpts)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
})
|
|
|
|
|
2019-05-07 14:32:54 +02:00
|
|
|
SessionStoreInterfaceTests()
|
2019-05-06 23:34:43 +02:00
|
|
|
})
|
2019-05-07 14:55:49 +02:00
|
|
|
|
2019-05-07 15:27:09 +02:00
|
|
|
Context("with encryption enabled", func() {
|
2019-05-07 14:55:49 +02:00
|
|
|
BeforeEach(func() {
|
|
|
|
secret := make([]byte, 32)
|
|
|
|
_, err := rand.Read(secret)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
cookieOpts.CookieSecret = base64.URLEncoding.EncodeToString(secret)
|
2019-05-07 15:27:09 +02:00
|
|
|
opts.EnableCipher = true
|
2019-05-07 14:55:49 +02:00
|
|
|
|
|
|
|
ss, err = sessions.NewSessionStore(opts, cookieOpts)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
})
|
|
|
|
|
|
|
|
SessionStoreInterfaceTests()
|
|
|
|
})
|
2019-05-07 15:27:09 +02:00
|
|
|
|
|
|
|
Context("with encryption enabled, but no secret", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
opts.EnableCipher = true
|
|
|
|
})
|
|
|
|
|
|
|
|
It("returns an error", func() {
|
|
|
|
ss, err := sessions.NewSessionStore(opts, cookieOpts)
|
|
|
|
Expect(err).To(HaveOccurred())
|
|
|
|
Expect(err.Error()).To(Equal("unable to create cipher: crypto/aes: invalid key size 0"))
|
|
|
|
Expect(ss).To(BeNil())
|
|
|
|
})
|
|
|
|
})
|
2019-05-06 23:34:43 +02:00
|
|
|
}
|
|
|
|
|
2019-05-06 15:33:33 +02:00
|
|
|
BeforeEach(func() {
|
2019-05-07 14:32:54 +02:00
|
|
|
ss = nil
|
2019-05-06 15:33:33 +02:00
|
|
|
opts = &options.SessionOptions{}
|
2019-05-06 23:34:43 +02:00
|
|
|
|
|
|
|
// Set default options in CookieOptions
|
|
|
|
cookieOpts = &options.CookieOptions{
|
|
|
|
CookieName: "_oauth2_proxy",
|
|
|
|
CookiePath: "/",
|
|
|
|
CookieExpire: time.Duration(168) * time.Hour,
|
|
|
|
CookieRefresh: time.Duration(0),
|
|
|
|
CookieSecure: true,
|
|
|
|
CookieHTTPOnly: true,
|
|
|
|
}
|
2019-05-07 01:20:36 +02:00
|
|
|
|
2019-05-07 13:18:23 +02:00
|
|
|
session = &sessionsapi.SessionState{
|
|
|
|
AccessToken: "AccessToken",
|
|
|
|
IDToken: "IDToken",
|
|
|
|
ExpiresOn: time.Now().Add(1 * time.Hour),
|
|
|
|
RefreshToken: "RefreshToken",
|
|
|
|
Email: "john.doe@example.com",
|
|
|
|
User: "john.doe",
|
|
|
|
}
|
|
|
|
|
2019-05-07 01:20:36 +02:00
|
|
|
request = httptest.NewRequest("GET", "http://example.com/", nil)
|
|
|
|
response = httptest.NewRecorder()
|
2019-05-06 15:33:33 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
Context("with type 'cookie'", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
opts.Type = options.CookieSessionStoreType
|
|
|
|
})
|
|
|
|
|
2019-05-06 23:34:43 +02:00
|
|
|
It("creates a cookie.SessionStore", func() {
|
2019-05-06 15:33:33 +02:00
|
|
|
ss, err := sessions.NewSessionStore(opts, cookieOpts)
|
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(ss).To(BeAssignableToTypeOf(&cookie.SessionStore{}))
|
|
|
|
})
|
2019-05-06 23:34:43 +02:00
|
|
|
|
|
|
|
Context("the cookie.SessionStore", func() {
|
2019-05-07 14:58:15 +02:00
|
|
|
RunSessionTests()
|
2019-05-06 23:34:43 +02:00
|
|
|
})
|
2019-05-06 15:33:33 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
Context("with an invalid type", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
opts.Type = "invalid-type"
|
|
|
|
})
|
|
|
|
|
|
|
|
It("returns an error", func() {
|
|
|
|
ss, err := sessions.NewSessionStore(opts, cookieOpts)
|
|
|
|
Expect(err).To(HaveOccurred())
|
|
|
|
Expect(err.Error()).To(Equal("unknown session store type 'invalid-type'"))
|
|
|
|
Expect(ss).To(BeNil())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|