2020-04-13 13:50:34 +01:00
package validation
2015-03-15 12:23:13 -04:00
import (
2015-11-15 22:08:30 -05:00
"crypto"
2020-02-15 14:44:39 +01:00
"io/ioutil"
2015-03-17 15:15:15 -04:00
"net/url"
2020-02-15 14:44:39 +01:00
"os"
2015-03-15 12:23:13 -04:00
"strings"
"testing"
2015-05-09 17:16:19 -04:00
"time"
2015-03-15 12:23:13 -04:00
2020-09-30 01:44:42 +09:00
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
2017-10-23 12:23:46 -04:00
"github.com/stretchr/testify/assert"
2015-03-15 12:23:13 -04:00
)
2020-03-14 19:14:15 +09:00
const (
2020-02-24 12:23:35 +01:00
cookieSecret = "secretthirtytwobytes+abcdefghijk"
2020-03-14 19:14:15 +09:00
clientID = "bazquux"
clientSecret = "xyzzyplugh"
2021-04-03 19:06:30 +03:00
providerID = "providerID"
2020-03-14 19:14:15 +09:00
)
2020-03-14 05:58:29 -04:00
2020-04-13 13:50:34 +01:00
func testOptions ( ) * options . Options {
o := options . NewOptions ( )
2021-09-17 11:08:18 +00:00
o . UpstreamServers . Upstreams = append ( o . UpstreamServers . Upstreams , options . Upstream {
2020-05-26 19:56:10 +01:00
ID : "upstream" ,
Path : "/" ,
URI : "http://127.0.0.1:8080/" ,
} )
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = cookieSecret
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . ID = providerID
o . Providers [ 0 ] . ClientID = clientID
o . Providers [ 0 ] . ClientSecret = clientSecret
2015-07-24 16:23:19 -04:00
o . EmailDomains = [ ] string { "*" }
2015-03-15 12:23:13 -04:00
return o
}
2015-03-17 15:15:15 -04:00
func errorMsg ( msgs [ ] string ) string {
2015-03-15 12:23:13 -04:00
result := make ( [ ] string , 0 )
2020-04-14 17:36:44 +09:00
result = append ( result , "invalid configuration:" )
2015-03-15 12:23:13 -04:00
result = append ( result , msgs ... )
return strings . Join ( result , "\n " )
}
func TestNewOptions ( t * testing . T ) {
2020-04-13 13:50:34 +01:00
o := options . NewOptions ( )
2015-07-24 16:23:19 -04:00
o . EmailDomains = [ ] string { "*" }
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2015-03-15 12:23:13 -04:00
assert . NotEqual ( t , nil , err )
expected := errorMsg ( [ ] string {
"missing setting: cookie-secret" ,
2021-04-03 19:06:30 +03:00
"provider has empty id: ids are required for all providers" ,
"provider missing setting: client-id" ,
2020-02-15 14:44:39 +01:00
"missing setting: client-secret or client-secret-file" } )
2015-03-15 12:23:13 -04:00
assert . Equal ( t , expected , err . Error ( ) )
}
2020-02-15 14:44:39 +01:00
func TestClientSecretFileOptionFails ( t * testing . T ) {
2020-04-13 13:50:34 +01:00
o := options . NewOptions ( )
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = cookieSecret
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . ID = providerID
o . Providers [ 0 ] . ClientID = clientID
o . Providers [ 0 ] . ClientSecretFile = clientSecret
2020-02-15 14:44:39 +01:00
o . EmailDomains = [ ] string { "*" }
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2020-02-15 14:44:39 +01:00
assert . NotEqual ( t , nil , err )
2020-04-13 13:50:34 +01:00
p := o . GetProvider ( ) . Data ( )
2020-03-14 05:58:29 -04:00
assert . Equal ( t , clientSecret , p . ClientSecretFile )
2020-02-15 14:44:39 +01:00
assert . Equal ( t , "" , p . ClientSecret )
s , err := p . GetClientSecret ( )
assert . NotEqual ( t , nil , err )
assert . Equal ( t , "" , s )
}
func TestClientSecretFileOption ( t * testing . T ) {
var err error
f , err := ioutil . TempFile ( "" , "client_secret_temp_file_" )
if err != nil {
t . Fatalf ( "failed to create temp file: %v" , err )
}
2020-09-22 18:54:32 -07:00
_ , err = f . WriteString ( "testcase" )
if err != nil {
t . Fatalf ( "failed to write to temp file: %v" , err )
}
2020-02-15 14:44:39 +01:00
if err := f . Close ( ) ; err != nil {
t . Fatalf ( "failed to close temp file: %v" , err )
}
clientSecretFileName := f . Name ( )
2020-09-22 18:54:32 -07:00
defer func ( t * testing . T ) {
if err := os . Remove ( clientSecretFileName ) ; err != nil {
t . Fatalf ( "failed to delete temp file: %v" , err )
}
} ( t )
2020-02-15 14:44:39 +01:00
2020-04-13 13:50:34 +01:00
o := options . NewOptions ( )
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = cookieSecret
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . ID = providerID
o . Providers [ 0 ] . ClientID = clientID
o . Providers [ 0 ] . ClientSecretFile = clientSecretFileName
2020-02-15 14:44:39 +01:00
o . EmailDomains = [ ] string { "*" }
2020-04-13 13:50:34 +01:00
err = Validate ( o )
2020-02-15 14:44:39 +01:00
assert . Equal ( t , nil , err )
2020-04-13 13:50:34 +01:00
p := o . GetProvider ( ) . Data ( )
2020-02-15 14:44:39 +01:00
assert . Equal ( t , clientSecretFileName , p . ClientSecretFile )
assert . Equal ( t , "" , p . ClientSecret )
s , err := p . GetClientSecret ( )
assert . Equal ( t , nil , err )
assert . Equal ( t , "testcase" , s )
}
2015-08-20 03:07:02 -07:00
func TestGoogleGroupOptions ( t * testing . T ) {
o := testOptions ( )
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . GoogleConfig . Groups = [ ] string { "googlegroup" }
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2015-08-20 03:07:02 -07:00
assert . NotEqual ( t , nil , err )
expected := errorMsg ( [ ] string {
"missing setting: google-admin-email" ,
"missing setting: google-service-account-json" } )
assert . Equal ( t , expected , err . Error ( ) )
}
func TestGoogleGroupInvalidFile ( t * testing . T ) {
o := testOptions ( )
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . GoogleConfig . Groups = [ ] string { "test_group" }
o . Providers [ 0 ] . GoogleConfig . AdminEmail = "admin@example.com"
o . Providers [ 0 ] . GoogleConfig . ServiceAccountJSON = "file_doesnt_exist.json"
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2015-08-20 03:07:02 -07:00
assert . NotEqual ( t , nil , err )
expected := errorMsg ( [ ] string {
"invalid Google credentials file: file_doesnt_exist.json" ,
} )
assert . Equal ( t , expected , err . Error ( ) )
}
2015-03-15 12:23:13 -04:00
func TestInitializedOptions ( t * testing . T ) {
o := testOptions ( )
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2015-03-15 12:23:13 -04:00
}
// Note that it's not worth testing nonparseable URLs, since url.Parse()
// seems to parse damn near anything.
2015-11-09 00:47:44 +01:00
func TestRedirectURL ( t * testing . T ) {
2015-03-15 12:23:13 -04:00
o := testOptions ( )
2020-04-13 13:50:34 +01:00
o . RawRedirectURL = "https://myhost.com/oauth2/callback"
assert . Equal ( t , nil , Validate ( o ) )
2015-03-15 12:23:13 -04:00
expected := & url . URL {
Scheme : "https" , Host : "myhost.com" , Path : "/oauth2/callback" }
2020-04-13 13:50:34 +01:00
assert . Equal ( t , expected , o . GetRedirectURL ( ) )
2015-03-15 12:23:13 -04:00
}
2015-03-30 15:48:30 -04:00
func TestDefaultProviderApiSettings ( t * testing . T ) {
o := testOptions ( )
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
p := o . GetProvider ( ) . Data ( )
2015-06-23 13:23:47 -04:00
assert . Equal ( t , "https://accounts.google.com/o/oauth2/auth?access_type=offline" ,
2015-11-09 00:47:44 +01:00
p . LoginURL . String ( ) )
2015-06-23 13:23:47 -04:00
assert . Equal ( t , "https://www.googleapis.com/oauth2/v3/token" ,
2015-11-09 00:47:44 +01:00
p . RedeemURL . String ( ) )
assert . Equal ( t , "" , p . ProfileURL . String ( ) )
2015-03-30 15:48:30 -04:00
assert . Equal ( t , "profile email" , p . Scope )
}
2015-04-05 09:43:40 -04:00
2015-05-09 17:16:19 -04:00
func TestCookieRefreshMustBeLessThanCookieExpire ( t * testing . T ) {
o := testOptions ( )
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2015-05-09 17:16:19 -04:00
2020-05-21 11:29:45 -07:00
o . Cookie . Secret = "0123456789abcdef"
2020-04-12 14:00:59 +01:00
o . Cookie . Refresh = o . Cookie . Expire
2020-04-13 13:50:34 +01:00
assert . NotEqual ( t , nil , Validate ( o ) )
2015-05-09 17:16:19 -04:00
2020-04-12 14:00:59 +01:00
o . Cookie . Refresh -= time . Duration ( 1 )
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2015-05-09 17:16:19 -04:00
}
2015-11-15 22:08:30 -05:00
2016-06-20 07:17:39 -04:00
func TestBase64CookieSecret ( t * testing . T ) {
o := testOptions ( )
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2016-06-20 07:17:39 -04:00
// 32 byte, base64 (urlsafe) encoded key
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = "yHBw2lh2Cvo6aI_jn_qMTr-pRAjtq0nzVgDJNb36jgQ="
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2016-06-20 07:17:39 -04:00
// 32 byte, base64 (urlsafe) encoded key, w/o padding
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = "yHBw2lh2Cvo6aI_jn_qMTr-pRAjtq0nzVgDJNb36jgQ"
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2016-06-20 07:17:39 -04:00
// 24 byte, base64 (urlsafe) encoded key
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = "Kp33Gj-GQmYtz4zZUyUDdqQKx5_Hgkv3"
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2016-06-20 07:17:39 -04:00
// 16 byte, base64 (urlsafe) encoded key
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = "LFEqZYvYUwKwzn0tEuTpLA=="
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2016-06-20 07:17:39 -04:00
// 16 byte, base64 (urlsafe) encoded key, w/o padding
2020-04-12 14:00:59 +01:00
o . Cookie . Secret = "LFEqZYvYUwKwzn0tEuTpLA"
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2016-06-20 07:17:39 -04:00
}
2015-11-15 22:08:30 -05:00
func TestValidateSignatureKey ( t * testing . T ) {
o := testOptions ( )
o . SignatureKey = "sha1:secret"
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
assert . Equal ( t , o . GetSignatureData ( ) . Hash , crypto . SHA1 )
assert . Equal ( t , o . GetSignatureData ( ) . Key , "secret" )
2015-11-15 22:08:30 -05:00
}
func TestValidateSignatureKeyInvalidSpec ( t * testing . T ) {
o := testOptions ( )
o . SignatureKey = "invalid spec"
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2020-04-14 17:36:44 +09:00
assert . Equal ( t , err . Error ( ) , "invalid configuration:\n" +
2015-11-15 22:08:30 -05:00
" invalid signature hash:key spec: " + o . SignatureKey )
}
func TestValidateSignatureKeyUnsupportedAlgorithm ( t * testing . T ) {
o := testOptions ( )
o . SignatureKey = "unsupported:default secret"
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2020-04-14 17:36:44 +09:00
assert . Equal ( t , err . Error ( ) , "invalid configuration:\n" +
2015-11-15 22:08:30 -05:00
" unsupported signature hash algorithm: " + o . SignatureKey )
}
2016-07-19 20:51:25 +01:00
2019-03-04 14:54:22 +01:00
func TestSkipOIDCDiscovery ( t * testing . T ) {
o := testOptions ( )
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . Type = "oidc"
o . Providers [ 0 ] . OIDCConfig . IssuerURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/"
o . Providers [ 0 ] . OIDCConfig . SkipDiscovery = true
2019-03-04 14:54:22 +01:00
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2020-04-14 17:36:44 +09:00
assert . Equal ( t , "invalid configuration:\n" +
" missing setting: login-url\n missing setting: redeem-url\n missing setting: oidc-jwks-url" , err . Error ( ) )
2019-03-04 14:54:22 +01:00
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . LoginURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_sign_in"
o . Providers [ 0 ] . RedeemURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in"
o . Providers [ 0 ] . OIDCConfig . JwksURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys"
2019-03-04 14:54:22 +01:00
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2019-03-04 14:54:22 +01:00
}
2019-03-25 09:56:56 -07:00
func TestGCPHealthcheck ( t * testing . T ) {
o := testOptions ( )
o . GCPHealthChecks = true
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
2019-03-25 09:56:56 -07:00
}
2020-05-12 19:41:25 +02:00
func TestRealClientIPHeader ( t * testing . T ) {
// Ensure nil if ReverseProxy not set.
2020-04-13 13:50:34 +01:00
o := testOptions ( )
2020-05-12 19:41:25 +02:00
o . RealClientIPHeader = "X-Real-IP"
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
assert . Nil ( t , o . GetRealClientIPParser ( ) )
2020-05-12 19:41:25 +02:00
// Ensure simple use case works.
o = testOptions ( )
o . ReverseProxy = true
o . RealClientIPHeader = "X-Forwarded-For"
2020-04-13 13:50:34 +01:00
assert . Equal ( t , nil , Validate ( o ) )
assert . NotNil ( t , o . GetRealClientIPParser ( ) )
2020-05-12 19:41:25 +02:00
// Ensure unknown header format process an error.
o = testOptions ( )
o . ReverseProxy = true
o . RealClientIPHeader = "Forwarded"
2020-04-13 13:50:34 +01:00
err := Validate ( o )
2020-05-12 19:41:25 +02:00
assert . NotEqual ( t , nil , err )
2020-04-13 13:50:34 +01:00
expected := errorMsg ( [ ] string {
2020-05-12 19:41:25 +02:00
"real_client_ip_header (Forwarded) not accepted parameter value: the http header key (Forwarded) is either invalid or unsupported" ,
} )
assert . Equal ( t , expected , err . Error ( ) )
2020-04-13 13:50:34 +01:00
assert . Nil ( t , o . GetRealClientIPParser ( ) )
2020-05-12 19:41:25 +02:00
// Ensure invalid header format produces an error.
o = testOptions ( )
o . ReverseProxy = true
o . RealClientIPHeader = "!934invalidheader-23:"
2020-04-13 13:50:34 +01:00
err = Validate ( o )
2020-05-12 19:41:25 +02:00
assert . NotEqual ( t , nil , err )
expected = errorMsg ( [ ] string {
"real_client_ip_header (!934invalidheader-23:) not accepted parameter value: the http header key (!934invalidheader-23:) is either invalid or unsupported" ,
} )
assert . Equal ( t , expected , err . Error ( ) )
2020-04-13 13:50:34 +01:00
assert . Nil ( t , o . GetRealClientIPParser ( ) )
2020-05-12 19:41:25 +02:00
}
2020-07-03 16:09:17 +01:00
func TestProviderCAFilesError ( t * testing . T ) {
file , err := ioutil . TempFile ( "" , "absent.*.crt" )
assert . NoError ( t , err )
assert . NoError ( t , file . Close ( ) )
assert . NoError ( t , os . Remove ( file . Name ( ) ) )
o := testOptions ( )
2021-04-03 19:06:30 +03:00
o . Providers [ 0 ] . CAFiles = append ( o . Providers [ 0 ] . CAFiles , file . Name ( ) )
2020-07-03 16:09:17 +01:00
err = Validate ( o )
assert . Error ( t , err )
assert . Contains ( t , err . Error ( ) , "unable to load provider CA file(s)" )
}