oauth2-proxy/pkg/app/pagewriter/error_page_test.go

package pagewriter

import (
	"errors"
	"html/template"
	"io/ioutil"
	"net/http/httptest"

	middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

var _ = Describe("Error Page Writer", func() {
	var errorPage *errorPageWriter

	BeforeEach(func() {
		tmpl, err := template.New("").Parse("{{.Title}} {{.Message}} {{.ProxyPrefix}} {{.StatusCode}} {{.Redirect}} {{.RequestID}} {{.Footer}} {{.Version}}")
		Expect(err).ToNot(HaveOccurred())

		errorPage = &errorPageWriter{
			template:    tmpl,
			proxyPrefix: "/prefix/",
			footer:      "Custom Footer Text",
			version:     "v0.0.0-test",
		}
	})

	Context("WriteErrorPage", func() {
		It("Writes the template to the response writer", func() {
			recorder := httptest.NewRecorder()
			errorPage.WriteErrorPage(recorder, ErrorPageOpts{
				Status:      403,
				RedirectURL: "/redirect",
				RequestID:   testRequestID,
				AppError:    "Access Denied",
			})

			body, err := ioutil.ReadAll(recorder.Result().Body)
			Expect(err).ToNot(HaveOccurred())
			Expect(string(body)).To(Equal("Forbidden You do not have permission to access this resource. /prefix/ 403 /redirect 11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))
		})

		It("With a different code, uses the stock message for the correct code", func() {
			recorder := httptest.NewRecorder()
			errorPage.WriteErrorPage(recorder, ErrorPageOpts{
				Status:      500,
				RedirectURL: "/redirect",
				RequestID:   testRequestID,
				AppError:    "Access Denied",
			})

			body, err := ioutil.ReadAll(recorder.Result().Body)
			Expect(err).ToNot(HaveOccurred())
			Expect(string(body)).To(Equal("Internal Server Error Oops! Something went wrong. For more information contact your server administrator. /prefix/ 500 /redirect 11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))
		})

		It("With a message override, uses the message", func() {
			recorder := httptest.NewRecorder()
			errorPage.WriteErrorPage(recorder, ErrorPageOpts{
				Status:      403,
				RedirectURL: "/redirect",
				RequestID:   testRequestID,
				AppError:    "Access Denied",
				Messages: []interface{}{
					"An extra message: %s",
					"with more context.",
				},
			})

			body, err := ioutil.ReadAll(recorder.Result().Body)
			Expect(err).ToNot(HaveOccurred())
			Expect(string(body)).To(Equal("Forbidden An extra message: with more context. /prefix/ 403 /redirect 11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))
		})

		It("Sanitizes malicious user input", func() {
			recorder := httptest.NewRecorder()
			errorPage.WriteErrorPage(recorder, ErrorPageOpts{
				Status:      403,
				RedirectURL: "/redirect",
				RequestID:   "<script>alert(1)</script>",
				AppError:    "Access Denied",
			})

			body, err := ioutil.ReadAll(recorder.Result().Body)
			Expect(err).ToNot(HaveOccurred())
			Expect(string(body)).To(Equal("Forbidden You do not have permission to access this resource. /prefix/ 403 /redirect &lt;script&gt;alert(1)&lt;/script&gt; Custom Footer Text v0.0.0-test"))
		})
	})

	Context("ProxyErrorHandler", func() {
		It("Writes a bad gateway error the response writer", func() {
			req := httptest.NewRequest("", "/bad-gateway", nil)
			req = middlewareapi.AddRequestScope(req, &middlewareapi.RequestScope{
				RequestID: testRequestID,
			})
			recorder := httptest.NewRecorder()
			errorPage.ProxyErrorHandler(recorder, req, errors.New("some upstream error"))

			body, err := ioutil.ReadAll(recorder.Result().Body)
			Expect(err).ToNot(HaveOccurred())
			Expect(string(body)).To(Equal("Bad Gateway There was a problem connecting to the upstream server. /prefix/ 502  11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))
		})
	})

	Context("With Debug enabled", func() {
		BeforeEach(func() {
			tmpl, err := template.New("").Parse("{{.Message}}")
			Expect(err).ToNot(HaveOccurred())

			errorPage.template = tmpl
			errorPage.debug = true
		})

		Context("WriteErrorPage", func() {
			It("Writes the detailed error in place of the message", func() {
				recorder := httptest.NewRecorder()
				errorPage.WriteErrorPage(recorder, ErrorPageOpts{
					Status:      403,
					RedirectURL: "/redirect",
					AppError:    "Debug error",
				})

				body, err := ioutil.ReadAll(recorder.Result().Body)
				Expect(err).ToNot(HaveOccurred())
				Expect(string(body)).To(Equal("Debug error"))
			})
		})

		Context("ProxyErrorHandler", func() {
			It("Writes a bad gateway error the response writer", func() {
				req := httptest.NewRequest("", "/bad-gateway", nil)
				req = middlewareapi.AddRequestScope(req, &middlewareapi.RequestScope{
					RequestID: testRequestID,
				})
				recorder := httptest.NewRecorder()
				errorPage.ProxyErrorHandler(recorder, req, errors.New("some upstream error"))

				body, err := ioutil.ReadAll(recorder.Result().Body)
				Expect(err).ToNot(HaveOccurred())
				Expect(string(body)).To(Equal("some upstream error"))
			})
		})
	})
})
Move all pagewriter related code to dedicated pagewriter package 2021-02-13 13:38:33 +02:00			`package pagewriter`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00
			`import (`
Use ErrorPage to render proxy error page 2021-02-07 00:17:59 +02:00			`"errors"`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00			`"html/template"`
			`"io/ioutil"`
			`"net/http/httptest"`

Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00			`. "github.com/onsi/ginkgo"`
			`. "github.com/onsi/gomega"`
			`)`

Wrap templates and page rendering in PageWriter interface 2021-02-12 20:25:46 +02:00			`var _ = Describe("Error Page Writer", func() {`
			`var errorPage *errorPageWriter`
Use ErrorPage to render proxy error page 2021-02-07 00:17:59 +02:00
			`BeforeEach(func() {`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`tmpl, err := template.New("").Parse("{{.Title}} {{.Message}} {{.ProxyPrefix}} {{.StatusCode}} {{.Redirect}} {{.RequestID}} {{.Footer}} {{.Version}}")`
Use ErrorPage to render proxy error page 2021-02-07 00:17:59 +02:00			`Expect(err).ToNot(HaveOccurred())`

Wrap templates and page rendering in PageWriter interface 2021-02-12 20:25:46 +02:00			`errorPage = &errorPageWriter{`
			`template: tmpl,`
			`proxyPrefix: "/prefix/",`
			`footer: "Custom Footer Text",`
			`version: "v0.0.0-test",`
Use ErrorPage to render proxy error page 2021-02-07 00:17:59 +02:00			`}`
			`})`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00
Wrap templates and page rendering in PageWriter interface 2021-02-12 20:25:46 +02:00			`Context("WriteErrorPage", func() {`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00			`It("Writes the template to the response writer", func() {`
			`recorder := httptest.NewRecorder()`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`errorPage.WriteErrorPage(recorder, ErrorPageOpts{`
			`Status: 403,`
			`RedirectURL: "/redirect",`
			`RequestID: testRequestID,`
			`AppError: "Access Denied",`
			`})`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00
			`body, err := ioutil.ReadAll(recorder.Result().Body)`
			`Expect(err).ToNot(HaveOccurred())`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`Expect(string(body)).To(Equal("Forbidden You do not have permission to access this resource. /prefix/ 403 /redirect 11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00			`})`

			`It("With a different code, uses the stock message for the correct code", func() {`
			`recorder := httptest.NewRecorder()`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`errorPage.WriteErrorPage(recorder, ErrorPageOpts{`
			`Status: 500,`
			`RedirectURL: "/redirect",`
			`RequestID: testRequestID,`
			`AppError: "Access Denied",`
			`})`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00
			`body, err := ioutil.ReadAll(recorder.Result().Body)`
			`Expect(err).ToNot(HaveOccurred())`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`Expect(string(body)).To(Equal("Internal Server Error Oops! Something went wrong. For more information contact your server administrator. /prefix/ 500 /redirect 11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00			`})`

			`It("With a message override, uses the message", func() {`
			`recorder := httptest.NewRecorder()`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`errorPage.WriteErrorPage(recorder, ErrorPageOpts{`
			`Status: 403,`
			`RedirectURL: "/redirect",`
			`RequestID: testRequestID,`
			`AppError: "Access Denied",`
			`Messages: []interface{}{`
			`"An extra message: %s",`
			`"with more context.",`
			`},`
			`})`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00
			`body, err := ioutil.ReadAll(recorder.Result().Body)`
			`Expect(err).ToNot(HaveOccurred())`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`Expect(string(body)).To(Equal("Forbidden An extra message: with more context. /prefix/ 403 /redirect 11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))`
			`})`

			`It("Sanitizes malicious user input", func() {`
			`recorder := httptest.NewRecorder()`
			`errorPage.WriteErrorPage(recorder, ErrorPageOpts{`
			`Status: 403,`
			`RedirectURL: "/redirect",`
			`RequestID: "<script>alert(1)</script>",`
			`AppError: "Access Denied",`
			`})`

			`body, err := ioutil.ReadAll(recorder.Result().Body)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(string(body)).To(Equal("Forbidden You do not have permission to access this resource. /prefix/ 403 /redirect <script>alert(1)</script> Custom Footer Text v0.0.0-test"))`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00			`})`
			`})`

Use ErrorPage to render proxy error page 2021-02-07 00:17:59 +02:00			`Context("ProxyErrorHandler", func() {`
			`It("Writes a bad gateway error the response writer", func() {`
			`req := httptest.NewRequest("", "/bad-gateway", nil)`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`req = middlewareapi.AddRequestScope(req, &middlewareapi.RequestScope{`
			`RequestID: testRequestID,`
			`})`
Use ErrorPage to render proxy error page 2021-02-07 00:17:59 +02:00			`recorder := httptest.NewRecorder()`
			`errorPage.ProxyErrorHandler(recorder, req, errors.New("some upstream error"))`

			`body, err := ioutil.ReadAll(recorder.Result().Body)`
			`Expect(err).ToNot(HaveOccurred())`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`Expect(string(body)).To(Equal("Bad Gateway There was a problem connecting to the upstream server. /prefix/ 502 11111111-2222-4333-8444-555555555555 Custom Footer Text v0.0.0-test"))`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00			`})`
			`})`

			`Context("With Debug enabled", func() {`
			`BeforeEach(func() {`
			`tmpl, err := template.New("").Parse("{{.Message}}")`
			`Expect(err).ToNot(HaveOccurred())`

Wrap templates and page rendering in PageWriter interface 2021-02-12 20:25:46 +02:00			`errorPage.template = tmpl`
			`errorPage.debug = true`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00			`})`

Wrap templates and page rendering in PageWriter interface 2021-02-12 20:25:46 +02:00			`Context("WriteErrorPage", func() {`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00			`It("Writes the detailed error in place of the message", func() {`
			`recorder := httptest.NewRecorder()`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`errorPage.WriteErrorPage(recorder, ErrorPageOpts{`
			`Status: 403,`
			`RedirectURL: "/redirect",`
			`AppError: "Debug error",`
			`})`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00
			`body, err := ioutil.ReadAll(recorder.Result().Body)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(string(body)).To(Equal("Debug error"))`
			`})`
			`})`

			`Context("ProxyErrorHandler", func() {`
			`It("Writes a bad gateway error the response writer", func() {`
			`req := httptest.NewRequest("", "/bad-gateway", nil)`
Request ID Logging (#1087) * Add RequestID to the RequestScope * Expose RequestID to auth & request loggers * Use the RequestID in templated HTML pages * Allow customizing the RequestID header * Document new Request ID support * Add more cases to scope/requestID tests * Split Get vs Generate RequestID funtionality * Add {{.RequestID}} to the request logger tests * Move RequestID management to RequestScope * Use HTML escape instead of sanitization for Request ID rendering 2021-03-21 20:20:57 +02:00			`req = middlewareapi.AddRequestScope(req, &middlewareapi.RequestScope{`
			`RequestID: testRequestID,`
			`})`
Allow users to choose detailed error messages on error pages 2021-02-10 21:34:19 +02:00			`recorder := httptest.NewRecorder()`
			`errorPage.ProxyErrorHandler(recorder, req, errors.New("some upstream error"))`

			`body, err := ioutil.ReadAll(recorder.Result().Body)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(string(body)).To(Equal("some upstream error"))`
			`})`
Use ErrorPage to render proxy error page 2021-02-07 00:17:59 +02:00			`})`
			`})`
Move Error page rendering to app package 2021-02-07 00:05:45 +02:00			`})`