From 10f65e03814afd55534fafc828860348d883dbe8 Mon Sep 17 00:00:00 2001 From: Brian Van Klaveren Date: Tue, 30 Apr 2019 14:06:11 -0700 Subject: [PATCH] Add a more realistic test for JWT passthrough --- oauthproxy_test.go | 60 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 55 insertions(+), 5 deletions(-) diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 0704596a..bff36826 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go @@ -1170,17 +1170,67 @@ func TestGetJwtSession(t *testing.T) { &oidc.Config{ClientID: "https://test.myapp.com", SkipExpiryCheck: true}) p := OAuthProxy{} p.jwtBearerVerifiers = append(p.jwtBearerVerifiers, verifier) - getReq := &http.Request{URL: &url.URL{Scheme: "http", Host: "example.com"}} + + req, _ := http.NewRequest("GET", "/", strings.NewReader("")) + authHeader := fmt.Sprintf("Bearer %s", goodJwt) + req.Header = map[string][]string{ + "Authorization": {authHeader}, + } // Bearer - getReq.Header = map[string][]string{ - "Authorization": {fmt.Sprintf("Bearer %s", goodJwt)}, - } - session, _ := p.GetJwtSession(getReq) + session, _ := p.GetJwtSession(req) assert.Equal(t, session.User, "john") assert.Equal(t, session.Email, "john@example.com") assert.Equal(t, session.ExpiresOn, time.Unix(1912151821, 0)) assert.Equal(t, session.IDToken, goodJwt) + + jwtProviderServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + log.Printf("%#v", r) + var payload string + payload = r.Header.Get("Authorization") + if payload == "" { + payload = "No Authorization header found." + } + w.WriteHeader(200) + w.Write([]byte(payload)) + })) + + opts := NewOptions() + opts.Upstreams = append(opts.Upstreams, jwtProviderServer.URL) + opts.PassAuthorization = true + opts.SetAuthorization = true + opts.SetXAuthRequest = true + opts.CookieSecret = "0123456789abcdef0123" + opts.SkipJwtBearerTokens = true + opts.Validate() + + // We can't actually use opts.Validate() because it will attempt to find a jwks URI + opts.jwtBearerVerifiers = append(opts.jwtBearerVerifiers, verifier) + + providerURL, _ := url.Parse(jwtProviderServer.URL) + const emailAddress = "john@example.com" + + opts.provider = NewTestProvider(providerURL, emailAddress) + jwtTestProxy := NewOAuthProxy(opts, func(email string) bool { + return email == emailAddress + }) + + rw := httptest.NewRecorder() + jwtTestProxy.ServeHTTP(rw, req) + if rw.Code >= 400 { + t.Fatalf("expected 3xx got %d", rw.Code) + } + + // Check PassAuthorization, should overwrite Basic header + assert.Equal(t, req.Header.Get("Authorization"), authHeader) + assert.Equal(t, req.Header.Get("X-Forwarded-User"), "john") + assert.Equal(t, req.Header.Get("X-Forwarded-Email"), "john@example.com") + + // SetAuthorization and SetXAuthRequest + assert.Equal(t, rw.Header().Get("Authorization"), authHeader) + assert.Equal(t, rw.Header().Get("X-Auth-Request-User"), "john") + assert.Equal(t, rw.Header().Get("X-Auth-Request-Email"), "john@example.com") + } func TestFindJwtBearerToken(t *testing.T) {