fix gitea token validation by allowing custom validation url and extracting the proper base api url for github cloud, github enterprise and gitea (#2194)

2025-06-15 00:15:00 +02:00 · 2023-09-14 11:09:57 +02:00
parent 225dc92adf
commit 13af1b4786
8 changed files with 306 additions and 72 deletions
--- a/providers/github_test.go
+++ b/providers/github_test.go
@ -34,11 +34,15 @@ func testGitHubProvider(hostname string, opts options.GitHubOptions) *GitHubProv

 func testGitHubBackend(payloads map[string][]string) *httptest.Server {
 	pathToQueryMap := map[string][]string{
-		"/repos/oauth2-proxy/oauth2-proxy":                      {""},
+		"/":                                {""},
+		"/repos/oauth2-proxy/oauth2-proxy": {""},
 		"/repos/oauth2-proxy/oauth2-proxy/collaborators/mbland": {""},
 		"/user":        {""},
 		"/user/emails": {""},
 		"/user/orgs":   {"page=1&per_page=100", "page=2&per_page=100", "page=3&per_page=100"},
+		// GitHub Enterprise Server API
+		"/api/v3":             {""},
+		"/api/v3/user/emails": {""},
 	}

 	return httptest.NewServer(http.HandlerFunc(
@ -75,10 +79,10 @@ func TestNewGitHubProvider(t *testing.T) {
 	// Test that defaults are set when calling for a new provider with nothing set
 	providerData := NewGitHubProvider(&ProviderData{}, options.GitHubOptions{}).Data()
 	g.Expect(providerData.ProviderName).To(Equal("GitHub"))
-	g.Expect(providerData.LoginURL.String()).To(Equal("https://github.com/login/oauth/authorize"))
-	g.Expect(providerData.RedeemURL.String()).To(Equal("https://github.com/login/oauth/access_token"))
+	g.Expect(providerData.LoginURL.String()).To(Equal(githubDefaultLoginURL.String()))
+	g.Expect(providerData.RedeemURL.String()).To(Equal(githubDefaultRedeemURL.String()))
 	g.Expect(providerData.ProfileURL.String()).To(Equal(""))
-	g.Expect(providerData.ValidateURL.String()).To(Equal("https://api.github.com/"))
+	g.Expect(providerData.ValidateURL.String()).To(Equal(githubDefaultValidateURL.String()))
 	g.Expect(providerData.Scope).To(Equal("user:email"))
 }

@ -440,3 +444,50 @@ func TestGitHubProvider_getEmailWithUsernameAndNoAccessToPrivateRepo(t *testing.
 	assert.NoError(t, err)
 	assert.Equal(t, "michael.bland@gsa.gov", session.Email)
 }
+
+func TestGitHubProvider_ValidateSessionWithBaseUrl(t *testing.T) {
+	b := testGitHubBackend(map[string][]string{
+		"/": {`[]`},
+	})
+	defer b.Close()
+
+	bURL, _ := url.Parse(b.URL)
+	p := testGitHubProvider(bURL.Host, options.GitHubOptions{})
+
+	session := CreateAuthorizedSession()
+
+	valid := p.ValidateSession(context.Background(), session)
+	assert.True(t, valid)
+}
+
+func TestGitHubProvider_ValidateSessionWithEnterpriseBaseUrl(t *testing.T) {
+	b := testGitHubBackend(map[string][]string{
+		"/api/v3": {`[]`},
+	})
+	defer b.Close()
+
+	bURL, _ := url.Parse(b.URL)
+	p := testGitHubProvider(bURL.Host, options.GitHubOptions{})
+	p.ValidateURL.Path = "/api/v3"
+
+	session := CreateAuthorizedSession()
+
+	valid := p.ValidateSession(context.Background(), session)
+	assert.True(t, valid)
+}
+
+func TestGitHubProvider_ValidateSessionWithUserEmails(t *testing.T) {
+	b := testGitHubBackend(map[string][]string{
+		"/user/emails": {`[ {"email": "michael.bland@gsa.gov", "verified": true, "primary": true} ]`},
+	})
+	defer b.Close()
+
+	bURL, _ := url.Parse(b.URL)
+	p := testGitHubProvider(bURL.Host, options.GitHubOptions{})
+	p.ValidateURL.Path = "/user/emails"
+
+	session := CreateAuthorizedSession()
+
+	valid := p.ValidateSession(context.Background(), session)
+	assert.True(t, valid)
+}