go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-23 00:40:46 +02:00
Code Issues Releases Activity

Standarize provider refresh implemention & logging

Browse Source
This commit is contained in:
Nick Meves
2021-03-06 15:48:31 -08:00
parent 7fa6d2d024
commit 593125152d
10 changed files with 123 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/middleware/stored_session.go
View File

@ -108,11 +108,7 @@ func (s *storedSessionLoader) getValidatedSession(rw http.ResponseWriter, req *h
// refreshSessionIfNeeded will attempt to refresh a session if the session
// is older than the refresh period.
// It is assumed that if the provider refreshes the session, the session is now
// valid.
// If the session requires refreshing but the provider does not refresh it,
// we must validate the session to ensure that the returned session is still
// valid.
// Success or fail, we will then validate the session.
func (s *storedSessionLoader) refreshSessionIfNeeded(rw http.ResponseWriter, req *http.Request, session *sessionsapi.SessionState) error {
if s.refreshPeriod <= time.Duration(0) || session.Age() < s.refreshPeriod {
// Refresh is disabled or the session is not old enough, do nothing
@ -122,10 +118,12 @@ func (s *storedSessionLoader) refreshSessionIfNeeded(rw http.ResponseWriter, req
logger.Printf("Refreshing %s old session cookie for %s (refresh after %s)", session.Age(), session, s.refreshPeriod)
err := s.refreshSession(rw, req, session)
if err != nil {
return err
// If a preemptive refresh fails, we still keep the session
// if validateSession succeeds.
logger.Errorf("Unable to refresh session: %v", err)
}
// Validate all sessions after any Redeem/Refresh operation
// Validate all sessions after any Redeem/Refresh operation (fail or success)
return s.validateSession(req.Context(), session)
}
@ -134,7 +132,7 @@ func (s *storedSessionLoader) refreshSessionIfNeeded(rw http.ResponseWriter, req
func (s *storedSessionLoader) refreshSession(rw http.ResponseWriter, req *http.Request, session *sessionsapi.SessionState) error {
refreshed, err := s.sessionRefresher(req.Context(), session)
if err != nil {
return fmt.Errorf("error refreshing access token: %v", err)
return fmt.Errorf("error refreshing tokens: %v", err)
}
if !refreshed {
@ -142,6 +140,12 @@ func (s *storedSessionLoader) refreshSession(rw http.ResponseWriter, req *http.R
}
// If we refreshed, update the `CreatedAt` time to reset the refresh timer
//
// HACK:
// Providers that don't implement `RefreshSession` use the default
// implementation. It always returns `refreshed == true`, so the
// `session.CreatedAt` is updated and doesn't trigger `ValidateSession`
// every subsequent request.
session.CreatedAtNow()
// Because the session was refreshed, make sure to save it

64
pkg/middleware/stored_session_test.go
View File

@ -10,6 +10,7 @@ import (
middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/clock"
. "github.com/onsi/ginkgo"
. "github.com/onsi/ginkgo/extensions/table"
. "github.com/onsi/gomega"
@ -24,8 +25,9 @@ var _ = Describe("Stored Session Suite", func() {
var ctx = context.Background()
Context("StoredSessionLoader", func() {
createdPast := time.Now().Add(-5 * time.Minute)
createdFuture := time.Now().Add(5 * time.Minute)
now := time.Now()
createdPast := now.Add(-5 * time.Minute)
createdFuture := now.Add(5 * time.Minute)
var defaultRefreshFunc = func(_ context.Context, ss *sessionsapi.SessionState) (bool, error) {
switch ss.RefreshToken {
@ -85,6 +87,14 @@ var _ = Describe("Stored Session Suite", func() {
},
}
BeforeEach(func() {
clock.Set(now)
})
AfterEach(func() {
clock.Reset()
})
type storedSessionLoaderTableInput struct {
requestHeaders http.Header
existingSession *sessionsapi.SessionState
@ -208,6 +218,21 @@ var _ = Describe("Stored Session Suite", func() {
existingSession: nil,
expectedSession: &sessionsapi.SessionState{
RefreshToken: "Refreshed",
CreatedAt: &now,
ExpiresOn: &createdFuture,
},
store: defaultSessionStore,
refreshPeriod: 1 * time.Minute,
refreshSession: defaultRefreshFunc,
validateSession: defaultValidateFunc,
}),
Entry("when the provider refresh fails but validation succeeds", storedSessionLoaderTableInput{
requestHeaders: http.Header{
"Cookie": []string{"_oauth2_proxy=RefreshError"},
},
existingSession: nil,
expectedSession: &sessionsapi.SessionState{
RefreshToken: "RefreshError",
CreatedAt: &createdPast,
ExpiresOn: &createdFuture,
},
@ -216,7 +241,7 @@ var _ = Describe("Stored Session Suite", func() {
refreshSession: defaultRefreshFunc,
validateSession: defaultValidateFunc,
}),
Entry("when the provider refresh fails", storedSessionLoaderTableInput{
Entry("when the provider refresh fails and validation fails", storedSessionLoaderTableInput{
requestHeaders: http.Header{
"Cookie": []string{"_oauth2_proxy=RefreshError"},
},
@ -225,7 +250,7 @@ var _ = Describe("Stored Session Suite", func() {
store: defaultSessionStore,
refreshPeriod: 1 * time.Minute,
refreshSession: defaultRefreshFunc,
validateSession: defaultValidateFunc,
validateSession: func(context.Context, *sessionsapi.SessionState) bool { return false },
}),
Entry("when the session is not refreshed and is no longer valid", storedSessionLoaderTableInput{
requestHeaders: http.Header{
@ -326,7 +351,7 @@ var _ = Describe("Stored Session Suite", func() {
},
expectedErr: nil,
expectRefreshed: true,
expectValidated: false,
expectValidated: true,
}),
Entry("when the session is not refreshed by the provider", refreshSessionIfNeededTableInput{
refreshPeriod: 1 * time.Minute,
@ -339,15 +364,15 @@ var _ = Describe("Stored Session Suite", func() {
expectRefreshed: true,
expectValidated: true,
}),
Entry("when the provider refresh fails", refreshSessionIfNeededTableInput{
Entry("when the provider refresh fails but validation succeeds", refreshSessionIfNeededTableInput{
refreshPeriod: 1 * time.Minute,
session: &sessionsapi.SessionState{
RefreshToken: "RefreshError",
CreatedAt: &createdPast,
},
expectedErr: errors.New("error refreshing access token: error refreshing session"),
expectedErr: nil,
expectRefreshed: true,
expectValidated: false,
expectValidated: true,
}),
Entry("when the session is not refreshed by the provider and validation fails", refreshSessionIfNeededTableInput{
refreshPeriod: 1 * time.Minute,
@ -366,10 +391,9 @@ var _ = Describe("Stored Session Suite", func() {
Context("refreshSession", func() {
type refreshSessionWithProviderTableInput struct {
session *sessionsapi.SessionState
expectedErr error
expectRefreshed bool
expectSaved bool
session *sessionsapi.SessionState
expectedErr error
expectSaved bool
}
now := time.Now()
@ -414,15 +438,15 @@ var _ = Describe("Stored Session Suite", func() {
session: &sessionsapi.SessionState{
RefreshToken: noRefresh,
},
expectedErr: nil,
expectSaved: false,
expectedErr: nil,
expectSaved: false,
}),
Entry("when the provider refreshes the session", refreshSessionWithProviderTableInput{
session: &sessionsapi.SessionState{
RefreshToken: refresh,
},
expectedErr: nil,
expectSaved: true,
expectedErr: nil,
expectSaved: true,
}),
Entry("when the provider returns an error", refreshSessionWithProviderTableInput{
session: &sessionsapi.SessionState{
@ -430,16 +454,16 @@ var _ = Describe("Stored Session Suite", func() {
CreatedAt: &now,
ExpiresOn: &now,
},
expectedErr: errors.New("error refreshing access token: error refreshing session"),
expectSaved: false,
expectedErr: errors.New("error refreshing tokens: error refreshing session"),
expectSaved: false,
}),
Entry("when the saving the session returns an error", refreshSessionWithProviderTableInput{
session: &sessionsapi.SessionState{
RefreshToken: refresh,
AccessToken: "NoSave",
},
expectedErr: errors.New("error saving session: unable to save session"),
expectSaved: true,
expectedErr: errors.New("error saving session: unable to save session"),
expectSaved: true,
}),
)
})