mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2024-11-24 08:52:25 +02:00
Validate access_token when auto-refreshing cookie
This commit is contained in:
parent
25372567ac
commit
b6e07d51b2
@ -299,7 +299,10 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e
|
||||
} else if p.CookieRefresh != time.Duration(0) {
|
||||
refresh_threshold := time.Now().Add(p.CookieRefresh)
|
||||
if refresh_threshold.Unix() > timestamp.Unix() {
|
||||
p.SetCookie(rw, req, value)
|
||||
ok = p.ValidateToken(access_token)
|
||||
if ok {
|
||||
p.SetCookie(rw, req, value)
|
||||
}
|
||||
}
|
||||
}
|
||||
return
|
||||
|
@ -391,10 +391,12 @@ func TestValidateTokenValidToken(t *testing.T) {
|
||||
}
|
||||
|
||||
type ProcessCookieTest struct {
|
||||
opts *Options
|
||||
proxy *OauthProxy
|
||||
rw *httptest.ResponseRecorder
|
||||
req *http.Request
|
||||
opts *Options
|
||||
proxy *OauthProxy
|
||||
rw *httptest.ResponseRecorder
|
||||
req *http.Request
|
||||
backend *httptest.Server
|
||||
response_code int
|
||||
}
|
||||
|
||||
func NewProcessCookieTest() *ProcessCookieTest {
|
||||
@ -405,6 +407,8 @@ func NewProcessCookieTest() *ProcessCookieTest {
|
||||
pc_test.opts.CookieSecret = "foobar"
|
||||
pc_test.opts.ClientID = "bazquux"
|
||||
pc_test.opts.ClientSecret = "xyzzyplugh"
|
||||
pc_test.opts.PassAccessToken = true
|
||||
pc_test.opts.CookieSecret = "0123456789abcdef"
|
||||
pc_test.opts.Validate()
|
||||
|
||||
pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool {
|
||||
@ -416,12 +420,32 @@ func NewProcessCookieTest() *ProcessCookieTest {
|
||||
return &pc_test
|
||||
}
|
||||
|
||||
func (p *ProcessCookieTest) MakeCookie(value string) *http.Cookie {
|
||||
return p.proxy.MakeCookie(p.req, value, p.opts.CookieExpire)
|
||||
func (p *ProcessCookieTest) InstantiateBackend() {
|
||||
p.backend = httptest.NewServer(
|
||||
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(p.response_code)
|
||||
}))
|
||||
backend_url, _ := url.Parse(p.backend.URL)
|
||||
p.proxy.oauthValidateUrl = &url.URL{
|
||||
Scheme: "http",
|
||||
Host: backend_url.Host,
|
||||
Path: "/oauth/tokeninfo",
|
||||
}
|
||||
p.response_code = 200
|
||||
}
|
||||
|
||||
func (p *ProcessCookieTest) AddCookie(value string) {
|
||||
p.req.AddCookie(p.MakeCookie(value))
|
||||
func (p *ProcessCookieTest) Close() {
|
||||
p.backend.Close()
|
||||
}
|
||||
|
||||
func (p *ProcessCookieTest) MakeCookie(value, access_token string) *http.Cookie {
|
||||
cookie_value, _ := buildCookieValue(
|
||||
value, p.proxy.AesCipher, access_token)
|
||||
return p.proxy.MakeCookie(p.req, cookie_value, p.opts.CookieExpire)
|
||||
}
|
||||
|
||||
func (p *ProcessCookieTest) AddCookie(value, access_token string) {
|
||||
p.req.AddCookie(p.MakeCookie(value, access_token))
|
||||
}
|
||||
|
||||
func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, ok bool) {
|
||||
@ -430,11 +454,13 @@ func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, o
|
||||
|
||||
func TestProcessCookie(t *testing.T) {
|
||||
pc_test := NewProcessCookieTest()
|
||||
pc_test.AddCookie("michael.bland@gsa.gov")
|
||||
email, user, _, ok := pc_test.ProcessCookie()
|
||||
|
||||
pc_test.AddCookie("michael.bland@gsa.gov", "my_access_token")
|
||||
email, user, access_token, ok := pc_test.ProcessCookie()
|
||||
assert.Equal(t, true, ok)
|
||||
assert.Equal(t, "michael.bland@gsa.gov", email)
|
||||
assert.Equal(t, "michael.bland", user)
|
||||
assert.Equal(t, "my_access_token", access_token)
|
||||
}
|
||||
|
||||
func TestProcessCookieNoCookieError(t *testing.T) {
|
||||
@ -445,7 +471,10 @@ func TestProcessCookieNoCookieError(t *testing.T) {
|
||||
|
||||
func TestProcessCookieRefreshNotSet(t *testing.T) {
|
||||
pc_test := NewProcessCookieTest()
|
||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
|
||||
pc_test.InstantiateBackend()
|
||||
defer pc_test.Close()
|
||||
|
||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "")
|
||||
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||
pc_test.req.AddCookie(cookie)
|
||||
|
||||
@ -456,7 +485,10 @@ func TestProcessCookieRefreshNotSet(t *testing.T) {
|
||||
|
||||
func TestProcessCookieRefresh(t *testing.T) {
|
||||
pc_test := NewProcessCookieTest()
|
||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
|
||||
pc_test.InstantiateBackend()
|
||||
defer pc_test.Close()
|
||||
|
||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token")
|
||||
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||
pc_test.req.AddCookie(cookie)
|
||||
|
||||
@ -465,3 +497,19 @@ func TestProcessCookieRefresh(t *testing.T) {
|
||||
assert.Equal(t, true, ok)
|
||||
assert.NotEqual(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
|
||||
}
|
||||
|
||||
func TestProcessCookieFailIfRefreshSetAndTokenNoLongerValid(t *testing.T) {
|
||||
pc_test := NewProcessCookieTest()
|
||||
pc_test.InstantiateBackend()
|
||||
defer pc_test.Close()
|
||||
pc_test.response_code = 401
|
||||
|
||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token")
|
||||
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||
pc_test.req.AddCookie(cookie)
|
||||
|
||||
pc_test.proxy.CookieRefresh = time.Duration(24) * time.Hour
|
||||
_, _, _, ok := pc_test.ProcessCookie()
|
||||
assert.Equal(t, false, ok)
|
||||
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user