1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-23 00:40:46 +02:00

SessionState refactoring; improve token renewal and cookie refresh

* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encription/decription and session state serialization
This commit is contained in:
Jehiah Czebotar
2015-06-23 07:23:39 -04:00
parent b9ae5dc8d7
commit d49c3e167f
21 changed files with 883 additions and 597 deletions

@ -94,11 +94,11 @@ type TestProvider struct {
ValidToken bool
}
func (tp *TestProvider) GetEmailAddress(body []byte, access_token string) (string, error) {
func (tp *TestProvider) GetEmailAddress(session *providers.SessionState) (string, error) {
return tp.EmailAddress, nil
}
func (tp *TestProvider) ValidateToken(access_token string) bool {
func (tp *TestProvider) ValidateSessionState(session *providers.SessionState) bool {
return tp.ValidToken
}
@ -378,97 +378,73 @@ func NewProcessCookieTestWithDefaults() *ProcessCookieTest {
})
}
func (p *ProcessCookieTest) MakeCookie(value, access_token string, ref time.Time) *http.Cookie {
cookie_value, _ := buildCookieValue(value, p.proxy.AesCipher, access_token)
return p.proxy.MakeCookie(p.req, cookie_value, p.opts.CookieExpire, ref)
func (p *ProcessCookieTest) MakeCookie(value string, ref time.Time) *http.Cookie {
return p.proxy.MakeCookie(p.req, value, p.opts.CookieExpire, ref)
}
func (p *ProcessCookieTest) AddCookie(value, access_token string) {
p.req.AddCookie(p.MakeCookie(value, access_token, time.Now()))
func (p *ProcessCookieTest) SaveSession(s *providers.SessionState, ref time.Time) error {
value, err := p.proxy.provider.CookieForSession(s, p.proxy.CookieCipher)
if err != nil {
return err
}
p.req.AddCookie(p.proxy.MakeCookie(p.req, value, p.proxy.CookieExpire, ref))
return nil
}
func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, ok bool) {
return p.proxy.ProcessCookie(p.rw, p.req)
func (p *ProcessCookieTest) LoadCookiedSession() (*providers.SessionState, time.Duration, error) {
return p.proxy.LoadCookiedSession(p.req)
}
func TestProcessCookie(t *testing.T) {
func TestLoadCookiedSession(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
pc_test.AddCookie("michael.bland@gsa.gov", "my_access_token")
email, user, access_token, ok := pc_test.ProcessCookie()
assert.Equal(t, true, ok)
assert.Equal(t, "michael.bland@gsa.gov", email)
assert.Equal(t, "michael.bland", user)
assert.Equal(t, "my_access_token", access_token)
startSession := &providers.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token"}
pc_test.SaveSession(startSession, time.Now())
session, _, err := pc_test.LoadCookiedSession()
assert.Equal(t, nil, err)
assert.Equal(t, startSession.Email, session.Email)
assert.Equal(t, "michael.bland", session.User)
assert.Equal(t, startSession.AccessToken, session.AccessToken)
}
func TestProcessCookieNoCookieError(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, false, ok)
}
func TestProcessCookieFailIfParsingCookieValueFails(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
value, _ := buildCookieValue("michael.bland@gsa.gov",
pc_test.proxy.AesCipher, "my_access_token")
pc_test.req.AddCookie(pc_test.proxy.MakeCookie(
pc_test.req, value+"some bogus bytes",
pc_test.opts.CookieExpire, time.Now()))
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, false, ok)
session, _, err := pc_test.LoadCookiedSession()
assert.Equal(t, "Cookie \"_oauth2_proxy\" not present", err.Error())
if session != nil {
t.Errorf("expected nil session. got %#v", session)
}
}
func TestProcessCookieRefreshNotSet(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
pc_test.proxy.CookieExpire = time.Duration(23) * time.Hour
reference := time.Now().Add(time.Duration(-2) * time.Hour)
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "", reference)
pc_test.req.AddCookie(cookie)
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, true, ok)
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
}
startSession := &providers.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token"}
pc_test.SaveSession(startSession, reference)
func TestProcessCookieRefresh(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
pc_test.proxy.CookieExpire = time.Duration(23) * time.Hour
reference := time.Now().Add(time.Duration(-2) * time.Hour)
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
pc_test.req.AddCookie(cookie)
pc_test.proxy.CookieRefresh = time.Hour
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, true, ok)
assert.NotEqual(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
}
func TestProcessCookieRefreshThresholdNotCrossed(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
pc_test.proxy.CookieExpire = time.Duration(23) * time.Hour
reference := time.Now().Add(time.Duration(-30) * time.Minute)
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
pc_test.req.AddCookie(cookie)
pc_test.proxy.CookieRefresh = time.Hour
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, true, ok)
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
session, age, err := pc_test.LoadCookiedSession()
assert.Equal(t, nil, err)
if age < time.Duration(-2)*time.Hour {
t.Errorf("cookie too young %v", age)
}
assert.Equal(t, startSession.Email, session.Email)
}
func TestProcessCookieFailIfCookieExpired(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
pc_test.proxy.CookieExpire = time.Duration(24) * time.Hour
reference := time.Now().Add(time.Duration(25) * time.Hour * -1)
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
pc_test.req.AddCookie(cookie)
startSession := &providers.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token"}
pc_test.SaveSession(startSession, reference)
if _, _, _, ok := pc_test.ProcessCookie(); ok {
t.Error("ProcessCookie() should have failed")
}
if set_cookie := pc_test.rw.HeaderMap["Set-Cookie"]; set_cookie != nil {
t.Error("expected Set-Cookie to be nil, instead was: ", set_cookie)
session, _, err := pc_test.LoadCookiedSession()
assert.NotEqual(t, nil, err)
if session != nil {
t.Errorf("expected nil session %#v", session)
}
}
@ -476,44 +452,13 @@ func TestProcessCookieFailIfRefreshSetAndCookieExpired(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
pc_test.proxy.CookieExpire = time.Duration(24) * time.Hour
reference := time.Now().Add(time.Duration(25) * time.Hour * -1)
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
pc_test.req.AddCookie(cookie)
startSession := &providers.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token"}
pc_test.SaveSession(startSession, reference)
pc_test.proxy.CookieRefresh = time.Hour
if _, _, _, ok := pc_test.ProcessCookie(); ok {
t.Error("ProcessCookie() should have failed")
}
if set_cookie := pc_test.rw.HeaderMap["Set-Cookie"]; set_cookie != nil {
t.Error("expected Set-Cookie to be nil, instead was: ", set_cookie)
session, _, err := pc_test.LoadCookiedSession()
assert.NotEqual(t, nil, err)
if session != nil {
t.Errorf("expected nil session %#v", session)
}
}
func TestProcessCookieFailIfRefreshSetAndTokenNoLongerValid(t *testing.T) {
pc_test := NewProcessCookieTest(ProcessCookieTestOpts{
provider_validate_cookie_response: false,
})
pc_test.proxy.CookieExpire = time.Duration(23) * time.Hour
reference := time.Now().Add(time.Duration(-24) * time.Hour)
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
pc_test.req.AddCookie(cookie)
pc_test.proxy.CookieRefresh = time.Hour
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, false, ok)
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
}
func TestProcessCookieFailIfRefreshSetAndUserNoLongerValid(t *testing.T) {
pc_test := NewProcessCookieTestWithDefaults()
pc_test.validate_user = false
pc_test.proxy.CookieExpire = time.Duration(23) * time.Hour
reference := time.Now().Add(time.Duration(-2) * time.Hour)
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token", reference)
pc_test.req.AddCookie(cookie)
pc_test.proxy.CookieRefresh = time.Hour
_, _, _, ok := pc_test.ProcessCookie()
assert.Equal(t, false, ok)
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
}