package providers import ( "context" "errors" "fmt" "net/http" "net/http/httptest" "net/url" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" ) const ( keycloakAccessToken = "eyJKeycloak.eyJAccess.Token" keycloakUserinfoPath = "/api/v3/user" ) func testKeycloakProvider(backend *httptest.Server) (*KeycloakProvider, error) { p := NewKeycloakProvider( &ProviderData{ ProviderName: "", LoginURL: &url.URL{}, RedeemURL: &url.URL{}, ProfileURL: &url.URL{}, ValidateURL: &url.URL{}, Scope: ""}, options.KeycloakOptions{}) if backend != nil { bURL, err := url.Parse(backend.URL) if err != nil { return nil, err } hostname := bURL.Host updateURL(p.Data().LoginURL, hostname) updateURL(p.Data().RedeemURL, hostname) updateURL(p.Data().ProfileURL, hostname) updateURL(p.Data().ValidateURL, hostname) } return p, nil } var _ = Describe("Keycloak Provider Tests", func() { Context("New Provider Init", func() { It("uses defaults", func() { providerData := NewKeycloakProvider(&ProviderData{}, options.KeycloakOptions{}).Data() Expect(providerData.ProviderName).To(Equal("Keycloak")) Expect(providerData.LoginURL.String()).To(Equal("https://keycloak.org/oauth/authorize")) Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak.org/oauth/token")) Expect(providerData.ProfileURL.String()).To(Equal("")) Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak.org/api/v3/user")) Expect(providerData.Scope).To(Equal("api")) }) It("overrides defaults", func() { p := NewKeycloakProvider( &ProviderData{ LoginURL: &url.URL{ Scheme: "https", Host: "example.com", Path: "/oauth/auth"}, RedeemURL: &url.URL{ Scheme: "https", Host: "example.com", Path: "/oauth/token"}, ProfileURL: &url.URL{ Scheme: "https", Host: "example.com", Path: "/api/v3/user"}, ValidateURL: &url.URL{ Scheme: "https", Host: "example.com", Path: "/api/v3/user"}, Scope: "profile"}, options.KeycloakOptions{}) providerData := p.Data() Expect(providerData.ProviderName).To(Equal("Keycloak")) Expect(providerData.LoginURL.String()).To(Equal("https://example.com/oauth/auth")) Expect(providerData.RedeemURL.String()).To(Equal("https://example.com/oauth/token")) Expect(providerData.ProfileURL.String()).To(Equal("https://example.com/api/v3/user")) Expect(providerData.ValidateURL.String()).To(Equal("https://example.com/api/v3/user")) Expect(providerData.Scope).To(Equal("profile")) }) }) Context("EnrichSession", func() { type enrichSessionTableInput struct { backendHandler http.HandlerFunc expectedError error expectedEmail string expectedGroups []string } DescribeTable("should return expected results", func(in enrichSessionTableInput) { backend := httptest.NewServer(in.backendHandler) p, err := testKeycloakProvider(backend) Expect(err).To(BeNil()) p.ProfileURL, err = url.Parse( fmt.Sprintf("%s%s", backend.URL, keycloakUserinfoPath), ) Expect(err).To(BeNil()) session := &sessions.SessionState{AccessToken: keycloakAccessToken} err = p.EnrichSession(context.Background(), session) if in.expectedError != nil { Expect(err).To(Equal(in.expectedError)) } else { Expect(err).To(BeNil()) } Expect(session.Email).To(Equal(in.expectedEmail)) if in.expectedGroups != nil { Expect(session.Groups).To(Equal(in.expectedGroups)) } else { Expect(session.Groups).To(BeNil()) } }, Entry("email and multiple groups", enrichSessionTableInput{ backendHandler: func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) _, err := w.Write([]byte(` { "email": "michael.bland@gsa.gov", "groups": [ "test-grp1", "test-grp2" ] } `)) if err != nil { panic(err) } }, expectedError: nil, expectedEmail: "michael.bland@gsa.gov", expectedGroups: []string{"test-grp1", "test-grp2"}, }), Entry("email and single group", enrichSessionTableInput{ backendHandler: func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) _, err := w.Write([]byte(` { "email": "michael.bland@gsa.gov", "groups": ["test-grp1"] } `)) if err != nil { panic(err) } }, expectedError: nil, expectedEmail: "michael.bland@gsa.gov", expectedGroups: []string{"test-grp1"}, }), Entry("email and no groups", enrichSessionTableInput{ backendHandler: func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) _, err := w.Write([]byte(` { "email": "michael.bland@gsa.gov" } `)) if err != nil { panic(err) } }, expectedError: nil, expectedEmail: "michael.bland@gsa.gov", expectedGroups: nil, }), Entry("missing email", enrichSessionTableInput{ backendHandler: func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) _, err := w.Write([]byte(` { "groups": [ "test-grp1", "test-grp2" ] } `)) if err != nil { panic(err) } }, expectedError: errors.New( "unable to extract email from userinfo endpoint: type assertion to string failed"), expectedEmail: "", expectedGroups: []string{"test-grp1", "test-grp2"}, }), Entry("request failure", enrichSessionTableInput{ backendHandler: func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(500) }, expectedError: errors.New(`unexpected status "500": `), expectedEmail: "", expectedGroups: nil, }), ) }) })