package validation
import (
"strings"
"testing"
"time"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
. "github.com/onsi/gomega"
)
func TestValidateCookie(t *testing.T) {
alphabet := "abcdefghijklmnopqrstuvwxyz"
validName := "_oauth2_proxy"
invalidName := "_oauth2;proxy" // Separater character not allowed
// 10 times the alphabet should be longer than 256 characters
longName := strings.Repeat(alphabet, 10)
validSecret := "secretthirtytwobytes+abcdefghijk"
invalidSecret := "abcdef" // 6 bytes is not a valid size
validBase64Secret := "c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpams" // Base64 encoding of "secretthirtytwobytes+abcdefghijk"
invalidBase64Secret := "YWJjZGVmCg" // Base64 encoding of "abcdef"
emptyDomains := []string{}
domains := []string{
"a.localhost",
"ba.localhost",
"ca.localhost",
"cba.localhost",
"a.cba.localhost",
}
invalidNameMsg := "invalid cookie name: \"_oauth2;proxy\""
longNameMsg := "cookie name should be under 256 characters: cookie name is 260 characters"
missingSecretMsg := "missing setting: cookie-secret"
invalidSecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 6 bytes"
invalidBase64SecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 10 bytes"
refreshLongerThanExpireMsg := "cookie_refresh (\"1h0m0s\") must be less than cookie_expire (\"15m0s\")"
invalidSameSiteMsg := "cookie_samesite (\"invalid\") must be one of ['', 'lax', 'strict', 'none']"
testCases := []struct {
name string
cookie options.Cookie
errStrings []string
}{
{
name: "with valid configuration",
cookie: options.Cookie{
Name: validName,
Secret: validSecret,
Domains: domains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{},
},
{
name: "with no cookie secret",
cookie: options.Cookie{
Name: validName,
Secret: "",
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{
missingSecretMsg,
},
},
{
name: "with an invalid cookie secret",
cookie: options.Cookie{
Name: validName,
Secret: invalidSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{
invalidSecretMsg,
},
},
{
name: "with a valid Base64 secret",
cookie: options.Cookie{
Name: validName,
Secret: validBase64Secret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{},
},
{
name: "with an invalid Base64 secret",
cookie: options.Cookie{
Name: validName,
Secret: invalidBase64Secret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{
invalidBase64SecretMsg,
},
},
{
name: "with an invalid name",
cookie: options.Cookie{
Name: invalidName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{
invalidNameMsg,
},
},
{
name: "with a name that is too long",
cookie: options.Cookie{
Name: longName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{
longNameMsg,
},
},
{
name: "with refresh longer than expire",
cookie: options.Cookie{
Name: validName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: 15 * time.Minute,
Refresh: time.Hour,
Secure: true,
HTTPOnly: false,
SameSite: "",
},
errStrings: []string{
refreshLongerThanExpireMsg,
},
},
{
name: "with samesite \"none\"",
cookie: options.Cookie{
Name: validName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "none",
},
errStrings: []string{},
},
{
name: "with samesite \"lax\"",
cookie: options.Cookie{
Name: validName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "none",
},
errStrings: []string{},
},
{
name: "with samesite \"strict\"",
cookie: options.Cookie{
Name: validName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "none",
},
errStrings: []string{},
},
{
name: "with samesite \"invalid\"",
cookie: options.Cookie{
Name: validName,
Secret: validSecret,
Domains: emptyDomains,
Path: "",
Expire: time.Hour,
Refresh: 15 * time.Minute,
Secure: true,
HTTPOnly: false,
SameSite: "invalid",
},
errStrings: []string{
invalidSameSiteMsg,
},
},
{
name: "with a combination of configuration errors",
cookie: options.Cookie{
Name: invalidName,
Secret: invalidSecret,
Domains: domains,
Path: "",
Expire: 15 * time.Minute,
Refresh: time.Hour,
Secure: true,
HTTPOnly: false,
SameSite: "invalid",
},
errStrings: []string{
invalidNameMsg,
invalidSecretMsg,
refreshLongerThanExpireMsg,
invalidSameSiteMsg,
},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
errStrings := validateCookie(tc.cookie)
g := NewWithT(t)
g.Expect(errStrings).To(ConsistOf(tc.errStrings))
// Check domains were sorted to the right lengths
for i := 0; i < len(tc.cookie.Domains)-1; i++ {
g.Expect(len(tc.cookie.Domains[i])).To(BeNumerically(">=", len(tc.cookie.Domains[i+1])))
}
})
}
}