1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-12-02 09:21:48 +02:00
oauth2-proxy/pkg/middleware/basic_session_test.go

145 lines
4.9 KiB
Go

package middleware
import (
"fmt"
"net/http"
"net/http/httptest"
middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
. "github.com/onsi/ginkgo"
. "github.com/onsi/ginkgo/extensions/table"
. "github.com/onsi/gomega"
)
const (
adminUser = "admin"
adminPassword = "Adm1n1str$t0r"
user1 = "user1"
user1Password = "UsErOn3P455"
user2 = "user2"
user2Password = "us3r2P455W0Rd!"
)
var _ = Describe("Basic Auth Session Suite", func() {
Context("BasicAuthSessionLoader", func() {
type basicAuthSessionLoaderTableInput struct {
authorizationHeader string
preferEmail bool
sessionGroups []string
existingSession *sessionsapi.SessionState
expectedSession *sessionsapi.SessionState
}
DescribeTable("with an authorization header",
func(in basicAuthSessionLoaderTableInput) {
scope := &middlewareapi.RequestScope{
Session: in.existingSession,
}
// Set up the request with the authorization header and a request scope
req := httptest.NewRequest("", "/", nil)
req.Header.Set("Authorization", in.authorizationHeader)
req = middlewareapi.AddRequestScope(req, scope)
rw := httptest.NewRecorder()
validator := fakeBasicValidator{
users: map[string]string{
adminUser: adminPassword,
user1: user1Password,
user2: user2Password,
},
}
// Create the handler with a next handler that will capture the session
// from the scope
var gotSession *sessionsapi.SessionState
handler := NewBasicAuthSessionLoader(validator, in.sessionGroups, in.preferEmail)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
gotSession = middlewareapi.GetRequestScope(r).Session
}))
handler.ServeHTTP(rw, req)
Expect(gotSession).To(Equal(in.expectedSession))
},
Entry("<no value>", basicAuthSessionLoaderTableInput{
authorizationHeader: "",
existingSession: nil,
expectedSession: nil,
}),
Entry("abcdef", basicAuthSessionLoaderTableInput{
authorizationHeader: "abcdef",
existingSession: nil,
expectedSession: nil,
}),
Entry("abcdef (with existing session)", basicAuthSessionLoaderTableInput{
authorizationHeader: "abcdef",
existingSession: &sessionsapi.SessionState{User: "user"},
expectedSession: &sessionsapi.SessionState{User: "user"},
}),
Entry("Bearer <password>", basicAuthSessionLoaderTableInput{
authorizationHeader: fmt.Sprintf("Bearer %s", adminPassword),
existingSession: nil,
expectedSession: nil,
}),
Entry("Basic <password>", basicAuthSessionLoaderTableInput{
authorizationHeader: fmt.Sprintf("Basic %s", adminPassword),
existingSession: nil,
expectedSession: nil,
}),
Entry("Basic Base64(:<password>) (with existing session)", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic OlVzRXJPbjNQNDU1",
existingSession: &sessionsapi.SessionState{User: "user"},
expectedSession: &sessionsapi.SessionState{User: "user"},
}),
Entry("Basic Base64(user1:<user1Password>)", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic dXNlcjE6VXNFck9uM1A0NTU=",
existingSession: nil,
expectedSession: &sessionsapi.SessionState{User: "user1"},
}),
Entry("Basic Base64(user2:<user1Password>)", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic dXNlcjI6VXNFck9uM1A0NTU=",
existingSession: nil,
expectedSession: nil,
}),
Entry("Basic Base64(user2:<user2Password>)", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic dXNlcjI6dXMzcjJQNDU1VzBSZCE=",
existingSession: nil,
expectedSession: &sessionsapi.SessionState{User: "user2"},
}),
Entry("Basic Base64(admin:<adminPassword>)", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic YWRtaW46QWRtMW4xc3RyJHQwcg==",
existingSession: nil,
expectedSession: &sessionsapi.SessionState{User: "admin"},
}),
Entry("Basic with groups", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic YWRtaW46QWRtMW4xc3RyJHQwcg==",
sessionGroups: []string{"a", "b"},
existingSession: nil,
expectedSession: &sessionsapi.SessionState{User: "admin", Groups: []string{"a", "b"}},
}),
Entry("Basic Base64(user1:<user1Password>) (with PreferEmailToUser)", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic dXNlcjE6VXNFck9uM1A0NTU=",
preferEmail: true,
existingSession: nil,
expectedSession: &sessionsapi.SessionState{User: "user1", Email: "user1"},
}),
)
})
})
type fakeBasicValidator struct {
users map[string]string
}
func (f fakeBasicValidator) Validate(user, password string) bool {
if f.users == nil {
return false
}
if realPassword, ok := f.users[user]; ok {
return realPassword == password
}
return false
}