1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
oauth2-proxy/pkg/cookies/cookies_test.go
Nick Meves 7eeaea0b3f
Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00

80 lines
2.6 KiB
Go

package cookies
import (
"fmt"
"net/http"
middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
. "github.com/onsi/ginkgo"
. "github.com/onsi/ginkgo/extensions/table"
. "github.com/onsi/gomega"
)
var _ = Describe("Cookie Tests", func() {
Context("GetCookieDomain", func() {
type getCookieDomainTableInput struct {
host string
xForwardedHost string
cookieDomains []string
expectedOutput string
}
DescribeTable("should return expected results",
func(in getCookieDomainTableInput) {
req, err := http.NewRequest(
http.MethodGet,
fmt.Sprintf("https://%s/%s", in.host, cookiePath),
nil,
)
Expect(err).ToNot(HaveOccurred())
if in.xForwardedHost != "" {
req.Header.Add("X-Forwarded-Host", in.xForwardedHost)
req = middlewareapi.AddRequestScope(req, &middlewareapi.RequestScope{
ReverseProxy: true,
})
}
Expect(GetCookieDomain(req, in.cookieDomains)).To(Equal(in.expectedOutput))
},
Entry("a single exact match for the Host header", getCookieDomainTableInput{
host: "www.cookies.test",
cookieDomains: []string{"www.cookies.test"},
expectedOutput: "www.cookies.test",
}),
Entry("a single exact match for the X-Forwarded-Host header", getCookieDomainTableInput{
host: "backend.cookies.internal",
xForwardedHost: "www.cookies.test",
cookieDomains: []string{"www.cookies.test"},
expectedOutput: "www.cookies.test",
}),
Entry("a single suffix match for the Host header", getCookieDomainTableInput{
host: "www.cookies.test",
cookieDomains: []string{".cookies.test"},
expectedOutput: ".cookies.test",
}),
Entry("a single suffix match for the X-Forwarded-Host header", getCookieDomainTableInput{
host: "backend.cookies.internal",
xForwardedHost: "www.cookies.test",
cookieDomains: []string{".cookies.test"},
expectedOutput: ".cookies.test",
}),
Entry("the first match is used", getCookieDomainTableInput{
host: "www.cookies.test",
cookieDomains: []string{"www.cookies.test", ".cookies.test"},
expectedOutput: "www.cookies.test",
}),
Entry("the only match is used", getCookieDomainTableInput{
host: "www.cookies.test",
cookieDomains: []string{".cookies.wrong", ".cookies.test"},
expectedOutput: ".cookies.test",
}),
Entry("blank is returned for no matches", getCookieDomainTableInput{
host: "www.cookies.test",
cookieDomains: []string{".cookies.wrong", ".cookies.false"},
expectedOutput: "",
}),
)
})
})