mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2024-11-28 09:08:44 +02:00
7eeaea0b3f
* Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring
80 lines
2.6 KiB
Go
80 lines
2.6 KiB
Go
package cookies
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
|
|
middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
|
|
. "github.com/onsi/ginkgo"
|
|
. "github.com/onsi/ginkgo/extensions/table"
|
|
. "github.com/onsi/gomega"
|
|
)
|
|
|
|
var _ = Describe("Cookie Tests", func() {
|
|
Context("GetCookieDomain", func() {
|
|
type getCookieDomainTableInput struct {
|
|
host string
|
|
xForwardedHost string
|
|
cookieDomains []string
|
|
expectedOutput string
|
|
}
|
|
|
|
DescribeTable("should return expected results",
|
|
func(in getCookieDomainTableInput) {
|
|
req, err := http.NewRequest(
|
|
http.MethodGet,
|
|
fmt.Sprintf("https://%s/%s", in.host, cookiePath),
|
|
nil,
|
|
)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
if in.xForwardedHost != "" {
|
|
req.Header.Add("X-Forwarded-Host", in.xForwardedHost)
|
|
req = middlewareapi.AddRequestScope(req, &middlewareapi.RequestScope{
|
|
ReverseProxy: true,
|
|
})
|
|
}
|
|
|
|
Expect(GetCookieDomain(req, in.cookieDomains)).To(Equal(in.expectedOutput))
|
|
},
|
|
Entry("a single exact match for the Host header", getCookieDomainTableInput{
|
|
host: "www.cookies.test",
|
|
cookieDomains: []string{"www.cookies.test"},
|
|
expectedOutput: "www.cookies.test",
|
|
}),
|
|
Entry("a single exact match for the X-Forwarded-Host header", getCookieDomainTableInput{
|
|
host: "backend.cookies.internal",
|
|
xForwardedHost: "www.cookies.test",
|
|
cookieDomains: []string{"www.cookies.test"},
|
|
expectedOutput: "www.cookies.test",
|
|
}),
|
|
Entry("a single suffix match for the Host header", getCookieDomainTableInput{
|
|
host: "www.cookies.test",
|
|
cookieDomains: []string{".cookies.test"},
|
|
expectedOutput: ".cookies.test",
|
|
}),
|
|
Entry("a single suffix match for the X-Forwarded-Host header", getCookieDomainTableInput{
|
|
host: "backend.cookies.internal",
|
|
xForwardedHost: "www.cookies.test",
|
|
cookieDomains: []string{".cookies.test"},
|
|
expectedOutput: ".cookies.test",
|
|
}),
|
|
Entry("the first match is used", getCookieDomainTableInput{
|
|
host: "www.cookies.test",
|
|
cookieDomains: []string{"www.cookies.test", ".cookies.test"},
|
|
expectedOutput: "www.cookies.test",
|
|
}),
|
|
Entry("the only match is used", getCookieDomainTableInput{
|
|
host: "www.cookies.test",
|
|
cookieDomains: []string{".cookies.wrong", ".cookies.test"},
|
|
expectedOutput: ".cookies.test",
|
|
}),
|
|
Entry("blank is returned for no matches", getCookieDomainTableInput{
|
|
host: "www.cookies.test",
|
|
cookieDomains: []string{".cookies.wrong", ".cookies.false"},
|
|
expectedOutput: "",
|
|
}),
|
|
)
|
|
})
|
|
})
|