* Add sensible logging flag to default setup for logger
* Add Redis lock
* Fix default value flag for sensitive logging
* Split RefreshSessionIfNeeded in two methods and use Redis lock
* Small adjustments to doc and code
* Remove sensible logging
* Fix method names in ticket.go
* Revert "Fix method names in ticket.go"
This reverts commit 408ba1a1a5
.
* Fix methods name in ticket.go
* Remove block in Redis client get
* Increase lock time to 1 second
* Perform retries, if session store is locked
* Reverse if condition, because it should return if session does not have to be refreshed
* Update go.sum
* Update MockStore
* Return error if loading session fails
* Fix and update tests
* Change validSession to session in docs and strings
* Change validSession to session in docs and strings
* Fix docs
* Fix wrong field name
* Fix linting
* Fix imports for linting
* Revert changes except from locking functionality
* Add lock feature on session state
* Update from master
* Remove errors package, because it is not used
* Only pass context instead of request to lock
* Use lock key
* By default use NoOpLock
* Remove debug output
* Update ticket_test.go
* Map internal error to sessions error
* Add ErrLockNotObtained
* Enable lock peek for all redis clients
* Use lock key prefix consistent
* Fix imports
* Use exists method for peek lock
* Fix imports
* Fix imports
* Fix imports
* Remove own Dockerfile
* Fix imports
* Fix tests for ticket and session store
* Fix session store test
* Update pkg/apis/sessions/interfaces.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Do not wrap lock method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Use errors package for lock constants
* Use better naming for initLock function
* Add comments
* Add session store lock test
* Fix tests
* Fix tests
* Fix tests
* Fix tests
* Add cookies after saving session
* Add mock lock
* Fix imports for mock_lock.go
* Store mock lock for key
* Apply elapsed time on mock lock
* Check if lock is initially applied
* Reuse existing lock
* Test all lock methods
* Update CHANGELOG.md
* Use redis client methods in redis.lock for release and refresh
* Use lock key suffix instead of prefix for lock key
* Add comments for Lock interface
* Update comment for Lock interface
* Update CHANGELOG.md
* Change LockSuffix to const
* Check lock on already loaded session
* Use global var for loadedSession in lock tests
* Use lock instance for refreshing and releasing of lock
* Update possible error type for Refresh
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
package persistence
import (
"encoding/base64"
"errors"
"fmt"
"time"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
. "github.com/onsi/ginkgo"
. "github.com/onsi/ginkgo/extensions/table"
. "github.com/onsi/gomega"
)
// Session Ticket Tests cover the ticket helpers of this package: the
// "<id>.<secret>" wire encoding, and the save/load/clear wrappers that
// delegate storage to caller-supplied functions keyed by the ticket id.
var _ = Describe("Session Ticket Tests", func() {
	Context("encodeTicket & decodeTicket", func() {
		// ticketTableInput drives the round-trip table below. With a ticket
		// set the entry checks encode -> decode; with ticket nil the entry
		// feeds encodedTicket straight to decodeTicket and expects
		// expectedError.
		type ticketTableInput struct {
			ticket        *ticket
			encodedTicket string
			expectedError error
		}

		DescribeTable("encodeTicket should decodeTicket back when valid",
			func(tc ticketTableInput) {
				// Error-only entries: nothing to encode, so decode the given
				// string (no cookie options) and compare the error.
				if tc.ticket == nil {
					_, err := decodeTicket(tc.encodedTicket, nil)
					Expect(err).To(MatchError(tc.expectedError))
					return
				}

				encoded := tc.ticket.encodeTicket()
				Expect(encoded).To(Equal(tc.encodedTicket))

				// Decoding with the same cookie options must reproduce the
				// ticket exactly, secret bytes included.
				decoded, err := decodeTicket(encoded, tc.ticket.options)
				Expect(err).ToNot(HaveOccurred())
				Expect(decoded).To(Equal(tc.ticket))
			},
			Entry("with a valid ticket", ticketTableInput{
				ticket: &ticket{
					id:     "dummy-0123456789abcdef",
					secret: []byte("0123456789abcdef"),
					options: &options.Cookie{
						Name: "dummy",
					},
				},
				// Wire format: "<id>.<raw URL-safe base64 of the secret>".
				encodedTicket: "dummy-0123456789abcdef." + base64.RawURLEncoding.EncodeToString([]byte("0123456789abcdef")),
				expectedError: nil,
			}),
			Entry("with an invalid encoded ticket with 1 part", ticketTableInput{
				ticket:        nil,
				encodedTicket: "dummy-0123456789abcdef",
				expectedError: errors.New("failed to decode ticket"),
			}),
			Entry("with an invalid base64 encoded secret", ticketTableInput{
				ticket:        nil,
				encodedTicket: "dummy-0123456789abcdef.@)#($*@)#(*$@)#(*$",
				expectedError: fmt.Errorf("failed to decode encryption secret: illegal base64 data at input byte 0"),
			}),
		)
	})

	Context("saveSession", func() {
		It("uses the passed save function", func() {
			tkt, err := newTicket(&options.Cookie{Name: "dummy"})
			Expect(err).ToNot(HaveOccurred())

			// The cipher derived from the ticket is what decodes the bytes the
			// save function receives, so keep it for the check below.
			cipher, err := tkt.makeCipher()
			Expect(err).ToNot(HaveOccurred())

			state := &sessions.SessionState{User: "foobar"}
			saved := make(map[string][]byte)
			record := func(key string, value []byte, _ time.Duration) error {
				saved[key] = value
				return nil
			}
			Expect(tkt.saveSession(state, record)).To(Succeed())

			// The entry is stored under the ticket id and must decode back to
			// the original state with the ticket-derived cipher.
			stored, err := sessions.DecodeSessionState(saved[tkt.id], cipher, false)
			Expect(err).ToNot(HaveOccurred())
			Expect(stored).To(Equal(state))
		})

		It("errors when the saveFunc errors", func() {
			tkt, err := newTicket(&options.Cookie{Name: "dummy"})
			Expect(err).ToNot(HaveOccurred())

			// The save function's error must be surfaced to the caller.
			failing := func(_ string, _ []byte, _ time.Duration) error {
				return errors.New("save error")
			}
			err = tkt.saveSession(&sessions.SessionState{User: "foobar"}, failing)
			Expect(err).To(MatchError(errors.New("save error")))
		})
	})

	Context("loadSession", func() {
		It("uses the passed load function", func() {
			tkt, err := newTicket(&options.Cookie{Name: "dummy"})
			Expect(err).ToNot(HaveOccurred())

			cipher, err := tkt.makeCipher()
			Expect(err).ToNot(HaveOccurred())

			// The expected state carries a NoOpLock, the same kind the lock
			// function below hands out, so Equal can compare whole structs.
			state := &sessions.SessionState{
				User: "foobar",
				Lock: &sessions.NoOpLock{},
			}
			load := func(_ string) ([]byte, error) {
				return state.EncodeSessionState(cipher, false)
			}
			initLock := func(_ string) sessions.Lock {
				return &sessions.NoOpLock{}
			}
			loaded, err := tkt.loadSession(load, initLock)
			Expect(err).ToNot(HaveOccurred())
			Expect(loaded).To(Equal(state))
		})

		It("errors when the loadFunc errors", func() {
			tkt, err := newTicket(&options.Cookie{Name: "dummy"})
			Expect(err).ToNot(HaveOccurred())

			load := func(_ string) ([]byte, error) {
				return nil, errors.New("load error")
			}
			initLock := func(_ string) sessions.Lock {
				return &sessions.NoOpLock{}
			}
			loaded, err := tkt.loadSession(load, initLock)
			Expect(loaded).To(BeNil())
			// loadSession wraps the load error with its own context.
			Expect(err).To(MatchError(errors.New("failed to load the session state with the ticket: load error")))
		})
	})

	Context("clearSession", func() {
		It("uses the passed clear function", func() {
			tkt, err := newTicket(&options.Cookie{Name: "dummy"})
			Expect(err).ToNot(HaveOccurred())

			// Capture which key the clear function is asked to remove.
			var clearedKey string
			Expect(tkt.clearSession(func(key string) error {
				clearedKey = key
				return nil
			})).To(Succeed())
			// The stored entry lives under the ticket id.
			Expect(clearedKey).To(Equal(tkt.id))
		})

		It("errors when the clearFunc errors", func() {
			tkt, err := newTicket(&options.Cookie{Name: "dummy"})
			Expect(err).ToNot(HaveOccurred())

			err = tkt.clearSession(func(_ string) error {
				return errors.New("clear error")
			})
			Expect(err).To(MatchError(errors.New("clear error")))
		})
	})
})