oauth2-proxy/pkg/validation/cookie_test.go

package validation

import (
	"strings"
	"testing"
	"time"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	. "github.com/onsi/gomega"
)

func TestValidateCookie(t *testing.T) {
	alphabet := "abcdefghijklmnopqrstuvwxyz"

	validName := "_oauth2_proxy"
	invalidName := "_oauth2;proxy" // Separater character not allowed
	// 10 times the alphabet should be longer than 256 characters
	longName := strings.Repeat(alphabet, 10)
	validSecret := "secretthirtytwobytes+abcdefghijk"
	invalidSecret := "abcdef"                                          // 6 bytes is not a valid size
	validBase64Secret := "c2VjcmV0dGhpcnR5dHdvYnl0ZXMrYWJjZGVmZ2hpams" // Base64 encoding of "secretthirtytwobytes+abcdefghijk"
	invalidBase64Secret := "YWJjZGVmCg"                                // Base64 encoding of "abcdef"
	emptyDomains := []string{}
	domains := []string{
		"a.localhost",
		"ba.localhost",
		"ca.localhost",
		"cba.localhost",
		"a.cba.localhost",
	}

	invalidNameMsg := "invalid cookie name: \"_oauth2;proxy\""
	longNameMsg := "cookie name should be under 256 characters: cookie name is 260 characters"
	missingSecretMsg := "missing setting: cookie-secret"
	invalidSecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 6 bytes"
	invalidBase64SecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 10 bytes"
	refreshLongerThanExpireMsg := "cookie_refresh (\"1h0m0s\") must be less than cookie_expire (\"15m0s\")"
	invalidSameSiteMsg := "cookie_samesite (\"invalid\") must be one of ['', 'lax', 'strict', 'none']"

	testCases := []struct {
		name       string
		cookie     options.Cookie
		errStrings []string
	}{
		{
			name: "with valid configuration",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   validSecret,
				Domains:  domains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{},
		},
		{
			name: "with no cookie secret",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   "",
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{
				missingSecretMsg,
			},
		},
		{
			name: "with an invalid cookie secret",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   invalidSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{
				invalidSecretMsg,
			},
		},
		{
			name: "with a valid Base64 secret",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   validBase64Secret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{},
		},
		{
			name: "with an invalid Base64 secret",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   invalidBase64Secret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{
				invalidBase64SecretMsg,
			},
		},
		{
			name: "with an invalid name",
			cookie: options.Cookie{
				Name:     invalidName,
				Secret:   validSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{
				invalidNameMsg,
			},
		},
		{
			name: "with a name that is too long",
			cookie: options.Cookie{
				Name:     longName,
				Secret:   validSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{
				longNameMsg,
			},
		},
		{
			name: "with refresh longer than expire",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   validSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   15 * time.Minute,
				Refresh:  time.Hour,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "",
			},
			errStrings: []string{
				refreshLongerThanExpireMsg,
			},
		},
		{
			name: "with samesite \"none\"",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   validSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "none",
			},
			errStrings: []string{},
		},
		{
			name: "with samesite \"lax\"",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   validSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "none",
			},
			errStrings: []string{},
		},
		{
			name: "with samesite \"strict\"",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   validSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "none",
			},
			errStrings: []string{},
		},
		{
			name: "with samesite \"invalid\"",
			cookie: options.Cookie{
				Name:     validName,
				Secret:   validSecret,
				Domains:  emptyDomains,
				Path:     "",
				Expire:   time.Hour,
				Refresh:  15 * time.Minute,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "invalid",
			},
			errStrings: []string{
				invalidSameSiteMsg,
			},
		},
		{
			name: "with a combination of configuration errors",
			cookie: options.Cookie{
				Name:     invalidName,
				Secret:   invalidSecret,
				Domains:  domains,
				Path:     "",
				Expire:   15 * time.Minute,
				Refresh:  time.Hour,
				Secure:   true,
				HTTPOnly: false,
				SameSite: "invalid",
			},
			errStrings: []string{
				invalidNameMsg,
				invalidSecretMsg,
				refreshLongerThanExpireMsg,
				invalidSameSiteMsg,
			},
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			errStrings := validateCookie(tc.cookie)
			g := NewWithT(t)

			g.Expect(errStrings).To(ConsistOf(tc.errStrings))
			// Check domains were sorted to the right lengths
			for i := 0; i < len(tc.cookie.Domains)-1; i++ {
				g.Expect(len(tc.cookie.Domains[i])).To(BeNumerically(">=", len(tc.cookie.Domains[i+1])))
			}
		})
	}
}