mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-04-15 11:56:49 +02:00
f648c54d87
* Add sensible logging flag to default setup for logger * Add Redis lock * Fix default value flag for sensitive logging * Split RefreshSessionIfNeeded in two methods and use Redis lock * Small adjustments to doc and code * Remove sensible logging * Fix method names in ticket.go * Revert "Fix method names in ticket.go" This reverts commit 408ba1a1a5c55a3cad507a0be8634af1977769cb. * Fix methods name in ticket.go * Remove block in Redis client get * Increase lock time to 1 second * Perform retries, if session store is locked * Reverse if condition, because it should return if session does not have to be refreshed * Update go.sum * Update MockStore * Return error if loading session fails * Fix and update tests * Change validSession to session in docs and strings * Change validSession to session in docs and strings * Fix docs * Fix wrong field name * Fix linting * Fix imports for linting * Revert changes except from locking functionality * Add lock feature on session state * Update from master * Remove errors package, because it is not used * Only pass context instead of request to lock * Use lock key * By default use NoOpLock * Remove debug output * Update ticket_test.go * Map internal error to sessions error * Add ErrLockNotObtained * Enable lock peek for all redis clients * Use lock key prefix consistent * Fix imports * Use exists method for peek lock * Fix imports * Fix imports * Fix imports * Remove own Dockerfile * Fix imports * Fix tests for ticket and session store * Fix session store test * Update pkg/apis/sessions/interfaces.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Do not wrap lock method Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Use errors package for lock constants * Use better naming for initLock function * Add comments * Add session store lock test * Fix tests * Fix tests * Fix tests * Fix tests * Add cookies after saving session * Add mock lock * Fix imports for mock_lock.go * Store mock lock for key * Apply elapsed time on mock lock * Check if lock is initially applied * Reuse existing lock * Test all lock methods * Update CHANGELOG.md * Use redis client methods in redis.lock for release an refresh * Use lock key suffix instead of prefix for lock key * Add comments for Lock interface * Update comment for Lock interface * Update CHANGELOG.md * Change LockSuffix to const * Check lock on already loaded session * Use global var for loadedSession in lock tests * Use lock instance for refreshing and releasing of lock * Update possible error type for Refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
162 lines
4.5 KiB
Go
162 lines
4.5 KiB
Go
package persistence
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
|
|
. "github.com/onsi/ginkgo"
|
|
. "github.com/onsi/ginkgo/extensions/table"
|
|
. "github.com/onsi/gomega"
|
|
)
|
|
|
|
var _ = Describe("Session Ticket Tests", func() {
|
|
Context("encodeTicket & decodeTicket", func() {
|
|
type ticketTableInput struct {
|
|
ticket *ticket
|
|
encodedTicket string
|
|
expectedError error
|
|
}
|
|
|
|
DescribeTable("encodeTicket should decodeTicket back when valid",
|
|
func(in ticketTableInput) {
|
|
if in.ticket != nil {
|
|
enc := in.ticket.encodeTicket()
|
|
Expect(enc).To(Equal(in.encodedTicket))
|
|
|
|
dec, err := decodeTicket(enc, in.ticket.options)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
Expect(dec).To(Equal(in.ticket))
|
|
} else {
|
|
_, err := decodeTicket(in.encodedTicket, nil)
|
|
Expect(err).To(MatchError(in.expectedError))
|
|
}
|
|
},
|
|
Entry("with a valid ticket", ticketTableInput{
|
|
ticket: &ticket{
|
|
id: "dummy-0123456789abcdef",
|
|
secret: []byte("0123456789abcdef"),
|
|
options: &options.Cookie{
|
|
Name: "dummy",
|
|
},
|
|
},
|
|
encodedTicket: fmt.Sprintf("%s.%s",
|
|
"dummy-0123456789abcdef",
|
|
base64.RawURLEncoding.EncodeToString([]byte("0123456789abcdef"))),
|
|
expectedError: nil,
|
|
}),
|
|
Entry("with an invalid encoded ticket with 1 part", ticketTableInput{
|
|
ticket: nil,
|
|
encodedTicket: "dummy-0123456789abcdef",
|
|
expectedError: errors.New("failed to decode ticket"),
|
|
}),
|
|
Entry("with an invalid base64 encoded secret", ticketTableInput{
|
|
ticket: nil,
|
|
encodedTicket: "dummy-0123456789abcdef.@)#($*@)#(*$@)#(*$",
|
|
expectedError: fmt.Errorf("failed to decode encryption secret: illegal base64 data at input byte 0"),
|
|
}),
|
|
)
|
|
})
|
|
|
|
Context("saveSession", func() {
|
|
It("uses the passed save function", func() {
|
|
t, err := newTicket(&options.Cookie{Name: "dummy"})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
c, err := t.makeCipher()
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
ss := &sessions.SessionState{User: "foobar"}
|
|
store := map[string][]byte{}
|
|
err = t.saveSession(ss, func(k string, v []byte, e time.Duration) error {
|
|
store[k] = v
|
|
return nil
|
|
})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
stored, err := sessions.DecodeSessionState(store[t.id], c, false)
|
|
Expect(err).ToNot(HaveOccurred())
|
|
Expect(stored).To(Equal(ss))
|
|
})
|
|
|
|
It("errors when the saveFunc errors", func() {
|
|
t, err := newTicket(&options.Cookie{Name: "dummy"})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
err = t.saveSession(
|
|
&sessions.SessionState{User: "foobar"},
|
|
func(k string, v []byte, e time.Duration) error {
|
|
return errors.New("save error")
|
|
})
|
|
Expect(err).To(MatchError(errors.New("save error")))
|
|
})
|
|
})
|
|
|
|
Context("loadSession", func() {
|
|
It("uses the passed load function", func() {
|
|
t, err := newTicket(&options.Cookie{Name: "dummy"})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
c, err := t.makeCipher()
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
ss := &sessions.SessionState{
|
|
User: "foobar",
|
|
Lock: &sessions.NoOpLock{},
|
|
}
|
|
loadedSession, err := t.loadSession(
|
|
func(k string) ([]byte, error) {
|
|
return ss.EncodeSessionState(c, false)
|
|
},
|
|
func(k string) sessions.Lock {
|
|
return &sessions.NoOpLock{}
|
|
})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
Expect(loadedSession).To(Equal(ss))
|
|
})
|
|
|
|
It("errors when the loadFunc errors", func() {
|
|
t, err := newTicket(&options.Cookie{Name: "dummy"})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
data, err := t.loadSession(
|
|
func(k string) ([]byte, error) {
|
|
return nil, errors.New("load error")
|
|
},
|
|
func(k string) sessions.Lock {
|
|
return &sessions.NoOpLock{}
|
|
})
|
|
Expect(data).To(BeNil())
|
|
Expect(err).To(MatchError(errors.New("failed to load the session state with the ticket: load error")))
|
|
})
|
|
})
|
|
|
|
Context("clearSession", func() {
|
|
It("uses the passed clear function", func() {
|
|
t, err := newTicket(&options.Cookie{Name: "dummy"})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
var tracker string
|
|
err = t.clearSession(func(k string) error {
|
|
tracker = k
|
|
return nil
|
|
})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
Expect(tracker).To(Equal(t.id))
|
|
})
|
|
|
|
It("errors when the clearFunc errors", func() {
|
|
t, err := newTicket(&options.Cookie{Name: "dummy"})
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
err = t.clearSession(func(k string) error {
|
|
return errors.New("clear error")
|
|
})
|
|
Expect(err).To(MatchError(errors.New("clear error")))
|
|
})
|
|
})
|
|
})
|