Compare commits
9 Commits
v2.0.0-rc2
...
v2.0.0-bet
| Author | SHA1 | Date | |
|---|---|---|---|
| d890a4aad6 | |||
| 43775591fa | |||
| daec9f591a | |||
| 091590d391 | |||
| 8ca16a88d2 | |||
| 814892a88b | |||
| 19c249a6d1 | |||
| 0f278d516b | |||
| ae95e8b2e5 |
316
README.md
316
README.md
@ -1,308 +1,90 @@
|
||||
|
||||
# Traefik Forward Auth [](https://travis-ci.org/thomseddon/traefik-forward-auth) [](https://goreportcard.com/report/github.com/thomseddon/traefik-forward-auth)  [](https://GitHub.com/thomseddon/traefik-forward-auth/releases/)
|
||||
# Traefik Forward Auth [](https://travis-ci.org/thomseddon/traefik-forward-auth) [](https://goreportcard.com/badge/github.com/thomseddon/traefik-forward-auth)
|
||||
|
||||
|
||||
A minimal forward authentication service that provides Google oauth based login and authentication for the [traefik](https://github.com/containous/traefik) reverse proxy/load balancer.
|
||||
A minimal forward authentication service that provides Google oauth based login and authentication for the traefik reverse proxy.
|
||||
|
||||
|
||||
## Why?
|
||||
|
||||
- Seamlessly overlays any http service with a single endpoint (see: `url-path` in [Configuration](#configuration))
|
||||
- Seamlessly overlays any http service with a single endpoint (see: `-url-path` in [Configuration](#configuration))
|
||||
- Supports multiple domains/subdomains by dynamically generating redirect_uri's
|
||||
- Allows authentication to be selectively applied/bypassed based on request parameters (see `rules` in [Configuration](#configuration)))
|
||||
- Supports use of centralised authentication host/redirect_uri (see `auth-host` in [Configuration](#configuration)))
|
||||
- Allows authentication to persist across multiple domains (see [Cookie Domains](#cookie-domains))
|
||||
- Supports extended authentication beyond Google token lifetime (see: `lifetime` in [Configuration](#configuration))
|
||||
- Supports extended authentication beyond Google token lifetime (see: `-lifetime` in [Configuration](#configuration))
|
||||
|
||||
# Contents
|
||||
## Quick Start
|
||||
|
||||
- [Usage](#usage)
|
||||
- [Simple](#simple)
|
||||
- [Advanced](#advanced)
|
||||
- [OAuth Configuration](#oauth-configuration)
|
||||
- [Configuration](#configuration)
|
||||
- [Overview](#overview)
|
||||
- [Option Details](#option-details)
|
||||
- [Concepts](#concepts)
|
||||
- [Forwarded Headers](#forwarded-headers)
|
||||
- [User Restriction](#user-restriction)
|
||||
- [Operation Modes](#operation-modes)
|
||||
- [Overlay Mode](#overlay-mode)
|
||||
- [Auth Host Mode](#auth-host-mode)
|
||||
- [Copyright](#copyright)
|
||||
- [License](#license)
|
||||
|
||||
## Usage
|
||||
|
||||
#### Simple:
|
||||
|
||||
See below for instructions on how to setup your [OAuth Configuration](#oauth-configuration).
|
||||
|
||||
docker-compose.yml:
|
||||
|
||||
```yaml
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:1.7
|
||||
ports:
|
||||
- "8085:80"
|
||||
volumes:
|
||||
- ./traefik.toml:/traefik.toml
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
|
||||
traefik-forward-auth:
|
||||
image: thomseddon/traefik-forward-auth:2
|
||||
environment:
|
||||
- CLIENT_ID=your-client-id
|
||||
- CLIENT_SECRET=your-client-secret
|
||||
- SECRET=something-random
|
||||
- INSECURE_COOKIE=true # Example assumes no https, do not use in production
|
||||
|
||||
whoami:
|
||||
image: emilevauge/whoami:latest
|
||||
labels:
|
||||
- "traefik.frontend.rule=Host:whoami.mycompany.com"
|
||||
```
|
||||
|
||||
traefik.toml:
|
||||
|
||||
```toml
|
||||
[entryPoints]
|
||||
[entryPoints.http]
|
||||
address = ":80"
|
||||
|
||||
[entryPoints.http.auth.forward]
|
||||
address = "http://traefik-forward-auth:4181"
|
||||
authResponseHeaders = ["X-Forwarded-User"]
|
||||
|
||||
[docker]
|
||||
endpoint = "unix:///var/run/docker.sock"
|
||||
network = "traefik"
|
||||
```
|
||||
|
||||
#### Advanced:
|
||||
|
||||
Please see the examples directory for a more complete [docker-compose.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose.yml) and full [traefik.toml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/traefik.toml).
|
||||
|
||||
Also in the examples directory is [docker-compose-auth-host.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-auth-host.yml) which shows how to configure a central auth host, along with some other options.
|
||||
|
||||
#### OAuth Configuration
|
||||
|
||||
Head to https://console.developers.google.com and make sure you've switched to the correct email account.
|
||||
|
||||
Create a new project then search for and select "Credentials" in the search bar. Fill out the "OAuth Consent Screen" tab.
|
||||
|
||||
Click "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)
|
||||
|
||||
#### Upgrade Guide
|
||||
|
||||
v2 was released in April 2019, whilst this is fully backwards compatibile, a number of configuration options were modified, please see the [upgrade guide](https://github.com/thomseddon/traefik-forward-auth/wiki/v2-Upgrade-Guide) to prevent warnings on startup and ensure you are using the current configuration.
|
||||
See the (examples) directory for example docker compose and traefik configuration files that demonstrates the forward authentication configuration for traefik and passing required configuration values to traefik-forward-auth.
|
||||
|
||||
## Configuration
|
||||
|
||||
### Overview
|
||||
The following configuration is supported:
|
||||
|
||||
The following configuration options are supported:
|
||||
|
||||
```
|
||||
Usage:
|
||||
traefik-forward-auth [OPTIONS]
|
||||
|Flag |Type |Description|
|
||||
|-----------------------|------|-----------|
|
||||
|-client-id|string|*Google Client ID (required)|
|
||||
|-client-secret|string|*Google Client Secret (required)|
|
||||
|-secret|string|*Secret used for signing (required)|
|
||||
|-config|string|Path to config file|
|
||||
|-auth-host|string|Central auth login (see below)|
|
||||
|-cookie-domains|string|Comma separated list of cookie domains (see below)|
|
||||
|-cookie-name|string|Cookie Name (default "_forward_auth")|
|
||||
|-cookie-secure|bool|Use secure cookies (default true)|
|
||||
|-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
|
||||
|-domain|string|Comma separated list of email domains to allow|
|
||||
|-whitelist|string|Comma separated list of email addresses to allow|
|
||||
|-lifetime|int|Session length in seconds (default 43200)|
|
||||
|-url-path|string|Callback URL (default "_oauth")|
|
||||
|-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
|
||||
|-log-level|string|Log level: trace, debug, info, warn, error, fatal, panic (default "warn")|
|
||||
|-log-format|string|Log format: text, json, pretty (default "text")|
|
||||
|
||||
Application Options:
|
||||
--log-level=[trace|debug|info|warn|error|fatal|panic] Log level (default: warn) [$LOG_LEVEL]
|
||||
--log-format=[text|json|pretty] Log format (default: text) [$LOG_FORMAT]
|
||||
--auth-host= Single host to use when returning from 3rd party auth [$AUTH_HOST]
|
||||
--config= Path to config file [$CONFIG]
|
||||
--cookie-domain= Domain to set auth cookie on, can be set multiple times [$COOKIE_DOMAIN]
|
||||
--insecure-cookie Use insecure cookies [$INSECURE_COOKIE]
|
||||
--cookie-name= Cookie Name (default: _forward_auth) [$COOKIE_NAME]
|
||||
--csrf-cookie-name= CSRF Cookie Name (default: _forward_auth_csrf) [$CSRF_COOKIE_NAME]
|
||||
--default-action=[auth|allow] Default action (default: auth) [$DEFAULT_ACTION]
|
||||
--domain= Only allow given email domains, can be set multiple times [$DOMAIN]
|
||||
--lifetime= Lifetime in seconds (default: 43200) [$LIFETIME]
|
||||
--url-path= Callback URL Path (default: /_oauth) [$URL_PATH]
|
||||
--secret= Secret used for signing (required) [$SECRET]
|
||||
--whitelist= Only allow given email addresses, can be set multiple times [$WHITELIST]
|
||||
--rules.<name>.<param>= Rule definitions, param can be: "action" or "rule"
|
||||
Configuration can also be supplied as environment variables (use upper case and swap `-`'s for `_`'s e.g. `-client-id` becomes `CLIENT_ID`)
|
||||
|
||||
Google Provider:
|
||||
--providers.google.client-id= Client ID [$PROVIDERS_GOOGLE_CLIENT_ID]
|
||||
--providers.google.client-secret= Client Secret [$PROVIDERS_GOOGLE_CLIENT_SECRET]
|
||||
--providers.google.prompt= Space separated list of OpenID prompt options [$PROVIDERS_GOOGLE_PROMPT]
|
||||
Configuration can also be supplied via a file, you can specify the location with `-config` flag, the format is `flag value` one per line, e.g. `client-id your-client-id`)
|
||||
|
||||
Help Options:
|
||||
-h, --help Show this help message
|
||||
```
|
||||
## OAuth Configuration
|
||||
|
||||
All options can be supplied in any of the following ways, in the following precedence (first is highest precedence):
|
||||
Head to https://console.developers.google.com & make sure you've switched to the correct email account.
|
||||
|
||||
1. **Command Arguments/Flags** - As shown above
|
||||
2. **Environment Variables** - As shown in square brackets above
|
||||
3. **File**
|
||||
1. Use INI format (e.g. `url-path = _oauthpath`)
|
||||
2. Specify the file location via the `--config` flag or `$CONFIG` environment variable
|
||||
3. Can be specified multiple times, each file will be read in the order they are passed
|
||||
Create a new project then search for and select "Credentials" in the search bar. Fill out the "OAuth Consent Screen" tab.
|
||||
|
||||
### Option Details
|
||||
Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)
|
||||
|
||||
- `auth-host`
|
||||
## Usage
|
||||
|
||||
When set, when a user returns from authentication with a 3rd party provider they will always be forwarded to this host. By using one central host, this means you only need to add this `auth-host` as a valid redirect uri to your 3rd party provider.
|
||||
The authenticated user is set in the `X-Forwarded-User` header, to pass this on add this to the `authResponseHeaders` as shown [here](https://github.com/thomseddon/traefik-forward-auth/blob/master/example/docker-compose-dev.yml).
|
||||
|
||||
The host should be specified without protocol or path, for example:
|
||||
|
||||
```
|
||||
--auth-host="auth.example.com"
|
||||
```
|
||||
|
||||
For more details, please also read the [Auth Host Mode](#auth-host-mode), operation mode in the concepts section.
|
||||
|
||||
Please Note - this should be considered advanced usage, if you are having problems please try disabling this option and then re-read the [Auth Host Mode](#auth-host-mode) section.
|
||||
|
||||
- `config`
|
||||
|
||||
Used to specify the path to a configuration file, can be set multiple times, each file will be read in the order they are passed. Options should be set in an INI format, for example:
|
||||
|
||||
```
|
||||
url-path = _oauthpath
|
||||
```
|
||||
|
||||
- `cookie-domain`
|
||||
|
||||
When set, if a user successfully completes authentication, then if the host of the original request requiring authentication is a subdomain of a given cookie domain, then the authentication cookie will be set for the higher level cookie domain. This means that a cookie can allow access to multiple subdomains without re-authentication. Can be specificed multiple times.
|
||||
|
||||
For example:
|
||||
```
|
||||
--cookie-domain="example.com" --cookie-domain="test.org"
|
||||
```
|
||||
|
||||
For example, if the cookie domain `test.com` has been set, and a request comes in on `app1.test.com`, following authentication the auth cookie will be set for the whole `test.com` domain. As such, if another request is forwarded for authentication from `app2.test.com`, the original cookie will be sent and so the request will be allowed without further authentication.
|
||||
|
||||
Beware however, if using cookie domains whilst running multiple instances of traefik/traefik-forward-auth for the same domain, the cookies will clash. You can fix this by using a different `cookie-name` in each host/cluster or by using the same `cookie-secret` in both instances.
|
||||
|
||||
- `insecure-cookie`
|
||||
|
||||
If you are not using HTTPS between the client and traefik, you will need to pass the `insecure-cookie` option which will mean the `Secure` attribute on the cookie will not be set.
|
||||
|
||||
- `cookie-name`
|
||||
|
||||
Set the name of the cookie set following successful authentication.
|
||||
|
||||
Default: `_forward_auth`
|
||||
|
||||
- `csrf-cookie-name`
|
||||
|
||||
Set the name of the temporary CSRF cookie set during authentication.
|
||||
|
||||
Default: `_forward_auth_csrf`
|
||||
|
||||
- `default-action`
|
||||
|
||||
Specifies the behavior when a request does not match any [rules](#rules). Valid options are `auth` or `allow`.
|
||||
|
||||
Default: `auth` (i.e. all requests require authentication)
|
||||
|
||||
- `domain`
|
||||
|
||||
When set, only users matching a given domain will be permitted to access.
|
||||
|
||||
For example, setting `--domain=example.com --domain=test.org` would mean that only users from example.com or test.org will be permitted. So thom@example.com would be allowed but thom@another.com would not.
|
||||
|
||||
For more details, please also read [User Restriction](#user-restriction) in the concepts section.
|
||||
|
||||
- `lifetime`
|
||||
|
||||
How long a successful authentication session should last, in seconds.
|
||||
|
||||
Default: `43200` (12 hours)
|
||||
|
||||
- `url-path`
|
||||
|
||||
Customise the path that this service uses to handle the callback following authentication.
|
||||
|
||||
Default: `/_oauth`
|
||||
|
||||
Please note that when using the default [Overlay Mode](#overlay-mode) requests to this exact path will be intercepted by this service and not forwarded to your application. Use this option (or [Auth Host Mode](#auth-host-mode)) if the default `/_oauth` path will collide with an existing route in your application.
|
||||
|
||||
- `secret`
|
||||
|
||||
Used to sign cookies authentication, should be a random (e.g. `openssl rand -hex 16`)
|
||||
|
||||
- `whitelist`
|
||||
|
||||
When set, only specified users will be permitted.
|
||||
|
||||
For example, setting `--whitelist=thom@example.com --whitelist=alice@example.com` would mean that only those two exact users will be permitted. So thom@example.com would be allowed but john@example.com would not.
|
||||
|
||||
For more details, please also read [User Restriction](#user-restriction) in the concepts section.
|
||||
|
||||
- `rules`
|
||||
|
||||
Specify selective authentication rules. Rules are specified in the following format: `rule.<name>.<param>=<value>`
|
||||
|
||||
- `<name>` can be any string and is only used to group rules together
|
||||
- `<param>` can be:
|
||||
- `action` - same usage as [`default-action`](#default-action), supported values:
|
||||
- `auth` (default)
|
||||
- `allow`
|
||||
- `rule` - a rule to match a request, this uses traefik's v2 rule parser for which you can find the documentation here: https://docs.traefik.io/v2.0/routing/routers/#rule, supported values are summarised here:
|
||||
- ``Headers(`key`, `value`)``
|
||||
- ``HeadersRegexp(`key`, `regexp`)``
|
||||
- ``Host(`example.com`, ...)``
|
||||
- ``HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``
|
||||
- ``Method(methods, ...)``
|
||||
- ``Path(`path`, `/articles/{category}/{id:[0-9]+}`, ...)``
|
||||
- ``PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)``
|
||||
- ``Query(`foo=bar`, `bar=baz`)``
|
||||
|
||||
For example:
|
||||
```
|
||||
rule.1.action = allow
|
||||
rule.1.rule = PathPrefix(`/api/public`) && Headers(`Content-Type`, `application/json`)
|
||||
|
||||
rule.two.action = allow
|
||||
rule.two.rule = Path(`/public`)
|
||||
```
|
||||
|
||||
In the above example, the first rule would allow requests that begin with `/api/public` and contain the `Content-Type` header with a value of `application/json`. It would also allow requests that had the exact path `/public`.
|
||||
|
||||
## Concepts
|
||||
|
||||
### User Restriction
|
||||
## User Restriction
|
||||
|
||||
You can restrict who can login with the following parameters:
|
||||
|
||||
* `domain` - Use this to limit logins to a specific domain, e.g. test.com only
|
||||
* `whitelist` - Use this to only allow specific users to login e.g. thom@test.com only
|
||||
* `-domain` - Use this to limit logins to a specific domain, e.g. test.com only
|
||||
* `-whitelist` - Use this to only allow specific users to login e.g. thom@test.com only
|
||||
|
||||
Note, if you pass `whitelist` then only this is checked and `domain` is effectively ignored.
|
||||
|
||||
### Forwarded Headers
|
||||
## Cookie Domains
|
||||
|
||||
The authenticated user is set in the `X-Forwarded-User` header, to pass this on add this to the `authResponseHeaders` config option in traefik, as shown [here](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-dev.yml).
|
||||
You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.
|
||||
|
||||
### Operation Modes
|
||||
For example, if cookie domain is `test.com` and a request comes in on `app1.test.com`, the cookie will be set for the whole `test.com` domain. As such, if another request is forwarded for authentication from `app2.test.com`, the original cookie will be sent and so the request will be allowed without further authentication.
|
||||
|
||||
#### Overlay Mode
|
||||
Beware however, if using cookie domains whilst running multiple instances of traefik/traefik-forward-auth for the same domain, the cookies will clash. You can fix this by using the same `cookie-secret` in both instances, or using a different `cookie-name` on each.
|
||||
|
||||
Overlay is the default operation mode, in this mode the authorisation endpoint is overlayed onto any domain. By default the `/_oauth` path is used, this can be customised using the `url-path` option.
|
||||
## Operation Modes
|
||||
|
||||
The user flow will be:
|
||||
#### Overlay
|
||||
|
||||
1. Request to `www.myapp.com/home`
|
||||
2. User redirected to Google login
|
||||
3. After Google login, user is redirected to `www.myapp.com/_oauth`
|
||||
4. Token, user and CSRF cookie is validated (this request in intercepted and is never passed to your application)
|
||||
5. User is redirected to `www.myapp.com/home`
|
||||
6. Request is allowed
|
||||
Overlay is the default operation mode, in this mode the authorisation endpoint is overlayed onto any domain. By default the `/_oauth` path is used, this can be customised using the `-url-path` option.
|
||||
|
||||
As the hostname in the `redirect_uri` is dynamically generated based on the original request, every hostname must be permitted in the Google OAuth console (e.g. `www.myappp.com` would need to be added in the above example)
|
||||
If a request comes in for `www.myapp.com/home` then the user will be redirected to the google login, following this they will be sent back to `www.myapp.com/_oauth`, where their token will be validated (this request will not be forwarded to your application). Following successful authoristion, the user will return to their originally requested url of `www.myapp.com/home`.
|
||||
|
||||
#### Auth Host Mode
|
||||
As the hostname in the `redirect_uri` is dynamically generated based on the orignal request, every hostname must be permitted in the Google OAuth console (e.g. `www.myappp.com` would need to be added in the above example)
|
||||
|
||||
This is an optional mode of operation that is useful when dealing with a large number of subdomains, it is activated by using the `auth-host` config option (see [this example docker-compose.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-auth-host.yml)).
|
||||
#### Auth Host
|
||||
|
||||
This is an optional mode of operation that is useful when dealing with a large number of subdomains, it is activated by using the `-auth-host` config option (see [this example docker-compose.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/example/docker-compose-auth-host.yml)).
|
||||
|
||||
For example, if you have a few applications: `app1.test.com`, `app2.test.com`, `appN.test.com`, adding every domain to Google's console can become laborious.
|
||||
To utilise an auth host, permit domain level cookies by setting the cookie domain to `test.com` then set the `auth-host` to: `auth.test.com`.
|
||||
@ -323,8 +105,6 @@ Two criteria must be met for an `auth-host` to be used:
|
||||
1. Request matches given `cookie-domain`
|
||||
2. `auth-host` is also subdomain of same `cookie-domain`
|
||||
|
||||
Please note: For Auth Host mode to work, you must ensure that requests to your auth-host are routed to the traefik-forward-auth container, as demonstrated with the service labels in the [docker-compose-auth.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-auth-host.yml) example.
|
||||
|
||||
## Copyright
|
||||
|
||||
2018 Thom Seddon
|
||||
|
||||
@ -25,15 +25,15 @@ services:
|
||||
traefik-forward-auth:
|
||||
image: thomseddon/traefik-forward-auth
|
||||
environment:
|
||||
- PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
|
||||
- PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
|
||||
- CLIENT_ID=your-client-id
|
||||
- CLIENT_SECRET=your-client-secret
|
||||
- SECRET=something-random
|
||||
- INSECURE_COOKIE=true
|
||||
- COOKIE_SECURE=false
|
||||
- DOMAIN=yourcompany.com
|
||||
- AUTH_HOST=auth.yourdomain.com
|
||||
networks:
|
||||
- traefik
|
||||
# When using an auth host, the below must be added
|
||||
# When using an auth host, adding it here prompts traefik to generate certs
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.port=4181
|
||||
@ -35,12 +35,12 @@ services:
|
||||
traefik-forward-auth:
|
||||
build: ../
|
||||
environment:
|
||||
- PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
|
||||
- PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
|
||||
- SECRET=something-random
|
||||
- INSECURE_COOKIE=true
|
||||
- COOKIE_DOMAIN=localhost.com
|
||||
- AUTH_HOST=auth.localhost.com
|
||||
- CLIENT_ID=test
|
||||
- CLIENT_SECRET=test
|
||||
- COOKIE_SECRET=something-random
|
||||
- COOKIE_SECURE=false
|
||||
- COOKIE_DOMAINS=localhost.com
|
||||
- AUTH_URL=http://auth.localhost.com:8085/_oauth
|
||||
networks:
|
||||
- traefik
|
||||
|
||||
@ -23,15 +23,13 @@ services:
|
||||
- "traefik.frontend.rule=Host:whoami.localhost.com"
|
||||
|
||||
traefik-forward-auth:
|
||||
build: ../
|
||||
command: ./traefik-forward-auth --rule.1.action=allow --rule.1.rule="Path(`/`)"
|
||||
image: thomseddon/traefik-forward-auth
|
||||
environment:
|
||||
- PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
|
||||
- PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
|
||||
- CLIENT_ID=your-client-id
|
||||
- CLIENT_SECRET=your-client-secret
|
||||
- SECRET=something-random
|
||||
- INSECURE_COOKIE=true
|
||||
- COOKIE_SECURE=false
|
||||
- DOMAIN=yourcompany.com
|
||||
- LOG_LEVEL=debug
|
||||
networks:
|
||||
- traefik
|
||||
|
||||
16
go.mod
16
go.mod
@ -9,27 +9,23 @@ require (
|
||||
github.com/containous/flaeg v1.4.1 // indirect
|
||||
github.com/containous/mux v0.0.0-20181024131434-c33f32e26898 // indirect
|
||||
github.com/containous/traefik v2.0.0-alpha2+incompatible
|
||||
github.com/go-acme/lego v2.5.0+incompatible // indirect
|
||||
github.com/go-acme/lego v2.4.0+incompatible // indirect
|
||||
github.com/go-kit/kit v0.8.0 // indirect
|
||||
github.com/gorilla/context v1.1.1 // indirect
|
||||
github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff // indirect
|
||||
github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4
|
||||
github.com/jessevdk/go-flags v1.4.0
|
||||
github.com/jonboulle/clockwork v0.1.0 // indirect
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
|
||||
github.com/kr/pretty v0.1.0 // indirect
|
||||
github.com/kr/pty v1.1.4 // indirect
|
||||
github.com/miekg/dns v1.1.8 // indirect
|
||||
github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
|
||||
github.com/pkg/errors v0.8.1 // indirect
|
||||
github.com/ryanuber/go-glob v1.0.0 // indirect
|
||||
github.com/sirupsen/logrus v1.4.1
|
||||
github.com/stretchr/objx v0.2.0 // indirect
|
||||
github.com/stretchr/testify v1.3.0
|
||||
github.com/stretchr/testify v1.3.0 // indirect
|
||||
github.com/vulcand/predicate v1.1.0 // indirect
|
||||
golang.org/x/crypto v0.0.0-20190422183909-d864b10871cd // indirect
|
||||
golang.org/x/net v0.0.0-20190420063019-afa5a82059c6 // indirect
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58 // indirect
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894 // indirect
|
||||
golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a // indirect
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 // indirect
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f // indirect
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
|
||||
gopkg.in/square/go-jose.v2 v2.3.1 // indirect
|
||||
)
|
||||
|
||||
14
go.sum
14
go.sum
@ -15,7 +15,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/go-acme/lego v2.4.0+incompatible h1:+BTLUfLtDc5qQauyiTCXH6lupEUOCvXyGlEjdeU0YQI=
|
||||
github.com/go-acme/lego v2.4.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||
github.com/go-acme/lego v2.5.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||
github.com/go-kit/kit v0.8.0 h1:Wz+5lgoB0kkuqLEc6NVmwRknTKP6dTGbSqvhZtBI/j0=
|
||||
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
|
||||
github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
|
||||
@ -24,17 +23,13 @@ github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff h1:xL/fJdlTJL6
|
||||
github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff/go.mod h1:RvdOUHE4SHqR3oXlFFKnGzms8a5dugHygGw1bqDstYI=
|
||||
github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA=
|
||||
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
|
||||
github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4 h1:xKkUL6QBojwguhKKetf1SocCAKqc6W7S/mGm9xEGllo=
|
||||
github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
|
||||
github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
|
||||
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/pty v1.1.4/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
|
||||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||
github.com/miekg/dns v1.1.8 h1:1QYRAKU3lN5cRfLCkPU08hwvLJFhvjP6MqNMmQz6ZVI=
|
||||
@ -51,7 +46,6 @@ github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k
|
||||
github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
|
||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
|
||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||
@ -60,23 +54,15 @@ github.com/vulcand/predicate v1.1.0/go.mod h1:mlccC5IRBoc2cIFmCB8ZM62I3VDb6p2GXE
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a h1:Igim7XhdOpBnWPuYJ70XcNpq8q3BCACtVgNfoJxOV7g=
|
||||
golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
|
||||
golang.org/x/crypto v0.0.0-20190422183909-d864b10871cd h1:sMHc2rZHuzQmrbVoSpt9HgerkXPyIeCSO6k0zUMGfFk=
|
||||
golang.org/x/crypto v0.0.0-20190422183909-d864b10871cd/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190420063019-afa5a82059c6 h1:HdqqaWmYAUI7/dmByKKEw+yxDksGSo+9GjkUc9Zp34E=
|
||||
golang.org/x/net v0.0.0-20190420063019-afa5a82059c6/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
|
||||
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
|
||||
golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
|
||||
@ -311,20 +311,10 @@ func (c *CookieDomain) Match(host string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func (c *CookieDomain) UnmarshalFlag(value string) error {
|
||||
*c = *NewCookieDomain(value)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *CookieDomain) MarshalFlag() (string, error) {
|
||||
return c.Domain, nil
|
||||
}
|
||||
|
||||
// Legacy support for comma separated list of cookie domains
|
||||
|
||||
type CookieDomains []CookieDomain
|
||||
|
||||
func (c *CookieDomains) UnmarshalFlag(value string) error {
|
||||
// TODO: test
|
||||
if len(value) > 0 {
|
||||
for _, d := range strings.Split(value, ",") {
|
||||
cookieDomain := NewCookieDomain(d)
|
||||
|
||||
@ -4,11 +4,11 @@ import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/thomseddon/traefik-forward-auth/internal/provider"
|
||||
)
|
||||
|
||||
@ -17,7 +17,6 @@ import (
|
||||
*/
|
||||
|
||||
func TestAuthValidateCookie(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
r, _ := http.NewRequest("GET", "http://example.com", nil)
|
||||
c := &http.Cookie{}
|
||||
@ -25,85 +24,87 @@ func TestAuthValidateCookie(t *testing.T) {
|
||||
// Should require 3 parts
|
||||
c.Value = ""
|
||||
valid, _, err := ValidateCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Invalid cookie format", err.Error())
|
||||
if valid || err.Error() != "Invalid cookie format" {
|
||||
t.Error("Should get \"Invalid cookie format\", got:", err)
|
||||
}
|
||||
c.Value = "1|2"
|
||||
valid, _, err = ValidateCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Invalid cookie format", err.Error())
|
||||
if valid || err.Error() != "Invalid cookie format" {
|
||||
t.Error("Should get \"Invalid cookie format\", got:", err)
|
||||
}
|
||||
c.Value = "1|2|3|4"
|
||||
valid, _, err = ValidateCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Invalid cookie format", err.Error())
|
||||
if valid || err.Error() != "Invalid cookie format" {
|
||||
t.Error("Should get \"Invalid cookie format\", got:", err)
|
||||
}
|
||||
|
||||
// Should catch invalid mac
|
||||
c.Value = "MQ==|2|3"
|
||||
valid, _, err = ValidateCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Invalid cookie mac", err.Error())
|
||||
if valid || err.Error() != "Invalid cookie mac" {
|
||||
t.Error("Should get \"Invalid cookie mac\", got:", err)
|
||||
}
|
||||
|
||||
// Should catch expired
|
||||
config.Lifetime = time.Second * time.Duration(-1)
|
||||
c = MakeCookie(r, "test@test.com")
|
||||
valid, _, err = ValidateCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Cookie has expired", err.Error())
|
||||
if valid || err.Error() != "Cookie has expired" {
|
||||
t.Error("Should get \"Cookie has expired\", got:", err)
|
||||
}
|
||||
|
||||
// Should accept valid cookie
|
||||
config.Lifetime = time.Second * time.Duration(10)
|
||||
c = MakeCookie(r, "test@test.com")
|
||||
valid, email, err := ValidateCookie(r, c)
|
||||
assert.True(valid, "valid request should return valid")
|
||||
assert.Nil(err, "valid request should not return an error")
|
||||
assert.Equal("test@test.com", email, "valid request should return user email")
|
||||
if !valid {
|
||||
t.Error("Valid request should return as valid")
|
||||
}
|
||||
if err != nil {
|
||||
t.Error("Valid request should not return error, got:", err)
|
||||
}
|
||||
if email != "test@test.com" {
|
||||
t.Error("Valid request should return user email")
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthValidateEmail(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
|
||||
// Should allow any
|
||||
v := ValidateEmail("test@test.com")
|
||||
assert.True(v, "should allow any domain if email domain is not defined")
|
||||
v = ValidateEmail("one@two.com")
|
||||
assert.True(v, "should allow any domain if email domain is not defined")
|
||||
if !ValidateEmail("test@test.com") || !ValidateEmail("one@two.com") {
|
||||
t.Error("Should allow any domain if email domain is not defined")
|
||||
}
|
||||
|
||||
// Should block non matching domain
|
||||
config.Domains = []string{"test.com"}
|
||||
v = ValidateEmail("one@two.com")
|
||||
assert.False(v, "should not allow user from another domain")
|
||||
if ValidateEmail("one@two.com") {
|
||||
t.Error("Should not allow user from another domain")
|
||||
}
|
||||
|
||||
// Should allow matching domain
|
||||
config.Domains = []string{"test.com"}
|
||||
v = ValidateEmail("test@test.com")
|
||||
assert.True(v, "should allow user from allowed domain")
|
||||
if !ValidateEmail("test@test.com") {
|
||||
t.Error("Should allow user from allowed domain")
|
||||
}
|
||||
|
||||
// Should block non whitelisted email address
|
||||
config.Domains = []string{}
|
||||
config.Whitelist = []string{"test@test.com"}
|
||||
v = ValidateEmail("one@two.com")
|
||||
assert.False(v, "should not allow user not in whitelist")
|
||||
if ValidateEmail("one@two.com") {
|
||||
t.Error("Should not allow user not in whitelist.")
|
||||
}
|
||||
|
||||
// Should allow matching whitelisted email address
|
||||
config.Domains = []string{}
|
||||
config.Whitelist = []string{"test@test.com"}
|
||||
v = ValidateEmail("test@test.com")
|
||||
assert.True(v, "should allow user in whitelist")
|
||||
if !ValidateEmail("test@test.com") {
|
||||
t.Error("Should allow user in whitelist.")
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: Split google tests out
|
||||
func TestAuthGetLoginURL(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
google := provider.Google{
|
||||
ClientId: "idtest",
|
||||
ClientSecret: "sectest",
|
||||
@ -126,10 +127,18 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
|
||||
// Check url
|
||||
uri, err := url.Parse(GetLoginURL(r, "nonce"))
|
||||
assert.Nil(err)
|
||||
assert.Equal("https", uri.Scheme)
|
||||
assert.Equal("test.com", uri.Host)
|
||||
assert.Equal("/auth", uri.Path)
|
||||
if err != nil {
|
||||
t.Error("Error parsing login url:", err)
|
||||
}
|
||||
if uri.Scheme != "https" {
|
||||
t.Error("Expected login Scheme to be \"https\", got:", uri.Scheme)
|
||||
}
|
||||
if uri.Host != "test.com" {
|
||||
t.Error("Expected login Host to be \"test.com\", got:", uri.Host)
|
||||
}
|
||||
if uri.Path != "/auth" {
|
||||
t.Error("Expected login Path to be \"/auth\", got:", uri.Path)
|
||||
}
|
||||
|
||||
// Check query string
|
||||
qs := uri.Query()
|
||||
@ -141,7 +150,11 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
"prompt": []string{"consent select_account"},
|
||||
"state": []string{"nonce:http://example.com/hello"},
|
||||
}
|
||||
assert.Equal(expectedQs, qs)
|
||||
if !reflect.DeepEqual(qs, expectedQs) {
|
||||
for _, err := range qsDiff(t, expectedQs, qs) {
|
||||
t.Error(err)
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// With Auth URL but no matching cookie domain
|
||||
@ -153,10 +166,18 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
|
||||
// Check url
|
||||
uri, err = url.Parse(GetLoginURL(r, "nonce"))
|
||||
assert.Nil(err)
|
||||
assert.Equal("https", uri.Scheme)
|
||||
assert.Equal("test.com", uri.Host)
|
||||
assert.Equal("/auth", uri.Path)
|
||||
if err != nil {
|
||||
t.Error("Error parsing login url:", err)
|
||||
}
|
||||
if uri.Scheme != "https" {
|
||||
t.Error("Expected login Scheme to be \"https\", got:", uri.Scheme)
|
||||
}
|
||||
if uri.Host != "test.com" {
|
||||
t.Error("Expected login Host to be \"test.com\", got:", uri.Host)
|
||||
}
|
||||
if uri.Path != "/auth" {
|
||||
t.Error("Expected login Path to be \"/auth\", got:", uri.Path)
|
||||
}
|
||||
|
||||
// Check query string
|
||||
qs = uri.Query()
|
||||
@ -168,7 +189,11 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
"prompt": []string{"consent select_account"},
|
||||
"state": []string{"nonce:http://example.com/hello"},
|
||||
}
|
||||
assert.Equal(expectedQs, qs)
|
||||
if !reflect.DeepEqual(qs, expectedQs) {
|
||||
for _, err := range qsDiff(t, expectedQs, qs) {
|
||||
t.Error(err)
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// With correct Auth URL + cookie domain
|
||||
@ -180,10 +205,18 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
|
||||
// Check url
|
||||
uri, err = url.Parse(GetLoginURL(r, "nonce"))
|
||||
assert.Nil(err)
|
||||
assert.Equal("https", uri.Scheme)
|
||||
assert.Equal("test.com", uri.Host)
|
||||
assert.Equal("/auth", uri.Path)
|
||||
if err != nil {
|
||||
t.Error("Error parsing login url:", err)
|
||||
}
|
||||
if uri.Scheme != "https" {
|
||||
t.Error("Expected login Scheme to be \"https\", got:", uri.Scheme)
|
||||
}
|
||||
if uri.Host != "test.com" {
|
||||
t.Error("Expected login Host to be \"test.com\", got:", uri.Host)
|
||||
}
|
||||
if uri.Path != "/auth" {
|
||||
t.Error("Expected login Path to be \"/auth\", got:", uri.Path)
|
||||
}
|
||||
|
||||
// Check query string
|
||||
qs = uri.Query()
|
||||
@ -195,7 +228,14 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
"state": []string{"nonce:http://example.com/hello"},
|
||||
"prompt": []string{"consent select_account"},
|
||||
}
|
||||
assert.Equal(expectedQs, qs)
|
||||
for _, err := range qsDiff(t, expectedQs, qs) {
|
||||
t.Error(err)
|
||||
}
|
||||
if !reflect.DeepEqual(qs, expectedQs) {
|
||||
for _, err := range qsDiff(t, expectedQs, qs) {
|
||||
t.Error(err)
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// With Auth URL + cookie domain, but from different domain
|
||||
@ -208,10 +248,18 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
|
||||
// Check url
|
||||
uri, err = url.Parse(GetLoginURL(r, "nonce"))
|
||||
assert.Nil(err)
|
||||
assert.Equal("https", uri.Scheme)
|
||||
assert.Equal("test.com", uri.Host)
|
||||
assert.Equal("/auth", uri.Path)
|
||||
if err != nil {
|
||||
t.Error("Error parsing login url:", err)
|
||||
}
|
||||
if uri.Scheme != "https" {
|
||||
t.Error("Expected login Scheme to be \"https\", got:", uri.Scheme)
|
||||
}
|
||||
if uri.Host != "test.com" {
|
||||
t.Error("Expected login Host to be \"test.com\", got:", uri.Host)
|
||||
}
|
||||
if uri.Path != "/auth" {
|
||||
t.Error("Expected login Path to be \"/auth\", got:", uri.Path)
|
||||
}
|
||||
|
||||
// Check query string
|
||||
qs = uri.Query()
|
||||
@ -223,7 +271,14 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
"state": []string{"nonce:http://another.com/hello"},
|
||||
"prompt": []string{"consent select_account"},
|
||||
}
|
||||
assert.Equal(expectedQs, qs)
|
||||
for _, err := range qsDiff(t, expectedQs, qs) {
|
||||
t.Error(err)
|
||||
}
|
||||
if !reflect.DeepEqual(qs, expectedQs) {
|
||||
for _, err := range qsDiff(t, expectedQs, qs) {
|
||||
t.Error(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TODO
|
||||
@ -235,47 +290,68 @@ func TestAuthGetLoginURL(t *testing.T) {
|
||||
// }
|
||||
|
||||
func TestAuthMakeCookie(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
r, _ := http.NewRequest("GET", "http://app.example.com", nil)
|
||||
r.Header.Add("X-Forwarded-Host", "app.example.com")
|
||||
|
||||
c := MakeCookie(r, "test@example.com")
|
||||
assert.Equal("_forward_auth", c.Name)
|
||||
if c.Name != "_forward_auth" {
|
||||
t.Error("Cookie name should be \"_forward_auth\", got:", c.Name)
|
||||
}
|
||||
parts := strings.Split(c.Value, "|")
|
||||
assert.Len(parts, 3, "cookie should be 3 parts")
|
||||
if len(parts) != 3 {
|
||||
t.Error("Cookie should be in 3 parts, got:", c.Value)
|
||||
}
|
||||
valid, _, _ := ValidateCookie(r, c)
|
||||
assert.True(valid, "should generate valid cookie")
|
||||
assert.Equal("/", c.Path)
|
||||
assert.Equal("app.example.com", c.Domain)
|
||||
assert.True(c.Secure)
|
||||
|
||||
expires := time.Now().Local().Add(config.Lifetime)
|
||||
assert.WithinDuration(expires, c.Expires, 10*time.Second)
|
||||
if !valid {
|
||||
t.Error("Should generate valid cookie:", c.Value)
|
||||
}
|
||||
if c.Path != "/" {
|
||||
t.Error("Cookie path should be \"/\", got:", c.Path)
|
||||
}
|
||||
if c.Domain != "app.example.com" {
|
||||
t.Error("Cookie domain should be \"app.example.com\", got:", c.Domain)
|
||||
}
|
||||
if c.Secure != true {
|
||||
t.Error("Cookie domain should be true, got:", c.Secure)
|
||||
}
|
||||
if !c.Expires.After(time.Now().Local()) {
|
||||
t.Error("Expires should be after now, got:", c.Expires)
|
||||
}
|
||||
if !c.Expires.Before(time.Now().Local().Add(config.Lifetime).Add(10 * time.Second)) {
|
||||
t.Error("Expires should be before lifetime + 10 seconds, got:", c.Expires)
|
||||
}
|
||||
|
||||
config.CookieName = "testname"
|
||||
config.InsecureCookie = true
|
||||
c = MakeCookie(r, "test@example.com")
|
||||
assert.Equal("testname", c.Name)
|
||||
assert.False(c.Secure)
|
||||
if c.Name != "testname" {
|
||||
t.Error("Cookie name should be \"testname\", got:", c.Name)
|
||||
}
|
||||
if c.Secure != false {
|
||||
t.Error("Cookie domain should be false, got:", c.Secure)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthMakeCSRFCookie(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
r, _ := http.NewRequest("GET", "http://app.example.com", nil)
|
||||
r.Header.Add("X-Forwarded-Host", "app.example.com")
|
||||
|
||||
// No cookie domain or auth url
|
||||
c := MakeCSRFCookie(r, "12345678901234567890123456789012")
|
||||
assert.Equal("app.example.com", c.Domain)
|
||||
if c.Domain != "app.example.com" {
|
||||
t.Error("Cookie Domain should match request domain, got:", c.Domain)
|
||||
}
|
||||
|
||||
// With cookie domain but no auth url
|
||||
config = Config{
|
||||
CookieDomains: []CookieDomain{*NewCookieDomain("example.com")},
|
||||
}
|
||||
c = MakeCSRFCookie(r, "12345678901234567890123456789012")
|
||||
assert.Equal("app.example.com", c.Domain)
|
||||
if c.Domain != "app.example.com" {
|
||||
t.Error("Cookie Domain should match request domain, got:", c.Domain)
|
||||
}
|
||||
|
||||
// With cookie domain and auth url
|
||||
config = Config{
|
||||
@ -283,7 +359,9 @@ func TestAuthMakeCSRFCookie(t *testing.T) {
|
||||
CookieDomains: []CookieDomain{*NewCookieDomain("example.com")},
|
||||
}
|
||||
c = MakeCSRFCookie(r, "12345678901234567890123456789012")
|
||||
assert.Equal("example.com", c.Domain)
|
||||
if c.Domain != "example.com" {
|
||||
t.Error("Cookie Domain should match request domain, got:", c.Domain)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthClearCSRFCookie(t *testing.T) {
|
||||
@ -297,7 +375,6 @@ func TestAuthClearCSRFCookie(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestAuthValidateCSRFCookie(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
c := &http.Cookie{}
|
||||
|
||||
@ -311,88 +388,103 @@ func TestAuthValidateCSRFCookie(t *testing.T) {
|
||||
r := newCsrfRequest("")
|
||||
c.Value = ""
|
||||
valid, _, err := ValidateCSRFCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Invalid CSRF cookie value", err.Error())
|
||||
if valid || err.Error() != "Invalid CSRF cookie value" {
|
||||
t.Error("Should get \"Invalid CSRF cookie value\", got:", err)
|
||||
}
|
||||
c.Value = "123456789012345678901234567890123"
|
||||
valid, _, err = ValidateCSRFCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Invalid CSRF cookie value", err.Error())
|
||||
if valid || err.Error() != "Invalid CSRF cookie value" {
|
||||
t.Error("Should get \"Invalid CSRF cookie value\", got:", err)
|
||||
}
|
||||
|
||||
// Should require valid state
|
||||
r = newCsrfRequest("12345678901234567890123456789012:")
|
||||
c.Value = "12345678901234567890123456789012"
|
||||
valid, _, err = ValidateCSRFCookie(r, c)
|
||||
assert.False(valid)
|
||||
if assert.Error(err) {
|
||||
assert.Equal("Invalid CSRF state value", err.Error())
|
||||
if valid || err.Error() != "Invalid CSRF state value" {
|
||||
t.Error("Should get \"Invalid CSRF state value\", got:", err)
|
||||
}
|
||||
|
||||
// Should allow valid state
|
||||
r = newCsrfRequest("12345678901234567890123456789012:99")
|
||||
c.Value = "12345678901234567890123456789012"
|
||||
valid, state, err := ValidateCSRFCookie(r, c)
|
||||
assert.True(valid, "valid request should return valid")
|
||||
assert.Nil(err, "valid request should not return an error")
|
||||
assert.Equal("99", state, "valid request should return correct state")
|
||||
if !valid {
|
||||
t.Error("Valid request should return as valid")
|
||||
}
|
||||
if err != nil {
|
||||
t.Error("Valid request should not return error, got:", err)
|
||||
}
|
||||
if state != "99" {
|
||||
t.Error("Valid request should return correct state, got:", state)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthNonce(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
err, nonce1 := Nonce()
|
||||
assert.Nil(err, "error generating nonce")
|
||||
assert.Len(nonce1, 32, "length should be 32 chars")
|
||||
if err != nil {
|
||||
t.Error("Error generation nonce:", err)
|
||||
}
|
||||
|
||||
err, nonce2 := Nonce()
|
||||
assert.Nil(err, "error generating nonce")
|
||||
assert.Len(nonce2, 32, "length should be 32 chars")
|
||||
if err != nil {
|
||||
t.Error("Error generation nonce:", err)
|
||||
}
|
||||
|
||||
assert.NotEqual(nonce1, nonce2, "nonce should not be equal")
|
||||
if len(nonce1) != 32 || len(nonce2) != 32 {
|
||||
t.Error("Nonce should be 32 chars")
|
||||
}
|
||||
if nonce1 == nonce2 {
|
||||
t.Error("Nonce should not be equal")
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthCookieDomainMatch(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
cd := NewCookieDomain("example.com")
|
||||
|
||||
// Exact should match
|
||||
assert.True(cd.Match("example.com"), "exact domain should match")
|
||||
if !cd.Match("example.com") {
|
||||
t.Error("Exact domain should match")
|
||||
}
|
||||
|
||||
// Subdomain should match
|
||||
assert.True(cd.Match("test.example.com"), "subdomain should match")
|
||||
if !cd.Match("test.example.com") {
|
||||
t.Error("Subdomain should match")
|
||||
}
|
||||
|
||||
// Derived domain should not match
|
||||
assert.False(cd.Match("testexample.com"), "derived domain should not match")
|
||||
if cd.Match("testexample.com") {
|
||||
t.Error("Derived domain should not match")
|
||||
}
|
||||
|
||||
// Other domain should not match
|
||||
assert.False(cd.Match("test.com"), "other domain should not match")
|
||||
if cd.Match("test.com") {
|
||||
t.Error("Other domain should not match")
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthCookieDomains(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
cds := CookieDomains{}
|
||||
|
||||
err := cds.UnmarshalFlag("one.com,two.org")
|
||||
assert.Nil(err)
|
||||
expected := CookieDomains{
|
||||
CookieDomain{
|
||||
Domain: "one.com",
|
||||
DomainLen: 7,
|
||||
SubDomain: ".one.com",
|
||||
SubDomainLen: 8,
|
||||
},
|
||||
CookieDomain{
|
||||
Domain: "two.org",
|
||||
DomainLen: 7,
|
||||
SubDomain: ".two.org",
|
||||
SubDomainLen: 8,
|
||||
},
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
if len(cds) != 2 {
|
||||
t.Error("Expected UnmarshalFlag to provide 2 CookieDomains, got", cds)
|
||||
}
|
||||
if cds[0].Domain != "one.com" || cds[0].SubDomain != ".one.com" {
|
||||
t.Error("Expected UnmarshalFlag to provide one.com, got", cds[0])
|
||||
}
|
||||
if cds[1].Domain != "two.org" || cds[1].SubDomain != ".two.org" {
|
||||
t.Error("Expected UnmarshalFlag to provide two.org, got", cds[1])
|
||||
}
|
||||
assert.Equal(expected, cds)
|
||||
|
||||
marshal, err := cds.MarshalFlag()
|
||||
assert.Nil(err)
|
||||
assert.Equal("one.com,two.org", marshal)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
if marshal != "one.com,two.org" {
|
||||
t.Error("Expected MarshalFlag to provide \"one.com,two.org\", got", cds)
|
||||
}
|
||||
}
|
||||
|
||||
@ -7,7 +7,6 @@ import (
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/url"
|
||||
"os"
|
||||
"regexp"
|
||||
"strconv"
|
||||
@ -24,34 +23,31 @@ type Config struct {
|
||||
LogLevel string `long:"log-level" env:"LOG_LEVEL" default:"warn" choice:"trace" choice:"debug" choice:"info" choice:"warn" choice:"error" choice:"fatal" choice:"panic" description:"Log level"`
|
||||
LogFormat string `long:"log-format" env:"LOG_FORMAT" default:"text" choice:"text" choice:"json" choice:"pretty" description:"Log format"`
|
||||
|
||||
AuthHost string `long:"auth-host" env:"AUTH_HOST" description:"Single host to use when returning from 3rd party auth"`
|
||||
Config func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
|
||||
CookieDomains []CookieDomain `long:"cookie-domain" env:"COOKIE_DOMAIN" description:"Domain to set auth cookie on, can be set multiple times"`
|
||||
AuthHost string `long:"auth-host" env:"AUTH_HOST" description:"Host for central auth login"`
|
||||
Config func(s string) error `long:"config" env:"CONFIG" description:"Config file"`
|
||||
CookieDomains CookieDomains `long:"cookie-domains" env:"COOKIE_DOMAINS" description:"Comma separated list of cookie domains"`
|
||||
InsecureCookie bool `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
|
||||
CookieName string `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"Cookie Name"`
|
||||
CSRFCookieName string `long:"csrf-cookie-name" env:"CSRF_COOKIE_NAME" default:"_forward_auth_csrf" description:"CSRF Cookie Name"`
|
||||
DefaultAction string `long:"default-action" env:"DEFAULT_ACTION" default:"auth" choice:"auth" choice:"allow" description:"Default action"`
|
||||
Domains []string `long:"domain" env:"DOMAIN" description:"Only allow given email domains, can be set multiple times"`
|
||||
DefaultAction string `long:"default-action" env:"DEFAULT_ACTION" default:"auth" choice:"auth" choice:"allow" description:"Default Action"`
|
||||
Domains CommaSeparatedList `long:"domains" env:"DOMAINS" description:"Comma separated list of email domains to allow"`
|
||||
LifetimeString int `long:"lifetime" env:"LIFETIME" default:"43200" description:"Lifetime in seconds"`
|
||||
Path string `long:"url-path" env:"URL_PATH" default:"/_oauth" description:"Callback URL Path"`
|
||||
SecretString string `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"`
|
||||
Whitelist CommaSeparatedList `long:"whitelist" env:"WHITELIST" description:"Only allow given email addresses, can be set multiple times"`
|
||||
Path string `long:"url-path" env:"URL_PATH" default:"_oauth" description:"Callback URL Path"`
|
||||
SecretString string `long:"secret" env:"SECRET" description:"*Secret used for signing (required)"`
|
||||
Whitelist CommaSeparatedList `long:"whitelist" env:"WHITELIST" description:"Comma separated list of email addresses to allow"`
|
||||
|
||||
Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"`
|
||||
Rules map[string]*Rule `long:"rules.<name>.<param>" description:"Rule definitions, param can be: \"action\" or \"rule\""`
|
||||
Rules map[string]*Rule `long:"rules.<name>.<param>" description:"Rule definitions, see docs, param can be: \"action\", \"rule\""`
|
||||
|
||||
// Filled during transformations
|
||||
Secret []byte `json:"-"`
|
||||
Secret []byte
|
||||
Lifetime time.Duration
|
||||
|
||||
// Legacy
|
||||
CookieDomainsLegacy CookieDomains `long:"cookie-domains" env:"COOKIE_DOMAINS" description:"DEPRECATED - Use \"cookie-domain\""`
|
||||
CookieSecretLegacy string `long:"cookie-secret" env:"COOKIE_SECRET" description:"DEPRECATED - Use \"secret\"" json:"-"`
|
||||
CookieSecureLegacy string `long:"cookie-secure" env:"COOKIE_SECURE" description:"DEPRECATED - Use \"insecure-cookie\""`
|
||||
DomainsLegacy CommaSeparatedList `long:"domains" env:"DOMAINS" description:"DEPRECATED - Use \"domain\""`
|
||||
ClientIdLegacy string `long:"client-id" env:"CLIENT_ID" group:"DEPs" description:"DEPRECATED - Use \"providers.google.client-id\""`
|
||||
ClientSecretLegacy string `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\"" json:"-"`
|
||||
ClientSecretLegacy string `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\""`
|
||||
PromptLegacy string `long:"prompt" env:"PROMPT" description:"DEPRECATED - Use \"providers.google.prompt\""`
|
||||
CookieSecureLegacy string `long:"cookie-secure" env:"COOKIE_SECURE" namespace:"DERPS" description:"DEPRECATED - Use \"insecure-cookie\""`
|
||||
}
|
||||
|
||||
func NewGlobalConfig() Config {
|
||||
@ -68,26 +64,6 @@ func NewGlobalConfig() Config {
|
||||
func NewConfig(args []string) (Config, error) {
|
||||
c := Config{
|
||||
Rules: map[string]*Rule{},
|
||||
Providers: provider.Providers{
|
||||
Google: provider.Google{
|
||||
Scope: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
|
||||
LoginURL: &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "accounts.google.com",
|
||||
Path: "/o/oauth2/auth",
|
||||
},
|
||||
TokenURL: &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "www.googleapis.com",
|
||||
Path: "/oauth2/v3/token",
|
||||
},
|
||||
UserURL: &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "www.googleapis.com",
|
||||
Path: "/oauth2/v2/userinfo",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
err := c.parseFlags(args)
|
||||
@ -99,10 +75,6 @@ func NewConfig(args []string) (Config, error) {
|
||||
// any further errors can be logged via logrus instead of printed?
|
||||
|
||||
// Backwards compatability
|
||||
if c.CookieSecretLegacy != "" && c.SecretString == "" {
|
||||
log.Warn("cookie-secret config option is deprecated, please use secret")
|
||||
c.SecretString = c.CookieSecretLegacy
|
||||
}
|
||||
if c.ClientIdLegacy != "" {
|
||||
c.Providers.Google.ClientId = c.ClientIdLegacy
|
||||
}
|
||||
@ -110,30 +82,21 @@ func NewConfig(args []string) (Config, error) {
|
||||
c.Providers.Google.ClientSecret = c.ClientSecretLegacy
|
||||
}
|
||||
if c.PromptLegacy != "" {
|
||||
log.Warn("prompt config option is deprecated, please use providers.google.prompt")
|
||||
c.Providers.Google.Prompt = c.PromptLegacy
|
||||
}
|
||||
if c.CookieSecureLegacy != "" {
|
||||
log.Warn("cookie-secure config option is deprecated, please use insecure-cookie")
|
||||
secure, err := strconv.ParseBool(c.CookieSecureLegacy)
|
||||
if err != nil {
|
||||
return c, err
|
||||
}
|
||||
c.InsecureCookie = !secure
|
||||
}
|
||||
if len(c.CookieDomainsLegacy) > 0 {
|
||||
log.Warn("cookie-domains config option is deprecated, please use cookie-domain")
|
||||
c.CookieDomains = append(c.CookieDomains, c.CookieDomainsLegacy...)
|
||||
}
|
||||
if len(c.DomainsLegacy) > 0 {
|
||||
log.Warn("domains config option is deprecated, please use domain")
|
||||
c.Domains = append(c.Domains, c.DomainsLegacy...)
|
||||
}
|
||||
|
||||
// Provider defaults
|
||||
c.Providers.Google.Build()
|
||||
|
||||
// Transformations
|
||||
if len(c.Path) > 0 && c.Path[0] != '/' {
|
||||
c.Path = "/" + c.Path
|
||||
}
|
||||
c.Path = fmt.Sprintf("/%s", c.Path)
|
||||
c.Secret = []byte(c.SecretString)
|
||||
c.Lifetime = time.Second * time.Duration(c.LifetimeString)
|
||||
|
||||
@ -231,7 +194,7 @@ func handlFlagError(err error) error {
|
||||
return err
|
||||
}
|
||||
|
||||
var legacyFileFormat = regexp.MustCompile(`(?m)^([a-z-]+) (.*)$`)
|
||||
var legacyFileFormat = regexp.MustCompile(`^([a-z-]+) ([\w\W]+)$`)
|
||||
|
||||
func convertLegacyToIni(name string) (io.Reader, error) {
|
||||
b, err := ioutil.ReadFile(name)
|
||||
@ -287,12 +250,10 @@ func (r *Rule) Validate() {
|
||||
}
|
||||
}
|
||||
|
||||
// Legacy support for comma separated lists
|
||||
|
||||
type CommaSeparatedList []string
|
||||
|
||||
func (c *CommaSeparatedList) UnmarshalFlag(value string) error {
|
||||
*c = append(*c, strings.Split(value, ",")...)
|
||||
*c = strings.Split(value, ",")
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@ -1,13 +1,10 @@
|
||||
package tfa
|
||||
|
||||
import (
|
||||
"net/url"
|
||||
"bytes"
|
||||
"os"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
/**
|
||||
@ -15,51 +12,56 @@ import (
|
||||
*/
|
||||
|
||||
func TestConfigDefaults(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
// Check defaults
|
||||
c, err := NewConfig([]string{})
|
||||
assert.Nil(err)
|
||||
|
||||
assert.Equal("warn", c.LogLevel)
|
||||
assert.Equal("text", c.LogFormat)
|
||||
|
||||
assert.Equal("", c.AuthHost)
|
||||
assert.Len(c.CookieDomains, 0)
|
||||
assert.False(c.InsecureCookie)
|
||||
assert.Equal("_forward_auth", c.CookieName)
|
||||
assert.Equal("_forward_auth_csrf", c.CSRFCookieName)
|
||||
assert.Equal("auth", c.DefaultAction)
|
||||
assert.Len(c.Domains, 0)
|
||||
assert.Equal(time.Second*time.Duration(43200), c.Lifetime)
|
||||
assert.Equal("/_oauth", c.Path)
|
||||
assert.Len(c.Whitelist, 0)
|
||||
|
||||
assert.Equal("https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email", c.Providers.Google.Scope)
|
||||
assert.Equal("", c.Providers.Google.Prompt)
|
||||
|
||||
loginURL := &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "accounts.google.com",
|
||||
Path: "/o/oauth2/auth",
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
assert.Equal(loginURL, c.Providers.Google.LoginURL)
|
||||
|
||||
tokenURL := &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "www.googleapis.com",
|
||||
Path: "/oauth2/v3/token",
|
||||
if c.LogLevel != "warn" {
|
||||
t.Error("LogLevel default should be warn, got", c.LogLevel)
|
||||
}
|
||||
if c.LogFormat != "text" {
|
||||
t.Error("LogFormat default should be text, got", c.LogFormat)
|
||||
}
|
||||
assert.Equal(tokenURL, c.Providers.Google.TokenURL)
|
||||
|
||||
userURL := &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "www.googleapis.com",
|
||||
Path: "/oauth2/v2/userinfo",
|
||||
if c.AuthHost != "" {
|
||||
t.Error("AuthHost default should be empty, got", c.AuthHost)
|
||||
}
|
||||
if len(c.CookieDomains) != 0 {
|
||||
t.Error("CookieDomains default should be empty, got", c.CookieDomains)
|
||||
}
|
||||
if c.InsecureCookie != false {
|
||||
t.Error("InsecureCookie default should be false, got", c.InsecureCookie)
|
||||
}
|
||||
if c.CookieName != "_forward_auth" {
|
||||
t.Error("CookieName default should be _forward_auth, got", c.CookieName)
|
||||
}
|
||||
if c.CSRFCookieName != "_forward_auth_csrf" {
|
||||
t.Error("CSRFCookieName default should be _forward_auth_csrf, got", c.CSRFCookieName)
|
||||
}
|
||||
if c.DefaultAction != "auth" {
|
||||
t.Error("DefaultAction default should be auth, got", c.DefaultAction)
|
||||
}
|
||||
if len(c.Domains) != 0 {
|
||||
t.Error("Domain default should be empty, got", c.Domains)
|
||||
}
|
||||
if c.Lifetime != time.Second*time.Duration(43200) {
|
||||
t.Error("Lifetime default should be 43200, got", c.Lifetime)
|
||||
}
|
||||
if c.Path != "/_oauth" {
|
||||
t.Error("Path default should be /_oauth, got", c.Path)
|
||||
}
|
||||
if len(c.Whitelist) != 0 {
|
||||
t.Error("Whitelist default should be empty, got", c.Whitelist)
|
||||
}
|
||||
|
||||
if c.Providers.Google.Prompt != "" {
|
||||
t.Error("Providers.Google.Prompt default should be empty, got", c.Providers.Google.Prompt)
|
||||
}
|
||||
assert.Equal(userURL, c.Providers.Google.UserURL)
|
||||
}
|
||||
|
||||
func TestConfigParseArgs(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
c, err := NewConfig([]string{
|
||||
"--cookie-name=cookiename",
|
||||
"--csrf-cookie-name", "\"csrfcookiename\"",
|
||||
@ -68,154 +70,200 @@ func TestConfigParseArgs(t *testing.T) {
|
||||
"--rule.two.action=auth",
|
||||
"--rule.two.rule=\"Host(`two.com`) && Path(`/two`)\"",
|
||||
})
|
||||
require.Nil(t, err)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
// Check normal flags
|
||||
assert.Equal("cookiename", c.CookieName)
|
||||
assert.Equal("csrfcookiename", c.CSRFCookieName)
|
||||
if c.CookieName != "cookiename" {
|
||||
t.Error("CookieName default should be cookiename, got", c.CookieName)
|
||||
}
|
||||
if c.CSRFCookieName != "csrfcookiename" {
|
||||
t.Error("CSRFCookieName default should be csrfcookiename, got", c.CSRFCookieName)
|
||||
}
|
||||
|
||||
// Check rules
|
||||
assert.Equal(map[string]*Rule{
|
||||
"1": {
|
||||
Action: "allow",
|
||||
Rule: "PathPrefix(`/one`)",
|
||||
Provider: "google",
|
||||
},
|
||||
"two": {
|
||||
Action: "auth",
|
||||
Rule: "Host(`two.com`) && Path(`/two`)",
|
||||
Provider: "google",
|
||||
},
|
||||
}, c.Rules)
|
||||
if len(c.Rules) != 2 {
|
||||
t.Error("Should create 2 rules, got:", len(c.Rules))
|
||||
}
|
||||
|
||||
// First rule
|
||||
if rule, ok := c.Rules["1"]; !ok {
|
||||
t.Error("Could not find rule key '1'")
|
||||
} else {
|
||||
if rule.Action != "allow" {
|
||||
t.Error("First rule action should be allow, got:", rule.Action)
|
||||
}
|
||||
if rule.Rule != "PathPrefix(`/one`)" {
|
||||
t.Error("First rule rule should be PathPrefix(`/one`), got:", rule.Rule)
|
||||
}
|
||||
if rule.Provider != "google" {
|
||||
t.Error("First rule provider should be google, got:", rule.Provider)
|
||||
}
|
||||
}
|
||||
|
||||
// Second rule
|
||||
if rule, ok := c.Rules["two"]; !ok {
|
||||
t.Error("Could not find rule key '1'")
|
||||
} else {
|
||||
if rule.Action != "auth" {
|
||||
t.Error("Second rule action should be auth, got:", rule.Action)
|
||||
}
|
||||
if rule.Rule != "Host(`two.com`) && Path(`/two`)" {
|
||||
t.Error("Second rule rule should be Host(`two.com`) && Path(`/two`), got:", rule.Rule)
|
||||
}
|
||||
if rule.Provider != "google" {
|
||||
t.Error("Second rule provider should be google, got:", rule.Provider)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigParseUnknownFlags(t *testing.T) {
|
||||
_, err := NewConfig([]string{
|
||||
"--unknown=_oauthpath2",
|
||||
})
|
||||
if assert.Error(t, err) {
|
||||
assert.Equal(t, "unknown flag: unknown", err.Error())
|
||||
if err.Error() != "unknown flag: unknown" {
|
||||
t.Error("Error should be \"unknown flag: unknown\", got:", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigFlagBackwardsCompatability(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
c, err := NewConfig([]string{
|
||||
"--client-id=clientid",
|
||||
"--client-secret=verysecret",
|
||||
"--prompt=prompt",
|
||||
"--cookie-secret=veryverysecret",
|
||||
"--lifetime=200",
|
||||
"--cookie-secure=false",
|
||||
"--cookie-domains=test1.com,example.org",
|
||||
"--cookie-domain=another1.net",
|
||||
"--domains=test2.com,example.org",
|
||||
"--domain=another2.net",
|
||||
"--whitelist=test3.com,example.org",
|
||||
"--whitelist=another3.net",
|
||||
})
|
||||
require.Nil(t, err)
|
||||
|
||||
// The following used to be passed as comma separated list
|
||||
expected1 := []CookieDomain{
|
||||
*NewCookieDomain("another1.net"),
|
||||
*NewCookieDomain("test1.com"),
|
||||
*NewCookieDomain("example.org"),
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
assert.Equal(expected1, c.CookieDomains, "should read legacy comma separated list cookie-domains")
|
||||
|
||||
expected2 := []string{"another2.net", "test2.com", "example.org"}
|
||||
assert.Equal(expected2, c.Domains, "should read legacy comma separated list domains")
|
||||
|
||||
expected3 := CommaSeparatedList{"test3.com", "example.org", "another3.net"}
|
||||
assert.Equal(expected3, c.Whitelist, "should read legacy comma separated list whitelist")
|
||||
|
||||
// Name changed
|
||||
assert.Equal([]byte("veryverysecret"), c.Secret)
|
||||
|
||||
// Google provider params used to be top level
|
||||
assert.Equal("clientid", c.ClientIdLegacy)
|
||||
assert.Equal("clientid", c.Providers.Google.ClientId, "--client-id should set providers.google.client-id")
|
||||
assert.Equal("verysecret", c.ClientSecretLegacy)
|
||||
assert.Equal("verysecret", c.Providers.Google.ClientSecret, "--client-secret should set providers.google.client-secret")
|
||||
assert.Equal("prompt", c.PromptLegacy)
|
||||
assert.Equal("prompt", c.Providers.Google.Prompt, "--prompt should set providers.google.promot")
|
||||
if c.ClientIdLegacy != "clientid" {
|
||||
t.Error("ClientIdLegacy should be clientid, got", c.ClientIdLegacy)
|
||||
}
|
||||
if c.Providers.Google.ClientId != "clientid" {
|
||||
t.Error("Providers.Google.ClientId should be clientid, got", c.Providers.Google.ClientId)
|
||||
}
|
||||
if c.ClientSecretLegacy != "verysecret" {
|
||||
t.Error("ClientSecretLegacy should be verysecret, got", c.ClientSecretLegacy)
|
||||
}
|
||||
if c.Providers.Google.ClientSecret != "verysecret" {
|
||||
t.Error("Providers.Google.ClientSecret should be verysecret, got", c.Providers.Google.ClientSecret)
|
||||
}
|
||||
if c.PromptLegacy != "prompt" {
|
||||
t.Error("PromptLegacy should be prompt, got", c.PromptLegacy)
|
||||
}
|
||||
if c.Providers.Google.Prompt != "prompt" {
|
||||
t.Error("Providers.Google.Prompt should be prompt, got", c.Providers.Google.Prompt)
|
||||
}
|
||||
|
||||
// "cookie-secure" used to be a standard go bool flag that could take
|
||||
// true, TRUE, 1, false, FALSE, 0 etc. values.
|
||||
// Here we're checking that format is still suppoted
|
||||
assert.Equal("false", c.CookieSecureLegacy)
|
||||
assert.True(c.InsecureCookie, "--cookie-secure=false should set insecure-cookie true")
|
||||
|
||||
if c.CookieSecureLegacy != "false" || c.InsecureCookie != true {
|
||||
t.Error("Setting cookie-secure=false should set InsecureCookie true, got", c.InsecureCookie)
|
||||
}
|
||||
c, err = NewConfig([]string{"--cookie-secure=TRUE"})
|
||||
assert.Nil(err)
|
||||
assert.Equal("TRUE", c.CookieSecureLegacy)
|
||||
assert.False(c.InsecureCookie, "--cookie-secure=TRUE should set insecure-cookie false")
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
if c.CookieSecureLegacy != "TRUE" || c.InsecureCookie != false {
|
||||
t.Error("Setting cookie-secure=TRUE should set InsecureCookie false, got", c.InsecureCookie)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigParseIni(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
c, err := NewConfig([]string{
|
||||
"--config=../test/config0",
|
||||
"--config=../test/config1",
|
||||
"--csrf-cookie-name=csrfcookiename",
|
||||
})
|
||||
require.Nil(t, err)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
assert.Equal("inicookiename", c.CookieName, "should be read from ini file")
|
||||
assert.Equal("csrfcookiename", c.CSRFCookieName, "should be read from ini file")
|
||||
assert.Equal("/two", c.Path, "variable in second ini file should override first ini file")
|
||||
if c.CookieName != "inicookiename" {
|
||||
t.Error("CookieName should be read as inicookiename from ini file, got", c.CookieName)
|
||||
}
|
||||
if c.CSRFCookieName != "csrfcookiename" {
|
||||
t.Error("CSRFCookieName argument should override ini file, got", c.CSRFCookieName)
|
||||
}
|
||||
if c.Path != "/two" {
|
||||
t.Error("Path in second ini file should override first ini file, got", c.Path)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigFileBackwardsCompatability(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
c, err := NewConfig([]string{
|
||||
"--config=../test/config-legacy",
|
||||
})
|
||||
require.Nil(t, err)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
assert.Equal("/two", c.Path, "variable in legacy config file should be read")
|
||||
assert.Equal("auth.legacy.com", c.AuthHost, "variable in legacy config file should be read")
|
||||
if c.Path != "/two" {
|
||||
t.Error("Path in legacy config file should be read, got", c.Path)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigParseEnvironment(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
os.Setenv("COOKIE_NAME", "env_cookie_name")
|
||||
os.Setenv("PROVIDERS_GOOGLE_CLIENT_ID", "env_client_id")
|
||||
c, err := NewConfig([]string{})
|
||||
assert.Nil(err)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
assert.Equal("env_cookie_name", c.CookieName, "variable should be read from environment")
|
||||
assert.Equal("env_client_id", c.Providers.Google.ClientId, "namespace variable should be read from environment")
|
||||
if c.CookieName != "env_cookie_name" {
|
||||
t.Error("CookieName should be read as env_cookie_name from environment, got", c.CookieName)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigTransformation(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
c, err := NewConfig([]string{
|
||||
"--url-path=_oauthpath",
|
||||
"--secret=verysecret",
|
||||
"--lifetime=200",
|
||||
})
|
||||
require.Nil(t, err)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
assert.Equal("/_oauthpath", c.Path, "path should add slash to front")
|
||||
if c.Path != "/_oauthpath" {
|
||||
t.Error("Path should add slash to front to get /_oauthpath, got:", c.Path)
|
||||
}
|
||||
|
||||
assert.Equal("verysecret", c.SecretString)
|
||||
assert.Equal([]byte("verysecret"), c.Secret, "secret should be converted to byte array")
|
||||
if c.SecretString != "verysecret" {
|
||||
t.Error("SecretString should be verysecret, got:", c.SecretString)
|
||||
}
|
||||
if bytes.Compare(c.Secret, []byte("verysecret")) != 0 {
|
||||
t.Error("Secret should be []byte(verysecret), got:", string(c.Secret))
|
||||
}
|
||||
|
||||
assert.Equal(200, c.LifetimeString)
|
||||
assert.Equal(time.Second*time.Duration(200), c.Lifetime, "lifetime should be read and converted to duration")
|
||||
if c.LifetimeString != 200 {
|
||||
t.Error("LifetimeString should be 200, got:", c.LifetimeString)
|
||||
}
|
||||
if c.Lifetime != time.Second*time.Duration(200) {
|
||||
t.Error("Lifetime default should be 200, got", c.Lifetime)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigCommaSeparatedList(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
list := CommaSeparatedList{}
|
||||
|
||||
err := list.UnmarshalFlag("one,two")
|
||||
assert.Nil(err)
|
||||
assert.Equal(CommaSeparatedList{"one", "two"}, list, "should parse comma sepearated list")
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
if len(list) != 2 || list[0] != "one" || list[1] != "two" {
|
||||
t.Error("Expected UnmarshalFlag to provide CommaSeparatedList{one,two}, got", list)
|
||||
}
|
||||
|
||||
marshal, err := list.MarshalFlag()
|
||||
assert.Nil(err)
|
||||
assert.Equal("one,two", marshal, "should marshal back to comma sepearated list")
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
if marshal != "one,two" {
|
||||
t.Error("Expected MarshalFlag to provide \"one,two\", got", list)
|
||||
}
|
||||
}
|
||||
|
||||
@ -18,6 +18,24 @@ type Google struct {
|
||||
UserURL *url.URL
|
||||
}
|
||||
|
||||
func (g *Google) Build() {
|
||||
g.LoginURL = &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "accounts.google.com",
|
||||
Path: "/o/oauth2/auth",
|
||||
}
|
||||
g.TokenURL = &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "www.googleapis.com",
|
||||
Path: "/oauth2/v3/token",
|
||||
}
|
||||
g.UserURL = &url.URL{
|
||||
Scheme: "https",
|
||||
Host: "www.googleapis.com",
|
||||
Path: "/oauth2/v2/userinfo",
|
||||
}
|
||||
}
|
||||
|
||||
func (g *Google) GetLoginURL(redirectUri, state string) string {
|
||||
q := url.Values{}
|
||||
q.Set("client_id", g.ClientId)
|
||||
|
||||
@ -26,11 +26,11 @@ func (s *Server) buildRoutes() {
|
||||
}
|
||||
|
||||
// Let's build a router
|
||||
for name, rule := range config.Rules {
|
||||
for _, rule := range config.Rules {
|
||||
if rule.Action == "allow" {
|
||||
s.router.AddRoute(rule.Rule, 1, s.AllowHandler(name))
|
||||
s.router.AddRoute(rule.Rule, 1, s.AllowHandler())
|
||||
} else {
|
||||
s.router.AddRoute(rule.Rule, 1, s.AuthHandler(name))
|
||||
s.router.AddRoute(rule.Rule, 1, s.AuthHandler())
|
||||
}
|
||||
}
|
||||
|
||||
@ -39,9 +39,9 @@ func (s *Server) buildRoutes() {
|
||||
|
||||
// Add a default handler
|
||||
if config.DefaultAction == "allow" {
|
||||
s.router.NewRoute().Handler(s.AllowHandler("default"))
|
||||
s.router.NewRoute().Handler(s.AllowHandler())
|
||||
} else {
|
||||
s.router.NewRoute().Handler(s.AuthHandler("default"))
|
||||
s.router.NewRoute().Handler(s.AuthHandler())
|
||||
}
|
||||
}
|
||||
|
||||
@ -54,18 +54,18 @@ func (s *Server) RootHandler(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
// Handler that allows requests
|
||||
func (s *Server) AllowHandler(rule string) http.HandlerFunc {
|
||||
func (s *Server) AllowHandler() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
s.logger(r, rule, "Allowing request")
|
||||
s.logger(r, "Allowing request")
|
||||
w.WriteHeader(200)
|
||||
}
|
||||
}
|
||||
|
||||
// Authenticate requests
|
||||
func (s *Server) AuthHandler(rule string) http.HandlerFunc {
|
||||
func (s *Server) AuthHandler() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
// Logging setup
|
||||
logger := s.logger(r, rule, "Authenticating request")
|
||||
logger := s.logger(r, "Authenticating request")
|
||||
|
||||
// Get auth cookie
|
||||
c, err := r.Cookie(config.CookieName)
|
||||
@ -85,7 +85,6 @@ func (s *Server) AuthHandler(rule string) http.HandlerFunc {
|
||||
// Forward them on
|
||||
http.Redirect(w, r, GetLoginURL(r, nonce), http.StatusTemporaryRedirect)
|
||||
|
||||
logger.Debug("Done")
|
||||
return
|
||||
}
|
||||
|
||||
@ -118,7 +117,7 @@ func (s *Server) AuthHandler(rule string) http.HandlerFunc {
|
||||
func (s *Server) AuthCallbackHandler() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
// Logging setup
|
||||
logger := s.logger(r, "default", "Handling callback")
|
||||
logger := s.logger(r, "Handling callback")
|
||||
|
||||
// Check for CSRF cookie
|
||||
c, err := r.Cookie(config.CSRFCookieName)
|
||||
@ -165,17 +164,16 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) logger(r *http.Request, rule, msg string) *logrus.Entry {
|
||||
func (s *Server) logger(r *http.Request, msg string) *logrus.Entry {
|
||||
// Create logger
|
||||
logger := log.WithFields(logrus.Fields{
|
||||
"source_ip": r.Header.Get("X-Forwarded-For"),
|
||||
"RemoteAddr": r.RemoteAddr,
|
||||
})
|
||||
|
||||
// Log request
|
||||
logger.WithFields(logrus.Fields{
|
||||
"rule": rule,
|
||||
"headers": r.Header,
|
||||
}).Debug(msg)
|
||||
"Headers": r.Header,
|
||||
}).Debugf(msg)
|
||||
|
||||
return logger
|
||||
}
|
||||
|
||||
@ -8,12 +8,8 @@ import (
|
||||
"net/url"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
// TODO:
|
||||
|
||||
/**
|
||||
* Setup
|
||||
*/
|
||||
@ -28,18 +24,19 @@ func init() {
|
||||
*/
|
||||
|
||||
func TestServerAuthHandler(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
|
||||
// Should redirect vanilla request to login url
|
||||
req := newHttpRequest("/foo")
|
||||
res, _ := doHttpRequest(req, nil)
|
||||
assert.Equal(307, res.StatusCode, "vanilla request should be redirected")
|
||||
|
||||
res, _ := httpRequest(req, nil)
|
||||
if res.StatusCode != 307 {
|
||||
t.Error("Vanilla request should be redirected with 307, got:", res.StatusCode)
|
||||
}
|
||||
fwd, _ := res.Location()
|
||||
assert.Equal("https", fwd.Scheme, "vanilla request should be redirected to google")
|
||||
assert.Equal("accounts.google.com", fwd.Host, "vanilla request should be redirected to google")
|
||||
assert.Equal("/o/oauth2/auth", fwd.Path, "vanilla request should be redirected to google")
|
||||
if fwd.Scheme != "https" || fwd.Host != "accounts.google.com" || fwd.Path != "/o/oauth2/auth" {
|
||||
t.Error("Vanilla request should be redirected to login url, got:", fwd)
|
||||
}
|
||||
|
||||
// Should catch invalid cookie
|
||||
req = newHttpRequest("/foo")
|
||||
@ -47,33 +44,42 @@ func TestServerAuthHandler(t *testing.T) {
|
||||
parts := strings.Split(c.Value, "|")
|
||||
c.Value = fmt.Sprintf("bad|%s|%s", parts[1], parts[2])
|
||||
|
||||
res, _ = doHttpRequest(req, c)
|
||||
assert.Equal(401, res.StatusCode, "invalid cookie should not be authorised")
|
||||
res, _ = httpRequest(req, c)
|
||||
if res.StatusCode != 401 {
|
||||
t.Error("Request with invalid cookie shound't be authorised", res.StatusCode)
|
||||
}
|
||||
|
||||
// Should validate email
|
||||
req = newHttpRequest("/foo")
|
||||
c = MakeCookie(req, "test@example.com")
|
||||
config.Domains = []string{"test.com"}
|
||||
|
||||
res, _ = doHttpRequest(req, c)
|
||||
assert.Equal(401, res.StatusCode, "invalid email should not be authorised")
|
||||
res, _ = httpRequest(req, c)
|
||||
if res.StatusCode != 401 {
|
||||
t.Error("Request with invalid email shound't be authorised", res.StatusCode)
|
||||
}
|
||||
|
||||
// Should allow valid request email
|
||||
req = newHttpRequest("/foo")
|
||||
|
||||
c = MakeCookie(req, "test@example.com")
|
||||
config.Domains = []string{}
|
||||
|
||||
res, _ = doHttpRequest(req, c)
|
||||
assert.Equal(200, res.StatusCode, "valid request should be allowed")
|
||||
res, _ = httpRequest(req, c)
|
||||
if res.StatusCode != 200 {
|
||||
t.Error("Valid request should be allowed, got:", res.StatusCode)
|
||||
}
|
||||
|
||||
// Should pass through user
|
||||
users := res.Header["X-Forwarded-User"]
|
||||
assert.Len(users, 1, "valid request should have X-Forwarded-User header")
|
||||
assert.Equal([]string{"test@example.com"}, users, "X-Forwarded-User header should match user")
|
||||
if len(users) != 1 {
|
||||
t.Error("Valid request missing X-Forwarded-User header")
|
||||
} else if users[0] != "test@example.com" {
|
||||
t.Error("X-Forwarded-User should match user, got: ", users)
|
||||
}
|
||||
}
|
||||
|
||||
func TestServerAuthCallback(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
|
||||
// Setup token server
|
||||
@ -92,43 +98,50 @@ func TestServerAuthCallback(t *testing.T) {
|
||||
|
||||
// Should pass auth response request to callback
|
||||
req := newHttpRequest("/_oauth")
|
||||
res, _ := doHttpRequest(req, nil)
|
||||
assert.Equal(401, res.StatusCode, "auth callback without cookie shouldn't be authorised")
|
||||
res, _ := httpRequest(req, nil)
|
||||
if res.StatusCode != 401 {
|
||||
t.Error("Auth callback without cookie shound't be authorised, got:", res.StatusCode)
|
||||
}
|
||||
|
||||
// Should catch invalid csrf cookie
|
||||
req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
|
||||
c := MakeCSRFCookie(req, "nononononononononononononononono")
|
||||
res, _ = doHttpRequest(req, c)
|
||||
assert.Equal(401, res.StatusCode, "auth callback with invalid cookie shouldn't be authorised")
|
||||
res, _ = httpRequest(req, c)
|
||||
if res.StatusCode != 401 {
|
||||
t.Error("Auth callback with invalid cookie shound't be authorised, got:", res.StatusCode)
|
||||
}
|
||||
|
||||
// Should redirect valid request
|
||||
req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
|
||||
c = MakeCSRFCookie(req, "12345678901234567890123456789012")
|
||||
res, _ = doHttpRequest(req, c)
|
||||
assert.Equal(307, res.StatusCode, "valid auth callback should be allowed")
|
||||
|
||||
res, _ = httpRequest(req, c)
|
||||
if res.StatusCode != 307 {
|
||||
t.Error("Valid callback should be allowed, got:", res.StatusCode)
|
||||
}
|
||||
fwd, _ := res.Location()
|
||||
assert.Equal("http", fwd.Scheme, "valid request should be redirected to return url")
|
||||
assert.Equal("redirect", fwd.Host, "valid request should be redirected to return url")
|
||||
assert.Equal("", fwd.Path, "valid request should be redirected to return url")
|
||||
if fwd.Scheme != "http" || fwd.Host != "redirect" || fwd.Path != "" {
|
||||
t.Error("Valid request should be redirected to return url, got:", fwd)
|
||||
}
|
||||
}
|
||||
|
||||
func TestServerDefaultAction(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
|
||||
req := newHttpRequest("/random")
|
||||
res, _ := doHttpRequest(req, nil)
|
||||
assert.Equal(307, res.StatusCode, "request should require auth with auth default handler")
|
||||
res, _ := httpRequest(req, nil)
|
||||
if res.StatusCode != 307 {
|
||||
t.Error("Request should require auth with auth default handler, got:", res.StatusCode)
|
||||
}
|
||||
|
||||
config.DefaultAction = "allow"
|
||||
req = newHttpRequest("/random")
|
||||
res, _ = doHttpRequest(req, nil)
|
||||
assert.Equal(200, res.StatusCode, "request should be allowed with default handler")
|
||||
res, _ = httpRequest(req, nil)
|
||||
if res.StatusCode != 200 {
|
||||
t.Error("Request should be allowed with allow default handler, got:", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
func TestServerRoutePathPrefix(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
config, _ = NewConfig([]string{})
|
||||
config.Rules = map[string]*Rule{
|
||||
"web1": {
|
||||
@ -139,13 +152,17 @@ func TestServerRoutePathPrefix(t *testing.T) {
|
||||
|
||||
// Should block any request
|
||||
req := newHttpRequest("/random")
|
||||
res, _ := doHttpRequest(req, nil)
|
||||
assert.Equal(307, res.StatusCode, "request not matching any rule should require auth")
|
||||
res, _ := httpRequest(req, nil)
|
||||
if res.StatusCode != 307 {
|
||||
t.Error("Request not matching any rule should require auth, got:", res.StatusCode)
|
||||
}
|
||||
|
||||
// Should allow /api request
|
||||
req = newHttpRequest("/api")
|
||||
res, _ = doHttpRequest(req, nil)
|
||||
assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
|
||||
res, _ = httpRequest(req, nil)
|
||||
if res.StatusCode != 200 {
|
||||
t.Error("Request matching allowed rule should be allowed, got:", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@ -169,7 +186,7 @@ func (t *UserServerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
}`)
|
||||
}
|
||||
|
||||
func doHttpRequest(r *http.Request, c *http.Cookie) (*http.Response, string) {
|
||||
func httpRequest(r *http.Request, c *http.Cookie) (*http.Response, string) {
|
||||
w := httptest.NewRecorder()
|
||||
|
||||
// Set cookies on recorder
|
||||
@ -182,6 +199,7 @@ func doHttpRequest(r *http.Request, c *http.Cookie) (*http.Response, string) {
|
||||
r.Header.Add("Cookie", c)
|
||||
}
|
||||
|
||||
|
||||
NewServer().RootHandler(w, r)
|
||||
|
||||
res := w.Result()
|
||||
|
||||
@ -1,2 +1 @@
|
||||
url-path two
|
||||
auth-host auth.legacy.com
|
||||
|
||||
Reference in New Issue
Block a user