diff options
Diffstat (limited to 'pkg/authz/server_test.go')
| -rw-r--r-- | pkg/authz/server_test.go | 60 |
1 files changed, 36 insertions, 24 deletions
diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go index 6fa4eee..e8f179e 100644 --- a/pkg/authz/server_test.go +++ b/pkg/authz/server_test.go @@ -7,15 +7,23 @@ import ( "testing" auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/oauth2-proxy/mockoidc" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials/insecure" "google.golang.org/grpc/test/bufconn" ) +type HTTPRequest = auth.AttributeContext_HttpRequest + func TestServer(t *testing.T) { + idp := web.NewOIDCServer(t) + defer idp.Close() + socket := bufconn.Listen(1024 * 1024) srv := New(t.Context()) @@ -36,37 +44,41 @@ func TestServer(t *testing.T) { defer connection.Close() client := auth.NewAuthorizationClient(connection) - idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMCIsInN1YiI6IjEiLCJhdWQiOiJlMzFlMWRhMGI4ZjZiNmUzNWNhNzBjNzkwYjEzYzA0MDZlNDRhY2E2YjJiZjY3ZjU1ZGU3MzU1YTk3OWEyMjRmIiwiZXhwIjoxNzQ3OTM3OTgzLCJpYXQiOjE3NDc5Mzc4NjMsImF1dGhfdGltZSI6MTc0Nzc3NDA2Nywic3ViX2xlZ2FjeSI6IjI0NzRjZjBiMjIxMTY4OGE1NzI5N2FjZTBlMjYwYTE1OTQ0NzU0ZDE2YjFiZDQyYzlkNjc3OWM5MDAzNjc4MDciLCJuYW1lIjoiQWRtaW5pc3RyYXRvciIsIm5pY2tuYW1lIjoicm9vdCIsInByZWZlcnJlZF91c2VybmFtZSI6InJvb3QiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByb2ZpbGUiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMC9yb290IiwicGljdHVyZSI6Imh0dHBzOi8vd3d3LmdyYXZhdGFyLmNvbS9hdmF0YXIvMjU4ZDhkYzkxNmRiOGNlYTJjYWZiNmMzY2QwY2IwMjQ2ZWZlMDYxNDIxZGJkODNlYzNhMzUwNDI4Y2FiZGE0Zj9zPTgwJmQ9aWRlbnRpY29uIiwiZ3JvdXBzX2RpcmVjdCI6WyJnaXRsYWItb3JnIiwidG9vbGJveCIsIm1hc3NfaW5zZXJ0X2dyb3VwX18wXzEwMCIsImN1c3RvbS1yb2xlcy1yb290LWdyb3VwL2FhIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAvYWEvYWFhIiwiZ251d2dldCIsIkNvbW1pdDQ1MSIsImphc2hrZW5hcyIsImZsaWdodGpzIiwidHdpdHRlciIsImdpdGxhYi1leGFtcGxlcyIsImdpdGxhYi1leGFtcGxlcy9zZWN1cml0eSIsIjQxMjcwOCIsImdpdGxhYi1leGFtcGxlcy9kZW1vLWdyb3VwIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAiLCI0MzQwNDQtZ3JvdXAtMSIsIjQzNDA0NC1ncm91cC0yIiwiZ2l0bGFiLW9yZzEiLCJnaXRsYWItb3JnL3NlY3VyZSIsImdpdGxhYi1vcmcvc2VjdXJlL21hbmFnZXJzIiwiZ2l0bGFiLW9yZy9zZWN1cml0eS1wcm9kdWN0cyIsImdpdGxhYi1vcmcvc2VjdXJpdHktcHJvZHVjdHMvYW5hbHl6ZXJzIl19.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvDxZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w" - accessToken := "f88f60df11e458b594c80b299aee05f8e5805c65c3e779cc6fbc606c4ac36227" - refreshToken := "0847d325d6e4f021c4baaae0ddb425dbd8795807a4751cd2131bec8e8a9aee24" + user := mockoidc.DefaultUser() + _, rawIDToken := idp.CreateTokensFor(user) - cookies := []string{ - "bearer_token=" + accessToken + ";", - "id_token=" + idToken + ";", - "refresh_token=" + refreshToken, + loggedInHeaders := map[string]string{ + "cookie": strings.Join([]string{ + "bearer_token=" + pls.GenerateRandomHex(32), + "id_token=" + rawIDToken, + "refresh_token=" + pls.GenerateRandomHex(32), + }, "; "), } - loggedInHeaders := map[string]string{"cookie": strings.Join(cookies, "; ")} + + invalidHeaders := map[string]string{"cookie": strings.Join([]string{"id_token=invalid"}, "; ")} t.Run("CheckRequest", func(t *testing.T) { tt := []struct { - http *auth.AttributeContext_HttpRequest + http *HTTPRequest status codes.Code }{ - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/application.js"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/callback"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard/nav"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/favicon.ico"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/favicon.png"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/health"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/index.html"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/logo.png"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/signout"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/sparkles"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles/restore"}}, - {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard"}}, - {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/application.js"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/callback"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/dashboard/nav"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.ico"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/health"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/index.html"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/logo.png"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/signout"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/sparkles"}}, + {status: codes.OK, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, + {status: codes.OK, http: &HTTPRequest{Method: "POST", Path: "/sparkles/restore"}}, + {status: codes.PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard"}}, + {status: codes.PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, + {status: codes.PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}}, } for _, example := range tt { |