From 94ded54208dd4fe73b11a6224d52192558f3463f Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 23 May 2025 15:30:38 -0600 Subject: test: update test to generate a valid id_token --- pkg/authz/server_test.go | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'pkg/authz/server_test.go') diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go index 6fa4eee..ffc00c5 100644 --- a/pkg/authz/server_test.go +++ b/pkg/authz/server_test.go @@ -7,8 +7,11 @@ import ( "testing" auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/oauth2-proxy/mockoidc" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials/insecure" @@ -16,6 +19,9 @@ import ( ) func TestServer(t *testing.T) { + idp := web.NewOIDCServer(t) + defer idp.Close() + socket := bufconn.Listen(1024 * 1024) srv := New(t.Context()) @@ -36,15 +42,15 @@ func TestServer(t *testing.T) { defer connection.Close() client := auth.NewAuthorizationClient(connection) - idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMCIsInN1YiI6IjEiLCJhdWQiOiJlMzFlMWRhMGI4ZjZiNmUzNWNhNzBjNzkwYjEzYzA0MDZlNDRhY2E2YjJiZjY3ZjU1ZGU3MzU1YTk3OWEyMjRmIiwiZXhwIjoxNzQ3OTM3OTgzLCJpYXQiOjE3NDc5Mzc4NjMsImF1dGhfdGltZSI6MTc0Nzc3NDA2Nywic3ViX2xlZ2FjeSI6IjI0NzRjZjBiMjIxMTY4OGE1NzI5N2FjZTBlMjYwYTE1OTQ0NzU0ZDE2YjFiZDQyYzlkNjc3OWM5MDAzNjc4MDciLCJuYW1lIjoiQWRtaW5pc3RyYXRvciIsIm5pY2tuYW1lIjoicm9vdCIsInByZWZlcnJlZF91c2VybmFtZSI6InJvb3QiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByb2ZpbGUiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMC9yb290IiwicGljdHVyZSI6Imh0dHBzOi8vd3d3LmdyYXZhdGFyLmNvbS9hdmF0YXIvMjU4ZDhkYzkxNmRiOGNlYTJjYWZiNmMzY2QwY2IwMjQ2ZWZlMDYxNDIxZGJkODNlYzNhMzUwNDI4Y2FiZGE0Zj9zPTgwJmQ9aWRlbnRpY29uIiwiZ3JvdXBzX2RpcmVjdCI6WyJnaXRsYWItb3JnIiwidG9vbGJveCIsIm1hc3NfaW5zZXJ0X2dyb3VwX18wXzEwMCIsImN1c3RvbS1yb2xlcy1yb290LWdyb3VwL2FhIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAvYWEvYWFhIiwiZ251d2dldCIsIkNvbW1pdDQ1MSIsImphc2hrZW5hcyIsImZsaWdodGpzIiwidHdpdHRlciIsImdpdGxhYi1leGFtcGxlcyIsImdpdGxhYi1leGFtcGxlcy9zZWN1cml0eSIsIjQxMjcwOCIsImdpdGxhYi1leGFtcGxlcy9kZW1vLWdyb3VwIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAiLCI0MzQwNDQtZ3JvdXAtMSIsIjQzNDA0NC1ncm91cC0yIiwiZ2l0bGFiLW9yZzEiLCJnaXRsYWItb3JnL3NlY3VyZSIsImdpdGxhYi1vcmcvc2VjdXJlL21hbmFnZXJzIiwiZ2l0bGFiLW9yZy9zZWN1cml0eS1wcm9kdWN0cyIsImdpdGxhYi1vcmcvc2VjdXJpdHktcHJvZHVjdHMvYW5hbHl6ZXJzIl19.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvDxZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w" - accessToken := "f88f60df11e458b594c80b299aee05f8e5805c65c3e779cc6fbc606c4ac36227" - refreshToken := "0847d325d6e4f021c4baaae0ddb425dbd8795807a4751cd2131bec8e8a9aee24" + user := mockoidc.DefaultUser() + _, rawIDToken := idp.CreateTokensFor(user) cookies := []string{ - "bearer_token=" + accessToken + ";", - "id_token=" + idToken + ";", - "refresh_token=" + refreshToken, + "bearer_token=" + pls.GenerateRandomHex(32) + ";", + "id_token=" + rawIDToken + ";", + "refresh_token=" + pls.GenerateRandomHex(32), } + loggedInHeaders := map[string]string{"cookie": strings.Join(cookies, "; ")} t.Run("CheckRequest", func(t *testing.T) { -- cgit v1.2.3 From 4e3bfcf1e641d41cb7f02bad7a8fd8759e5fb6ad Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 23 May 2025 15:34:11 -0600 Subject: test: allow authenticated user the ability to create a new sparkle --- pkg/authz/server_test.go | 1 + 1 file changed, 1 insertion(+) (limited to 'pkg/authz/server_test.go') diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go index ffc00c5..6740eda 100644 --- a/pkg/authz/server_test.go +++ b/pkg/authz/server_test.go @@ -70,6 +70,7 @@ func TestServer(t *testing.T) { {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/logo.png"}}, {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/signout"}}, {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/sparkles"}}, + {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles/restore"}}, {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard"}}, {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles"}}, -- cgit v1.2.3 From 86ad4fe8bf4bfde9bbe31a63431a508f81032527 Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 23 May 2025 15:41:13 -0600 Subject: test: extract alias for HTTP Request --- pkg/authz/server_test.go | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) (limited to 'pkg/authz/server_test.go') diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go index 6740eda..c612146 100644 --- a/pkg/authz/server_test.go +++ b/pkg/authz/server_test.go @@ -18,6 +18,8 @@ import ( "google.golang.org/grpc/test/bufconn" ) +type HTTPRequest = auth.AttributeContext_HttpRequest + func TestServer(t *testing.T) { idp := web.NewOIDCServer(t) defer idp.Close() @@ -55,25 +57,25 @@ func TestServer(t *testing.T) { t.Run("CheckRequest", func(t *testing.T) { tt := []struct { - http *auth.AttributeContext_HttpRequest + http *HTTPRequest status codes.Code }{ - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/application.js"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/callback"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard/nav"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/favicon.ico"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/favicon.png"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/health"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/index.html"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/logo.png"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/signout"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/sparkles"}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, - {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles/restore"}}, - {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard"}}, - {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/application.js"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/callback"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/dashboard/nav"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.ico"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/health"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/index.html"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/logo.png"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/signout"}}, + {status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/sparkles"}}, + {status: codes.OK, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, + {status: codes.OK, http: &HTTPRequest{Method: "POST", Path: "/sparkles/restore"}}, + {status: codes.PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard"}}, + {status: codes.PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}}, } for _, example := range tt { -- cgit v1.2.3 From 15b1699b0ad27c9fc3aa4498d4085b7338bec95a Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 23 May 2025 16:08:15 -0600 Subject: feat: parse the body of the id token --- app/middleware/id_token_test.go | 1 - pkg/authz/check_service.go | 28 +++++++++++++++++++++++++++- pkg/authz/id_token.go | 40 ++++++++++++++++++++++++++++++++++++++++ pkg/authz/id_token_test.go | 30 ++++++++++++++++++++++++++++++ pkg/authz/server_test.go | 13 ++++++++----- 5 files changed, 105 insertions(+), 7 deletions(-) create mode 100644 pkg/authz/id_token.go create mode 100644 pkg/authz/id_token_test.go (limited to 'pkg/authz/server_test.go') diff --git a/app/middleware/id_token_test.go b/app/middleware/id_token_test.go index 5487ada..9d8521a 100644 --- a/app/middleware/id_token_test.go +++ b/app/middleware/id_token_test.go @@ -23,7 +23,6 @@ func TestIDToken(t *testing.T) { t.Run("when an active id_token cookie is provided", func(t *testing.T) { t.Run("attaches the token to the request context", func(t *testing.T) { user := mockoidc.DefaultUser() - _, rawIDToken := srv.CreateTokensFor(user) server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go index ff4e92a..3c4426a 100644 --- a/pkg/authz/check_service.go +++ b/pkg/authz/check_service.go @@ -2,6 +2,7 @@ package authz import ( "context" + "net/http" "strings" core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" @@ -9,6 +10,7 @@ import ( types "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/xlgmokha/x/pkg/log" "github.com/xlgmokha/x/pkg/x" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" status "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc/codes" ) @@ -66,7 +68,31 @@ func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) // TODO:: Replace this naive implementation func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) bool { - return x.IsPresent(r.Attributes.Request.Http.Headers["cookie"]) + rawCookie := r.Attributes.Request.Http.Headers["cookie"] + if x.IsPresent(rawCookie) { + cookies, err := http.ParseCookie(rawCookie) + if err != nil { + pls.LogError(ctx, err) + return false + } + idTokenCookie := x.Find(cookies, func(cookie *http.Cookie) bool { + return cookie.Name == "id_token" + }) + if x.IsZero(idTokenCookie) { + return false + } + segments := strings.SplitN(idTokenCookie.Value, ".", 3) + if len(segments) != 3 { + return false + } + idToken, err := NewIDToken(idTokenCookie.Value) + if err != nil { + pls.LogError(ctx, err) + return false + } + return x.IsPresent(idToken) + } + return false } func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse { diff --git a/pkg/authz/id_token.go b/pkg/authz/id_token.go new file mode 100644 index 0000000..b647161 --- /dev/null +++ b/pkg/authz/id_token.go @@ -0,0 +1,40 @@ +package authz + +import ( + "encoding/base64" + "encoding/json" + "errors" + "strings" + "time" +) + +type IDToken struct { + Audience []string `json:"aud"` + Email string `json:"email"` + EmailVerified bool `json:"email_verified"` + ExpiredAt int64 `json:"exp"` + IssuedAt int64 `json:"iat"` + Issuer string `json:"iss"` + Name string `json:"name"` + Nickname string `json:"nickname"` + Picture string `json:"picture"` + Subject string `json:"sub"` + UpdatedAt time.Time `json:"updated_at"` +} + +func NewIDToken(raw string) (*IDToken, error) { + sections := strings.SplitN(raw, ".", 3) + if len(sections) != 3 { + return nil, errors.New("Invalid token") + } + bytes, err := base64.RawURLEncoding.DecodeString(sections[1]) + if err != nil { + return nil, err + } + + token := &IDToken{} + if err := json.Unmarshal(bytes, token); err != nil { + return nil, err + } + return token, nil +} diff --git a/pkg/authz/id_token_test.go b/pkg/authz/id_token_test.go new file mode 100644 index 0000000..22aabc4 --- /dev/null +++ b/pkg/authz/id_token_test.go @@ -0,0 +1,30 @@ +package authz + +import ( + "testing" + + "github.com/oauth2-proxy/mockoidc" + "github.com/stretchr/testify/require" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web" +) + +func TestIDToken(t *testing.T) { + idp := web.NewOIDCServer(t) + defer idp.Close() + + t.Run("when the token is valid", func(t *testing.T) { + user := mockoidc.DefaultUser() + _, rawIDToken := idp.CreateTokensFor(user) + token, err := NewIDToken(rawIDToken) + + require.NoError(t, err) + require.NotNil(t, token) + }) + + t.Run("when the token is invalid", func(t *testing.T) { + token, err := NewIDToken("invalid") + + require.Error(t, err) + require.Nil(t, token) + }) +} diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go index c612146..e8f179e 100644 --- a/pkg/authz/server_test.go +++ b/pkg/authz/server_test.go @@ -47,13 +47,15 @@ func TestServer(t *testing.T) { user := mockoidc.DefaultUser() _, rawIDToken := idp.CreateTokensFor(user) - cookies := []string{ - "bearer_token=" + pls.GenerateRandomHex(32) + ";", - "id_token=" + rawIDToken + ";", - "refresh_token=" + pls.GenerateRandomHex(32), + loggedInHeaders := map[string]string{ + "cookie": strings.Join([]string{ + "bearer_token=" + pls.GenerateRandomHex(32), + "id_token=" + rawIDToken, + "refresh_token=" + pls.GenerateRandomHex(32), + }, "; "), } - loggedInHeaders := map[string]string{"cookie": strings.Join(cookies, "; ")} + invalidHeaders := map[string]string{"cookie": strings.Join([]string{"id_token=invalid"}, "; ")} t.Run("CheckRequest", func(t *testing.T) { tt := []struct { @@ -75,6 +77,7 @@ func TestServer(t *testing.T) { {status: codes.OK, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, {status: codes.OK, http: &HTTPRequest{Method: "POST", Path: "/sparkles/restore"}}, {status: codes.PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard"}}, + {status: codes.PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, {status: codes.PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}}, } -- cgit v1.2.3