2020-10-08 21:40:56 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package manager
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"io/ioutil"
|
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
2020-11-05 01:06:47 +00:00
|
|
|
"net/url"
|
2020-10-08 21:40:56 +00:00
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/sclevine/spec"
|
|
|
|
"github.com/stretchr/testify/require"
|
2020-10-17 00:51:40 +00:00
|
|
|
"gopkg.in/square/go-jose.v2"
|
2020-10-08 21:40:56 +00:00
|
|
|
|
2020-10-17 00:51:40 +00:00
|
|
|
"go.pinniped.dev/internal/here"
|
2020-10-08 21:40:56 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
|
|
|
"go.pinniped.dev/internal/oidc/discovery"
|
2020-10-17 00:51:40 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/jwks"
|
2020-11-20 01:57:07 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/oidctestutil"
|
2020-10-08 21:40:56 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestManager(t *testing.T) {
|
|
|
|
spec.Run(t, "ServeHTTP", func(t *testing.T, when spec.G, it spec.S) {
|
2020-10-17 00:51:40 +00:00
|
|
|
var (
|
|
|
|
r *require.Assertions
|
|
|
|
subject *Manager
|
|
|
|
nextHandler http.HandlerFunc
|
|
|
|
fallbackHandlerWasCalled bool
|
|
|
|
dynamicJWKSProvider jwks.DynamicJWKSProvider
|
|
|
|
)
|
|
|
|
|
2020-11-05 01:06:47 +00:00
|
|
|
const (
|
|
|
|
issuer1 = "https://example.com/some/path"
|
|
|
|
issuer1DifferentCaseHostname = "https://eXamPle.coM/some/path"
|
|
|
|
issuer1KeyID = "issuer1-key"
|
|
|
|
issuer2 = "https://example.com/some/path/more/deeply/nested/path" // note that this is a sub-path of the other issuer url
|
|
|
|
issuer2DifferentCaseHostname = "https://exAmPlE.Com/some/path/more/deeply/nested/path"
|
|
|
|
issuer2KeyID = "issuer2-key"
|
|
|
|
upstreamIDPAuthorizationURL = "https://test-upstream.com/auth"
|
2020-11-20 15:42:43 +00:00
|
|
|
downstreamRedirectURL = "http://127.0.0.1:12345/callback"
|
2020-11-05 01:06:47 +00:00
|
|
|
)
|
2020-10-08 21:40:56 +00:00
|
|
|
|
|
|
|
newGetRequest := func(url string) *http.Request {
|
|
|
|
return httptest.NewRequest(http.MethodGet, url, nil)
|
|
|
|
}
|
|
|
|
|
2020-10-23 23:25:44 +00:00
|
|
|
requireDiscoveryRequestToBeHandled := func(requestIssuer, requestURLSuffix, expectedIssuerInResponse string) {
|
2020-10-08 21:40:56 +00:00
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
2020-10-23 23:25:44 +00:00
|
|
|
subject.ServeHTTP(recorder, newGetRequest(requestIssuer+oidc.WellKnownEndpointPath+requestURLSuffix))
|
2020-10-08 21:40:56 +00:00
|
|
|
|
2020-10-17 00:51:40 +00:00
|
|
|
r.False(fallbackHandlerWasCalled)
|
|
|
|
|
2020-11-05 01:06:47 +00:00
|
|
|
// Minimal check to ensure that the right discovery endpoint was called
|
2020-10-08 21:40:56 +00:00
|
|
|
r.Equal(http.StatusOK, recorder.Code)
|
|
|
|
responseBody, err := ioutil.ReadAll(recorder.Body)
|
|
|
|
r.NoError(err)
|
|
|
|
parsedDiscoveryResult := discovery.Metadata{}
|
|
|
|
err = json.Unmarshal(responseBody, &parsedDiscoveryResult)
|
|
|
|
r.NoError(err)
|
2020-10-23 23:25:44 +00:00
|
|
|
r.Equal(expectedIssuerInResponse, parsedDiscoveryResult.Issuer)
|
2020-10-08 21:40:56 +00:00
|
|
|
}
|
|
|
|
|
2020-11-05 01:06:47 +00:00
|
|
|
requireAuthorizationRequestToBeHandled := func(requestIssuer, requestURLSuffix, expectedRedirectLocationPrefix string) {
|
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
|
|
|
subject.ServeHTTP(recorder, newGetRequest(requestIssuer+oidc.AuthorizationEndpointPath+requestURLSuffix))
|
|
|
|
|
|
|
|
r.False(fallbackHandlerWasCalled)
|
|
|
|
|
|
|
|
// Minimal check to ensure that the right endpoint was called
|
|
|
|
r.Equal(http.StatusFound, recorder.Code)
|
|
|
|
actualLocation := recorder.Header().Get("Location")
|
|
|
|
r.True(
|
|
|
|
strings.HasPrefix(actualLocation, expectedRedirectLocationPrefix),
|
|
|
|
"actual location %s did not start with expected prefix %s",
|
|
|
|
actualLocation, expectedRedirectLocationPrefix,
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2020-11-20 15:42:43 +00:00
|
|
|
requireCallbackRequestToBeHandled := func(requestIssuer, requestURLSuffix string) {
|
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
|
|
|
subject.ServeHTTP(recorder, newGetRequest(requestIssuer+oidc.CallbackEndpointPath+requestURLSuffix))
|
|
|
|
|
|
|
|
r.False(fallbackHandlerWasCalled)
|
|
|
|
|
|
|
|
// Minimal check to ensure that the right endpoint was called - when we don't send a CSRF
|
|
|
|
// cookie to the callback endpoint, the callback endpoint responds with a 403.
|
|
|
|
r.Equal(http.StatusForbidden, recorder.Code)
|
|
|
|
}
|
|
|
|
|
2020-10-17 00:51:40 +00:00
|
|
|
requireJWKSRequestToBeHandled := func(requestIssuer, requestURLSuffix, expectedJWKKeyID string) {
|
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
|
|
|
subject.ServeHTTP(recorder, newGetRequest(requestIssuer+oidc.JWKSEndpointPath+requestURLSuffix))
|
|
|
|
|
|
|
|
r.False(fallbackHandlerWasCalled)
|
|
|
|
|
2020-11-05 01:06:47 +00:00
|
|
|
// Minimal check to ensure that the right JWKS endpoint was called
|
2020-10-17 00:51:40 +00:00
|
|
|
r.Equal(http.StatusOK, recorder.Code)
|
|
|
|
responseBody, err := ioutil.ReadAll(recorder.Body)
|
|
|
|
r.NoError(err)
|
|
|
|
parsedJWKSResult := jose.JSONWebKeySet{}
|
|
|
|
err = json.Unmarshal(responseBody, &parsedJWKSResult)
|
|
|
|
r.NoError(err)
|
|
|
|
r.Equal(expectedJWKKeyID, parsedJWKSResult.Keys[0].KeyID)
|
|
|
|
}
|
|
|
|
|
2020-10-08 21:40:56 +00:00
|
|
|
it.Before(func() {
|
|
|
|
r = require.New(t)
|
|
|
|
nextHandler = func(http.ResponseWriter, *http.Request) {
|
|
|
|
fallbackHandlerWasCalled = true
|
|
|
|
}
|
2020-10-17 00:51:40 +00:00
|
|
|
dynamicJWKSProvider = jwks.NewDynamicJWKSProvider()
|
2020-11-05 01:06:47 +00:00
|
|
|
|
|
|
|
parsedUpstreamIDPAuthorizationURL, err := url.Parse(upstreamIDPAuthorizationURL)
|
|
|
|
r.NoError(err)
|
2020-11-20 01:57:07 +00:00
|
|
|
idpListGetter := oidctestutil.NewIDPListGetter(&oidctestutil.TestUpstreamOIDCIdentityProvider{
|
2020-11-18 21:38:13 +00:00
|
|
|
Name: "test-idp",
|
|
|
|
ClientID: "test-client-id",
|
|
|
|
AuthorizationURL: *parsedUpstreamIDPAuthorizationURL,
|
|
|
|
Scopes: []string{"test-scope"},
|
2020-11-05 01:06:47 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
subject = NewManager(nextHandler, dynamicJWKSProvider, idpListGetter)
|
2020-10-08 21:40:56 +00:00
|
|
|
})
|
|
|
|
|
2020-10-17 00:51:40 +00:00
|
|
|
when("given no providers via SetProviders()", func() {
|
2020-10-08 21:40:56 +00:00
|
|
|
it("sends all requests to the nextHandler", func() {
|
|
|
|
r.False(fallbackHandlerWasCalled)
|
|
|
|
subject.ServeHTTP(httptest.NewRecorder(), newGetRequest("/anything"))
|
|
|
|
r.True(fallbackHandlerWasCalled)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-10-17 00:51:40 +00:00
|
|
|
newTestJWK := func(keyID string) jose.JSONWebKey {
|
|
|
|
testJWKSJSONString := here.Docf(`
|
|
|
|
{
|
|
|
|
"use": "sig",
|
|
|
|
"kty": "EC",
|
|
|
|
"kid": "%s",
|
|
|
|
"crv": "P-256",
|
|
|
|
"alg": "ES256",
|
|
|
|
"x": "awmmj6CIMhSoJyfsqH7sekbTeY72GGPLEy16tPWVz2U",
|
|
|
|
"y": "FcMh06uXLaq9b2MOixlLVidUkycO1u7IHOkrTi7N0aw"
|
|
|
|
}
|
|
|
|
`, keyID)
|
|
|
|
k := jose.JSONWebKey{}
|
|
|
|
r.NoError(json.Unmarshal([]byte(testJWKSJSONString), &k))
|
|
|
|
return k
|
|
|
|
}
|
2020-10-08 21:40:56 +00:00
|
|
|
|
2020-11-05 01:06:47 +00:00
|
|
|
requireRoutesMatchingRequestsToAppropriateProvider := func() {
|
|
|
|
requireDiscoveryRequestToBeHandled(issuer1, "", issuer1)
|
|
|
|
requireDiscoveryRequestToBeHandled(issuer2, "", issuer2)
|
|
|
|
requireDiscoveryRequestToBeHandled(issuer2, "?some=query", issuer2)
|
|
|
|
|
|
|
|
// Hostnames are case-insensitive, so test that we can handle that.
|
|
|
|
requireDiscoveryRequestToBeHandled(issuer1DifferentCaseHostname, "", issuer1)
|
|
|
|
requireDiscoveryRequestToBeHandled(issuer2DifferentCaseHostname, "", issuer2)
|
|
|
|
requireDiscoveryRequestToBeHandled(issuer2DifferentCaseHostname, "?some=query", issuer2)
|
|
|
|
|
|
|
|
requireJWKSRequestToBeHandled(issuer1, "", issuer1KeyID)
|
|
|
|
requireJWKSRequestToBeHandled(issuer2, "", issuer2KeyID)
|
|
|
|
requireJWKSRequestToBeHandled(issuer2, "?some=query", issuer2KeyID)
|
|
|
|
|
|
|
|
// Hostnames are case-insensitive, so test that we can handle that.
|
|
|
|
requireJWKSRequestToBeHandled(issuer1DifferentCaseHostname, "", issuer1KeyID)
|
|
|
|
requireJWKSRequestToBeHandled(issuer2DifferentCaseHostname, "", issuer2KeyID)
|
|
|
|
requireJWKSRequestToBeHandled(issuer2DifferentCaseHostname, "?some=query", issuer2KeyID)
|
|
|
|
|
|
|
|
authRequestParams := "?" + url.Values{
|
|
|
|
"response_type": []string{"code"},
|
|
|
|
"scope": []string{"openid profile email"},
|
|
|
|
"client_id": []string{"pinniped-cli"},
|
|
|
|
"state": []string{"some-state-value"},
|
|
|
|
"nonce": []string{"some-nonce-value"},
|
|
|
|
"code_challenge": []string{"some-challenge"},
|
|
|
|
"code_challenge_method": []string{"S256"},
|
2020-11-20 15:42:43 +00:00
|
|
|
"redirect_uri": []string{downstreamRedirectURL},
|
2020-11-05 01:06:47 +00:00
|
|
|
}.Encode()
|
|
|
|
|
|
|
|
requireAuthorizationRequestToBeHandled(issuer1, authRequestParams, upstreamIDPAuthorizationURL)
|
|
|
|
requireAuthorizationRequestToBeHandled(issuer2, authRequestParams, upstreamIDPAuthorizationURL)
|
|
|
|
|
|
|
|
// Hostnames are case-insensitive, so test that we can handle that.
|
|
|
|
requireAuthorizationRequestToBeHandled(issuer1DifferentCaseHostname, authRequestParams, upstreamIDPAuthorizationURL)
|
|
|
|
requireAuthorizationRequestToBeHandled(issuer2DifferentCaseHostname, authRequestParams, upstreamIDPAuthorizationURL)
|
2020-11-20 15:42:43 +00:00
|
|
|
|
|
|
|
callbackRequestParams := "?" + url.Values{
|
|
|
|
"code": []string{"some-code"},
|
|
|
|
"state": []string{"some-state-value"},
|
|
|
|
}.Encode()
|
|
|
|
|
|
|
|
requireCallbackRequestToBeHandled(issuer1, callbackRequestParams)
|
|
|
|
requireCallbackRequestToBeHandled(issuer2, callbackRequestParams)
|
|
|
|
|
|
|
|
// // Hostnames are case-insensitive, so test that we can handle that.
|
|
|
|
requireCallbackRequestToBeHandled(issuer1DifferentCaseHostname, callbackRequestParams)
|
|
|
|
requireCallbackRequestToBeHandled(issuer2DifferentCaseHostname, callbackRequestParams)
|
2020-11-05 01:06:47 +00:00
|
|
|
}
|
|
|
|
|
2020-10-17 00:51:40 +00:00
|
|
|
when("given some valid providers via SetProviders()", func() {
|
2020-10-08 21:40:56 +00:00
|
|
|
it.Before(func() {
|
|
|
|
p1, err := provider.NewOIDCProvider(issuer1)
|
|
|
|
r.NoError(err)
|
|
|
|
p2, err := provider.NewOIDCProvider(issuer2)
|
|
|
|
r.NoError(err)
|
|
|
|
subject.SetProviders(p1, p2)
|
2020-10-17 00:51:40 +00:00
|
|
|
|
|
|
|
dynamicJWKSProvider.SetIssuerToJWKSMap(map[string]*jose.JSONWebKeySet{
|
|
|
|
issuer1: {Keys: []jose.JSONWebKey{newTestJWK(issuer1KeyID)}},
|
|
|
|
issuer2: {Keys: []jose.JSONWebKey{newTestJWK(issuer2KeyID)}},
|
|
|
|
})
|
2020-10-08 21:40:56 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
it("sends all non-matching host requests to the nextHandler", func() {
|
|
|
|
r.False(fallbackHandlerWasCalled)
|
2020-11-05 01:06:47 +00:00
|
|
|
wrongHostURL := strings.ReplaceAll(issuer1+oidc.WellKnownEndpointPath, "example.com", "wrong-host.com")
|
|
|
|
subject.ServeHTTP(httptest.NewRecorder(), newGetRequest(wrongHostURL))
|
2020-10-08 21:40:56 +00:00
|
|
|
r.True(fallbackHandlerWasCalled)
|
|
|
|
})
|
|
|
|
|
|
|
|
it("sends all non-matching path requests to the nextHandler", func() {
|
|
|
|
r.False(fallbackHandlerWasCalled)
|
|
|
|
subject.ServeHTTP(httptest.NewRecorder(), newGetRequest("https://example.com/path-does-not-match-any-provider"))
|
|
|
|
r.True(fallbackHandlerWasCalled)
|
|
|
|
})
|
|
|
|
|
|
|
|
it("sends requests which match the issuer prefix but do not match any of that provider's known paths to the nextHandler", func() {
|
|
|
|
r.False(fallbackHandlerWasCalled)
|
|
|
|
subject.ServeHTTP(httptest.NewRecorder(), newGetRequest(issuer1+"/unhandled-sub-path"))
|
|
|
|
r.True(fallbackHandlerWasCalled)
|
|
|
|
})
|
|
|
|
|
|
|
|
it("routes matching requests to the appropriate provider", func() {
|
2020-11-05 01:06:47 +00:00
|
|
|
requireRoutesMatchingRequestsToAppropriateProvider()
|
2020-10-08 21:40:56 +00:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-10-17 00:51:40 +00:00
|
|
|
when("given the same valid providers as arguments to SetProviders() in reverse order", func() {
|
2020-10-08 21:40:56 +00:00
|
|
|
it.Before(func() {
|
|
|
|
p1, err := provider.NewOIDCProvider(issuer1)
|
|
|
|
r.NoError(err)
|
|
|
|
p2, err := provider.NewOIDCProvider(issuer2)
|
|
|
|
r.NoError(err)
|
|
|
|
subject.SetProviders(p2, p1)
|
2020-10-17 00:51:40 +00:00
|
|
|
|
|
|
|
dynamicJWKSProvider.SetIssuerToJWKSMap(map[string]*jose.JSONWebKeySet{
|
|
|
|
issuer1: {Keys: []jose.JSONWebKey{newTestJWK(issuer1KeyID)}},
|
|
|
|
issuer2: {Keys: []jose.JSONWebKey{newTestJWK(issuer2KeyID)}},
|
|
|
|
})
|
2020-10-08 21:40:56 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
it("still routes matching requests to the appropriate provider", func() {
|
2020-11-05 01:06:47 +00:00
|
|
|
requireRoutesMatchingRequestsToAppropriateProvider()
|
2020-10-08 21:40:56 +00:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|