2019-07-28 16:54:39 +03:00
|
|
|
package providers
|
|
|
|
|
|
|
|
|
|
import (
|
2020-05-05 18:53:33 +03:00
|
|
|
"context"
|
2020-12-12 23:57:32 +03:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
2019-07-28 16:54:39 +03:00
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
|
|
|
|
"net/url"
|
|
|
|
|
|
2020-09-29 19:44:42 +03:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
|
2020-12-12 23:57:32 +03:00
|
|
|
. "github.com/onsi/ginkgo"
|
|
|
|
|
. "github.com/onsi/ginkgo/extensions/table"
|
2020-05-25 15:08:04 +03:00
|
|
|
. "github.com/onsi/gomega"
|
2019-07-28 16:54:39 +03:00
|
|
|
)
|
|
|
|
|
|
2020-12-12 23:57:32 +03:00
|
|
|
const (
|
|
|
|
|
keycloakAccessToken = "eyJKeycloak.eyJAccess.Token"
|
|
|
|
|
keycloakUserinfoPath = "/api/v3/user"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func testKeycloakProvider(backend *httptest.Server) (*KeycloakProvider, error) {
|
2019-07-28 16:54:39 +03:00
|
|
|
p := NewKeycloakProvider(
|
|
|
|
|
&ProviderData{
|
|
|
|
|
ProviderName: "",
|
|
|
|
|
LoginURL: &url.URL{},
|
|
|
|
|
RedeemURL: &url.URL{},
|
|
|
|
|
ProfileURL: &url.URL{},
|
|
|
|
|
ValidateURL: &url.URL{},
|
|
|
|
|
Scope: ""})
|
|
|
|
|
|
2020-12-12 23:57:32 +03:00
|
|
|
if backend != nil {
|
|
|
|
|
bURL, err := url.Parse(backend.URL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
hostname := bURL.Host
|
2019-07-28 16:54:39 +03:00
|
|
|
|
|
|
|
|
updateURL(p.Data().LoginURL, hostname)
|
|
|
|
|
updateURL(p.Data().RedeemURL, hostname)
|
|
|
|
|
updateURL(p.Data().ProfileURL, hostname)
|
|
|
|
|
updateURL(p.Data().ValidateURL, hostname)
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-12 23:57:32 +03:00
|
|
|
return p, nil
|
|
|
|
|
}
|
2019-07-28 16:54:39 +03:00
|
|
|
|
2020-12-12 23:57:32 +03:00
|
|
|
var _ = Describe("Keycloak Provider Tests", func() {
|
2020-12-13 00:14:57 +03:00
|
|
|
Context("New Provider Init", func() {
|
|
|
|
|
It("uses defaults", func() {
|
|
|
|
|
providerData := NewKeycloakProvider(&ProviderData{}).Data()
|
|
|
|
|
Expect(providerData.ProviderName).To(Equal("Keycloak"))
|
|
|
|
|
Expect(providerData.LoginURL.String()).To(Equal("https://keycloak.org/oauth/authorize"))
|
|
|
|
|
Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak.org/oauth/token"))
|
|
|
|
|
Expect(providerData.ProfileURL.String()).To(Equal(""))
|
|
|
|
|
Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak.org/api/v3/user"))
|
|
|
|
|
Expect(providerData.Scope).To(Equal("api"))
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
It("overrides defaults", func() {
|
|
|
|
|
p := NewKeycloakProvider(
|
|
|
|
|
&ProviderData{
|
|
|
|
|
LoginURL: &url.URL{
|
|
|
|
|
Scheme: "https",
|
|
|
|
|
Host: "example.com",
|
|
|
|
|
Path: "/oauth/auth"},
|
|
|
|
|
RedeemURL: &url.URL{
|
|
|
|
|
Scheme: "https",
|
|
|
|
|
Host: "example.com",
|
|
|
|
|
Path: "/oauth/token"},
|
2020-12-13 00:22:15 +03:00
|
|
|
ProfileURL: &url.URL{
|
|
|
|
|
Scheme: "https",
|
|
|
|
|
Host: "example.com",
|
|
|
|
|
Path: "/api/v3/user"},
|
2020-12-13 00:14:57 +03:00
|
|
|
ValidateURL: &url.URL{
|
|
|
|
|
Scheme: "https",
|
|
|
|
|
Host: "example.com",
|
|
|
|
|
Path: "/api/v3/user"},
|
|
|
|
|
Scope: "profile"})
|
|
|
|
|
providerData := p.Data()
|
|
|
|
|
|
|
|
|
|
Expect(providerData.ProviderName).To(Equal("Keycloak"))
|
|
|
|
|
Expect(providerData.LoginURL.String()).To(Equal("https://example.com/oauth/auth"))
|
|
|
|
|
Expect(providerData.RedeemURL.String()).To(Equal("https://example.com/oauth/token"))
|
2020-12-13 00:22:15 +03:00
|
|
|
Expect(providerData.ProfileURL.String()).To(Equal("https://example.com/api/v3/user"))
|
2020-12-13 00:14:57 +03:00
|
|
|
Expect(providerData.ValidateURL.String()).To(Equal("https://example.com/api/v3/user"))
|
|
|
|
|
Expect(providerData.Scope).To(Equal("profile"))
|
|
|
|
|
})
|
2020-12-12 23:57:32 +03:00
|
|
|
})
|
|
|
|
|
|
2020-12-22 00:46:54 +03:00
|
|
|
Context("EnrichSession", func() {
|
|
|
|
|
type enrichSessionTableInput struct {
|
|
|
|
|
backendHandler http.HandlerFunc
|
|
|
|
|
expectedError error
|
|
|
|
|
expectedEmail string
|
|
|
|
|
expectedGroups []string
|
|
|
|
|
}
|
2020-12-12 23:57:32 +03:00
|
|
|
|
2020-12-22 00:46:54 +03:00
|
|
|
DescribeTable("should return expected results",
|
|
|
|
|
func(in enrichSessionTableInput) {
|
|
|
|
|
backend := httptest.NewServer(in.backendHandler)
|
|
|
|
|
p, err := testKeycloakProvider(backend)
|
|
|
|
|
Expect(err).To(BeNil())
|
2020-12-12 23:57:32 +03:00
|
|
|
|
2020-12-22 00:46:54 +03:00
|
|
|
p.ProfileURL, err = url.Parse(
|
|
|
|
|
fmt.Sprintf("%s%s", backend.URL, keycloakUserinfoPath),
|
|
|
|
|
)
|
|
|
|
|
Expect(err).To(BeNil())
|
2020-12-13 00:14:57 +03:00
|
|
|
|
2020-12-22 00:46:54 +03:00
|
|
|
session := &sessions.SessionState{AccessToken: keycloakAccessToken}
|
|
|
|
|
err = p.EnrichSession(context.Background(), session)
|
2020-12-13 00:14:57 +03:00
|
|
|
|
2020-12-22 00:46:54 +03:00
|
|
|
if in.expectedError != nil {
|
|
|
|
|
Expect(err).To(Equal(in.expectedError))
|
|
|
|
|
} else {
|
2020-12-12 23:57:32 +03:00
|
|
|
Expect(err).To(BeNil())
|
2020-12-22 00:46:54 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Expect(session.Email).To(Equal(in.expectedEmail))
|
|
|
|
|
|
|
|
|
|
if in.expectedGroups != nil {
|
|
|
|
|
Expect(session.Groups).To(Equal(in.expectedGroups))
|
|
|
|
|
} else {
|
|
|
|
|
Expect(session.Groups).To(BeNil())
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
Entry("email and multiple groups", enrichSessionTableInput{
|
|
|
|
|
backendHandler: func(w http.ResponseWriter, _ *http.Request) {
|
|
|
|
|
w.WriteHeader(200)
|
|
|
|
|
_, err := w.Write([]byte(`
|
|
|
|
|
{
|
|
|
|
|
"email": "michael.bland@gsa.gov",
|
|
|
|
|
"groups": [
|
|
|
|
|
"test-grp1",
|
|
|
|
|
"test-grp2"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
`))
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
2020-12-13 00:14:57 +03:00
|
|
|
}
|
2020-12-22 00:46:54 +03:00
|
|
|
},
|
|
|
|
|
expectedError: nil,
|
|
|
|
|
expectedEmail: "michael.bland@gsa.gov",
|
|
|
|
|
expectedGroups: []string{"test-grp1", "test-grp2"},
|
|
|
|
|
}),
|
|
|
|
|
Entry("email and single group", enrichSessionTableInput{
|
|
|
|
|
backendHandler: func(w http.ResponseWriter, _ *http.Request) {
|
|
|
|
|
w.WriteHeader(200)
|
|
|
|
|
_, err := w.Write([]byte(`
|
|
|
|
|
{
|
|
|
|
|
"email": "michael.bland@gsa.gov",
|
|
|
|
|
"groups": ["test-grp1"]
|
|
|
|
|
}
|
|
|
|
|
`))
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
2020-12-13 00:14:57 +03:00
|
|
|
}
|
|
|
|
|
},
|
2020-12-22 00:46:54 +03:00
|
|
|
expectedError: nil,
|
|
|
|
|
expectedEmail: "michael.bland@gsa.gov",
|
|
|
|
|
expectedGroups: []string{"test-grp1"},
|
|
|
|
|
}),
|
|
|
|
|
Entry("email and no groups", enrichSessionTableInput{
|
|
|
|
|
backendHandler: func(w http.ResponseWriter, _ *http.Request) {
|
|
|
|
|
w.WriteHeader(200)
|
|
|
|
|
_, err := w.Write([]byte(`
|
|
|
|
|
{
|
|
|
|
|
"email": "michael.bland@gsa.gov"
|
|
|
|
|
}
|
|
|
|
|
`))
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
expectedError: nil,
|
|
|
|
|
expectedEmail: "michael.bland@gsa.gov",
|
|
|
|
|
expectedGroups: nil,
|
|
|
|
|
}),
|
|
|
|
|
Entry("missing email", enrichSessionTableInput{
|
|
|
|
|
backendHandler: func(w http.ResponseWriter, _ *http.Request) {
|
|
|
|
|
w.WriteHeader(200)
|
|
|
|
|
_, err := w.Write([]byte(`
|
|
|
|
|
{
|
|
|
|
|
"groups": [
|
|
|
|
|
"test-grp1",
|
|
|
|
|
"test-grp2"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
`))
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
expectedError: errors.New(
|
|
|
|
|
"unable to extract email from userinfo endpoint: type assertion to string failed"),
|
|
|
|
|
expectedEmail: "",
|
|
|
|
|
expectedGroups: []string{"test-grp1", "test-grp2"},
|
|
|
|
|
}),
|
|
|
|
|
Entry("request failure", enrichSessionTableInput{
|
|
|
|
|
backendHandler: func(w http.ResponseWriter, _ *http.Request) {
|
|
|
|
|
w.WriteHeader(500)
|
|
|
|
|
},
|
|
|
|
|
expectedError: errors.New(`unexpected status "500": `),
|
|
|
|
|
expectedEmail: "",
|
|
|
|
|
expectedGroups: nil,
|
|
|
|
|
}),
|
|
|
|
|
)
|
2020-12-13 00:14:57 +03:00
|
|
|
})
|
|
|
|
|
})
|
