oauth2-proxy/providers/keycloak_test.go

package providers

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/ginkgo/extensions/table"
	. "github.com/onsi/gomega"
)

const (
	keycloakAccessToken  = "eyJKeycloak.eyJAccess.Token"
	keycloakUserinfoPath = "/api/v3/user"

	// Userinfo Test Cases querystring toggles
	tcUIStandard      = "userinfo-standard"
	tcUIFail          = "userinfo-fail"
	tcUISingleGroup   = "userinfo-single-group"
	tcUIMissingEmail  = "userinfo-missing-email"
	tcUIMissingGroups = "userinfo-missing-groups"
)

func testKeycloakProvider(backend *httptest.Server) (*KeycloakProvider, error) {
	p := NewKeycloakProvider(
		&ProviderData{
			ProviderName: "",
			LoginURL:     &url.URL{},
			RedeemURL:    &url.URL{},
			ProfileURL:   &url.URL{},
			ValidateURL:  &url.URL{},
			Scope:        ""})

	if backend != nil {
		bURL, err := url.Parse(backend.URL)
		if err != nil {
			return nil, err
		}
		hostname := bURL.Host

		updateURL(p.Data().LoginURL, hostname)
		updateURL(p.Data().RedeemURL, hostname)
		updateURL(p.Data().ProfileURL, hostname)
		updateURL(p.Data().ValidateURL, hostname)
	}

	return p, nil
}

func testKeycloakBackend() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			if r.URL.Path != keycloakUserinfoPath {
				w.WriteHeader(404)
			}

			var err error
			switch r.URL.Query().Get("testcase") {
			case tcUIStandard:
				w.WriteHeader(200)
				_, err = w.Write([]byte(`
					{
						"email": "michael.bland@gsa.gov",
						"groups": [
							"test-grp1",
							"test-grp2"
						]
					}
				`))
			case tcUIFail:
				w.WriteHeader(500)
			case tcUISingleGroup:
				w.WriteHeader(200)
				_, err = w.Write([]byte(`
					{
						"email": "michael.bland@gsa.gov",
						"groups": ["test-grp1"]
					}
				`))
			case tcUIMissingEmail:
				w.WriteHeader(200)
				_, err = w.Write([]byte(`
					{
						"groups": [
							"test-grp1",
							"test-grp2"
						]
					}
				`))
			case tcUIMissingGroups:
				w.WriteHeader(200)
				_, err = w.Write([]byte(`
					{
						"email": "michael.bland@gsa.gov"
					}
				`))
			default:
				w.WriteHeader(404)
			}
			if err != nil {
				panic(err)
			}
		}))
}

var _ = Describe("Keycloak Provider Tests", func() {
	Context("New Provider Init", func() {
		It("uses defaults", func() {
			providerData := NewKeycloakProvider(&ProviderData{}).Data()
			Expect(providerData.ProviderName).To(Equal("Keycloak"))
			Expect(providerData.LoginURL.String()).To(Equal("https://keycloak.org/oauth/authorize"))
			Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak.org/oauth/token"))
			Expect(providerData.ProfileURL.String()).To(Equal(""))
			Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak.org/api/v3/user"))
			Expect(providerData.Scope).To(Equal("api"))
		})

		It("overrides defaults", func() {
			p := NewKeycloakProvider(
				&ProviderData{
					LoginURL: &url.URL{
						Scheme: "https",
						Host:   "example.com",
						Path:   "/oauth/auth"},
					RedeemURL: &url.URL{
						Scheme: "https",
						Host:   "example.com",
						Path:   "/oauth/token"},
					ProfileURL: &url.URL{
						Scheme: "https",
						Host:   "example.com",
						Path:   "/api/v3/user"},
					ValidateURL: &url.URL{
						Scheme: "https",
						Host:   "example.com",
						Path:   "/api/v3/user"},
					Scope: "profile"})
			providerData := p.Data()

			Expect(providerData.ProviderName).To(Equal("Keycloak"))
			Expect(providerData.LoginURL.String()).To(Equal("https://example.com/oauth/auth"))
			Expect(providerData.RedeemURL.String()).To(Equal("https://example.com/oauth/token"))
			Expect(providerData.ProfileURL.String()).To(Equal("https://example.com/api/v3/user"))
			Expect(providerData.ValidateURL.String()).To(Equal("https://example.com/api/v3/user"))
			Expect(providerData.Scope).To(Equal("profile"))
		})
	})

	Context("With a test HTTP Server & Provider", func() {
		var p *KeycloakProvider
		var b *httptest.Server

		BeforeEach(func() {
			b = testKeycloakBackend()

			var err error
			p, err = testKeycloakProvider(b)
			Expect(err).To(BeNil())
		})

		AfterEach(func() {
			b.Close()
		})

		Context("EnrichSession", func() {
			type enrichSessionTableInput struct {
				testcase       string
				expectedError  error
				expectedEmail  string
				expectedGroups []string
			}

			DescribeTable("should return expected results",
				func(in enrichSessionTableInput) {
					var err error
					p.ProfileURL, err = url.Parse(
						fmt.Sprintf("%s%s?testcase=%s", b.URL, keycloakUserinfoPath, in.testcase),
					)
					Expect(err).To(BeNil())

					session := &sessions.SessionState{AccessToken: keycloakAccessToken}
					err = p.EnrichSession(context.Background(), session)

					if in.expectedError != nil {
						Expect(err).To(Equal(in.expectedError))
					} else {
						Expect(err).To(BeNil())
					}

					Expect(session.Email).To(Equal(in.expectedEmail))

					if in.expectedGroups != nil {
						Expect(session.Groups).To(Equal(in.expectedGroups))
					} else {
						Expect(session.Groups).To(BeNil())
					}
				},
				Entry("email and multiple groups", enrichSessionTableInput{
					testcase:       tcUIStandard,
					expectedError:  nil,
					expectedEmail:  "michael.bland@gsa.gov",
					expectedGroups: []string{"test-grp1", "test-grp2"},
				}),
				Entry("email and single group", enrichSessionTableInput{
					testcase:       tcUISingleGroup,
					expectedError:  nil,
					expectedEmail:  "michael.bland@gsa.gov",
					expectedGroups: []string{"test-grp1"},
				}),
				Entry("email and no groups", enrichSessionTableInput{
					testcase:       tcUIMissingGroups,
					expectedError:  nil,
					expectedEmail:  "michael.bland@gsa.gov",
					expectedGroups: nil,
				}),
				Entry("missing email", enrichSessionTableInput{
					testcase: tcUIMissingEmail,
					expectedError: errors.New(
						"unable to extract email from userinfo endpoint: type assertion to string failed"),
					expectedEmail:  "",
					expectedGroups: []string{"test-grp1", "test-grp2"},
				}),
				Entry("request failure", enrichSessionTableInput{
					testcase:       tcUIFail,
					expectedError:  errors.New(`unexpected status "500": `),
					expectedEmail:  "",
					expectedGroups: nil,
				}),
			)
		})
	})
})
Add keycloak provider 2019-07-28 16:54:39 +03:00			`package providers`

			`import (`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-05 18:53:33 +03:00			`"context"`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`"errors"`
			`"fmt"`
Add keycloak provider 2019-07-28 16:54:39 +03:00			`"net/http"`
			`"net/http/httptest"`
			`"net/url"`

Fix import path for v7 (#800) * fix import path for v7 find ./ -name ".go" \| xargs sed -i -e 's\|"github.com/oauth2-proxy/oauth2-proxy\|"github.com/oauth2-proxy/oauth2-proxy/v7\|' fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-09-29 19:44:42 +03:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`. "github.com/onsi/ginkgo"`
			`. "github.com/onsi/ginkgo/extensions/table"`
Move provider URLs to package level vars 2020-05-25 15:08:04 +03:00			`. "github.com/onsi/gomega"`
Add keycloak provider 2019-07-28 16:54:39 +03:00			`)`

Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`const (`
			`keycloakAccessToken = "eyJKeycloak.eyJAccess.Token"`
			`keycloakUserinfoPath = "/api/v3/user"`

Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`// Userinfo Test Cases querystring toggles`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`tcUIStandard = "userinfo-standard"`
			`tcUIFail = "userinfo-fail"`
			`tcUISingleGroup = "userinfo-single-group"`
			`tcUIMissingEmail = "userinfo-missing-email"`
			`tcUIMissingGroups = "userinfo-missing-groups"`
			`)`

			`func testKeycloakProvider(backend httptest.Server) (KeycloakProvider, error) {`
Add keycloak provider 2019-07-28 16:54:39 +03:00			`p := NewKeycloakProvider(`
			`&ProviderData{`
			`ProviderName: "",`
			`LoginURL: &url.URL{},`
			`RedeemURL: &url.URL{},`
			`ProfileURL: &url.URL{},`
			`ValidateURL: &url.URL{},`
			`Scope: ""})`

Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`if backend != nil {`
			`bURL, err := url.Parse(backend.URL)`
			`if err != nil {`
			`return nil, err`
			`}`
			`hostname := bURL.Host`
Add keycloak provider 2019-07-28 16:54:39 +03:00
			`updateURL(p.Data().LoginURL, hostname)`
			`updateURL(p.Data().RedeemURL, hostname)`
			`updateURL(p.Data().ProfileURL, hostname)`
			`updateURL(p.Data().ValidateURL, hostname)`
			`}`

Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`return p, nil`
			`}`
Add keycloak provider 2019-07-28 16:54:39 +03:00
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`func testKeycloakBackend() *httptest.Server {`
Add keycloak provider 2019-07-28 16:54:39 +03:00			`return httptest.NewServer(http.HandlerFunc(`
			`func(w http.ResponseWriter, r *http.Request) {`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`if r.URL.Path != keycloakUserinfoPath {`
Add keycloak provider 2019-07-28 16:54:39 +03:00			`w.WriteHeader(404)`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`}`

			`var err error`
			`switch r.URL.Query().Get("testcase") {`
			`case tcUIStandard:`
			`w.WriteHeader(200)`
			_, err = w.Write([]byte(`
			`{`
			`"email": "michael.bland@gsa.gov",`
			`"groups": [`
			`"test-grp1",`
			`"test-grp2"`
			`]`
			`}`
			`))
			`case tcUIFail:`
			`w.WriteHeader(500)`
			`case tcUISingleGroup:`
			`w.WriteHeader(200)`
			_, err = w.Write([]byte(`
			`{`
			`"email": "michael.bland@gsa.gov",`
			`"groups": ["test-grp1"]`
			`}`
			`))
			`case tcUIMissingEmail:`
			`w.WriteHeader(200)`
			_, err = w.Write([]byte(`
			`{`
			`"groups": [`
			`"test-grp1",`
			`"test-grp2"`
			`]`
			`}`
			`))
			`case tcUIMissingGroups:`
Add keycloak provider 2019-07-28 16:54:39 +03:00			`w.WriteHeader(200)`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			_, err = w.Write([]byte(`
			`{`
			`"email": "michael.bland@gsa.gov"`
			`}`
			`))
			`default:`
			`w.WriteHeader(404)`
			`}`
			`if err != nil {`
			`panic(err)`
Add keycloak provider 2019-07-28 16:54:39 +03:00			`}`
			`}))`
			`}`

Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`var _ = Describe("Keycloak Provider Tests", func() {`
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`Context("New Provider Init", func() {`
			`It("uses defaults", func() {`
			`providerData := NewKeycloakProvider(&ProviderData{}).Data()`
			`Expect(providerData.ProviderName).To(Equal("Keycloak"))`
			`Expect(providerData.LoginURL.String()).To(Equal("https://keycloak.org/oauth/authorize"))`
			`Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak.org/oauth/token"))`
			`Expect(providerData.ProfileURL.String()).To(Equal(""))`
			`Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak.org/api/v3/user"))`
			`Expect(providerData.Scope).To(Equal("api"))`
			`})`

			`It("overrides defaults", func() {`
			`p := NewKeycloakProvider(`
			`&ProviderData{`
			`LoginURL: &url.URL{`
			`Scheme: "https",`
			`Host: "example.com",`
			`Path: "/oauth/auth"},`
			`RedeemURL: &url.URL{`
			`Scheme: "https",`
			`Host: "example.com",`
			`Path: "/oauth/token"},`
Use ProfileURL for userinfo EnrichSession calls in Keycloak 2020-12-13 00:22:15 +03:00			`ProfileURL: &url.URL{`
			`Scheme: "https",`
			`Host: "example.com",`
			`Path: "/api/v3/user"},`
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`ValidateURL: &url.URL{`
			`Scheme: "https",`
			`Host: "example.com",`
			`Path: "/api/v3/user"},`
			`Scope: "profile"})`
			`providerData := p.Data()`

			`Expect(providerData.ProviderName).To(Equal("Keycloak"))`
			`Expect(providerData.LoginURL.String()).To(Equal("https://example.com/oauth/auth"))`
			`Expect(providerData.RedeemURL.String()).To(Equal("https://example.com/oauth/token"))`
Use ProfileURL for userinfo EnrichSession calls in Keycloak 2020-12-13 00:22:15 +03:00			`Expect(providerData.ProfileURL.String()).To(Equal("https://example.com/api/v3/user"))`
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`Expect(providerData.ValidateURL.String()).To(Equal("https://example.com/api/v3/user"))`
			`Expect(providerData.Scope).To(Equal("profile"))`
			`})`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`})`

Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`Context("With a test HTTP Server & Provider", func() {`
			`var p *KeycloakProvider`
			`var b *httptest.Server`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`BeforeEach(func() {`
			`b = testKeycloakBackend()`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`var err error`
			`p, err = testKeycloakProvider(b)`
			`Expect(err).To(BeNil())`
			`})`

			`AfterEach(func() {`
			`b.Close()`
			`})`

			`Context("EnrichSession", func() {`
			`type enrichSessionTableInput struct {`
			`testcase string`
			`expectedError error`
			`expectedEmail string`
			`expectedGroups []string`
			`}`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`DescribeTable("should return expected results",`
			`func(in enrichSessionTableInput) {`
			`var err error`
Use ProfileURL for userinfo EnrichSession calls in Keycloak 2020-12-13 00:22:15 +03:00			`p.ProfileURL, err = url.Parse(`
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`fmt.Sprintf("%s%s?testcase=%s", b.URL, keycloakUserinfoPath, in.testcase),`
			`)`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 23:57:32 +03:00			`Expect(err).To(BeNil())`

Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`session := &sessions.SessionState{AccessToken: keycloakAccessToken}`
			`err = p.EnrichSession(context.Background(), session)`
Add keycloak provider 2019-07-28 16:54:39 +03:00
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`if in.expectedError != nil {`
			`Expect(err).To(Equal(in.expectedError))`
			`} else {`
			`Expect(err).To(BeNil())`
			`}`
Move provider URLs to package level vars 2020-05-25 15:08:04 +03:00
Move all Keycloak unit tests to Ginkgo 2020-12-13 00:14:57 +03:00			`Expect(session.Email).To(Equal(in.expectedEmail))`

			`if in.expectedGroups != nil {`
			`Expect(session.Groups).To(Equal(in.expectedGroups))`
			`} else {`
			`Expect(session.Groups).To(BeNil())`
			`}`
			`},`
			`Entry("email and multiple groups", enrichSessionTableInput{`
			`testcase: tcUIStandard,`
			`expectedError: nil,`
			`expectedEmail: "michael.bland@gsa.gov",`
			`expectedGroups: []string{"test-grp1", "test-grp2"},`
			`}),`
			`Entry("email and single group", enrichSessionTableInput{`
			`testcase: tcUISingleGroup,`
			`expectedError: nil,`
			`expectedEmail: "michael.bland@gsa.gov",`
			`expectedGroups: []string{"test-grp1"},`
			`}),`
			`Entry("email and no groups", enrichSessionTableInput{`
			`testcase: tcUIMissingGroups,`
			`expectedError: nil,`
			`expectedEmail: "michael.bland@gsa.gov",`
			`expectedGroups: nil,`
			`}),`
			`Entry("missing email", enrichSessionTableInput{`
			`testcase: tcUIMissingEmail,`
			`expectedError: errors.New(`
			`"unable to extract email from userinfo endpoint: type assertion to string failed"),`
			`expectedEmail: "",`
			`expectedGroups: []string{"test-grp1", "test-grp2"},`
			`}),`
			`Entry("request failure", enrichSessionTableInput{`
			`testcase: tcUIFail,`
			expectedError: errors.New(`unexpected status "500": `),
			`expectedEmail: "",`
			`expectedGroups: nil,`
			`}),`
			`)`
			`})`
			`})`
			`})`