mirror of
https://github.com/1f349/lavender.git
synced 2024-09-19 18:16:26 +01:00
443 lines
14 KiB
Go
443 lines
14 KiB
Go
package server
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"errors"
|
|
"fmt"
|
|
"github.com/1f349/cache"
|
|
"github.com/1f349/lavender/issuer"
|
|
"github.com/1f349/lavender/server/pages"
|
|
"github.com/1f349/lavender/utils"
|
|
"github.com/1f349/mjwt"
|
|
"github.com/google/uuid"
|
|
"github.com/julienschmidt/httprouter"
|
|
"github.com/stretchr/testify/assert"
|
|
"golang.org/x/oauth2"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
"unicode"
|
|
)
|
|
|
|
const lavenderDomain = "http://localhost:0"
|
|
const clientAppDomain = "http://localhost:1"
|
|
const loginDomain = "http://localhost:2"
|
|
|
|
var clientAppMeta AllowedClient
|
|
|
|
var testSigner mjwt.Signer
|
|
|
|
var testOidc = &issuer.WellKnownOIDC{
|
|
Config: issuer.SsoConfig{
|
|
Addr: utils.JsonUrl{},
|
|
Namespace: "example.com",
|
|
Client: issuer.SsoConfigClient{
|
|
ID: "test-id",
|
|
Secret: "test-secret",
|
|
Scopes: []string{"openid"},
|
|
},
|
|
},
|
|
Issuer: "https://example.com",
|
|
AuthorizationEndpoint: loginDomain + "/authorize",
|
|
TokenEndpoint: loginDomain + "/token",
|
|
UserInfoEndpoint: loginDomain + "/userinfo",
|
|
ResponseTypesSupported: nil,
|
|
ScopesSupported: nil,
|
|
ClaimsSupported: nil,
|
|
GrantTypesSupported: nil,
|
|
OAuth2Config: oauth2.Config{
|
|
ClientID: "test-id",
|
|
ClientSecret: "test-secret",
|
|
Endpoint: oauth2.Endpoint{
|
|
AuthURL: loginDomain + "/authorize",
|
|
TokenURL: loginDomain + "/token",
|
|
AuthStyle: oauth2.AuthStyleInHeader,
|
|
},
|
|
Scopes: nil,
|
|
},
|
|
}
|
|
|
|
var testManager = issuer.NewManagerForTests([]*issuer.WellKnownOIDC{testOidc})
|
|
var testHttpServer = HttpServer{
|
|
r: nil,
|
|
flowState: cache.New[string, flowStateData](),
|
|
}
|
|
|
|
func init() {
|
|
testHttpServer.conf.Store(&Conf{
|
|
BaseUrl: lavenderDomain,
|
|
ServiceName: "Test Lavender Service",
|
|
})
|
|
testHttpServer.manager.Store(testManager)
|
|
testHttpServer.services.Store(&map[string]AllowedClient{
|
|
clientAppDomain: {},
|
|
})
|
|
|
|
err := pages.LoadPages("")
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
testSigner = mjwt.NewMJwtSigner("https://example.com", key)
|
|
testHttpServer.signer = testSigner
|
|
|
|
parse, err := url.Parse(clientAppDomain)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
clientAppMeta = AllowedClient{
|
|
Url: utils.JsonUrl{URL: parse},
|
|
Permissions: []string{"test-perm"},
|
|
}
|
|
}
|
|
|
|
func TestFlowPopup(t *testing.T) {
|
|
h := HttpServer{}
|
|
h.conf.Store(&Conf{ServiceName: "Test Service Name"})
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/popup?"+url.Values{"origin": []string{clientAppDomain}}.Encode(), nil)
|
|
h.flowPopup(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusOK, rec.Code)
|
|
assert.Equal(t, fmt.Sprintf(`<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<title>Test Service Name</title>
|
|
</head>
|
|
<body>
|
|
<header>
|
|
<h1>Test Service Name</h1>
|
|
</header>
|
|
<main>
|
|
<form method="POST" action="/popup">
|
|
<input type="hidden" name="origin" value="%s"/>
|
|
<div>
|
|
<label for="field_loginname">Login Name:</label>
|
|
<input type="text" name="loginname" id="field_loginname" required/>
|
|
</div>
|
|
<button type="submit">Continue</button>
|
|
</form>
|
|
</main>
|
|
</body>
|
|
</html>
|
|
`, clientAppDomain), rec.Body.String())
|
|
}
|
|
|
|
func TestFlowPopupPost(t *testing.T) {
|
|
// test no login service error
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodPost, "/popup", strings.NewReader(url.Values{
|
|
"loginname": []string{"test@missing.example.com"},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowPopupPost(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusBadRequest, rec.Code)
|
|
assert.Equal(t, "No login service defined for this username\n", rec.Body.String())
|
|
|
|
// test invalid target origin error
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodPost, "/popup", strings.NewReader(url.Values{
|
|
"loginname": []string{"test@example.com"},
|
|
"origin": []string{"http://localhost:1010"},
|
|
}.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowPopupPost(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusBadRequest, rec.Code)
|
|
assert.Equal(t, "Invalid target origin\n", rec.Body.String())
|
|
|
|
// test successful request
|
|
nextState := uuid.NewString()
|
|
uuidNewStringState = func() string { return nextState }
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodPost, "/popup", strings.NewReader(url.Values{
|
|
"loginname": []string{"test@example.com"},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowPopupPost(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusFound, rec.Code)
|
|
assert.Equal(t, "", rec.Body.String())
|
|
assert.Equal(t, loginDomain+"/authorize?"+url.Values{
|
|
"client_id": []string{"test-id"},
|
|
"login_name": []string{"test"},
|
|
"redirect_uri": []string{lavenderDomain + "/callback"},
|
|
"response_type": []string{"code"},
|
|
"state": []string{"example.com:" + nextState},
|
|
}.Encode(), rec.Header().Get("Location"))
|
|
}
|
|
|
|
func TestFlowCallback(t *testing.T) {
|
|
expiryTime := time.Now().Add(15 * time.Minute)
|
|
nextState := uuid.NewString()
|
|
testHttpServer.flowState.Set("example.com:"+nextState, flowStateData{
|
|
sso: testOidc,
|
|
target: clientAppMeta,
|
|
}, expiryTime)
|
|
|
|
testOa2Exchange = func(oa2conf oauth2.Config, ctx context.Context, code string) (*oauth2.Token, error) {
|
|
return nil, errors.New("no exchange should be made")
|
|
}
|
|
testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
|
|
return nil, errors.New("no userinfo should be fetched")
|
|
}
|
|
|
|
// test parse form error
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/callback?%+"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusBadRequest, rec.Code)
|
|
assert.Equal(t, "Error parsing form\n", rec.Body.String())
|
|
|
|
// test invalid namespace
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"missing.example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusBadRequest, rec.Code)
|
|
assert.Equal(t, "Invalid state namespace\n", rec.Body.String())
|
|
|
|
// test invalid state
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:invalid"},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusBadRequest, rec.Code)
|
|
assert.Equal(t, "Invalid state\n", rec.Body.String())
|
|
|
|
// test failed exchange
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusInternalServerError, rec.Code)
|
|
assert.Equal(t, "Failed to exchange code\n", rec.Body.String())
|
|
|
|
testOa2Exchange = func(oa2conf oauth2.Config, ctx context.Context, code string) (*oauth2.Token, error) {
|
|
return &oauth2.Token{
|
|
AccessToken: "abcd1234",
|
|
TokenType: "",
|
|
RefreshToken: "efgh5678",
|
|
Expiry: expiryTime,
|
|
}, nil
|
|
}
|
|
|
|
// test failed userinfo
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusInternalServerError, rec.Code)
|
|
assert.Equal(t, "Failed to get userinfo\n", rec.Body.String())
|
|
|
|
testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
|
|
rec := httptest.NewRecorder()
|
|
rec.WriteHeader(http.StatusInternalServerError)
|
|
return rec.Result(), nil
|
|
}
|
|
|
|
// test failed userinfo status code
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusInternalServerError, rec.Code)
|
|
assert.Equal(t, "Failed to get userinfo: unexpected status code\n", rec.Body.String())
|
|
|
|
testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
|
|
rec := httptest.NewRecorder()
|
|
rec.WriteHeader(http.StatusOK)
|
|
_, _ = rec.Body.WriteString("{")
|
|
return rec.Result(), nil
|
|
}
|
|
|
|
// test failed userinfo decode
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusInternalServerError, rec.Code)
|
|
assert.Equal(t, "Failed to decode userinfo\n", rec.Body.String())
|
|
|
|
testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
|
|
rec := httptest.NewRecorder()
|
|
rec.WriteHeader(http.StatusOK)
|
|
_, _ = rec.Body.WriteString("{\"sub\":1}")
|
|
return rec.Result(), nil
|
|
}
|
|
|
|
// test invalid subject in userinfo
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusInternalServerError, rec.Code)
|
|
assert.Equal(t, "Invalid subject in userinfo\n", rec.Body.String())
|
|
|
|
testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
|
|
rec := httptest.NewRecorder()
|
|
rec.WriteHeader(http.StatusOK)
|
|
_, _ = rec.Body.WriteString("{\"sub\":\"1\",\"aud\":1}")
|
|
return rec.Result(), nil
|
|
}
|
|
|
|
// test invalid audience in userinfo
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusInternalServerError, rec.Code)
|
|
assert.Equal(t, "Invalid audience in userinfo\n", rec.Body.String())
|
|
|
|
testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
|
|
rec := httptest.NewRecorder()
|
|
rec.WriteHeader(http.StatusOK)
|
|
_, _ = rec.Body.WriteString(fmt.Sprintf(`{
|
|
"sub": "test-user",
|
|
"aud": "%s",
|
|
"test-field": "ok"
|
|
}
|
|
`, clientAppDomain))
|
|
return rec.Result(), nil
|
|
}
|
|
|
|
// test successful request
|
|
rec = httptest.NewRecorder()
|
|
req = httptest.NewRequest(http.MethodGet, "/callback?"+url.Values{
|
|
"state": []string{"example.com:" + nextState},
|
|
"origin": []string{clientAppDomain},
|
|
}.Encode(), nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
testHttpServer.flowCallback(rec, req, httprouter.Params{})
|
|
assert.Equal(t, http.StatusOK, rec.Code)
|
|
const p1 = `<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<title>Test Lavender Service</title>
|
|
<script>
|
|
let loginData = {
|
|
target:"%s",
|
|
userinfo:{"aud":"%s","sub":"test-user","test-field":"ok"},
|
|
tokens: `
|
|
const p2 = `,
|
|
};
|
|
window.addEventListener("load", function () {
|
|
window.opener.postMessage(loginData, loginData.target);
|
|
setTimeout(function () {
|
|
window.close();
|
|
}, 500);
|
|
});
|
|
</script>
|
|
</head>
|
|
<body>
|
|
<header>
|
|
<h1>Test Lavender Service</h1>
|
|
</header>
|
|
<main id="mainBody">Loading...</main>
|
|
</body>
|
|
</html>
|
|
`
|
|
var p1v = fmt.Sprintf(p1, clientAppDomain, clientAppDomain)
|
|
|
|
a := make([]byte, len(p1v))
|
|
n, err := rec.Body.Read(a)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, len(p1v), n)
|
|
assert.Equal(t, p1v, string(a))
|
|
|
|
var accessToken, refreshToken string
|
|
findByte(rec.Body, '{')
|
|
findString(rec.Body, "access:")
|
|
readQuotedString(rec.Body, &accessToken)
|
|
findByte(rec.Body, ',')
|
|
findString(rec.Body, "refresh:")
|
|
readQuotedString(rec.Body, &refreshToken)
|
|
findByte(rec.Body, ',')
|
|
findByte(rec.Body, '}')
|
|
|
|
assert.Equal(t, p2, rec.Body.String())
|
|
}
|
|
|
|
func findByte(buf *bytes.Buffer, v byte) {
|
|
for {
|
|
readByte, err := buf.ReadByte()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
if readByte == v {
|
|
break
|
|
}
|
|
if !unicode.IsSpace(rune(readByte)) {
|
|
panic(fmt.Sprint("Found non space rune: ", readByte))
|
|
}
|
|
}
|
|
}
|
|
|
|
func findString(buf *bytes.Buffer, v string) {
|
|
if len(v) == 0 {
|
|
panic("Cannot find empty string")
|
|
}
|
|
findByte(buf, v[0])
|
|
if len(v) > 1 {
|
|
a2 := make([]byte, len(v)-1)
|
|
n, err := buf.Read(a2)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
if n != len(a2) {
|
|
panic("Probably found end of buffer")
|
|
}
|
|
if bytes.Compare([]byte(v[1:]), a2) != 0 {
|
|
panic("Failed to find string in buffer")
|
|
}
|
|
}
|
|
}
|
|
|
|
func readQuotedString(buf *bytes.Buffer, p *string) {
|
|
findByte(buf, '"')
|
|
b, err := buf.ReadBytes('"')
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
*p = string(b)
|
|
}
|