Add a more realistic test for JWT passthrough

This commit is contained in:
Brian Van Klaveren 2019-04-30 14:06:11 -07:00
parent 1ff74d322a
commit 10f65e0381

View File

@ -1170,17 +1170,67 @@ func TestGetJwtSession(t *testing.T) {
&oidc.Config{ClientID: "https://test.myapp.com", SkipExpiryCheck: true}) &oidc.Config{ClientID: "https://test.myapp.com", SkipExpiryCheck: true})
p := OAuthProxy{} p := OAuthProxy{}
p.jwtBearerVerifiers = append(p.jwtBearerVerifiers, verifier) p.jwtBearerVerifiers = append(p.jwtBearerVerifiers, verifier)
getReq := &http.Request{URL: &url.URL{Scheme: "http", Host: "example.com"}}
req, _ := http.NewRequest("GET", "/", strings.NewReader(""))
authHeader := fmt.Sprintf("Bearer %s", goodJwt)
req.Header = map[string][]string{
"Authorization": {authHeader},
}
// Bearer // Bearer
getReq.Header = map[string][]string{ session, _ := p.GetJwtSession(req)
"Authorization": {fmt.Sprintf("Bearer %s", goodJwt)},
}
session, _ := p.GetJwtSession(getReq)
assert.Equal(t, session.User, "john") assert.Equal(t, session.User, "john")
assert.Equal(t, session.Email, "john@example.com") assert.Equal(t, session.Email, "john@example.com")
assert.Equal(t, session.ExpiresOn, time.Unix(1912151821, 0)) assert.Equal(t, session.ExpiresOn, time.Unix(1912151821, 0))
assert.Equal(t, session.IDToken, goodJwt) assert.Equal(t, session.IDToken, goodJwt)
jwtProviderServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
log.Printf("%#v", r)
var payload string
payload = r.Header.Get("Authorization")
if payload == "" {
payload = "No Authorization header found."
}
w.WriteHeader(200)
w.Write([]byte(payload))
}))
opts := NewOptions()
opts.Upstreams = append(opts.Upstreams, jwtProviderServer.URL)
opts.PassAuthorization = true
opts.SetAuthorization = true
opts.SetXAuthRequest = true
opts.CookieSecret = "0123456789abcdef0123"
opts.SkipJwtBearerTokens = true
opts.Validate()
// We can't actually use opts.Validate() because it will attempt to find a jwks URI
opts.jwtBearerVerifiers = append(opts.jwtBearerVerifiers, verifier)
providerURL, _ := url.Parse(jwtProviderServer.URL)
const emailAddress = "john@example.com"
opts.provider = NewTestProvider(providerURL, emailAddress)
jwtTestProxy := NewOAuthProxy(opts, func(email string) bool {
return email == emailAddress
})
rw := httptest.NewRecorder()
jwtTestProxy.ServeHTTP(rw, req)
if rw.Code >= 400 {
t.Fatalf("expected 3xx got %d", rw.Code)
}
// Check PassAuthorization, should overwrite Basic header
assert.Equal(t, req.Header.Get("Authorization"), authHeader)
assert.Equal(t, req.Header.Get("X-Forwarded-User"), "john")
assert.Equal(t, req.Header.Get("X-Forwarded-Email"), "john@example.com")
// SetAuthorization and SetXAuthRequest
assert.Equal(t, rw.Header().Get("Authorization"), authHeader)
assert.Equal(t, rw.Header().Get("X-Auth-Request-User"), "john")
assert.Equal(t, rw.Header().Get("X-Auth-Request-Email"), "john@example.com")
} }
func TestFindJwtBearerToken(t *testing.T) { func TestFindJwtBearerToken(t *testing.T) {