Add a more realistic test for JWT passthrough
parent
1ff74d322a
commit
10f65e0381
@ -1170,17 +1170,67 @@ func TestGetJwtSession(t *testing.T) {
|
|||||||
&oidc.Config{ClientID: "https://test.myapp.com", SkipExpiryCheck: true})
|
&oidc.Config{ClientID: "https://test.myapp.com", SkipExpiryCheck: true})
|
||||||
p := OAuthProxy{}
|
p := OAuthProxy{}
|
||||||
p.jwtBearerVerifiers = append(p.jwtBearerVerifiers, verifier)
|
p.jwtBearerVerifiers = append(p.jwtBearerVerifiers, verifier)
|
||||||
getReq := &http.Request{URL: &url.URL{Scheme: "http", Host: "example.com"}}
|
|
||||||
|
req, _ := http.NewRequest("GET", "/", strings.NewReader(""))
|
||||||
|
authHeader := fmt.Sprintf("Bearer %s", goodJwt)
|
||||||
|
req.Header = map[string][]string{
|
||||||
|
"Authorization": {authHeader},
|
||||||
|
}
|
||||||
|
|
||||||
// Bearer
|
// Bearer
|
||||||
getReq.Header = map[string][]string{
|
session, _ := p.GetJwtSession(req)
|
||||||
"Authorization": {fmt.Sprintf("Bearer %s", goodJwt)},
|
|
||||||
}
|
|
||||||
session, _ := p.GetJwtSession(getReq)
|
|
||||||
assert.Equal(t, session.User, "john")
|
assert.Equal(t, session.User, "john")
|
||||||
assert.Equal(t, session.Email, "john@example.com")
|
assert.Equal(t, session.Email, "john@example.com")
|
||||||
assert.Equal(t, session.ExpiresOn, time.Unix(1912151821, 0))
|
assert.Equal(t, session.ExpiresOn, time.Unix(1912151821, 0))
|
||||||
assert.Equal(t, session.IDToken, goodJwt)
|
assert.Equal(t, session.IDToken, goodJwt)
|
||||||
|
|
||||||
|
jwtProviderServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
log.Printf("%#v", r)
|
||||||
|
var payload string
|
||||||
|
payload = r.Header.Get("Authorization")
|
||||||
|
if payload == "" {
|
||||||
|
payload = "No Authorization header found."
|
||||||
|
}
|
||||||
|
w.WriteHeader(200)
|
||||||
|
w.Write([]byte(payload))
|
||||||
|
}))
|
||||||
|
|
||||||
|
opts := NewOptions()
|
||||||
|
opts.Upstreams = append(opts.Upstreams, jwtProviderServer.URL)
|
||||||
|
opts.PassAuthorization = true
|
||||||
|
opts.SetAuthorization = true
|
||||||
|
opts.SetXAuthRequest = true
|
||||||
|
opts.CookieSecret = "0123456789abcdef0123"
|
||||||
|
opts.SkipJwtBearerTokens = true
|
||||||
|
opts.Validate()
|
||||||
|
|
||||||
|
// We can't actually use opts.Validate() because it will attempt to find a jwks URI
|
||||||
|
opts.jwtBearerVerifiers = append(opts.jwtBearerVerifiers, verifier)
|
||||||
|
|
||||||
|
providerURL, _ := url.Parse(jwtProviderServer.URL)
|
||||||
|
const emailAddress = "john@example.com"
|
||||||
|
|
||||||
|
opts.provider = NewTestProvider(providerURL, emailAddress)
|
||||||
|
jwtTestProxy := NewOAuthProxy(opts, func(email string) bool {
|
||||||
|
return email == emailAddress
|
||||||
|
})
|
||||||
|
|
||||||
|
rw := httptest.NewRecorder()
|
||||||
|
jwtTestProxy.ServeHTTP(rw, req)
|
||||||
|
if rw.Code >= 400 {
|
||||||
|
t.Fatalf("expected 3xx got %d", rw.Code)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check PassAuthorization, should overwrite Basic header
|
||||||
|
assert.Equal(t, req.Header.Get("Authorization"), authHeader)
|
||||||
|
assert.Equal(t, req.Header.Get("X-Forwarded-User"), "john")
|
||||||
|
assert.Equal(t, req.Header.Get("X-Forwarded-Email"), "john@example.com")
|
||||||
|
|
||||||
|
// SetAuthorization and SetXAuthRequest
|
||||||
|
assert.Equal(t, rw.Header().Get("Authorization"), authHeader)
|
||||||
|
assert.Equal(t, rw.Header().Get("X-Auth-Request-User"), "john")
|
||||||
|
assert.Equal(t, rw.Header().Get("X-Auth-Request-Email"), "john@example.com")
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestFindJwtBearerToken(t *testing.T) {
|
func TestFindJwtBearerToken(t *testing.T) {
|
||||||
|
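Review bot: The PassAuthorization check `assert.Equal(t, req.Header.Get("Authorization"), authHeader)` is vacuous, because `req` already carried exactly that header before `ServeHTTP` ran, so it passes whether or not the proxy forwarded anything upstream; the `jwtProviderServer` handler echoes the Authorization header it received into the response body, yet `rw.Body` is never read. Asserting `assert.Equal(t, rw.Body.String(), authHeader)` after the status check would make the passthrough this commit is meant to test actually observable. The `httptest.NewServer` is never shut down; add `defer jwtProviderServer.Close()` directly after it is created. `log.Printf("%#v", r)` in the handler looks like leftover debugging and writes the whole upstream request, bearer token included, into the test output on every run. The comment "We can't actually use opts.Validate() because it will attempt to find a jwks URI" sits directly under an `opts.Validate()` call whose error is discarded, so either the call should go or the comment should, and if the call stays its error should be checked with `if err := opts.Validate(); err != nil { t.Fatal(err) }`.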