From b6e07d51b2af41b17d5ffc55d6a6d13521587eb9 Mon Sep 17 00:00:00 2001 From: Mike Bland Date: Sat, 9 May 2015 15:09:31 -0400 Subject: [PATCH] Validate access_token when auto-refreshing cookie --- oauthproxy.go | 5 +++- oauthproxy_test.go | 72 ++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 64 insertions(+), 13 deletions(-) diff --git a/oauthproxy.go b/oauthproxy.go index 4943bdf..1726515 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -299,7 +299,10 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e } else if p.CookieRefresh != time.Duration(0) { refresh_threshold := time.Now().Add(p.CookieRefresh) if refresh_threshold.Unix() > timestamp.Unix() { - p.SetCookie(rw, req, value) + ok = p.ValidateToken(access_token) + if ok { + p.SetCookie(rw, req, value) + } } } return diff --git a/oauthproxy_test.go b/oauthproxy_test.go index e0d6f6b..4946a43 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go @@ -391,10 +391,12 @@ func TestValidateTokenValidToken(t *testing.T) { } type ProcessCookieTest struct { - opts *Options - proxy *OauthProxy - rw *httptest.ResponseRecorder - req *http.Request + opts *Options + proxy *OauthProxy + rw *httptest.ResponseRecorder + req *http.Request + backend *httptest.Server + response_code int } func NewProcessCookieTest() *ProcessCookieTest { @@ -405,6 +407,8 @@ func NewProcessCookieTest() *ProcessCookieTest { pc_test.opts.CookieSecret = "foobar" pc_test.opts.ClientID = "bazquux" pc_test.opts.ClientSecret = "xyzzyplugh" + pc_test.opts.PassAccessToken = true + pc_test.opts.CookieSecret = "0123456789abcdef" pc_test.opts.Validate() pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool { @@ -416,12 +420,32 @@ func NewProcessCookieTest() *ProcessCookieTest { return &pc_test } -func (p *ProcessCookieTest) MakeCookie(value string) *http.Cookie { - return p.proxy.MakeCookie(p.req, value, p.opts.CookieExpire) +func (p *ProcessCookieTest) InstantiateBackend() { + p.backend = httptest.NewServer( + http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(p.response_code) + })) + backend_url, _ := url.Parse(p.backend.URL) + p.proxy.oauthValidateUrl = &url.URL{ + Scheme: "http", + Host: backend_url.Host, + Path: "/oauth/tokeninfo", + } + p.response_code = 200 } -func (p *ProcessCookieTest) AddCookie(value string) { - p.req.AddCookie(p.MakeCookie(value)) +func (p *ProcessCookieTest) Close() { + p.backend.Close() +} + +func (p *ProcessCookieTest) MakeCookie(value, access_token string) *http.Cookie { + cookie_value, _ := buildCookieValue( + value, p.proxy.AesCipher, access_token) + return p.proxy.MakeCookie(p.req, cookie_value, p.opts.CookieExpire) +} + +func (p *ProcessCookieTest) AddCookie(value, access_token string) { + p.req.AddCookie(p.MakeCookie(value, access_token)) } func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, ok bool) { @@ -430,11 +454,13 @@ func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, o func TestProcessCookie(t *testing.T) { pc_test := NewProcessCookieTest() - pc_test.AddCookie("michael.bland@gsa.gov") - email, user, _, ok := pc_test.ProcessCookie() + + pc_test.AddCookie("michael.bland@gsa.gov", "my_access_token") + email, user, access_token, ok := pc_test.ProcessCookie() assert.Equal(t, true, ok) assert.Equal(t, "michael.bland@gsa.gov", email) assert.Equal(t, "michael.bland", user) + assert.Equal(t, "my_access_token", access_token) } func TestProcessCookieNoCookieError(t *testing.T) { @@ -445,7 +471,10 @@ func TestProcessCookieNoCookieError(t *testing.T) { func TestProcessCookieRefreshNotSet(t *testing.T) { pc_test := NewProcessCookieTest() - cookie := pc_test.MakeCookie("michael.bland@gsa.gov") + pc_test.InstantiateBackend() + defer pc_test.Close() + + cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "") cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour) pc_test.req.AddCookie(cookie) @@ -456,7 +485,10 @@ func TestProcessCookieRefreshNotSet(t *testing.T) { func TestProcessCookieRefresh(t *testing.T) { pc_test := NewProcessCookieTest() - cookie := pc_test.MakeCookie("michael.bland@gsa.gov") + pc_test.InstantiateBackend() + defer pc_test.Close() + + cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token") cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour) pc_test.req.AddCookie(cookie) @@ -465,3 +497,19 @@ func TestProcessCookieRefresh(t *testing.T) { assert.Equal(t, true, ok) assert.NotEqual(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"]) } + +func TestProcessCookieFailIfRefreshSetAndTokenNoLongerValid(t *testing.T) { + pc_test := NewProcessCookieTest() + pc_test.InstantiateBackend() + defer pc_test.Close() + pc_test.response_code = 401 + + cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token") + cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour) + pc_test.req.AddCookie(cookie) + + pc_test.proxy.CookieRefresh = time.Duration(24) * time.Hour + _, _, _, ok := pc_test.ProcessCookie() + assert.Equal(t, false, ok) + assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"]) +}