Validate access_token when auto-refreshing cookie
This commit is contained in:
parent
25372567ac
commit
b6e07d51b2
@ -299,9 +299,12 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e
|
|||||||
} else if p.CookieRefresh != time.Duration(0) {
|
} else if p.CookieRefresh != time.Duration(0) {
|
||||||
refresh_threshold := time.Now().Add(p.CookieRefresh)
|
refresh_threshold := time.Now().Add(p.CookieRefresh)
|
||||||
if refresh_threshold.Unix() > timestamp.Unix() {
|
if refresh_threshold.Unix() > timestamp.Unix() {
|
||||||
|
ok = p.ValidateToken(access_token)
|
||||||
|
if ok {
|
||||||
p.SetCookie(rw, req, value)
|
p.SetCookie(rw, req, value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -395,6 +395,8 @@ type ProcessCookieTest struct {
|
|||||||
proxy *OauthProxy
|
proxy *OauthProxy
|
||||||
rw *httptest.ResponseRecorder
|
rw *httptest.ResponseRecorder
|
||||||
req *http.Request
|
req *http.Request
|
||||||
|
backend *httptest.Server
|
||||||
|
response_code int
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewProcessCookieTest() *ProcessCookieTest {
|
func NewProcessCookieTest() *ProcessCookieTest {
|
||||||
@ -405,6 +407,8 @@ func NewProcessCookieTest() *ProcessCookieTest {
|
|||||||
pc_test.opts.CookieSecret = "foobar"
|
pc_test.opts.CookieSecret = "foobar"
|
||||||
pc_test.opts.ClientID = "bazquux"
|
pc_test.opts.ClientID = "bazquux"
|
||||||
pc_test.opts.ClientSecret = "xyzzyplugh"
|
pc_test.opts.ClientSecret = "xyzzyplugh"
|
||||||
|
pc_test.opts.PassAccessToken = true
|
||||||
|
pc_test.opts.CookieSecret = "0123456789abcdef"
|
||||||
pc_test.opts.Validate()
|
pc_test.opts.Validate()
|
||||||
|
|
||||||
pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool {
|
pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool {
|
||||||
@ -416,12 +420,32 @@ func NewProcessCookieTest() *ProcessCookieTest {
|
|||||||
return &pc_test
|
return &pc_test
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *ProcessCookieTest) MakeCookie(value string) *http.Cookie {
|
func (p *ProcessCookieTest) InstantiateBackend() {
|
||||||
return p.proxy.MakeCookie(p.req, value, p.opts.CookieExpire)
|
p.backend = httptest.NewServer(
|
||||||
|
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
w.WriteHeader(p.response_code)
|
||||||
|
}))
|
||||||
|
backend_url, _ := url.Parse(p.backend.URL)
|
||||||
|
p.proxy.oauthValidateUrl = &url.URL{
|
||||||
|
Scheme: "http",
|
||||||
|
Host: backend_url.Host,
|
||||||
|
Path: "/oauth/tokeninfo",
|
||||||
|
}
|
||||||
|
p.response_code = 200
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *ProcessCookieTest) AddCookie(value string) {
|
func (p *ProcessCookieTest) Close() {
|
||||||
p.req.AddCookie(p.MakeCookie(value))
|
p.backend.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *ProcessCookieTest) MakeCookie(value, access_token string) *http.Cookie {
|
||||||
|
cookie_value, _ := buildCookieValue(
|
||||||
|
value, p.proxy.AesCipher, access_token)
|
||||||
|
return p.proxy.MakeCookie(p.req, cookie_value, p.opts.CookieExpire)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *ProcessCookieTest) AddCookie(value, access_token string) {
|
||||||
|
p.req.AddCookie(p.MakeCookie(value, access_token))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, ok bool) {
|
func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, ok bool) {
|
||||||
@ -430,11 +454,13 @@ func (p *ProcessCookieTest) ProcessCookie() (email, user, access_token string, o
|
|||||||
|
|
||||||
func TestProcessCookie(t *testing.T) {
|
func TestProcessCookie(t *testing.T) {
|
||||||
pc_test := NewProcessCookieTest()
|
pc_test := NewProcessCookieTest()
|
||||||
pc_test.AddCookie("michael.bland@gsa.gov")
|
|
||||||
email, user, _, ok := pc_test.ProcessCookie()
|
pc_test.AddCookie("michael.bland@gsa.gov", "my_access_token")
|
||||||
|
email, user, access_token, ok := pc_test.ProcessCookie()
|
||||||
assert.Equal(t, true, ok)
|
assert.Equal(t, true, ok)
|
||||||
assert.Equal(t, "michael.bland@gsa.gov", email)
|
assert.Equal(t, "michael.bland@gsa.gov", email)
|
||||||
assert.Equal(t, "michael.bland", user)
|
assert.Equal(t, "michael.bland", user)
|
||||||
|
assert.Equal(t, "my_access_token", access_token)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestProcessCookieNoCookieError(t *testing.T) {
|
func TestProcessCookieNoCookieError(t *testing.T) {
|
||||||
@ -445,7 +471,10 @@ func TestProcessCookieNoCookieError(t *testing.T) {
|
|||||||
|
|
||||||
func TestProcessCookieRefreshNotSet(t *testing.T) {
|
func TestProcessCookieRefreshNotSet(t *testing.T) {
|
||||||
pc_test := NewProcessCookieTest()
|
pc_test := NewProcessCookieTest()
|
||||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
|
pc_test.InstantiateBackend()
|
||||||
|
defer pc_test.Close()
|
||||||
|
|
||||||
|
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "")
|
||||||
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||||
pc_test.req.AddCookie(cookie)
|
pc_test.req.AddCookie(cookie)
|
||||||
|
|
||||||
@ -456,7 +485,10 @@ func TestProcessCookieRefreshNotSet(t *testing.T) {
|
|||||||
|
|
||||||
func TestProcessCookieRefresh(t *testing.T) {
|
func TestProcessCookieRefresh(t *testing.T) {
|
||||||
pc_test := NewProcessCookieTest()
|
pc_test := NewProcessCookieTest()
|
||||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
|
pc_test.InstantiateBackend()
|
||||||
|
defer pc_test.Close()
|
||||||
|
|
||||||
|
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token")
|
||||||
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||||
pc_test.req.AddCookie(cookie)
|
pc_test.req.AddCookie(cookie)
|
||||||
|
|
||||||
@ -465,3 +497,19 @@ func TestProcessCookieRefresh(t *testing.T) {
|
|||||||
assert.Equal(t, true, ok)
|
assert.Equal(t, true, ok)
|
||||||
assert.NotEqual(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
|
assert.NotEqual(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestProcessCookieFailIfRefreshSetAndTokenNoLongerValid(t *testing.T) {
|
||||||
|
pc_test := NewProcessCookieTest()
|
||||||
|
pc_test.InstantiateBackend()
|
||||||
|
defer pc_test.Close()
|
||||||
|
pc_test.response_code = 401
|
||||||
|
|
||||||
|
cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token")
|
||||||
|
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||||
|
pc_test.req.AddCookie(cookie)
|
||||||
|
|
||||||
|
pc_test.proxy.CookieRefresh = time.Duration(24) * time.Hour
|
||||||
|
_, _, _, ok := pc_test.ProcessCookie()
|
||||||
|
assert.Equal(t, false, ok)
|
||||||
|
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user