From dace5cde1826e7e1b7ad5fbf30f7d1c66cf0c883 Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Mon, 11 Dec 2017 09:33:52 +0000
Subject: [PATCH] Test explicit subdomain whitelisting
---
 oauthproxy_test.go | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index f6f2acc..875c39c 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -97,7 +97,8 @@ func TestIsValidRedirect(t *testing.T) {
 opts.ClientID = "bazquux"
 opts.ClientSecret = "foobar"
 opts.CookieSecret = "xyzzyplugh"
- opts.WhitelistDomains = []string{"foo.bar"}
+ // Should match domains that are exactly foo.bar and any subdomain of bar.foo
+ opts.WhitelistDomains = []string{"foo.bar", ".bar.foo"}
 opts.Validate()
 proxy := NewOAuthProxy(opts, func(string) bool { return true })
@@ -111,12 +112,24 @@ func TestIsValidRedirect(t *testing.T) {
 doubleSlash := proxy.IsValidRedirect("//redirect")
 assert.Equal(t, false, doubleSlash)
- validHttp := proxy.IsValidRedirect("http://baz.foo.bar/redirect")
+ validHttp := proxy.IsValidRedirect("http://foo.bar/redirect")
 assert.Equal(t, true, validHttp)
- validHttps := proxy.IsValidRedirect("https://baz.foo.bar/redirect")
+ validHttps := proxy.IsValidRedirect("https://foo.bar/redirect")
 assert.Equal(t, true, validHttps)
+ invalidHttpSubdomain := proxy.IsValidRedirect("http://baz.foo.bar/redirect")
+ assert.Equal(t, false, invalidHttpSubdomain)
+
+ invalidHttpsSubdomain := proxy.IsValidRedirect("https://baz.foo.bar/redirect")
+ assert.Equal(t, false, invalidHttpsSubdomain)
+
+ validHttpSubdomain := proxy.IsValidRedirect("http://baz.bar.foo/redirect")
+ assert.Equal(t, true, validHttpSubdomain)
+
+ validHttpsSubdomain := proxy.IsValidRedirect("https://baz.bar.foo/redirect")
+ assert.Equal(t, true, validHttpsSubdomain)
+
 invalidHttp1 := proxy.IsValidRedirect("http://foo.bar.evil.corp/redirect")
 assert.Equal(t, false, invalidHttp1)
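Review bot: The new comment above `opts.WhitelistDomains` states the intended outcome but not the rule behind it: nothing says that it is the leading dot in `.bar.foo` that turns an entry into a subdomain match, or whether the bare host `bar.foo` is meant to be accepted. I would word it as `// "foo.bar" matches that host only; the leading "." in ".bar.foo" matches subdomains of bar.foo` and add the apex behaviour once it is decided. TestIsValidRedirect starts before this hunk and continues past it.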
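Review bot: Every case added in the second hunk for the `.bar.foo` entry is a positive one, so the test does not pin the boundaries of the subdomain match that guards the redirect target. The only hostile-host case visible here, `http://foo.bar.evil.corp/redirect`, exercises the exact-match entry; I would add the same kind of negatives for the new entry, for example `assert.Equal(t, false, proxy.IsValidRedirect("http://baz.bar.foo.evil.corp/redirect"))` and `assert.Equal(t, false, proxy.IsValidRedirect("http://bazbar.foo/redirect"))` (hostnames constructed for illustration). An assertion for the bare `http://bar.foo/redirect`, in whichever direction is intended, would also stop that behaviour from changing silently. The function continues beyond the end of the hunk, so some of this may already be covered further down.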