408 lines
12 KiB
Go
408 lines
12 KiB
Go
package providers
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"testing"
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
|
|
. "github.com/onsi/gomega"
|
|
"github.com/stretchr/testify/assert"
|
|
admin "google.golang.org/api/admin/directory/v1"
|
|
option "google.golang.org/api/option"
|
|
)
|
|
|
|
func newRedeemServer(body []byte) (*url.URL, *httptest.Server) {
|
|
s := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
rw.Write(body)
|
|
}))
|
|
u, _ := url.Parse(s.URL)
|
|
return u, s
|
|
}
|
|
|
|
func newGoogleProvider(t *testing.T) *GoogleProvider {
|
|
g := NewWithT(t)
|
|
p, err := NewGoogleProvider(
|
|
&ProviderData{
|
|
ProviderName: "",
|
|
LoginURL: &url.URL{},
|
|
RedeemURL: &url.URL{},
|
|
ProfileURL: &url.URL{},
|
|
ValidateURL: &url.URL{},
|
|
Scope: ""},
|
|
options.GoogleOptions{})
|
|
g.Expect(err).ToNot(HaveOccurred())
|
|
return p
|
|
}
|
|
|
|
func TestNewGoogleProvider(t *testing.T) {
|
|
g := NewWithT(t)
|
|
|
|
// Test that defaults are set when calling for a new provider with nothing set
|
|
provider, err := NewGoogleProvider(&ProviderData{}, options.GoogleOptions{})
|
|
g.Expect(err).ToNot(HaveOccurred())
|
|
providerData := provider.Data()
|
|
|
|
g.Expect(providerData.ProviderName).To(Equal("Google"))
|
|
g.Expect(providerData.LoginURL.String()).To(Equal("https://accounts.google.com/o/oauth2/auth?access_type=offline"))
|
|
g.Expect(providerData.RedeemURL.String()).To(Equal("https://www.googleapis.com/oauth2/v3/token"))
|
|
g.Expect(providerData.ProfileURL.String()).To(Equal(""))
|
|
g.Expect(providerData.ValidateURL.String()).To(Equal("https://www.googleapis.com/oauth2/v1/tokeninfo"))
|
|
g.Expect(providerData.Scope).To(Equal("profile email"))
|
|
}
|
|
|
|
func TestGoogleProviderOverrides(t *testing.T) {
|
|
p, err := NewGoogleProvider(
|
|
&ProviderData{
|
|
LoginURL: &url.URL{
|
|
Scheme: "https",
|
|
Host: "example.com",
|
|
Path: "/oauth/auth"},
|
|
RedeemURL: &url.URL{
|
|
Scheme: "https",
|
|
Host: "example.com",
|
|
Path: "/oauth/token"},
|
|
ProfileURL: &url.URL{
|
|
Scheme: "https",
|
|
Host: "example.com",
|
|
Path: "/oauth/profile"},
|
|
ValidateURL: &url.URL{
|
|
Scheme: "https",
|
|
Host: "example.com",
|
|
Path: "/oauth/tokeninfo"},
|
|
Scope: "profile"},
|
|
options.GoogleOptions{})
|
|
assert.NoError(t, err)
|
|
assert.NotEqual(t, nil, p)
|
|
assert.Equal(t, "Google", p.Data().ProviderName)
|
|
assert.Equal(t, "https://example.com/oauth/auth",
|
|
p.Data().LoginURL.String())
|
|
assert.Equal(t, "https://example.com/oauth/token",
|
|
p.Data().RedeemURL.String())
|
|
assert.Equal(t, "https://example.com/oauth/profile",
|
|
p.Data().ProfileURL.String())
|
|
assert.Equal(t, "https://example.com/oauth/tokeninfo",
|
|
p.Data().ValidateURL.String())
|
|
assert.Equal(t, "profile", p.Data().Scope)
|
|
}
|
|
|
|
type redeemResponse struct {
|
|
AccessToken string `json:"access_token"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
ExpiresIn int64 `json:"expires_in"`
|
|
IDToken string `json:"id_token"`
|
|
}
|
|
|
|
func TestGoogleProviderGetEmailAddress(t *testing.T) {
|
|
p := newGoogleProvider(t)
|
|
body, err := json.Marshal(redeemResponse{
|
|
AccessToken: "a1234",
|
|
ExpiresIn: 10,
|
|
RefreshToken: "refresh12345",
|
|
IDToken: "ignored prefix." + base64.URLEncoding.EncodeToString([]byte(`{"email": "michael.bland@gsa.gov", "email_verified":true}`)),
|
|
})
|
|
assert.Equal(t, nil, err)
|
|
var server *httptest.Server
|
|
p.RedeemURL, server = newRedeemServer(body)
|
|
defer server.Close()
|
|
|
|
session, err := p.Redeem(context.Background(), "http://redirect/", "code1234", "123")
|
|
assert.Equal(t, nil, err)
|
|
assert.NotEqual(t, session, nil)
|
|
assert.Equal(t, "michael.bland@gsa.gov", session.Email)
|
|
assert.Equal(t, "a1234", session.AccessToken)
|
|
assert.Equal(t, "refresh12345", session.RefreshToken)
|
|
}
|
|
|
|
func TestGoogleProviderGroupValidator(t *testing.T) {
|
|
const sessionEmail = "michael.bland@gsa.gov"
|
|
|
|
testCases := map[string]struct {
|
|
session *sessions.SessionState
|
|
validatorFunc func(*sessions.SessionState) bool
|
|
expectedAuthZ bool
|
|
}{
|
|
"Email is authorized with groupValidator": {
|
|
session: &sessions.SessionState{
|
|
Email: sessionEmail,
|
|
},
|
|
validatorFunc: func(s *sessions.SessionState) bool {
|
|
return s.Email == sessionEmail
|
|
},
|
|
expectedAuthZ: true,
|
|
},
|
|
"Email is denied with groupValidator": {
|
|
session: &sessions.SessionState{
|
|
Email: sessionEmail,
|
|
},
|
|
validatorFunc: func(s *sessions.SessionState) bool {
|
|
return s.Email != sessionEmail
|
|
},
|
|
expectedAuthZ: false,
|
|
},
|
|
"Default does no authorization checks": {
|
|
session: &sessions.SessionState{
|
|
Email: sessionEmail,
|
|
},
|
|
validatorFunc: nil,
|
|
expectedAuthZ: true,
|
|
},
|
|
}
|
|
for name, tc := range testCases {
|
|
t.Run(name, func(t *testing.T) {
|
|
g := NewWithT(t)
|
|
p := newGoogleProvider(t)
|
|
if tc.validatorFunc != nil {
|
|
p.groupValidator = tc.validatorFunc
|
|
}
|
|
g.Expect(p.groupValidator(tc.session)).To(Equal(tc.expectedAuthZ))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestGoogleProviderGetEmailAddressInvalidEncoding(t *testing.T) {
|
|
p := newGoogleProvider(t)
|
|
body, err := json.Marshal(redeemResponse{
|
|
AccessToken: "a1234",
|
|
IDToken: "ignored prefix." + `{"email": "michael.bland@gsa.gov"}`,
|
|
})
|
|
assert.Equal(t, nil, err)
|
|
var server *httptest.Server
|
|
p.RedeemURL, server = newRedeemServer(body)
|
|
defer server.Close()
|
|
|
|
session, err := p.Redeem(context.Background(), "http://redirect/", "code1234", "123")
|
|
assert.NotEqual(t, nil, err)
|
|
if session != nil {
|
|
t.Errorf("expect nill session %#v", session)
|
|
}
|
|
}
|
|
|
|
func TestGoogleProviderRedeemFailsNoCLientSecret(t *testing.T) {
|
|
p := newGoogleProvider(t)
|
|
p.ProviderData.ClientSecretFile = "srvnoerre"
|
|
|
|
session, err := p.Redeem(context.Background(), "http://redirect/", "code1234", "123")
|
|
assert.NotEqual(t, nil, err)
|
|
if session != nil {
|
|
t.Errorf("expect nill session %#v", session)
|
|
}
|
|
assert.Equal(t, "could not read client secret file", err.Error())
|
|
}
|
|
|
|
func TestGoogleProviderGetEmailAddressInvalidJson(t *testing.T) {
|
|
p := newGoogleProvider(t)
|
|
|
|
body, err := json.Marshal(redeemResponse{
|
|
AccessToken: "a1234",
|
|
IDToken: "ignored prefix." + base64.URLEncoding.EncodeToString([]byte(`{"email": michael.bland@gsa.gov}`)),
|
|
})
|
|
assert.Equal(t, nil, err)
|
|
var server *httptest.Server
|
|
p.RedeemURL, server = newRedeemServer(body)
|
|
defer server.Close()
|
|
|
|
session, err := p.Redeem(context.Background(), "http://redirect/", "code1234", "123")
|
|
assert.NotEqual(t, nil, err)
|
|
if session != nil {
|
|
t.Errorf("expect nill session %#v", session)
|
|
}
|
|
|
|
}
|
|
|
|
func TestGoogleProviderGetEmailAddressEmailMissing(t *testing.T) {
|
|
p := newGoogleProvider(t)
|
|
body, err := json.Marshal(redeemResponse{
|
|
AccessToken: "a1234",
|
|
IDToken: "ignored prefix." + base64.URLEncoding.EncodeToString([]byte(`{"not_email": "missing"}`)),
|
|
})
|
|
assert.Equal(t, nil, err)
|
|
var server *httptest.Server
|
|
p.RedeemURL, server = newRedeemServer(body)
|
|
defer server.Close()
|
|
|
|
session, err := p.Redeem(context.Background(), "http://redirect/", "code1234", "123")
|
|
assert.NotEqual(t, nil, err)
|
|
if session != nil {
|
|
t.Errorf("expect nill session %#v", session)
|
|
}
|
|
|
|
}
|
|
|
|
func TestGoogleProvider_userInGroup(t *testing.T) {
|
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch r.URL.Path {
|
|
case "/admin/directory/v1/groups/group@example.com/hasMember/member-in-domain@example.com":
|
|
fmt.Fprintln(w, `{"isMember":true}`)
|
|
case "/admin/directory/v1/groups/group@example.com/hasMember/non-member-in-domain@example.com":
|
|
fmt.Fprintln(w, `{"isMember":false}`)
|
|
case "/admin/directory/v1/groups/group@example.com/hasMember/member-out-of-domain@otherexample.com":
|
|
http.Error(
|
|
w,
|
|
`{"error":{"errors":[{"domain":"global","reason":"invalid","message":"Invalid Input: memberKey"}],"code":400,"message":"Invalid Input: memberKey"}}`,
|
|
http.StatusBadRequest,
|
|
)
|
|
case "/admin/directory/v1/groups/group@example.com/hasMember/non-member-out-of-domain@otherexample.com":
|
|
http.Error(
|
|
w,
|
|
`{"error":{"errors":[{"domain":"global","reason":"invalid","message":"Invalid Input: memberKey"}],"code":400,"message":"Invalid Input: memberKey"}}`,
|
|
http.StatusBadRequest,
|
|
)
|
|
case "/admin/directory/v1/groups/group@example.com/members/non-member-out-of-domain@otherexample.com":
|
|
// note that the client currently doesn't care what this response text or code is - any error here results in failure to match the group
|
|
http.Error(
|
|
w,
|
|
`{"kind":"admin#directory#member","etag":"12345","id":"1234567890","email":"member-out-of-domain@otherexample.com","role":"MEMBER","type":"USER","status":"ACTIVE","delivery_settings":"ALL_MAIL"}`,
|
|
http.StatusNotFound,
|
|
)
|
|
case "/admin/directory/v1/groups/group@example.com/members/member-out-of-domain@otherexample.com":
|
|
fmt.Fprintln(w,
|
|
`{"kind":"admin#directory#member","etag":"12345","id":"1234567890","email":"member-out-of-domain@otherexample.com","role":"MEMBER","type":"USER","status":"ACTIVE","delivery_settings":"ALL_MAIL"}`,
|
|
)
|
|
}
|
|
}))
|
|
defer ts.Close()
|
|
|
|
client := ts.Client()
|
|
ctx := context.Background()
|
|
|
|
service, err := admin.NewService(ctx, option.WithHTTPClient(client))
|
|
assert.NoError(t, err)
|
|
|
|
service.BasePath = ts.URL
|
|
|
|
result := userInGroup(service, "group@example.com", "member-in-domain@example.com")
|
|
assert.True(t, result)
|
|
|
|
result = userInGroup(service, "group@example.com", "member-out-of-domain@otherexample.com")
|
|
assert.True(t, result)
|
|
|
|
result = userInGroup(service, "group@example.com", "non-member-in-domain@example.com")
|
|
assert.False(t, result)
|
|
|
|
result = userInGroup(service, "group@example.com", "non-member-out-of-domain@otherexample.com")
|
|
assert.False(t, result)
|
|
}
|
|
|
|
func TestGoogleProvider_getUserGroups(t *testing.T) {
|
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/admin/directory/v1/groups" && r.URL.Query().Get("userKey") == "test@example.com" {
|
|
response := `{
|
|
"kind": "admin#directory#groups",
|
|
"groups": [
|
|
{
|
|
"kind": "admin#directory#group",
|
|
"id": "1",
|
|
"email": "group1@example.com",
|
|
"name": "Group 1"
|
|
},
|
|
{
|
|
"kind": "admin#directory#group",
|
|
"id": "2",
|
|
"email": "group2@example.com",
|
|
"name": "Group 2"
|
|
}
|
|
]
|
|
}`
|
|
fmt.Fprintln(w, response)
|
|
} else {
|
|
http.NotFound(w, r)
|
|
}
|
|
}))
|
|
defer ts.Close()
|
|
|
|
client := &http.Client{}
|
|
adminService, err := admin.NewService(context.Background(), option.WithHTTPClient(client), option.WithEndpoint(ts.URL))
|
|
assert.NoError(t, err)
|
|
|
|
groups, err := getUserGroups(adminService, "test@example.com")
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, []string{"group1@example.com", "group2@example.com"}, groups)
|
|
}
|
|
|
|
func TestGoogleProvider_getUserInfo(t *testing.T) {
|
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/admin/directory/v1/users/test@example.com" {
|
|
response := `{
|
|
"kind": "admin#directory#user",
|
|
"id": "",
|
|
"etag": "\"\"",
|
|
"primaryEmail": "test@example.com",
|
|
"name": {
|
|
"givenName": "Test",
|
|
"familyName": "User",
|
|
"fullName": "Test User"
|
|
},
|
|
"isAdmin": false,
|
|
"isDelegatedAdmin": false,
|
|
"lastLoginTime": "",
|
|
"creationTime": "",
|
|
"agreedToTerms": true,
|
|
"suspended": false,
|
|
"archived": false,
|
|
"changePasswordAtNextLogin": false,
|
|
"ipWhitelisted": false,
|
|
"emails": [
|
|
{
|
|
"address": "test@example.com",
|
|
"primary": true
|
|
}
|
|
],
|
|
"externalIds": [
|
|
{
|
|
"value": "test.user",
|
|
"type": "organization"
|
|
}
|
|
],
|
|
"organizations": [
|
|
],
|
|
"phones": [
|
|
],
|
|
"languages": [
|
|
{
|
|
"languageCode": "en",
|
|
"preference": "preferred"
|
|
}
|
|
],
|
|
"aliases": [
|
|
"test.user@example.com"
|
|
],
|
|
"nonEditableAliases": [
|
|
"test.user@example.com"
|
|
],
|
|
"gender": {
|
|
"type": "male"
|
|
},
|
|
"customerId": "",
|
|
"orgUnitPath": "/",
|
|
"isMailboxSetup": true,
|
|
"isEnrolledIn2Sv": true,
|
|
"isEnforcedIn2Sv": false,
|
|
"includeInGlobalAddressList": true,
|
|
"thumbnailPhotoUrl": "",
|
|
"thumbnailPhotoEtag": "\"\"",
|
|
"recoveryEmail": "test.user@gmail.com",
|
|
"recoveryPhone": "+55555555555"
|
|
}`
|
|
fmt.Fprintln(w, response)
|
|
} else {
|
|
http.NotFound(w, r)
|
|
}
|
|
}))
|
|
defer ts.Close()
|
|
|
|
client := &http.Client{}
|
|
adminService, err := admin.NewService(context.Background(), option.WithHTTPClient(client), option.WithEndpoint(ts.URL))
|
|
assert.NoError(t, err)
|
|
|
|
info, err := getUserInfo(adminService, "test@example.com")
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, "test.user", info)
|
|
}
|