barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2026-03-30 10:27:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

test: add proxy controller tests

Browse Source
This commit is contained in:
Stavros
2026-03-29 19:18:46 +03:00
parent c7bb6d61af
commit 15a3753622
1 changed files with 347 additions and 278 deletions
Download Patch File Download Diff File Expand all files Collapse all files

625
internal/controller/proxy_controller_test.go
View File

@@ -1,302 +1,371 @@
package controller_test package controller_test
import ( import (
"net/http"
"net/http/httptest" "net/http/httptest"
"os"
"testing" "testing"
"github.com/gin-gonic/gin"
"github.com/steveiliop56/tinyauth/internal/bootstrap" "github.com/steveiliop56/tinyauth/internal/bootstrap"
"github.com/steveiliop56/tinyauth/internal/config" "github.com/steveiliop56/tinyauth/internal/config"
"github.com/steveiliop56/tinyauth/internal/controller" "github.com/steveiliop56/tinyauth/internal/controller"
"github.com/steveiliop56/tinyauth/internal/repository" "github.com/steveiliop56/tinyauth/internal/repository"
"github.com/steveiliop56/tinyauth/internal/service" "github.com/steveiliop56/tinyauth/internal/service"
"github.com/steveiliop56/tinyauth/internal/utils/tlog"
"github.com/gin-gonic/gin" "github.com/stretchr/testify/assert"
"gotest.tools/v3/assert"
) )
var loggedInCtx = config.UserContext{ func TestProxyController(t *testing.T) {
Username: "test", authServiceCfg := service.AuthServiceConfig{
Name: "Test",
Email: "test@example.com",
IsLoggedIn: true,
Provider: "local",
}
func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
// Setup
gin.SetMode(gin.TestMode)
router := gin.Default()
if len(middlewares) > 0 {
for _, m := range middlewares {
router.Use(m)
}
}
group := router.Group("/api")
recorder := httptest.NewRecorder()
// Mock app
app := bootstrap.NewBootstrapApp(config.Config{})
// Database
db, err := app.SetupDatabase(":memory:")
assert.NilError(t, err)
// Queries
queries := repository.New(db)
// Docker
dockerService := service.NewDockerService()
assert.NilError(t, dockerService.Init())
// Access controls
accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{
"whoami": {
Path: config.AppPath{
Allow: "/allow",
},
},
})
assert.NilError(t, accessControlsService.Init())
// Auth service
authService := service.NewAuthService(service.AuthServiceConfig{
Users: []config.User{ Users: []config.User{
{ {
Username: "testuser", Username: "testuser",
Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa",
}, },
{ {
Username: "totpuser", Username: "totpuser",
Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa",
TotpSecret: "foo", TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
}, },
}, },
OauthWhitelist: []string{}, SessionExpiry: 10, // 10 seconds, useful for testing
SessionExpiry: 3600, CookieDomain: "example.com",
SessionMaxLifetime: 0, LoginTimeout: 10, // 10 seconds, useful for testing
SecureCookie: false, LoginMaxRetries: 3,
CookieDomain: "localhost", SessionCookieName: "tinyauth-session",
LoginTimeout: 300, }
LoginMaxRetries: 3,
SessionCookieName: "tinyauth-session",
}, dockerService, nil, queries, &service.OAuthBrokerService{})
// Controller controllerCfg := controller.ProxyControllerConfig{
ctrl := controller.NewProxyController(controller.ProxyControllerConfig{ AppURL: "https://tinyauth.example.com",
AppURL: "http://tinyauth.example.com", }
}, group, accessControlsService, authService)
ctrl.SetupRoutes()
return router, recorder acls := map[string]config.App{
} "app_path_allow": {
Config: config.AppConfig{
// TODO: Needs tests for context middleware Domain: "path-allow.example.com",
},
func TestProxyHandler(t *testing.T) { Path: config.AppPath{
// Test logged out user traefik/caddy (forward_auth) Allow: "/allowed",
router, recorder := setupProxyController(t, nil) },
},
req, err := http.NewRequest("GET", "/api/auth/traefik", nil) "app_user_allow": {
assert.NilError(t, err) Config: config.AppConfig{
Domain: "user-allow.example.com",
req.Header.Set("x-forwarded-host", "whoami.example.com") },
req.Header.Set("x-forwarded-proto", "http") Users: config.AppUsers{
req.Header.Set("x-forwarded-uri", "/") Allow: "testuser",
},
router.ServeHTTP(recorder, req) },
assert.Equal(t, recorder.Code, http.StatusUnauthorized) "ip_bypass": {
Config: config.AppConfig{
// Test logged out user nginx (auth_request) Domain: "ip-bypass.example.com",
router, recorder = setupProxyController(t, nil) },
IP: config.AppIP{
req, err = http.NewRequest("GET", "/api/auth/nginx", nil) Bypass: []string{"10.10.10.10"},
assert.NilError(t, err) },
},
req.Header.Set("x-original-url", "http://whoami.example.com/") }
router.ServeHTTP(recorder, req) const browserUserAgent = `
assert.Equal(t, recorder.Code, http.StatusUnauthorized) Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
// Test logged out user envoy (ext_authz) simpleCtx := func(c *gin.Context) {
router, recorder = setupProxyController(t, nil) c.Set("context", &config.UserContext{
Username: "testuser",
req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil) Name: "Testuser",
assert.NilError(t, err) Email: "testuser@example.com",
IsLoggedIn: true,
req.Host = "whoami.example.com" Provider: "local",
req.Header.Set("x-forwarded-proto", "http") })
c.Next()
router.ServeHTTP(recorder, req) }
assert.Equal(t, recorder.Code, http.StatusUnauthorized)
simpleCtxTotp := func(c *gin.Context) {
// Test logged in user traefik/caddy (forward_auth) c.Set("context", &config.UserContext{
router, recorder = setupProxyController(t, []gin.HandlerFunc{ Username: "totpuser",
func(c *gin.Context) { Name: "Totpuser",
c.Set("context", &loggedInCtx) Email: "totpuser@example.com",
c.Next() IsLoggedIn: true,
}, Provider: "local",
}) TotpEnabled: true,
})
req, err = http.NewRequest("GET", "/api/auth/traefik", nil) c.Next()
assert.NilError(t, err) }
req.Header.Set("x-forwarded-host", "whoami.example.com") type testCase struct {
req.Header.Set("x-forwarded-proto", "http") description string
req.Header.Set("x-forwarded-uri", "/") middlewares []gin.HandlerFunc
run func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
router.ServeHTTP(recorder, req) }
assert.Equal(t, recorder.Code, http.StatusOK)
tests := []testCase{
// Test logged in user nginx (auth_request) {
router, recorder = setupProxyController(t, []gin.HandlerFunc{ description: "Default forward auth should be detected and used",
func(c *gin.Context) { middlewares: []gin.HandlerFunc{},
c.Set("context", &loggedInCtx) run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
c.Next() req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
}, req.Header.Set("x-forwarded-host", "test.example.com")
}) req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-uri", "/")
req, err = http.NewRequest("GET", "/api/auth/nginx", nil) req.Header.Set("user-agent", browserUserAgent)
assert.NilError(t, err) router.ServeHTTP(recorder, req)
req.Header.Set("x-original-url", "http://whoami.example.com/") assert.Equal(t, 307, recorder.Code)
location := recorder.Header().Get("Location")
router.ServeHTTP(recorder, req) assert.Contains(t, location, "https://tinyauth.example.com/login?redirect_uri=")
assert.Equal(t, recorder.Code, http.StatusOK) assert.Contains(t, location, "https%3A%2F%2Ftest.example.com%2F")
},
// Test logged in user envoy (ext_authz) },
router, recorder = setupProxyController(t, []gin.HandlerFunc{ {
func(c *gin.Context) { description: "Auth request (nginx) should be detected and used",
c.Set("context", &loggedInCtx) middlewares: []gin.HandlerFunc{},
c.Next() run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
}, req := httptest.NewRequest("GET", "/api/auth/nginx", nil)
}) req.Header.Set("x-original-url", "https://test.example.com/")
router.ServeHTTP(recorder, req)
req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil) assert.Equal(t, 401, recorder.Code)
assert.NilError(t, err) },
},
req.Host = "whoami.example.com" {
req.Header.Set("x-forwarded-proto", "http") description: "Ext authz (envoy) should be detected and used",
middlewares: []gin.HandlerFunc{},
router.ServeHTTP(recorder, req) run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
assert.Equal(t, recorder.Code, http.StatusOK) req := httptest.NewRequest("HEAD", "/api/auth/envoy?path=/hello", nil) // test a different method for envoy
req.Host = "test.example.com"
// Test ACL allow caddy/traefik (forward_auth) req.Header.Set("x-forwarded-proto", "https")
router, recorder = setupProxyController(t, nil) router.ServeHTTP(recorder, req)
assert.Equal(t, 401, recorder.Code)
req, err = http.NewRequest("GET", "/api/auth/traefik", nil) },
assert.NilError(t, err) },
{
req.Header.Set("x-forwarded-host", "whoami.example.com") description: "Ensure forward auth fallback for nginx",
req.Header.Set("x-forwarded-proto", "http") middlewares: []gin.HandlerFunc{},
req.Header.Set("x-forwarded-uri", "/allow") run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("GET", "/api/auth/nginx", nil)
router.ServeHTTP(recorder, req) req.Header.Set("x-forwarded-host", "test.example.com")
assert.Equal(t, recorder.Code, http.StatusOK) req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-uri", "/")
// Test ACL allow nginx router.ServeHTTP(recorder, req)
router, recorder = setupProxyController(t, nil) assert.Equal(t, 401, recorder.Code)
},
req, err = http.NewRequest("GET", "/api/auth/nginx", nil) },
assert.NilError(t, err) {
description: "Ensure forward auth fallback for envoy",
req.Header.Set("x-original-url", "http://whoami.example.com/allow") middlewares: []gin.HandlerFunc{},
run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
router.ServeHTTP(recorder, req) req := httptest.NewRequest("HEAD", "/api/auth/envoy?path=/hello", nil)
assert.Equal(t, recorder.Code, http.StatusOK) req.Header.Set("x-forwarded-host", "test.example.com")
req.Header.Set("x-forwarded-proto", "https")
// Test ACL allow envoy req.Header.Set("x-forwarded-uri", "/hello")
router, recorder = setupProxyController(t, nil) router.ServeHTTP(recorder, req)
assert.Equal(t, 401, recorder.Code)
req, err = http.NewRequest("GET", "/api/auth/envoy?path=/allow", nil) },
assert.NilError(t, err) },
{
req.Host = "whoami.example.com" description: "Ensure normal authentication flow for forward auth",
req.Header.Set("x-forwarded-proto", "http") middlewares: []gin.HandlerFunc{
simpleCtx,
router.ServeHTTP(recorder, req) },
assert.Equal(t, recorder.Code, http.StatusOK) run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
// Test traefik/caddy (forward_auth) without required headers req.Header.Set("x-forwarded-host", "test.example.com")
router, recorder = setupProxyController(t, nil) req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-uri", "/")
req, err = http.NewRequest("GET", "/api/auth/traefik", nil) router.ServeHTTP(recorder, req)
assert.NilError(t, err)
assert.Equal(t, 200, recorder.Code)
router.ServeHTTP(recorder, req) assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
assert.Equal(t, recorder.Code, http.StatusBadRequest) assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
// Test nginx (forward_auth) without required headers },
router, recorder = setupProxyController(t, nil) },
{
req, err = http.NewRequest("GET", "/api/auth/nginx", nil) description: "Ensure normal authentication flow for nginx auth request",
assert.NilError(t, err) middlewares: []gin.HandlerFunc{
simpleCtx,
router.ServeHTTP(recorder, req) },
assert.Equal(t, recorder.Code, http.StatusBadRequest) run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("GET", "/api/auth/nginx", nil)
// Test envoy (forward_auth) without required headers req.Header.Set("x-original-url", "https://test.example.com/")
router, recorder = setupProxyController(t, nil) router.ServeHTTP(recorder, req)
req, err = http.NewRequest("GET", "/api/auth/envoy", nil) assert.Equal(t, 200, recorder.Code)
assert.NilError(t, err) assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
router.ServeHTTP(recorder, req) assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
assert.Equal(t, recorder.Code, http.StatusBadRequest) },
},
// Test nginx (auth_request) with forward_auth fallback with ACLs {
router, recorder = setupProxyController(t, nil) description: "Ensure normal authentication flow for envoy ext authz",
middlewares: []gin.HandlerFunc{
req, err = http.NewRequest("GET", "/api/auth/nginx", nil) simpleCtx,
assert.NilError(t, err) },
run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req.Header.Set("x-forwarded-host", "whoami.example.com") req := httptest.NewRequest("HEAD", "/api/auth/envoy?path=/hello", nil)
req.Header.Set("x-forwarded-proto", "http") req.Host = "test.example.com"
req.Header.Set("x-forwarded-uri", "/allow") req.Header.Set("x-forwarded-proto", "https")
router.ServeHTTP(recorder, req)
router.ServeHTTP(recorder, req)
assert.Equal(t, recorder.Code, http.StatusOK) assert.Equal(t, 200, recorder.Code)
assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
// Test envoy (ext_authz) with forward_auth fallback with ACLs assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
router, recorder = setupProxyController(t, nil) assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
},
req, err = http.NewRequest("GET", "/api/auth/envoy", nil) },
assert.NilError(t, err) {
description: "Ensure path allow ACL works on forward auth",
req.Header.Set("x-forwarded-host", "whoami.example.com") middlewares: []gin.HandlerFunc{},
req.Header.Set("x-forwarded-proto", "http") run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req.Header.Set("x-forwarded-uri", "/allow") req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
req.Header.Set("x-forwarded-host", "path-allow.example.com")
router.ServeHTTP(recorder, req) req.Header.Set("x-forwarded-proto", "https")
assert.Equal(t, recorder.Code, http.StatusOK) req.Header.Set("x-forwarded-uri", "/allowed")
router.ServeHTTP(recorder, req)
// Test envoy (ext_authz) with empty path assert.Equal(t, 200, recorder.Code)
router, recorder = setupProxyController(t, nil) },
},
req, err = http.NewRequest("GET", "/api/auth/envoy", nil) {
assert.NilError(t, err) description: "Ensure path allow ACL works on nginx auth request",
middlewares: []gin.HandlerFunc{},
req.Host = "whoami.example.com" run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req.Header.Set("x-forwarded-proto", "http") req := httptest.NewRequest("GET", "/api/auth/nginx", nil)
req.Header.Set("x-original-url", "https://path-allow.example.com/allowed")
router.ServeHTTP(recorder, req) router.ServeHTTP(recorder, req)
assert.Equal(t, recorder.Code, http.StatusUnauthorized) assert.Equal(t, 200, recorder.Code)
},
// Ensure forward_auth fallback works with path (should ignore) },
router, recorder = setupProxyController(t, nil) {
description: "Ensure path allow ACL works on envoy ext authz",
req, err = http.NewRequest("GET", "/api/auth/traefik?path=/allow", nil) middlewares: []gin.HandlerFunc{},
assert.NilError(t, err) run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("HEAD", "/api/auth/envoy?path=/allowed", nil)
req.Header.Set("x-forwarded-proto", "http") req.Host = "path-allow.example.com"
req.Header.Set("x-forwarded-host", "whoami.example.com") req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-uri", "/allow") router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
router.ServeHTTP(recorder, req) },
assert.Equal(t, recorder.Code, http.StatusOK) },
{
description: "Ensure ip bypass ACL works on forward auth",
middlewares: []gin.HandlerFunc{},
run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
req.Header.Set("x-forwarded-host", "ip-bypass.example.com")
req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-uri", "/")
req.Header.Set("x-forwarded-for", "10.10.10.10")
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
},
},
{
description: "Ensure ip bypass ACL works on nginx auth request",
middlewares: []gin.HandlerFunc{},
run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("GET", "/api/auth/nginx", nil)
req.Header.Set("x-original-url", "https://ip-bypass.example.com/")
req.Header.Set("x-forwarded-for", "10.10.10.10")
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
},
},
{
description: "Ensure ip bypass ACL works on envoy ext authz",
middlewares: []gin.HandlerFunc{},
run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("HEAD", "/api/auth/envoy?path=/hello", nil)
req.Host = "ip-bypass.example.com"
req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-for", "10.10.10.10")
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
},
},
{
description: "Ensure user allow ACL allows correct user (should allow testuer)",
middlewares: []gin.HandlerFunc{
simpleCtx,
},
run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
req.Header.Set("x-forwarded-host", "user-allow.example.com")
req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-uri", "/")
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
},
},
{
description: "Ensure user allow ACL blocks incorrect user (should block testuer)",
middlewares: []gin.HandlerFunc{
simpleCtxTotp,
},
run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
req.Header.Set("x-forwarded-host", "user-allow.example.com")
req.Header.Set("x-forwarded-proto", "https")
req.Header.Set("x-forwarded-uri", "/")
router.ServeHTTP(recorder, req)
assert.Equal(t, 403, recorder.Code)
assert.Equal(t, "", recorder.Header().Get("remote-user"))
assert.Equal(t, "", recorder.Header().Get("remote-name"))
assert.Equal(t, "", recorder.Header().Get("remote-email"))
},
},
}
tlog.NewSimpleLogger().Init()
oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
app := bootstrap.NewBootstrapApp(config.Config{})
db, err := app.SetupDatabase("/tmp/tinyauth_test.db")
assert.NoError(t, err)
queries := repository.New(db)
docker := service.NewDockerService()
err = docker.Init()
assert.NoError(t, err)
ldap := service.NewLdapService(service.LdapServiceConfig{})
err = ldap.Init()
assert.NoError(t, err)
broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
err = broker.Init()
assert.NoError(t, err)
authService := service.NewAuthService(authServiceCfg, docker, ldap, queries, broker)
err = authService.Init()
assert.NoError(t, err)
aclsService := service.NewAccessControlsService(docker, acls)
for _, test := range tests {
t.Run(test.description, func(t *testing.T) {
router := gin.Default()
for _, m := range test.middlewares {
router.Use(m)
}
group := router.Group("/api")
gin.SetMode(gin.TestMode)
recorder := httptest.NewRecorder()
proxyController := controller.NewProxyController(controllerCfg, group, aclsService, authService)
proxyController.SetupRoutes()
test.run(t, router, recorder)
})
}
err = db.Close()
assert.NoError(t, err)
err = os.Remove("/tmp/tinyauth_test.db")
assert.NoError(t, err)
} }