Commit e3651fe8 authored by ale's avatar ale

Add tests for the /exchange HTTP endpoint

parent 8238fdff
Pipeline #5406 passed with stages
in 2 minutes and 59 seconds
......@@ -158,12 +158,18 @@ func checkStatusOk(t testing.TB, resp *http.Response) {
}
}
func checkStatusForbidden(t testing.TB, resp *http.Response) {
if resp.StatusCode != 403 {
t.Fatalf("expected status 403, got %s", resp.Status)
}
}
func checkStatusNotFound(t testing.TB, resp *http.Response) {
if resp.StatusCode != 404 {
t.Fatalf("expected status 404, got %s", resp.Status)
}
}
func checkRedirectToTargetService(t testing.TB, resp *http.Response) {
if resp.StatusCode != 302 {
t.Fatalf("expected status 302, got %s", resp.Status)
......@@ -260,6 +266,16 @@ func checkLogoutPage(t testing.TB, resp *http.Response) {
}
}
func extractSSOTicket(dest *string) func(testing.TB, *http.Response) {
return func(t testing.TB, resp *http.Response) {
u, err := url.Parse(resp.Header.Get("Location"))
if err != nil {
t.Fatalf("could not parse Location URL: %v", err)
}
*dest = u.Query().Get("t")
}
}
func TestHTTP_Login(t *testing.T) {
tmpdir, httpSrv, config := startTestHTTPServerWithConfig(t)
defer os.RemoveAll(tmpdir)
......@@ -527,3 +543,45 @@ func TestHTTP_CORS(t *testing.T) {
t.Fatalf("Bad Access-Control-Allow-Origin returned to OPTIONS request: %s", s)
}
}
func TestHTTP_LoginAndExchange(t *testing.T) {
tmpdir, httpSrv := startTestHTTPServer(t)
defer os.RemoveAll(tmpdir)
defer httpSrv.Close()
c := newTestHTTPClient()
// Simulate an authorization request from a service, expect to
// see the login page.
v := make(url.Values)
v.Set("s", "service.example.com/")
v.Set("d", "https://service.example.com/admin/")
v.Set("n", "averysecretnonce")
doGet(t, c, httpSrv.URL+"/?"+v.Encode(), checkStatusOk, checkLoginPageURL, checkLoginPasswordPage)
// Attempt to login by submitting the form. We expect the
// result to be a 302 redirect to the target service.
v = make(url.Values)
v.Set("username", "testuser")
v.Set("password", "password")
var ssoTkt string
doPostForm(t, c, httpSrv.URL+"/login", v, checkRedirectToTargetService, extractSSOTicket(&ssoTkt))
// Make an exchange request for a new service.
v = make(url.Values)
v.Set("cur_tkt", ssoTkt)
v.Set("cur_svc", "service.example.com/")
v.Set("cur_nonce", "averysecretnonce")
v.Set("new_svc", "service2.example.com/")
v.Set("new_nonce", "anothernonce")
doPostForm(t, c, httpSrv.URL+"/exchange", v, checkStatusOk)
// Make an exchange request for a forbidden service.
v = make(url.Values)
v.Set("cur_tkt", ssoTkt)
v.Set("cur_svc", "service.example.com/")
v.Set("cur_nonce", "averysecretnonce")
v.Set("new_svc", "service3.example.com/")
v.Set("new_nonce", "anothernonce")
doPostForm(t, c, httpSrv.URL+"/exchange", v, checkStatusForbidden)
}
......@@ -39,9 +39,10 @@ domain: example.com
allowed_services:
- "^service\\.example\\.com/$"
- "^service2\\.example\\.com/$"
- "^service3\\.example\\.com/$"
allowed_exchanges:
- src_regexp: "^service\\.example\\.com/$"
dst_regexp: "\\.example\\.com/.*$"
dst_regexp: "^service2\\.example\\.com/$"
allowed_cors_origins:
- "https://origin.example.com"
service_ttls:
......@@ -139,9 +140,10 @@ func TestLoginService_Exchange(t *testing.T) {
service, destination string
ok bool
}{
{"service.example.com/", "service.example.com/", false},
{"service.example.com/", "service2.example.com/", true},
{"service.example.com/", "service3.example.com/", false},
{"service.example.com/", "bad-service.another.com/", false},
{"service.example.com/", "service.example.com/", true}, // self-exchange??
}
for _, td := range testdata {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment