Add tests for the /exchange HTTP endpoint

e3651fe8 · ale · 8238fdff · e3651fe8 · e3651fe8
Commit e3651fe8 authored 5 years ago by ale
--- a/server/http_test.go
+++ b/server/http_test.go
@@ -158,12 +158,18 @@ func checkStatusOk(t testing.TB, resp *http.Response) {
 	}
 }

+func checkStatusForbidden(t testing.TB, resp *http.Response) {
+	if resp.StatusCode != 403 {
+		t.Fatalf("expected status 403, got %s", resp.Status)
+	}
+}
+
 func checkStatusNotFound(t testing.TB, resp *http.Response) {
 	if resp.StatusCode != 404 {
 		t.Fatalf("expected status 404, got %s", resp.Status)
 	}
-
 }
+
 func checkRedirectToTargetService(t testing.TB, resp *http.Response) {
 	if resp.StatusCode != 302 {
 		t.Fatalf("expected status 302, got %s", resp.Status)
@@ -260,6 +266,16 @@ func checkLogoutPage(t testing.TB, resp *http.Response) {
 	}
 }

+func extractSSOTicket(dest *string) func(testing.TB, *http.Response) {
+	return func(t testing.TB, resp *http.Response) {
+		u, err := url.Parse(resp.Header.Get("Location"))
+		if err != nil {
+			t.Fatalf("could not parse Location URL: %v", err)
+		}
+		*dest = u.Query().Get("t")
+	}
+}
+
 func TestHTTP_Login(t *testing.T) {
 	tmpdir, httpSrv, config := startTestHTTPServerWithConfig(t)
 	defer os.RemoveAll(tmpdir)
@@ -527,3 +543,45 @@ func TestHTTP_CORS(t *testing.T) {
 		t.Fatalf("Bad Access-Control-Allow-Origin returned to OPTIONS request: %s", s)
 	}
 }
+
+func TestHTTP_LoginAndExchange(t *testing.T) {
+	tmpdir, httpSrv := startTestHTTPServer(t)
+	defer os.RemoveAll(tmpdir)
+	defer httpSrv.Close()
+
+	c := newTestHTTPClient()
+
+	// Simulate an authorization request from a service, expect to
+	// see the login page.
+	v := make(url.Values)
+	v.Set("s", "service.example.com/")
+	v.Set("d", "https://service.example.com/admin/")
+	v.Set("n", "averysecretnonce")
+	doGet(t, c, httpSrv.URL+"/?"+v.Encode(), checkStatusOk, checkLoginPageURL, checkLoginPasswordPage)
+
+	// Attempt to login by submitting the form. We expect the
+	// result to be a 302 redirect to the target service.
+	v = make(url.Values)
+	v.Set("username", "testuser")
+	v.Set("password", "password")
+	var ssoTkt string
+	doPostForm(t, c, httpSrv.URL+"/login", v, checkRedirectToTargetService, extractSSOTicket(&ssoTkt))
+
+	// Make an exchange request for a new service.
+	v = make(url.Values)
+	v.Set("cur_tkt", ssoTkt)
+	v.Set("cur_svc", "service.example.com/")
+	v.Set("cur_nonce", "averysecretnonce")
+	v.Set("new_svc", "service2.example.com/")
+	v.Set("new_nonce", "anothernonce")
+	doPostForm(t, c, httpSrv.URL+"/exchange", v, checkStatusOk)
+
+	// Make an exchange request for a forbidden service.
+	v = make(url.Values)
+	v.Set("cur_tkt", ssoTkt)
+	v.Set("cur_svc", "service.example.com/")
+	v.Set("cur_nonce", "averysecretnonce")
+	v.Set("new_svc", "service3.example.com/")
+	v.Set("new_nonce", "anothernonce")
+	doPostForm(t, c, httpSrv.URL+"/exchange", v, checkStatusForbidden)
+}
--- a/server/service_test.go
+++ b/server/service_test.go
@@ -39,9 +39,10 @@ domain: example.com
 allowed_services:
  - "^service\\.example\\.com/$"
  - "^service2\\.example\\.com/$"
+  - "^service3\\.example\\.com/$"
 allowed_exchanges:
  - src_regexp: "^service\\.example\\.com/$"
-    dst_regexp: "\\.example\\.com/.*$"
+    dst_regexp: "^service2\\.example\\.com/$"
 allowed_cors_origins:
  - "https://origin.example.com"
 service_ttls:
@@ -139,9 +140,10 @@ func TestLoginService_Exchange(t *testing.T) {
 		service, destination string
 		ok                   bool
 	}{
+		{"service.example.com/", "service.example.com/", false},
 		{"service.example.com/", "service2.example.com/", true},
+		{"service.example.com/", "service3.example.com/", false},
 		{"service.example.com/", "bad-service.another.com/", false},
-		{"service.example.com/", "service.example.com/", true}, // self-exchange??
 	}

 	for _, td := range testdata {