feat(server): customizable authz endpoints (#4296)

This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
author: James Elliott <james-d-elliott@users.noreply.github.com> 2023-01-25 20:36:40 +1100
committer: GitHub <noreply@github.com> 2023-01-25 20:36:40 +1100
commit: 65705a646dfd31e4477af3ffb35c584eb49346a4 (patch)
tree: 882b5df73348c5fc6471e57ef6787c4b04cb68f4 /internal/handlers/handler_authz_impl_authrequest_test.go
parent: 78064dec2e9b48308b71ff8862b27e6f8ded5d56 (diff)
1 files changed, 456 insertions, 0 deletions
diff --git a/internal/handlers/handler_authz_impl_authrequest_test.go b/internal/handlers/handler_authz_impl_authrequest_test.go
new file mode 100644
index 000000000..6f4a1d8b4
--- /dev/null
+++ b/internal/handlers/handler_authz_impl_authrequest_test.go
@@ -0,0 +1,456 @@
+package handlers
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+	"github.com/valyala/fasthttp"
+
+	"github.com/authelia/authelia/v4/internal/authorization"
+	"github.com/authelia/authelia/v4/internal/middlewares"
+	"github.com/authelia/authelia/v4/internal/mocks"
+	"github.com/authelia/authelia/v4/internal/session"
+)
+
+func TestRunAuthRequestAuthzSuite(t *testing.T) {
+	suite.Run(t, NewAuthRequestAuthzSuite())
+}
+
+func NewAuthRequestAuthzSuite() *AuthRequestAuthzSuite {
+	return &AuthRequestAuthzSuite{
+		AuthzSuite: &AuthzSuite{
+			implementation: AuthzImplAuthRequest,
+			setRequest:     setRequestAuthRequest,
+		},
+	}
+}
+
+type AuthRequestAuthzSuite struct {
+	*AuthzSuite
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldHandleAllMethodsDeny() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("OriginalMethod%s", method), func(t *testing.T) {
+			for _, targetURI := range []*url.URL{
+				s.RequireParseRequestURI("https://one-factor.example.com"),
+				s.RequireParseRequestURI("https://one-factor.example.com/subpath"),
+				s.RequireParseRequestURI("https://one-factor.example2.com"),
+				s.RequireParseRequestURI("https://one-factor.example2.com/subpath"),
+			} {
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					s.setRequest(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldHandleInvalidMethodCharsDeny() {
+	for _, method := range testRequestMethods {
+		method += "z"
+
+		s.T().Run(fmt.Sprintf("OriginalMethod%s", method), func(t *testing.T) {
+			for _, targetURI := range []*url.URL{
+				s.RequireParseRequestURI("https://bypass.example.com"),
+				s.RequireParseRequestURI("https://bypass.example.com/subpath"),
+				s.RequireParseRequestURI("https://bypass.example2.com"),
+				s.RequireParseRequestURI("https://bypass.example2.com/subpath"),
+			} {
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					s.setRequest(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldHandleMissingXOriginalMethodDeny() {
+	for _, targetURI := range []*url.URL{
+		s.RequireParseRequestURI("https://bypass.example.com"),
+		s.RequireParseRequestURI("https://bypass.example.com/subpath"),
+		s.RequireParseRequestURI("https://bypass.example2.com"),
+		s.RequireParseRequestURI("https://bypass.example2.com/subpath"),
+	} {
+		s.T().Run(targetURI.String(), func(t *testing.T) {
+			authz := s.Builder().Build()
+
+			mock := mocks.NewMockAutheliaCtx(t)
+
+			defer mock.Close()
+
+			s.setRequest(mock.Ctx, "", targetURI, true, false)
+
+			authz.Handler(mock.Ctx)
+
+			assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+			assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldHandleMissingXOriginalURLDeny() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("OriginalMethod%s", method), func(t *testing.T) {
+			authz := s.Builder().Build()
+
+			mock := mocks.NewMockAutheliaCtx(t)
+
+			defer mock.Close()
+
+			s.setRequest(mock.Ctx, method, nil, true, false)
+
+			authz.Handler(mock.Ctx)
+
+			assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+			assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldHandleAllMethodsAllow() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("OriginalMethod%s", method), func(t *testing.T) {
+			for _, targetURI := range []*url.URL{
+				s.RequireParseRequestURI("https://bypass.example.com"),
+				s.RequireParseRequestURI("https://bypass.example.com/subpath"),
+				s.RequireParseRequestURI("https://bypass.example2.com"),
+				s.RequireParseRequestURI("https://bypass.example2.com/subpath"),
+			} {
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					s.setRequest(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, fasthttp.StatusOK, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldHandleAllMethodsWithMethodsACL() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("Method%s", method), func(t *testing.T) {
+			for _, methodACL := range testRequestMethods {
+				targetURI := s.RequireParseRequestURI(fmt.Sprintf("https://bypass-%s.example.com", strings.ToLower(methodACL)))
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					for i, cookie := range mock.Ctx.Configuration.Session.Cookies {
+						mock.Ctx.Configuration.Session.Cookies[i].AutheliaURL = s.RequireParseRequestURI(fmt.Sprintf("https://auth.%s", cookie.Domain))
+					}
+
+					mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)
+
+					s.setRequest(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					if method == methodACL {
+						assert.Equal(t, fasthttp.StatusOK, mock.Ctx.Response.StatusCode())
+						assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+					} else {
+						assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+						assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+					}
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
+	testCases := []struct {
+		name     string
+		uri      []byte
+		expected int
+	}{
+		{"Should401UnauthorizedWithNullByte",
+			[]byte{104, 116, 116, 112, 115, 58, 47, 47, 0, 110, 111, 116, 45, 111, 110, 101, 45, 102, 97, 99, 116, 111, 114, 46, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109},
+			fasthttp.StatusUnauthorized,
+		},
+		{"Should200OkWithoutNullByte",
+			[]byte{104, 116, 116, 112, 115, 58, 47, 47, 110, 111, 116, 45, 111, 110, 101, 45, 102, 97, 99, 116, 111, 114, 46, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109},
+			fasthttp.StatusOK,
+		},
+	}
+
+	for _, tc := range testCases {
+		s.T().Run(tc.name, func(t *testing.T) {
+			for _, method := range testRequestMethods {
+				t.Run(fmt.Sprintf("OriginalMethod%s", method), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					mock.Ctx.Configuration.AccessControl.DefaultPolicy = testBypass
+					mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&mock.Ctx.Configuration)
+
+					mock.Ctx.Request.Header.Set(testXOriginalMethod, method)
+					mock.Ctx.Request.Header.SetBytesKV([]byte(testXOriginalUrl), tc.uri)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, tc.expected, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldNotHandleExtAuthzAllMethodsAllow() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("Method%s", method), func(t *testing.T) {
+			for _, targetURI := range []*url.URL{
+				s.RequireParseRequestURI("https://bypass.example.com"),
+				s.RequireParseRequestURI("https://bypass.example.com/subpath"),
+				s.RequireParseRequestURI("https://bypass.example2.com"),
+				s.RequireParseRequestURI("https://bypass.example2.com/subpath"),
+			} {
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					for i, cookie := range mock.Ctx.Configuration.Session.Cookies {
+						mock.Ctx.Configuration.Session.Cookies[i].AutheliaURL = s.RequireParseRequestURI(fmt.Sprintf("https://auth.%s", cookie.Domain))
+					}
+
+					mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)
+
+					setRequestExtAuthz(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldNotHandleExtAuthzAllMethodsAllowXHR() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("Method%s", method), func(t *testing.T) {
+			for xname, x := range testXHR {
+				t.Run(xname, func(t *testing.T) {
+					for _, targetURI := range []*url.URL{
+						s.RequireParseRequestURI("https://bypass.example.com"),
+						s.RequireParseRequestURI("https://bypass.example.com/subpath"),
+						s.RequireParseRequestURI("https://bypass.example2.com"),
+						s.RequireParseRequestURI("https://bypass.example2.com/subpath"),
+					} {
+						t.Run(targetURI.String(), func(t *testing.T) {
+							authz := s.Builder().Build()
+
+							mock := mocks.NewMockAutheliaCtx(t)
+
+							defer mock.Close()
+
+							for i, cookie := range mock.Ctx.Configuration.Session.Cookies {
+								mock.Ctx.Configuration.Session.Cookies[i].AutheliaURL = s.RequireParseRequestURI(fmt.Sprintf("https://auth.%s", cookie.Domain))
+							}
+
+							mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)
+
+							setRequestExtAuthz(mock.Ctx, method, targetURI, x, x)
+
+							authz.Handler(mock.Ctx)
+
+							assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+							assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+						})
+					}
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldNotHandleExtAuthzAllMethodsWithMethodsACL() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("Method%s", method), func(t *testing.T) {
+			for _, methodACL := range testRequestMethods {
+				targetURI := s.RequireParseRequestURI(fmt.Sprintf("https://bypass-%s.example.com", strings.ToLower(methodACL)))
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					for i, cookie := range mock.Ctx.Configuration.Session.Cookies {
+						mock.Ctx.Configuration.Session.Cookies[i].AutheliaURL = s.RequireParseRequestURI(fmt.Sprintf("https://auth.%s", cookie.Domain))
+					}
+
+					mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)
+
+					setRequestExtAuthz(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldNotHandleForwardAuthAllMethodsAllow() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("Method%s", method), func(t *testing.T) {
+			for _, targetURI := range []*url.URL{
+				s.RequireParseRequestURI("https://bypass.example.com"),
+				s.RequireParseRequestURI("https://bypass.example.com/subpath"),
+				s.RequireParseRequestURI("https://bypass.example2.com"),
+				s.RequireParseRequestURI("https://bypass.example2.com/subpath"),
+			} {
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					for i, cookie := range mock.Ctx.Configuration.Session.Cookies {
+						mock.Ctx.Configuration.Session.Cookies[i].AutheliaURL = s.RequireParseRequestURI(fmt.Sprintf("https://auth.%s", cookie.Domain))
+					}
+
+					mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)
+
+					setRequestForwardAuth(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldNotHandleForwardAuthAllMethodsAllowXHR() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("Method%s", method), func(t *testing.T) {
+			for xname, x := range testXHR {
+				t.Run(xname, func(t *testing.T) {
+					for _, targetURI := range []*url.URL{
+						s.RequireParseRequestURI("https://bypass.example.com"),
+						s.RequireParseRequestURI("https://bypass.example.com/subpath"),
+						s.RequireParseRequestURI("https://bypass.example2.com"),
+						s.RequireParseRequestURI("https://bypass.example2.com/subpath"),
+					} {
+						t.Run(targetURI.String(), func(t *testing.T) {
+							authz := s.Builder().Build()
+
+							mock := mocks.NewMockAutheliaCtx(t)
+
+							defer mock.Close()
+
+							for i, cookie := range mock.Ctx.Configuration.Session.Cookies {
+								mock.Ctx.Configuration.Session.Cookies[i].AutheliaURL = s.RequireParseRequestURI(fmt.Sprintf("https://auth.%s", cookie.Domain))
+							}
+
+							mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)
+
+							setRequestForwardAuth(mock.Ctx, method, targetURI, x, x)
+
+							authz.Handler(mock.Ctx)
+
+							assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+							assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+						})
+					}
+				})
+			}
+		})
+	}
+}
+
+func (s *AuthRequestAuthzSuite) TestShouldNotHandleForwardAuthAllMethodsWithMethodsACL() {
+	for _, method := range testRequestMethods {
+		s.T().Run(fmt.Sprintf("Method%s", method), func(t *testing.T) {
+			for _, methodACL := range testRequestMethods {
+				targetURI := s.RequireParseRequestURI(fmt.Sprintf("https://bypass-%s.example.com", strings.ToLower(methodACL)))
+				t.Run(targetURI.String(), func(t *testing.T) {
+					authz := s.Builder().Build()
+
+					mock := mocks.NewMockAutheliaCtx(t)
+
+					defer mock.Close()
+
+					for i, cookie := range mock.Ctx.Configuration.Session.Cookies {
+						mock.Ctx.Configuration.Session.Cookies[i].AutheliaURL = s.RequireParseRequestURI(fmt.Sprintf("https://auth.%s", cookie.Domain))
+					}
+
+					mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)
+
+					setRequestForwardAuth(mock.Ctx, method, targetURI, true, false)
+
+					authz.Handler(mock.Ctx)
+
+					assert.Equal(t, fasthttp.StatusUnauthorized, mock.Ctx.Response.StatusCode())
+					assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek(fasthttp.HeaderLocation))
+				})
+			}
+		})
+	}
+}
+
+func setRequestAuthRequest(ctx *middlewares.AutheliaCtx, method string, targetURI *url.URL, accept, xhr bool) {
+	if method != "" {
+		ctx.Request.Header.Set(testXOriginalMethod, method)
+	}
+
+	if targetURI != nil {
+		ctx.Request.Header.Set(testXOriginalUrl, targetURI.String())
+	}
+
+	setRequestXHRValues(ctx, accept, xhr)
+}
author	James Elliott <james-d-elliott@users.noreply.github.com>	2023-01-25 20:36:40 +1100
committer	GitHub <noreply@github.com>	2023-01-25 20:36:40 +1100
commit	65705a646dfd31e4477af3ffb35c584eb49346a4 (patch)
tree	882b5df73348c5fc6471e57ef6787c4b04cb68f4 /internal/handlers/handler_authz_impl_authrequest_test.go
parent	78064dec2e9b48308b71ff8862b27e6f8ded5d56 (diff)