| author | Manuel Nuñez <10672208+mind-ar@users.noreply.github.com> | 2023-01-12 07:57:44 -0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-12 21:57:44 +1100 |
| commit | 8b29cf7ee849fa39aa211912e95b777a64bed7e3 (patch) | |
| tree | 3e1f759046426514840ae41e4a72be2dfb616ece /internal/handlers/handler_verify_test.go | |
| parent | ad1a8042fd66cedc71413201017b1f6d73f9a9be (diff) | |
feat(session): multiple session cookie domains (#3754)
This adds support to configure multiple session cookie domains.
Closes #1198
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Diffstat (limited to 'internal/handlers/handler_verify_test.go')
| -rw-r--r-- | internal/handlers/handler_verify_test.go | 100 |
1 files changed, 31 insertions, 69 deletions
diff --git a/internal/handlers/handler_verify_test.go b/internal/handlers/handler_verify_test.go index 518ac7ec0..20cbf8f22 100644 --- a/internal/handlers/handler_verify_test.go +++ b/internal/handlers/handler_verify_test.go @@ -43,6 +43,8 @@ func TestShouldRaiseWhenTargetUrlIsMalformed(t *testing.T) { func TestShouldRaiseWhenNoHeaderProvidedToDetectTargetURL(t *testing.T) { mock := mocks.NewMockAutheliaCtx(t) + mock.Ctx.Request.Header.Del("X-Forwarded-Host") + defer mock.Close() _, err := mock.Ctx.GetOriginalURL() assert.Error(t, err) @@ -53,6 +55,7 @@ func TestShouldRaiseWhenNoXForwardedHostHeaderProvidedToDetectTargetURL(t *testi mock := mocks.NewMockAutheliaCtx(t) defer mock.Close() + mock.Ctx.Request.Header.Del("X-Forwarded-Host") mock.Ctx.Request.Header.Set("X-Forwarded-Proto", "https") _, err := mock.Ctx.GetOriginalURL() assert.Error(t, err) @@ -162,7 +165,7 @@ func TestShouldCheckAuthorizationMatching(t *testing.T) { username = testUsername } - matching := isTargetURLAuthorized(authorizer, *u, username, []string{}, net.ParseIP("127.0.0.1"), []byte("GET"), rule.AuthLevel) + matching := isTargetURLAuthorized(authorizer, u, username, []string{}, net.ParseIP("127.0.0.1"), []byte("GET"), rule.AuthLevel) assert.Equal(t, rule.ExpectedMatching, matching, "policy=%s, authLevel=%v, expected=%v, actual=%v", rule.Policy, rule.AuthLevel, rule.ExpectedMatching, matching) } @@ -510,7 +513,6 @@ func TestShouldNotCrashOnEmptyEmail(t *testing.T) { userSession.AuthenticationLevel = authentication.OneFactor userSession.RefreshTTL = mock.Clock.Now().Add(5 * time.Minute) - fmt.Printf("Time is %v\n", userSession.RefreshTTL) err := mock.Ctx.SaveSession(userSession) require.NoError(t, err) 
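Review bot: The added `mock.Ctx.Request.Header.Del("X-Forwarded-Host")` in TestShouldRaiseWhenNoHeaderProvidedToDetectTargetURL only makes sense if the mock now seeds that header by default, which this hunk does not show, so a one-line comment would spare the next reader from guessing: `// The mock seeds X-Forwarded-Host by default; drop it so no header can identify the target URL.` If the mock also seeds X-Forwarded-Proto or X-Original-URL, this test no longer exercises the "no header" path it is named for and those headers should be deleted too — worth confirming against the mock constructor. The second hunk (TestShouldRaiseWhenNoXForwardedHostHeaderProvidedToDetectTargetURL) has the same dependency on the mock's default headers and would benefit from the same comment.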
@@ -663,32 +665,33 @@ func TestShouldVerifyAuthorizationsUsingSessionCookie(t *testing.T) { {"https://deny.example.com", "john", []string{"john.doe@example.com"}, authentication.TwoFactor, 403}, } - for _, testCase := range testCases { - testCase := testCase - t.Run(testCase.String(), func(t *testing.T) { + for i, tc := range testCases { + t.Run(tc.String(), func(t *testing.T) { mock := mocks.NewMockAutheliaCtx(t) defer mock.Close() mock.Clock.Set(time.Now()) + mock.Ctx.Request.Header.Set("X-Original-URL", tc.URL) + userSession := mock.Ctx.GetSession() - userSession.Username = testCase.Username - userSession.Emails = testCase.Emails - userSession.AuthenticationLevel = testCase.AuthenticationLevel + userSession.Username = tc.Username + userSession.Emails = tc.Emails + userSession.AuthenticationLevel = tc.AuthenticationLevel userSession.RefreshTTL = mock.Clock.Now().Add(5 * time.Minute) err := mock.Ctx.SaveSession(userSession) require.NoError(t, err) - mock.Ctx.Request.Header.Set("X-Original-URL", testCase.URL) - VerifyGET(verifyGetCfg)(mock.Ctx) - expStatus, actualStatus := testCase.ExpectedStatusCode, mock.Ctx.Response.StatusCode() + expStatus, actualStatus := tc.ExpectedStatusCode, mock.Ctx.Response.StatusCode() assert.Equal(t, expStatus, actualStatus, "URL=%s -> AuthLevel=%d, StatusCode=%d != ExpectedStatusCode=%d", - testCase.URL, testCase.AuthenticationLevel, actualStatus, expStatus) + tc.URL, tc.AuthenticationLevel, actualStatus, expStatus) - if testCase.ExpectedStatusCode == 200 && testCase.Username != "" { - assert.Equal(t, []byte(testCase.Username), mock.Ctx.Response.Header.Peek("Remote-User")) + fmt.Println(i) + if tc.ExpectedStatusCode == 200 && tc.Username != "" { + assert.Equal(t, tc.ExpectedStatusCode, mock.Ctx.Response.StatusCode()) + assert.Equal(t, []byte(tc.Username), mock.Ctx.Response.Header.Peek("Remote-User")) assert.Equal(t, []byte("john.doe@example.com"), mock.Ctx.Response.Header.Peek("Remote-Email")) } else { assert.Equal(t, []byte(nil), 
mock.Ctx.Response.Header.Peek("Remote-User")) @@ -706,10 +709,12 @@ func TestShouldDestroySessionWhenInactiveForTooLong(t *testing.T) { clock.Set(time.Now()) past := clock.Now().Add(-1 * time.Hour) - mock.Ctx.Configuration.Session.Inactivity = testInactivity + mock.Ctx.Configuration.Session.Cookies[0].Inactivity = testInactivity // Reload the session provider since the configuration is indirect. mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil) - assert.Equal(t, time.Second*10, mock.Ctx.Providers.SessionProvider.Inactivity) + assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity) + + mock.Ctx.Request.Header.Set("X-Original-URL", "https://two-factor.example.com") userSession := mock.Ctx.GetSession() userSession.Username = testUsername @@ -719,8 +724,6 @@ func TestShouldDestroySessionWhenInactiveForTooLong(t *testing.T) { err := mock.Ctx.SaveSession(userSession) require.NoError(t, err) - mock.Ctx.Request.Header.Set("X-Original-URL", "https://two-factor.example.com") - VerifyGET(verifyGetCfg)(mock.Ctx) // The session has been destroyed. @@ -739,10 +742,10 @@ func TestShouldDestroySessionWhenInactiveForTooLongUsingDurationNotation(t *test clock := utils.TestingClock{} clock.Set(time.Now()) - mock.Ctx.Configuration.Session.Inactivity = time.Second * 10 + mock.Ctx.Configuration.Session.Cookies[0].Inactivity = time.Second * 10 // Reload the session provider since the configuration is indirect. mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil) - assert.Equal(t, time.Second*10, mock.Ctx.Providers.SessionProvider.Inactivity) + assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity) userSession := mock.Ctx.GetSession() userSession.Username = testUsername 
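Review bot: `fmt.Println(i)` in the TestShouldVerifyAuthorizationsUsingSessionCookie subtest is a leftover debug print and should be removed, especially since the same commit deletes an equivalent `fmt.Printf` from TestShouldNotCrashOnEmptyEmail. The new `assert.Equal(t, tc.ExpectedStatusCode, mock.Ctx.Response.StatusCode())` inside the `if` duplicates the status assertion already made a few lines above with a richer message, so it adds nothing and can go too. Dropping the `testCase := testCase` shadow is safe only while these subtests stay synchronous; if anyone later adds `t.Parallel()` under a pre-1.22 toolchain the closures will share one loop variable, so a short `// subtests are not parallel; no loop-variable copy needed` would guard against that. The enclosing test function begins and ends outside this hunk.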
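Review bot: In TestShouldDestroySessionWhenInactiveForTooLong the rewritten `assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity)` now checks the value the test itself assigned two lines earlier, so it can never fail and no longer proves that `session.NewProvider` picked up the per-cookie inactivity. Either drop the line or assert against whatever the rebuilt provider exposes for that cookie domain, so the "Reload the session provider" comment still has a check behind it. Moving `X-Original-URL` ahead of `mock.Ctx.GetSession()` suggests session lookup is now keyed by the request's target URL; if so, a companion test that saves a session under one configured domain and then presents a request for another (expecting no session) would pin the isolation this feature relies on — that is inferred from the reordering, not shown here. The function starts outside this hunk.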
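Review bot: TestShouldDestroySessionWhenInactiveForTooLongUsingDurationNotation has the same tautological `assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity)` as the previous hunk: it re-reads the field the test just set rather than anything derived from the reloaded provider. Replace it with a provider-side check or remove it, otherwise the reload is untested.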
@@ -768,7 +771,7 @@ func TestShouldKeepSessionWhenUserCheckedRememberMeAndIsInactiveForTooLong(t *te mock.Clock.Set(time.Now()) - mock.Ctx.Configuration.Session.Inactivity = testInactivity + mock.Ctx.Configuration.Session.Cookies[0].Inactivity = testInactivity userSession := mock.Ctx.GetSession() userSession.Username = testUsername @@ -800,7 +803,7 @@ func TestShouldKeepSessionWhenInactivityTimeoutHasNotBeenExceeded(t *testing.T) mock.Clock.Set(time.Now()) - mock.Ctx.Configuration.Session.Inactivity = testInactivity + mock.Ctx.Configuration.Session.Cookies[0].Inactivity = testInactivity past := mock.Clock.Now().Add(-1 * time.Hour) @@ -836,10 +839,10 @@ func TestShouldRedirectWhenSessionInactiveForTooLongAndRDParamProvided(t *testin clock := utils.TestingClock{} clock.Set(time.Now()) - mock.Ctx.Configuration.Session.Inactivity = testInactivity + mock.Ctx.Configuration.Session.Cookies[0].Inactivity = testInactivity // Reload the session provider since the configuration is indirect. mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil) - assert.Equal(t, time.Second*10, mock.Ctx.Providers.SessionProvider.Inactivity) + assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity) past := clock.Now().Add(-1 * time.Hour) @@ -899,7 +902,7 @@ func TestShouldUpdateInactivityTimestampEvenWhenHittingForbiddenResources(t *tes mock.Clock.Set(time.Now()) - mock.Ctx.Configuration.Session.Inactivity = testInactivity + mock.Ctx.Configuration.Session.Cookies[0].Inactivity = testInactivity past := mock.Clock.Now().Add(-1 * time.Hour) 
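Review bot: In TestShouldKeepSessionWhenUserCheckedRememberMeAndIsInactiveForTooLong the hunk sets `mock.Ctx.Configuration.Session.Cookies[0].Inactivity = testInactivity` without the `session.NewProvider(...)` reload that the sibling tests in this file perform and explain with "the configuration is indirect". If the provider snapshots the cookie settings at construction (which that comment implies), this assignment is a no-op and the test passes for the wrong reason; the same applies to the TestShouldKeepSessionWhenInactivityTimeoutHasNotBeenExceeded and TestShouldUpdateInactivityTimestampEvenWhenHittingForbiddenResources hunks below. If the reload happens outside the visible lines, a comment saying so would settle it; otherwise add `mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil)` after the assignment. Each of these functions begins and ends outside its hunk.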
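Review bot: TestShouldRedirectWhenSessionInactiveForTooLongAndRDParamProvided repeats the pattern where `assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity)` checks the value assigned a few lines earlier, so it cannot detect a provider that ignores the new per-cookie setting. Drop it or assert on the reloaded provider instead.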
@@ -974,47 +977,6 @@ func TestShouldURLEncodeRedirectionHeader(t *testing.T) { string(mock.Ctx.Response.Body())) } -func TestIsDomainProtected(t *testing.T) { - GetURL := func(u string) *url.URL { - x, err := url.ParseRequestURI(u) - require.NoError(t, err) - - return x - } - - assert.True(t, isURLUnderProtectedDomain( - GetURL("http://mytest.example.com/abc/?query=abc"), "example.com")) - - assert.True(t, isURLUnderProtectedDomain( - GetURL("http://example.com/abc/?query=abc"), "example.com")) - - assert.True(t, isURLUnderProtectedDomain( - GetURL("https://mytest.example.com/abc/?query=abc"), "example.com")) - - // Cookies readable by a service on a machine is also readable by a service on the same machine - // with a different port as mentioned in https://tools.ietf.org/html/rfc6265#section-8.5. - assert.True(t, isURLUnderProtectedDomain( - GetURL("https://mytest.example.com:8080/abc/?query=abc"), "example.com")) -} - -func TestSchemeIsHTTPS(t *testing.T) { - GetURL := func(u string) *url.URL { - x, err := url.ParseRequestURI(u) - require.NoError(t, err) - - return x - } - - assert.False(t, isSchemeHTTPS( - GetURL("http://mytest.example.com/abc/?query=abc"))) - assert.False(t, isSchemeHTTPS( - GetURL("ws://mytest.example.com/abc/?query=abc"))) - assert.False(t, isSchemeHTTPS( - GetURL("wss://mytest.example.com/abc/?query=abc"))) - assert.True(t, isSchemeHTTPS( - GetURL("https://mytest.example.com/abc/?query=abc"))) -} - func TestSchemeIsWSS(t *testing.T) { GetURL := func(u string) *url.URL { x, err := url.ParseRequestURI(u) 
@@ -1435,10 +1397,10 @@ func TestShouldNotRedirectRequestsForBypassACLWhenInactiveForTooLong(t *testing. clock.Set(time.Now()) past := clock.Now().Add(-1 * time.Hour) - mock.Ctx.Configuration.Session.Inactivity = testInactivity + mock.Ctx.Configuration.Session.Cookies[0].Inactivity = testInactivity // Reload the session provider since the configuration is indirect. mock.Ctx.Providers.SessionProvider = session.NewProvider(mock.Ctx.Configuration.Session, nil) - assert.Equal(t, time.Second*10, mock.Ctx.Providers.SessionProvider.Inactivity) + assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity) userSession := mock.Ctx.GetSession() userSession.Username = testUsername @@ -1527,7 +1489,7 @@ func TestIsSessionInactiveTooLong(t *testing.T) { defer ctx.Close() - ctx.Ctx.Configuration.Session.Inactivity = tc.inactivity + ctx.Ctx.Configuration.Session.Cookies[0].Inactivity = tc.inactivity ctx.Ctx.Providers.SessionProvider = session.NewProvider(ctx.Ctx.Configuration.Session, nil) ctx.Clock.Set(tc.now) |
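Review bot: TestShouldNotRedirectRequestsForBypassACLWhenInactiveForTooLong keeps the same self-referential `assert.Equal(t, time.Second*10, mock.Ctx.Configuration.Session.Cookies[0].Inactivity)` seen in the earlier hunks; it verifies the test's own assignment, not the provider built from it. Also note that every rewritten test now indexes `Cookies[0]`, which presumes the mock configuration seeds at least one cookie domain — if that is a documented invariant of `mocks.NewMockAutheliaCtx` a brief comment at the first use would help, otherwise a `require.NotEmpty(t, mock.Ctx.Configuration.Session.Cookies)` would turn a panic into a readable failure.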
