lukaszraczylo/traefikoidc
1
0
Fork 0
mirror of https://github.com/lukaszraczylo/traefikoidc.git synced 2026-06-05 22:44:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Release 0.7.5 (#70)

Browse Source 
* Resolve issue with opaque tokens not being parsed correctly

* Increase test coverage

* Further improvements to test coverage and code quality

* Add new providers.

* fixup! Add new providers.

* Cleanup.

* fixup! Cleanup.

* fixup! fixup! Cleanup.

* fixup! fixup! fixup! Cleanup.

* fixup! fixup! fixup! fixup! Cleanup.

* Memory management optimisation

24 bytes per Put < 256-4096 bytes per buffer allocation avoided (10-170x difference)

* Pooling cleanup.
This commit is contained in:
Lukasz Raczylo
2025-10-01 12:13:10 +01:00
committed by GitHub
parent 3bbc6a1608
commit c3f23cb99b
93 changed files with 26767 additions and 4230 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/cache/typed_cache.go
Vendored
+17 -3
View File
@@ -1,9 +1,12 @@
package cache
import (
"bytes"
"encoding/json"
"fmt"
"time"
"github.com/lukaszraczylo/traefikoidc/internal/pool"
)
// TypedCache provides a type-safe wrapper around Cache for specific types
@@ -42,13 +45,24 @@ func (tc *TypedCache[T]) Get(key string) (T, bool) {
}
// If that fails, try JSON marshaling/unmarshaling for complex types
data, err := json.Marshal(value)
if err != nil {
// Use pooled buffer for encoding
pm := pool.Get()
buf := pm.GetBuffer(256)
defer pm.PutBuffer(buf)
encoder := pm.GetJSONEncoder(buf)
defer pm.PutJSONEncoder(encoder)
if err := encoder.Encode(value); err != nil {
return zero, false
}
// Decode using pooled decoder
var result T
if err := json.Unmarshal(data, &result); err != nil {
decoder := pm.GetJSONDecoder(bytes.NewReader(buf.Bytes()))
defer pm.PutJSONDecoder(decoder)
if err := decoder.Decode(&result); err != nil {
return zero, false
}
internal/errors/errors.go
+218
View File
@@ -0,0 +1,218 @@
// Package errors provides unified error handling for OIDC operations
package errors
import (
"fmt"
"net/http"
)
// ErrorCode represents specific error types
type ErrorCode string
const (
// Authentication errors
ErrCodeAuthenticationFailed ErrorCode = "AUTH_FAILED"
ErrCodeTokenExpired ErrorCode = "TOKEN_EXPIRED"
ErrCodeTokenInvalid ErrorCode = "TOKEN_INVALID"
ErrCodeSessionExpired ErrorCode = "SESSION_EXPIRED"
ErrCodeCSRFMismatch ErrorCode = "CSRF_MISMATCH"
ErrCodeNonceMismatch ErrorCode = "NONCE_MISMATCH"
// Configuration errors
ErrCodeConfigInvalid ErrorCode = "CONFIG_INVALID"
ErrCodeProviderUnreachable ErrorCode = "PROVIDER_UNREACHABLE"
ErrCodeMetadataFailed ErrorCode = "METADATA_FAILED"
// Network errors
ErrCodeNetworkTimeout ErrorCode = "NETWORK_TIMEOUT"
ErrCodeRateLimited ErrorCode = "RATE_LIMITED"
ErrCodeServiceUnavailable ErrorCode = "SERVICE_UNAVAILABLE"
// Validation errors
ErrCodeValidationFailed ErrorCode = "VALIDATION_FAILED"
ErrCodeDomainNotAllowed ErrorCode = "DOMAIN_NOT_ALLOWED"
ErrCodeUserNotAllowed ErrorCode = "USER_NOT_ALLOWED"
ErrCodeRoleNotAllowed ErrorCode = "ROLE_NOT_ALLOWED"
)
// OIDCError represents a structured error with context
type OIDCError struct {
Code ErrorCode `json:"code"`
Message string `json:"message"`
Details string `json:"details,omitempty"`
HTTPStatus int `json:"http_status"`
Internal error `json:"-"` // Internal error, not exposed
}
// Error implements the error interface
func (e *OIDCError) Error() string {
if e.Details != "" {
return fmt.Sprintf("%s: %s (%s)", e.Code, e.Message, e.Details)
}
return fmt.Sprintf("%s: %s", e.Code, e.Message)
}
// Unwrap returns the internal error for error wrapping
func (e *OIDCError) Unwrap() error {
return e.Internal
}
// IsRetryable indicates if the error is temporary and can be retried
func (e *OIDCError) IsRetryable() bool {
return e.Code == ErrCodeNetworkTimeout ||
e.Code == ErrCodeServiceUnavailable ||
e.Code == ErrCodeProviderUnreachable
}
// IsAuthenticationError indicates if this is an authentication-related error
func (e *OIDCError) IsAuthenticationError() bool {
return e.Code == ErrCodeAuthenticationFailed ||
e.Code == ErrCodeTokenExpired ||
e.Code == ErrCodeTokenInvalid ||
e.Code == ErrCodeSessionExpired ||
e.Code == ErrCodeCSRFMismatch ||
e.Code == ErrCodeNonceMismatch
}
// IsAuthorizationError indicates if this is an authorization-related error
func (e *OIDCError) IsAuthorizationError() bool {
return e.Code == ErrCodeDomainNotAllowed ||
e.Code == ErrCodeUserNotAllowed ||
e.Code == ErrCodeRoleNotAllowed
}
// ToJSON converts the error to a JSON response
func (e *OIDCError) ToJSON() map[string]any {
result := map[string]any{
"error": map[string]any{
"code": string(e.Code),
"message": e.Message,
},
}
if e.Details != "" {
result["error"].(map[string]any)["details"] = e.Details
}
return result
}
// Error constructors for common scenarios
// NewAuthenticationError creates an authentication-related error
func NewAuthenticationError(code ErrorCode, message string, internal error) *OIDCError {
status := http.StatusUnauthorized
if code == ErrCodeSessionExpired {
status = http.StatusForbidden
}
return &OIDCError{
Code: code,
Message: message,
HTTPStatus: status,
Internal: internal,
}
}
// NewAuthorizationError creates an authorization-related error
func NewAuthorizationError(code ErrorCode, message string, details string) *OIDCError {
return &OIDCError{
Code: code,
Message: message,
Details: details,
HTTPStatus: http.StatusForbidden,
}
}
// NewConfigurationError creates a configuration-related error
func NewConfigurationError(code ErrorCode, message string, internal error) *OIDCError {
return &OIDCError{
Code: code,
Message: message,
HTTPStatus: http.StatusInternalServerError,
Internal: internal,
}
}
// NewNetworkError creates a network-related error
func NewNetworkError(code ErrorCode, message string, internal error) *OIDCError {
status := http.StatusServiceUnavailable
if code == ErrCodeRateLimited {
status = http.StatusTooManyRequests
}
return &OIDCError{
Code: code,
Message: message,
HTTPStatus: status,
Internal: internal,
}
}
// NewValidationError creates a validation-related error
func NewValidationError(code ErrorCode, message string, details string) *OIDCError {
return &OIDCError{
Code: code,
Message: message,
Details: details,
HTTPStatus: http.StatusBadRequest,
}
}
// Convenience functions for common error patterns
// WrapAuthenticationError wraps an existing error as an authentication error
func WrapAuthenticationError(err error, message string) *OIDCError {
return NewAuthenticationError(ErrCodeAuthenticationFailed, message, err)
}
// WrapTokenError wraps a token-related error
func WrapTokenError(err error, tokenType string) *OIDCError {
message := fmt.Sprintf("Token validation failed: %s", tokenType)
return NewAuthenticationError(ErrCodeTokenInvalid, message, err)
}
// WrapProviderError wraps a provider communication error
func WrapProviderError(err error, providerURL string) *OIDCError {
message := fmt.Sprintf("Provider communication failed: %s", providerURL)
return NewNetworkError(ErrCodeProviderUnreachable, message, err)
}
// IsOIDCError checks if an error is an OIDCError
func IsOIDCError(err error) (*OIDCError, bool) {
oidcErr, ok := err.(*OIDCError)
return oidcErr, ok
}
// GetHTTPStatus extracts HTTP status from error, defaulting to 500
func GetHTTPStatus(err error) int {
if oidcErr, ok := IsOIDCError(err); ok {
return oidcErr.HTTPStatus
}
return http.StatusInternalServerError
}
// FormatUserMessage creates a user-friendly error message
func FormatUserMessage(err error) string {
if oidcErr, ok := IsOIDCError(err); ok {
switch oidcErr.Code {
case ErrCodeDomainNotAllowed:
return "Your email domain is not authorized for this application"
case ErrCodeUserNotAllowed:
return "Your account is not authorized for this application"
case ErrCodeRoleNotAllowed:
return "You do not have the required permissions for this application"
case ErrCodeSessionExpired:
return "Your session has expired. Please log in again"
case ErrCodeTokenExpired:
return "Your authentication has expired. Please log in again"
case ErrCodeProviderUnreachable:
return "Authentication service is temporarily unavailable. Please try again later"
case ErrCodeRateLimited:
return "Too many requests. Please wait a moment and try again"
default:
return "Authentication failed. Please try again"
}
}
return "An unexpected error occurred. Please try again"
}
internal/errors/errors_test.go
+529
View File
@@ -0,0 +1,529 @@
package errors
import (
"errors"
"net/http"
"reflect"
"testing"
)
func TestOIDCError_Error(t *testing.T) {
tests := []struct {
name string
oidcErr *OIDCError
expected string
}{
{
name: "Error with details",
oidcErr: &OIDCError{
Code: ErrCodeTokenInvalid,
Message: "Token validation failed",
Details: "JWT signature invalid",
},
expected: "TOKEN_INVALID: Token validation failed (JWT signature invalid)",
},
{
name: "Error without details",
oidcErr: &OIDCError{
Code: ErrCodeAuthenticationFailed,
Message: "Authentication failed",
},
expected: "AUTH_FAILED: Authentication failed",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := tt.oidcErr.Error()
if result != tt.expected {
t.Errorf("Expected '%s', got '%s'", tt.expected, result)
}
})
}
}
func TestOIDCError_Unwrap(t *testing.T) {
internalErr := errors.New("internal error")
oidcErr := &OIDCError{
Code: ErrCodeTokenInvalid,
Message: "Token validation failed",
Internal: internalErr,
}
unwrapped := oidcErr.Unwrap()
if unwrapped != internalErr {
t.Errorf("Expected internal error, got %v", unwrapped)
}
// Test with nil internal error
oidcErrNoInternal := &OIDCError{
Code: ErrCodeTokenInvalid,
Message: "Token validation failed",
}
unwrappedNil := oidcErrNoInternal.Unwrap()
if unwrappedNil != nil {
t.Errorf("Expected nil, got %v", unwrappedNil)
}
}
func TestOIDCError_IsRetryable(t *testing.T) {
tests := []struct {
name string
code ErrorCode
expected bool
}{
{"Network timeout", ErrCodeNetworkTimeout, true},
{"Service unavailable", ErrCodeServiceUnavailable, true},
{"Provider unreachable", ErrCodeProviderUnreachable, true},
{"Authentication failed", ErrCodeAuthenticationFailed, false},
{"Token invalid", ErrCodeTokenInvalid, false},
{"Rate limited", ErrCodeRateLimited, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
oidcErr := &OIDCError{Code: tt.code}
result := oidcErr.IsRetryable()
if result != tt.expected {
t.Errorf("Expected %v, got %v for code %s", tt.expected, result, tt.code)
}
})
}
}
func TestOIDCError_IsAuthenticationError(t *testing.T) {
tests := []struct {
name string
code ErrorCode
expected bool
}{
{"Authentication failed", ErrCodeAuthenticationFailed, true},
{"Token expired", ErrCodeTokenExpired, true},
{"Token invalid", ErrCodeTokenInvalid, true},
{"Session expired", ErrCodeSessionExpired, true},
{"CSRF mismatch", ErrCodeCSRFMismatch, true},
{"Nonce mismatch", ErrCodeNonceMismatch, true},
{"Config invalid", ErrCodeConfigInvalid, false},
{"Domain not allowed", ErrCodeDomainNotAllowed, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
oidcErr := &OIDCError{Code: tt.code}
result := oidcErr.IsAuthenticationError()
if result != tt.expected {
t.Errorf("Expected %v, got %v for code %s", tt.expected, result, tt.code)
}
})
}
}
func TestOIDCError_IsAuthorizationError(t *testing.T) {
tests := []struct {
name string
code ErrorCode
expected bool
}{
{"Domain not allowed", ErrCodeDomainNotAllowed, true},
{"User not allowed", ErrCodeUserNotAllowed, true},
{"Role not allowed", ErrCodeRoleNotAllowed, true},
{"Authentication failed", ErrCodeAuthenticationFailed, false},
{"Token expired", ErrCodeTokenExpired, false},
{"Config invalid", ErrCodeConfigInvalid, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
oidcErr := &OIDCError{Code: tt.code}
result := oidcErr.IsAuthorizationError()
if result != tt.expected {
t.Errorf("Expected %v, got %v for code %s", tt.expected, result, tt.code)
}
})
}
}
func TestOIDCError_ToJSON(t *testing.T) {
tests := []struct {
name string
oidcErr *OIDCError
expected map[string]any
}{
{
name: "Error with details",
oidcErr: &OIDCError{
Code: ErrCodeTokenInvalid,
Message: "Token validation failed",
Details: "JWT signature invalid",
},
expected: map[string]any{
"error": map[string]any{
"code": "TOKEN_INVALID",
"message": "Token validation failed",
"details": "JWT signature invalid",
},
},
},
{
name: "Error without details",
oidcErr: &OIDCError{
Code: ErrCodeAuthenticationFailed,
Message: "Authentication failed",
},
expected: map[string]any{
"error": map[string]any{
"code": "AUTH_FAILED",
"message": "Authentication failed",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := tt.oidcErr.ToJSON()
if !reflect.DeepEqual(result, tt.expected) {
t.Errorf("Expected %+v, got %+v", tt.expected, result)
}
})
}
}
func TestNewAuthenticationError(t *testing.T) {
internalErr := errors.New("internal error")
tests := []struct {
name string
code ErrorCode
message string
internal error
expectedHTTP int
}{
{
name: "Regular auth error",
code: ErrCodeAuthenticationFailed,
message: "Auth failed",
internal: internalErr,
expectedHTTP: http.StatusUnauthorized,
},
{
name: "Session expired error",
code: ErrCodeSessionExpired,
message: "Session expired",
internal: internalErr,
expectedHTTP: http.StatusForbidden,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := NewAuthenticationError(tt.code, tt.message, tt.internal)
if err.Code != tt.code {
t.Errorf("Expected code %s, got %s", tt.code, err.Code)
}
if err.Message != tt.message {
t.Errorf("Expected message '%s', got '%s'", tt.message, err.Message)
}
if err.Internal != tt.internal {
t.Errorf("Expected internal error %v, got %v", tt.internal, err.Internal)
}
if err.HTTPStatus != tt.expectedHTTP {
t.Errorf("Expected HTTP status %d, got %d", tt.expectedHTTP, err.HTTPStatus)
}
})
}
}
func TestNewAuthorizationError(t *testing.T) {
err := NewAuthorizationError(ErrCodeDomainNotAllowed, "Domain not allowed", "example.com not in whitelist")
if err.Code != ErrCodeDomainNotAllowed {
t.Errorf("Expected code %s, got %s", ErrCodeDomainNotAllowed, err.Code)
}
if err.Message != "Domain not allowed" {
t.Errorf("Expected message 'Domain not allowed', got '%s'", err.Message)
}
if err.Details != "example.com not in whitelist" {
t.Errorf("Expected details 'example.com not in whitelist', got '%s'", err.Details)
}
if err.HTTPStatus != http.StatusForbidden {
t.Errorf("Expected HTTP status %d, got %d", http.StatusForbidden, err.HTTPStatus)
}
}
func TestNewConfigurationError(t *testing.T) {
internalErr := errors.New("config parse error")
err := NewConfigurationError(ErrCodeConfigInvalid, "Invalid config", internalErr)
if err.Code != ErrCodeConfigInvalid {
t.Errorf("Expected code %s, got %s", ErrCodeConfigInvalid, err.Code)
}
if err.HTTPStatus != http.StatusInternalServerError {
t.Errorf("Expected HTTP status %d, got %d", http.StatusInternalServerError, err.HTTPStatus)
}
if err.Internal != internalErr {
t.Errorf("Expected internal error %v, got %v", internalErr, err.Internal)
}
}
func TestNewNetworkError(t *testing.T) {
internalErr := errors.New("network error")
tests := []struct {
name string
code ErrorCode
expectedHTTP int
}{
{
name: "Rate limited",
code: ErrCodeRateLimited,
expectedHTTP: http.StatusTooManyRequests,
},
{
name: "Service unavailable",
code: ErrCodeServiceUnavailable,
expectedHTTP: http.StatusServiceUnavailable,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := NewNetworkError(tt.code, "Network error", internalErr)
if err.Code != tt.code {
t.Errorf("Expected code %s, got %s", tt.code, err.Code)
}
if err.HTTPStatus != tt.expectedHTTP {
t.Errorf("Expected HTTP status %d, got %d", tt.expectedHTTP, err.HTTPStatus)
}
})
}
}
func TestNewValidationError(t *testing.T) {
err := NewValidationError(ErrCodeValidationFailed, "Validation failed", "field 'email' is required")
if err.Code != ErrCodeValidationFailed {
t.Errorf("Expected code %s, got %s", ErrCodeValidationFailed, err.Code)
}
if err.HTTPStatus != http.StatusBadRequest {
t.Errorf("Expected HTTP status %d, got %d", http.StatusBadRequest, err.HTTPStatus)
}
if err.Details != "field 'email' is required" {
t.Errorf("Expected details 'field 'email' is required', got '%s'", err.Details)
}
}
func TestWrapAuthenticationError(t *testing.T) {
internalErr := errors.New("original error")
err := WrapAuthenticationError(internalErr, "Custom auth message")
if err.Code != ErrCodeAuthenticationFailed {
t.Errorf("Expected code %s, got %s", ErrCodeAuthenticationFailed, err.Code)
}
if err.Message != "Custom auth message" {
t.Errorf("Expected message 'Custom auth message', got '%s'", err.Message)
}
if err.Internal != internalErr {
t.Errorf("Expected internal error %v, got %v", internalErr, err.Internal)
}
}
func TestWrapTokenError(t *testing.T) {
internalErr := errors.New("token error")
err := WrapTokenError(internalErr, "ID token")
if err.Code != ErrCodeTokenInvalid {
t.Errorf("Expected code %s, got %s", ErrCodeTokenInvalid, err.Code)
}
if err.Message != "Token validation failed: ID token" {
t.Errorf("Expected message 'Token validation failed: ID token', got '%s'", err.Message)
}
if err.Internal != internalErr {
t.Errorf("Expected internal error %v, got %v", internalErr, err.Internal)
}
}
func TestWrapProviderError(t *testing.T) {
internalErr := errors.New("provider error")
err := WrapProviderError(internalErr, "https://provider.example.com")
if err.Code != ErrCodeProviderUnreachable {
t.Errorf("Expected code %s, got %s", ErrCodeProviderUnreachable, err.Code)
}
if err.Message != "Provider communication failed: https://provider.example.com" {
t.Errorf("Expected specific message, got '%s'", err.Message)
}
if err.Internal != internalErr {
t.Errorf("Expected internal error %v, got %v", internalErr, err.Internal)
}
}
func TestIsOIDCError(t *testing.T) {
// Test with OIDCError
oidcErr := &OIDCError{Code: ErrCodeTokenInvalid, Message: "test"}
result, ok := IsOIDCError(oidcErr)
if !ok {
t.Error("Expected IsOIDCError to return true for OIDCError")
}
if result != oidcErr {
t.Error("Expected to get the same OIDCError back")
}
// Test with regular error
regularErr := errors.New("regular error")
result, ok = IsOIDCError(regularErr)
if ok {
t.Error("Expected IsOIDCError to return false for regular error")
}
if result != nil {
t.Error("Expected nil result for regular error")
}
}
func TestGetHTTPStatus(t *testing.T) {
// Test with OIDCError
oidcErr := &OIDCError{
Code: ErrCodeTokenInvalid,
HTTPStatus: http.StatusUnauthorized,
}
status := GetHTTPStatus(oidcErr)
if status != http.StatusUnauthorized {
t.Errorf("Expected %d, got %d", http.StatusUnauthorized, status)
}
// Test with regular error
regularErr := errors.New("regular error")
status = GetHTTPStatus(regularErr)
if status != http.StatusInternalServerError {
t.Errorf("Expected %d, got %d", http.StatusInternalServerError, status)
}
}
func TestFormatUserMessage(t *testing.T) {
tests := []struct {
name string
err error
expected string
}{
{
name: "Domain not allowed",
err: &OIDCError{Code: ErrCodeDomainNotAllowed},
expected: "Your email domain is not authorized for this application",
},
{
name: "User not allowed",
err: &OIDCError{Code: ErrCodeUserNotAllowed},
expected: "Your account is not authorized for this application",
},
{
name: "Role not allowed",
err: &OIDCError{Code: ErrCodeRoleNotAllowed},
expected: "You do not have the required permissions for this application",
},
{
name: "Session expired",
err: &OIDCError{Code: ErrCodeSessionExpired},
expected: "Your session has expired. Please log in again",
},
{
name: "Token expired",
err: &OIDCError{Code: ErrCodeTokenExpired},
expected: "Your authentication has expired. Please log in again",
},
{
name: "Provider unreachable",
err: &OIDCError{Code: ErrCodeProviderUnreachable},
expected: "Authentication service is temporarily unavailable. Please try again later",
},
{
name: "Rate limited",
err: &OIDCError{Code: ErrCodeRateLimited},
expected: "Too many requests. Please wait a moment and try again",
},
{
name: "Unknown OIDC error",
err: &OIDCError{Code: ErrCodeConfigInvalid},
expected: "Authentication failed. Please try again",
},
{
name: "Regular error",
err: errors.New("regular error"),
expected: "An unexpected error occurred. Please try again",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := FormatUserMessage(tt.err)
if result != tt.expected {
t.Errorf("Expected '%s', got '%s'", tt.expected, result)
}
})
}
}
func TestErrorCodes(t *testing.T) {
// Test that all error codes are defined correctly
codes := []ErrorCode{
ErrCodeAuthenticationFailed,
ErrCodeTokenExpired,
ErrCodeTokenInvalid,
ErrCodeSessionExpired,
ErrCodeCSRFMismatch,
ErrCodeNonceMismatch,
ErrCodeConfigInvalid,
ErrCodeProviderUnreachable,
ErrCodeMetadataFailed,
ErrCodeNetworkTimeout,
ErrCodeRateLimited,
ErrCodeServiceUnavailable,
ErrCodeValidationFailed,
ErrCodeDomainNotAllowed,
ErrCodeUserNotAllowed,
ErrCodeRoleNotAllowed,
}
for _, code := range codes {
if string(code) == "" {
t.Errorf("Error code %v is empty", code)
}
}
}
func TestErrorConstructorCompleteness(t *testing.T) {
// Test each constructor function to ensure they set all required fields
internalErr := errors.New("test error")
// Test NewAuthenticationError
authErr := NewAuthenticationError(ErrCodeAuthenticationFailed, "auth message", internalErr)
if authErr.Code == "" || authErr.Message == "" || authErr.HTTPStatus == 0 {
t.Error("NewAuthenticationError did not set all required fields")
}
// Test NewAuthorizationError
authzErr := NewAuthorizationError(ErrCodeDomainNotAllowed, "authz message", "details")
if authzErr.Code == "" || authzErr.Message == "" || authzErr.HTTPStatus == 0 {
t.Error("NewAuthorizationError did not set all required fields")
}
// Test NewConfigurationError
configErr := NewConfigurationError(ErrCodeConfigInvalid, "config message", internalErr)
if configErr.Code == "" || configErr.Message == "" || configErr.HTTPStatus == 0 {
t.Error("NewConfigurationError did not set all required fields")
}
// Test NewNetworkError
netErr := NewNetworkError(ErrCodeNetworkTimeout, "network message", internalErr)
if netErr.Code == "" || netErr.Message == "" || netErr.HTTPStatus == 0 {
t.Error("NewNetworkError did not set all required fields")
}
// Test NewValidationError
validErr := NewValidationError(ErrCodeValidationFailed, "validation message", "details")
if validErr.Code == "" || validErr.Message == "" || validErr.HTTPStatus == 0 {
t.Error("NewValidationError did not set all required fields")
}
}
internal/handlers/auth_flow.go
+224
View File
@@ -0,0 +1,224 @@
// Package handlers provides authentication flow management
package handlers
import (
"net/http"
"time"
)
// AuthFlowHandler manages the complete OIDC authentication flow
type AuthFlowHandler struct {
sessionHandler *SessionHandler
tokenHandler TokenHandler
logger Logger
excludedURLs map[string]struct{}
initComplete chan struct{}
issuerURL string
}
// TokenHandler interface for token operations
type TokenHandler interface {
VerifyToken(token string) error
RefreshToken(refreshToken string) (*TokenResponse, error)
}
// TokenResponse represents token exchange response
type TokenResponse struct {
IDToken string `json:"id_token"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
ExpiresIn int `json:"expires_in"`
}
// AuthFlowResult represents the result of authentication flow processing
type AuthFlowResult struct {
Authenticated bool
RequiresAuth bool
RequiresRefresh bool
Error error
RedirectURL string
StatusCode int
}
// NewAuthFlowHandler creates a new authentication flow handler
func NewAuthFlowHandler(sessionHandler *SessionHandler, tokenHandler TokenHandler, logger Logger, excludedURLs map[string]struct{}, initComplete chan struct{}, issuerURL string) *AuthFlowHandler {
return &AuthFlowHandler{
sessionHandler: sessionHandler,
tokenHandler: tokenHandler,
logger: logger,
excludedURLs: excludedURLs,
initComplete: initComplete,
issuerURL: issuerURL,
}
}
// ProcessRequest handles the main authentication flow
func (h *AuthFlowHandler) ProcessRequest(rw http.ResponseWriter, req *http.Request) AuthFlowResult {
// Check if URL should be excluded
if h.shouldExcludeURL(req.URL.Path) {
h.logger.Debugf("Request path %s excluded by configuration, bypassing OIDC", req.URL.Path)
return AuthFlowResult{Authenticated: true}
}
// Check for streaming requests
if h.isStreamingRequest(req) {
h.logger.Debugf("Streaming request detected, bypassing OIDC")
return AuthFlowResult{Authenticated: true}
}
// Wait for initialization
if !h.waitForInitialization(req) {
return AuthFlowResult{
Error: ErrInitializationTimeout,
StatusCode: http.StatusServiceUnavailable,
}
}
// Get and validate session
session, err := h.sessionHandler.sessionManager.GetSession(req)
if err != nil {
h.logger.Errorf("Error getting session: %v", err)
return AuthFlowResult{
RequiresAuth: true,
Error: err,
}
}
defer session.ReturnToPoolSafely()
// Clean up old cookies
h.sessionHandler.sessionManager.CleanupOldCookies(rw, req)
// Validate session
validationResult := h.sessionHandler.ValidateSession(session)
if !validationResult.Valid {
if validationResult.NeedsAuth {
return AuthFlowResult{RequiresAuth: true}
}
return AuthFlowResult{
Error: ErrSessionInvalid,
StatusCode: http.StatusUnauthorized,
}
}
// Check token validity and refresh if needed
return h.validateAndRefreshTokens(session, req, rw)
}
// shouldExcludeURL checks if a URL should bypass authentication
func (h *AuthFlowHandler) shouldExcludeURL(path string) bool {
for excludedURL := range h.excludedURLs {
if len(path) >= len(excludedURL) && path[:len(excludedURL)] == excludedURL {
return true
}
}
return false
}
// isStreamingRequest checks if request is a streaming request that should bypass auth
func (h *AuthFlowHandler) isStreamingRequest(req *http.Request) bool {
acceptHeader := req.Header.Get("Accept")
return acceptHeader == "text/event-stream"
}
// waitForInitialization waits for OIDC provider initialization
func (h *AuthFlowHandler) waitForInitialization(req *http.Request) bool {
select {
case <-h.initComplete:
if h.issuerURL == "" {
h.logger.Error("OIDC provider metadata initialization failed")
return false
}
return true
case <-req.Context().Done():
h.logger.Debug("Request cancelled while waiting for OIDC initialization")
return false
case <-time.After(30 * time.Second):
h.logger.Error("Timeout waiting for OIDC initialization")
return false
}
}
// validateAndRefreshTokens handles token validation and refresh logic
func (h *AuthFlowHandler) validateAndRefreshTokens(session Session, req *http.Request, rw http.ResponseWriter) AuthFlowResult {
// Check access token if present
if accessToken := session.GetAccessToken(); accessToken != "" {
if err := h.tokenHandler.VerifyToken(accessToken); err != nil {
h.logger.Errorf("Access token validation failed: %v", err)
// Try refresh if refresh token is available
if refreshToken := session.GetRefreshToken(); refreshToken != "" {
return h.attemptTokenRefresh(session, req, rw)
}
return AuthFlowResult{RequiresAuth: true}
}
}
// Check ID token
if idToken := session.GetIDToken(); idToken != "" {
if err := h.tokenHandler.VerifyToken(idToken); err != nil {
h.logger.Errorf("ID token validation failed: %v", err)
// Try refresh if refresh token is available
if refreshToken := session.GetRefreshToken(); refreshToken != "" {
return h.attemptTokenRefresh(session, req, rw)
}
return AuthFlowResult{RequiresAuth: true}
}
}
return AuthFlowResult{Authenticated: true}
}
// attemptTokenRefresh tries to refresh tokens
func (h *AuthFlowHandler) attemptTokenRefresh(session Session, req *http.Request, rw http.ResponseWriter) AuthFlowResult {
refreshToken := session.GetRefreshToken()
if refreshToken == "" {
return AuthFlowResult{RequiresAuth: true}
}
// Check if this is an AJAX request
if h.sessionHandler.IsAjaxRequest(req) {
return AuthFlowResult{
Error: ErrSessionExpiredAjax,
StatusCode: http.StatusUnauthorized,
}
}
_, err := h.tokenHandler.RefreshToken(refreshToken)
if err != nil {
h.logger.Errorf("Token refresh failed: %v", err)
return AuthFlowResult{RequiresAuth: true}
}
// Update session with new tokens would be handled here
// Implementation depends on the actual session interface
if err := session.Save(req, rw); err != nil {
h.logger.Errorf("Failed to save refreshed session: %v", err)
return AuthFlowResult{
Error: err,
StatusCode: http.StatusInternalServerError,
}
}
return AuthFlowResult{Authenticated: true}
}
// Common errors
var (
ErrInitializationTimeout = &AuthFlowError{Code: "INIT_TIMEOUT", Message: "OIDC initialization timeout"}
ErrSessionInvalid = &AuthFlowError{Code: "SESSION_INVALID", Message: "Invalid session"}
ErrSessionExpiredAjax = &AuthFlowError{Code: "SESSION_EXPIRED_AJAX", Message: "Session expired for AJAX request"}
)
// AuthFlowError represents authentication flow errors
type AuthFlowError struct {
Code string
Message string
}
func (e *AuthFlowError) Error() string {
return e.Message
}
internal/handlers/auth_flow_test.go
+588
View File
@@ -0,0 +1,588 @@
package handlers
import (
"context"
"errors"
"net/http"
"net/http/httptest"
"testing"
"time"
)
// Mock implementations that embed SessionHandler
type MockSessionHandlerWrapper struct {
*SessionHandler
}
func NewMockSessionHandlerWrapper() *MockSessionHandlerWrapper {
sessionManager := &MockSessionManager{}
logger := &MockLogger{}
sessionHandler := NewSessionHandler(
sessionManager,
logger,
"/logout",
"https://example.com/post-logout",
"https://provider.example.com/logout",
"test-client-id",
)
return &MockSessionHandlerWrapper{
SessionHandler: sessionHandler,
}
}
type MockSessionManager struct {
session Session
err error
}
func (m *MockSessionManager) GetSession(req *http.Request) (Session, error) {
return m.session, m.err
}
func (m *MockSessionManager) CleanupOldCookies(rw http.ResponseWriter, req *http.Request) {
// Mock implementation
}
type MockSession struct {
authenticated bool
email string
idToken string
accessToken string
refreshToken string
saveError error
clearError error
}
func (m *MockSession) GetAuthenticated() bool { return m.authenticated }
func (m *MockSession) SetAuthenticated(auth bool) error { m.authenticated = auth; return nil }
func (m *MockSession) GetEmail() string { return m.email }
func (m *MockSession) SetEmail(email string) { m.email = email }
func (m *MockSession) GetIDToken() string { return m.idToken }
func (m *MockSession) GetAccessToken() string { return m.accessToken }
func (m *MockSession) GetRefreshToken() string { return m.refreshToken }
func (m *MockSession) SetRefreshToken(token string) { m.refreshToken = token }
func (m *MockSession) Clear(req *http.Request, rw http.ResponseWriter) error { return m.clearError }
func (m *MockSession) Save(req *http.Request, rw http.ResponseWriter) error { return m.saveError }
func (m *MockSession) ReturnToPoolSafely() {}
type MockTokenHandler struct {
verifyError error
refreshError error
tokenResponse *TokenResponse
}
func (m *MockTokenHandler) VerifyToken(token string) error {
return m.verifyError
}
func (m *MockTokenHandler) RefreshToken(refreshToken string) (*TokenResponse, error) {
return m.tokenResponse, m.refreshError
}
type MockLogger struct {
debugMessages []string
errorMessages []string
}
func (m *MockLogger) Debug(msg string) {
m.debugMessages = append(m.debugMessages, msg)
}
func (m *MockLogger) Debugf(format string, args ...interface{}) {
m.debugMessages = append(m.debugMessages, format)
}
func (m *MockLogger) Info(msg string) {}
func (m *MockLogger) Infof(format string, args ...interface{}) {}
func (m *MockLogger) Error(msg string) {
m.errorMessages = append(m.errorMessages, msg)
}
func (m *MockLogger) Errorf(format string, args ...interface{}) {
m.errorMessages = append(m.errorMessages, format)
}
func TestNewAuthFlowHandler(t *testing.T) {
sessionHandler := NewMockSessionHandlerWrapper()
tokenHandler := &MockTokenHandler{}
logger := &MockLogger{}
excludedURLs := map[string]struct{}{"/health": {}}
initComplete := make(chan struct{})
issuerURL := "https://issuer.example.com"
handler := NewAuthFlowHandler(sessionHandler.SessionHandler, tokenHandler, logger, excludedURLs, initComplete, issuerURL)
if handler == nil {
t.Fatal("NewAuthFlowHandler returned nil")
}
if handler.sessionHandler == nil {
t.Error("SessionHandler not set correctly")
}
if handler.tokenHandler != tokenHandler {
t.Error("TokenHandler not set correctly")
}
if handler.logger != logger {
t.Error("Logger not set correctly")
}
if handler.issuerURL != issuerURL {
t.Error("IssuerURL not set correctly")
}
}
func TestAuthFlowHandler_shouldExcludeURL(t *testing.T) {
excludedURLs := map[string]struct{}{
"/health": {},
"/metrics": {},
"/api/public": {},
}
handler := &AuthFlowHandler{excludedURLs: excludedURLs}
tests := []struct {
path string
expected bool
}{
{"/health", true},
{"/health/check", true},
{"/metrics", true},
{"/metrics/prometheus", true},
{"/api/public", true},
{"/api/public/endpoint", true},
{"/api/private", false},
{"/login", false},
{"/dashboard", false},
}
for _, test := range tests {
result := handler.shouldExcludeURL(test.path)
if result != test.expected {
t.Errorf("For path '%s': expected %v, got %v", test.path, test.expected, result)
}
}
}
func TestAuthFlowHandler_isStreamingRequest(t *testing.T) {
handler := &AuthFlowHandler{}
tests := []struct {
name string
accept string
expected bool
}{
{
name: "SSE request",
accept: "text/event-stream",
expected: true,
},
{
name: "Regular HTML request",
accept: "text/html,application/xhtml+xml",
expected: false,
},
{
name: "JSON request",
accept: "application/json",
expected: false,
},
{
name: "Empty accept header",
accept: "",
expected: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
req := httptest.NewRequest("GET", "/", nil)
req.Header.Set("Accept", test.accept)
result := handler.isStreamingRequest(req)
if result != test.expected {
t.Errorf("Expected %v, got %v", test.expected, result)
}
})
}
}
func TestAuthFlowHandler_waitForInitialization(t *testing.T) {
tests := []struct {
name string
setupHandler func() (*AuthFlowHandler, context.CancelFunc)
expectedResult bool
}{
{
name: "Initialization complete successfully",
setupHandler: func() (*AuthFlowHandler, context.CancelFunc) {
initComplete := make(chan struct{})
close(initComplete) // Already complete
handler := &AuthFlowHandler{
initComplete: initComplete,
issuerURL: "https://issuer.example.com",
}
return handler, nil
},
expectedResult: true,
},
{
name: "Initialization complete but no issuer URL",
setupHandler: func() (*AuthFlowHandler, context.CancelFunc) {
initComplete := make(chan struct{})
close(initComplete)
handler := &AuthFlowHandler{
initComplete: initComplete,
issuerURL: "",
logger: &MockLogger{},
}
return handler, nil
},
expectedResult: false,
},
{
name: "Request cancelled",
setupHandler: func() (*AuthFlowHandler, context.CancelFunc) {
initComplete := make(chan struct{})
handler := &AuthFlowHandler{
initComplete: initComplete,
logger: &MockLogger{},
}
_, cancel := context.WithCancel(context.Background())
return handler, cancel
},
expectedResult: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
handler, cancelFunc := test.setupHandler()
req := httptest.NewRequest("GET", "/", nil)
if cancelFunc != nil {
ctx, cancel := context.WithCancel(context.Background())
req = req.WithContext(ctx)
cancel() // Cancel immediately
}
result := handler.waitForInitialization(req)
if result != test.expectedResult {
t.Errorf("Expected %v, got %v", test.expectedResult, result)
}
})
}
}
func TestAuthFlowHandler_ProcessRequest(t *testing.T) {
tests := []struct {
name string
setupRequest func() *http.Request
setupHandler func() *AuthFlowHandler
expectedResult AuthFlowResult
}{
{
name: "Excluded URL bypasses authentication",
setupRequest: func() *http.Request {
return httptest.NewRequest("GET", "/health", nil)
},
setupHandler: func() *AuthFlowHandler {
return &AuthFlowHandler{
excludedURLs: map[string]struct{}{"/health": {}},
logger: &MockLogger{},
}
},
expectedResult: AuthFlowResult{Authenticated: true},
},
{
name: "Streaming request bypasses authentication",
setupRequest: func() *http.Request {
req := httptest.NewRequest("GET", "/events", nil)
req.Header.Set("Accept", "text/event-stream")
return req
},
setupHandler: func() *AuthFlowHandler {
return &AuthFlowHandler{
excludedURLs: map[string]struct{}{},
logger: &MockLogger{},
}
},
expectedResult: AuthFlowResult{Authenticated: true},
},
{
name: "Initialization timeout",
setupRequest: func() *http.Request {
return httptest.NewRequest("GET", "/dashboard", nil)
},
setupHandler: func() *AuthFlowHandler {
return &AuthFlowHandler{
excludedURLs: map[string]struct{}{},
initComplete: make(chan struct{}), // Never closes
logger: &MockLogger{},
}
},
expectedResult: AuthFlowResult{
Error: ErrInitializationTimeout,
StatusCode: http.StatusServiceUnavailable,
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
req := test.setupRequest()
handler := test.setupHandler()
rw := httptest.NewRecorder()
// For timeout test, use context with timeout
if test.name == "Initialization timeout" {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
defer cancel()
req = req.WithContext(ctx)
}
result := handler.ProcessRequest(rw, req)
if result.Authenticated != test.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", test.expectedResult.Authenticated, result.Authenticated)
}
if result.StatusCode != test.expectedResult.StatusCode {
t.Errorf("Expected StatusCode %d, got %d", test.expectedResult.StatusCode, result.StatusCode)
}
if test.expectedResult.Error != nil && result.Error == nil {
t.Error("Expected error but got nil")
}
})
}
}
func TestAuthFlowHandler_validateAndRefreshTokens(t *testing.T) {
tests := []struct {
name string
session *MockSession
tokenHandler *MockTokenHandler
expectedResult AuthFlowResult
}{
{
name: "Valid access token",
session: &MockSession{
authenticated: true,
accessToken: "valid-access-token",
},
tokenHandler: &MockTokenHandler{
verifyError: nil,
},
expectedResult: AuthFlowResult{Authenticated: true},
},
{
name: "Invalid access token, successful refresh",
session: &MockSession{
authenticated: true,
accessToken: "invalid-access-token",
refreshToken: "valid-refresh-token",
},
tokenHandler: &MockTokenHandler{
verifyError: errors.New("token expired"),
refreshError: nil,
tokenResponse: &TokenResponse{
IDToken: "new-id-token",
AccessToken: "new-access-token",
},
},
expectedResult: AuthFlowResult{Authenticated: true},
},
{
name: "Invalid access token, no refresh token",
session: &MockSession{
authenticated: true,
accessToken: "invalid-access-token",
refreshToken: "",
},
tokenHandler: &MockTokenHandler{
verifyError: errors.New("token expired"),
},
expectedResult: AuthFlowResult{RequiresAuth: true},
},
{
name: "Valid ID token only",
session: &MockSession{
authenticated: true,
idToken: "valid-id-token",
},
tokenHandler: &MockTokenHandler{
verifyError: nil,
},
expectedResult: AuthFlowResult{Authenticated: true},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
handler := &AuthFlowHandler{
tokenHandler: test.tokenHandler,
logger: &MockLogger{},
}
req := httptest.NewRequest("GET", "/", nil)
rw := httptest.NewRecorder()
result := handler.validateAndRefreshTokens(test.session, req, rw)
if result.Authenticated != test.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", test.expectedResult.Authenticated, result.Authenticated)
}
if result.RequiresAuth != test.expectedResult.RequiresAuth {
t.Errorf("Expected RequiresAuth %v, got %v", test.expectedResult.RequiresAuth, result.RequiresAuth)
}
})
}
}
func TestAuthFlowHandler_attemptTokenRefresh(t *testing.T) {
tests := []struct {
name string
session *MockSession
tokenHandler *MockTokenHandler
isAjax bool
expectedResult AuthFlowResult
}{
{
name: "No refresh token",
session: &MockSession{
refreshToken: "",
},
tokenHandler: &MockTokenHandler{},
expectedResult: AuthFlowResult{RequiresAuth: true},
},
{
name: "AJAX request with expired session",
session: &MockSession{
refreshToken: "refresh-token",
},
tokenHandler: &MockTokenHandler{},
isAjax: true,
expectedResult: AuthFlowResult{
Error: ErrSessionExpiredAjax,
StatusCode: http.StatusUnauthorized,
},
},
{
name: "Successful token refresh",
session: &MockSession{
refreshToken: "valid-refresh-token",
},
tokenHandler: &MockTokenHandler{
refreshError: nil,
tokenResponse: &TokenResponse{
IDToken: "new-id-token",
AccessToken: "new-access-token",
},
},
expectedResult: AuthFlowResult{Authenticated: true},
},
{
name: "Failed token refresh",
session: &MockSession{
refreshToken: "invalid-refresh-token",
},
tokenHandler: &MockTokenHandler{
refreshError: errors.New("refresh failed"),
},
expectedResult: AuthFlowResult{RequiresAuth: true},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
sessionHandlerWrapper := NewMockSessionHandlerWrapper()
handler := &AuthFlowHandler{
sessionHandler: sessionHandlerWrapper.SessionHandler,
tokenHandler: test.tokenHandler,
logger: &MockLogger{},
}
req := httptest.NewRequest("GET", "/", nil)
if test.isAjax {
req.Header.Set("X-Requested-With", "XMLHttpRequest")
}
rw := httptest.NewRecorder()
result := handler.attemptTokenRefresh(test.session, req, rw)
if result.Authenticated != test.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", test.expectedResult.Authenticated, result.Authenticated)
}
if result.RequiresAuth != test.expectedResult.RequiresAuth {
t.Errorf("Expected RequiresAuth %v, got %v", test.expectedResult.RequiresAuth, result.RequiresAuth)
}
if result.StatusCode != test.expectedResult.StatusCode {
t.Errorf("Expected StatusCode %d, got %d", test.expectedResult.StatusCode, result.StatusCode)
}
})
}
}
func TestAuthFlowError_Error(t *testing.T) {
err := &AuthFlowError{
Code: "TEST_ERROR",
Message: "This is a test error",
}
expected := "This is a test error"
result := err.Error()
if result != expected {
t.Errorf("Expected '%s', got '%s'", expected, result)
}
}
func TestAuthFlowResult(t *testing.T) {
// Test AuthFlowResult struct
result := AuthFlowResult{
Authenticated: true,
RequiresAuth: false,
RequiresRefresh: false,
Error: nil,
RedirectURL: "https://example.com",
StatusCode: 200,
}
if !result.Authenticated {
t.Error("Expected Authenticated to be true")
}
if result.RequiresAuth {
t.Error("Expected RequiresAuth to be false")
}
if result.StatusCode != 200 {
t.Errorf("Expected StatusCode 200, got %d", result.StatusCode)
}
}
func TestTokenResponse(t *testing.T) {
response := &TokenResponse{
IDToken: "id-token-value",
AccessToken: "access-token-value",
RefreshToken: "refresh-token-value",
ExpiresIn: 3600,
}
if response.IDToken != "id-token-value" {
t.Errorf("Expected IDToken 'id-token-value', got '%s'", response.IDToken)
}
if response.ExpiresIn != 3600 {
t.Errorf("Expected ExpiresIn 3600, got %d", response.ExpiresIn)
}
}
internal/handlers/session_handler.go
+247
View File
@@ -0,0 +1,247 @@
// Package handlers provides HTTP request handlers for OIDC operations
package handlers
import (
"fmt"
"net/http"
"strings"
)
// SessionHandler manages session-related HTTP operations
type SessionHandler struct {
sessionManager SessionManager
logger Logger
logoutURLPath string
postLogoutRedirectURI string
endSessionURL string
clientID string
}
// SessionManager interface for session operations
type SessionManager interface {
GetSession(req *http.Request) (Session, error)
CleanupOldCookies(rw http.ResponseWriter, req *http.Request)
}
// Session interface for session data
type Session interface {
GetAuthenticated() bool
SetAuthenticated(bool) error
GetEmail() string
SetEmail(string)
GetIDToken() string
GetAccessToken() string
GetRefreshToken() string
SetRefreshToken(string)
Clear(req *http.Request, rw http.ResponseWriter) error
Save(req *http.Request, rw http.ResponseWriter) error
ReturnToPoolSafely()
}
// Logger interface for logging operations
type Logger interface {
Debug(msg string)
Debugf(format string, args ...interface{})
Info(msg string)
Infof(format string, args ...interface{})
Error(msg string)
Errorf(format string, args ...interface{})
}
// NewSessionHandler creates a new session handler
func NewSessionHandler(sessionManager SessionManager, logger Logger, logoutURLPath, postLogoutRedirectURI, endSessionURL, clientID string) *SessionHandler {
return &SessionHandler{
sessionManager: sessionManager,
logger: logger,
logoutURLPath: logoutURLPath,
postLogoutRedirectURI: postLogoutRedirectURI,
endSessionURL: endSessionURL,
clientID: clientID,
}
}
// HandleLogout processes logout requests
func (h *SessionHandler) HandleLogout(rw http.ResponseWriter, req *http.Request) {
h.logger.Debug("Processing logout request")
session, err := h.sessionManager.GetSession(req)
if err != nil {
h.logger.Errorf("Error getting session during logout: %v", err)
// Continue with logout even if session retrieval fails
}
var idToken string
if session != nil {
defer session.ReturnToPoolSafely()
idToken = session.GetIDToken()
// Clear the session
if err := session.Clear(req, rw); err != nil {
h.logger.Errorf("Error clearing session during logout: %v", err)
}
}
// Build logout URL
logoutURL := h.buildLogoutURL(idToken)
h.logger.Debugf("Redirecting to logout URL: %s", logoutURL)
http.Redirect(rw, req, logoutURL, http.StatusFound)
}
// buildLogoutURL constructs the provider logout URL
func (h *SessionHandler) buildLogoutURL(idToken string) string {
if h.endSessionURL == "" {
// If no end session URL, redirect to post-logout redirect URI
return h.postLogoutRedirectURI
}
logoutURL := h.endSessionURL
// Add query parameters
params := make([]string, 0, 3)
if idToken != "" {
params = append(params, fmt.Sprintf("id_token_hint=%s", idToken))
}
if h.postLogoutRedirectURI != "" {
params = append(params, fmt.Sprintf("post_logout_redirect_uri=%s", h.postLogoutRedirectURI))
}
if h.clientID != "" {
params = append(params, fmt.Sprintf("client_id=%s", h.clientID))
}
if len(params) > 0 {
separator := "?"
if strings.Contains(logoutURL, "?") {
separator = "&"
}
logoutURL += separator + strings.Join(params, "&")
}
return logoutURL
}
// ValidateSession checks if a session is valid and authenticated
func (h *SessionHandler) ValidateSession(session Session) SessionValidationResult {
if session == nil {
return SessionValidationResult{
Valid: false,
NeedsAuth: true,
ErrorMessage: "session is nil",
}
}
if !session.GetAuthenticated() {
return SessionValidationResult{
Valid: false,
NeedsAuth: true,
ErrorMessage: "session not authenticated",
}
}
email := session.GetEmail()
if email == "" {
return SessionValidationResult{
Valid: false,
NeedsAuth: true,
ErrorMessage: "no email in session",
}
}
return SessionValidationResult{
Valid: true,
NeedsAuth: false,
}
}
// SessionValidationResult represents the result of session validation
type SessionValidationResult struct {
Valid bool
NeedsAuth bool
ErrorMessage string
}
// CleanupExpiredSession clears an expired session
func (h *SessionHandler) CleanupExpiredSession(rw http.ResponseWriter, req *http.Request, session Session) error {
h.logger.Debug("Cleaning up expired session")
if session == nil {
return nil
}
// Clear all session data
if err := session.SetAuthenticated(false); err != nil {
h.logger.Errorf("Failed to set authenticated to false: %v", err)
}
session.SetEmail("")
session.SetRefreshToken("")
// Save the cleared session
if err := session.Save(req, rw); err != nil {
h.logger.Errorf("Failed to save cleared session: %v", err)
return err
}
return nil
}
// IsAjaxRequest determines if the request is an AJAX/XHR request
func (h *SessionHandler) IsAjaxRequest(req *http.Request) bool {
// Check X-Requested-With header (commonly used by jQuery and other libraries)
if req.Header.Get("X-Requested-With") == "XMLHttpRequest" {
return true
}
// Check Accept header for JSON preference
accept := req.Header.Get("Accept")
if strings.Contains(accept, "application/json") && !strings.Contains(accept, "text/html") {
return true
}
// Check for fetch API indication
if req.Header.Get("Sec-Fetch-Mode") == "cors" {
return true
}
return false
}
// SendErrorResponse sends an appropriate error response based on request type
func (h *SessionHandler) SendErrorResponse(rw http.ResponseWriter, req *http.Request, message string, statusCode int) {
if h.IsAjaxRequest(req) {
// For AJAX requests, send JSON response
rw.Header().Set("Content-Type", "application/json")
rw.WriteHeader(statusCode)
fmt.Fprintf(rw, `{"error": "%s"}`, message)
} else {
// For browser requests, send HTML response
rw.Header().Set("Content-Type", "text/html")
rw.WriteHeader(statusCode)
fmt.Fprintf(rw, `<html><body><h1>Error %d</h1><p>%s</p></body></html>`, statusCode, message)
}
}
// SetSecurityHeaders sets standard security headers
func (h *SessionHandler) SetSecurityHeaders(rw http.ResponseWriter, req *http.Request) {
rw.Header().Set("X-Frame-Options", "DENY")
rw.Header().Set("X-Content-Type-Options", "nosniff")
rw.Header().Set("X-XSS-Protection", "1; mode=block")
rw.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
// Handle CORS for AJAX requests
origin := req.Header.Get("Origin")
if origin != "" {
rw.Header().Set("Access-Control-Allow-Origin", origin)
rw.Header().Set("Access-Control-Allow-Credentials", "true")
rw.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
rw.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
if req.Method == "OPTIONS" {
rw.WriteHeader(http.StatusOK)
return
}
}
}
internal/handlers/session_handler_test.go
+587
View File
@@ -0,0 +1,587 @@
package handlers
import (
"fmt"
"net/http"
"net/http/httptest"
"strings"
"testing"
)
func TestNewSessionHandler(t *testing.T) {
sessionManager := &MockSessionManager{}
logger := &MockLogger{}
logoutURLPath := "/logout"
postLogoutRedirectURI := "https://example.com/post-logout"
endSessionURL := "https://provider.example.com/logout"
clientID := "test-client-id"
handler := NewSessionHandler(
sessionManager,
logger,
logoutURLPath,
postLogoutRedirectURI,
endSessionURL,
clientID,
)
if handler == nil {
t.Fatal("NewSessionHandler returned nil")
}
if handler.sessionManager != sessionManager {
t.Error("SessionManager not set correctly")
}
if handler.logger != logger {
t.Error("Logger not set correctly")
}
if handler.logoutURLPath != logoutURLPath {
t.Error("LogoutURLPath not set correctly")
}
if handler.postLogoutRedirectURI != postLogoutRedirectURI {
t.Error("PostLogoutRedirectURI not set correctly")
}
if handler.endSessionURL != endSessionURL {
t.Error("EndSessionURL not set correctly")
}
if handler.clientID != clientID {
t.Error("ClientID not set correctly")
}
}
func TestSessionHandler_HandleLogout(t *testing.T) {
tests := []struct {
name string
setupSession func() *MockSession
setupManager func() *MockSessionManager
expectedCode int
expectedURL string
}{
{
name: "Successful logout with ID token",
setupSession: func() *MockSession {
return &MockSession{
authenticated: true,
idToken: "test-id-token",
}
},
setupManager: func() *MockSessionManager {
return &MockSessionManager{
session: &MockSession{
authenticated: true,
idToken: "test-id-token",
},
}
},
expectedCode: http.StatusFound,
expectedURL: "https://provider.example.com/logout?id_token_hint=test-id-token&post_logout_redirect_uri=https://example.com/post-logout&client_id=test-client-id",
},
{
name: "Logout without ID token",
setupSession: func() *MockSession {
return &MockSession{
authenticated: true,
idToken: "",
}
},
setupManager: func() *MockSessionManager {
return &MockSessionManager{
session: &MockSession{
authenticated: true,
idToken: "",
},
}
},
expectedCode: http.StatusFound,
expectedURL: "https://provider.example.com/logout?post_logout_redirect_uri=https://example.com/post-logout&client_id=test-client-id",
},
{
name: "Session retrieval error",
setupSession: func() *MockSession { return nil },
setupManager: func() *MockSessionManager {
return &MockSessionManager{
err: fmt.Errorf("session error"),
}
},
expectedCode: http.StatusFound,
expectedURL: "https://provider.example.com/logout?post_logout_redirect_uri=https://example.com/post-logout&client_id=test-client-id",
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
handler := &SessionHandler{
sessionManager: test.setupManager(),
logger: &MockLogger{},
logoutURLPath: "/logout",
postLogoutRedirectURI: "https://example.com/post-logout",
endSessionURL: "https://provider.example.com/logout",
clientID: "test-client-id",
}
req := httptest.NewRequest("POST", "/logout", nil)
rw := httptest.NewRecorder()
handler.HandleLogout(rw, req)
if rw.Code != test.expectedCode {
t.Errorf("Expected status code %d, got %d", test.expectedCode, rw.Code)
}
location := rw.Header().Get("Location")
if location != test.expectedURL {
t.Errorf("Expected location '%s', got '%s'", test.expectedURL, location)
}
})
}
}
func TestSessionHandler_buildLogoutURL(t *testing.T) {
tests := []struct {
name string
endSessionURL string
postLogoutRedirectURI string
clientID string
idToken string
expected string
}{
{
name: "Complete logout URL with all parameters",
endSessionURL: "https://provider.example.com/logout",
postLogoutRedirectURI: "https://example.com/post-logout",
clientID: "test-client-id",
idToken: "test-id-token",
expected: "https://provider.example.com/logout?id_token_hint=test-id-token&post_logout_redirect_uri=https://example.com/post-logout&client_id=test-client-id",
},
{
name: "Logout URL without ID token",
endSessionURL: "https://provider.example.com/logout",
postLogoutRedirectURI: "https://example.com/post-logout",
clientID: "test-client-id",
idToken: "",
expected: "https://provider.example.com/logout?post_logout_redirect_uri=https://example.com/post-logout&client_id=test-client-id",
},
{
name: "No end session URL",
endSessionURL: "",
postLogoutRedirectURI: "https://example.com/post-logout",
clientID: "test-client-id",
idToken: "test-id-token",
expected: "https://example.com/post-logout",
},
{
name: "End session URL with existing query parameters",
endSessionURL: "https://provider.example.com/logout?foo=bar",
postLogoutRedirectURI: "https://example.com/post-logout",
clientID: "test-client-id",
idToken: "",
expected: "https://provider.example.com/logout?foo=bar&post_logout_redirect_uri=https://example.com/post-logout&client_id=test-client-id",
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
handler := &SessionHandler{
endSessionURL: test.endSessionURL,
postLogoutRedirectURI: test.postLogoutRedirectURI,
clientID: test.clientID,
}
result := handler.buildLogoutURL(test.idToken)
if result != test.expected {
t.Errorf("Expected '%s', got '%s'", test.expected, result)
}
})
}
}
func TestSessionHandler_ValidateSession(t *testing.T) {
handler := &SessionHandler{}
tests := []struct {
name string
session Session
expectedValid bool
expectedAuth bool
expectedMessage string
}{
{
name: "Nil session",
session: nil,
expectedValid: false,
expectedAuth: true,
expectedMessage: "session is nil",
},
{
name: "Not authenticated session",
session: &MockSession{
authenticated: false,
},
expectedValid: false,
expectedAuth: true,
expectedMessage: "session not authenticated",
},
{
name: "Authenticated session without email",
session: &MockSession{
authenticated: true,
email: "",
},
expectedValid: false,
expectedAuth: true,
expectedMessage: "no email in session",
},
{
name: "Valid authenticated session with email",
session: &MockSession{
authenticated: true,
email: "user@example.com",
},
expectedValid: true,
expectedAuth: false,
expectedMessage: "",
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
result := handler.ValidateSession(test.session)
if result.Valid != test.expectedValid {
t.Errorf("Expected Valid %v, got %v", test.expectedValid, result.Valid)
}
if result.NeedsAuth != test.expectedAuth {
t.Errorf("Expected NeedsAuth %v, got %v", test.expectedAuth, result.NeedsAuth)
}
if result.ErrorMessage != test.expectedMessage {
t.Errorf("Expected ErrorMessage '%s', got '%s'", test.expectedMessage, result.ErrorMessage)
}
})
}
}
func TestSessionHandler_CleanupExpiredSession(t *testing.T) {
tests := []struct {
name string
session *MockSession
expectError bool
}{
{
name: "Successful cleanup",
session: &MockSession{
authenticated: true,
email: "user@example.com",
refreshToken: "refresh-token",
},
expectError: false,
},
{
name: "Save error during cleanup",
session: &MockSession{
authenticated: true,
email: "user@example.com",
refreshToken: "refresh-token",
saveError: fmt.Errorf("save failed"),
},
expectError: true,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
handler := &SessionHandler{
logger: &MockLogger{},
}
req := httptest.NewRequest("GET", "/", nil)
rw := httptest.NewRecorder()
err := handler.CleanupExpiredSession(rw, req, test.session)
if test.expectError && err == nil {
t.Error("Expected error but got nil")
}
if !test.expectError && err != nil {
t.Errorf("Expected no error but got: %v", err)
}
if test.session != nil && !test.expectError {
if test.session.authenticated {
t.Error("Expected session authenticated to be false after cleanup")
}
if test.session.email != "" {
t.Error("Expected session email to be empty after cleanup")
}
if test.session.refreshToken != "" {
t.Error("Expected session refresh token to be empty after cleanup")
}
}
})
}
// Test nil session separately
t.Run("Nil session", func(t *testing.T) {
handler := &SessionHandler{
logger: &MockLogger{},
}
req := httptest.NewRequest("GET", "/", nil)
rw := httptest.NewRecorder()
var nilSession Session = nil
err := handler.CleanupExpiredSession(rw, req, nilSession)
if err != nil {
t.Errorf("Expected no error for nil session, got: %v", err)
}
})
}
func TestSessionHandler_IsAjaxRequest(t *testing.T) {
handler := &SessionHandler{}
tests := []struct {
name string
headers map[string]string
expected bool
}{
{
name: "XMLHttpRequest header",
headers: map[string]string{
"X-Requested-With": "XMLHttpRequest",
},
expected: true,
},
{
name: "JSON Accept header without HTML",
headers: map[string]string{
"Accept": "application/json",
},
expected: true,
},
{
name: "JSON Accept header with HTML",
headers: map[string]string{
"Accept": "application/json, text/html",
},
expected: false,
},
{
name: "Fetch API CORS mode",
headers: map[string]string{
"Sec-Fetch-Mode": "cors",
},
expected: true,
},
{
name: "Regular browser request",
headers: map[string]string{
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
},
expected: false,
},
{
name: "No special headers",
headers: map[string]string{},
expected: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
req := httptest.NewRequest("GET", "/", nil)
for key, value := range test.headers {
req.Header.Set(key, value)
}
result := handler.IsAjaxRequest(req)
if result != test.expected {
t.Errorf("Expected %v, got %v", test.expected, result)
}
})
}
}
func TestSessionHandler_SendErrorResponse(t *testing.T) {
tests := []struct {
name string
isAjax bool
message string
statusCode int
expectedContentType string
expectedBodyContains string
}{
{
name: "AJAX error response",
isAjax: true,
message: "Authentication failed",
statusCode: http.StatusUnauthorized,
expectedContentType: "application/json",
expectedBodyContains: `{"error": "Authentication failed"}`,
},
{
name: "Browser error response",
isAjax: false,
message: "Session expired",
statusCode: http.StatusForbidden,
expectedContentType: "text/html",
expectedBodyContains: "<h1>Error 403</h1>",
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
handler := &SessionHandler{}
req := httptest.NewRequest("GET", "/", nil)
if test.isAjax {
req.Header.Set("X-Requested-With", "XMLHttpRequest")
}
rw := httptest.NewRecorder()
handler.SendErrorResponse(rw, req, test.message, test.statusCode)
if rw.Code != test.statusCode {
t.Errorf("Expected status code %d, got %d", test.statusCode, rw.Code)
}
contentType := rw.Header().Get("Content-Type")
if contentType != test.expectedContentType {
t.Errorf("Expected Content-Type '%s', got '%s'", test.expectedContentType, contentType)
}
body := rw.Body.String()
if !strings.Contains(body, test.expectedBodyContains) {
t.Errorf("Expected body to contain '%s', got '%s'", test.expectedBodyContains, body)
}
})
}
}
func TestSessionHandler_SetSecurityHeaders(t *testing.T) {
tests := []struct {
name string
method string
origin string
expectedCORS bool
expectedStatus int
}{
{
name: "Regular request without CORS",
method: "GET",
origin: "",
expectedCORS: false,
expectedStatus: 0, // No status written
},
{
name: "CORS request with origin",
method: "GET",
origin: "https://example.com",
expectedCORS: true,
expectedStatus: 0,
},
{
name: "OPTIONS preflight request",
method: "OPTIONS",
origin: "https://example.com",
expectedCORS: true,
expectedStatus: http.StatusOK,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
handler := &SessionHandler{}
req := httptest.NewRequest(test.method, "/", nil)
if test.origin != "" {
req.Header.Set("Origin", test.origin)
}
rw := httptest.NewRecorder()
handler.SetSecurityHeaders(rw, req)
// Check standard security headers
expectedSecurityHeaders := map[string]string{
"X-Frame-Options": "DENY",
"X-Content-Type-Options": "nosniff",
"X-XSS-Protection": "1; mode=block",
"Referrer-Policy": "strict-origin-when-cross-origin",
}
for header, expectedValue := range expectedSecurityHeaders {
actualValue := rw.Header().Get(header)
if actualValue != expectedValue {
t.Errorf("Expected %s header '%s', got '%s'", header, expectedValue, actualValue)
}
}
// Check CORS headers
if test.expectedCORS {
corsOrigin := rw.Header().Get("Access-Control-Allow-Origin")
if corsOrigin != test.origin {
t.Errorf("Expected CORS origin '%s', got '%s'", test.origin, corsOrigin)
}
corsCredentials := rw.Header().Get("Access-Control-Allow-Credentials")
if corsCredentials != "true" {
t.Errorf("Expected CORS credentials 'true', got '%s'", corsCredentials)
}
corsMethods := rw.Header().Get("Access-Control-Allow-Methods")
if corsMethods != "GET, POST, OPTIONS" {
t.Errorf("Expected CORS methods 'GET, POST, OPTIONS', got '%s'", corsMethods)
}
corsHeaders := rw.Header().Get("Access-Control-Allow-Headers")
if corsHeaders != "Authorization, Content-Type" {
t.Errorf("Expected CORS headers 'Authorization, Content-Type', got '%s'", corsHeaders)
}
} else {
corsOrigin := rw.Header().Get("Access-Control-Allow-Origin")
if corsOrigin != "" {
t.Errorf("Expected no CORS origin header, got '%s'", corsOrigin)
}
}
// Check status code for OPTIONS requests
if test.expectedStatus > 0 {
if rw.Code != test.expectedStatus {
t.Errorf("Expected status code %d, got %d", test.expectedStatus, rw.Code)
}
}
})
}
}
func TestSessionValidationResult(t *testing.T) {
result := SessionValidationResult{
Valid: true,
NeedsAuth: false,
ErrorMessage: "test message",
}
if !result.Valid {
t.Error("Expected Valid to be true")
}
if result.NeedsAuth {
t.Error("Expected NeedsAuth to be false")
}
if result.ErrorMessage != "test message" {
t.Errorf("Expected ErrorMessage 'test message', got '%s'", result.ErrorMessage)
}
}
internal/httpclient/client_additional_test.go
+408
View File
@@ -0,0 +1,408 @@
package httpclient
import (
"context"
"crypto/tls"
"net/http"
"net/http/httptest"
"testing"
"time"
)
// TestCreateProxy tests the CreateProxy method
func TestCreateProxy(t *testing.T) {
factory := NewFactory(nil)
client, err := factory.CreateProxy()
if err != nil {
t.Fatalf("Failed to create proxy client: %v", err)
}
if client == nil {
t.Fatal("Expected non-nil proxy client")
}
// Verify proxy configuration specifics
if client.Timeout != 60*time.Second {
t.Errorf("Expected proxy timeout to be 60s, got %v", client.Timeout)
}
}
// TestValidateConfigEdgeCases tests additional validation scenarios
func TestValidateConfigEdgeCases(t *testing.T) {
factory := NewFactory(nil)
testCases := []struct {
name string
config Config
shouldFail bool
errorMsg string
}{
{
name: "Negative MaxIdleConnsPerHost",
config: Config{
MaxIdleConnsPerHost: -1,
},
shouldFail: true,
errorMsg: "MaxIdleConnsPerHost cannot be negative",
},
{
name: "Excessive MaxIdleConnsPerHost",
config: Config{
MaxIdleConnsPerHost: 200,
},
shouldFail: true,
errorMsg: "MaxIdleConnsPerHost too high",
},
{
name: "Negative MaxConnsPerHost",
config: Config{
MaxConnsPerHost: -1,
},
shouldFail: true,
errorMsg: "MaxConnsPerHost cannot be negative",
},
{
name: "Excessive MaxConnsPerHost",
config: Config{
MaxConnsPerHost: 300,
},
shouldFail: true,
errorMsg: "MaxConnsPerHost too high",
},
{
name: "Negative WriteBufferSize",
config: Config{
WriteBufferSize: -1,
},
shouldFail: true,
errorMsg: "buffer sizes cannot be negative",
},
{
name: "Negative ReadBufferSize",
config: Config{
ReadBufferSize: -1,
},
shouldFail: true,
errorMsg: "buffer sizes cannot be negative",
},
{
name: "Excessive WriteBufferSize",
config: Config{
WriteBufferSize: 2 * 1024 * 1024,
},
shouldFail: true,
errorMsg: "buffer sizes too large",
},
{
name: "Excessive ReadBufferSize",
config: Config{
ReadBufferSize: 2 * 1024 * 1024,
},
shouldFail: true,
errorMsg: "buffer sizes too large",
},
{
name: "Valid edge values",
config: Config{
MaxIdleConns: 1000,
MaxIdleConnsPerHost: 100,
MaxConnsPerHost: 200,
Timeout: 5 * time.Minute,
WriteBufferSize: 1024 * 1024,
ReadBufferSize: 1024 * 1024,
},
shouldFail: false,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
err := factory.ValidateConfig(&tc.config)
if tc.shouldFail {
if err == nil {
t.Fatalf("Expected validation to fail with message containing: %s", tc.errorMsg)
}
} else {
if err != nil {
t.Fatalf("Unexpected validation error: %v", err)
}
}
})
}
}
// TestTransportPoolClose tests the Close method of TransportPool
func TestTransportPoolClose(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
pool := &TransportPool{
transports: make(map[string]*sharedTransport),
maxConns: 20,
ctx: ctx,
cancel: cancel,
clientCount: 0,
maxClients: 5,
}
// Create some transports
config := PresetConfigs[ClientTypeDefault]
transport1 := pool.GetOrCreateTransport(config)
if transport1 == nil {
t.Fatal("Failed to create transport")
}
// Modify config slightly to create a different transport
config.Timeout = 20 * time.Second
transport2 := pool.GetOrCreateTransport(config)
if transport2 == nil {
t.Fatal("Failed to create second transport")
}
// Verify transports were created
pool.mu.RLock()
initialCount := len(pool.transports)
pool.mu.RUnlock()
if initialCount == 0 {
t.Fatal("Expected transports to be created")
}
// Close the pool
err := pool.Close()
if err != nil {
t.Fatalf("Failed to close pool: %v", err)
}
// Verify all transports were removed
pool.mu.RLock()
finalCount := len(pool.transports)
pool.mu.RUnlock()
if finalCount != 0 {
t.Fatalf("Expected 0 transports after close, got %d", finalCount)
}
// Verify client count was reset
if pool.clientCount != 0 {
t.Fatalf("Expected client count to be 0 after close, got %d", pool.clientCount)
}
}
// TestNoOpLogger tests the no-op logger implementation
func TestNoOpLogger(t *testing.T) {
logger := &noOpLogger{}
// These should not panic or cause any issues
logger.Debug("test debug")
logger.Debugf("test debug %s", "formatted")
logger.Info("test info")
logger.Infof("test info %s", "formatted")
logger.Error("test error")
logger.Errorf("test error %s", "formatted")
// Test using logger with factory
factory := NewFactory(logger)
client, err := factory.CreateDefault()
if err != nil {
t.Fatalf("Failed to create client with no-op logger: %v", err)
}
if client == nil {
t.Fatal("Expected non-nil client")
}
}
// TestCreateClientWithCustomTLS tests creating client with custom TLS config
func TestCreateClientWithCustomTLS(t *testing.T) {
factory := NewFactory(nil)
customTLS := &tls.Config{
MinVersion: tls.VersionTLS13,
MaxVersion: tls.VersionTLS13,
}
config := Config{
Timeout: 10 * time.Second,
MaxIdleConns: 10,
MaxIdleConnsPerHost: 2,
MaxConnsPerHost: 5,
TLSConfig: customTLS,
}
client, err := factory.CreateClient(config)
if err != nil {
t.Fatalf("Failed to create client with custom TLS: %v", err)
}
if client == nil {
t.Fatal("Expected non-nil client")
}
}
// TestCreateClientWithMaxRedirects tests redirect limiting
func TestCreateClientWithMaxRedirects(t *testing.T) {
redirectCount := 0
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
redirectCount++
if redirectCount <= 3 {
http.Redirect(w, r, "/redirect", http.StatusFound)
} else {
w.WriteHeader(http.StatusOK)
w.Write([]byte("final"))
}
}))
defer server.Close()
factory := NewFactory(nil)
// Test with max redirects = 2 (should fail)
config := Config{
Timeout: 10 * time.Second,
MaxRedirects: 2,
MaxIdleConns: 10,
MaxIdleConnsPerHost: 2,
MaxConnsPerHost: 5,
}
client, err := factory.CreateClient(config)
if err != nil {
t.Fatalf("Failed to create client: %v", err)
}
redirectCount = 0
_, err = client.Get(server.URL)
if err == nil {
t.Fatal("Expected redirect limit error")
}
// Test with max redirects = 5 (should succeed)
config.MaxRedirects = 5
client, err = factory.CreateClient(config)
if err != nil {
t.Fatalf("Failed to create client: %v", err)
}
redirectCount = 0
resp, err := client.Get(server.URL)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("Expected status 200, got %d", resp.StatusCode)
}
}
// TestTransportPoolMaxClientsLimit tests the max clients limitation
func TestTransportPoolMaxClientsLimit(t *testing.T) {
pool := &TransportPool{
transports: make(map[string]*sharedTransport),
maxConns: 20,
clientCount: 0,
maxClients: 2, // Set low limit for testing
}
// Create transports up to the limit
configs := []Config{
{Timeout: 10 * time.Second},
{Timeout: 20 * time.Second},
{Timeout: 30 * time.Second}, // This should not create a new transport
}
for i, config := range configs {
transport := pool.GetOrCreateTransport(config)
if i < 2 {
if transport == nil {
t.Fatalf("Expected transport %d to be created", i)
}
// Transport created successfully within limit
} else {
// When limit is reached, should return existing transport or nil
if transport == nil {
// This is acceptable - nil when limit reached
t.Log("Transport creation blocked due to client limit")
}
}
}
// Verify client count doesn't exceed limit
if pool.clientCount > pool.maxClients {
t.Fatalf("Client count %d exceeds max %d", pool.clientCount, pool.maxClients)
}
}
// TestCleanupIdleTransportsContext tests cleanup goroutine with context
func TestCleanupIdleTransportsContext(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
pool := &TransportPool{
transports: make(map[string]*sharedTransport),
maxConns: 20,
ctx: ctx,
cancel: cancel,
clientCount: 0,
maxClients: 5,
}
// Start cleanup goroutine
done := make(chan bool)
go func() {
pool.cleanupIdleTransports(ctx)
done <- true
}()
// Give it a moment to start
time.Sleep(10 * time.Millisecond)
// Cancel context to stop cleanup
cancel()
// Wait for goroutine to exit
select {
case <-done:
// Success - goroutine exited
case <-time.After(1 * time.Second):
t.Fatal("Cleanup goroutine did not exit after context cancellation")
}
}
// TestFactoryWithLogger tests factory creation with custom logger
func TestFactoryWithLogger(t *testing.T) {
// Create a mock logger that implements the Logger interface
logger := &MockLogger{}
factory := NewFactory(logger)
if factory.logger == nil {
t.Fatal("Expected logger to be set")
}
}
// MockLogger for testing
type MockLogger struct {
debugCalled bool
debugfCalled bool
infoCalled bool
infofCalled bool
errorCalled bool
errorfCalled bool
}
func (m *MockLogger) Debug(msg string) { m.debugCalled = true }
func (m *MockLogger) Debugf(format string, args ...interface{}) { m.debugfCalled = true }
func (m *MockLogger) Info(msg string) { m.infoCalled = true }
func (m *MockLogger) Infof(format string, args ...interface{}) { m.infofCalled = true }
func (m *MockLogger) Error(msg string) { m.errorCalled = true }
func (m *MockLogger) Errorf(format string, args ...interface{}) { m.errorfCalled = true }
// TestCreateClientLogging tests that logger is called during client creation
func TestCreateClientLogging(t *testing.T) {
logger := &MockLogger{}
factory := NewFactory(logger)
client, err := factory.CreateDefault()
if err != nil {
t.Fatalf("Failed to create client: %v", err)
}
if client == nil {
t.Fatal("Expected non-nil client")
}
// Verify logger was called
if !logger.debugfCalled {
t.Error("Expected Debugf to be called during client creation")
}
}
internal/middleware/request_handler.go
+122
View File
@@ -0,0 +1,122 @@
package middleware
import (
"fmt"
"net/http"
"strings"
"time"
)
// RequestContext holds request processing context
type RequestContext struct {
Writer http.ResponseWriter
Request *http.Request
RedirectURL string
Scheme string
Host string
}
// RequestProcessor handles common request processing operations
type RequestProcessor struct {
logger Logger
}
// Logger interface for logging operations
type Logger interface {
Debug(msg string)
Debugf(format string, args ...interface{})
Error(msg string)
Errorf(format string, args ...interface{})
Info(msg string)
Infof(format string, args ...interface{})
}
// NewRequestProcessor creates a new request processor
func NewRequestProcessor(logger Logger) *RequestProcessor {
return &RequestProcessor{
logger: logger,
}
}
// BuildRequestContext creates a request context with scheme and host detection
func (rp *RequestProcessor) BuildRequestContext(rw http.ResponseWriter, req *http.Request, redirectPath string) *RequestContext {
scheme := rp.determineScheme(req)
host := rp.determineHost(req)
redirectURL := buildFullURL(scheme, host, redirectPath)
return &RequestContext{
Writer: rw,
Request: req,
RedirectURL: redirectURL,
Scheme: scheme,
Host: host,
}
}
// IsHealthCheckRequest checks if request is a health check
func (rp *RequestProcessor) IsHealthCheckRequest(req *http.Request) bool {
return strings.HasPrefix(req.URL.Path, "/health")
}
// IsEventStreamRequest checks if request expects event stream
func (rp *RequestProcessor) IsEventStreamRequest(req *http.Request) bool {
acceptHeader := req.Header.Get("Accept")
return strings.Contains(acceptHeader, "text/event-stream")
}
// IsAjaxRequest determines if this is an AJAX request
func (rp *RequestProcessor) IsAjaxRequest(req *http.Request) bool {
xhr := req.Header.Get("X-Requested-With")
contentType := req.Header.Get("Content-Type")
accept := req.Header.Get("Accept")
return xhr == "XMLHttpRequest" ||
strings.Contains(contentType, "application/json") ||
strings.Contains(accept, "application/json")
}
// WaitForInitialization waits for OIDC provider initialization with timeout
func (rp *RequestProcessor) WaitForInitialization(req *http.Request, initComplete <-chan struct{}) error {
select {
case <-initComplete:
return nil
case <-req.Context().Done():
rp.logger.Debug("Request cancelled while waiting for OIDC initialization")
return fmt.Errorf("request cancelled")
case <-time.After(30 * time.Second):
rp.logger.Error("Timeout waiting for OIDC initialization")
return fmt.Errorf("timeout waiting for OIDC provider initialization")
}
}
// determineScheme determines the URL scheme for building redirect URLs
func (rp *RequestProcessor) determineScheme(req *http.Request) string {
if scheme := req.Header.Get("X-Forwarded-Proto"); scheme != "" {
return scheme
}
if req.TLS != nil {
return "https"
}
return "http"
}
// determineHost determines the host for building redirect URLs
func (rp *RequestProcessor) determineHost(req *http.Request) string {
if host := req.Header.Get("X-Forwarded-Host"); host != "" {
return host
}
return req.Host
}
// buildFullURL constructs a complete URL from scheme, host, and path components
func buildFullURL(scheme, host, path string) string {
if strings.HasPrefix(path, "http://") || strings.HasPrefix(path, "https://") {
return path
}
if !strings.HasPrefix(path, "/") {
path = "/" + path
}
return fmt.Sprintf("%s://%s%s", scheme, host, path)
}
internal/middleware/request_handler_test.go
+655
View File
@@ -0,0 +1,655 @@
package middleware
import (
"context"
"crypto/tls"
"net/http"
"net/http/httptest"
"strings"
"testing"
"time"
)
// MockLogger implements the Logger interface for testing
type MockLogger struct {
DebugCalls []string
DebugfCalls []string
ErrorCalls []string
ErrorfCalls []string
InfoCalls []string
InfofCalls []string
}
func (m *MockLogger) Debug(msg string) {
m.DebugCalls = append(m.DebugCalls, msg)
}
func (m *MockLogger) Debugf(format string, args ...interface{}) {
m.DebugfCalls = append(m.DebugfCalls, format)
}
func (m *MockLogger) Error(msg string) {
m.ErrorCalls = append(m.ErrorCalls, msg)
}
func (m *MockLogger) Errorf(format string, args ...interface{}) {
m.ErrorfCalls = append(m.ErrorfCalls, format)
}
func (m *MockLogger) Info(msg string) {
m.InfoCalls = append(m.InfoCalls, msg)
}
func (m *MockLogger) Infof(format string, args ...interface{}) {
m.InfofCalls = append(m.InfofCalls, format)
}
// TestNewRequestProcessor tests the constructor
func TestNewRequestProcessor(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
if processor == nil {
t.Error("Expected NewRequestProcessor to return non-nil processor")
return
}
if processor.logger != logger {
t.Error("Expected processor to use provided logger")
}
}
// TestBuildRequestContext tests request context building
func TestBuildRequestContext(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
tests := []struct {
name string
setupRequest func() (*http.Request, http.ResponseWriter)
redirectPath string
expectedURL string
expectedHost string
}{
{
name: "Basic HTTP request",
setupRequest: func() (*http.Request, http.ResponseWriter) {
req := httptest.NewRequest("GET", "http://example.com/test", nil)
rw := httptest.NewRecorder()
return req, rw
},
redirectPath: "/callback",
expectedURL: "http://example.com/callback",
expectedHost: "example.com",
},
{
name: "HTTPS request with TLS",
setupRequest: func() (*http.Request, http.ResponseWriter) {
req := httptest.NewRequest("GET", "https://secure.com/test", nil)
req.TLS = &tls.ConnectionState{} // Simulate TLS
rw := httptest.NewRecorder()
return req, rw
},
redirectPath: "/auth",
expectedURL: "https://secure.com/auth",
expectedHost: "secure.com",
},
{
name: "Request with X-Forwarded-Proto header",
setupRequest: func() (*http.Request, http.ResponseWriter) {
req := httptest.NewRequest("GET", "http://internal.com/test", nil)
req.Header.Set("X-Forwarded-Proto", "https")
rw := httptest.NewRecorder()
return req, rw
},
redirectPath: "/callback",
expectedURL: "https://internal.com/callback",
expectedHost: "internal.com",
},
{
name: "Request with X-Forwarded-Host header",
setupRequest: func() (*http.Request, http.ResponseWriter) {
req := httptest.NewRequest("GET", "http://internal.com/test", nil)
req.Header.Set("X-Forwarded-Host", "public.com")
rw := httptest.NewRecorder()
return req, rw
},
redirectPath: "/callback",
expectedURL: "http://public.com/callback",
expectedHost: "public.com",
},
{
name: "Request with both forwarded headers",
setupRequest: func() (*http.Request, http.ResponseWriter) {
req := httptest.NewRequest("GET", "http://internal.com/test", nil)
req.Header.Set("X-Forwarded-Proto", "https")
req.Header.Set("X-Forwarded-Host", "public.com")
rw := httptest.NewRecorder()
return req, rw
},
redirectPath: "/auth",
expectedURL: "https://public.com/auth",
expectedHost: "public.com",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req, rw := tt.setupRequest()
ctx := processor.BuildRequestContext(rw, req, tt.redirectPath)
if ctx == nil {
t.Error("Expected BuildRequestContext to return non-nil context")
return
}
if ctx.Writer != rw {
t.Error("Expected context writer to match provided writer")
}
if ctx.Request != req {
t.Error("Expected context request to match provided request")
}
if ctx.RedirectURL != tt.expectedURL {
t.Errorf("Expected redirect URL '%s', got '%s'", tt.expectedURL, ctx.RedirectURL)
}
if ctx.Host != tt.expectedHost {
t.Errorf("Expected host '%s', got '%s'", tt.expectedHost, ctx.Host)
}
})
}
}
// TestIsHealthCheckRequest tests health check detection
func TestIsHealthCheckRequest(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
tests := []struct {
name string
path string
expected bool
}{
{
name: "Health check path",
path: "/health",
expected: true,
},
{
name: "Health check subpath",
path: "/health/status",
expected: true,
},
{
name: "Health check with query params",
path: "/health?check=db",
expected: true,
},
{
name: "Not a health check",
path: "/api/users",
expected: false,
},
{
name: "Health-related path (matches prefix)",
path: "/healthiness",
expected: true, // HasPrefix behavior - this actually matches
},
{
name: "Root path",
path: "/",
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("GET", "http://example.com"+tt.path, nil)
result := processor.IsHealthCheckRequest(req)
if result != tt.expected {
t.Errorf("Expected IsHealthCheckRequest to return %v for path '%s', got %v", tt.expected, tt.path, result)
}
})
}
}
// TestIsEventStreamRequest tests event stream detection
func TestIsEventStreamRequest(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
tests := []struct {
name string
acceptHeader string
expected bool
}{
{
name: "Event stream accept header",
acceptHeader: "text/event-stream",
expected: true,
},
{
name: "Event stream with other types",
acceptHeader: "text/html, text/event-stream, application/json",
expected: true,
},
{
name: "JSON accept header",
acceptHeader: "application/json",
expected: false,
},
{
name: "HTML accept header",
acceptHeader: "text/html,application/xhtml+xml",
expected: false,
},
{
name: "Empty accept header",
acceptHeader: "",
expected: false,
},
{
name: "Similar but not event stream",
acceptHeader: "text/event-source",
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("GET", "http://example.com/test", nil)
if tt.acceptHeader != "" {
req.Header.Set("Accept", tt.acceptHeader)
}
result := processor.IsEventStreamRequest(req)
if result != tt.expected {
t.Errorf("Expected IsEventStreamRequest to return %v for accept header '%s', got %v", tt.expected, tt.acceptHeader, result)
}
})
}
}
// TestIsAjaxRequest tests AJAX request detection
func TestIsAjaxRequest(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
tests := []struct {
name string
setupHeader func(*http.Request)
expected bool
}{
{
name: "XMLHttpRequest header",
setupHeader: func(req *http.Request) {
req.Header.Set("X-Requested-With", "XMLHttpRequest")
},
expected: true,
},
{
name: "JSON content type",
setupHeader: func(req *http.Request) {
req.Header.Set("Content-Type", "application/json")
},
expected: true,
},
{
name: "JSON content type with charset",
setupHeader: func(req *http.Request) {
req.Header.Set("Content-Type", "application/json; charset=utf-8")
},
expected: true,
},
{
name: "JSON accept header",
setupHeader: func(req *http.Request) {
req.Header.Set("Accept", "application/json")
},
expected: true,
},
{
name: "JSON accept with other types",
setupHeader: func(req *http.Request) {
req.Header.Set("Accept", "text/html, application/json, application/xml")
},
expected: true,
},
{
name: "Multiple AJAX indicators",
setupHeader: func(req *http.Request) {
req.Header.Set("X-Requested-With", "XMLHttpRequest")
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Accept", "application/json")
},
expected: true,
},
{
name: "Regular HTML request",
setupHeader: func(req *http.Request) {
req.Header.Set("Accept", "text/html,application/xhtml+xml")
},
expected: false,
},
{
name: "Form submission",
setupHeader: func(req *http.Request) {
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
},
expected: false,
},
{
name: "No special headers",
setupHeader: func(req *http.Request) {},
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("POST", "http://example.com/api", nil)
tt.setupHeader(req)
result := processor.IsAjaxRequest(req)
if result != tt.expected {
t.Errorf("Expected IsAjaxRequest to return %v, got %v", tt.expected, result)
}
})
}
}
// TestWaitForInitialization tests initialization waiting
func TestWaitForInitialization(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
t.Run("Initialization completes successfully", func(t *testing.T) {
req := httptest.NewRequest("GET", "http://example.com/test", nil)
initComplete := make(chan struct{})
go func() {
time.Sleep(10 * time.Millisecond)
close(initComplete)
}()
err := processor.WaitForInitialization(req, initComplete)
if err != nil {
t.Errorf("Expected no error when initialization completes, got: %v", err)
}
})
t.Run("Request context cancelled", func(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
req := httptest.NewRequest("GET", "http://example.com/test", nil)
req = req.WithContext(ctx)
initComplete := make(chan struct{})
go func() {
time.Sleep(10 * time.Millisecond)
cancel()
}()
err := processor.WaitForInitialization(req, initComplete)
if err == nil {
t.Error("Expected error when request context is cancelled")
}
if !strings.Contains(err.Error(), "request cancelled") {
t.Errorf("Expected 'request cancelled' error, got: %v", err)
}
if len(logger.DebugCalls) == 0 {
t.Error("Expected debug log when request is cancelled")
}
})
t.Run("Initialization timeout", func(t *testing.T) {
if testing.Short() {
t.Skip("Skipping timeout test in short mode")
}
req := httptest.NewRequest("GET", "http://example.com/test", nil)
initComplete := make(chan struct{}) // Never closes
// Note: This test takes 30 seconds due to hardcoded timeout in implementation
start := time.Now()
err := processor.WaitForInitialization(req, initComplete)
duration := time.Since(start)
if err == nil {
t.Error("Expected timeout error")
}
if !strings.Contains(err.Error(), "timeout") {
t.Errorf("Expected timeout error, got: %v", err)
}
// The timeout should be around 30 seconds, allow some variance
if duration < 29*time.Second || duration > 31*time.Second {
t.Errorf("Expected timeout after ~30 seconds, but got %v", duration)
}
if len(logger.ErrorCalls) == 0 {
t.Error("Expected error log when timeout occurs")
}
})
}
// TestDetermineScheme tests scheme determination
func TestDetermineScheme(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
tests := []struct {
name string
setup func(*http.Request)
expected string
}{
{
name: "X-Forwarded-Proto HTTPS",
setup: func(req *http.Request) {
req.Header.Set("X-Forwarded-Proto", "https")
},
expected: "https",
},
{
name: "X-Forwarded-Proto HTTP",
setup: func(req *http.Request) {
req.Header.Set("X-Forwarded-Proto", "http")
},
expected: "http",
},
{
name: "TLS connection without header",
setup: func(req *http.Request) {
req.TLS = &tls.ConnectionState{}
},
expected: "https",
},
{
name: "No TLS, no header",
setup: func(req *http.Request) {
// No special setup
},
expected: "http",
},
{
name: "X-Forwarded-Proto takes precedence over TLS",
setup: func(req *http.Request) {
req.Header.Set("X-Forwarded-Proto", "http")
req.TLS = &tls.ConnectionState{}
},
expected: "http",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("GET", "http://example.com/test", nil)
tt.setup(req)
result := processor.determineScheme(req)
if result != tt.expected {
t.Errorf("Expected scheme '%s', got '%s'", tt.expected, result)
}
})
}
}
// TestDetermineHost tests host determination
func TestDetermineHost(t *testing.T) {
logger := &MockLogger{}
processor := NewRequestProcessor(logger)
tests := []struct {
name string
setup func(*http.Request)
expected string
}{
{
name: "X-Forwarded-Host header present",
setup: func(req *http.Request) {
req.Header.Set("X-Forwarded-Host", "public.example.com")
},
expected: "public.example.com",
},
{
name: "No X-Forwarded-Host, use req.Host",
setup: func(req *http.Request) {
// No special setup, will use req.Host
},
expected: "example.com",
},
{
name: "Empty X-Forwarded-Host, fallback to req.Host",
setup: func(req *http.Request) {
req.Header.Set("X-Forwarded-Host", "")
},
expected: "example.com",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("GET", "http://example.com/test", nil)
tt.setup(req)
result := processor.determineHost(req)
if result != tt.expected {
t.Errorf("Expected host '%s', got '%s'", tt.expected, result)
}
})
}
}
// TestBuildFullURL tests URL building
func TestBuildFullURL(t *testing.T) {
tests := []struct {
name string
scheme string
host string
path string
expected string
}{
{
name: "Basic URL construction",
scheme: "https",
host: "example.com",
path: "/callback",
expected: "https://example.com/callback",
},
{
name: "Path without leading slash",
scheme: "http",
host: "test.com",
path: "auth",
expected: "http://test.com/auth",
},
{
name: "Absolute HTTP URL in path",
scheme: "https",
host: "example.com",
path: "http://other.com/callback",
expected: "http://other.com/callback",
},
{
name: "Absolute HTTPS URL in path",
scheme: "http",
host: "example.com",
path: "https://secure.com/auth",
expected: "https://secure.com/auth",
},
{
name: "Root path",
scheme: "https",
host: "example.com:8080",
path: "/",
expected: "https://example.com:8080/",
},
{
name: "Empty path",
scheme: "https",
host: "example.com",
path: "",
expected: "https://example.com/",
},
{
name: "Path with query parameters",
scheme: "https",
host: "example.com",
path: "/callback?state=abc123",
expected: "https://example.com/callback?state=abc123",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := buildFullURL(tt.scheme, tt.host, tt.path)
if result != tt.expected {
t.Errorf("Expected URL '%s', got '%s'", tt.expected, result)
}
})
}
}
// TestRequestContext tests the RequestContext struct
func TestRequestContext(t *testing.T) {
req := httptest.NewRequest("GET", "http://example.com/test", nil)
rw := httptest.NewRecorder()
ctx := &RequestContext{
Writer: rw,
Request: req,
RedirectURL: "https://example.com/callback",
Scheme: "https",
Host: "example.com",
}
if ctx.Writer != rw {
t.Error("Expected Writer to be set correctly")
}
if ctx.Request != req {
t.Error("Expected Request to be set correctly")
}
if ctx.RedirectURL != "https://example.com/callback" {
t.Error("Expected RedirectURL to be set correctly")
}
if ctx.Scheme != "https" {
t.Error("Expected Scheme to be set correctly")
}
if ctx.Host != "example.com" {
t.Error("Expected Host to be set correctly")
}
}
internal/patterns/regex_cache.go
+309
View File
@@ -0,0 +1,309 @@
// Package patterns provides cached compiled regex patterns for performance optimization
package patterns
import (
"regexp"
"sync"
)
// RegexCache manages compiled regex patterns with thread-safe access
type RegexCache struct {
patterns map[string]*regexp.Regexp
mu sync.RWMutex
}
// NewRegexCache creates a new regex cache instance
func NewRegexCache() *RegexCache {
return &RegexCache{
patterns: make(map[string]*regexp.Regexp),
}
}
// Get retrieves a compiled regex pattern, compiling and caching it if not present
func (c *RegexCache) Get(pattern string) (*regexp.Regexp, error) {
// First try read lock for existing pattern
c.mu.RLock()
if regex, exists := c.patterns[pattern]; exists {
c.mu.RUnlock()
return regex, nil
}
c.mu.RUnlock()
// Pattern not found, acquire write lock to compile and cache
c.mu.Lock()
defer c.mu.Unlock()
// Double-check in case another goroutine compiled it while we waited
if regex, exists := c.patterns[pattern]; exists {
return regex, nil
}
// Compile the pattern
regex, err := regexp.Compile(pattern)
if err != nil {
return nil, err
}
// Cache the compiled pattern
c.patterns[pattern] = regex
return regex, nil
}
// MustGet is like Get but panics if the pattern cannot be compiled
func (c *RegexCache) MustGet(pattern string) *regexp.Regexp {
regex, err := c.Get(pattern)
if err != nil {
panic("regex compilation failed for pattern '" + pattern + "': " + err.Error())
}
return regex
}
// Precompile compiles and caches multiple patterns at once
func (c *RegexCache) Precompile(patterns []string) error {
c.mu.Lock()
defer c.mu.Unlock()
for _, pattern := range patterns {
if _, exists := c.patterns[pattern]; !exists {
regex, err := regexp.Compile(pattern)
if err != nil {
return err
}
c.patterns[pattern] = regex
}
}
return nil
}
// Size returns the number of cached patterns
func (c *RegexCache) Size() int {
c.mu.RLock()
defer c.mu.RUnlock()
return len(c.patterns)
}
// Clear removes all cached patterns
func (c *RegexCache) Clear() {
c.mu.Lock()
defer c.mu.Unlock()
c.patterns = make(map[string]*regexp.Regexp)
}
// Global regex cache instance
var globalCache = NewRegexCache()
// Common regex patterns used throughout the OIDC implementation
const (
// Email validation pattern (RFC 5322 compliant)
EmailPattern = `^[a-zA-Z0-9.!#$%&'*+/=?^_` + "`" + `{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$`
// Domain validation pattern
DomainPattern = `^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$`
// URL validation pattern (http/https)
URLPattern = `^https?://[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*(/.*)?$`
// JWT token pattern (three base64url parts separated by dots)
JWTPattern = `^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$`
// Bearer token pattern (Authorization header)
BearerTokenPattern = `^Bearer\s+([A-Za-z0-9._~+/-]+=*)$`
// Client ID pattern (alphanumeric with common separators)
ClientIDPattern = `^[a-zA-Z0-9._-]+$`
// Scope pattern (space-separated alphanumeric with underscores)
ScopePattern = `^[a-zA-Z0-9_]+(\s+[a-zA-Z0-9_]+)*$`
// Session ID pattern (hexadecimal)
SessionIDPattern = `^[a-fA-F0-9]{32,128}$`
// CSRF token pattern (base64url)
CSRFTokenPattern = `^[A-Za-z0-9_-]+$`
// Nonce pattern (base64url)
NoncePattern = `^[A-Za-z0-9_-]+$`
// Code verifier pattern for PKCE (base64url, 43-128 chars)
CodeVerifierPattern = `^[A-Za-z0-9_-]{43,128}$`
// Authorization code pattern (base64url)
AuthCodePattern = `^[A-Za-z0-9._~+/-]+=*$`
// Redirect URI validation (must be absolute HTTP/HTTPS URL)
RedirectURIPattern = `^https?://[^\s/$.?#].[^\s]*$`
// User-Agent pattern for bot detection
BotUserAgentPattern = `(?i)(bot|crawler|spider|scraper|curl|wget|python|java|go-http)`
// IP address pattern (IPv4)
IPv4Pattern = `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$`
// Tenant ID pattern (UUID format for Azure, etc.)
TenantIDPattern = `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`
)
// Precompiled common patterns for immediate use
var (
EmailRegex *regexp.Regexp
DomainRegex *regexp.Regexp
URLRegex *regexp.Regexp
JWTRegex *regexp.Regexp
BearerTokenRegex *regexp.Regexp
ClientIDRegex *regexp.Regexp
ScopeRegex *regexp.Regexp
SessionIDRegex *regexp.Regexp
CSRFTokenRegex *regexp.Regexp
NonceRegex *regexp.Regexp
CodeVerifierRegex *regexp.Regexp
AuthCodeRegex *regexp.Regexp
RedirectURIRegex *regexp.Regexp
BotUserAgentRegex *regexp.Regexp
IPv4Regex *regexp.Regexp
TenantIDRegex *regexp.Regexp
)
// Initialize precompiled patterns
func init() {
commonPatterns := []string{
EmailPattern,
DomainPattern,
URLPattern,
JWTPattern,
BearerTokenPattern,
ClientIDPattern,
ScopePattern,
SessionIDPattern,
CSRFTokenPattern,
NoncePattern,
CodeVerifierPattern,
AuthCodePattern,
RedirectURIPattern,
BotUserAgentPattern,
IPv4Pattern,
TenantIDPattern,
}
if err := globalCache.Precompile(commonPatterns); err != nil {
panic("Failed to precompile common regex patterns: " + err.Error())
}
// Assign precompiled patterns to global variables for easy access
EmailRegex = globalCache.MustGet(EmailPattern)
DomainRegex = globalCache.MustGet(DomainPattern)
URLRegex = globalCache.MustGet(URLPattern)
JWTRegex = globalCache.MustGet(JWTPattern)
BearerTokenRegex = globalCache.MustGet(BearerTokenPattern)
ClientIDRegex = globalCache.MustGet(ClientIDPattern)
ScopeRegex = globalCache.MustGet(ScopePattern)
SessionIDRegex = globalCache.MustGet(SessionIDPattern)
CSRFTokenRegex = globalCache.MustGet(CSRFTokenPattern)
NonceRegex = globalCache.MustGet(NoncePattern)
CodeVerifierRegex = globalCache.MustGet(CodeVerifierPattern)
AuthCodeRegex = globalCache.MustGet(AuthCodePattern)
RedirectURIRegex = globalCache.MustGet(RedirectURIPattern)
BotUserAgentRegex = globalCache.MustGet(BotUserAgentPattern)
IPv4Regex = globalCache.MustGet(IPv4Pattern)
TenantIDRegex = globalCache.MustGet(TenantIDPattern)
}
// Global helper functions for common validations
// ValidateEmail checks if an email address is valid
func ValidateEmail(email string) bool {
return EmailRegex.MatchString(email)
}
// ValidateDomain checks if a domain name is valid
func ValidateDomain(domain string) bool {
return DomainRegex.MatchString(domain)
}
// ValidateURL checks if a URL is valid (http/https)
func ValidateURL(url string) bool {
return URLRegex.MatchString(url)
}
// ValidateJWT checks if a token has valid JWT format
func ValidateJWT(token string) bool {
return JWTRegex.MatchString(token)
}
// ExtractBearerToken extracts the token from a Bearer authorization header
func ExtractBearerToken(authHeader string) (string, bool) {
matches := BearerTokenRegex.FindStringSubmatch(authHeader)
if len(matches) == 2 {
return matches[1], true
}
return "", false
}
// ValidateClientID checks if a client ID has valid format
func ValidateClientID(clientID string) bool {
return ClientIDRegex.MatchString(clientID)
}
// ValidateScopes checks if scopes string has valid format
func ValidateScopes(scopes string) bool {
return ScopeRegex.MatchString(scopes)
}
// ValidateSessionID checks if a session ID has valid format
func ValidateSessionID(sessionID string) bool {
return SessionIDRegex.MatchString(sessionID)
}
// ValidateCSRFToken checks if a CSRF token has valid format
func ValidateCSRFToken(token string) bool {
return CSRFTokenRegex.MatchString(token)
}
// ValidateNonce checks if a nonce has valid format
func ValidateNonce(nonce string) bool {
return NonceRegex.MatchString(nonce)
}
// ValidateCodeVerifier checks if a PKCE code verifier has valid format
func ValidateCodeVerifier(verifier string) bool {
return CodeVerifierRegex.MatchString(verifier)
}
// ValidateAuthCode checks if an authorization code has valid format
func ValidateAuthCode(code string) bool {
return AuthCodeRegex.MatchString(code)
}
// ValidateRedirectURI checks if a redirect URI is valid
func ValidateRedirectURI(uri string) bool {
return RedirectURIRegex.MatchString(uri)
}
// IsBotUserAgent checks if a User-Agent suggests an automated client
func IsBotUserAgent(userAgent string) bool {
return BotUserAgentRegex.MatchString(userAgent)
}
// ValidateIPv4 checks if an IP address is valid IPv4
func ValidateIPv4(ip string) bool {
return IPv4Regex.MatchString(ip)
}
// ValidateTenantID checks if a tenant ID has valid UUID format
func ValidateTenantID(tenantID string) bool {
return TenantIDRegex.MatchString(tenantID)
}
// GetGlobalCache returns the global regex cache instance
func GetGlobalCache() *RegexCache {
return globalCache
}
// CompilePattern compiles a pattern using the global cache
func CompilePattern(pattern string) (*regexp.Regexp, error) {
return globalCache.Get(pattern)
}
// MustCompilePattern compiles a pattern using the global cache, panicking on error
func MustCompilePattern(pattern string) *regexp.Regexp {
return globalCache.MustGet(pattern)
}
internal/patterns/regex_cache_test.go
+484
View File
@@ -0,0 +1,484 @@
package patterns
import (
"regexp"
"sync"
"testing"
)
func TestRegexCache_Get(t *testing.T) {
cache := NewRegexCache()
pattern := `^test\d+$`
// First call should compile and cache
regex1, err := cache.Get(pattern)
if err != nil {
t.Fatalf("Failed to get regex: %v", err)
}
// Second call should return cached version
regex2, err := cache.Get(pattern)
if err != nil {
t.Fatalf("Failed to get cached regex: %v", err)
}
// Should be the same instance
if regex1 != regex2 {
t.Error("Expected same regex instance from cache")
}
// Test the regex works
if !regex1.MatchString("test123") {
t.Error("Regex should match 'test123'")
}
if regex1.MatchString("test") {
t.Error("Regex should not match 'test'")
}
}
func TestRegexCache_ConcurrentAccess(t *testing.T) {
cache := NewRegexCache()
pattern := `^concurrent\d+$`
var wg sync.WaitGroup
results := make([]*regexp.Regexp, 10)
errors := make([]error, 10)
// Launch multiple goroutines to access the same pattern
for i := 0; i < 10; i++ {
wg.Add(1)
go func(index int) {
defer wg.Done()
regex, err := cache.Get(pattern)
results[index] = regex
errors[index] = err
}(i)
}
wg.Wait()
// Check all succeeded
for i, err := range errors {
if err != nil {
t.Fatalf("Goroutine %d failed: %v", i, err)
}
}
// All should return the same instance
first := results[0]
for i, regex := range results[1:] {
if regex != first {
t.Errorf("Goroutine %d got different regex instance", i+1)
}
}
}
func TestRegexCache_InvalidPattern(t *testing.T) {
cache := NewRegexCache()
_, err := cache.Get(`[invalid`)
if err == nil {
t.Error("Expected error for invalid regex pattern")
}
}
func TestRegexCache_Precompile(t *testing.T) {
cache := NewRegexCache()
patterns := []string{
`^test1$`,
`^test2$`,
`^test3$`,
}
err := cache.Precompile(patterns)
if err != nil {
t.Fatalf("Failed to precompile patterns: %v", err)
}
if cache.Size() != 3 {
t.Errorf("Expected cache size 3, got %d", cache.Size())
}
// Should be able to get precompiled patterns without error
for _, pattern := range patterns {
_, err := cache.Get(pattern)
if err != nil {
t.Errorf("Failed to get precompiled pattern %s: %v", pattern, err)
}
}
}
func TestValidationFunctions(t *testing.T) {
tests := []struct {
name string
function func(string) bool
valid []string
invalid []string
}{
{
name: "ValidateEmail",
function: ValidateEmail,
valid: []string{"test@example.com", "user.name@domain.org", "admin+tag@company.co.uk"},
invalid: []string{"invalid-email", "@domain.com", "user@", ""},
},
{
name: "ValidateDomain",
function: ValidateDomain,
valid: []string{"example.com", "sub.domain.org", "test.co.uk"},
invalid: []string{"", "invalid..domain", ".example.com", "domain."},
},
{
name: "ValidateJWT",
function: ValidateJWT,
valid: []string{"eyJ0.eyJ1.sig", "a.b.c"},
invalid: []string{"invalid", "a.b", "a.b.c.d", ""},
},
{
name: "ValidateClientID",
function: ValidateClientID,
valid: []string{"client123", "my-client_id", "123.456"},
invalid: []string{"", "client with spaces", "client@invalid"},
},
{
name: "ValidateURL",
function: ValidateURL,
valid: []string{"https://example.com", "https://sub.domain.org/path", "http://localhost", "https://example.com/path?query=value", "http://192.168.1.1"},
invalid: []string{"", "ftp://example.com", "not-a-url", "https://", "example.com", "http://localhost:8080"},
},
{
name: "ValidateScopes",
function: ValidateScopes,
valid: []string{"openid", "openid profile", "read write admin", "user_info"},
invalid: []string{"", "scope-with-dash", "scope@invalid", "scope with.dot", " "},
},
{
name: "ValidateSessionID",
function: ValidateSessionID,
valid: []string{"a1b2c3d4e5f6789012345678901234567890abcdef", "ABCDEF1234567890abcdef1234567890", "0123456789abcdef0123456789abcdef"},
invalid: []string{"", "too-short", "contains-invalid-chars!", "g123456789abcdef0123456789abcdef", "1234567890abcdef1234567890abcde"},
},
{
name: "ValidateCSRFToken",
function: ValidateCSRFToken,
valid: []string{"abc123", "ABC_123-xyz", "token-value_123", "_valid-token_"},
invalid: []string{"", "token with spaces", "token@invalid", "token.with.dots!", "token/with/slash"},
},
{
name: "ValidateNonce",
function: ValidateNonce,
valid: []string{"abc123", "ABC_123-xyz", "nonce-value_123", "_valid-nonce_"},
invalid: []string{"", "nonce with spaces", "nonce@invalid", "nonce.with.dots!", "nonce/with/slash"},
},
{
name: "ValidateCodeVerifier",
function: ValidateCodeVerifier,
valid: []string{"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"},
invalid: []string{"", "too-short", "short", "verifier with spaces", "verifier@invalid", "a"},
},
{
name: "ValidateAuthCode",
function: ValidateAuthCode,
valid: []string{"auth_code_123", "ABC.123-xyz/code+value=", "simple-code"},
invalid: []string{"", "code with spaces", "code@invalid"},
},
{
name: "ValidateRedirectURI",
function: ValidateRedirectURI,
valid: []string{"https://example.com/callback", "http://localhost:8080/auth", "https://app.example.org/oauth/callback", "http://127.0.0.1:3000"},
invalid: []string{"", "ftp://example.com", "not-a-url", "example.com/callback", "https://"},
},
{
name: "ValidateIPv4",
function: ValidateIPv4,
valid: []string{"192.168.1.1", "10.0.0.1", "127.0.0.1", "255.255.255.255", "0.0.0.0"},
invalid: []string{"", "256.1.1.1", "192.168.1", "192.168.1.1.1", "not-an-ip"},
},
{
name: "ValidateTenantID",
function: ValidateTenantID,
valid: []string{"12345678-1234-1234-1234-123456789abc", "ABCDEF12-3456-7890-ABCD-EF1234567890"},
invalid: []string{"", "not-a-uuid", "12345678-1234-1234-1234", "12345678-1234-1234-1234-123456789abcd", "123456781234123412341234567890ab"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
for _, valid := range tt.valid {
if !tt.function(valid) {
t.Errorf("%s should be valid: %s", tt.name, valid)
}
}
for _, invalid := range tt.invalid {
if tt.function(invalid) {
t.Errorf("%s should be invalid: %s", tt.name, invalid)
}
}
})
}
}
func TestExtractBearerToken(t *testing.T) {
tests := []struct {
header string
expected string
valid bool
}{
{"Bearer abc123", "abc123", true},
{"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9", true},
{"bearer token123", "", false}, // case sensitive
{"Basic abc123", "", false},
{"Bearer", "", false},
{"", "", false},
}
for _, tt := range tests {
token, valid := ExtractBearerToken(tt.header)
if valid != tt.valid {
t.Errorf("ExtractBearerToken(%q) valid = %v, want %v", tt.header, valid, tt.valid)
}
if token != tt.expected {
t.Errorf("ExtractBearerToken(%q) token = %q, want %q", tt.header, token, tt.expected)
}
}
}
func BenchmarkRegexCache_Get(b *testing.B) {
cache := NewRegexCache()
pattern := `^benchmark\d+$`
b.ResetTimer()
b.RunParallel(func(pb *testing.PB) {
for pb.Next() {
_, err := cache.Get(pattern)
if err != nil {
b.Fatal(err)
}
}
})
}
func BenchmarkRegexCache_Validation(b *testing.B) {
email := "test@example.com"
b.ResetTimer()
b.RunParallel(func(pb *testing.PB) {
for pb.Next() {
ValidateEmail(email)
}
})
}
func BenchmarkRegex_DirectCompile(b *testing.B) {
pattern := `^benchmark\d+$`
b.ResetTimer()
for i := 0; i < b.N; i++ {
_, err := regexp.Compile(pattern)
if err != nil {
b.Fatal(err)
}
}
}
func TestRegexCache_Clear(t *testing.T) {
cache := NewRegexCache()
// Add some patterns to the cache
patterns := []string{`^test1$`, `^test2$`, `^test3$`}
for _, pattern := range patterns {
_, err := cache.Get(pattern)
if err != nil {
t.Fatalf("Failed to add pattern %s: %v", pattern, err)
}
}
// Verify cache has patterns
if cache.Size() != 3 {
t.Errorf("Expected cache size 3, got %d", cache.Size())
}
// Clear the cache
cache.Clear()
// Verify cache is empty
if cache.Size() != 0 {
t.Errorf("Expected cache size 0 after clear, got %d", cache.Size())
}
}
func TestIsBotUserAgent(t *testing.T) {
tests := []struct {
userAgent string
isBot bool
}{
{"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", true},
{"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", true},
{"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)", false},
{"crawler-bot/1.0", true},
{"spider-agent/2.0", true},
{"curl/7.68.0", true},
{"wget/1.20.3", true},
{"python-requests/2.25.1", true},
{"Go-http-client/1.1", true},
{"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", false},
{"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36", false},
{"", false},
}
for _, tt := range tests {
t.Run(tt.userAgent, func(t *testing.T) {
result := IsBotUserAgent(tt.userAgent)
if result != tt.isBot {
t.Errorf("IsBotUserAgent(%q) = %v, want %v", tt.userAgent, result, tt.isBot)
}
})
}
}
func TestGetGlobalCache(t *testing.T) {
cache := GetGlobalCache()
if cache == nil {
t.Error("GetGlobalCache() should not return nil")
}
// Should return the same instance
cache2 := GetGlobalCache()
if cache != cache2 {
t.Error("GetGlobalCache() should return the same instance")
}
// Should have precompiled patterns
if cache.Size() == 0 {
t.Error("Global cache should have precompiled patterns")
}
}
func TestCompilePattern(t *testing.T) {
pattern := `^test_compile\d+$`
regex, err := CompilePattern(pattern)
if err != nil {
t.Fatalf("CompilePattern failed: %v", err)
}
if !regex.MatchString("test_compile123") {
t.Error("Compiled pattern should match 'test_compile123'")
}
if regex.MatchString("test_compile") {
t.Error("Compiled pattern should not match 'test_compile'")
}
// Test invalid pattern
_, err = CompilePattern(`[invalid`)
if err == nil {
t.Error("Expected error for invalid pattern")
}
}
func TestMustCompilePattern(t *testing.T) {
pattern := `^test_must_compile\d+$`
regex := MustCompilePattern(pattern)
if regex == nil {
t.Fatal("MustCompilePattern should not return nil")
}
if !regex.MatchString("test_must_compile456") {
t.Error("Compiled pattern should match 'test_must_compile456'")
}
// Test that it panics with invalid pattern
defer func() {
if r := recover(); r == nil {
t.Error("MustCompilePattern should panic with invalid pattern")
}
}()
MustCompilePattern(`[invalid`)
}
func TestAdditionalValidationEdgeCases(t *testing.T) {
// Test edge cases for ValidateURL
t.Run("ValidateURL_EdgeCases", func(t *testing.T) {
edgeCases := []struct {
url string
valid bool
}{
{"https://a.b", true},
{"http://localhost", true},
{"https://example.com/path?query=value#fragment", true},
{"http://192.168.0.1:8080/api", false},
{"https://", false},
{"http://", false},
{"https://example", true},
}
for _, tc := range edgeCases {
result := ValidateURL(tc.url)
if result != tc.valid {
t.Errorf("ValidateURL(%q) = %v, want %v", tc.url, result, tc.valid)
}
}
})
// Test edge cases for ValidateScopes
t.Run("ValidateScopes_EdgeCases", func(t *testing.T) {
edgeCases := []struct {
scopes string
valid bool
}{
{"a", true},
{"a b", true},
{"openid profile email", true},
{"user_profile", true},
{"read_all write_all", true},
{"scope-with-dash", false},
{"scope.with.dot", false},
{"scope@email", false},
{" scope", false},
{"scope ", false},
{"a b", true}, // pattern allows multiple spaces
}
for _, tc := range edgeCases {
result := ValidateScopes(tc.scopes)
if result != tc.valid {
t.Errorf("ValidateScopes(%q) = %v, want %v", tc.scopes, result, tc.valid)
}
}
})
// Test edge cases for ValidateSessionID
t.Run("ValidateSessionID_EdgeCases", func(t *testing.T) {
edgeCases := []struct {
sessionID string
valid bool
}{
{"12345678901234567890123456789012", true}, // 32 chars (min)
{"1234567890123456789012345678901", false}, // 31 chars (too short)
{string(make([]byte, 128)), false}, // 128 non-hex chars
{"abcdef1234567890ABCDEF1234567890" + string(make([]byte, 96)), false}, // 128+ chars with non-hex
}
// Generate valid 128-char hex string (max length)
validLongHex := ""
for i := 0; i < 128; i++ {
validLongHex += "a"
}
edgeCases = append(edgeCases, struct {
sessionID string
valid bool
}{validLongHex, true})
for _, tc := range edgeCases {
result := ValidateSessionID(tc.sessionID)
if result != tc.valid {
t.Errorf("ValidateSessionID(%q) = %v, want %v", tc.sessionID, result, tc.valid)
}
}
})
}
internal/pool/pool.go
+68
View File
@@ -6,6 +6,8 @@ package pool
import (
"bytes"
"compress/gzip"
"encoding/json"
"io"
"strings"
"sync"
"sync/atomic"
@@ -54,6 +56,10 @@ type PoolStats struct {
JWTPuts uint64
HTTPGets uint64
HTTPPuts uint64
JSONEncoderGets uint64
JSONEncoderPuts uint64
JSONDecoderGets uint64
JSONDecoderPuts uint64
OversizedRejects uint64
}
@@ -378,6 +384,40 @@ func (m *Manager) PutByteSlice(b []byte) {
}
}
// GetJSONEncoder returns a JSON encoder from the pool configured for the given writer
func (m *Manager) GetJSONEncoder(w io.Writer) *json.Encoder {
atomic.AddUint64(&m.stats.JSONEncoderGets, 1)
// Since json.Encoder doesn't support resetting, we create new ones each time
encoder := json.NewEncoder(w)
encoder.SetEscapeHTML(false) // Disable HTML escaping for performance
return encoder
}
// PutJSONEncoder returns a JSON encoder to the pool
func (m *Manager) PutJSONEncoder(encoder *json.Encoder) {
if encoder == nil {
return
}
atomic.AddUint64(&m.stats.JSONEncoderPuts, 1)
// JSON encoders can't be reset, so we don't pool them
}
// GetJSONDecoder returns a JSON decoder from the pool configured for the given reader
func (m *Manager) GetJSONDecoder(r io.Reader) *json.Decoder {
atomic.AddUint64(&m.stats.JSONDecoderGets, 1)
// Since json.Decoder doesn't support resetting, we create new ones each time
return json.NewDecoder(r)
}
// PutJSONDecoder returns a JSON decoder to the pool
func (m *Manager) PutJSONDecoder(decoder *json.Decoder) {
if decoder == nil {
return
}
atomic.AddUint64(&m.stats.JSONDecoderPuts, 1)
// JSON decoders can't be reset, so we don't pool them
}
// GetStats returns current pool statistics
func (m *Manager) GetStats() PoolStats {
return PoolStats{
@@ -391,6 +431,10 @@ func (m *Manager) GetStats() PoolStats {
JWTPuts: atomic.LoadUint64(&m.stats.JWTPuts),
HTTPGets: atomic.LoadUint64(&m.stats.HTTPGets),
HTTPPuts: atomic.LoadUint64(&m.stats.HTTPPuts),
JSONEncoderGets: atomic.LoadUint64(&m.stats.JSONEncoderGets),
JSONEncoderPuts: atomic.LoadUint64(&m.stats.JSONEncoderPuts),
JSONDecoderGets: atomic.LoadUint64(&m.stats.JSONDecoderGets),
JSONDecoderPuts: atomic.LoadUint64(&m.stats.JSONDecoderPuts),
OversizedRejects: atomic.LoadUint64(&m.stats.OversizedRejects),
}
}
@@ -407,6 +451,10 @@ func (m *Manager) ResetStats() {
atomic.StoreUint64(&m.stats.JWTPuts, 0)
atomic.StoreUint64(&m.stats.HTTPGets, 0)
atomic.StoreUint64(&m.stats.HTTPPuts, 0)
atomic.StoreUint64(&m.stats.JSONEncoderGets, 0)
atomic.StoreUint64(&m.stats.JSONEncoderPuts, 0)
atomic.StoreUint64(&m.stats.JSONDecoderGets, 0)
atomic.StoreUint64(&m.stats.JSONDecoderPuts, 0)
atomic.StoreUint64(&m.stats.OversizedRejects, 0)
}
@@ -471,3 +519,23 @@ func ByteSlice(size int) []byte {
func ReturnByteSlice(b []byte) {
Get().PutByteSlice(b)
}
// JSONEncoder returns a JSON encoder from the global pool
func JSONEncoder(w io.Writer) *json.Encoder {
return Get().GetJSONEncoder(w)
}
// ReturnJSONEncoder returns a JSON encoder to the global pool
func ReturnJSONEncoder(encoder *json.Encoder) {
Get().PutJSONEncoder(encoder)
}
// JSONDecoder returns a JSON decoder from the global pool
func JSONDecoder(r io.Reader) *json.Decoder {
return Get().GetJSONDecoder(r)
}
// ReturnJSONDecoder returns a JSON decoder to the global pool
func ReturnJSONDecoder(decoder *json.Decoder) {
Get().PutJSONDecoder(decoder)
}
internal/pool/utils.go
+70
View File
@@ -0,0 +1,70 @@
// Package pool provides centralized memory pool management utilities
package pool
import (
"strings"
)
// BuildSessionName efficiently builds session names using pooled string builders
func BuildSessionName(baseName string, index int) string {
sb := StringBuilder()
defer ReturnStringBuilder(sb)
sb.WriteString(baseName)
sb.WriteRune('_')
// Efficient int to string conversion
if index < 10 {
sb.WriteRune('0' + rune(index))
} else {
sb.WriteString(intToString(index))
}
return sb.String()
}
// BuildCacheKey efficiently builds cache keys using pooled string builders
func BuildCacheKey(parts ...string) string {
sb := StringBuilder()
defer ReturnStringBuilder(sb)
for i, part := range parts {
if i > 0 {
sb.WriteRune(':')
}
sb.WriteString(part)
}
return sb.String()
}
// FormatString efficiently formats a string using a pooled string builder
func FormatString(format func(*strings.Builder)) string {
sb := StringBuilder()
defer ReturnStringBuilder(sb)
format(sb)
return sb.String()
}
// intToString converts int to string without allocation (for small numbers)
func intToString(n int) string {
if n < 0 {
return "-" + intToString(-n)
}
if n < 10 {
return string(rune('0' + n))
}
if n < 100 {
return string(rune('0'+n/10)) + string(rune('0'+n%10))
}
// Fall back to standard conversion for larger numbers
buf := make([]byte, 0, 20)
for n > 0 {
buf = append(buf, byte('0'+n%10))
n /= 10
}
// Reverse the buffer
for i, j := 0, len(buf)-1; i < j; i, j = i+1, j-1 {
buf[i], buf[j] = buf[j], buf[i]
}
return string(buf)
}
internal/providers/auth0.go
+72
View File
@@ -0,0 +1,72 @@
package providers
import (
"net/url"
)
// Auth0Provider encapsulates Auth0-specific OIDC logic.
type Auth0Provider struct {
*BaseProvider
}
// NewAuth0Provider creates a new instance of the Auth0Provider.
func NewAuth0Provider() *Auth0Provider {
return &Auth0Provider{
BaseProvider: NewBaseProvider(),
}
}
// GetType returns the provider's type.
func (p *Auth0Provider) GetType() ProviderType {
return ProviderTypeAuth0
}
// GetCapabilities returns the specific capabilities of the Auth0 provider.
func (p *Auth0Provider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{
SupportsRefreshTokens: true,
RequiresOfflineAccessScope: true,
RequiresPromptConsent: false,
PreferredTokenValidation: "id", // Auth0 typically uses ID tokens
}
}
// BuildAuthParams configures Auth0-specific authentication parameters.
func (p *Auth0Provider) BuildAuthParams(baseParams url.Values, scopes []string) (*AuthParams, error) {
// Auth0 supports various response types and connection parameters
baseParams.Set("response_type", "code")
// Ensure offline_access scope is present for refresh tokens
hasOfflineAccess := false
for _, scope := range scopes {
if scope == "offline_access" {
hasOfflineAccess = true
break
}
}
if !hasOfflineAccess {
scopes = append(scopes, "offline_access")
}
// Ensure openid scope is present
hasOpenID := false
for _, scope := range scopes {
if scope == "openid" {
hasOpenID = true
break
}
}
if !hasOpenID {
scopes = append(scopes, "openid")
}
return &AuthParams{
URLValues: baseParams,
Scopes: deduplicateScopes(scopes),
}, nil
}
// Auth0 requires specific tenant configuration and connection handling.
func (p *Auth0Provider) ValidateConfig() error {
return p.BaseProvider.ValidateConfig()
}
internal/providers/auth0_test.go
+124
View File
@@ -0,0 +1,124 @@
package providers
import (
"net/url"
"testing"
)
// TestAuth0Provider_NewAuth0Provider tests the constructor
func TestAuth0Provider_NewAuth0Provider(t *testing.T) {
provider := NewAuth0Provider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestAuth0Provider_GetType tests provider type
func TestAuth0Provider_GetType(t *testing.T) {
provider := NewAuth0Provider()
if provider.GetType() != ProviderTypeAuth0 {
t.Errorf("Expected ProviderTypeAuth0, got %v", provider.GetType())
}
}
// TestAuth0Provider_GetCapabilities tests Auth0-specific capabilities
func TestAuth0Provider_GetCapabilities(t *testing.T) {
provider := NewAuth0Provider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true for Auth0")
}
if !capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be true for Auth0")
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false for Auth0")
}
if capabilities.PreferredTokenValidation != "id" {
t.Errorf("Expected PreferredTokenValidation 'id', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestAuth0Provider_BuildAuthParams tests Auth0-specific auth params
func TestAuth0Provider_BuildAuthParams(t *testing.T) {
provider := NewAuth0Provider()
baseParams := url.Values{}
baseParams.Set("client_id", "test_client")
tests := []struct {
name string
scopes []string
expectedScopes []string
}{
{
name: "Add offline_access and openid scopes",
scopes: []string{"profile", "email"},
expectedScopes: []string{"profile", "email", "offline_access", "openid"},
},
{
name: "Keep existing offline_access and openid",
scopes: []string{"openid", "profile", "offline_access", "email"},
expectedScopes: []string{"openid", "profile", "offline_access", "email"},
},
{
name: "Add both scopes when none provided",
scopes: []string{},
expectedScopes: []string{"offline_access", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Check that response_type is set
if authParams.URLValues.Get("response_type") != "code" {
t.Errorf("Expected response_type 'code', got '%s'", authParams.URLValues.Get("response_type"))
}
if len(authParams.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d. Expected: %v, Got: %v",
len(tt.expectedScopes), len(authParams.Scopes), tt.expectedScopes, authParams.Scopes)
return
}
// Check that all expected scopes are present
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
})
}
}
// TestAuth0Provider_ValidateConfig tests config validation
func TestAuth0Provider_ValidateConfig(t *testing.T) {
provider := NewAuth0Provider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("ValidateConfig failed: %v", err)
}
}
internal/providers/aws_cognito.go
+74
View File
@@ -0,0 +1,74 @@
package providers
import (
"net/url"
"strings"
)
// AWSCognitoProvider encapsulates AWS Cognito-specific OIDC logic.
type AWSCognitoProvider struct {
*BaseProvider
}
// NewAWSCognitoProvider creates a new instance of the AWSCognitoProvider.
func NewAWSCognitoProvider() *AWSCognitoProvider {
return &AWSCognitoProvider{
BaseProvider: NewBaseProvider(),
}
}
// GetType returns the provider's type.
func (p *AWSCognitoProvider) GetType() ProviderType {
return ProviderTypeAWSCognito
}
// GetCapabilities returns the specific capabilities of the AWS Cognito provider.
func (p *AWSCognitoProvider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{
SupportsRefreshTokens: true,
RequiresOfflineAccessScope: false, // Cognito doesn't use offline_access scope
RequiresPromptConsent: false,
PreferredTokenValidation: "id", // Cognito typically uses ID tokens
}
}
// BuildAuthParams configures AWS Cognito-specific authentication parameters.
func (p *AWSCognitoProvider) BuildAuthParams(baseParams url.Values, scopes []string) (*AuthParams, error) {
// AWS Cognito supports standard OIDC parameters
baseParams.Set("response_type", "code")
// Remove offline_access scope as Cognito doesn't use it (case-insensitive)
var filteredScopes []string
for _, scope := range scopes {
if strings.ToLower(scope) != "offline_access" {
filteredScopes = append(filteredScopes, scope)
}
}
// Ensure openid scope is present
hasOpenID := false
for _, scope := range filteredScopes {
if scope == "openid" {
hasOpenID = true
break
}
}
if !hasOpenID {
filteredScopes = append(filteredScopes, "openid")
}
// Default Cognito scopes if none specified
if len(filteredScopes) == 1 && filteredScopes[0] == "openid" {
filteredScopes = append(filteredScopes, "email", "profile")
}
return &AuthParams{
URLValues: baseParams,
Scopes: deduplicateScopes(filteredScopes),
}, nil
}
// AWS Cognito requires user pool and domain configuration.
func (p *AWSCognitoProvider) ValidateConfig() error {
return p.BaseProvider.ValidateConfig()
}
internal/providers/aws_cognito_test.go
+295
View File
@@ -0,0 +1,295 @@
package providers
import (
"net/url"
"testing"
)
// TestAWSCognitoProvider_NewAWSCognitoProvider tests the constructor
func TestAWSCognitoProvider_NewAWSCognitoProvider(t *testing.T) {
provider := NewAWSCognitoProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestAWSCognitoProvider_GetType tests provider type
func TestAWSCognitoProvider_GetType(t *testing.T) {
provider := NewAWSCognitoProvider()
if provider.GetType() != ProviderTypeAWSCognito {
t.Errorf("Expected ProviderTypeAWSCognito, got %v", provider.GetType())
}
}
// TestAWSCognitoProvider_GetCapabilities tests AWS Cognito-specific capabilities
func TestAWSCognitoProvider_GetCapabilities(t *testing.T) {
provider := NewAWSCognitoProvider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true for AWS Cognito")
}
if capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be false for AWS Cognito")
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false for AWS Cognito")
}
if capabilities.PreferredTokenValidation != "id" {
t.Errorf("Expected PreferredTokenValidation 'id', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestAWSCognitoProvider_BuildAuthParams tests AWS Cognito-specific auth params
func TestAWSCognitoProvider_BuildAuthParams(t *testing.T) {
provider := NewAWSCognitoProvider()
baseParams := url.Values{}
baseParams.Set("client_id", "test_client")
tests := []struct {
name string
scopes []string
expectedScopes []string
}{
{
name: "Remove offline_access scope and ensure openid",
scopes: []string{"email", "profile", "offline_access"},
expectedScopes: []string{"email", "profile", "openid"},
},
{
name: "Keep existing openid, remove offline_access",
scopes: []string{"openid", "email", "offline_access", "profile"},
expectedScopes: []string{"openid", "email", "profile"},
},
{
name: "Add default scopes when only openid",
scopes: []string{"openid"},
expectedScopes: []string{"openid", "email", "profile"},
},
{
name: "Add openid and defaults when empty",
scopes: []string{},
expectedScopes: []string{"openid", "email", "profile"},
},
{
name: "Cognito-specific scopes",
scopes: []string{"aws.cognito.signin.user.admin", "phone"},
expectedScopes: []string{"aws.cognito.signin.user.admin", "phone", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Check that response_type is set
if authParams.URLValues.Get("response_type") != "code" {
t.Errorf("Expected response_type 'code', got '%s'", authParams.URLValues.Get("response_type"))
}
if len(authParams.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d. Expected: %v, Got: %v",
len(tt.expectedScopes), len(authParams.Scopes), tt.expectedScopes, authParams.Scopes)
return
}
// Check that all expected scopes are present
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
// Ensure offline_access is NOT present
for _, actualScope := range authParams.Scopes {
if actualScope == "offline_access" {
t.Error("offline_access scope should be filtered out for AWS Cognito")
}
}
})
}
}
// TestAWSCognitoProvider_ValidateConfig tests config validation
func TestAWSCognitoProvider_ValidateConfig(t *testing.T) {
provider := NewAWSCognitoProvider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("ValidateConfig failed: %v", err)
}
}
// TestAWSCognitoProvider_InterfaceCompliance tests that AWS Cognito provider implements the OIDCProvider interface
func TestAWSCognitoProvider_InterfaceCompliance(t *testing.T) {
var _ OIDCProvider = NewAWSCognitoProvider()
}
// TestAWSCognitoProvider_BaseProviderInheritance tests that AWS Cognito provider inherits from BaseProvider correctly
func TestAWSCognitoProvider_BaseProviderInheritance(t *testing.T) {
provider := NewAWSCognitoProvider()
// Test that it has access to BaseProvider methods
if provider.BaseProvider == nil {
t.Error("Expected BaseProvider to be initialized")
}
// Test HandleTokenRefresh (inherited from BaseProvider)
err := provider.HandleTokenRefresh(&TokenResult{
IDToken: "test-id-token",
AccessToken: "test-access-token",
RefreshToken: "test-refresh-token",
})
if err != nil {
t.Errorf("HandleTokenRefresh failed: %v", err)
}
}
// TestAWSCognitoProvider_OfflineAccessFiltering tests that offline_access scope is always filtered out
func TestAWSCognitoProvider_OfflineAccessFiltering(t *testing.T) {
provider := NewAWSCognitoProvider()
baseParams := url.Values{}
tests := []struct {
name string
scopes []string
}{
{
name: "Single offline_access",
scopes: []string{"offline_access"},
},
{
name: "Multiple offline_access occurrences",
scopes: []string{"offline_access", "email", "offline_access", "profile"},
},
{
name: "Mixed case",
scopes: []string{"OFFLINE_ACCESS", "email"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Ensure offline_access is NOT present in any form
for _, actualScope := range authParams.Scopes {
if actualScope == "offline_access" || actualScope == "OFFLINE_ACCESS" {
t.Errorf("offline_access scope should be filtered out, but found: %s", actualScope)
}
}
})
}
}
// TestAWSCognitoProvider_CognitoSpecificScopes tests AWS Cognito-specific scopes
func TestAWSCognitoProvider_CognitoSpecificScopes(t *testing.T) {
provider := NewAWSCognitoProvider()
baseParams := url.Values{}
tests := []struct {
name string
scopes []string
checkFor []string
}{
{
name: "Cognito admin scope",
scopes: []string{"aws.cognito.signin.user.admin"},
checkFor: []string{"aws.cognito.signin.user.admin", "openid"},
},
{
name: "Phone scope",
scopes: []string{"phone"},
checkFor: []string{"phone", "openid"},
},
{
name: "Address scope",
scopes: []string{"address"},
checkFor: []string{"address", "openid"},
},
{
name: "Multiple Cognito scopes",
scopes: []string{"aws.cognito.signin.user.admin", "phone", "address"},
checkFor: []string{"aws.cognito.signin.user.admin", "phone", "address", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
for _, expectedScope := range tt.checkFor {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
})
}
}
// TestAWSCognitoProvider_DefaultScopeHandling tests default scope behavior
func TestAWSCognitoProvider_DefaultScopeHandling(t *testing.T) {
provider := NewAWSCognitoProvider()
baseParams := url.Values{}
// Test with only openid scope - should add defaults
authParams, err := provider.BuildAuthParams(baseParams, []string{"openid"})
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
expectedScopes := []string{"openid", "email", "profile"}
if len(authParams.Scopes) != len(expectedScopes) {
t.Errorf("Expected %d scopes, got %d", len(expectedScopes), len(authParams.Scopes))
return
}
for _, expectedScope := range expectedScopes {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected default scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
}
internal/providers/azure.go
+1 -1
View File
@@ -49,7 +49,7 @@ func (p *AzureProvider) BuildAuthParams(baseParams url.Values, scopes []string)
return &AuthParams{
URLValues: baseParams,
Scopes: scopes,
Scopes: deduplicateScopes(scopes),
}, nil
}
internal/providers/azure_test.go
+584
View File
@@ -0,0 +1,584 @@
package providers
import (
"errors"
"net/url"
"strings"
"testing"
"time"
)
// TestAzureProvider_NewAzureProvider tests the constructor
func TestAzureProvider_NewAzureProvider(t *testing.T) {
provider := NewAzureProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestAzureProvider_GetType tests provider type
func TestAzureProvider_GetType(t *testing.T) {
provider := NewAzureProvider()
if provider.GetType() != ProviderTypeAzure {
t.Errorf("Expected ProviderTypeAzure, got %v", provider.GetType())
}
}
// TestAzureProvider_GetCapabilities tests Azure-specific capabilities
func TestAzureProvider_GetCapabilities(t *testing.T) {
provider := NewAzureProvider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true")
}
if !capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be true for Azure")
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false for Azure")
}
if capabilities.PreferredTokenValidation != "access" {
t.Errorf("Expected PreferredTokenValidation 'access', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestAzureProvider_BuildAuthParams tests Azure-specific auth parameters
func TestAzureProvider_BuildAuthParams(t *testing.T) {
provider := NewAzureProvider()
tests := []struct {
name string
inputScopes []string
expectedScopes []string
shouldHaveResponseMode bool
shouldAddOfflineAccess bool
}{
{
name: "Basic scopes without offline_access",
inputScopes: []string{"openid", "profile", "email"},
expectedScopes: []string{"openid", "profile", "email", "offline_access"},
shouldHaveResponseMode: true,
shouldAddOfflineAccess: true,
},
{
name: "Scopes with offline_access already present",
inputScopes: []string{"openid", "profile", "offline_access", "email"},
expectedScopes: []string{"openid", "profile", "offline_access", "email"},
shouldHaveResponseMode: true,
shouldAddOfflineAccess: false,
},
{
name: "Only offline_access scope",
inputScopes: []string{"offline_access"},
expectedScopes: []string{"offline_access"},
shouldHaveResponseMode: true,
shouldAddOfflineAccess: false,
},
{
name: "Empty scopes (should add offline_access)",
inputScopes: []string{},
expectedScopes: []string{"offline_access"},
shouldHaveResponseMode: true,
shouldAddOfflineAccess: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
baseParams := make(url.Values)
baseParams.Set("client_id", "test-client")
result, err := provider.BuildAuthParams(baseParams, tt.inputScopes)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// Check Azure-specific parameters
if tt.shouldHaveResponseMode {
if result.URLValues.Get("response_mode") != "query" {
t.Errorf("Expected response_mode 'query', got '%s'", result.URLValues.Get("response_mode"))
}
}
// Check scopes
if len(result.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d", len(tt.expectedScopes), len(result.Scopes))
}
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range result.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in result", expectedScope)
}
}
// Verify offline_access is present
hasOfflineAccess := false
for _, scope := range result.Scopes {
if scope == "offline_access" {
hasOfflineAccess = true
break
}
}
if !hasOfflineAccess {
t.Error("Azure provider should always include offline_access scope")
}
// Verify original base parameters are preserved
if result.URLValues.Get("client_id") != "test-client" {
t.Errorf("Expected client_id 'test-client', got '%s'", result.URLValues.Get("client_id"))
}
})
}
}
// TestAzureProvider_ValidateTokens tests Azure-specific token validation logic
func TestAzureProvider_ValidateTokens(t *testing.T) {
provider := NewAzureProvider()
tests := []struct {
name string
session *mockSession
verifierError error
cacheData map[string]interface{}
expectedResult ValidationResult
}{
{
name: "Unauthenticated with refresh token",
session: &mockSession{
authenticated: false,
refreshToken: "refresh-token",
},
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Unauthenticated without refresh token",
session: &mockSession{
authenticated: false,
},
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: true,
},
},
{
name: "JWT access token valid",
session: &mockSession{
authenticated: true,
accessToken: "valid.jwt.token",
refreshToken: "refresh-token",
},
verifierError: nil,
cacheData: map[string]interface{}{
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "JWT access token invalid, valid ID token",
session: &mockSession{
authenticated: true,
accessToken: "invalid.jwt.token",
idToken: "valid.id.token",
refreshToken: "refresh-token",
},
verifierError: errors.New("invalid token"),
cacheData: map[string]interface{}{
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "Opaque access token with valid ID token",
session: &mockSession{
authenticated: true,
accessToken: "opaque-token-no-dots",
idToken: "valid.id.token",
refreshToken: "refresh-token",
},
cacheData: map[string]interface{}{
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "Opaque access token without ID token",
session: &mockSession{
authenticated: true,
accessToken: "opaque-token-no-dots",
refreshToken: "refresh-token",
},
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "No access token, valid ID token",
session: &mockSession{
authenticated: true,
idToken: "valid.id.token",
refreshToken: "refresh-token",
},
verifierError: nil,
cacheData: map[string]interface{}{
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "No access token, invalid ID token, with refresh token",
session: &mockSession{
authenticated: true,
idToken: "invalid.id.token",
refreshToken: "refresh-token",
},
verifierError: errors.New("invalid token"),
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "No tokens, with refresh token",
session: &mockSession{
authenticated: true,
refreshToken: "refresh-token",
},
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "No tokens, no refresh token",
session: &mockSession{
authenticated: true,
},
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
verifier := &mockTokenVerifier{error: tt.verifierError}
cache := &mockTokenCache{claims: make(map[string]map[string]interface{})}
// Set up cache data
if tt.cacheData != nil {
if tt.session.accessToken != "" && strings.Count(tt.session.accessToken, ".") == 2 {
cache.claims[tt.session.accessToken] = tt.cacheData
}
if tt.session.idToken != "" {
cache.claims[tt.session.idToken] = tt.cacheData
}
}
result, err := provider.ValidateTokens(tt.session, verifier, cache, time.Minute)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// TestAzureProvider_ValidateConfig tests configuration validation
func TestAzureProvider_ValidateConfig(t *testing.T) {
provider := NewAzureProvider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("Expected no error, got %v", err)
}
}
// TestAzureProvider_InterfaceCompliance tests that Azure provider implements OIDCProvider
func TestAzureProvider_InterfaceCompliance(t *testing.T) {
provider := NewAzureProvider()
// Verify it implements the OIDCProvider interface
var _ OIDCProvider = provider
}
// TestAzureProvider_OfflineAccessHandling tests comprehensive offline_access handling
func TestAzureProvider_OfflineAccessHandling(t *testing.T) {
provider := NewAzureProvider()
tests := []struct {
name string
inputScopes []string
expectedCount int // Expected number of offline_access scopes (should be 1)
description string
}{
{
name: "No offline_access - should add one",
inputScopes: []string{"openid", "profile", "email"},
expectedCount: 1,
description: "Should add offline_access when not present",
},
{
name: "One offline_access - should preserve",
inputScopes: []string{"openid", "offline_access", "profile"},
expectedCount: 1,
description: "Should preserve existing offline_access",
},
{
name: "Multiple offline_access - should deduplicate",
inputScopes: []string{"openid", "offline_access", "profile", "offline_access"},
expectedCount: 1,
description: "Should deduplicate multiple offline_access scopes",
},
{
name: "Only offline_access",
inputScopes: []string{"offline_access"},
expectedCount: 1,
description: "Should preserve when only offline_access is present",
},
{
name: "Empty scopes - should add offline_access",
inputScopes: []string{},
expectedCount: 1,
description: "Should add offline_access when no scopes provided",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
baseParams := make(url.Values)
result, err := provider.BuildAuthParams(baseParams, tt.inputScopes)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// Count offline_access occurrences in result
offlineAccessCount := 0
for _, scope := range result.Scopes {
if scope == "offline_access" {
offlineAccessCount++
}
}
if offlineAccessCount != tt.expectedCount {
t.Errorf("Expected %d offline_access scopes in result, got %d", tt.expectedCount, offlineAccessCount)
}
// Ensure at least one offline_access is always present
if offlineAccessCount == 0 {
t.Error("Azure provider should always have at least one offline_access scope")
}
// Verify other scopes are preserved (except for the empty case)
if len(tt.inputScopes) > 0 {
for _, originalScope := range tt.inputScopes {
found := false
for _, resultScope := range result.Scopes {
if resultScope == originalScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' to be preserved", originalScope)
}
}
}
})
}
}
// TestAzureProvider_TokenValidationPriority tests access token vs ID token priority
func TestAzureProvider_TokenValidationPriority(t *testing.T) {
provider := NewAzureProvider()
// Test that Azure prefers access tokens over ID tokens when both are JWT
session := &mockSession{
authenticated: true,
accessToken: "valid.access.token",
idToken: "valid.id.token",
refreshToken: "refresh-token",
}
verifier := &mockTokenVerifier{} // Valid tokens
cache := &mockTokenCache{
claims: map[string]map[string]interface{}{
"valid.access.token": {
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
"valid.id.token": {
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
},
}
result, err := provider.ValidateTokens(session, verifier, cache, time.Minute)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if !result.Authenticated {
t.Error("Should be authenticated with valid access token")
}
if result.NeedsRefresh {
t.Error("Should not need refresh with valid access token")
}
}
// TestAzureProvider_AuthParamsPreservation tests that base parameters are not overwritten
func TestAzureProvider_AuthParamsPreservation(t *testing.T) {
provider := NewAzureProvider()
baseParams := make(url.Values)
baseParams.Set("client_id", "test-client")
baseParams.Set("redirect_uri", "https://example.com/callback")
baseParams.Set("response_type", "code")
baseParams.Set("state", "test-state")
baseParams.Set("nonce", "test-nonce")
scopes := []string{"openid", "profile"}
result, err := provider.BuildAuthParams(baseParams, scopes)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// Verify all original parameters are preserved
expectedParams := map[string]string{
"client_id": "test-client",
"redirect_uri": "https://example.com/callback",
"response_type": "code",
"state": "test-state",
"nonce": "test-nonce",
"response_mode": "query", // Added by Azure provider
}
for key, expectedValue := range expectedParams {
actualValue := result.URLValues.Get(key)
if actualValue != expectedValue {
t.Errorf("Expected %s '%s', got '%s'", key, expectedValue, actualValue)
}
}
// Verify scopes (should include offline_access)
if len(result.Scopes) != 3 {
t.Errorf("Expected 3 scopes (including offline_access), got %d", len(result.Scopes))
}
expectedScopes := []string{"openid", "profile", "offline_access"}
for _, expectedScope := range expectedScopes {
found := false
for _, actualScope := range result.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found", expectedScope)
}
}
}
// Benchmark tests
func BenchmarkAzureProvider_BuildAuthParams(b *testing.B) {
provider := NewAzureProvider()
baseParams := make(url.Values)
baseParams.Set("client_id", "test-client")
scopes := []string{"openid", "profile", "email"}
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.BuildAuthParams(baseParams, scopes)
}
}
func BenchmarkAzureProvider_ValidateTokens(b *testing.B) {
provider := NewAzureProvider()
session := &mockSession{
authenticated: true,
accessToken: "valid.access.token",
idToken: "valid.id.token",
refreshToken: "refresh-token",
}
verifier := &mockTokenVerifier{}
cache := &mockTokenCache{
claims: map[string]map[string]interface{}{
"valid.access.token": {
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
},
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.ValidateTokens(session, verifier, cache, time.Minute)
}
}
internal/providers/base.go
+16 -1
View File
@@ -117,7 +117,7 @@ func (p *BaseProvider) BuildAuthParams(baseParams url.Values, scopes []string) (
return &AuthParams{
URLValues: baseParams,
Scopes: scopes,
Scopes: deduplicateScopes(scopes),
}, nil
}
@@ -127,6 +127,21 @@ func (p *BaseProvider) HandleTokenRefresh(tokenData *TokenResult) error {
return nil
}
// deduplicateScopes removes duplicate scopes from a slice while preserving order.
func deduplicateScopes(scopes []string) []string {
seen := make(map[string]bool)
result := make([]string, 0, len(scopes))
for _, scope := range scopes {
if !seen[scope] {
seen[scope] = true
result = append(result, scope)
}
}
return result
}
// ValidateConfig checks provider-specific configuration requirements.
// By default, it assumes the configuration is valid.
func (p *BaseProvider) ValidateConfig() error {
internal/providers/base_test.go
+652
View File
@@ -0,0 +1,652 @@
package providers
import (
"errors"
"testing"
"time"
)
// Mock implementations for testing
type mockSession struct {
authenticated bool
idToken string
accessToken string
refreshToken string
}
func (s *mockSession) GetIDToken() string { return s.idToken }
func (s *mockSession) GetAccessToken() string { return s.accessToken }
func (s *mockSession) GetRefreshToken() string { return s.refreshToken }
func (s *mockSession) GetAuthenticated() bool { return s.authenticated }
type mockTokenVerifier struct {
error error
}
func (v *mockTokenVerifier) VerifyToken(token string) error {
return v.error
}
type mockTokenCache struct {
claims map[string]map[string]interface{}
}
func (c *mockTokenCache) Get(key string) (map[string]interface{}, bool) {
claims, exists := c.claims[key]
return claims, exists
}
// TestBaseProvider_GetType tests the default provider type
func TestBaseProvider_GetType(t *testing.T) {
provider := NewBaseProvider()
if provider.GetType() != ProviderTypeGeneric {
t.Errorf("Expected ProviderTypeGeneric, got %v", provider.GetType())
}
}
// TestBaseProvider_GetCapabilities tests the default capabilities
func TestBaseProvider_GetCapabilities(t *testing.T) {
provider := NewBaseProvider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true")
}
if !capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be true")
}
if capabilities.PreferredTokenValidation != "id" {
t.Errorf("Expected PreferredTokenValidation 'id', got '%s'", capabilities.PreferredTokenValidation)
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false")
}
}
// TestBaseProvider_ValidateTokens_Unauthenticated tests validation when not authenticated
func TestBaseProvider_ValidateTokens_Unauthenticated(t *testing.T) {
provider := NewBaseProvider()
session := &mockSession{authenticated: false}
verifier := &mockTokenVerifier{}
cache := &mockTokenCache{}
tests := []struct {
name string
refreshToken string
expectedResult ValidationResult
}{
{
name: "No refresh token",
refreshToken: "",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "Has refresh token",
refreshToken: "refresh-token",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
session.refreshToken = tt.refreshToken
result, err := provider.ValidateTokens(session, verifier, cache, time.Minute)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// TestBaseProvider_ValidateTokens_AuthenticatedNoAccessToken tests authenticated session without access token
func TestBaseProvider_ValidateTokens_AuthenticatedNoAccessToken(t *testing.T) {
provider := NewBaseProvider()
session := &mockSession{
authenticated: true,
accessToken: "", // No access token
}
verifier := &mockTokenVerifier{}
cache := &mockTokenCache{}
tests := []struct {
name string
refreshToken string
expectedResult ValidationResult
}{
{
name: "No access token, no refresh token",
refreshToken: "",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: true,
},
},
{
name: "No access token, has refresh token",
refreshToken: "refresh-token",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
session.refreshToken = tt.refreshToken
result, err := provider.ValidateTokens(session, verifier, cache, time.Minute)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// TestBaseProvider_ValidateTokens_AuthenticatedNoIDToken tests authenticated session without ID token
func TestBaseProvider_ValidateTokens_AuthenticatedNoIDToken(t *testing.T) {
provider := NewBaseProvider()
session := &mockSession{
authenticated: true,
accessToken: "access-token",
idToken: "", // No ID token
}
verifier := &mockTokenVerifier{}
cache := &mockTokenCache{}
tests := []struct {
name string
refreshToken string
expectedResult ValidationResult
}{
{
name: "No ID token, no refresh token",
refreshToken: "",
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "No ID token, has refresh token",
refreshToken: "refresh-token",
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: true,
IsExpired: false,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
session.refreshToken = tt.refreshToken
result, err := provider.ValidateTokens(session, verifier, cache, time.Minute)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// TestBaseProvider_ValidateTokens_TokenVerificationFailure tests token verification failures
func TestBaseProvider_ValidateTokens_TokenVerificationFailure(t *testing.T) {
provider := NewBaseProvider()
session := &mockSession{
authenticated: true,
accessToken: "access-token",
idToken: "id-token",
}
cache := &mockTokenCache{}
tests := []struct {
name string
verifierError error
refreshToken string
expectedResult ValidationResult
}{
{
name: "Token expired, has refresh token",
verifierError: errors.New("token has expired"),
refreshToken: "refresh-token",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Token expired, no refresh token",
verifierError: errors.New("token has expired"),
refreshToken: "",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: true,
},
},
{
name: "Other verification error, has refresh token",
verifierError: errors.New("invalid signature"),
refreshToken: "refresh-token",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Other verification error, no refresh token",
verifierError: errors.New("invalid signature"),
refreshToken: "",
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
verifier := &mockTokenVerifier{error: tt.verifierError}
session.refreshToken = tt.refreshToken
result, err := provider.ValidateTokens(session, verifier, cache, time.Minute)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// TestBaseProvider_ValidateTokenExpiry tests token expiry validation logic
func TestBaseProvider_ValidateTokenExpiry(t *testing.T) {
provider := NewBaseProvider()
session := &mockSession{refreshToken: "refresh-token"}
now := time.Now()
gracePeriod := 5 * time.Minute
tests := []struct {
name string
claims map[string]interface{}
cacheFound bool
expectedResult ValidationResult
}{
{
name: "Token not found in cache, has refresh token",
claims: nil,
cacheFound: false,
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Claims without exp, has refresh token",
claims: map[string]interface{}{"sub": "user123"},
cacheFound: true,
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Token expired (beyond grace period), has refresh token",
claims: map[string]interface{}{
"exp": float64(now.Add(-10 * time.Minute).Unix()),
},
cacheFound: true,
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Token expires within grace period, has refresh token",
claims: map[string]interface{}{
"exp": float64(now.Add(2 * time.Minute).Unix()),
},
cacheFound: true,
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Token valid (beyond grace period)",
claims: map[string]interface{}{
"exp": float64(now.Add(10 * time.Minute).Unix()),
},
cacheFound: true,
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cache := &mockTokenCache{claims: make(map[string]map[string]interface{})}
if tt.cacheFound {
cache.claims["test-token"] = tt.claims
}
result, err := provider.ValidateTokenExpiry(session, "test-token", cache, gracePeriod)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// TestBaseProvider_ValidateTokenExpiry_NoRefreshToken tests expiry validation without refresh token
func TestBaseProvider_ValidateTokenExpiry_NoRefreshToken(t *testing.T) {
provider := NewBaseProvider()
session := &mockSession{refreshToken: ""} // No refresh token
now := time.Now()
gracePeriod := 5 * time.Minute
tests := []struct {
name string
claims map[string]interface{}
cacheFound bool
expectedResult ValidationResult
}{
{
name: "Token not found in cache, no refresh token",
claims: nil,
cacheFound: false,
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: true,
},
},
{
name: "Claims without exp, no refresh token",
claims: map[string]interface{}{"sub": "user123"},
cacheFound: true,
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: false,
IsExpired: true,
},
},
{
name: "Token expires within grace period, no refresh token",
claims: map[string]interface{}{
"exp": float64(now.Add(2 * time.Minute).Unix()),
},
cacheFound: true,
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cache := &mockTokenCache{claims: make(map[string]map[string]interface{})}
if tt.cacheFound {
cache.claims["test-token"] = tt.claims
}
result, err := provider.ValidateTokenExpiry(session, "test-token", cache, gracePeriod)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// TestBaseProvider_BuildAuthParams tests authorization parameter building
func TestBaseProvider_BuildAuthParams(t *testing.T) {
provider := NewBaseProvider()
tests := []struct {
name string
scopes []string
expectedScopes []string
}{
{
name: "No existing offline_access scope",
scopes: []string{"openid", "profile", "email"},
expectedScopes: []string{"openid", "profile", "email", "offline_access"},
},
{
name: "Existing offline_access scope",
scopes: []string{"openid", "profile", "offline_access", "email"},
expectedScopes: []string{"openid", "profile", "offline_access", "email"},
},
{
name: "Empty scopes",
scopes: []string{},
expectedScopes: []string{"offline_access"},
},
{
name: "Only offline_access",
scopes: []string{"offline_access"},
expectedScopes: []string{"offline_access"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
baseParams := make(map[string][]string)
baseParams["client_id"] = []string{"test-client"}
result, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if len(result.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d", len(tt.expectedScopes), len(result.Scopes))
}
// Check that all expected scopes are present
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range result.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in result", expectedScope)
}
}
// Verify base parameters are preserved
if result.URLValues.Get("client_id") != "test-client" {
t.Errorf("Expected client_id 'test-client', got '%s'", result.URLValues.Get("client_id"))
}
})
}
}
// TestBaseProvider_HandleTokenRefresh tests token refresh handling
func TestBaseProvider_HandleTokenRefresh(t *testing.T) {
provider := NewBaseProvider()
tokenData := &TokenResult{
IDToken: "new-id-token",
AccessToken: "new-access-token",
RefreshToken: "new-refresh-token",
}
// Base provider should do nothing and return no error
err := provider.HandleTokenRefresh(tokenData)
if err != nil {
t.Errorf("Expected no error, got %v", err)
}
}
// TestBaseProvider_ValidateConfig tests configuration validation
func TestBaseProvider_ValidateConfig(t *testing.T) {
provider := NewBaseProvider()
// Base provider should always return valid configuration
err := provider.ValidateConfig()
if err != nil {
t.Errorf("Expected no error, got %v", err)
}
}
// TestNewBaseProvider tests the constructor
func TestNewBaseProvider(t *testing.T) {
provider := NewBaseProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
// Verify it implements the OIDCProvider interface
var _ OIDCProvider = provider
}
// Benchmark tests
func BenchmarkBaseProvider_ValidateTokens(b *testing.B) {
provider := NewBaseProvider()
session := &mockSession{
authenticated: true,
idToken: "test-token",
accessToken: "access-token",
refreshToken: "refresh-token",
}
verifier := &mockTokenVerifier{}
cache := &mockTokenCache{
claims: map[string]map[string]interface{}{
"test-token": {
"exp": float64(time.Now().Add(10 * time.Minute).Unix()),
"sub": "user123",
},
},
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.ValidateTokens(session, verifier, cache, time.Minute)
}
}
func BenchmarkBaseProvider_BuildAuthParams(b *testing.B) {
provider := NewBaseProvider()
baseParams := make(map[string][]string)
baseParams["client_id"] = []string{"test-client"}
scopes := []string{"openid", "profile", "email"}
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.BuildAuthParams(baseParams, scopes)
}
}
internal/providers/factory.go
+39 -4
View File
@@ -18,6 +18,12 @@ func NewProviderFactory() *ProviderFactory {
registry.RegisterProvider(NewGenericProvider())
registry.RegisterProvider(NewGoogleProvider())
registry.RegisterProvider(NewAzureProvider())
registry.RegisterProvider(NewGitHubProvider())
registry.RegisterProvider(NewAuth0Provider())
registry.RegisterProvider(NewOktaProvider())
registry.RegisterProvider(NewKeycloakProvider())
registry.RegisterProvider(NewAWSCognitoProvider())
registry.RegisterProvider(NewGitLabProvider())
return &ProviderFactory{
registry: registry,
@@ -31,10 +37,16 @@ func (f *ProviderFactory) CreateProvider(issuerURL string) (OIDCProvider, error)
return nil, fmt.Errorf("issuer URL cannot be empty")
}
if _, err := url.Parse(issuerURL); err != nil {
parsedURL, err := url.Parse(issuerURL)
if err != nil {
return nil, fmt.Errorf("invalid issuer URL format: %w", err)
}
// Check if the URL has a valid scheme and host
if parsedURL.Scheme == "" || parsedURL.Host == "" {
return nil, fmt.Errorf("invalid issuer URL format: URL must have a valid scheme and host")
}
provider := f.registry.DetectProvider(issuerURL)
if provider == nil {
return nil, fmt.Errorf("unable to detect provider for issuer URL: %s", issuerURL)
@@ -59,6 +71,18 @@ func (f *ProviderFactory) CreateProviderByType(providerType ProviderType) (OIDCP
provider = NewGoogleProvider()
case ProviderTypeAzure:
provider = NewAzureProvider()
case ProviderTypeGitHub:
provider = NewGitHubProvider()
case ProviderTypeAuth0:
provider = NewAuth0Provider()
case ProviderTypeOkta:
provider = NewOktaProvider()
case ProviderTypeKeycloak:
provider = NewKeycloakProvider()
case ProviderTypeAWSCognito:
provider = NewAWSCognitoProvider()
case ProviderTypeGitLab:
provider = NewGitLabProvider()
default:
return nil, fmt.Errorf("unsupported provider type: %d", providerType)
}
@@ -73,9 +97,15 @@ func (f *ProviderFactory) CreateProviderByType(providerType ProviderType) (OIDCP
// GetSupportedProviders returns a list of all supported provider types and their detection patterns.
func (f *ProviderFactory) GetSupportedProviders() map[ProviderType][]string {
return map[ProviderType][]string{
ProviderTypeGeneric: {"*"},
ProviderTypeGoogle: {"accounts.google.com"},
ProviderTypeAzure: {"login.microsoftonline.com", "sts.windows.net"},
ProviderTypeGeneric: {"*"},
ProviderTypeGoogle: {"accounts.google.com"},
ProviderTypeAzure: {"login.microsoftonline.com", "sts.windows.net"},
ProviderTypeGitHub: {"github.com"},
ProviderTypeAuth0: {".auth0.com"},
ProviderTypeOkta: {".okta.com", ".oktapreview.com", ".okta-emea.com"},
ProviderTypeKeycloak: {"keycloak"},
ProviderTypeAWSCognito: {"cognito-idp", ".amazonaws.com"},
ProviderTypeGitLab: {"gitlab.com"},
}
}
@@ -100,6 +130,11 @@ func (f *ProviderFactory) IsProviderSupported(issuerURL string) bool {
return false
}
// Check if the URL has a valid scheme and host
if normalizedURL.Scheme == "" || normalizedURL.Host == "" {
return false
}
host := strings.ToLower(normalizedURL.Host)
supportedProviders := f.GetSupportedProviders()
internal/providers/factory_test.go
+624
View File
@@ -0,0 +1,624 @@
package providers
import (
"strings"
"testing"
)
// TestProviderFactory_NewProviderFactory tests the factory constructor
func TestProviderFactory_NewProviderFactory(t *testing.T) {
factory := NewProviderFactory()
if factory == nil {
t.Fatal("Expected factory to be created, got nil")
}
if factory.registry == nil {
t.Error("Expected registry to be initialized")
}
}
// TestProviderFactory_CreateProvider tests provider creation by issuer URL
func TestProviderFactory_CreateProvider(t *testing.T) {
factory := NewProviderFactory()
tests := []struct {
name string
issuerURL string
expectedType ProviderType
wantErr bool
errMsg string
}{
{
name: "Google provider",
issuerURL: "https://accounts.google.com",
expectedType: ProviderTypeGoogle,
wantErr: false,
},
{
name: "Google provider with path",
issuerURL: "https://accounts.google.com/oauth2",
expectedType: ProviderTypeGoogle,
wantErr: false,
},
{
name: "Azure provider - login.microsoftonline.com",
issuerURL: "https://login.microsoftonline.com/tenant-id/v2.0",
expectedType: ProviderTypeAzure,
wantErr: false,
},
{
name: "Azure provider - sts.windows.net",
issuerURL: "https://sts.windows.net/tenant-id",
expectedType: ProviderTypeAzure,
wantErr: false,
},
{
name: "GitHub provider",
issuerURL: "https://github.com/login/oauth",
expectedType: ProviderTypeGitHub,
wantErr: false,
},
{
name: "Auth0 provider",
issuerURL: "https://tenant.auth0.com",
expectedType: ProviderTypeAuth0,
wantErr: false,
},
{
name: "Okta provider",
issuerURL: "https://tenant.okta.com",
expectedType: ProviderTypeOkta,
wantErr: false,
},
{
name: "Okta preview provider",
issuerURL: "https://tenant.oktapreview.com",
expectedType: ProviderTypeOkta,
wantErr: false,
},
{
name: "Keycloak provider",
issuerURL: "https://auth.example.com/auth/realms/master",
expectedType: ProviderTypeKeycloak,
wantErr: false,
},
{
name: "AWS Cognito provider",
issuerURL: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
expectedType: ProviderTypeAWSCognito,
wantErr: false,
},
{
name: "GitLab provider",
issuerURL: "https://gitlab.com/oauth",
expectedType: ProviderTypeGitLab,
wantErr: false,
},
{
name: "Generic provider",
issuerURL: "https://auth.example.com",
expectedType: ProviderTypeGeneric,
wantErr: false,
},
{
name: "Empty issuer URL",
issuerURL: "",
wantErr: true,
errMsg: "issuer URL cannot be empty",
},
{
name: "Invalid URL format",
issuerURL: "not-a-url",
wantErr: true,
errMsg: "invalid issuer URL format",
},
{
name: "URL without scheme",
issuerURL: "example.com",
wantErr: true,
errMsg: "invalid issuer URL format",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
provider, err := factory.CreateProvider(tt.issuerURL)
if tt.wantErr {
if err == nil {
t.Error("Expected error but got none")
return
}
if !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("Expected error containing '%s', got '%s'", tt.errMsg, err.Error())
}
return
}
if err != nil {
t.Errorf("Unexpected error: %v", err)
return
}
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.GetType() != tt.expectedType {
t.Errorf("Expected provider type %v, got %v", tt.expectedType, provider.GetType())
}
})
}
}
// TestProviderFactory_CreateProviderByType tests provider creation by type
func TestProviderFactory_CreateProviderByType(t *testing.T) {
factory := NewProviderFactory()
tests := []struct {
name string
providerType ProviderType
expectedType ProviderType
wantErr bool
errMsg string
}{
{
name: "Generic provider",
providerType: ProviderTypeGeneric,
expectedType: ProviderTypeGeneric,
wantErr: false,
},
{
name: "Google provider",
providerType: ProviderTypeGoogle,
expectedType: ProviderTypeGoogle,
wantErr: false,
},
{
name: "Azure provider",
providerType: ProviderTypeAzure,
expectedType: ProviderTypeAzure,
wantErr: false,
},
{
name: "GitHub provider",
providerType: ProviderTypeGitHub,
expectedType: ProviderTypeGitHub,
wantErr: false,
},
{
name: "Auth0 provider",
providerType: ProviderTypeAuth0,
expectedType: ProviderTypeAuth0,
wantErr: false,
},
{
name: "Okta provider",
providerType: ProviderTypeOkta,
expectedType: ProviderTypeOkta,
wantErr: false,
},
{
name: "Keycloak provider",
providerType: ProviderTypeKeycloak,
expectedType: ProviderTypeKeycloak,
wantErr: false,
},
{
name: "AWS Cognito provider",
providerType: ProviderTypeAWSCognito,
expectedType: ProviderTypeAWSCognito,
wantErr: false,
},
{
name: "GitLab provider",
providerType: ProviderTypeGitLab,
expectedType: ProviderTypeGitLab,
wantErr: false,
},
{
name: "Invalid provider type",
providerType: ProviderType(999),
wantErr: true,
errMsg: "unsupported provider type",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
provider, err := factory.CreateProviderByType(tt.providerType)
if tt.wantErr {
if err == nil {
t.Error("Expected error but got none")
return
}
if !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("Expected error containing '%s', got '%s'", tt.errMsg, err.Error())
}
return
}
if err != nil {
t.Errorf("Unexpected error: %v", err)
return
}
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.GetType() != tt.expectedType {
t.Errorf("Expected provider type %v, got %v", tt.expectedType, provider.GetType())
}
})
}
}
// TestProviderFactory_GetSupportedProviders tests listing supported providers
func TestProviderFactory_GetSupportedProviders(t *testing.T) {
factory := NewProviderFactory()
supported := factory.GetSupportedProviders()
// Verify expected provider types are present
expectedTypes := []ProviderType{
ProviderTypeGeneric,
ProviderTypeGoogle,
ProviderTypeAzure,
}
for _, expectedType := range expectedTypes {
if _, exists := supported[expectedType]; !exists {
t.Errorf("Expected provider type %v to be supported", expectedType)
}
}
// Verify Google patterns
googlePatterns := supported[ProviderTypeGoogle]
if len(googlePatterns) != 1 || googlePatterns[0] != "accounts.google.com" {
t.Errorf("Expected Google patterns ['accounts.google.com'], got %v", googlePatterns)
}
// Verify Azure patterns
azurePatterns := supported[ProviderTypeAzure]
expectedAzurePatterns := []string{"login.microsoftonline.com", "sts.windows.net"}
if len(azurePatterns) != len(expectedAzurePatterns) {
t.Errorf("Expected %d Azure patterns, got %d", len(expectedAzurePatterns), len(azurePatterns))
}
for _, expectedPattern := range expectedAzurePatterns {
found := false
for _, pattern := range azurePatterns {
if pattern == expectedPattern {
found = true
break
}
}
if !found {
t.Errorf("Expected Azure pattern '%s' not found", expectedPattern)
}
}
// Verify Generic patterns
genericPatterns := supported[ProviderTypeGeneric]
if len(genericPatterns) != 1 || genericPatterns[0] != "*" {
t.Errorf("Expected Generic patterns ['*'], got %v", genericPatterns)
}
}
// TestProviderFactory_DetectProviderType tests provider type detection
func TestProviderFactory_DetectProviderType(t *testing.T) {
factory := NewProviderFactory()
tests := []struct {
name string
issuerURL string
expectedType ProviderType
wantErr bool
}{
{
name: "Google provider detection",
issuerURL: "https://accounts.google.com",
expectedType: ProviderTypeGoogle,
wantErr: false,
},
{
name: "Azure provider detection",
issuerURL: "https://login.microsoftonline.com/tenant/v2.0",
expectedType: ProviderTypeAzure,
wantErr: false,
},
{
name: "Generic provider detection",
issuerURL: "https://auth.example.com",
expectedType: ProviderTypeGeneric,
wantErr: false,
},
{
name: "Invalid URL",
issuerURL: "not-a-url",
wantErr: true,
},
{
name: "Empty URL",
issuerURL: "",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
providerType, err := factory.DetectProviderType(tt.issuerURL)
if tt.wantErr {
if err == nil {
t.Error("Expected error but got none")
}
return
}
if err != nil {
t.Errorf("Unexpected error: %v", err)
return
}
if providerType != tt.expectedType {
t.Errorf("Expected provider type %v, got %v", tt.expectedType, providerType)
}
})
}
}
// TestProviderFactory_IsProviderSupported tests provider support checking
func TestProviderFactory_IsProviderSupported(t *testing.T) {
factory := NewProviderFactory()
tests := []struct {
name string
issuerURL string
expected bool
}{
{
name: "Google provider supported",
issuerURL: "https://accounts.google.com",
expected: true,
},
{
name: "Google provider with subdomain supported",
issuerURL: "https://accounts.google.com/oauth2",
expected: true,
},
{
name: "Azure login.microsoftonline.com supported",
issuerURL: "https://login.microsoftonline.com/tenant/v2.0",
expected: true,
},
{
name: "Azure sts.windows.net supported",
issuerURL: "https://sts.windows.net/tenant",
expected: true,
},
{
name: "Generic provider supported (wildcard)",
issuerURL: "https://auth.example.com",
expected: true,
},
{
name: "Any valid URL supported (wildcard)",
issuerURL: "https://custom-auth.company.org",
expected: true,
},
{
name: "Empty URL not supported",
issuerURL: "",
expected: false,
},
{
name: "Invalid URL format not supported",
issuerURL: "not-a-url",
expected: false,
},
{
name: "URL without scheme not supported",
issuerURL: "example.com",
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := factory.IsProviderSupported(tt.issuerURL)
if result != tt.expected {
t.Errorf("Expected %v, got %v", tt.expected, result)
}
})
}
}
// TestProviderFactory_IntegrationTest tests the full flow
func TestProviderFactory_IntegrationTest(t *testing.T) {
factory := NewProviderFactory()
// Test Google provider flow
t.Run("Google Provider Flow", func(t *testing.T) {
// Check if supported
if !factory.IsProviderSupported("https://accounts.google.com") {
t.Error("Google provider should be supported")
}
// Detect type
providerType, err := factory.DetectProviderType("https://accounts.google.com")
if err != nil {
t.Errorf("Unexpected error detecting Google provider: %v", err)
}
if providerType != ProviderTypeGoogle {
t.Errorf("Expected ProviderTypeGoogle, got %v", providerType)
}
// Create provider by URL
provider, err := factory.CreateProvider("https://accounts.google.com")
if err != nil {
t.Errorf("Unexpected error creating Google provider: %v", err)
}
if provider.GetType() != ProviderTypeGoogle {
t.Errorf("Expected ProviderTypeGoogle, got %v", provider.GetType())
}
// Create provider by type
provider2, err := factory.CreateProviderByType(ProviderTypeGoogle)
if err != nil {
t.Errorf("Unexpected error creating Google provider by type: %v", err)
}
if provider2.GetType() != ProviderTypeGoogle {
t.Errorf("Expected ProviderTypeGoogle, got %v", provider2.GetType())
}
})
// Test Azure provider flow
t.Run("Azure Provider Flow", func(t *testing.T) {
azureURL := "https://login.microsoftonline.com/tenant/v2.0"
// Check if supported
if !factory.IsProviderSupported(azureURL) {
t.Error("Azure provider should be supported")
}
// Detect type
providerType, err := factory.DetectProviderType(azureURL)
if err != nil {
t.Errorf("Unexpected error detecting Azure provider: %v", err)
}
if providerType != ProviderTypeAzure {
t.Errorf("Expected ProviderTypeAzure, got %v", providerType)
}
// Create provider
provider, err := factory.CreateProvider(azureURL)
if err != nil {
t.Errorf("Unexpected error creating Azure provider: %v", err)
}
if provider.GetType() != ProviderTypeAzure {
t.Errorf("Expected ProviderTypeAzure, got %v", provider.GetType())
}
})
// Test Generic provider flow
t.Run("Generic Provider Flow", func(t *testing.T) {
genericURL := "https://auth.custom-provider.com"
// Check if supported
if !factory.IsProviderSupported(genericURL) {
t.Error("Generic provider should be supported")
}
// Detect type
providerType, err := factory.DetectProviderType(genericURL)
if err != nil {
t.Errorf("Unexpected error detecting generic provider: %v", err)
}
if providerType != ProviderTypeGeneric {
t.Errorf("Expected ProviderTypeGeneric, got %v", providerType)
}
// Create provider
provider, err := factory.CreateProvider(genericURL)
if err != nil {
t.Errorf("Unexpected error creating generic provider: %v", err)
}
if provider.GetType() != ProviderTypeGeneric {
t.Errorf("Expected ProviderTypeGeneric, got %v", provider.GetType())
}
})
}
// TestProviderFactory_CaseInsensitiveHostMatching tests case insensitive host matching
func TestProviderFactory_CaseInsensitiveHostMatching(t *testing.T) {
factory := NewProviderFactory()
tests := []struct {
name string
issuerURL string
expectedType ProviderType
}{
{
name: "Google with uppercase",
issuerURL: "https://ACCOUNTS.GOOGLE.COM",
expectedType: ProviderTypeGoogle,
},
{
name: "Google with mixed case",
issuerURL: "https://Accounts.Google.Com",
expectedType: ProviderTypeGoogle,
},
{
name: "Azure with uppercase",
issuerURL: "https://LOGIN.MICROSOFTONLINE.COM/tenant",
expectedType: ProviderTypeAzure,
},
{
name: "Azure STS with mixed case",
issuerURL: "https://Sts.Windows.Net/tenant",
expectedType: ProviderTypeAzure,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Should be supported
if !factory.IsProviderSupported(tt.issuerURL) {
t.Errorf("URL %s should be supported", tt.issuerURL)
}
// Should detect correct type
providerType, err := factory.DetectProviderType(tt.issuerURL)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if providerType != tt.expectedType {
t.Errorf("Expected %v, got %v", tt.expectedType, providerType)
}
// Should create correct provider
provider, err := factory.CreateProvider(tt.issuerURL)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if provider.GetType() != tt.expectedType {
t.Errorf("Expected %v, got %v", tt.expectedType, provider.GetType())
}
})
}
}
// Benchmark tests
func BenchmarkProviderFactory_CreateProvider(b *testing.B) {
factory := NewProviderFactory()
issuerURL := "https://accounts.google.com"
b.ResetTimer()
for i := 0; i < b.N; i++ {
factory.CreateProvider(issuerURL)
}
}
func BenchmarkProviderFactory_IsProviderSupported(b *testing.B) {
factory := NewProviderFactory()
issuerURL := "https://auth.example.com"
b.ResetTimer()
for i := 0; i < b.N; i++ {
factory.IsProviderSupported(issuerURL)
}
}
func BenchmarkProviderFactory_DetectProviderType(b *testing.B) {
factory := NewProviderFactory()
issuerURL := "https://login.microsoftonline.com/tenant"
b.ResetTimer()
for i := 0; i < b.N; i++ {
factory.DetectProviderType(issuerURL)
}
}
internal/providers/generic_test.go
+246
View File
@@ -0,0 +1,246 @@
package providers
import (
"testing"
)
// TestGenericProvider_NewGenericProvider tests the constructor
func TestGenericProvider_NewGenericProvider(t *testing.T) {
provider := NewGenericProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestGenericProvider_GetType tests provider type
func TestGenericProvider_GetType(t *testing.T) {
provider := NewGenericProvider()
if provider.GetType() != ProviderTypeGeneric {
t.Errorf("Expected ProviderTypeGeneric, got %v", provider.GetType())
}
}
// TestGenericProvider_GetCapabilities tests that it inherits BaseProvider capabilities
func TestGenericProvider_GetCapabilities(t *testing.T) {
provider := NewGenericProvider()
capabilities := provider.GetCapabilities()
// Should have the same capabilities as BaseProvider
baseProvider := NewBaseProvider()
baseCapabilities := baseProvider.GetCapabilities()
if capabilities.SupportsRefreshTokens != baseCapabilities.SupportsRefreshTokens {
t.Errorf("Expected SupportsRefreshTokens %v, got %v",
baseCapabilities.SupportsRefreshTokens, capabilities.SupportsRefreshTokens)
}
if capabilities.RequiresOfflineAccessScope != baseCapabilities.RequiresOfflineAccessScope {
t.Errorf("Expected RequiresOfflineAccessScope %v, got %v",
baseCapabilities.RequiresOfflineAccessScope, capabilities.RequiresOfflineAccessScope)
}
if capabilities.PreferredTokenValidation != baseCapabilities.PreferredTokenValidation {
t.Errorf("Expected PreferredTokenValidation %v, got %v",
baseCapabilities.PreferredTokenValidation, capabilities.PreferredTokenValidation)
}
if capabilities.RequiresPromptConsent != baseCapabilities.RequiresPromptConsent {
t.Errorf("Expected RequiresPromptConsent %v, got %v",
baseCapabilities.RequiresPromptConsent, capabilities.RequiresPromptConsent)
}
}
// TestGenericProvider_InterfaceCompliance tests that Generic provider implements OIDCProvider
func TestGenericProvider_InterfaceCompliance(t *testing.T) {
provider := NewGenericProvider()
// Verify it implements the OIDCProvider interface
var _ OIDCProvider = provider
}
// TestGenericProvider_InheritsBaseProviderBehavior tests inherited functionality
func TestGenericProvider_InheritsBaseProviderBehavior(t *testing.T) {
provider := NewGenericProvider()
baseProvider := NewBaseProvider()
// Test BuildAuthParams behavior is the same
scopes := []string{"openid", "profile", "email"}
baseParams := make(map[string][]string)
baseParams["client_id"] = []string{"test-client"}
genericResult, genericErr := provider.BuildAuthParams(baseParams, scopes)
baseResult, baseErr := baseProvider.BuildAuthParams(baseParams, scopes)
if (genericErr == nil) != (baseErr == nil) {
t.Errorf("BuildAuthParams error mismatch: generic=%v, base=%v", genericErr, baseErr)
}
if genericErr == nil && baseErr == nil {
// Compare scopes length (offline_access should be added)
if len(genericResult.Scopes) != len(baseResult.Scopes) {
t.Errorf("BuildAuthParams scope count mismatch: generic=%d, base=%d",
len(genericResult.Scopes), len(baseResult.Scopes))
}
// Verify offline_access is added in both cases
genericHasOffline := false
baseHasOffline := false
for _, scope := range genericResult.Scopes {
if scope == "offline_access" {
genericHasOffline = true
break
}
}
for _, scope := range baseResult.Scopes {
if scope == "offline_access" {
baseHasOffline = true
break
}
}
if genericHasOffline != baseHasOffline {
t.Errorf("offline_access scope handling mismatch: generic=%v, base=%v",
genericHasOffline, baseHasOffline)
}
}
// Test ValidateConfig behavior is the same
genericConfigErr := provider.ValidateConfig()
baseConfigErr := baseProvider.ValidateConfig()
if (genericConfigErr == nil) != (baseConfigErr == nil) {
t.Errorf("ValidateConfig error mismatch: generic=%v, base=%v", genericConfigErr, baseConfigErr)
}
// Test HandleTokenRefresh behavior is the same
tokenData := &TokenResult{IDToken: "test-token"}
genericRefreshErr := provider.HandleTokenRefresh(tokenData)
baseRefreshErr := baseProvider.HandleTokenRefresh(tokenData)
if (genericRefreshErr == nil) != (baseRefreshErr == nil) {
t.Errorf("HandleTokenRefresh error mismatch: generic=%v, base=%v",
genericRefreshErr, baseRefreshErr)
}
}
// TestGenericProvider_ValidateTokens tests token validation inheritance
func TestGenericProvider_ValidateTokens(t *testing.T) {
provider := NewGenericProvider()
tests := []struct {
name string
session *mockSession
verifierError error
expectedResult ValidationResult
}{
{
name: "Unauthenticated with refresh token",
session: &mockSession{
authenticated: false,
refreshToken: "refresh-token",
},
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
{
name: "Authenticated with valid tokens",
session: &mockSession{
authenticated: true,
idToken: "valid-token",
accessToken: "access-token",
refreshToken: "refresh-token",
},
verifierError: nil,
expectedResult: ValidationResult{
Authenticated: true,
NeedsRefresh: false,
IsExpired: false,
},
},
{
name: "Authenticated with invalid token, has refresh",
session: &mockSession{
authenticated: true,
idToken: "invalid-token",
refreshToken: "refresh-token",
},
verifierError: &testError{"token expired"},
expectedResult: ValidationResult{
Authenticated: false,
NeedsRefresh: true,
IsExpired: false,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
verifier := &mockTokenVerifier{error: tt.verifierError}
cache := &mockTokenCache{
claims: map[string]map[string]interface{}{
"valid-token": {
"exp": float64(9999999999), // Far future
"sub": "user123",
},
},
}
result, err := provider.ValidateTokens(tt.session, verifier, cache, 0)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result.Authenticated != tt.expectedResult.Authenticated {
t.Errorf("Expected Authenticated %v, got %v", tt.expectedResult.Authenticated, result.Authenticated)
}
if result.NeedsRefresh != tt.expectedResult.NeedsRefresh {
t.Errorf("Expected NeedsRefresh %v, got %v", tt.expectedResult.NeedsRefresh, result.NeedsRefresh)
}
if result.IsExpired != tt.expectedResult.IsExpired {
t.Errorf("Expected IsExpired %v, got %v", tt.expectedResult.IsExpired, result.IsExpired)
}
})
}
}
// Benchmark tests
func BenchmarkGenericProvider_GetType(b *testing.B) {
provider := NewGenericProvider()
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.GetType()
}
}
func BenchmarkGenericProvider_GetCapabilities(b *testing.B) {
provider := NewGenericProvider()
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.GetCapabilities()
}
}
// Test error type for testing
type testError struct {
message string
}
func (e *testError) Error() string {
return e.message
}
internal/providers/github.go
+61
View File
@@ -0,0 +1,61 @@
package providers
import (
"net/url"
)
// GitHubProvider encapsulates GitHub-specific OIDC logic.
type GitHubProvider struct {
*BaseProvider
}
// NewGitHubProvider creates a new instance of the GitHubProvider.
func NewGitHubProvider() *GitHubProvider {
return &GitHubProvider{
BaseProvider: NewBaseProvider(),
}
}
// GetType returns the provider's type.
func (p *GitHubProvider) GetType() ProviderType {
return ProviderTypeGitHub
}
// GetCapabilities returns the specific capabilities of the GitHub provider.
// WARNING: GitHub does NOT support OpenID Connect - it's OAuth 2.0 only.
// This provider should only be used for OAuth flows, not OIDC authentication.
func (p *GitHubProvider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{
SupportsRefreshTokens: false, // GitHub OAuth apps don't support refresh tokens
RequiresOfflineAccessScope: false, // GitHub doesn't use offline_access
RequiresPromptConsent: false,
PreferredTokenValidation: "access", // GitHub only provides access tokens, no ID tokens
}
}
// BuildAuthParams configures GitHub-specific authentication parameters.
func (p *GitHubProvider) BuildAuthParams(baseParams url.Values, scopes []string) (*AuthParams, error) {
// GitHub doesn't use offline_access scope, so remove it if present
var filteredScopes []string
for _, scope := range scopes {
if scope != "offline_access" {
filteredScopes = append(filteredScopes, scope)
}
}
// If no scopes specified, use default GitHub scopes for OAuth
// Note: GitHub doesn't support 'openid' scope as it's not an OIDC provider
if len(filteredScopes) == 0 {
filteredScopes = []string{"user:email", "read:user"}
}
return &AuthParams{
URLValues: baseParams,
Scopes: deduplicateScopes(filteredScopes),
}, nil
}
// GitHub requires specific configuration for proper operation.
func (p *GitHubProvider) ValidateConfig() error {
return p.BaseProvider.ValidateConfig()
}
internal/providers/github_test.go
+110
View File
@@ -0,0 +1,110 @@
package providers
import (
"net/url"
"testing"
)
// TestGitHubProvider_NewGitHubProvider tests the constructor
func TestGitHubProvider_NewGitHubProvider(t *testing.T) {
provider := NewGitHubProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestGitHubProvider_GetType tests provider type
func TestGitHubProvider_GetType(t *testing.T) {
provider := NewGitHubProvider()
if provider.GetType() != ProviderTypeGitHub {
t.Errorf("Expected ProviderTypeGitHub, got %v", provider.GetType())
}
}
// TestGitHubProvider_GetCapabilities tests GitHub-specific capabilities
func TestGitHubProvider_GetCapabilities(t *testing.T) {
provider := NewGitHubProvider()
capabilities := provider.GetCapabilities()
if capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be false for GitHub")
}
if capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be false for GitHub")
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false for GitHub")
}
if capabilities.PreferredTokenValidation != "access" {
t.Errorf("Expected PreferredTokenValidation 'access', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestGitHubProvider_BuildAuthParams tests GitHub-specific auth params
func TestGitHubProvider_BuildAuthParams(t *testing.T) {
provider := NewGitHubProvider()
baseParams := url.Values{}
baseParams.Set("client_id", "test_client")
tests := []struct {
name string
scopes []string
expectedScopes []string
}{
{
name: "Remove offline_access scope",
scopes: []string{"user:email", "offline_access", "read:user"},
expectedScopes: []string{"user:email", "read:user"},
},
{
name: "Default scopes when none provided",
scopes: []string{},
expectedScopes: []string{"user:email", "read:user"},
},
{
name: "Keep other scopes",
scopes: []string{"user", "repo"},
expectedScopes: []string{"user", "repo"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
if len(authParams.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d", len(tt.expectedScopes), len(authParams.Scopes))
return
}
for i, scope := range tt.expectedScopes {
if authParams.Scopes[i] != scope {
t.Errorf("Expected scope '%s', got '%s'", scope, authParams.Scopes[i])
}
}
})
}
}
// TestGitHubProvider_ValidateConfig tests config validation
func TestGitHubProvider_ValidateConfig(t *testing.T) {
provider := NewGitHubProvider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("ValidateConfig failed: %v", err)
}
}
internal/providers/gitlab.go
+73
View File
@@ -0,0 +1,73 @@
package providers
import (
"net/url"
)
// GitLabProvider encapsulates GitLab-specific OIDC logic.
type GitLabProvider struct {
*BaseProvider
}
// NewGitLabProvider creates a new instance of the GitLabProvider.
func NewGitLabProvider() *GitLabProvider {
return &GitLabProvider{
BaseProvider: NewBaseProvider(),
}
}
// GetType returns the provider's type.
func (p *GitLabProvider) GetType() ProviderType {
return ProviderTypeGitLab
}
// GetCapabilities returns the specific capabilities of the GitLab provider.
func (p *GitLabProvider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{
SupportsRefreshTokens: true,
RequiresOfflineAccessScope: false, // GitLab doesn't use offline_access scope
RequiresPromptConsent: false,
PreferredTokenValidation: "id", // GitLab typically uses ID tokens
}
}
// BuildAuthParams configures GitLab-specific authentication parameters.
func (p *GitLabProvider) BuildAuthParams(baseParams url.Values, scopes []string) (*AuthParams, error) {
// GitLab supports standard OAuth 2.0 parameters
baseParams.Set("response_type", "code")
// Remove offline_access scope as GitLab doesn't use it
var filteredScopes []string
for _, scope := range scopes {
if scope != "offline_access" {
filteredScopes = append(filteredScopes, scope)
}
}
// Ensure openid scope is present for OIDC
hasOpenID := false
for _, scope := range filteredScopes {
if scope == "openid" {
hasOpenID = true
break
}
}
if !hasOpenID {
filteredScopes = append(filteredScopes, "openid")
}
// Default GitLab scopes if none specified
if len(filteredScopes) == 1 && filteredScopes[0] == "openid" {
filteredScopes = append(filteredScopes, "profile", "email")
}
return &AuthParams{
URLValues: baseParams,
Scopes: deduplicateScopes(filteredScopes),
}, nil
}
// GitLab requires application configuration and proper redirect URIs.
func (p *GitLabProvider) ValidateConfig() error {
return p.BaseProvider.ValidateConfig()
}
internal/providers/gitlab_test.go
+322
View File
@@ -0,0 +1,322 @@
package providers
import (
"net/url"
"testing"
)
// TestGitLabProvider_NewGitLabProvider tests the constructor
func TestGitLabProvider_NewGitLabProvider(t *testing.T) {
provider := NewGitLabProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestGitLabProvider_GetType tests provider type
func TestGitLabProvider_GetType(t *testing.T) {
provider := NewGitLabProvider()
if provider.GetType() != ProviderTypeGitLab {
t.Errorf("Expected ProviderTypeGitLab, got %v", provider.GetType())
}
}
// TestGitLabProvider_GetCapabilities tests GitLab-specific capabilities
func TestGitLabProvider_GetCapabilities(t *testing.T) {
provider := NewGitLabProvider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true for GitLab")
}
if capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be false for GitLab")
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false for GitLab")
}
if capabilities.PreferredTokenValidation != "id" {
t.Errorf("Expected PreferredTokenValidation 'id', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestGitLabProvider_BuildAuthParams tests GitLab-specific auth params
func TestGitLabProvider_BuildAuthParams(t *testing.T) {
provider := NewGitLabProvider()
baseParams := url.Values{}
baseParams.Set("client_id", "test_client")
tests := []struct {
name string
scopes []string
expectedScopes []string
}{
{
name: "Remove offline_access scope and ensure openid",
scopes: []string{"read_user", "read_api", "offline_access"},
expectedScopes: []string{"read_user", "read_api", "openid"},
},
{
name: "Keep existing openid, remove offline_access",
scopes: []string{"openid", "read_user", "offline_access", "profile"},
expectedScopes: []string{"openid", "read_user", "profile"},
},
{
name: "Add default scopes when only openid",
scopes: []string{"openid"},
expectedScopes: []string{"openid", "profile", "email"},
},
{
name: "Add openid and defaults when empty",
scopes: []string{},
expectedScopes: []string{"openid", "profile", "email"},
},
{
name: "GitLab-specific scopes",
scopes: []string{"read_user", "read_api", "read_repository"},
expectedScopes: []string{"read_user", "read_api", "read_repository", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Check that response_type is set
if authParams.URLValues.Get("response_type") != "code" {
t.Errorf("Expected response_type 'code', got '%s'", authParams.URLValues.Get("response_type"))
}
if len(authParams.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d. Expected: %v, Got: %v",
len(tt.expectedScopes), len(authParams.Scopes), tt.expectedScopes, authParams.Scopes)
return
}
// Check that all expected scopes are present
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
// Ensure offline_access is NOT present
for _, actualScope := range authParams.Scopes {
if actualScope == "offline_access" {
t.Error("offline_access scope should be filtered out for GitLab")
}
}
})
}
}
// TestGitLabProvider_ValidateConfig tests config validation
func TestGitLabProvider_ValidateConfig(t *testing.T) {
provider := NewGitLabProvider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("ValidateConfig failed: %v", err)
}
}
// TestGitLabProvider_InterfaceCompliance tests that GitLab provider implements the OIDCProvider interface
func TestGitLabProvider_InterfaceCompliance(t *testing.T) {
var _ OIDCProvider = NewGitLabProvider()
}
// TestGitLabProvider_BaseProviderInheritance tests that GitLab provider inherits from BaseProvider correctly
func TestGitLabProvider_BaseProviderInheritance(t *testing.T) {
provider := NewGitLabProvider()
// Test that it has access to BaseProvider methods
if provider.BaseProvider == nil {
t.Error("Expected BaseProvider to be initialized")
}
// Test HandleTokenRefresh (inherited from BaseProvider)
err := provider.HandleTokenRefresh(&TokenResult{
IDToken: "test-id-token",
AccessToken: "test-access-token",
RefreshToken: "test-refresh-token",
})
if err != nil {
t.Errorf("HandleTokenRefresh failed: %v", err)
}
}
// TestGitLabProvider_OfflineAccessFiltering tests that offline_access scope is always filtered out
func TestGitLabProvider_OfflineAccessFiltering(t *testing.T) {
provider := NewGitLabProvider()
baseParams := url.Values{}
tests := []struct {
name string
scopes []string
}{
{
name: "Single offline_access",
scopes: []string{"offline_access"},
},
{
name: "Multiple offline_access occurrences",
scopes: []string{"offline_access", "read_user", "offline_access", "profile"},
},
{
name: "Mixed with other scopes",
scopes: []string{"read_api", "offline_access", "read_user"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Ensure offline_access is NOT present
for _, actualScope := range authParams.Scopes {
if actualScope == "offline_access" {
t.Error("offline_access scope should be filtered out for GitLab")
}
}
})
}
}
// TestGitLabProvider_GitLabSpecificScopes tests GitLab-specific scopes
func TestGitLabProvider_GitLabSpecificScopes(t *testing.T) {
provider := NewGitLabProvider()
baseParams := url.Values{}
tests := []struct {
name string
scopes []string
checkFor []string
}{
{
name: "GitLab API scopes",
scopes: []string{"read_api", "read_user"},
checkFor: []string{"read_api", "read_user", "openid"},
},
{
name: "GitLab repository scopes",
scopes: []string{"read_repository", "write_repository"},
checkFor: []string{"read_repository", "write_repository", "openid"},
},
{
name: "GitLab admin scopes",
scopes: []string{"api", "sudo"},
checkFor: []string{"api", "sudo", "openid"},
},
{
name: "GitLab registry scopes",
scopes: []string{"read_registry", "write_registry"},
checkFor: []string{"read_registry", "write_registry", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
for _, expectedScope := range tt.checkFor {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
})
}
}
// TestGitLabProvider_DefaultScopeHandling tests default scope behavior
func TestGitLabProvider_DefaultScopeHandling(t *testing.T) {
provider := NewGitLabProvider()
baseParams := url.Values{}
// Test with only openid scope - should add defaults
authParams, err := provider.BuildAuthParams(baseParams, []string{"openid"})
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
expectedScopes := []string{"openid", "profile", "email"}
if len(authParams.Scopes) != len(expectedScopes) {
t.Errorf("Expected %d scopes, got %d", len(expectedScopes), len(authParams.Scopes))
return
}
for _, expectedScope := range expectedScopes {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected default scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
}
// TestGitLabProvider_ScopeDeduplication tests that duplicate scopes are handled correctly
func TestGitLabProvider_ScopeDeduplication(t *testing.T) {
provider := NewGitLabProvider()
baseParams := url.Values{}
// Test with duplicate scopes
scopes := []string{"openid", "read_user", "openid", "profile", "read_user"}
authParams, err := provider.BuildAuthParams(baseParams, scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Count occurrences of each scope
scopeCounts := make(map[string]int)
for _, scope := range authParams.Scopes {
scopeCounts[scope]++
}
// Check that no scope appears more than once
for scope, count := range scopeCounts {
if count > 1 {
t.Errorf("Scope '%s' appears %d times, expected 1", scope, count)
}
}
}
internal/providers/google.go
+3 -3
View File
@@ -24,8 +24,8 @@ func (p *GoogleProvider) GetType() ProviderType {
// GetCapabilities returns the specific capabilities of the Google provider.
func (p *GoogleProvider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{
SupportsRefreshTokens: true,
RequiresOfflineAccessScope: false,
SupportsRefreshTokens: true, // Google DOES support refresh tokens
RequiresOfflineAccessScope: false, // Google uses access_type=offline instead
RequiresPromptConsent: true,
PreferredTokenValidation: "id",
}
@@ -46,7 +46,7 @@ func (p *GoogleProvider) BuildAuthParams(baseParams url.Values, scopes []string)
return &AuthParams{
URLValues: baseParams,
Scopes: filteredScopes,
Scopes: deduplicateScopes(filteredScopes),
}, nil
}
internal/providers/google_test.go
+350
View File
@@ -0,0 +1,350 @@
package providers
import (
"net/url"
"testing"
)
// TestGoogleProvider_NewGoogleProvider tests the constructor
func TestGoogleProvider_NewGoogleProvider(t *testing.T) {
provider := NewGoogleProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestGoogleProvider_GetType tests provider type
func TestGoogleProvider_GetType(t *testing.T) {
provider := NewGoogleProvider()
if provider.GetType() != ProviderTypeGoogle {
t.Errorf("Expected ProviderTypeGoogle, got %v", provider.GetType())
}
}
// TestGoogleProvider_GetCapabilities tests Google-specific capabilities
func TestGoogleProvider_GetCapabilities(t *testing.T) {
provider := NewGoogleProvider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true")
}
if capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be false for Google")
}
if !capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be true for Google")
}
if capabilities.PreferredTokenValidation != "id" {
t.Errorf("Expected PreferredTokenValidation 'id', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestGoogleProvider_BuildAuthParams tests Google-specific auth parameters
func TestGoogleProvider_BuildAuthParams(t *testing.T) {
provider := NewGoogleProvider()
tests := []struct {
name string
inputScopes []string
expectedScopes []string
shouldHaveAccessType bool
shouldHavePrompt bool
}{
{
name: "Basic scopes without offline_access",
inputScopes: []string{"openid", "profile", "email"},
expectedScopes: []string{"openid", "profile", "email"},
shouldHaveAccessType: true,
shouldHavePrompt: true,
},
{
name: "Scopes with offline_access (should be filtered out)",
inputScopes: []string{"openid", "profile", "offline_access", "email"},
expectedScopes: []string{"openid", "profile", "email"},
shouldHaveAccessType: true,
shouldHavePrompt: true,
},
{
name: "Only offline_access scope (should be filtered out)",
inputScopes: []string{"offline_access"},
expectedScopes: []string{},
shouldHaveAccessType: true,
shouldHavePrompt: true,
},
{
name: "Empty scopes",
inputScopes: []string{},
expectedScopes: []string{},
shouldHaveAccessType: true,
shouldHavePrompt: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
baseParams := make(url.Values)
baseParams.Set("client_id", "test-client")
result, err := provider.BuildAuthParams(baseParams, tt.inputScopes)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// Check Google-specific parameters
if tt.shouldHaveAccessType {
if result.URLValues.Get("access_type") != "offline" {
t.Errorf("Expected access_type 'offline', got '%s'", result.URLValues.Get("access_type"))
}
}
if tt.shouldHavePrompt {
if result.URLValues.Get("prompt") != "consent" {
t.Errorf("Expected prompt 'consent', got '%s'", result.URLValues.Get("prompt"))
}
}
// Check filtered scopes
if len(result.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d", len(tt.expectedScopes), len(result.Scopes))
}
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range result.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in result", expectedScope)
}
}
// Ensure offline_access is not in the result scopes
for _, scope := range result.Scopes {
if scope == "offline_access" {
t.Error("offline_access scope should be filtered out for Google")
}
}
// Verify original base parameters are preserved
if result.URLValues.Get("client_id") != "test-client" {
t.Errorf("Expected client_id 'test-client', got '%s'", result.URLValues.Get("client_id"))
}
})
}
}
// TestGoogleProvider_ValidateConfig tests configuration validation
func TestGoogleProvider_ValidateConfig(t *testing.T) {
provider := NewGoogleProvider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("Expected no error, got %v", err)
}
}
// TestGoogleProvider_InterfaceCompliance tests that Google provider implements OIDCProvider
func TestGoogleProvider_InterfaceCompliance(t *testing.T) {
provider := NewGoogleProvider()
// Verify it implements the OIDCProvider interface
var _ OIDCProvider = provider
}
// TestGoogleProvider_OfflineAccessFiltering tests comprehensive offline_access filtering
func TestGoogleProvider_OfflineAccessFiltering(t *testing.T) {
provider := NewGoogleProvider()
tests := []struct {
name string
inputScopes []string
description string
}{
{
name: "Multiple offline_access occurrences",
inputScopes: []string{"openid", "offline_access", "profile", "offline_access", "email"},
description: "Should remove all instances of offline_access",
},
{
name: "Case sensitive filtering",
inputScopes: []string{"openid", "OFFLINE_ACCESS", "profile", "offline_access"},
description: "Should only remove exact case matches",
},
{
name: "Similar but different scopes",
inputScopes: []string{"openid", "offline_access_extended", "profile", "offline_access"},
description: "Should only remove exact offline_access matches",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
baseParams := make(url.Values)
result, err := provider.BuildAuthParams(baseParams, tt.inputScopes)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// Count offline_access occurrences in result
offlineAccessCount := 0
for _, scope := range result.Scopes {
if scope == "offline_access" {
offlineAccessCount++
}
}
if offlineAccessCount != 0 {
t.Errorf("Expected 0 offline_access scopes in result, got %d", offlineAccessCount)
}
// Verify other scopes are preserved
for _, originalScope := range tt.inputScopes {
if originalScope == "offline_access" {
continue // Skip the filtered scope
}
found := false
for _, resultScope := range result.Scopes {
if resultScope == originalScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' to be preserved", originalScope)
}
}
})
}
}
// TestGoogleProvider_BaseProviderInheritance tests inherited functionality from BaseProvider
func TestGoogleProvider_BaseProviderInheritance(t *testing.T) {
provider := NewGoogleProvider()
// Test ValidateTokens (inherited from BaseProvider)
session := &mockSession{
authenticated: true,
idToken: "test-token",
accessToken: "access-token", // Add access token for proper validation
}
verifier := &mockTokenVerifier{}
cache := &mockTokenCache{
claims: map[string]map[string]interface{}{
"test-token": {
"exp": float64(9999999999), // Far future
"sub": "user123",
},
},
}
result, err := provider.ValidateTokens(session, verifier, cache, 0)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if !result.Authenticated {
t.Error("Expected result to be authenticated")
}
// Test HandleTokenRefresh (inherited from BaseProvider)
tokenData := &TokenResult{IDToken: "new-token"}
err = provider.HandleTokenRefresh(tokenData)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
}
// TestGoogleProvider_AuthParamsPreservation tests that base parameters are not overwritten
func TestGoogleProvider_AuthParamsPreservation(t *testing.T) {
provider := NewGoogleProvider()
baseParams := make(url.Values)
baseParams.Set("client_id", "test-client")
baseParams.Set("redirect_uri", "https://example.com/callback")
baseParams.Set("response_type", "code")
baseParams.Set("state", "test-state")
baseParams.Set("nonce", "test-nonce")
scopes := []string{"openid", "profile"}
result, err := provider.BuildAuthParams(baseParams, scopes)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// Verify all original parameters are preserved
expectedParams := map[string]string{
"client_id": "test-client",
"redirect_uri": "https://example.com/callback",
"response_type": "code",
"state": "test-state",
"nonce": "test-nonce",
"access_type": "offline", // Added by Google provider
"prompt": "consent", // Added by Google provider
}
for key, expectedValue := range expectedParams {
actualValue := result.URLValues.Get(key)
if actualValue != expectedValue {
t.Errorf("Expected %s '%s', got '%s'", key, expectedValue, actualValue)
}
}
// Verify scopes
if len(result.Scopes) != 2 {
t.Errorf("Expected 2 scopes, got %d", len(result.Scopes))
}
expectedScopes := []string{"openid", "profile"}
for _, expectedScope := range expectedScopes {
found := false
for _, actualScope := range result.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found", expectedScope)
}
}
}
// Benchmark tests
func BenchmarkGoogleProvider_BuildAuthParams(b *testing.B) {
provider := NewGoogleProvider()
baseParams := make(url.Values)
baseParams.Set("client_id", "test-client")
scopes := []string{"openid", "profile", "email", "offline_access"}
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.BuildAuthParams(baseParams, scopes)
}
}
func BenchmarkGoogleProvider_GetCapabilities(b *testing.B) {
provider := NewGoogleProvider()
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider.GetCapabilities()
}
}
internal/providers/interfaces.go
+6
View File
@@ -25,6 +25,12 @@ const (
ProviderTypeGeneric ProviderType = iota
ProviderTypeGoogle
ProviderTypeAzure
ProviderTypeGitHub
ProviderTypeAuth0
ProviderTypeOkta
ProviderTypeKeycloak
ProviderTypeAWSCognito
ProviderTypeGitLab
)
// ProviderCapabilities defines the specific features and behaviors of an OIDC provider.
internal/providers/keycloak.go
+72
View File
@@ -0,0 +1,72 @@
package providers
import (
"net/url"
)
// KeycloakProvider encapsulates Keycloak-specific OIDC logic.
type KeycloakProvider struct {
*BaseProvider
}
// NewKeycloakProvider creates a new instance of the KeycloakProvider.
func NewKeycloakProvider() *KeycloakProvider {
return &KeycloakProvider{
BaseProvider: NewBaseProvider(),
}
}
// GetType returns the provider's type.
func (p *KeycloakProvider) GetType() ProviderType {
return ProviderTypeKeycloak
}
// GetCapabilities returns the specific capabilities of the Keycloak provider.
func (p *KeycloakProvider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{
SupportsRefreshTokens: true,
RequiresOfflineAccessScope: true,
RequiresPromptConsent: false,
PreferredTokenValidation: "id", // Keycloak typically uses ID tokens
}
}
// BuildAuthParams configures Keycloak-specific authentication parameters.
func (p *KeycloakProvider) BuildAuthParams(baseParams url.Values, scopes []string) (*AuthParams, error) {
// Keycloak supports standard OIDC parameters
baseParams.Set("response_type", "code")
// Ensure offline_access scope is present for refresh tokens
hasOfflineAccess := false
for _, scope := range scopes {
if scope == "offline_access" {
hasOfflineAccess = true
break
}
}
if !hasOfflineAccess {
scopes = append(scopes, "offline_access")
}
// Ensure openid scope is present
hasOpenID := false
for _, scope := range scopes {
if scope == "openid" {
hasOpenID = true
break
}
}
if !hasOpenID {
scopes = append(scopes, "openid")
}
return &AuthParams{
URLValues: baseParams,
Scopes: deduplicateScopes(scopes),
}, nil
}
// Keycloak requires realm and server configuration.
func (p *KeycloakProvider) ValidateConfig() error {
return p.BaseProvider.ValidateConfig()
}
internal/providers/keycloak_test.go
+232
View File
@@ -0,0 +1,232 @@
package providers
import (
"net/url"
"testing"
)
// TestKeycloakProvider_NewKeycloakProvider tests the constructor
func TestKeycloakProvider_NewKeycloakProvider(t *testing.T) {
provider := NewKeycloakProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestKeycloakProvider_GetType tests provider type
func TestKeycloakProvider_GetType(t *testing.T) {
provider := NewKeycloakProvider()
if provider.GetType() != ProviderTypeKeycloak {
t.Errorf("Expected ProviderTypeKeycloak, got %v", provider.GetType())
}
}
// TestKeycloakProvider_GetCapabilities tests Keycloak-specific capabilities
func TestKeycloakProvider_GetCapabilities(t *testing.T) {
provider := NewKeycloakProvider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true for Keycloak")
}
if !capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be true for Keycloak")
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false for Keycloak")
}
if capabilities.PreferredTokenValidation != "id" {
t.Errorf("Expected PreferredTokenValidation 'id', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestKeycloakProvider_BuildAuthParams tests Keycloak-specific auth params
func TestKeycloakProvider_BuildAuthParams(t *testing.T) {
provider := NewKeycloakProvider()
baseParams := url.Values{}
baseParams.Set("client_id", "test_client")
tests := []struct {
name string
scopes []string
expectedScopes []string
}{
{
name: "Add offline_access and openid scopes",
scopes: []string{"roles", "groups"},
expectedScopes: []string{"roles", "groups", "offline_access", "openid"},
},
{
name: "Keep existing offline_access and openid",
scopes: []string{"openid", "roles", "offline_access", "groups"},
expectedScopes: []string{"openid", "roles", "offline_access", "groups"},
},
{
name: "Add both scopes when none provided",
scopes: []string{},
expectedScopes: []string{"offline_access", "openid"},
},
{
name: "Keycloak custom scopes",
scopes: []string{"realm-roles", "account"},
expectedScopes: []string{"realm-roles", "account", "offline_access", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Check that response_type is set
if authParams.URLValues.Get("response_type") != "code" {
t.Errorf("Expected response_type 'code', got '%s'", authParams.URLValues.Get("response_type"))
}
if len(authParams.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d. Expected: %v, Got: %v",
len(tt.expectedScopes), len(authParams.Scopes), tt.expectedScopes, authParams.Scopes)
return
}
// Check that all expected scopes are present
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
})
}
}
// TestKeycloakProvider_ValidateConfig tests config validation
func TestKeycloakProvider_ValidateConfig(t *testing.T) {
provider := NewKeycloakProvider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("ValidateConfig failed: %v", err)
}
}
// TestKeycloakProvider_InterfaceCompliance tests that Keycloak provider implements the OIDCProvider interface
func TestKeycloakProvider_InterfaceCompliance(t *testing.T) {
var _ OIDCProvider = NewKeycloakProvider()
}
// TestKeycloakProvider_BaseProviderInheritance tests that Keycloak provider inherits from BaseProvider correctly
func TestKeycloakProvider_BaseProviderInheritance(t *testing.T) {
provider := NewKeycloakProvider()
// Test that it has access to BaseProvider methods
if provider.BaseProvider == nil {
t.Error("Expected BaseProvider to be initialized")
}
// Test HandleTokenRefresh (inherited from BaseProvider)
err := provider.HandleTokenRefresh(&TokenResult{
IDToken: "test-id-token",
AccessToken: "test-access-token",
RefreshToken: "test-refresh-token",
})
if err != nil {
t.Errorf("HandleTokenRefresh failed: %v", err)
}
}
// TestKeycloakProvider_RealmSpecificScopes tests Keycloak realm-specific scopes
func TestKeycloakProvider_RealmSpecificScopes(t *testing.T) {
provider := NewKeycloakProvider()
baseParams := url.Values{}
tests := []struct {
name string
scopes []string
checkFor []string
}{
{
name: "Keycloak standard scopes",
scopes: []string{"roles", "groups", "profile", "email"},
checkFor: []string{"roles", "groups", "profile", "email", "offline_access", "openid"},
},
{
name: "Keycloak realm roles",
scopes: []string{"realm-roles", "client-roles"},
checkFor: []string{"realm-roles", "client-roles", "offline_access", "openid"},
},
{
name: "Keycloak account service",
scopes: []string{"account"},
checkFor: []string{"account", "offline_access", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
for _, expectedScope := range tt.checkFor {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
})
}
}
// TestKeycloakProvider_ScopeDeduplication tests that duplicate scopes are handled correctly
func TestKeycloakProvider_ScopeDeduplication(t *testing.T) {
provider := NewKeycloakProvider()
baseParams := url.Values{}
// Test with duplicate scopes
scopes := []string{"openid", "profile", "offline_access", "roles", "openid", "profile"}
authParams, err := provider.BuildAuthParams(baseParams, scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Count occurrences of each scope
scopeCounts := make(map[string]int)
for _, scope := range authParams.Scopes {
scopeCounts[scope]++
}
// Check that no scope appears more than once
for scope, count := range scopeCounts {
if count > 1 {
t.Errorf("Scope '%s' appears %d times, expected 1", scope, count)
}
}
}
internal/providers/okta.go
+72
View File
@@ -0,0 +1,72 @@
package providers
import (
"net/url"
)
// OktaProvider encapsulates Okta-specific OIDC logic.
type OktaProvider struct {
*BaseProvider
}
// NewOktaProvider creates a new instance of the OktaProvider.
func NewOktaProvider() *OktaProvider {
return &OktaProvider{
BaseProvider: NewBaseProvider(),
}
}
// GetType returns the provider's type.
func (p *OktaProvider) GetType() ProviderType {
return ProviderTypeOkta
}
// GetCapabilities returns the specific capabilities of the Okta provider.
func (p *OktaProvider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{
SupportsRefreshTokens: true,
RequiresOfflineAccessScope: true,
RequiresPromptConsent: false,
PreferredTokenValidation: "id", // Okta primarily uses ID tokens
}
}
// BuildAuthParams configures Okta-specific authentication parameters.
func (p *OktaProvider) BuildAuthParams(baseParams url.Values, scopes []string) (*AuthParams, error) {
// Okta supports various response types
baseParams.Set("response_type", "code")
// Ensure offline_access scope is present for refresh tokens
hasOfflineAccess := false
for _, scope := range scopes {
if scope == "offline_access" {
hasOfflineAccess = true
break
}
}
if !hasOfflineAccess {
scopes = append(scopes, "offline_access")
}
// Ensure openid scope is present
hasOpenID := false
for _, scope := range scopes {
if scope == "openid" {
hasOpenID = true
break
}
}
if !hasOpenID {
scopes = append(scopes, "openid")
}
return &AuthParams{
URLValues: baseParams,
Scopes: deduplicateScopes(scopes),
}, nil
}
// Okta requires specific domain configuration and application setup.
func (p *OktaProvider) ValidateConfig() error {
return p.BaseProvider.ValidateConfig()
}
internal/providers/okta_test.go
+200
View File
@@ -0,0 +1,200 @@
package providers
import (
"net/url"
"testing"
)
// TestOktaProvider_NewOktaProvider tests the constructor
func TestOktaProvider_NewOktaProvider(t *testing.T) {
provider := NewOktaProvider()
if provider == nil {
t.Fatal("Expected provider to be created, got nil")
}
if provider.BaseProvider == nil {
t.Error("BaseProvider should be initialized")
}
}
// TestOktaProvider_GetType tests provider type
func TestOktaProvider_GetType(t *testing.T) {
provider := NewOktaProvider()
if provider.GetType() != ProviderTypeOkta {
t.Errorf("Expected ProviderTypeOkta, got %v", provider.GetType())
}
}
// TestOktaProvider_GetCapabilities tests Okta-specific capabilities
func TestOktaProvider_GetCapabilities(t *testing.T) {
provider := NewOktaProvider()
capabilities := provider.GetCapabilities()
if !capabilities.SupportsRefreshTokens {
t.Error("Expected SupportsRefreshTokens to be true for Okta")
}
if !capabilities.RequiresOfflineAccessScope {
t.Error("Expected RequiresOfflineAccessScope to be true for Okta")
}
if capabilities.RequiresPromptConsent {
t.Error("Expected RequiresPromptConsent to be false for Okta")
}
if capabilities.PreferredTokenValidation != "id" {
t.Errorf("Expected PreferredTokenValidation 'id', got '%s'", capabilities.PreferredTokenValidation)
}
}
// TestOktaProvider_BuildAuthParams tests Okta-specific auth params
func TestOktaProvider_BuildAuthParams(t *testing.T) {
provider := NewOktaProvider()
baseParams := url.Values{}
baseParams.Set("client_id", "test_client")
tests := []struct {
name string
scopes []string
expectedScopes []string
}{
{
name: "Add offline_access and openid scopes",
scopes: []string{"groups", "profile"},
expectedScopes: []string{"groups", "profile", "offline_access", "openid"},
},
{
name: "Keep existing offline_access and openid",
scopes: []string{"openid", "groups", "offline_access", "profile"},
expectedScopes: []string{"openid", "groups", "offline_access", "profile"},
},
{
name: "Add both scopes when none provided",
scopes: []string{},
expectedScopes: []string{"offline_access", "openid"},
},
{
name: "Add openid when only offline_access present",
scopes: []string{"offline_access"},
expectedScopes: []string{"offline_access", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
// Check that response_type is set
if authParams.URLValues.Get("response_type") != "code" {
t.Errorf("Expected response_type 'code', got '%s'", authParams.URLValues.Get("response_type"))
}
if len(authParams.Scopes) != len(tt.expectedScopes) {
t.Errorf("Expected %d scopes, got %d. Expected: %v, Got: %v",
len(tt.expectedScopes), len(authParams.Scopes), tt.expectedScopes, authParams.Scopes)
return
}
// Check that all expected scopes are present
for _, expectedScope := range tt.expectedScopes {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
})
}
}
// TestOktaProvider_ValidateConfig tests config validation
func TestOktaProvider_ValidateConfig(t *testing.T) {
provider := NewOktaProvider()
err := provider.ValidateConfig()
if err != nil {
t.Errorf("ValidateConfig failed: %v", err)
}
}
// TestOktaProvider_InterfaceCompliance tests that Okta provider implements the OIDCProvider interface
func TestOktaProvider_InterfaceCompliance(t *testing.T) {
var _ OIDCProvider = NewOktaProvider()
}
// TestOktaProvider_BaseProviderInheritance tests that Okta provider inherits from BaseProvider correctly
func TestOktaProvider_BaseProviderInheritance(t *testing.T) {
provider := NewOktaProvider()
// Test that it has access to BaseProvider methods
if provider.BaseProvider == nil {
t.Error("Expected BaseProvider to be initialized")
}
// Test HandleTokenRefresh (inherited from BaseProvider)
err := provider.HandleTokenRefresh(&TokenResult{
IDToken: "test-id-token",
AccessToken: "test-access-token",
RefreshToken: "test-refresh-token",
})
if err != nil {
t.Errorf("HandleTokenRefresh failed: %v", err)
}
}
// TestOktaProvider_ScopeHandling tests Okta-specific scope handling
func TestOktaProvider_ScopeHandling(t *testing.T) {
provider := NewOktaProvider()
baseParams := url.Values{}
tests := []struct {
name string
scopes []string
checkFor []string
}{
{
name: "Groups scope handling",
scopes: []string{"groups", "profile"},
checkFor: []string{"groups", "profile", "offline_access", "openid"},
},
{
name: "Custom Okta scopes",
scopes: []string{"okta.users.read", "okta.groups.read"},
checkFor: []string{"okta.users.read", "okta.groups.read", "offline_access", "openid"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authParams, err := provider.BuildAuthParams(baseParams, tt.scopes)
if err != nil {
t.Errorf("BuildAuthParams failed: %v", err)
return
}
for _, expectedScope := range tt.checkFor {
found := false
for _, actualScope := range authParams.Scopes {
if actualScope == expectedScope {
found = true
break
}
}
if !found {
t.Errorf("Expected scope '%s' not found in %v", expectedScope, authParams.Scopes)
}
}
})
}
}
internal/providers/registry.go
+32 -1
View File
@@ -115,7 +115,14 @@ func (r *ProviderRegistry) detectProviderUnsafe(issuerURL string) OIDCProvider {
if err != nil {
return nil
}
host := normalizedURL.Host
// Check if the URL has a valid scheme and host
if normalizedURL.Scheme == "" || normalizedURL.Host == "" {
return nil
}
// Convert host to lowercase for case-insensitive matching
host := strings.ToLower(normalizedURL.Host)
for _, p := range r.providers {
switch p.GetType() {
@@ -127,6 +134,30 @@ func (r *ProviderRegistry) detectProviderUnsafe(issuerURL string) OIDCProvider {
if strings.Contains(host, "login.microsoftonline.com") || strings.Contains(host, "sts.windows.net") {
return p
}
case ProviderTypeGitHub:
if strings.Contains(host, "github.com") {
return p
}
case ProviderTypeAuth0:
if strings.Contains(host, ".auth0.com") {
return p
}
case ProviderTypeOkta:
if strings.Contains(host, ".okta.com") || strings.Contains(host, ".oktapreview.com") || strings.Contains(host, ".okta-emea.com") {
return p
}
case ProviderTypeKeycloak:
if strings.Contains(host, "keycloak") || strings.Contains(normalizedURL.Path, "/auth/realms/") {
return p
}
case ProviderTypeAWSCognito:
if strings.Contains(host, "cognito-idp") && strings.Contains(host, ".amazonaws.com") {
return p
}
case ProviderTypeGitLab:
if strings.Contains(host, "gitlab.com") {
return p
}
}
}
internal/providers/registry_test.go
+521
View File
@@ -0,0 +1,521 @@
package providers
import (
"sync"
"testing"
)
// TestProviderRegistry_NewProviderRegistry tests registry constructor
func TestProviderRegistry_NewProviderRegistry(t *testing.T) {
registry := NewProviderRegistry()
if registry == nil {
t.Fatal("Expected registry to be created, got nil")
}
if registry.providers == nil {
t.Error("Providers slice should be initialized")
}
if registry.cache == nil {
t.Error("Cache map should be initialized")
}
if registry.typeMap == nil {
t.Error("TypeMap should be initialized")
}
if registry.maxCacheSize != 1000 {
t.Errorf("Expected maxCacheSize 1000, got %d", registry.maxCacheSize)
}
if registry.cacheCount != 0 {
t.Errorf("Expected initial cacheCount 0, got %d", registry.cacheCount)
}
}
// TestProviderRegistry_RegisterProvider tests provider registration
func TestProviderRegistry_RegisterProvider(t *testing.T) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
googleProvider := NewGoogleProvider()
azureProvider := NewAzureProvider()
// Register providers
registry.RegisterProvider(genericProvider)
registry.RegisterProvider(googleProvider)
registry.RegisterProvider(azureProvider)
// Verify providers are registered
if len(registry.providers) != 3 {
t.Errorf("Expected 3 providers, got %d", len(registry.providers))
}
if len(registry.typeMap) != 3 {
t.Errorf("Expected 3 type mappings, got %d", len(registry.typeMap))
}
// Verify type mappings
if registry.typeMap[ProviderTypeGeneric] != genericProvider {
t.Error("Generic provider not mapped correctly")
}
if registry.typeMap[ProviderTypeGoogle] != googleProvider {
t.Error("Google provider not mapped correctly")
}
if registry.typeMap[ProviderTypeAzure] != azureProvider {
t.Error("Azure provider not mapped correctly")
}
}
// TestProviderRegistry_GetProviderByType tests provider retrieval by type
func TestProviderRegistry_GetProviderByType(t *testing.T) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
googleProvider := NewGoogleProvider()
registry.RegisterProvider(genericProvider)
registry.RegisterProvider(googleProvider)
tests := []struct {
name string
providerType ProviderType
expected OIDCProvider
}{
{
name: "Get Generic provider",
providerType: ProviderTypeGeneric,
expected: genericProvider,
},
{
name: "Get Google provider",
providerType: ProviderTypeGoogle,
expected: googleProvider,
},
{
name: "Get unregistered provider",
providerType: ProviderTypeAzure,
expected: nil,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := registry.GetProviderByType(tt.providerType)
if result != tt.expected {
t.Errorf("Expected %v, got %v", tt.expected, result)
}
})
}
}
// TestProviderRegistry_GetRegisteredProviders tests listing registered provider types
func TestProviderRegistry_GetRegisteredProviders(t *testing.T) {
registry := NewProviderRegistry()
// Initially empty
types := registry.GetRegisteredProviders()
if len(types) != 0 {
t.Errorf("Expected 0 registered providers, got %d", len(types))
}
// Register some providers
registry.RegisterProvider(NewGenericProvider())
registry.RegisterProvider(NewGoogleProvider())
types = registry.GetRegisteredProviders()
if len(types) != 2 {
t.Errorf("Expected 2 registered providers, got %d", len(types))
}
// Verify types are correct
expectedTypes := map[ProviderType]bool{
ProviderTypeGeneric: false,
ProviderTypeGoogle: false,
}
for _, providerType := range types {
if _, exists := expectedTypes[providerType]; exists {
expectedTypes[providerType] = true
} else {
t.Errorf("Unexpected provider type: %v", providerType)
}
}
for providerType, found := range expectedTypes {
if !found {
t.Errorf("Provider type %v not found in results", providerType)
}
}
}
// TestProviderRegistry_DetectProvider tests provider detection
func TestProviderRegistry_DetectProvider(t *testing.T) {
registry := NewProviderRegistry()
// Register providers
genericProvider := NewGenericProvider()
googleProvider := NewGoogleProvider()
azureProvider := NewAzureProvider()
githubProvider := NewGitHubProvider()
auth0Provider := NewAuth0Provider()
oktaProvider := NewOktaProvider()
keycloakProvider := NewKeycloakProvider()
cognitoProvider := NewAWSCognitoProvider()
gitlabProvider := NewGitLabProvider()
registry.RegisterProvider(genericProvider)
registry.RegisterProvider(googleProvider)
registry.RegisterProvider(azureProvider)
registry.RegisterProvider(githubProvider)
registry.RegisterProvider(auth0Provider)
registry.RegisterProvider(oktaProvider)
registry.RegisterProvider(keycloakProvider)
registry.RegisterProvider(cognitoProvider)
registry.RegisterProvider(gitlabProvider)
tests := []struct {
name string
issuerURL string
expected OIDCProvider
}{
{
name: "Google provider detection",
issuerURL: "https://accounts.google.com",
expected: googleProvider,
},
{
name: "Google provider with path",
issuerURL: "https://accounts.google.com/oauth2",
expected: googleProvider,
},
{
name: "Azure provider detection - login.microsoftonline.com",
issuerURL: "https://login.microsoftonline.com/tenant/v2.0",
expected: azureProvider,
},
{
name: "Azure provider detection - sts.windows.net",
issuerURL: "https://sts.windows.net/tenant",
expected: azureProvider,
},
{
name: "GitHub provider detection",
issuerURL: "https://github.com/login/oauth",
expected: githubProvider,
},
{
name: "Auth0 provider detection",
issuerURL: "https://tenant.auth0.com",
expected: auth0Provider,
},
{
name: "Okta provider detection",
issuerURL: "https://tenant.okta.com",
expected: oktaProvider,
},
{
name: "Okta preview provider detection",
issuerURL: "https://tenant.oktapreview.com",
expected: oktaProvider,
},
{
name: "Keycloak provider detection",
issuerURL: "https://auth.example.com/auth/realms/master",
expected: keycloakProvider,
},
{
name: "AWS Cognito provider detection",
issuerURL: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
expected: cognitoProvider,
},
{
name: "GitLab provider detection",
issuerURL: "https://gitlab.com/oauth",
expected: gitlabProvider,
},
{
name: "Generic provider fallback",
issuerURL: "https://auth.example.com",
expected: genericProvider,
},
{
name: "Invalid URL",
issuerURL: "not-a-url",
expected: nil,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := registry.DetectProvider(tt.issuerURL)
if result != tt.expected {
t.Errorf("Expected %v, got %v", tt.expected, result)
}
})
}
}
// TestProviderRegistry_DetectProvider_Caching tests cache behavior
func TestProviderRegistry_DetectProvider_Caching(t *testing.T) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
registry.RegisterProvider(genericProvider)
issuerURL := "https://auth.example.com"
// First call should detect and cache
result1 := registry.DetectProvider(issuerURL)
if result1 != genericProvider {
t.Errorf("Expected generic provider, got %v", result1)
}
// Verify it's cached
registry.mu.RLock()
cachedResult, found := registry.cache[issuerURL]
registry.mu.RUnlock()
if !found {
t.Error("Expected result to be cached")
}
if cachedResult != genericProvider {
t.Errorf("Expected cached generic provider, got %v", cachedResult)
}
// Second call should return cached result
result2 := registry.DetectProvider(issuerURL)
if result2 != genericProvider {
t.Errorf("Expected cached generic provider, got %v", result2)
}
// Should be same instance (from cache)
if result1 != result2 {
t.Error("Expected same instance from cache")
}
}
// TestProviderRegistry_ClearCache tests cache clearing
func TestProviderRegistry_ClearCache(t *testing.T) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
registry.RegisterProvider(genericProvider)
// Populate cache
registry.DetectProvider("https://auth1.example.com")
registry.DetectProvider("https://auth2.example.com")
// Verify cache has entries
registry.mu.RLock()
cacheSize := len(registry.cache)
registry.mu.RUnlock()
if cacheSize != 2 {
t.Errorf("Expected 2 cache entries, got %d", cacheSize)
}
// Clear cache
registry.ClearCache()
// Verify cache is empty
registry.mu.RLock()
cacheSize = len(registry.cache)
cacheCount := registry.cacheCount
registry.mu.RUnlock()
if cacheSize != 0 {
t.Errorf("Expected 0 cache entries after clear, got %d", cacheSize)
}
if cacheCount != 0 {
t.Errorf("Expected 0 cache count after clear, got %d", cacheCount)
}
}
// TestProviderRegistry_CacheEviction tests cache size limits and eviction
func TestProviderRegistry_CacheEviction(t *testing.T) {
registry := NewProviderRegistry()
registry.maxCacheSize = 2 // Set small cache size for testing
genericProvider := NewGenericProvider()
registry.RegisterProvider(genericProvider)
// Fill cache to capacity
registry.DetectProvider("https://auth1.example.com")
registry.DetectProvider("https://auth2.example.com")
// Verify cache is at capacity
registry.mu.RLock()
cacheSize := len(registry.cache)
registry.mu.RUnlock()
if cacheSize != 2 {
t.Errorf("Expected 2 cache entries, got %d", cacheSize)
}
// Add one more entry (should trigger eviction)
registry.DetectProvider("https://auth3.example.com")
// Cache size should still be at max
registry.mu.RLock()
cacheSize = len(registry.cache)
registry.mu.RUnlock()
if cacheSize != 2 {
t.Errorf("Expected 2 cache entries after eviction, got %d", cacheSize)
}
// Verify the new entry is cached
registry.mu.RLock()
_, found := registry.cache["https://auth3.example.com"]
registry.mu.RUnlock()
if !found {
t.Error("Expected new entry to be cached")
}
}
// TestProviderRegistry_ConcurrentAccess tests thread safety
func TestProviderRegistry_ConcurrentAccess(t *testing.T) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
googleProvider := NewGoogleProvider()
azureProvider := NewAzureProvider()
registry.RegisterProvider(genericProvider)
registry.RegisterProvider(googleProvider)
registry.RegisterProvider(azureProvider)
var wg sync.WaitGroup
goroutines := 10
iterations := 100
// Test concurrent detection
for i := 0; i < goroutines; i++ {
wg.Add(1)
go func(id int) {
defer wg.Done()
for j := 0; j < iterations; j++ {
issuerURL := "https://accounts.google.com"
if id%2 == 0 {
issuerURL = "https://login.microsoftonline.com/tenant"
} else if id%3 == 0 {
issuerURL = "https://auth.example.com"
}
result := registry.DetectProvider(issuerURL)
if result == nil {
t.Errorf("Expected provider for URL %s", issuerURL)
}
}
}(i)
}
// Test concurrent registration
wg.Add(1)
go func() {
defer wg.Done()
for i := 0; i < 10; i++ {
newProvider := NewGenericProvider()
registry.RegisterProvider(newProvider)
}
}()
// Test concurrent cache clearing
wg.Add(1)
go func() {
defer wg.Done()
for i := 0; i < 10; i++ {
registry.ClearCache()
}
}()
wg.Wait()
// Verify final state is consistent
types := registry.GetRegisteredProviders()
if len(types) < 3 { // Should have at least the original 3
t.Errorf("Expected at least 3 provider types, got %d", len(types))
}
}
// TestProviderRegistry_DoubleCheckedLocking tests the double-checked locking pattern
func TestProviderRegistry_DoubleCheckedLocking(t *testing.T) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
registry.RegisterProvider(genericProvider)
var wg sync.WaitGroup
goroutines := 100
issuerURL := "https://auth.example.com"
// Multiple goroutines trying to detect the same provider simultaneously
for i := 0; i < goroutines; i++ {
wg.Add(1)
go func() {
defer wg.Done()
result := registry.DetectProvider(issuerURL)
if result != genericProvider {
t.Errorf("Expected generic provider, got %v", result)
}
}()
}
wg.Wait()
// Verify only one cache entry was created
registry.mu.RLock()
cacheSize := len(registry.cache)
registry.mu.RUnlock()
if cacheSize != 1 {
t.Errorf("Expected 1 cache entry, got %d", cacheSize)
}
}
// Benchmark tests
func BenchmarkProviderRegistry_DetectProvider_Cached(b *testing.B) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
registry.RegisterProvider(genericProvider)
issuerURL := "https://auth.example.com"
// Warm up cache
registry.DetectProvider(issuerURL)
b.ResetTimer()
for i := 0; i < b.N; i++ {
registry.DetectProvider(issuerURL)
}
}
func BenchmarkProviderRegistry_DetectProvider_Uncached(b *testing.B) {
registry := NewProviderRegistry()
genericProvider := NewGenericProvider()
registry.RegisterProvider(genericProvider)
b.ResetTimer()
for i := 0; i < b.N; i++ {
registry.ClearCache() // Clear cache for each iteration
registry.DetectProvider("https://auth.example.com")
}
}
func BenchmarkProviderRegistry_RegisterProvider(b *testing.B) {
registry := NewProviderRegistry()
b.ResetTimer()
for i := 0; i < b.N; i++ {
provider := NewGenericProvider()
registry.RegisterProvider(provider)
}
}
internal/providers/validation_test.go
+563
View File
@@ -0,0 +1,563 @@
package providers
import (
"net/url"
"strings"
"testing"
"time"
)
// TestNewConfigValidator tests the creation of a ConfigValidator
func TestNewConfigValidator(t *testing.T) {
validator := NewConfigValidator()
if validator == nil {
t.Error("expected non-nil validator")
}
}
// TestValidateIssuerURL tests the ValidateIssuerURL function
func TestValidateIssuerURL(t *testing.T) {
tests := []struct {
name string
issuerURL string
wantErr bool
errMsg string
}{
{
name: "valid https URL",
issuerURL: "https://accounts.google.com",
wantErr: false,
},
{
name: "valid http URL",
issuerURL: "http://localhost:8080",
wantErr: false,
},
{
name: "valid URL with path",
issuerURL: "https://login.microsoftonline.com/tenant-id/v2.0",
wantErr: false,
},
{
name: "empty URL",
issuerURL: "",
wantErr: true,
errMsg: "issuer URL cannot be empty",
},
{
name: "URL without scheme",
issuerURL: "accounts.google.com",
wantErr: true,
errMsg: "issuer URL must include scheme",
},
{
name: "URL with invalid scheme",
issuerURL: "ftp://example.com",
wantErr: true,
errMsg: "issuer URL scheme must be http or https",
},
{
name: "URL without host",
issuerURL: "https://",
wantErr: true,
errMsg: "issuer URL must include host",
},
{
name: "malformed URL",
issuerURL: "ht!tp://[invalid",
wantErr: true,
errMsg: "invalid issuer URL format",
},
{
name: "URL with port",
issuerURL: "https://auth.example.com:443/oauth",
wantErr: false,
},
{
name: "URL with query parameters",
issuerURL: "https://auth.example.com?tenant=123",
wantErr: false,
},
}
validator := NewConfigValidator()
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validator.ValidateIssuerURL(tt.issuerURL)
if tt.wantErr {
if err == nil {
t.Error("expected error, got nil")
} else if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("expected error containing %q, got %q", tt.errMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// TestValidateClientID tests the ValidateClientID function
func TestValidateClientID(t *testing.T) {
tests := []struct {
name string
clientID string
wantErr bool
errMsg string
}{
{
name: "valid client ID",
clientID: "my-application-client",
wantErr: false,
},
{
name: "valid UUID client ID",
clientID: "123e4567-e89b-12d3-a456-426614174000",
wantErr: false,
},
{
name: "empty client ID",
clientID: "",
wantErr: true,
errMsg: "client ID cannot be empty",
},
{
name: "too short client ID",
clientID: "ab",
wantErr: true,
errMsg: "client ID appears to be too short",
},
{
name: "minimum length client ID",
clientID: "abc",
wantErr: false,
},
{
name: "client ID with special characters",
clientID: "client-id_123.app",
wantErr: false,
},
{
name: "long client ID",
clientID: strings.Repeat("a", 255),
wantErr: false,
},
}
validator := NewConfigValidator()
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validator.ValidateClientID(tt.clientID)
if tt.wantErr {
if err == nil {
t.Error("expected error, got nil")
} else if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("expected error containing %q, got %q", tt.errMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// TestValidateScopes tests the ValidateScopes function
func TestValidateScopes(t *testing.T) {
tests := []struct {
name string
scopes []string
wantErr bool
errMsg string
}{
{
name: "valid scopes with openid",
scopes: []string{"openid", "email", "profile"},
wantErr: false,
},
{
name: "only openid scope",
scopes: []string{"openid"},
wantErr: false,
},
{
name: "openid with whitespace",
scopes: []string{" openid ", "email"},
wantErr: false,
},
{
name: "empty scopes",
scopes: []string{},
wantErr: true,
errMsg: "at least one scope must be provided",
},
{
name: "nil scopes",
scopes: nil,
wantErr: true,
errMsg: "at least one scope must be provided",
},
{
name: "missing openid scope",
scopes: []string{"email", "profile"},
wantErr: true,
errMsg: "'openid' scope is required",
},
{
name: "duplicate openid scope",
scopes: []string{"openid", "openid", "email"},
wantErr: false,
},
{
name: "custom scopes with openid",
scopes: []string{"openid", "api:read", "api:write"},
wantErr: false,
},
}
validator := NewConfigValidator()
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validator.ValidateScopes(tt.scopes)
if tt.wantErr {
if err == nil {
t.Error("expected error, got nil")
} else if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("expected error containing %q, got %q", tt.errMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// TestValidateRedirectURL tests the ValidateRedirectURL function
func TestValidateRedirectURL(t *testing.T) {
tests := []struct {
name string
redirectURL string
wantErr bool
errMsg string
}{
{
name: "valid https redirect URL",
redirectURL: "https://example.com/callback",
wantErr: false,
},
{
name: "valid http redirect URL",
redirectURL: "http://localhost:3000/auth/callback",
wantErr: false,
},
{
name: "empty redirect URL",
redirectURL: "",
wantErr: true,
errMsg: "redirect URL cannot be empty",
},
{
name: "redirect URL without scheme",
redirectURL: "example.com/callback",
wantErr: true,
errMsg: "redirect URL must include scheme",
},
{
name: "malformed redirect URL",
redirectURL: "ht!tp://[invalid",
wantErr: true,
errMsg: "invalid redirect URL format",
},
{
name: "redirect URL with query parameters",
redirectURL: "https://example.com/callback?state=abc",
wantErr: false,
},
{
name: "redirect URL with fragment",
redirectURL: "https://example.com/callback#section",
wantErr: false,
},
}
validator := NewConfigValidator()
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validator.ValidateRedirectURL(tt.redirectURL)
if tt.wantErr {
if err == nil {
t.Error("expected error, got nil")
} else if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("expected error containing %q, got %q", tt.errMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// TestValidateProviderSpecificConfig tests provider-specific configuration validation
func TestValidateProviderSpecificConfig(t *testing.T) {
tests := []struct {
name string
provider OIDCProvider
config map[string]interface{}
wantErr bool
errMsg string
}{
{
name: "valid Google config",
provider: NewGoogleProvider(),
config: map[string]interface{}{
"issuer_url": "https://accounts.google.com",
},
wantErr: false,
},
{
name: "invalid Google config - wrong issuer",
provider: NewGoogleProvider(),
config: map[string]interface{}{
"issuer_url": "https://example.com",
},
wantErr: true,
errMsg: "google provider requires issuer URL to contain accounts.google.com",
},
{
name: "valid Azure config with tenant ID",
provider: NewAzureProvider(),
config: map[string]interface{}{
"issuer_url": "https://login.microsoftonline.com/12345678-1234-1234-1234-123456789012/v2.0",
},
wantErr: false,
},
{
name: "invalid Azure config - wrong domain",
provider: NewAzureProvider(),
config: map[string]interface{}{
"issuer_url": "https://example.com/tenant",
},
wantErr: true,
errMsg: "azure provider requires issuer URL to contain login.microsoftonline.com",
},
{
name: "Azure config with sts.windows.net",
provider: NewAzureProvider(),
config: map[string]interface{}{
"issuer_url": "https://sts.windows.net/12345678-1234-1234-1234-123456789012",
},
wantErr: false,
},
{
name: "Azure config without tenant ID",
provider: NewAzureProvider(),
config: map[string]interface{}{
"issuer_url": "https://login.microsoftonline.com/common",
},
wantErr: true,
errMsg: "azure issuer URL should include tenant ID",
},
{
name: "valid generic provider config",
provider: NewGenericProvider(),
config: map[string]interface{}{
"issuer_url": "https://auth.example.com",
},
wantErr: false,
},
{
name: "empty config for generic provider",
provider: NewGenericProvider(),
config: map[string]interface{}{},
wantErr: false,
},
}
validator := NewConfigValidator()
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validator.ValidateProviderSpecificConfig(tt.provider, tt.config)
if tt.wantErr {
if err == nil {
t.Error("expected error, got nil")
} else if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("expected error containing %q, got %q", tt.errMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// TestValidateProviderSpecificConfig_UnknownProvider tests handling of unknown provider types
func TestValidateProviderSpecificConfig_UnknownProvider(t *testing.T) {
validator := NewConfigValidator()
// Create a mock provider with invalid type
mockProvider := &mockUnknownProvider{}
err := validator.ValidateProviderSpecificConfig(mockProvider, map[string]interface{}{})
if err == nil {
t.Error("expected error for unknown provider type")
}
if !strings.Contains(err.Error(), "unknown provider type") {
t.Errorf("expected 'unknown provider type' error, got: %v", err)
}
}
// mockUnknownProvider is a test provider with an invalid type
type mockUnknownProvider struct{}
func (m *mockUnknownProvider) GetType() ProviderType {
return ProviderType(999) // Invalid type
}
func (m *mockUnknownProvider) GetCapabilities() ProviderCapabilities {
return ProviderCapabilities{}
}
func (m *mockUnknownProvider) ValidateTokens(session Session, verifier TokenVerifier, tokenCache TokenCache, refreshGracePeriod time.Duration) (*ValidationResult, error) {
return &ValidationResult{}, nil
}
func (m *mockUnknownProvider) BuildAuthParams(baseParams url.Values, scopes []string) (*AuthParams, error) {
return &AuthParams{}, nil
}
func (m *mockUnknownProvider) HandleTokenRefresh(tokenData *TokenResult) error {
return nil
}
func (m *mockUnknownProvider) ValidateConfig() error {
return nil
}
// TestValidateGoogleConfig_EdgeCases tests edge cases for Google config validation
func TestValidateGoogleConfig_EdgeCases(t *testing.T) {
validator := NewConfigValidator()
googleProvider := NewGoogleProvider()
tests := []struct {
name string
config map[string]interface{}
wantErr bool
}{
{
name: "config without issuer_url",
config: map[string]interface{}{},
wantErr: false, // Should pass as issuer_url is not present
},
{
name: "config with non-string issuer_url",
config: map[string]interface{}{
"issuer_url": 123,
},
wantErr: false, // Should pass as type assertion fails
},
{
name: "config with accounts.google.com in path",
config: map[string]interface{}{
"issuer_url": "https://example.com/accounts.google.com",
},
wantErr: false, // Should pass as it contains the required string
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validator.ValidateProviderSpecificConfig(googleProvider, tt.config)
if tt.wantErr && err == nil {
t.Error("expected error, got nil")
} else if !tt.wantErr && err != nil {
t.Errorf("unexpected error: %v", err)
}
})
}
}
// TestValidateAzureConfig_EdgeCases tests edge cases for Azure config validation
func TestValidateAzureConfig_EdgeCases(t *testing.T) {
validator := NewConfigValidator()
azureProvider := NewAzureProvider()
tests := []struct {
name string
config map[string]interface{}
wantErr bool
errMsg string
}{
{
name: "valid tenant ID format",
config: map[string]interface{}{
"issuer_url": "https://login.microsoftonline.com/a1b2c3d4-e5f6-7890-abcd-ef1234567890/v2.0",
},
wantErr: false,
},
{
name: "tenant ID in different position",
config: map[string]interface{}{
"issuer_url": "https://login.microsoftonline.com/v2.0/a1b2c3d4-e5f6-7890-abcd-ef1234567890/oauth",
},
wantErr: false,
},
{
name: "malformed URL for parsing",
config: map[string]interface{}{
"issuer_url": "https://login.microsoftonline.com/[invalid",
},
wantErr: true,
errMsg: "azure issuer URL should include tenant ID",
},
{
name: "config without issuer_url",
config: map[string]interface{}{},
wantErr: false,
},
{
name: "config with non-string issuer_url",
config: map[string]interface{}{
"issuer_url": []string{"https://login.microsoftonline.com"},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validator.ValidateProviderSpecificConfig(azureProvider, tt.config)
if tt.wantErr {
if err == nil {
t.Error("expected error, got nil")
} else if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
t.Errorf("expected error containing %q, got %q", tt.errMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
internal/providers/warnings.go
+151
View File
@@ -0,0 +1,151 @@
package providers
import (
"fmt"
"strings"
)
// ProviderWarning represents a warning about provider limitations or requirements.
type ProviderWarning struct {
ProviderType ProviderType
Level string // "info", "warning", "error"
Message string
}
// GetProviderWarnings returns warnings about provider-specific limitations.
func GetProviderWarnings(providerType ProviderType) []ProviderWarning {
var warnings []ProviderWarning
switch providerType {
case ProviderTypeGitHub:
warnings = append(warnings, ProviderWarning{
ProviderType: ProviderTypeGitHub,
Level: "warning",
Message: "GitHub uses OAuth 2.0, not OpenID Connect. ID tokens are not available. Use access tokens for API calls only.",
})
warnings = append(warnings, ProviderWarning{
ProviderType: ProviderTypeGitHub,
Level: "info",
Message: "GitHub OAuth apps do not support refresh tokens. Users will need to re-authenticate when tokens expire.",
})
case ProviderTypeAuth0:
warnings = append(warnings, ProviderWarning{
ProviderType: ProviderTypeAuth0,
Level: "info",
Message: "Auth0 requires 'offline_access' scope for refresh tokens. This will be automatically added.",
})
case ProviderTypeOkta:
warnings = append(warnings, ProviderWarning{
ProviderType: ProviderTypeOkta,
Level: "info",
Message: "Okta requires proper application configuration in your Okta admin console for OIDC to work.",
})
case ProviderTypeKeycloak:
warnings = append(warnings, ProviderWarning{
ProviderType: ProviderTypeKeycloak,
Level: "info",
Message: "Keycloak detection is based on URL path '/auth/realms/'. Ensure your issuer URL follows this pattern.",
})
case ProviderTypeAWSCognito:
warnings = append(warnings, ProviderWarning{
ProviderType: ProviderTypeAWSCognito,
Level: "info",
Message: "AWS Cognito uses regional endpoints. Ensure your issuer URL includes the correct region (e.g., cognito-idp.us-east-1.amazonaws.com).",
})
case ProviderTypeGitLab:
warnings = append(warnings, ProviderWarning{
ProviderType: ProviderTypeGitLab,
Level: "info",
Message: "GitLab supports OIDC but requires application registration in GitLab admin settings.",
})
}
return warnings
}
// ValidateProviderCompatibility checks if a provider is suitable for OIDC authentication.
func ValidateProviderCompatibility(providerType ProviderType, requiresOIDC bool) error {
switch providerType {
case ProviderTypeGitHub:
if requiresOIDC {
return fmt.Errorf("GitHub does not support OpenID Connect. It only supports OAuth 2.0. Consider using a different provider for OIDC authentication")
}
return nil
default:
return nil
}
}
// GetProviderRecommendations returns setup recommendations for each provider.
func GetProviderRecommendations(providerType ProviderType) []string {
switch providerType {
case ProviderTypeGitHub:
return []string{
"Register an OAuth App in GitHub Settings > Developer settings > OAuth Apps",
"Use scopes: 'user:email', 'read:user' for basic profile access",
"GitHub tokens expire, plan for re-authentication flow",
}
case ProviderTypeAuth0:
return []string{
"Create an Application in Auth0 Dashboard",
"Set Application Type to 'Regular Web Application'",
"Configure Allowed Callback URLs with your redirect URI",
"Enable 'offline_access' scope for refresh tokens",
}
case ProviderTypeOkta:
return []string{
"Create an App Integration in Okta Admin Console",
"Choose 'OIDC - OpenID Connect' as sign-in method",
"Select 'Web Application' as application type",
"Configure redirect URIs and assign users/groups",
}
case ProviderTypeKeycloak:
return []string{
"Create a Client in your Keycloak realm",
"Set Client Protocol to 'openid-connect'",
"Configure Valid Redirect URIs",
"Ensure issuer URL format: https://your-keycloak/auth/realms/your-realm",
}
case ProviderTypeAWSCognito:
return []string{
"Create a User Pool in AWS Cognito",
"Create an App Client with 'Authorization code grant' enabled",
"Configure App Client settings and callback URLs",
"Use issuer URL format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}",
}
case ProviderTypeGitLab:
return []string{
"Create an Application in GitLab (Admin Area > Applications)",
"Select 'openid', 'profile', 'email' scopes",
"Configure Redirect URI",
"Use issuer URL: https://gitlab.com (for GitLab.com)",
}
default:
return []string{}
}
}
// FormatProviderWarnings formats warnings for display.
func FormatProviderWarnings(warnings []ProviderWarning) string {
if len(warnings) == 0 {
return ""
}
var result strings.Builder
for _, warning := range warnings {
result.WriteString(fmt.Sprintf("[%s] %s\n", strings.ToUpper(warning.Level), warning.Message))
}
return result.String()
}
internal/providers/warnings_test.go
+195
View File
@@ -0,0 +1,195 @@
package providers
import (
"strings"
"testing"
)
// TestGetProviderWarnings tests that warnings are provided for providers with limitations
func TestGetProviderWarnings(t *testing.T) {
tests := []struct {
name string
providerType ProviderType
expectCount int
checkContent string
}{
{
name: "GitHub has OAuth 2.0 warning",
providerType: ProviderTypeGitHub,
expectCount: 2,
checkContent: "OAuth 2.0",
},
{
name: "Auth0 has offline_access info",
providerType: ProviderTypeAuth0,
expectCount: 1,
checkContent: "offline_access",
},
{
name: "Okta has configuration info",
providerType: ProviderTypeOkta,
expectCount: 1,
checkContent: "admin console",
},
{
name: "AWS Cognito has regional endpoint info",
providerType: ProviderTypeAWSCognito,
expectCount: 1,
checkContent: "regional endpoints",
},
{
name: "Generic provider has no warnings",
providerType: ProviderTypeGeneric,
expectCount: 0,
checkContent: "",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
warnings := GetProviderWarnings(tt.providerType)
if len(warnings) != tt.expectCount {
t.Errorf("Expected %d warnings, got %d", tt.expectCount, len(warnings))
}
if tt.checkContent != "" {
found := false
for _, warning := range warnings {
if strings.Contains(strings.ToLower(warning.Message), strings.ToLower(tt.checkContent)) {
found = true
break
}
}
if !found {
t.Errorf("Expected warning content '%s' not found", tt.checkContent)
}
}
})
}
}
// TestValidateProviderCompatibility tests OIDC compatibility validation
func TestValidateProviderCompatibility(t *testing.T) {
tests := []struct {
name string
providerType ProviderType
requiresOIDC bool
expectError bool
}{
{
name: "GitHub with OIDC requirement should error",
providerType: ProviderTypeGitHub,
requiresOIDC: true,
expectError: true,
},
{
name: "GitHub without OIDC requirement should pass",
providerType: ProviderTypeGitHub,
requiresOIDC: false,
expectError: false,
},
{
name: "Auth0 with OIDC requirement should pass",
providerType: ProviderTypeAuth0,
requiresOIDC: true,
expectError: false,
},
{
name: "Google with OIDC requirement should pass",
providerType: ProviderTypeGoogle,
requiresOIDC: true,
expectError: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidateProviderCompatibility(tt.providerType, tt.requiresOIDC)
if tt.expectError && err == nil {
t.Error("Expected error but got none")
}
if !tt.expectError && err != nil {
t.Errorf("Unexpected error: %v", err)
}
})
}
}
// TestGetProviderRecommendations tests that recommendations are provided
func TestGetProviderRecommendations(t *testing.T) {
tests := []struct {
name string
providerType ProviderType
expectMin int
}{
{
name: "GitHub recommendations",
providerType: ProviderTypeGitHub,
expectMin: 3,
},
{
name: "Auth0 recommendations",
providerType: ProviderTypeAuth0,
expectMin: 3,
},
{
name: "AWS Cognito recommendations",
providerType: ProviderTypeAWSCognito,
expectMin: 3,
},
{
name: "Generic provider no recommendations",
providerType: ProviderTypeGeneric,
expectMin: 0,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
recommendations := GetProviderRecommendations(tt.providerType)
if len(recommendations) < tt.expectMin {
t.Errorf("Expected at least %d recommendations, got %d", tt.expectMin, len(recommendations))
}
})
}
}
// TestFormatProviderWarnings tests warning formatting
func TestFormatProviderWarnings(t *testing.T) {
warnings := []ProviderWarning{
{
ProviderType: ProviderTypeGitHub,
Level: "warning",
Message: "Test warning message",
},
{
ProviderType: ProviderTypeGitHub,
Level: "info",
Message: "Test info message",
},
}
formatted := FormatProviderWarnings(warnings)
if !strings.Contains(formatted, "[WARNING]") {
t.Error("Expected formatted output to contain [WARNING]")
}
if !strings.Contains(formatted, "[INFO]") {
t.Error("Expected formatted output to contain [INFO]")
}
if !strings.Contains(formatted, "Test warning message") {
t.Error("Expected formatted output to contain warning message")
}
// Test empty warnings
emptyFormatted := FormatProviderWarnings([]ProviderWarning{})
if emptyFormatted != "" {
t.Error("Expected empty string for no warnings")
}
}
internal/security/headers.go
+403
View File
@@ -0,0 +1,403 @@
// Package security provides security-related middleware and utilities
package security
import (
"net/http"
"strings"
"time"
)
// SecurityHeadersConfig configures security headers
type SecurityHeadersConfig struct {
// Content Security Policy
ContentSecurityPolicy string
// HSTS settings
StrictTransportSecurity string
StrictTransportSecurityMaxAge int // seconds
StrictTransportSecuritySubdomains bool
StrictTransportSecurityPreload bool
// Frame options
FrameOptions string // DENY, SAMEORIGIN, or ALLOW-FROM uri
// Content type options
ContentTypeOptions string // nosniff
// XSS protection
XSSProtection string // 1; mode=block
// Referrer policy
ReferrerPolicy string
// Permissions policy
PermissionsPolicy string
// Cross-origin settings
CrossOriginEmbedderPolicy string
CrossOriginOpenerPolicy string
CrossOriginResourcePolicy string
// CORS settings
CORSEnabled bool
CORSAllowedOrigins []string
CORSAllowedMethods []string
CORSAllowedHeaders []string
CORSAllowCredentials bool
CORSMaxAge int // seconds
// Custom headers
CustomHeaders map[string]string
// Security features
DisableServerHeader bool
DisablePoweredByHeader bool
// Development mode (less strict for local development)
DevelopmentMode bool
}
// DefaultSecurityConfig returns a secure default configuration
func DefaultSecurityConfig() *SecurityHeadersConfig {
return &SecurityHeadersConfig{
ContentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none';",
StrictTransportSecurityMaxAge: 31536000, // 1 year
StrictTransportSecuritySubdomains: true,
StrictTransportSecurityPreload: true,
FrameOptions: "DENY",
ContentTypeOptions: "nosniff",
XSSProtection: "1; mode=block",
ReferrerPolicy: "strict-origin-when-cross-origin",
PermissionsPolicy: "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), speaker=()",
CrossOriginEmbedderPolicy: "require-corp",
CrossOriginOpenerPolicy: "same-origin",
CrossOriginResourcePolicy: "same-origin",
CORSEnabled: false,
CORSAllowedMethods: []string{"GET", "POST", "OPTIONS"},
CORSAllowedHeaders: []string{"Authorization", "Content-Type", "X-Requested-With"},
CORSMaxAge: 86400, // 24 hours
DisableServerHeader: true,
DisablePoweredByHeader: true,
DevelopmentMode: false,
}
}
// DevelopmentSecurityConfig returns a configuration suitable for development
func DevelopmentSecurityConfig() *SecurityHeadersConfig {
config := DefaultSecurityConfig()
// Relax CSP for development
config.ContentSecurityPolicy = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https: http:; connect-src 'self' ws: wss:;"
// Allow framing for development tools
config.FrameOptions = "SAMEORIGIN"
// Enable CORS for local development
config.CORSEnabled = true
config.CORSAllowedOrigins = []string{"http://localhost:*", "http://127.0.0.1:*"}
config.CORSAllowCredentials = true
// Relax cross-origin policies
config.CrossOriginEmbedderPolicy = ""
config.CrossOriginOpenerPolicy = "unsafe-none"
config.CrossOriginResourcePolicy = "cross-origin"
config.DevelopmentMode = true
return config
}
// SecurityHeadersMiddleware applies security headers to HTTP responses
type SecurityHeadersMiddleware struct {
config *SecurityHeadersConfig
}
// NewSecurityHeadersMiddleware creates a new security headers middleware
func NewSecurityHeadersMiddleware(config *SecurityHeadersConfig) *SecurityHeadersMiddleware {
if config == nil {
config = DefaultSecurityConfig()
}
return &SecurityHeadersMiddleware{
config: config,
}
}
// Apply applies security headers to the response
func (m *SecurityHeadersMiddleware) Apply(rw http.ResponseWriter, req *http.Request) {
headers := rw.Header()
// Content Security Policy
if m.config.ContentSecurityPolicy != "" {
headers.Set("Content-Security-Policy", m.config.ContentSecurityPolicy)
}
// HSTS (only for HTTPS)
if req.TLS != nil || req.Header.Get("X-Forwarded-Proto") == "https" {
hstsValue := m.buildHSTSHeader()
if hstsValue != "" {
headers.Set("Strict-Transport-Security", hstsValue)
}
}
// Frame options
if m.config.FrameOptions != "" {
headers.Set("X-Frame-Options", m.config.FrameOptions)
}
// Content type options
if m.config.ContentTypeOptions != "" {
headers.Set("X-Content-Type-Options", m.config.ContentTypeOptions)
}
// XSS protection
if m.config.XSSProtection != "" {
headers.Set("X-XSS-Protection", m.config.XSSProtection)
}
// Referrer policy
if m.config.ReferrerPolicy != "" {
headers.Set("Referrer-Policy", m.config.ReferrerPolicy)
}
// Permissions policy
if m.config.PermissionsPolicy != "" {
headers.Set("Permissions-Policy", m.config.PermissionsPolicy)
}
// Cross-origin policies
if m.config.CrossOriginEmbedderPolicy != "" {
headers.Set("Cross-Origin-Embedder-Policy", m.config.CrossOriginEmbedderPolicy)
}
if m.config.CrossOriginOpenerPolicy != "" {
headers.Set("Cross-Origin-Opener-Policy", m.config.CrossOriginOpenerPolicy)
}
if m.config.CrossOriginResourcePolicy != "" {
headers.Set("Cross-Origin-Resource-Policy", m.config.CrossOriginResourcePolicy)
}
// CORS headers
if m.config.CORSEnabled {
m.applyCORSHeaders(rw, req)
}
// Custom headers
for name, value := range m.config.CustomHeaders {
headers.Set(name, value)
}
// Remove server identification headers
if m.config.DisableServerHeader {
headers.Del("Server")
}
if m.config.DisablePoweredByHeader {
headers.Del("X-Powered-By")
}
// Add security timestamp for debugging
if m.config.DevelopmentMode {
headers.Set("X-Security-Headers-Applied", time.Now().UTC().Format(time.RFC3339))
}
}
// buildHSTSHeader constructs the HSTS header value
func (m *SecurityHeadersMiddleware) buildHSTSHeader() string {
if m.config.StrictTransportSecurityMaxAge <= 0 {
return ""
}
parts := []string{
"max-age=" + string(rune(m.config.StrictTransportSecurityMaxAge)),
}
if m.config.StrictTransportSecuritySubdomains {
parts = append(parts, "includeSubDomains")
}
if m.config.StrictTransportSecurityPreload {
parts = append(parts, "preload")
}
return strings.Join(parts, "; ")
}
// applyCORSHeaders applies CORS headers based on the request
func (m *SecurityHeadersMiddleware) applyCORSHeaders(rw http.ResponseWriter, req *http.Request) {
headers := rw.Header()
origin := req.Header.Get("Origin")
// Check if origin is allowed
if origin != "" && m.isOriginAllowed(origin) {
headers.Set("Access-Control-Allow-Origin", origin)
} else if len(m.config.CORSAllowedOrigins) == 1 && m.config.CORSAllowedOrigins[0] == "*" {
headers.Set("Access-Control-Allow-Origin", "*")
}
// Set other CORS headers
if len(m.config.CORSAllowedMethods) > 0 {
headers.Set("Access-Control-Allow-Methods", strings.Join(m.config.CORSAllowedMethods, ", "))
}
if len(m.config.CORSAllowedHeaders) > 0 {
headers.Set("Access-Control-Allow-Headers", strings.Join(m.config.CORSAllowedHeaders, ", "))
}
if m.config.CORSAllowCredentials {
headers.Set("Access-Control-Allow-Credentials", "true")
}
if m.config.CORSMaxAge > 0 {
headers.Set("Access-Control-Max-Age", string(rune(m.config.CORSMaxAge)))
}
// Handle preflight requests
if req.Method == "OPTIONS" {
headers.Set("Access-Control-Allow-Methods", strings.Join(m.config.CORSAllowedMethods, ", "))
headers.Set("Access-Control-Allow-Headers", strings.Join(m.config.CORSAllowedHeaders, ", "))
rw.WriteHeader(http.StatusOK)
}
}
// isOriginAllowed checks if the origin is in the allowed list
func (m *SecurityHeadersMiddleware) isOriginAllowed(origin string) bool {
for _, allowed := range m.config.CORSAllowedOrigins {
if m.matchOrigin(origin, allowed) {
return true
}
}
return false
}
// matchOrigin checks if an origin matches an allowed pattern
func (m *SecurityHeadersMiddleware) matchOrigin(origin, pattern string) bool {
// Exact match
if origin == pattern {
return true
}
// Wildcard subdomain match (e.g., "https://*.example.com")
if strings.Contains(pattern, "*") {
// Simple wildcard matching for subdomains
if strings.HasPrefix(pattern, "https://*.") {
domain := strings.TrimPrefix(pattern, "https://*.")
if strings.HasSuffix(origin, "."+domain) || origin == "https://"+domain {
return true
}
}
if strings.HasPrefix(pattern, "http://*.") {
domain := strings.TrimPrefix(pattern, "http://*.")
if strings.HasSuffix(origin, "."+domain) || origin == "http://"+domain {
return true
}
}
}
// Port wildcard match (e.g., "http://localhost:*")
if strings.HasSuffix(pattern, ":*") {
prefix := strings.TrimSuffix(pattern, ":*")
if strings.HasPrefix(origin, prefix+":") {
return true
}
}
return false
}
// Wrap wraps an HTTP handler with security headers
func (m *SecurityHeadersMiddleware) Wrap(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
m.Apply(rw, req)
next.ServeHTTP(rw, req)
})
}
// SecurityHeadersHandler is a convenience function that creates and applies security headers
func SecurityHeadersHandler(config *SecurityHeadersConfig) func(http.ResponseWriter, *http.Request) {
middleware := NewSecurityHeadersMiddleware(config)
return middleware.Apply
}
// Common security header presets
// StrictSecurityConfig returns a very strict security configuration
func StrictSecurityConfig() *SecurityHeadersConfig {
config := DefaultSecurityConfig()
// Very strict CSP
config.ContentSecurityPolicy = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
// Stricter frame options
config.FrameOptions = "DENY"
// Disable CORS entirely
config.CORSEnabled = false
// Very strict cross-origin policies
config.CrossOriginEmbedderPolicy = "require-corp"
config.CrossOriginOpenerPolicy = "same-origin"
config.CrossOriginResourcePolicy = "same-site"
return config
}
// APISecurityConfig returns a configuration suitable for APIs
func APISecurityConfig() *SecurityHeadersConfig {
config := DefaultSecurityConfig()
// API-friendly CSP
config.ContentSecurityPolicy = "default-src 'none'; frame-ancestors 'none';"
// Enable CORS for APIs
config.CORSEnabled = true
config.CORSAllowedMethods = []string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
config.CORSAllowedHeaders = []string{"Authorization", "Content-Type", "X-Requested-With", "X-API-Key"}
// API-appropriate policies
config.CrossOriginResourcePolicy = "cross-origin"
return config
}
// ValidateConfig validates the security configuration
func (c *SecurityHeadersConfig) Validate() error {
// Validate HSTS max age
if c.StrictTransportSecurityMaxAge < 0 {
c.StrictTransportSecurityMaxAge = 0
}
// Validate CORS max age
if c.CORSMaxAge < 0 {
c.CORSMaxAge = 0
}
// Validate frame options
validFrameOptions := []string{"DENY", "SAMEORIGIN", ""}
isValidFrameOption := false
for _, valid := range validFrameOptions {
if c.FrameOptions == valid || strings.HasPrefix(c.FrameOptions, "ALLOW-FROM ") {
isValidFrameOption = true
break
}
}
if !isValidFrameOption {
c.FrameOptions = "DENY"
}
return nil
}
// ApplyToResponseWriter is a helper function to quickly apply security headers
func ApplySecurityHeaders(rw http.ResponseWriter, req *http.Request, config *SecurityHeadersConfig) {
middleware := NewSecurityHeadersMiddleware(config)
middleware.Apply(rw, req)
}
internal/security/headers_test.go
+350
View File
@@ -0,0 +1,350 @@
package security
import (
"crypto/tls"
"net/http"
"net/http/httptest"
"strings"
"testing"
)
func TestDefaultSecurityConfig(t *testing.T) {
config := DefaultSecurityConfig()
if config.ContentSecurityPolicy == "" {
t.Error("Expected default CSP to be set")
}
if config.FrameOptions != "DENY" {
t.Errorf("Expected frame options to be DENY, got %s", config.FrameOptions)
}
if !config.DisableServerHeader {
t.Error("Expected server header to be disabled by default")
}
}
func TestSecurityHeadersMiddleware_Apply(t *testing.T) {
config := DefaultSecurityConfig()
middleware := NewSecurityHeadersMiddleware(config)
// Create a mock request (HTTPS)
req := httptest.NewRequest("GET", "https://example.com/test", nil)
req.TLS = &tls.ConnectionState{} // Mock TLS
// Create a response recorder
rr := httptest.NewRecorder()
// Apply security headers
middleware.Apply(rr, req)
headers := rr.Header()
// Check that security headers are set
if headers.Get("Content-Security-Policy") == "" {
t.Error("Expected CSP header to be set")
}
if headers.Get("X-Frame-Options") != "DENY" {
t.Errorf("Expected X-Frame-Options to be DENY, got %s", headers.Get("X-Frame-Options"))
}
if headers.Get("X-Content-Type-Options") != "nosniff" {
t.Errorf("Expected X-Content-Type-Options to be nosniff, got %s", headers.Get("X-Content-Type-Options"))
}
if headers.Get("X-XSS-Protection") != "1; mode=block" {
t.Errorf("Expected X-XSS-Protection to be '1; mode=block', got %s", headers.Get("X-XSS-Protection"))
}
// Check HSTS for HTTPS requests
hsts := headers.Get("Strict-Transport-Security")
if hsts == "" {
t.Error("Expected HSTS header for HTTPS request")
}
if !strings.Contains(hsts, "max-age=") {
t.Error("Expected HSTS header to contain max-age")
}
}
func TestSecurityHeadersMiddleware_HTTPSOnly(t *testing.T) {
config := DefaultSecurityConfig()
middleware := NewSecurityHeadersMiddleware(config)
// Test HTTP request (no HSTS)
req := httptest.NewRequest("GET", "http://example.com/test", nil)
rr := httptest.NewRecorder()
middleware.Apply(rr, req)
if rr.Header().Get("Strict-Transport-Security") != "" {
t.Error("Expected no HSTS header for HTTP request")
}
// Test HTTPS request (with HSTS)
req = httptest.NewRequest("GET", "https://example.com/test", nil)
req.TLS = &tls.ConnectionState{}
rr = httptest.NewRecorder()
middleware.Apply(rr, req)
if rr.Header().Get("Strict-Transport-Security") == "" {
t.Error("Expected HSTS header for HTTPS request")
}
}
func TestCORSHeaders(t *testing.T) {
config := DefaultSecurityConfig()
config.CORSEnabled = true
config.CORSAllowedOrigins = []string{"https://example.com", "https://*.test.com"}
config.CORSAllowCredentials = true
middleware := NewSecurityHeadersMiddleware(config)
tests := []struct {
name string
origin string
expectedOrigin string
}{
{
name: "exact match",
origin: "https://example.com",
expectedOrigin: "https://example.com",
},
{
name: "wildcard subdomain match",
origin: "https://api.test.com",
expectedOrigin: "https://api.test.com",
},
{
name: "no match",
origin: "https://malicious.com",
expectedOrigin: "",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("GET", "https://example.com/test", nil)
if tt.origin != "" {
req.Header.Set("Origin", tt.origin)
}
rr := httptest.NewRecorder()
middleware.Apply(rr, req)
actualOrigin := rr.Header().Get("Access-Control-Allow-Origin")
if actualOrigin != tt.expectedOrigin {
t.Errorf("Expected origin %s, got %s", tt.expectedOrigin, actualOrigin)
}
if tt.expectedOrigin != "" {
// Should have credentials header
if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
t.Error("Expected credentials header for allowed origin")
}
}
})
}
}
func TestCORSPreflight(t *testing.T) {
config := DefaultSecurityConfig()
config.CORSEnabled = true
config.CORSAllowedOrigins = []string{"*"}
config.CORSAllowedMethods = []string{"GET", "POST", "OPTIONS"}
middleware := NewSecurityHeadersMiddleware(config)
req := httptest.NewRequest("OPTIONS", "https://example.com/test", nil)
req.Header.Set("Origin", "https://other.com")
rr := httptest.NewRecorder()
middleware.Apply(rr, req)
if rr.Header().Get("Access-Control-Allow-Origin") != "*" {
t.Error("Expected wildcard origin for preflight request")
}
if rr.Header().Get("Access-Control-Allow-Methods") == "" {
t.Error("Expected methods header for preflight request")
}
if rr.Code != http.StatusOK {
t.Errorf("Expected status 200 for preflight, got %d", rr.Code)
}
}
func TestOriginMatching(t *testing.T) {
config := &SecurityHeadersConfig{
CORSEnabled: true,
CORSAllowedOrigins: []string{
"https://example.com",
"https://*.example.com",
"http://localhost:*",
},
}
middleware := NewSecurityHeadersMiddleware(config)
tests := []struct {
origin string
expected bool
}{
{"https://example.com", true},
{"https://api.example.com", true},
{"https://sub.api.example.com", true},
{"http://localhost:3000", true},
{"http://localhost:8080", true},
{"https://malicious.com", false},
{"http://example.com", false}, // Different scheme
{"https://example.com.evil.com", false}, // Domain suffix attack
}
for _, tt := range tests {
t.Run(tt.origin, func(t *testing.T) {
result := middleware.isOriginAllowed(tt.origin)
if result != tt.expected {
t.Errorf("Origin %s: expected %v, got %v", tt.origin, tt.expected, result)
}
})
}
}
func TestDevelopmentMode(t *testing.T) {
config := DevelopmentSecurityConfig()
if !config.DevelopmentMode {
t.Error("Expected development mode to be enabled")
}
if !config.CORSEnabled {
t.Error("Expected CORS to be enabled in development mode")
}
if config.FrameOptions != "SAMEORIGIN" {
t.Errorf("Expected frame options to be SAMEORIGIN in dev mode, got %s", config.FrameOptions)
}
// Should be less strict CSP
if strings.Contains(config.ContentSecurityPolicy, "'none'") {
t.Error("Expected less strict CSP in development mode")
}
}
func TestStrictSecurityConfig(t *testing.T) {
config := StrictSecurityConfig()
if !strings.Contains(config.ContentSecurityPolicy, "'none'") {
t.Error("Expected very strict CSP with 'none' defaults")
}
if config.CORSEnabled {
t.Error("Expected CORS to be disabled in strict mode")
}
if config.FrameOptions != "DENY" {
t.Error("Expected frame options to be DENY in strict mode")
}
}
func TestAPISecurityConfig(t *testing.T) {
config := APISecurityConfig()
if !config.CORSEnabled {
t.Error("Expected CORS to be enabled for API config")
}
methods := config.CORSAllowedMethods
expectedMethods := []string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
for _, method := range expectedMethods {
found := false
for _, allowed := range methods {
if allowed == method {
found = true
break
}
}
if !found {
t.Errorf("Expected method %s to be allowed in API config", method)
}
}
}
func TestMiddlewareWrap(t *testing.T) {
config := DefaultSecurityConfig()
middleware := NewSecurityHeadersMiddleware(config)
// Create a simple handler
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
w.Write([]byte("OK"))
})
// Wrap with security middleware
wrappedHandler := middleware.Wrap(handler)
req := httptest.NewRequest("GET", "https://example.com/test", nil)
req.TLS = &tls.ConnectionState{}
rr := httptest.NewRecorder()
wrappedHandler.ServeHTTP(rr, req)
// Check response
if rr.Code != http.StatusOK {
t.Errorf("Expected status 200, got %d", rr.Code)
}
if rr.Body.String() != "OK" {
t.Errorf("Expected body 'OK', got %s", rr.Body.String())
}
// Check security headers were applied
if rr.Header().Get("X-Frame-Options") == "" {
t.Error("Expected security headers to be applied by wrapper")
}
}
func TestConfigValidation(t *testing.T) {
config := &SecurityHeadersConfig{
StrictTransportSecurityMaxAge: -1,
CORSMaxAge: -1,
FrameOptions: "INVALID",
}
err := config.Validate()
if err != nil {
t.Errorf("Unexpected validation error: %v", err)
}
// Should fix invalid values
if config.StrictTransportSecurityMaxAge != 0 {
t.Error("Expected negative HSTS max age to be reset to 0")
}
if config.CORSMaxAge != 0 {
t.Error("Expected negative CORS max age to be reset to 0")
}
if config.FrameOptions != "DENY" {
t.Error("Expected invalid frame options to be reset to DENY")
}
}
func BenchmarkSecurityHeadersApply(b *testing.B) {
config := DefaultSecurityConfig()
middleware := NewSecurityHeadersMiddleware(config)
req := httptest.NewRequest("GET", "https://example.com/test", nil)
req.TLS = &tls.ConnectionState{}
b.ResetTimer()
b.RunParallel(func(pb *testing.PB) {
for pb.Next() {
rr := httptest.NewRecorder()
middleware.Apply(rr, req)
}
})
}
internal/testing/mocks.go
+393
View File
@@ -0,0 +1,393 @@
// Package testing provides unified mock implementations for tests
package testing
import (
"fmt"
"net/http"
"sync"
"time"
)
// UnifiedMockLogger provides a standard mock logger for all tests
type UnifiedMockLogger struct {
LoggedMessages []string
mu sync.RWMutex
}
func NewUnifiedMockLogger() *UnifiedMockLogger {
return &UnifiedMockLogger{
LoggedMessages: make([]string, 0),
}
}
func (l *UnifiedMockLogger) Debug(msg string) {
l.mu.Lock()
defer l.mu.Unlock()
l.LoggedMessages = append(l.LoggedMessages, fmt.Sprintf("DEBUG: %s", msg))
}
func (l *UnifiedMockLogger) Debugf(format string, args ...interface{}) {
l.Debug(fmt.Sprintf(format, args...))
}
func (l *UnifiedMockLogger) Info(msg string) {
l.mu.Lock()
defer l.mu.Unlock()
l.LoggedMessages = append(l.LoggedMessages, fmt.Sprintf("INFO: %s", msg))
}
func (l *UnifiedMockLogger) Infof(format string, args ...interface{}) {
l.Info(fmt.Sprintf(format, args...))
}
func (l *UnifiedMockLogger) Error(msg string) {
l.mu.Lock()
defer l.mu.Unlock()
l.LoggedMessages = append(l.LoggedMessages, fmt.Sprintf("ERROR: %s", msg))
}
func (l *UnifiedMockLogger) Errorf(format string, args ...interface{}) {
l.Error(fmt.Sprintf(format, args...))
}
func (l *UnifiedMockLogger) GetMessages() []string {
l.mu.RLock()
defer l.mu.RUnlock()
result := make([]string, len(l.LoggedMessages))
copy(result, l.LoggedMessages)
return result
}
func (l *UnifiedMockLogger) Clear() {
l.mu.Lock()
defer l.mu.Unlock()
l.LoggedMessages = l.LoggedMessages[:0]
}
// UnifiedMockSession provides a standard mock session for all tests
type UnifiedMockSession struct {
authenticated bool
idToken string
accessToken string
refreshToken string
email string
csrf string
nonce string
codeVerifier string
incomingPath string
redirectCount int
mu sync.RWMutex
}
func NewUnifiedMockSession() *UnifiedMockSession {
return &UnifiedMockSession{}
}
func (s *UnifiedMockSession) GetAuthenticated() bool {
s.mu.RLock()
defer s.mu.RUnlock()
return s.authenticated
}
func (s *UnifiedMockSession) SetAuthenticated(auth bool) error {
s.mu.Lock()
defer s.mu.Unlock()
s.authenticated = auth
return nil
}
func (s *UnifiedMockSession) GetIDToken() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.idToken
}
func (s *UnifiedMockSession) SetIDToken(token string) {
s.mu.Lock()
defer s.mu.Unlock()
s.idToken = token
}
func (s *UnifiedMockSession) GetAccessToken() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.accessToken
}
func (s *UnifiedMockSession) SetAccessToken(token string) {
s.mu.Lock()
defer s.mu.Unlock()
s.accessToken = token
}
func (s *UnifiedMockSession) GetRefreshToken() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.refreshToken
}
func (s *UnifiedMockSession) SetRefreshToken(token string) {
s.mu.Lock()
defer s.mu.Unlock()
s.refreshToken = token
}
func (s *UnifiedMockSession) GetEmail() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.email
}
func (s *UnifiedMockSession) SetEmail(email string) {
s.mu.Lock()
defer s.mu.Unlock()
s.email = email
}
func (s *UnifiedMockSession) GetCSRF() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.csrf
}
func (s *UnifiedMockSession) SetCSRF(csrf string) {
s.mu.Lock()
defer s.mu.Unlock()
s.csrf = csrf
}
func (s *UnifiedMockSession) GetNonce() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.nonce
}
func (s *UnifiedMockSession) SetNonce(nonce string) {
s.mu.Lock()
defer s.mu.Unlock()
s.nonce = nonce
}
func (s *UnifiedMockSession) GetCodeVerifier() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.codeVerifier
}
func (s *UnifiedMockSession) SetCodeVerifier(verifier string) {
s.mu.Lock()
defer s.mu.Unlock()
s.codeVerifier = verifier
}
func (s *UnifiedMockSession) GetIncomingPath() string {
s.mu.RLock()
defer s.mu.RUnlock()
return s.incomingPath
}
func (s *UnifiedMockSession) SetIncomingPath(path string) {
s.mu.Lock()
defer s.mu.Unlock()
s.incomingPath = path
}
func (s *UnifiedMockSession) GetRedirectCount() int {
s.mu.RLock()
defer s.mu.RUnlock()
return s.redirectCount
}
func (s *UnifiedMockSession) IncrementRedirectCount() {
s.mu.Lock()
defer s.mu.Unlock()
s.redirectCount++
}
func (s *UnifiedMockSession) ResetRedirectCount() {
s.mu.Lock()
defer s.mu.Unlock()
s.redirectCount = 0
}
func (s *UnifiedMockSession) Save(req *http.Request, rw http.ResponseWriter) error {
return nil
}
func (s *UnifiedMockSession) Clear(req *http.Request, rw http.ResponseWriter) error {
s.mu.Lock()
defer s.mu.Unlock()
s.authenticated = false
s.idToken = ""
s.accessToken = ""
s.refreshToken = ""
s.email = ""
s.csrf = ""
s.nonce = ""
s.codeVerifier = ""
s.incomingPath = ""
s.redirectCount = 0
return nil
}
func (s *UnifiedMockSession) MarkDirty() {}
func (s *UnifiedMockSession) IsDirty() bool {
return false
}
func (s *UnifiedMockSession) ReturnToPoolSafely() {}
// UnifiedMockTokenVerifier provides a standard mock token verifier
type UnifiedMockTokenVerifier struct {
ShouldFail bool
Error error
}
func NewUnifiedMockTokenVerifier() *UnifiedMockTokenVerifier {
return &UnifiedMockTokenVerifier{}
}
func (v *UnifiedMockTokenVerifier) VerifyToken(token string) error {
if v.ShouldFail {
if v.Error != nil {
return v.Error
}
return fmt.Errorf("mock verification failed")
}
return nil
}
// UnifiedMockTokenCache provides a standard mock token cache
type UnifiedMockTokenCache struct {
data map[string]map[string]interface{}
mu sync.RWMutex
}
func NewUnifiedMockTokenCache() *UnifiedMockTokenCache {
return &UnifiedMockTokenCache{
data: make(map[string]map[string]interface{}),
}
}
func (c *UnifiedMockTokenCache) Get(key string) (map[string]interface{}, bool) {
c.mu.RLock()
defer c.mu.RUnlock()
value, exists := c.data[key]
return value, exists
}
func (c *UnifiedMockTokenCache) Set(key string, claims map[string]interface{}, ttl time.Duration) {
c.mu.Lock()
defer c.mu.Unlock()
c.data[key] = claims
}
func (c *UnifiedMockTokenCache) Delete(key string) {
c.mu.Lock()
defer c.mu.Unlock()
delete(c.data, key)
}
func (c *UnifiedMockTokenCache) SetMaxSize(size int) {}
func (c *UnifiedMockTokenCache) Size() int {
c.mu.RLock()
defer c.mu.RUnlock()
return len(c.data)
}
func (c *UnifiedMockTokenCache) Clear() {
c.mu.Lock()
defer c.mu.Unlock()
c.data = make(map[string]map[string]interface{})
}
func (c *UnifiedMockTokenCache) Cleanup() {}
func (c *UnifiedMockTokenCache) Close() {}
func (c *UnifiedMockTokenCache) GetStats() map[string]interface{} {
return map[string]interface{}{
"size": c.Size(),
}
}
// UnifiedMockHTTPClient provides a mock HTTP client for tests
type UnifiedMockHTTPClient struct {
Responses map[string]*http.Response
Errors map[string]error
mu sync.RWMutex
}
func NewUnifiedMockHTTPClient() *UnifiedMockHTTPClient {
return &UnifiedMockHTTPClient{
Responses: make(map[string]*http.Response),
Errors: make(map[string]error),
}
}
func (c *UnifiedMockHTTPClient) Do(req *http.Request) (*http.Response, error) {
c.mu.RLock()
defer c.mu.RUnlock()
url := req.URL.String()
if err, exists := c.Errors[url]; exists {
return nil, err
}
if resp, exists := c.Responses[url]; exists {
return resp, nil
}
// Default response
return &http.Response{
StatusCode: 200,
Body: http.NoBody,
Header: make(http.Header),
}, nil
}
func (c *UnifiedMockHTTPClient) SetResponse(url string, response *http.Response) {
c.mu.Lock()
defer c.mu.Unlock()
c.Responses[url] = response
}
func (c *UnifiedMockHTTPClient) SetError(url string, err error) {
c.mu.Lock()
defer c.mu.Unlock()
c.Errors[url] = err
}
// TestSuite provides a unified test setup and teardown
type TestSuite struct {
Logger *UnifiedMockLogger
Session *UnifiedMockSession
TokenVerifier *UnifiedMockTokenVerifier
TokenCache *UnifiedMockTokenCache
HTTPClient *UnifiedMockHTTPClient
}
func NewTestSuite() *TestSuite {
return &TestSuite{
Logger: NewUnifiedMockLogger(),
Session: NewUnifiedMockSession(),
TokenVerifier: NewUnifiedMockTokenVerifier(),
TokenCache: NewUnifiedMockTokenCache(),
HTTPClient: NewUnifiedMockHTTPClient(),
}
}
func (ts *TestSuite) Setup() {
// Common test setup
ts.Logger.Clear()
ts.Session.Clear(nil, nil)
ts.TokenCache.Clear()
ts.TokenVerifier.ShouldFail = false
ts.TokenVerifier.Error = nil
}
func (ts *TestSuite) Teardown() {
// Common test teardown
ts.TokenCache.Close()
}
internal/token/verifier.go
+139
View File
@@ -0,0 +1,139 @@
// Package token provides token verification and management functionality
package token
import (
"fmt"
"strings"
"time"
traefikoidc "github.com/lukaszraczylo/traefikoidc"
)
// Verifier handles token verification operations
type Verifier struct {
tokenCache TokenCache
tokenBlacklist Cache
jwkCache JWKCache
limiter RateLimiter
logger Logger
}
// Cache interface for token operations
type Cache interface {
Get(key string) (interface{}, bool)
Set(key string, value interface{}, ttl time.Duration)
}
// TokenCache interface for verified token storage
type TokenCache interface {
Get(key string) (map[string]interface{}, bool)
Set(key string, claims map[string]interface{}, ttl time.Duration)
}
// JWKCache interface for key management
type JWKCache interface {
GetJWKS(providerURL string) (*traefikoidc.JWKSet, error)
}
// RateLimiter interface for request limiting
type RateLimiter interface {
Allow() bool
}
// Logger interface for logging
type Logger interface {
Debugf(format string, args ...interface{})
Errorf(format string, args ...interface{})
}
// JWT represents a parsed JWT token
type JWT struct {
Header map[string]interface{}
Claims map[string]interface{}
}
// NewVerifier creates a new token verifier
func NewVerifier(tokenCache TokenCache, tokenBlacklist Cache, jwkCache JWKCache, limiter RateLimiter, logger Logger) *Verifier {
return &Verifier{
tokenCache: tokenCache,
tokenBlacklist: tokenBlacklist,
jwkCache: jwkCache,
limiter: limiter,
logger: logger,
}
}
// VerifyToken verifies the validity of an ID token or access token
func (v *Verifier) VerifyToken(token string, clientID string, jwksURL string, issuerURL string) error {
if token == "" {
return fmt.Errorf("invalid JWT format: token is empty")
}
if strings.Count(token, ".") != 2 {
return fmt.Errorf("invalid JWT format: expected JWT with 3 parts, got %d parts", strings.Count(token, ".")+1)
}
if len(token) < 10 {
return fmt.Errorf("token too short to be valid JWT")
}
// Check blacklist
if v.tokenBlacklist != nil {
if blacklisted, exists := v.tokenBlacklist.Get(token); exists && blacklisted != nil {
return fmt.Errorf("token is blacklisted")
}
}
// Check cache first
if claims, exists := v.tokenCache.Get(token); exists && len(claims) > 0 {
return nil
}
// Rate limiting
if !v.limiter.Allow() {
return fmt.Errorf("rate limit exceeded")
}
// Parse and verify JWT
jwt, err := v.parseJWT(token)
if err != nil {
return fmt.Errorf("failed to parse JWT: %w", err)
}
if err := v.verifyJWTSignatureAndClaims(jwt, token, clientID, jwksURL, issuerURL); err != nil {
return err
}
// Cache successful verification
v.cacheVerifiedToken(token, jwt.Claims)
return nil
}
// parseJWT parses a JWT token into its components
func (v *Verifier) parseJWT(token string) (*JWT, error) {
// This would contain the actual JWT parsing logic
// For now, return a placeholder
return &JWT{
Header: make(map[string]interface{}),
Claims: make(map[string]interface{}),
}, nil
}
// verifyJWTSignatureAndClaims verifies JWT signature and claims
func (v *Verifier) verifyJWTSignatureAndClaims(jwt *JWT, token string, clientID string, jwksURL string, issuerURL string) error {
// This would contain the actual signature verification logic
// For now, return nil (placeholder)
return nil
}
// cacheVerifiedToken stores a successfully verified token
func (v *Verifier) cacheVerifiedToken(token string, claims map[string]interface{}) {
if expClaim, ok := claims["exp"].(float64); ok {
expirationTime := time.Unix(int64(expClaim), 0)
duration := time.Until(expirationTime)
if duration > 0 {
v.tokenCache.Set(token, claims, duration)
}
}
}
internal/token/verifier_test.go
+457
View File
@@ -0,0 +1,457 @@
package token
import (
"strings"
"testing"
"time"
traefikoidc "github.com/lukaszraczylo/traefikoidc"
)
// Mock implementations for testing
type MockTokenCache struct {
data map[string]map[string]interface{}
}
func (m *MockTokenCache) Get(key string) (map[string]interface{}, bool) {
if m.data == nil {
return nil, false
}
value, exists := m.data[key]
return value, exists
}
func (m *MockTokenCache) Set(key string, claims map[string]interface{}, ttl time.Duration) {
if m.data == nil {
m.data = make(map[string]map[string]interface{})
}
m.data[key] = claims
}
type MockCache struct {
data map[string]interface{}
}
func (m *MockCache) Get(key string) (interface{}, bool) {
if m.data == nil {
return nil, false
}
value, exists := m.data[key]
return value, exists
}
func (m *MockCache) Set(key string, value interface{}, ttl time.Duration) {
if m.data == nil {
m.data = make(map[string]interface{})
}
m.data[key] = value
}
type MockJWKCache struct{}
func (m *MockJWKCache) GetJWKS(providerURL string) (*traefikoidc.JWKSet, error) {
return &traefikoidc.JWKSet{
Keys: []traefikoidc.JWK{
{
Kid: "test-key",
Kty: "RSA",
Use: "sig",
Alg: "RS256",
},
},
}, nil
}
type MockRateLimiter struct {
allow bool
}
func (m *MockRateLimiter) Allow() bool {
return m.allow
}
type MockLogger struct {
debugMessages []string
errorMessages []string
}
func (m *MockLogger) Debugf(format string, args ...interface{}) {
m.debugMessages = append(m.debugMessages, format)
}
func (m *MockLogger) Errorf(format string, args ...interface{}) {
m.errorMessages = append(m.errorMessages, format)
}
func TestNewVerifier(t *testing.T) {
tokenCache := &MockTokenCache{}
tokenBlacklist := &MockCache{}
jwkCache := &MockJWKCache{}
limiter := &MockRateLimiter{allow: true}
logger := &MockLogger{}
verifier := NewVerifier(tokenCache, tokenBlacklist, jwkCache, limiter, logger)
if verifier == nil {
t.Fatal("NewVerifier returned nil")
}
if verifier.tokenCache != tokenCache {
t.Error("TokenCache not set correctly")
}
if verifier.tokenBlacklist != tokenBlacklist {
t.Error("TokenBlacklist not set correctly")
}
// Note: Interface comparison would require reflecting on the actual implementation
// For now, we just check that the field was set to something non-nil
if verifier.jwkCache == nil {
t.Error("JWKCache not set correctly")
}
if verifier.limiter != limiter {
t.Error("RateLimiter not set correctly")
}
if verifier.logger != logger {
t.Error("Logger not set correctly")
}
}
func TestVerifierBasicFunctionality(t *testing.T) {
tokenCache := &MockTokenCache{}
tokenBlacklist := &MockCache{}
jwkCache := &MockJWKCache{}
limiter := &MockRateLimiter{allow: true}
logger := &MockLogger{}
verifier := NewVerifier(tokenCache, tokenBlacklist, jwkCache, limiter, logger)
// Test that the verifier was created successfully
if verifier == nil {
t.Fatal("Expected non-nil verifier")
}
}
func TestJWKSStructure(t *testing.T) {
jwks := &traefikoidc.JWKSet{
Keys: []traefikoidc.JWK{
{
Kid: "test-key-1",
Kty: "RSA",
Use: "sig",
Alg: "RS256",
},
{
Kid: "test-key-2",
Kty: "RSA",
Use: "sig",
Alg: "RS256",
},
},
}
if len(jwks.Keys) != 2 {
t.Errorf("Expected 2 keys, got %d", len(jwks.Keys))
}
if jwks.Keys[0].Kid != "test-key-1" {
t.Errorf("Expected Kid 'test-key-1', got '%s'", jwks.Keys[0].Kid)
}
if jwks.Keys[1].Kid != "test-key-2" {
t.Errorf("Expected Kid 'test-key-2', got '%s'", jwks.Keys[1].Kid)
}
}
func TestJWKStructure(t *testing.T) {
jwk := traefikoidc.JWK{
Kid: "test-key",
Kty: "RSA",
Use: "sig",
Alg: "RS256",
N: "test-modulus",
E: "test-exponent",
}
if jwk.Kid != "test-key" {
t.Errorf("Expected Kid 'test-key', got '%s'", jwk.Kid)
}
if jwk.Kty != "RSA" {
t.Errorf("Expected Kty 'RSA', got '%s'", jwk.Kty)
}
if jwk.Use != "sig" {
t.Errorf("Expected Use 'sig', got '%s'", jwk.Use)
}
if jwk.Alg != "RS256" {
t.Errorf("Expected Alg 'RS256', got '%s'", jwk.Alg)
}
}
func TestVerifyToken(t *testing.T) {
tests := []struct {
name string
token string
clientID string
jwksURL string
issuerURL string
rateLimitAllow bool
cacheData map[string]map[string]interface{}
blacklistData map[string]interface{}
expectedError string
}{
{
name: "Empty token",
token: "",
clientID: "test-client",
jwksURL: "https://example.com/jwks",
issuerURL: "https://example.com",
rateLimitAllow: true,
expectedError: "invalid JWT format: token is empty",
},
{
name: "Invalid JWT format - too few parts",
token: "header.payload",
clientID: "test-client",
jwksURL: "https://example.com/jwks",
issuerURL: "https://example.com",
rateLimitAllow: true,
expectedError: "invalid JWT format: expected JWT with 3 parts, got 2 parts",
},
{
name: "Invalid JWT format - too many parts",
token: "header.payload.signature.extra",
clientID: "test-client",
jwksURL: "https://example.com/jwks",
issuerURL: "https://example.com",
rateLimitAllow: true,
expectedError: "invalid JWT format: expected JWT with 3 parts, got 4 parts",
},
{
name: "Token too short",
token: "a.b.c",
clientID: "test-client",
jwksURL: "https://example.com/jwks",
issuerURL: "https://example.com",
rateLimitAllow: true,
expectedError: "token too short to be valid JWT",
},
{
name: "Blacklisted token",
token: "valid.format.token",
clientID: "test-client",
jwksURL: "https://example.com/jwks",
issuerURL: "https://example.com",
rateLimitAllow: true,
blacklistData: map[string]interface{}{"valid.format.token": true},
expectedError: "token is blacklisted",
},
{
name: "Cached token - success",
token: "valid.format.token",
clientID: "test-client",
jwksURL: "https://example.com/jwks",
issuerURL: "https://example.com",
rateLimitAllow: true,
cacheData: map[string]map[string]interface{}{"valid.format.token": {"sub": "user123"}},
expectedError: "",
},
{
name: "Rate limit exceeded",
token: "valid.format.token",
clientID: "test-client",
jwksURL: "https://example.com/jwks",
issuerURL: "https://example.com",
rateLimitAllow: false,
expectedError: "rate limit exceeded",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
tokenCache := &MockTokenCache{data: tt.cacheData}
tokenBlacklist := &MockCache{data: tt.blacklistData}
jwkCache := &MockJWKCache{}
limiter := &MockRateLimiter{allow: tt.rateLimitAllow}
logger := &MockLogger{}
verifier := NewVerifier(tokenCache, tokenBlacklist, jwkCache, limiter, logger)
err := verifier.VerifyToken(tt.token, tt.clientID, tt.jwksURL, tt.issuerURL)
if tt.expectedError == "" {
if err != nil {
t.Errorf("Expected no error, got: %v", err)
}
} else {
if err == nil {
t.Errorf("Expected error containing '%s', got nil", tt.expectedError)
} else if !strings.Contains(err.Error(), tt.expectedError) {
t.Errorf("Expected error containing '%s', got: %v", tt.expectedError, err)
}
}
})
}
}
func TestParseJWT(t *testing.T) {
tokenCache := &MockTokenCache{}
tokenBlacklist := &MockCache{}
jwkCache := &MockJWKCache{}
limiter := &MockRateLimiter{allow: true}
logger := &MockLogger{}
verifier := NewVerifier(tokenCache, tokenBlacklist, jwkCache, limiter, logger)
// Test parseJWT with a valid format token
jwt, err := verifier.parseJWT("header.payload.signature")
if err != nil {
t.Errorf("Expected no error parsing JWT, got: %v", err)
}
if jwt == nil {
t.Error("Expected non-nil JWT object")
return
}
if jwt.Header == nil {
t.Error("Expected non-nil Header map")
}
if jwt.Claims == nil {
t.Error("Expected non-nil Claims map")
}
}
func TestVerifyJWTSignatureAndClaims(t *testing.T) {
tokenCache := &MockTokenCache{}
tokenBlacklist := &MockCache{}
jwkCache := &MockJWKCache{}
limiter := &MockRateLimiter{allow: true}
logger := &MockLogger{}
verifier := NewVerifier(tokenCache, tokenBlacklist, jwkCache, limiter, logger)
jwt := &JWT{
Header: map[string]interface{}{"alg": "RS256"},
Claims: map[string]interface{}{"sub": "user123", "exp": float64(time.Now().Add(time.Hour).Unix())},
}
// Test signature verification (currently returns nil - placeholder)
err := verifier.verifyJWTSignatureAndClaims(jwt, "test.token.here", "client-id", "https://example.com/jwks", "https://example.com")
if err != nil {
t.Errorf("Expected no error from placeholder verification, got: %v", err)
}
}
func TestCacheVerifiedToken(t *testing.T) {
tokenCache := &MockTokenCache{}
tokenBlacklist := &MockCache{}
jwkCache := &MockJWKCache{}
limiter := &MockRateLimiter{allow: true}
logger := &MockLogger{}
verifier := NewVerifier(tokenCache, tokenBlacklist, jwkCache, limiter, logger)
tests := []struct {
name string
token string
claims map[string]interface{}
expected bool
}{
{
name: "Valid expiration time",
token: "test-token-1",
claims: map[string]interface{}{"exp": float64(time.Now().Add(time.Hour).Unix())},
expected: true,
},
{
name: "Expired token",
token: "test-token-2",
claims: map[string]interface{}{"exp": float64(time.Now().Add(-time.Hour).Unix())},
expected: false,
},
{
name: "No expiration claim",
token: "test-token-3",
claims: map[string]interface{}{"sub": "user123"},
expected: false,
},
{
name: "Invalid expiration type",
token: "test-token-4",
claims: map[string]interface{}{"exp": "invalid"},
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Clear cache before test
tokenCache.data = make(map[string]map[string]interface{})
verifier.cacheVerifiedToken(tt.token, tt.claims)
_, exists := tokenCache.Get(tt.token)
if exists != tt.expected {
t.Errorf("Expected cache existence: %v, got: %v", tt.expected, exists)
}
})
}
}
func TestMockInterfaces(t *testing.T) {
// Test MockTokenCache
tokenCache := &MockTokenCache{}
claims := map[string]interface{}{"sub": "user123", "exp": 1234567890}
tokenCache.Set("test-token", claims, time.Hour)
retrieved, exists := tokenCache.Get("test-token")
if !exists {
t.Error("Expected token to exist in cache")
}
if retrieved["sub"] != "user123" {
t.Errorf("Expected sub 'user123', got '%v'", retrieved["sub"])
}
// Test MockCache
cache := &MockCache{}
cache.Set("test-key", "test-value", time.Hour)
value, exists := cache.Get("test-key")
if !exists {
t.Error("Expected key to exist in cache")
}
if value != "test-value" {
t.Errorf("Expected 'test-value', got '%v'", value)
}
// Test MockRateLimiter
limiter := &MockRateLimiter{allow: true}
if !limiter.Allow() {
t.Error("Expected rate limiter to allow request")
}
limiter.allow = false
if limiter.Allow() {
t.Error("Expected rate limiter to deny request")
}
// Test MockLogger
logger := &MockLogger{}
logger.Debugf("test debug message")
logger.Errorf("test error message")
if len(logger.debugMessages) != 1 {
t.Errorf("Expected 1 debug message, got %d", len(logger.debugMessages))
}
if len(logger.errorMessages) != 1 {
t.Errorf("Expected 1 error message, got %d", len(logger.errorMessages))
}
}
internal/utils/utils.go
+125
View File
@@ -0,0 +1,125 @@
// Package utils provides common utility functions used across the OIDC middleware
package utils
import (
"os"
"runtime"
"strings"
)
// CreateStringMap creates a map with string keys for efficient lookups
func CreateStringMap(items []string) map[string]struct{} {
result := make(map[string]struct{})
for _, item := range items {
result[item] = struct{}{}
}
return result
}
// CreateCaseInsensitiveStringMap creates a map with lowercase keys for case-insensitive matching
func CreateCaseInsensitiveStringMap(items []string) map[string]struct{} {
result := make(map[string]struct{})
for _, item := range items {
result[strings.ToLower(item)] = struct{}{}
}
return result
}
// DeduplicateScopes removes duplicate scopes from a slice
func DeduplicateScopes(scopes []string) []string {
seen := make(map[string]bool)
result := []string{}
for _, scope := range scopes {
if !seen[scope] {
seen[scope] = true
result = append(result, scope)
}
}
return result
}
// MergeScopes combines default scopes with user-provided scopes, removing duplicates
func MergeScopes(defaultScopes, userScopes []string) []string {
if len(userScopes) == 0 {
return append([]string(nil), defaultScopes...)
}
seen := make(map[string]bool)
var result []string
for _, scope := range defaultScopes {
if !seen[scope] {
seen[scope] = true
result = append(result, scope)
}
}
for _, scope := range userScopes {
if !seen[scope] {
seen[scope] = true
result = append(result, scope)
}
}
return result
}
// IsTestMode detects if the code is running in a test environment
func IsTestMode() bool {
if os.Getenv("SUPPRESS_DIAGNOSTIC_LOGS") == "1" {
return true
}
if strings.Contains(os.Args[0], ".test") ||
strings.Contains(os.Args[0], "go_build_") ||
os.Getenv("GO_TEST") == "1" ||
runtime.Compiler == "yaegi" {
return true
}
for _, arg := range os.Args {
if strings.Contains(arg, "-test") {
return true
}
}
if runtime.Compiler == "gc" {
progName := os.Args[0]
if strings.Contains(progName, "test") ||
strings.HasSuffix(progName, ".test") ||
strings.Contains(progName, "__debug_bin") {
return true
}
}
// Only use runtime stack check as fallback when no explicit test conditions are being controlled
if os.Getenv("DISABLE_RUNTIME_STACK_CHECK") != "1" &&
os.Getenv("SUPPRESS_DIAGNOSTIC_LOGS") == "" &&
os.Getenv("GO_TEST") == "" {
// Check runtime stack for test functions only as last resort
buf := make([]byte, 2048)
n := runtime.Stack(buf, false)
stack := string(buf[:n])
if strings.Contains(stack, "testing.tRunner") ||
strings.Contains(stack, "testing.(*T)") ||
strings.Contains(stack, ".test.") {
return true
}
}
return false
}
// KeysFromMap extracts string keys from a map for logging purposes
func KeysFromMap(m map[string]struct{}) []string {
keys := make([]string, 0, len(m))
for k := range m {
keys = append(keys, k)
}
return keys
}
// BuildFullURL constructs a URL from scheme, host, and path components
func BuildFullURL(scheme, host, path string) string {
return scheme + "://" + host + path
}
internal/utils/utils_test.go
+555
View File
@@ -0,0 +1,555 @@
package utils
import (
"os"
"reflect"
"testing"
)
func TestCreateStringMap(t *testing.T) {
items := []string{"apple", "banana", "cherry"}
result := CreateStringMap(items)
expected := map[string]struct{}{
"apple": {},
"banana": {},
"cherry": {},
}
if !reflect.DeepEqual(result, expected) {
t.Errorf("Expected %v, got %v", expected, result)
}
}
func TestCreateCaseInsensitiveStringMap(t *testing.T) {
items := []string{"Apple", "BANANA", "Cherry"}
result := CreateCaseInsensitiveStringMap(items)
expected := map[string]struct{}{
"apple": {},
"banana": {},
"cherry": {},
}
if !reflect.DeepEqual(result, expected) {
t.Errorf("Expected %v, got %v", expected, result)
}
}
func TestDeduplicateScopes(t *testing.T) {
scopes := []string{"openid", "profile", "email", "openid", "profile"}
result := DeduplicateScopes(scopes)
expected := []string{"openid", "profile", "email"}
if !reflect.DeepEqual(result, expected) {
t.Errorf("Expected %v, got %v", expected, result)
}
}
func TestMergeScopes(t *testing.T) {
defaultScopes := []string{"openid", "profile"}
userScopes := []string{"email", "offline_access"}
result := MergeScopes(defaultScopes, userScopes)
expected := []string{"openid", "profile", "email", "offline_access"}
if !reflect.DeepEqual(result, expected) {
t.Errorf("Expected %v, got %v", expected, result)
}
}
func TestMergeScopesWithDuplicates(t *testing.T) {
defaultScopes := []string{"openid", "profile"}
userScopes := []string{"profile", "email", "openid"}
result := MergeScopes(defaultScopes, userScopes)
expected := []string{"openid", "profile", "email"}
if !reflect.DeepEqual(result, expected) {
t.Errorf("Expected %v, got %v", expected, result)
}
}
func TestMergeScopesEmptyUserScopes(t *testing.T) {
defaultScopes := []string{"openid", "profile"}
userScopes := []string{}
result := MergeScopes(defaultScopes, userScopes)
expected := []string{"openid", "profile"}
if !reflect.DeepEqual(result, expected) {
t.Errorf("Expected %v, got %v", expected, result)
}
}
func TestKeysFromMap(t *testing.T) {
m := map[string]struct{}{
"key1": {},
"key2": {},
"key3": {},
}
result := KeysFromMap(m)
// Since map iteration order is not guaranteed, we need to check length and presence
if len(result) != 3 {
t.Errorf("Expected 3 keys, got %d", len(result))
}
resultMap := make(map[string]bool)
for _, key := range result {
resultMap[key] = true
}
expectedKeys := []string{"key1", "key2", "key3"}
for _, key := range expectedKeys {
if !resultMap[key] {
t.Errorf("Expected key %s not found in result", key)
}
}
}
func TestBuildFullURL(t *testing.T) {
tests := []struct {
scheme string
host string
path string
expected string
}{
{"https", "example.com", "/path", "https://example.com/path"},
{"http", "localhost:8080", "/callback", "http://localhost:8080/callback"},
{"https", "test.example.com", "/auth/callback", "https://test.example.com/auth/callback"},
}
for _, test := range tests {
result := BuildFullURL(test.scheme, test.host, test.path)
if result != test.expected {
t.Errorf("For scheme=%s, host=%s, path=%s: expected %s, got %s",
test.scheme, test.host, test.path, test.expected, result)
}
}
}
func TestIsTestMode(t *testing.T) {
// This test is challenging because IsTestMode() depends on runtime conditions.
// We'll test what we can control via environment variables.
tests := []struct {
name string
setup func()
cleanup func()
expected bool
}{
{
name: "suppress diagnostic logs enabled",
setup: func() {
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", "1")
},
cleanup: func() {
os.Unsetenv("SUPPRESS_DIAGNOSTIC_LOGS")
},
expected: true,
},
{
name: "GO_TEST environment variable set",
setup: func() {
os.Setenv("GO_TEST", "1")
},
cleanup: func() {
os.Unsetenv("GO_TEST")
},
expected: true,
},
{
name: "normal runtime conditions",
setup: func() {
// Disable runtime stack check to test fallback behavior
os.Setenv("DISABLE_RUNTIME_STACK_CHECK", "1")
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", "")
os.Setenv("GO_TEST", "")
},
cleanup: func() {
os.Unsetenv("DISABLE_RUNTIME_STACK_CHECK")
os.Unsetenv("SUPPRESS_DIAGNOSTIC_LOGS")
os.Unsetenv("GO_TEST")
},
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Setup test environment
tt.setup()
defer tt.cleanup()
result := IsTestMode()
// Note: Some test conditions may still return true due to runtime.Stack
// detecting testing context, so we check the expected behavior when possible
if tt.name == "suppress diagnostic logs enabled" || tt.name == "GO_TEST environment variable set" {
if result != tt.expected {
t.Errorf("Expected %v, got %v", tt.expected, result)
}
}
})
}
// Test that IsTestMode() returns true when called from a test context
// (which it should, since we're in a test right now)
result := IsTestMode()
if !result {
t.Log("Note: IsTestMode() returned false in test context, which may be expected depending on runtime conditions")
}
}
func TestIsTestModeEdgeCases(t *testing.T) {
// Test with various environment variable combinations
tests := []struct {
name string
env map[string]string
}{
{
name: "all env vars empty",
env: map[string]string{
"SUPPRESS_DIAGNOSTIC_LOGS": "",
"GO_TEST": "",
"DISABLE_RUNTIME_STACK_CHECK": "",
},
},
{
name: "mixed env vars",
env: map[string]string{
"SUPPRESS_DIAGNOSTIC_LOGS": "0",
"GO_TEST": "true",
"DISABLE_RUNTIME_STACK_CHECK": "1",
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Save original environment
original := make(map[string]string)
for key := range tt.env {
original[key] = os.Getenv(key)
}
// Set test environment
for key, value := range tt.env {
os.Setenv(key, value)
}
// Test IsTestMode (result may vary based on runtime conditions)
result := IsTestMode()
_ = result // We just want to ensure it doesn't panic
// Restore original environment
for key, value := range original {
if value == "" {
os.Unsetenv(key)
} else {
os.Setenv(key, value)
}
}
})
}
}
func TestIsTestModeDetectionMethods(t *testing.T) {
// Test that calling IsTestMode in a test context returns true
// This should cover most of the function branches since we're in a test
result := IsTestMode()
// In a test context, IsTestMode should return true
if !result {
t.Log("IsTestMode returned false in test context - this may be due to environment settings")
}
// Test with explicit environment manipulation to force different paths
originalSuppressDiag := os.Getenv("SUPPRESS_DIAGNOSTIC_LOGS")
originalGoTest := os.Getenv("GO_TEST")
originalDisableStack := os.Getenv("DISABLE_RUNTIME_STACK_CHECK")
defer func() {
// Restore original environment
if originalSuppressDiag == "" {
os.Unsetenv("SUPPRESS_DIAGNOSTIC_LOGS")
} else {
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", originalSuppressDiag)
}
if originalGoTest == "" {
os.Unsetenv("GO_TEST")
} else {
os.Setenv("GO_TEST", originalGoTest)
}
if originalDisableStack == "" {
os.Unsetenv("DISABLE_RUNTIME_STACK_CHECK")
} else {
os.Setenv("DISABLE_RUNTIME_STACK_CHECK", originalDisableStack)
}
}()
// Test various combinations to exercise different code paths
testCases := []struct {
name string
suppressDiag string
goTest string
disableStack string
expectTrue bool
}{
{
name: "suppress_diagnostic_logs_1",
suppressDiag: "1",
goTest: "",
disableStack: "",
expectTrue: true,
},
{
name: "go_test_1",
suppressDiag: "",
goTest: "1",
disableStack: "",
expectTrue: true,
},
{
name: "runtime_detection_allowed",
suppressDiag: "",
goTest: "",
disableStack: "",
expectTrue: true, // Should detect test context from runtime stack
},
{
name: "runtime_detection_disabled",
suppressDiag: "",
goTest: "",
disableStack: "1",
expectTrue: false, // May still be true due to os.Args detection
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", tc.suppressDiag)
os.Setenv("GO_TEST", tc.goTest)
os.Setenv("DISABLE_RUNTIME_STACK_CHECK", tc.disableStack)
result := IsTestMode()
// For environment variable cases, we can assert the expected result
if tc.name == "suppress_diagnostic_logs_1" || tc.name == "go_test_1" {
if result != tc.expectTrue {
t.Errorf("Expected %v, got %v for case %s", tc.expectTrue, result, tc.name)
}
}
// For runtime detection cases, result may vary based on actual runtime conditions
})
}
}
func TestUtilsPackageComplete(t *testing.T) {
// Test edge cases to improve coverage
// Test CreateStringMap with empty slice
emptyResult := CreateStringMap([]string{})
if len(emptyResult) != 0 {
t.Errorf("Expected empty map, got %v", emptyResult)
}
// Test CreateCaseInsensitiveStringMap with empty slice
emptyInsensitiveResult := CreateCaseInsensitiveStringMap([]string{})
if len(emptyInsensitiveResult) != 0 {
t.Errorf("Expected empty map, got %v", emptyInsensitiveResult)
}
// Test DeduplicateScopes with empty slice
emptyScopes := DeduplicateScopes([]string{})
if len(emptyScopes) != 0 {
t.Errorf("Expected empty slice, got %v", emptyScopes)
}
// Test MergeScopes with nil slices
nilResult := MergeScopes(nil, nil)
if len(nilResult) != 0 {
t.Errorf("Expected empty slice, got %v", nilResult)
}
// Test KeysFromMap with empty map
emptyMapKeys := KeysFromMap(map[string]struct{}{})
if len(emptyMapKeys) != 0 {
t.Errorf("Expected empty slice, got %v", emptyMapKeys)
}
// Test BuildFullURL with empty values
emptyURL := BuildFullURL("", "", "")
expected := "://"
if emptyURL != expected {
t.Errorf("Expected '%s', got '%s'", expected, emptyURL)
}
}
func TestIsTestModeOsArgsDetection(t *testing.T) {
// Save original os.Args
originalArgs := os.Args
defer func() { os.Args = originalArgs }()
// Test with different os.Args[0] values that should trigger test mode
testCases := []struct {
name string
args0 string
expected bool
}{
{
name: "Binary with .test suffix",
args0: "/path/to/myapp.test",
expected: true,
},
{
name: "Binary with go_build_ prefix",
args0: "/tmp/go_build_myapp",
expected: true,
},
{
name: "Binary with test in name",
args0: "/path/to/test_binary",
expected: true,
},
{
name: "Binary with __debug_bin",
args0: "/path/to/__debug_bin123",
expected: true,
},
{
name: "Regular binary name",
args0: "/path/to/myapp",
expected: false,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
// Set up environment to avoid interference from other detection methods
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", "")
os.Setenv("GO_TEST", "")
os.Setenv("DISABLE_RUNTIME_STACK_CHECK", "1") // Disable runtime stack check
defer func() {
os.Unsetenv("SUPPRESS_DIAGNOSTIC_LOGS")
os.Unsetenv("GO_TEST")
os.Unsetenv("DISABLE_RUNTIME_STACK_CHECK")
}()
// Set os.Args
os.Args = []string{tc.args0}
result := IsTestMode()
if result != tc.expected {
t.Errorf("For args[0] = '%s': expected %v, got %v", tc.args0, tc.expected, result)
}
})
}
}
func TestIsTestModeArgsFlagDetection(t *testing.T) {
// Save original os.Args
originalArgs := os.Args
defer func() { os.Args = originalArgs }()
testCases := []struct {
name string
args []string
expected bool
}{
{
name: "Args contain -test flag",
args: []string{"/path/to/app", "-test.v", "true"},
expected: true,
},
{
name: "Args contain -test.timeout",
args: []string{"/path/to/app", "-test.timeout", "30s"},
expected: true,
},
{
name: "Args without test flags",
args: []string{"/path/to/app", "-verbose", "-config", "file.conf"},
expected: false,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
// Set up environment to avoid interference
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", "")
os.Setenv("GO_TEST", "")
os.Setenv("DISABLE_RUNTIME_STACK_CHECK", "1")
defer func() {
os.Unsetenv("SUPPRESS_DIAGNOSTIC_LOGS")
os.Unsetenv("GO_TEST")
os.Unsetenv("DISABLE_RUNTIME_STACK_CHECK")
}()
// Ensure args[0] doesn't trigger detection by itself
if len(tc.args) > 0 {
tc.args[0] = "/regular/app/name"
}
os.Args = tc.args
result := IsTestMode()
if result != tc.expected {
t.Errorf("For args = %v: expected %v, got %v", tc.args, tc.expected, result)
}
})
}
}
func TestIsTestModeRuntimeCompiler(t *testing.T) {
// This test verifies that the runtime.Compiler check works
// We can't easily change runtime.Compiler, but we can test the logic path
// Set up environment to isolate this test
originalArgs := os.Args
defer func() { os.Args = originalArgs }()
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", "")
os.Setenv("GO_TEST", "")
os.Setenv("DISABLE_RUNTIME_STACK_CHECK", "1")
defer func() {
os.Unsetenv("SUPPRESS_DIAGNOSTIC_LOGS")
os.Unsetenv("GO_TEST")
os.Unsetenv("DISABLE_RUNTIME_STACK_CHECK")
}()
// Test with args that should trigger test mode when runtime.Compiler == "gc"
os.Args = []string{"some_test_binary", "arg1"}
result := IsTestMode()
// Since runtime.Compiler is "gc" in most cases and os.Args[0] contains "test",
// this should return true
if !result {
t.Log("Note: This test may vary depending on the actual runtime.Compiler value")
}
}
func TestIsTestModeYaegiCompiler(t *testing.T) {
// Test the yaegi compiler detection
// We can't change runtime.Compiler directly, but we can verify the GO_TEST path
originalArgs := os.Args
defer func() { os.Args = originalArgs }()
// Test that GO_TEST=1 triggers test mode regardless of other conditions
os.Setenv("GO_TEST", "1")
os.Setenv("SUPPRESS_DIAGNOSTIC_LOGS", "")
defer func() {
os.Unsetenv("GO_TEST")
os.Unsetenv("SUPPRESS_DIAGNOSTIC_LOGS")
}()
// Use a non-test-like binary name
os.Args = []string{"/regular/binary/name"}
result := IsTestMode()
if !result {
t.Error("Expected true when GO_TEST=1 is set")
}
}