mirror of
https://github.com/lukaszraczylo/traefikoidc.git
synced 2026-06-05 22:44:17 +00:00
lukaszraczylo
1b49e133da
* Fix bug affecting Azure OIDC authentication ( and most likely others ) * Fixes issue #51 * Ensure that appended roles are unique. Update the documentation. * Improvements targetting possible memory usage spikes. * Additional fixes and cleanup * Refactoring code to fix the issues identified by the users. * Modernize run * Fieldalignment * Multiple changes to improve performance and reduce complexity. - Optimise the errors and recovery. - Deduplicate code in metadata cache. - Remove unused performance monitoring code. - Simplify session management and settings handling. * Fix claims issue. * Add ability to overwrite the default scopes in the settings file * Well.. that escalated quickly. Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ). * Bugfix #51: Ensures that user provided scopes overrides work. * fixup! Bugfix #51: Ensures that user provided scopes overrides work. * fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work. * Abstract the provider logic into a separate package. * Additional micro fixes and cleanups. * Simplify all the things. * fixup! Simplify all the things. * fixup! fixup! Simplify all the things. * fixup! fixup! fixup! Simplify all the things. * fixup! fixup! fixup! fixup! Simplify all the things. * ... * Cleanup tests. * fixup! Cleanup tests. * fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! fixup! Cleanup tests. * Issue #53: Fix CSRF token handling in reverse proxy 1. ✅ HTTPS Detection Fixed (session.go:723) - Now uses X-Forwarded-Proto header instead of r.URL.Scheme - Properly detects HTTPS in reverse proxy environments 2. ✅ SameSite Cookie Attribute Fixed - Removed automatic SameSiteStrictMode for HTTPS (would break OAuth) - Keeps SameSiteLaxMode to allow OAuth callbacks from external domains - Only uses Strict for AJAX requests which don't involve OAuth redirects 3. ✅ Cookie Domain Handling Fixed - Now respects X-Forwarded-Host header for cookie domain - Ensures cookies are set for the public domain, not internal proxy domain 4. ✅ EnhanceSessionSecurity Properly Integrated - Function is now actually called during session save - Applies security enhancements without breaking OAuth flow Why Issue #53 Failed Before: 1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back) 2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail 3. Cookie domain might have been wrong (internal vs public domain) Why It Works Now: 1. Cookies are properly marked Secure for HTTPS 2. Uses SameSite=Lax to allow OAuth provider callbacks 3. Cookie domain uses public domain from X-Forwarded-Host 4. CSRF token persists through the entire OAuth flow * Next set of enhancements together with memory usage improvements. * Memory leak fixes and optimisations. * CSRF and Cookie Domain fixes * fixup! CSRF and Cookie Domain fixes * Metadata cache leak fix + profiling * fixup! Metadata cache leak fix + profiling * Memory leaks hunting, part 1337. * Further pursue of perfection. * fixup! Further pursue of perfection. * fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * Clear race conditions * fixup! Clear race conditions * Weekend fun with memory leaks * Splitting code into multiple files with reasonable testing coverage. ``` ok github.com/lukaszraczylo/traefikoidc 117.017s coverage: 72.6% of statements ok github.com/lukaszraczylo/traefikoidc/auth 0.505s coverage: 87.1% of statements ok github.com/lukaszraczylo/traefikoidc/circuit_breaker 0.283s coverage: 99.0% of statements github.com/lukaszraczylo/traefikoidc/config coverage: 0.0% of statements ok github.com/lukaszraczylo/traefikoidc/handlers 0.349s coverage: 98.2% of statements ok github.com/lukaszraczylo/traefikoidc/internal/providers (cached) coverage: 94.3% of statements ok github.com/lukaszraczylo/traefikoidc/middleware 0.808s coverage: 78.0% of statements ok github.com/lukaszraczylo/traefikoidc/recovery 0.653s coverage: 100.0% of statements ok github.com/lukaszraczylo/traefikoidc/session/chunking (cached) coverage: 87.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/core (cached) coverage: 85.6% of statements ok github.com/lukaszraczylo/traefikoidc/session/crypto (cached) coverage: 81.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/storage (cached) coverage: 93.5% of statements ok github.com/lukaszraczylo/traefikoidc/session/validators (cached) coverage: 98.8% of statements ```` * fixup! Splitting code into multiple files with reasonable testing coverage. * fixup! fixup! Splitting code into multiple files with reasonable testing coverage. * Weekend fun with further optimisations. * fixup! Weekend fun with further optimisations. * fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * Pre-release cleanup. * Enhance test coverage. * fixup! Enhance test coverage. * fixup! fixup! Enhance test coverage. * fixup! fixup! fixup! Enhance test coverage.
300 lines
6.3 KiB
Go
300 lines
6.3 KiB
Go
package httpclient
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"sync"
|
|
"sync/atomic"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestFactoryCreateClient(t *testing.T) {
|
|
factory := NewFactory(nil)
|
|
|
|
// Test creating default client
|
|
client, err := factory.CreateDefault()
|
|
if err != nil {
|
|
t.Fatalf("Failed to create default client: %v", err)
|
|
}
|
|
if client == nil {
|
|
t.Fatal("Expected non-nil client")
|
|
}
|
|
|
|
// Test creating token client
|
|
tokenClient, err := factory.CreateToken()
|
|
if err != nil {
|
|
t.Fatalf("Failed to create token client: %v", err)
|
|
}
|
|
if tokenClient == nil {
|
|
t.Fatal("Expected non-nil token client")
|
|
}
|
|
}
|
|
|
|
func TestFactoryCreateClientWithPreset(t *testing.T) {
|
|
factory := NewFactory(nil)
|
|
|
|
testCases := []struct {
|
|
name string
|
|
clientType ClientType
|
|
shouldFail bool
|
|
}{
|
|
{"Default", ClientTypeDefault, false},
|
|
{"Token", ClientTypeToken, false},
|
|
{"API", ClientTypeAPI, false},
|
|
{"Proxy", ClientTypeProxy, false},
|
|
{"Invalid", ClientType("invalid"), true},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
client, err := factory.CreateClientWithPreset(tc.clientType)
|
|
if tc.shouldFail {
|
|
if err == nil {
|
|
t.Fatal("Expected error for invalid client type")
|
|
}
|
|
} else {
|
|
if err != nil {
|
|
t.Fatalf("Failed to create %s client: %v", tc.clientType, err)
|
|
}
|
|
if client == nil {
|
|
t.Fatal("Expected non-nil client")
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestFactoryValidateConfig(t *testing.T) {
|
|
factory := NewFactory(nil)
|
|
|
|
testCases := []struct {
|
|
name string
|
|
config Config
|
|
shouldFail bool
|
|
}{
|
|
{
|
|
name: "Valid config",
|
|
config: PresetConfigs[ClientTypeDefault],
|
|
shouldFail: false,
|
|
},
|
|
{
|
|
name: "Negative MaxIdleConns",
|
|
config: Config{
|
|
MaxIdleConns: -1,
|
|
},
|
|
shouldFail: true,
|
|
},
|
|
{
|
|
name: "Excessive MaxIdleConns",
|
|
config: Config{
|
|
MaxIdleConns: 2000,
|
|
},
|
|
shouldFail: true,
|
|
},
|
|
{
|
|
name: "Negative timeout",
|
|
config: Config{
|
|
Timeout: -1 * time.Second,
|
|
},
|
|
shouldFail: true,
|
|
},
|
|
{
|
|
name: "Excessive timeout",
|
|
config: Config{
|
|
Timeout: 10 * time.Minute,
|
|
},
|
|
shouldFail: true,
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
err := factory.ValidateConfig(&tc.config)
|
|
if tc.shouldFail && err == nil {
|
|
t.Fatal("Expected validation to fail")
|
|
}
|
|
if !tc.shouldFail && err != nil {
|
|
t.Fatalf("Unexpected validation error: %v", err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestTransportPoolConcurrency(t *testing.T) {
|
|
pool := &TransportPool{
|
|
transports: make(map[string]*sharedTransport),
|
|
maxConns: 20,
|
|
clientCount: 0,
|
|
maxClients: 5,
|
|
}
|
|
|
|
config := PresetConfigs[ClientTypeDefault]
|
|
|
|
var wg sync.WaitGroup
|
|
numGoroutines := 10
|
|
|
|
// Test concurrent transport creation
|
|
wg.Add(numGoroutines)
|
|
for i := 0; i < numGoroutines; i++ {
|
|
go func() {
|
|
defer wg.Done()
|
|
transport := pool.GetOrCreateTransport(config)
|
|
if transport != nil {
|
|
// Simulate usage
|
|
time.Sleep(10 * time.Millisecond)
|
|
pool.Release(transport)
|
|
}
|
|
}()
|
|
}
|
|
wg.Wait()
|
|
|
|
// Verify client count is within limits
|
|
clientCount := atomic.LoadInt32(&pool.clientCount)
|
|
if clientCount > pool.maxClients {
|
|
t.Fatalf("Client count %d exceeds max %d", clientCount, pool.maxClients)
|
|
}
|
|
}
|
|
|
|
func TestHTTPClientRequests(t *testing.T) {
|
|
// Create test server
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write([]byte("test response"))
|
|
}))
|
|
defer server.Close()
|
|
|
|
factory := NewFactory(nil)
|
|
client, err := factory.CreateDefault()
|
|
if err != nil {
|
|
t.Fatalf("Failed to create client: %v", err)
|
|
}
|
|
|
|
// Make request
|
|
resp, err := client.Get(server.URL)
|
|
if err != nil {
|
|
t.Fatalf("Request failed: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Fatalf("Expected status 200, got %d", resp.StatusCode)
|
|
}
|
|
}
|
|
|
|
func TestClientWithCookieJar(t *testing.T) {
|
|
config := PresetConfigs[ClientTypeToken]
|
|
if !config.UseCookieJar {
|
|
t.Skip("Token client should have cookie jar enabled")
|
|
}
|
|
|
|
factory := NewFactory(nil)
|
|
client, err := factory.CreateToken()
|
|
if err != nil {
|
|
t.Fatalf("Failed to create token client: %v", err)
|
|
}
|
|
|
|
if client.Jar == nil {
|
|
t.Fatal("Expected cookie jar to be set")
|
|
}
|
|
}
|
|
|
|
func TestTransportPoolCleanup(t *testing.T) {
|
|
pool := &TransportPool{
|
|
transports: make(map[string]*sharedTransport),
|
|
maxConns: 20,
|
|
clientCount: 0,
|
|
maxClients: 5,
|
|
}
|
|
|
|
config := PresetConfigs[ClientTypeDefault]
|
|
|
|
// Create transport
|
|
transport := pool.GetOrCreateTransport(config)
|
|
if transport == nil {
|
|
t.Fatal("Failed to create transport")
|
|
}
|
|
|
|
// Release transport
|
|
pool.Release(transport)
|
|
|
|
// Simulate idle time
|
|
pool.mu.Lock()
|
|
for _, shared := range pool.transports {
|
|
shared.lastUsed = time.Now().Add(-11 * time.Minute)
|
|
atomic.StoreInt32(&shared.refCount, 0)
|
|
}
|
|
pool.mu.Unlock()
|
|
|
|
// Run cleanup
|
|
pool.cleanupIdle()
|
|
|
|
// Verify transport was removed
|
|
pool.mu.RLock()
|
|
count := len(pool.transports)
|
|
pool.mu.RUnlock()
|
|
|
|
if count != 0 {
|
|
t.Fatalf("Expected 0 transports after cleanup, got %d", count)
|
|
}
|
|
}
|
|
|
|
func TestGlobalFactorySingleton(t *testing.T) {
|
|
factory1 := GetGlobalFactory(nil)
|
|
factory2 := GetGlobalFactory(nil)
|
|
|
|
if factory1 != factory2 {
|
|
t.Fatal("Expected singleton factory instances to be the same")
|
|
}
|
|
}
|
|
|
|
func TestCompatibilityFunctions(t *testing.T) {
|
|
// Test CreateDefaultHTTPClient
|
|
defaultClient := CreateDefaultHTTPClient()
|
|
if defaultClient == nil {
|
|
t.Fatal("Expected non-nil default client")
|
|
}
|
|
|
|
// Test CreateTokenHTTPClient
|
|
tokenClient := CreateTokenHTTPClient()
|
|
if tokenClient == nil {
|
|
t.Fatal("Expected non-nil token client")
|
|
}
|
|
|
|
// Test CreateHTTPClientWithConfig
|
|
config := PresetConfigs[ClientTypeAPI]
|
|
apiClient := CreateHTTPClientWithConfig(config)
|
|
if apiClient == nil {
|
|
t.Fatal("Expected non-nil API client")
|
|
}
|
|
}
|
|
|
|
func BenchmarkFactoryCreateClient(b *testing.B) {
|
|
factory := NewFactory(nil)
|
|
|
|
b.ResetTimer()
|
|
b.RunParallel(func(pb *testing.PB) {
|
|
for pb.Next() {
|
|
client, err := factory.CreateDefault()
|
|
if err != nil || client == nil {
|
|
b.Fatal("Failed to create client")
|
|
}
|
|
}
|
|
})
|
|
}
|
|
|
|
func BenchmarkTransportPoolGetOrCreate(b *testing.B) {
|
|
pool := GetGlobalTransportPool()
|
|
config := PresetConfigs[ClientTypeDefault]
|
|
|
|
b.ResetTimer()
|
|
b.RunParallel(func(pb *testing.PB) {
|
|
for pb.Next() {
|
|
transport := pool.GetOrCreateTransport(config)
|
|
if transport != nil {
|
|
pool.Release(transport)
|
|
}
|
|
}
|
|
})
|
|
}
|