authorJaime Martinez <jmartinez@gitlab.com>2021-08-16 10:11:45 +0300
committerJaime Martinez <jmartinez@gitlab.com>2021-08-16 10:13:34 +0300
commitd4f76c30c37307de77041cc72cc5d45036e3ad7a (patch)
tree9f98890473b0ccee0e4bb2360b96e9f9fce0ae52
parentd2cb598421d42936e0e7c35f314e49f7a9526616 (diff)
test: update SSL cases to use stub
-rw-r--r--app.go6
-rw-r--r--internal/httptransport/metered_round_tripper.go5
-rw-r--r--shared/pages/group.auth/private.project.2/public.zipbin0 -> 333 bytes
-rw-r--r--shared/pages/group.auth/subgroup/private.project.1/public.zipbin0 -> 333 bytes
-rw-r--r--shared/pages/group.auth/subgroup/private.project.2/public.zipbin0 -> 333 bytes
-rw-r--r--shared/pages/group.auth/subgroup/private.project/public.zipbin0 -> 333 bytes
-rw-r--r--test/acceptance/auth_test.go105
-rw-r--r--test/acceptance/helpers_test.go49
-rw-r--r--test/acceptance/testdata/api_responses.go16
9 files changed, 62 insertions, 119 deletions
diff --git a/app.go b/app.go
index 058c56a0..324d0ed8 100644
--- a/app.go
+++ b/app.go
@@ -95,12 +95,6 @@ func (a *theApp) redirectToHTTPS(w http.ResponseWriter, r *http.Request, statusC
func (a *theApp) getHostAndDomain(r *http.Request) (string, *domain.Domain, error) {
host := request.GetHostWithoutPort(r)
- // TODO: @jaime REMOVE THIS CHECK AND OPEN AN ISSUE
- if host == a.config.General.Domain || host == "127.0.0.1" {
- // skip resolving the domain with the internal API
- return host, nil, nil
- }
-
domain, err := a.domain(r.Context(), host)
return host, domain, err
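Review bot: With the shortcut removed, `getHostAndDomain` passes every host to `a.domain`, including the configured Pages domain and `127.0.0.1`, and this production change rides in a commit titled as a test update. The removed branch returned a nil domain with a nil error for those two hosts, so any caller that relied on that pair now gets whatever the lookup returns; the callers are not visible here and need checking. Since `host` comes from the request, I would also document the contract, e.g. `// getHostAndDomain resolves the host named in the request through a.domain; no host is special-cased.` The function body continues outside the hunk.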
diff --git a/internal/httptransport/metered_round_tripper.go b/internal/httptransport/metered_round_tripper.go
index 45dfeb7e..8978f824 100644
--- a/internal/httptransport/metered_round_tripper.go
+++ b/internal/httptransport/metered_round_tripper.go
@@ -3,6 +3,7 @@ package httptransport
import (
"context"
"net/http"
+ "net/http/httptrace"
"strconv"
"time"
@@ -44,8 +45,8 @@ func NewMeteredRoundTripper(transport http.RoundTripper, name string, tracerVec,
func (mrt *meteredRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
start := time.Now()
- //ctx := httptrace.WithClientTrace(r.Context(), mrt.newTracer(start))
- ctx, cancel := context.WithCancel(r.Context())
+ ctx := httptrace.WithClientTrace(r.Context(), mrt.newTracer(start))
+ ctx, cancel := context.WithCancel(ctx)
timer := time.AfterFunc(mrt.ttfbTimeout, cancel)
defer timer.Stop()
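Review bot: `cancel` from `context.WithCancel(ctx)` is only handed to `time.AfterFunc`, and `defer timer.Stop()` disarms that timer on return, so on the visible path nothing cancels the derived context once RoundTrip finishes. If that is deliberate (cancelling on return would presumably abort the caller's read of the response body), say so next to the timer, e.g. `// cancel is left to the TTFB timer on purpose; the context must outlive RoundTrip while the body is read`. If it is not deliberate, the context is released only when the parent request context ends. RoundTrip continues past the end of the hunk, so a later cancel call may exist that is not visible here.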
diff --git a/shared/pages/group.auth/private.project.2/public.zip b/shared/pages/group.auth/private.project.2/public.zip
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/private.project.2/public.zip
Binary files differ
diff --git a/shared/pages/group.auth/subgroup/private.project.1/public.zip b/shared/pages/group.auth/subgroup/private.project.1/public.zip
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/subgroup/private.project.1/public.zip
Binary files differ
diff --git a/shared/pages/group.auth/subgroup/private.project.2/public.zip b/shared/pages/group.auth/subgroup/private.project.2/public.zip
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/subgroup/private.project.2/public.zip
Binary files differ
diff --git a/shared/pages/group.auth/subgroup/private.project/public.zip b/shared/pages/group.auth/subgroup/private.project/public.zip
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/subgroup/private.project/public.zip
Binary files differ
diff --git a/test/acceptance/auth_test.go b/test/acceptance/auth_test.go
index fd92a582..152030b0 100644
--- a/test/acceptance/auth_test.go
+++ b/test/acceptance/auth_test.go
@@ -1,14 +1,12 @@
package acceptance_test
import (
- "crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"testing"
- "time"
"github.com/stretchr/testify/require"
)
@@ -285,14 +283,7 @@ func TestCustomErrorPageWithAuth(t *testing.T) {
}
func TestAccessControlUnderCustomDomainWithHTTPSProxy(t *testing.T) {
- skipUnlessEnabled(t, "not-inplace-chroot")
-
- testServer := makeGitLabPagesAccessStub(t)
- testServer.Start()
- defer testServer.Close()
-
- teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), testServer.URL, "https://public-gitlab-auth.com")
- defer teardown()
+ runPagesWithAuth(t, []ListenSpec{proxyListener})
rsp, err := GetProxyRedirectPageWithCookie(t, proxyListener, "private.domain.com", "/", "", true)
require.NoError(t, err)
@@ -353,8 +344,7 @@ func TestAccessControlUnderCustomDomainWithHTTPSProxy(t *testing.T) {
}
func TestAccessControlGroupDomain404RedirectsAuth(t *testing.T) {
- teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), "https://internal-gitlab-auth.com", "https://public-gitlab-auth.com")
- defer teardown()
+ runPagesWithAuth(t, []ListenSpec{httpListener})
rsp, err := GetRedirectPage(t, httpListener, "group.gitlab-example.com", "/nonexistent/")
require.NoError(t, err)
@@ -366,9 +356,9 @@ func TestAccessControlGroupDomain404RedirectsAuth(t *testing.T) {
require.Equal(t, "projects.gitlab-example.com", url.Host)
require.Equal(t, "/auth", url.Path)
}
+
func TestAccessControlProject404DoesNotRedirect(t *testing.T) {
- teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), "https://internal-gitlab-auth.com", "https://public-gitlab-auth.com")
- defer teardown()
+ runPagesWithAuth(t, []ListenSpec{httpListener})
rsp, err := GetRedirectPage(t, httpListener, "group.gitlab-example.com", "/project/nonexistent/")
require.NoError(t, err)
@@ -376,119 +366,79 @@ func TestAccessControlProject404DoesNotRedirect(t *testing.T) {
require.Equal(t, http.StatusNotFound, rsp.StatusCode)
}
-func setupTransport(t *testing.T) {
- transport := (TestHTTPSClient.Transport).(*http.Transport)
- defer func(t time.Duration) {
- transport.ResponseHeaderTimeout = t
- }(transport.ResponseHeaderTimeout)
- transport.ResponseHeaderTimeout = 5 * time.Second
-}
-
-type runPagesFunc func(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string, sslCertFile string, authServer string) func()
+type runPagesFunc func(t *testing.T, listeners []ListenSpec, sslCertFile string)
func testAccessControl(t *testing.T, runPages runPagesFunc) {
- skipUnlessEnabled(t, "not-inplace-chroot")
-
setupTransport(t)
keyFile, certFile := CreateHTTPSFixtureFiles(t)
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
- require.NoError(t, err)
t.Cleanup(func() {
os.Remove(keyFile)
os.Remove(certFile)
})
- testServer := makeGitLabPagesAccessStub(t)
- testServer.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
- testServer.StartTLS()
- defer testServer.Close()
-
- tests := []struct {
+ tests := map[string]struct {
host string
path string
status int
redirectBack bool
- name string
}{
- {
- name: "project with access",
+ "project_with_access": {
host: "group.auth.gitlab-example.com",
path: "/private.project/",
status: http.StatusOK,
redirectBack: false,
},
- {
- name: "project without access",
+ "project_without_access": {
host: "group.auth.gitlab-example.com",
path: "/private.project.1/",
status: http.StatusNotFound, // Do not expose project existed
redirectBack: false,
},
- {
- name: "invalid token test should redirect back",
+ "invalid_token_test_should_redirect_back": {
host: "group.auth.gitlab-example.com",
path: "/private.project.2/",
status: http.StatusFound,
redirectBack: true,
},
- {
- name: "no project should redirect to login and then return 404",
+ "no_project_should_redirect_to_login_and_then_return404": {
host: "group.auth.gitlab-example.com",
path: "/nonexistent/",
status: http.StatusNotFound,
redirectBack: false,
},
- {
- name: "no project should redirect to login and then return 404",
- host: "nonexistent.gitlab-example.com",
- path: "/nonexistent/",
- status: http.StatusNotFound,
- redirectBack: false,
- }, // subgroups
- {
- name: "[subgroup] project with access",
+ // subgroups
+ "subgroup_project_with_access": {
host: "group.auth.gitlab-example.com",
path: "/subgroup/private.project/",
status: http.StatusOK,
redirectBack: false,
},
- {
- name: "[subgroup] project without access",
+ "subgroup_project_without_access": {
host: "group.auth.gitlab-example.com",
path: "/subgroup/private.project.1/",
status: http.StatusNotFound, // Do not expose project existed
redirectBack: false,
},
- {
- name: "[subgroup] invalid token test should redirect back",
+ "subgroup_invalid_token_test_should_redirect_back": {
host: "group.auth.gitlab-example.com",
path: "/subgroup/private.project.2/",
status: http.StatusFound,
redirectBack: true,
},
- {
- name: "[subgroup] no project should redirect to login and then return 404",
+ "subgroup_no_project_should_redirect_to_login_and_then_return404": {
host: "group.auth.gitlab-example.com",
path: "/subgroup/nonexistent/",
status: http.StatusNotFound,
redirectBack: false,
},
- {
- name: "[subgroup] no project should redirect to login and then return 404",
- host: "nonexistent.gitlab-example.com",
- path: "/subgroup/nonexistent/",
- status: http.StatusNotFound,
- redirectBack: false,
- },
}
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- teardown := runPages(t, *pagesBinary, []ListenSpec{httpsListener}, "", certFile, testServer.URL)
- defer teardown()
+ runPages(t, []ListenSpec{httpsListener}, certFile)
+ for tn, tt := range tests {
+ t.Run(tn, func(t *testing.T) {
rsp1, err1 := GetRedirectPage(t, httpsListener, tt.host, tt.path)
require.NoError(t, err1)
defer rsp1.Body.Close()
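Review bot: Nothing visible in this hunk still serves the GitLab API over TLS, because the `tls.LoadX509KeyPair` / `testServer.StartTLS()` setup is removed and `runPages` now receives only the listeners and `certFile`. Unless the shared stub is started with that certificate somewhere outside the diff, the SSL_CERT_FILE and SSL_CERT_DIR variants can pass without Pages ever validating a certificate against the configured trust store; the new `enableSSL` / `enableSSLEnv` fields in `stubOpts` are not set or read anywhere in the visible changes. I would have `testAccessControl` assert that the stub actually completed a TLS handshake, or at least add a comment saying where the stub's certificate comes from. The two `nonexistent.gitlab-example.com` cases are also dropped with no replacement, which removes the unknown-host coverage under access control. The subtest body continues outside the hunk.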
@@ -561,14 +511,7 @@ func TestAccessControlWithSSLCertDir(t *testing.T) {
// Read the issue description if any changes to internal/auth/ break this test.
// Related to https://tools.ietf.org/html/rfc6749#section-10.6.
func TestHijackedCode(t *testing.T) {
- skipUnlessEnabled(t, "not-inplace-chroot")
-
- testServer := makeGitLabPagesAccessStub(t)
- testServer.Start()
- defer testServer.Close()
-
- teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), testServer.URL, "https://public-gitlab-auth.com")
- defer teardown()
+ runPagesWithAuth(t, []ListenSpec{proxyListener})
/****ATTACKER******/
// get valid cookie for a different private project
@@ -644,12 +587,13 @@ func getValidCookieAndState(t *testing.T, domain string) (string, string) {
func runPagesWithAuth(t *testing.T, listeners []ListenSpec) {
t.Helper()
- //testServer := makeGitLabPagesAccessStub(t)
- //testServer.Start()
- //t.Cleanup(testServer.Close)
+ runPagesWithAuthAndEnv(t, listeners, nil)
+}
+
+func runPagesWithAuthAndEnv(t *testing.T, listeners []ListenSpec, env []string) {
+ t.Helper()
configFile := defaultConfigFileWith(t,
- //"internal-gitlab-server="+testServer.URL,
"gitlab-server=https://public-gitlab-auth.com",
"auth-redirect-uri=https://projects.gitlab-example.com/auth",
)
@@ -659,5 +603,6 @@ func runPagesWithAuth(t *testing.T, listeners []ListenSpec) {
withArguments([]string{
"-config=" + configFile,
}),
+ withEnv(env),
)
}
diff --git a/test/acceptance/helpers_test.go b/test/acceptance/helpers_test.go
index 376a94b8..1c168b86 100644
--- a/test/acceptance/helpers_test.go
+++ b/test/acceptance/helpers_test.go
@@ -256,24 +256,11 @@ func RunPagesProcessWithStubGitLabServer(t *testing.T, opts ...processOption) *L
return logBuf
}
-func RunPagesProcessWithAuth(t *testing.T, pagesBinary string, listeners []ListenSpec, internalServer string, publicServer string) func() {
- configFile := defaultConfigFileWith(t,
- "internal-gitlab-server="+internalServer,
- "gitlab-server="+publicServer,
- "auth-redirect-uri=https://projects.gitlab-example.com/auth")
-
- _, cleanup2 := runPagesProcess(t, true, pagesBinary, listeners, "", nil,
- "-config="+configFile,
- )
- return cleanup2
-}
-
-func RunPagesProcessWithGitlabServerWithSSLCertFile(t *testing.T, pagesBinary string, listeners []ListenSpec, promPort string, sslCertFile string, gitlabServer string) func() {
- return runPagesProcessWithGitlabServer(t, pagesBinary, listeners, promPort,
- []string{"SSL_CERT_FILE=" + sslCertFile}, gitlabServer)
+func RunPagesProcessWithGitlabServerWithSSLCertFile(t *testing.T, listeners []ListenSpec, sslCertFile string) {
+ runPagesWithAuthAndEnv(t, listeners, []string{"SSL_CERT_FILE=" + sslCertFile})
}
-func RunPagesProcessWithGitlabServerWithSSLCertDir(t *testing.T, pagesBinary string, listeners []ListenSpec, promPort string, sslCertFile string, gitlabServer string) func() {
+func RunPagesProcessWithGitlabServerWithSSLCertDir(t *testing.T, listeners []ListenSpec, sslCertFile string) {
// Create temporary cert dir
sslCertDir, err := ioutil.TempDir("", "pages-test-SSL_CERT_DIR")
require.NoError(t, err)
@@ -282,23 +269,11 @@ func RunPagesProcessWithGitlabServerWithSSLCertDir(t *testing.T, pagesBinary str
err = copyFile(sslCertDir+"/"+path.Base(sslCertFile), sslCertFile)
require.NoError(t, err)
- innerCleanup := runPagesProcessWithGitlabServer(t, pagesBinary, listeners, promPort,
- []string{"SSL_CERT_DIR=" + sslCertDir}, gitlabServer)
+ runPagesWithAuthAndEnv(t, listeners, []string{"SSL_CERT_DIR=" + sslCertDir})
- return func() {
- innerCleanup()
+ t.Cleanup(func() {
os.RemoveAll(sslCertDir)
- }
-}
-
-func runPagesProcessWithGitlabServer(t *testing.T, pagesBinary string, listeners []ListenSpec, promPort string, extraEnv []string, gitlabServer string) func() {
- configFile := defaultConfigFileWith(t,
- "gitlab-server="+gitlabServer,
- "auth-redirect-uri=https://projects.gitlab-example.com/auth")
-
- _, cleanup2 := runPagesProcess(t, true, pagesBinary, listeners, promPort, extraEnv,
- "-config="+configFile)
- return cleanup2
+ })
}
func runPagesProcess(t *testing.T, wait bool, pagesBinary string, listeners []ListenSpec, promPort string, extraEnv []string, extraArgs ...string) (*LogCaptureBuffer, func()) {
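Review bot: The `t.Cleanup` that removes `sslCertDir` is registered only after `runPagesWithAuthAndEnv` returns, which has two consequences. If `copyFile` or one of the `require.NoError` checks fails first, the directory is never removed. And because cleanups run last-in first-out, the directory is presumably deleted before any teardown registered inside `runPagesWithAuthAndEnv`, that is, while the Pages process may still be running with `SSL_CERT_DIR` pointing at it. Replacing the `ioutil.TempDir` call in the preceding hunk with `sslCertDir := t.TempDir()` removes both problems and makes the explicit cleanup unnecessary.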
@@ -570,6 +545,8 @@ func waitForRoundtrips(t *testing.T, listeners []ListenSpec, timeout time.Durati
type stubOpts struct {
m sync.RWMutex
apiCalled bool
+ enableSSL bool
+ enableSSLEnv bool
statusReadyCount int
authHandler http.HandlerFunc
userHandler http.HandlerFunc
@@ -767,3 +744,13 @@ func copyFile(dest, src string) error {
_, err = io.Copy(destFile, srcFile)
return err
}
+
+func setupTransport(t *testing.T) {
+ t.Helper()
+
+ transport := (TestHTTPSClient.Transport).(*http.Transport)
+ defer func(t time.Duration) {
+ transport.ResponseHeaderTimeout = t
+ }(transport.ResponseHeaderTimeout)
+ transport.ResponseHeaderTimeout = 5 * time.Second
+}
diff --git a/test/acceptance/testdata/api_responses.go b/test/acceptance/testdata/api_responses.go
index 4bc0b24e..10121f40 100644
--- a/test/acceptance/testdata/api_responses.go
+++ b/test/acceptance/testdata/api_responses.go
@@ -88,6 +88,22 @@ var DomainResponses = map[string]responseFn{
projectID: 2006,
accessControl: true,
},
+ "/private.project.2": {
+ projectID: 3006,
+ accessControl: true,
+ },
+ "/subgroup/private.project": {
+ projectID: 1007,
+ accessControl: true,
+ },
+ "/subgroup/private.project.1": {
+ projectID: 2007,
+ accessControl: true,
+ },
+ "/subgroup/private.project.2": {
+ projectID: 3007,
+ accessControl: true,
+ },
}),
"private.domain.com": customDomain(projectConfig{
projectID: 1007,
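Review bot: The new `/subgroup/private.project` entry uses `projectID: 1007`, the same ID that the `private.domain.com` custom domain on the last line of this hunk already has. If the access stub decides allow or deny per project ID (the leading digit 1/2/3 appears to select the outcome, but that is not visible here), two fixtures sharing an ID cannot be told apart in tests that check a grant for one project is not honoured for another. A distinct ID would be better, with a comment above the map explaining the convention, e.g. `// projectID prefix selects the stubbed access result — confirm against the access stub`. The map literal continues outside the hunk.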