author | Jaime Martinez <jmartinez@gitlab.com> | 2021-08-16 10:11:45 +0300 |
---|---|---|
committer | Jaime Martinez <jmartinez@gitlab.com> | 2021-08-16 10:13:34 +0300 |
commit | d4f76c30c37307de77041cc72cc5d45036e3ad7a (patch) | |
tree | 9f98890473b0ccee0e4bb2360b96e9f9fce0ae52 | |
parent | d2cb598421d42936e0e7c35f314e49f7a9526616 (diff) |
test: update SSL cases to use stub
-rw-r--r-- | app.go | 6 | ||||
-rw-r--r-- | internal/httptransport/metered_round_tripper.go | 5 | ||||
-rw-r--r-- | shared/pages/group.auth/private.project.2/public.zip | bin | 0 -> 333 bytes | |||
-rw-r--r-- | shared/pages/group.auth/subgroup/private.project.1/public.zip | bin | 0 -> 333 bytes | |||
-rw-r--r-- | shared/pages/group.auth/subgroup/private.project.2/public.zip | bin | 0 -> 333 bytes | |||
-rw-r--r-- | shared/pages/group.auth/subgroup/private.project/public.zip | bin | 0 -> 333 bytes | |||
-rw-r--r-- | test/acceptance/auth_test.go | 105 | ||||
-rw-r--r-- | test/acceptance/helpers_test.go | 49 | ||||
-rw-r--r-- | test/acceptance/testdata/api_responses.go | 16 |
9 files changed, 62 insertions, 119 deletions
@@ -95,12 +95,6 @@ func (a *theApp) redirectToHTTPS(w http.ResponseWriter, r *http.Request, statusC
 func (a *theApp) getHostAndDomain(r *http.Request) (string, *domain.Domain, error) {
 	host := request.GetHostWithoutPort(r)
-	// TODO: @jaime REMOVE THIS CHECK AND OPEN AN ISSUE
-	if host == a.config.General.Domain || host == "127.0.0.1" {
-		// skip resolving the domain with the internal API
-		return host, nil, nil
-	}
-
 	domain, err := a.domain(r.Context(), host)
 	return host, domain, err
diff --git a/internal/httptransport/metered_round_tripper.go b/internal/httptransport/metered_round_tripper.go
index 45dfeb7e..8978f824 100644
--- a/internal/httptransport/metered_round_tripper.go
+++ b/internal/httptransport/metered_round_tripper.go
@@ -3,6 +3,7 @@ package httptransport
 import (
 	"context"
 	"net/http"
+	"net/http/httptrace"
 	"strconv"
 	"time"
@@ -44,8 +45,8 @@ func NewMeteredRoundTripper(transport http.RoundTripper, name string, tracerVec,
 func (mrt *meteredRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
 	start := time.Now()
-	//ctx := httptrace.WithClientTrace(r.Context(), mrt.newTracer(start))
-	ctx, cancel := context.WithCancel(r.Context())
+	ctx := httptrace.WithClientTrace(r.Context(), mrt.newTracer(start))
+	ctx, cancel := context.WithCancel(ctx)
 	timer := time.AfterFunc(mrt.ttfbTimeout, cancel)
 	defer timer.Stop()
diff --git a/shared/pages/group.auth/private.project.2/public.zip b/shared/pages/group.auth/private.project.2/public.zip
Binary files differ
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/private.project.2/public.zip
diff --git a/shared/pages/group.auth/subgroup/private.project.1/public.zip b/shared/pages/group.auth/subgroup/private.project.1/public.zip
Binary files differ
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/subgroup/private.project.1/public.zip
diff --git a/shared/pages/group.auth/subgroup/private.project.2/public.zip b/shared/pages/group.auth/subgroup/private.project.2/public.zip
Binary files differ
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/subgroup/private.project.2/public.zip
diff --git a/shared/pages/group.auth/subgroup/private.project/public.zip b/shared/pages/group.auth/subgroup/private.project/public.zip
Binary files differ
new file mode 100644
index 00000000..688b9381
--- /dev/null
+++ b/shared/pages/group.auth/subgroup/private.project/public.zip
diff --git a/test/acceptance/auth_test.go b/test/acceptance/auth_test.go
index fd92a582..152030b0 100644
--- a/test/acceptance/auth_test.go
+++ b/test/acceptance/auth_test.go
@@ -1,14 +1,12 @@
 package acceptance_test
 import (
-	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
 	"testing"
-	"time"
 	"github.com/stretchr/testify/require"
 )
@@ -285,14 +283,7 @@ func TestCustomErrorPageWithAuth(t *testing.T) {
 }
 func TestAccessControlUnderCustomDomainWithHTTPSProxy(t *testing.T) {
-	skipUnlessEnabled(t, "not-inplace-chroot")
-
-	testServer := makeGitLabPagesAccessStub(t)
-	testServer.Start()
-	defer testServer.Close()
-
-	teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), testServer.URL, "https://public-gitlab-auth.com")
-	defer teardown()
+	runPagesWithAuth(t, []ListenSpec{proxyListener})
 	rsp, err := GetProxyRedirectPageWithCookie(t, proxyListener, "private.domain.com", "/", "", true)
 	require.NoError(t, err)
@@ -353,8 +344,7 @@ func TestAccessControlUnderCustomDomainWithHTTPSProxy(t *testing.T) {
 }
 func TestAccessControlGroupDomain404RedirectsAuth(t *testing.T) {
-	teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), "https://internal-gitlab-auth.com", "https://public-gitlab-auth.com")
-	defer teardown()
+	runPagesWithAuth(t, []ListenSpec{httpListener})
 	rsp, err := GetRedirectPage(t, httpListener, "group.gitlab-example.com", "/nonexistent/")
 	require.NoError(t, err)
@@ -366,9 +356,9 @@ func TestAccessControlGroupDomain404RedirectsAuth(t *testing.T) {
 	require.Equal(t, "projects.gitlab-example.com", url.Host)
 	require.Equal(t, "/auth", url.Path)
 }
+
 func TestAccessControlProject404DoesNotRedirect(t *testing.T) {
-	teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), "https://internal-gitlab-auth.com", "https://public-gitlab-auth.com")
-	defer teardown()
+	runPagesWithAuth(t, []ListenSpec{httpListener})
 	rsp, err := GetRedirectPage(t, httpListener, "group.gitlab-example.com", "/project/nonexistent/")
 	require.NoError(t, err)
@@ -376,119 +366,79 @@ func TestAccessControlProject404DoesNotRedirect(t *testing.T) {
 	require.Equal(t, http.StatusNotFound, rsp.StatusCode)
 }
-func setupTransport(t *testing.T) {
-	transport := (TestHTTPSClient.Transport).(*http.Transport)
-	defer func(t time.Duration) {
-		transport.ResponseHeaderTimeout = t
-	}(transport.ResponseHeaderTimeout)
-	transport.ResponseHeaderTimeout = 5 * time.Second
-}
-
-type runPagesFunc func(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string, sslCertFile string, authServer string) func()
+type runPagesFunc func(t *testing.T, listeners []ListenSpec, sslCertFile string)
 func testAccessControl(t *testing.T, runPages runPagesFunc) {
-	skipUnlessEnabled(t, "not-inplace-chroot")
-	setupTransport(t)
 	keyFile, certFile := CreateHTTPSFixtureFiles(t)
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	require.NoError(t, err)
 	t.Cleanup(func() {
 		os.Remove(keyFile)
 		os.Remove(certFile)
 	})
-	testServer := makeGitLabPagesAccessStub(t)
-	testServer.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
-	testServer.StartTLS()
-	defer testServer.Close()
-
-	tests := []struct {
+	tests := map[string]struct {
 		host string
 		path string
 		status int
 		redirectBack bool
-		name string
 	}{
-		{
-			name: "project with access",
+		"project_with_access": {
 			host: "group.auth.gitlab-example.com",
 			path: "/private.project/",
 			status: http.StatusOK,
 			redirectBack: false,
 		},
-		{
-			name: "project without access",
+		"project_without_access": {
 			host: "group.auth.gitlab-example.com",
 			path: "/private.project.1/",
 			status: http.StatusNotFound, // Do not expose project existed
 			redirectBack: false,
 		},
-		{
-			name: "invalid token test should redirect back",
+		"invalid_token_test_should_redirect_back": {
 			host: "group.auth.gitlab-example.com",
 			path: "/private.project.2/",
 			status: http.StatusFound,
 			redirectBack: true,
 		},
-		{
-			name: "no project should redirect to login and then return 404",
+		"no_project_should_redirect_to_login_and_then_return404": {
 			host: "group.auth.gitlab-example.com",
 			path: "/nonexistent/",
 			status: http.StatusNotFound,
 			redirectBack: false,
 		},
-		{
-			name: "no project should redirect to login and then return 404",
-			host: "nonexistent.gitlab-example.com",
-			path: "/nonexistent/",
-			status: http.StatusNotFound,
-			redirectBack: false,
-		}, // subgroups
-		{
-			name: "[subgroup] project with access",
+		// subgroups
+		"subgroup_project_with_access": {
 			host: "group.auth.gitlab-example.com",
 			path: "/subgroup/private.project/",
 			status: http.StatusOK,
 			redirectBack: false,
 		},
-		{
-			name: "[subgroup] project without access",
+		"subgroup_project_without_access": {
 			host: "group.auth.gitlab-example.com",
 			path: "/subgroup/private.project.1/",
 			status: http.StatusNotFound, // Do not expose project existed
 			redirectBack: false,
 		},
-		{
-			name: "[subgroup] invalid token test should redirect back",
+		"subgroup_invalid_token_test_should_redirect_back": {
 			host: "group.auth.gitlab-example.com",
 			path: "/subgroup/private.project.2/",
 			status: http.StatusFound,
 			redirectBack: true,
 		},
-		{
-			name: "[subgroup] no project should redirect to login and then return 404",
+		"subgroup_no_project_should_redirect_to_login_and_then_return404": {
 			host: "group.auth.gitlab-example.com",
 			path: "/subgroup/nonexistent/",
 			status: http.StatusNotFound,
 			redirectBack: false,
 		},
-		{
-			name: "[subgroup] no project should redirect to login and then return 404",
-			host: "nonexistent.gitlab-example.com",
-			path: "/subgroup/nonexistent/",
-			status: http.StatusNotFound,
-			redirectBack: false,
-		},
 	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			teardown := runPages(t, *pagesBinary, []ListenSpec{httpsListener}, "", certFile, testServer.URL)
-			defer teardown()
+	runPages(t, []ListenSpec{httpsListener}, certFile)
+	for tn, tt := range tests {
+		t.Run(tn, func(t *testing.T) {
 			rsp1, err1 := GetRedirectPage(t, httpsListener, tt.host, tt.path)
 			require.NoError(t, err1)
 			defer rsp1.Body.Close()
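Review bot: In testAccessControl the pages process is now started once by `runPages(t, []ListenSpec{httpsListener}, certFile)` ahead of the loop, and `for tn, tt := range tests` walks a map, so the subtests run against one shared process in a random order, whereas the removed version restarted the process per case. If the stub or the pages process keeps any per-request state across calls (the redirectBack cases go through a redirect flow, and getValidCookieAndState is used elsewhere in this file), a failure becomes order-dependent and hard to reproduce. Iterating over the sorted case names keeps the map but makes the order stable; this needs `sort` imported, which the import hunk above does not add. testAccessControl continues past the end of this hunk.
```go
	runPages(t, []ListenSpec{httpsListener}, certFile)

	// walk the cases in a fixed order: they now share one pages process
	names := make([]string, 0, len(tests))
	for tn := range tests {
		names = append(names, tn)
	}
	sort.Strings(names)

	for _, tn := range names {
		tt := tests[tn]
		t.Run(tn, func(t *testing.T) {
			// … unchanged: request and assertions …
```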
@@ -561,14 +511,7 @@ func TestAccessControlWithSSLCertDir(t *testing.T) {
 // Read the issue description if any changes to internal/auth/ break this test.
 // Related to https://tools.ietf.org/html/rfc6749#section-10.6.
 func TestHijackedCode(t *testing.T) {
-	skipUnlessEnabled(t, "not-inplace-chroot")
-
-	testServer := makeGitLabPagesAccessStub(t)
-	testServer.Start()
-	defer testServer.Close()
-
-	teardown := RunPagesProcessWithAuth(t, *pagesBinary, supportedListeners(), testServer.URL, "https://public-gitlab-auth.com")
-	defer teardown()
+	runPagesWithAuth(t, []ListenSpec{proxyListener})
 	/****ATTACKER******/
 	// get valid cookie for a different private project
@@ -644,12 +587,13 @@ func getValidCookieAndState(t *testing.T, domain string) (string, string) {
 func runPagesWithAuth(t *testing.T, listeners []ListenSpec) {
 	t.Helper()
-	//testServer := makeGitLabPagesAccessStub(t)
-	//testServer.Start()
-	//t.Cleanup(testServer.Close)
+	runPagesWithAuthAndEnv(t, listeners, nil)
+}
+
+func runPagesWithAuthAndEnv(t *testing.T, listeners []ListenSpec, env []string) {
+	t.Helper()
 	configFile := defaultConfigFileWith(t,
-		//"internal-gitlab-server="+testServer.URL,
 		"gitlab-server=https://public-gitlab-auth.com",
 		"auth-redirect-uri=https://projects.gitlab-example.com/auth",
 	)
@@ -659,5 +603,6 @@ func runPagesWithAuth(t *testing.T, listeners []ListenSpec) {
 		withArguments([]string{
 			"-config=" + configFile,
 		}),
+		withEnv(env),
 	)
 }
diff --git a/test/acceptance/helpers_test.go b/test/acceptance/helpers_test.go
index 376a94b8..1c168b86 100644
--- a/test/acceptance/helpers_test.go
+++ b/test/acceptance/helpers_test.go
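Review bot: runPagesWithAuthAndEnv and the reworked runPagesWithAuth are added without doc comments, so a reader cannot tell which one a new test should call or what env is for. Suggested above runPagesWithAuthAndEnv: `// runPagesWithAuthAndEnv starts the pages process with auth enabled against the GitLab URL set by defaultConfigFileWith and passes env as extra process environment; runPagesWithAuth is the no-extra-env shorthand.` runPagesWithAuth hands `nil` to `withEnv(env)`, which relies on withEnv accepting a nil slice; withEnv is outside this diff, so that is worth confirming. The helper body spans the -644 and -659 hunks.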
@@ -256,24 +256,11 @@ func RunPagesProcessWithStubGitLabServer(t *testing.T, opts ...processOption) *L
 	return logBuf
 }
-func RunPagesProcessWithAuth(t *testing.T, pagesBinary string, listeners []ListenSpec, internalServer string, publicServer string) func() {
-	configFile := defaultConfigFileWith(t,
-		"internal-gitlab-server="+internalServer,
-		"gitlab-server="+publicServer,
-		"auth-redirect-uri=https://projects.gitlab-example.com/auth")
-
-	_, cleanup2 := runPagesProcess(t, true, pagesBinary, listeners, "", nil,
-		"-config="+configFile,
-	)
-	return cleanup2
-}
-
-func RunPagesProcessWithGitlabServerWithSSLCertFile(t *testing.T, pagesBinary string, listeners []ListenSpec, promPort string, sslCertFile string, gitlabServer string) func() {
-	return runPagesProcessWithGitlabServer(t, pagesBinary, listeners, promPort,
-		[]string{"SSL_CERT_FILE=" + sslCertFile}, gitlabServer)
+func RunPagesProcessWithGitlabServerWithSSLCertFile(t *testing.T, listeners []ListenSpec, sslCertFile string) {
+	runPagesWithAuthAndEnv(t, listeners, []string{"SSL_CERT_FILE=" + sslCertFile})
 }
-func RunPagesProcessWithGitlabServerWithSSLCertDir(t *testing.T, pagesBinary string, listeners []ListenSpec, promPort string, sslCertFile string, gitlabServer string) func() {
+func RunPagesProcessWithGitlabServerWithSSLCertDir(t *testing.T, listeners []ListenSpec, sslCertFile string) {
 	// Create temporary cert dir
 	sslCertDir, err := ioutil.TempDir("", "pages-test-SSL_CERT_DIR")
 	require.NoError(t, err)
@@ -282,23 +269,11 @@ func RunPagesProcessWithGitlabServerWithSSLCertDir(t *testing.T, pagesBinary str
 	err = copyFile(sslCertDir+"/"+path.Base(sslCertFile), sslCertFile)
 	require.NoError(t, err)
-	innerCleanup := runPagesProcessWithGitlabServer(t, pagesBinary, listeners, promPort,
-		[]string{"SSL_CERT_DIR=" + sslCertDir}, gitlabServer)
+	runPagesWithAuthAndEnv(t, listeners, []string{"SSL_CERT_DIR=" + sslCertDir})
-	return func() {
-		innerCleanup()
+	t.Cleanup(func() {
 		os.RemoveAll(sslCertDir)
-	}
-}
-
-func runPagesProcessWithGitlabServer(t *testing.T, pagesBinary string, listeners []ListenSpec, promPort string, extraEnv []string, gitlabServer string) func() {
-	configFile := defaultConfigFileWith(t,
-		"gitlab-server="+gitlabServer,
-		"auth-redirect-uri=https://projects.gitlab-example.com/auth")
-
-	_, cleanup2 := runPagesProcess(t, true, pagesBinary, listeners, promPort, extraEnv,
-		"-config="+configFile)
-	return cleanup2
+	})
 }
 func runPagesProcess(t *testing.T, wait bool, pagesBinary string, listeners []ListenSpec, promPort string, extraEnv []string, extraArgs ...string) (*LogCaptureBuffer, func()) {
@@ -570,6 +545,8 @@ func waitForRoundtrips(t *testing.T, listeners []ListenSpec, timeout time.Durati
 type stubOpts struct {
 	m sync.RWMutex
 	apiCalled bool
+	enableSSL bool
+	enableSSLEnv bool
 	statusReadyCount int
 	authHandler http.HandlerFunc
 	userHandler http.HandlerFunc
@@ -767,3 +744,13 @@ func copyFile(dest, src string) error {
 	_, err = io.Copy(destFile, srcFile)
 	return err
 }
+
+func setupTransport(t *testing.T) {
+	t.Helper()
+
+	transport := (TestHTTPSClient.Transport).(*http.Transport)
+	defer func(t time.Duration) {
+		transport.ResponseHeaderTimeout = t
+	}(transport.ResponseHeaderTimeout)
+	transport.ResponseHeaderTimeout = 5 * time.Second
+}
diff --git a/test/acceptance/testdata/api_responses.go b/test/acceptance/testdata/api_responses.go
index 4bc0b24e..10121f40 100644
--- a/test/acceptance/testdata/api_responses.go
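Review bot: In RunPagesProcessWithGitlabServerWithSSLCertDir the `t.Cleanup(func() { os.RemoveAll(sslCertDir) })` is registered after runPagesWithAuthAndEnv has already started the pages process, and t.Cleanup functions run last-registered-first, so the SSL_CERT_DIR is removed before any process teardown that runPagesWithAuthAndEnv registered (that helper's teardown is outside this hunk, so this is inferred); the removed code explicitly ran innerCleanup() before RemoveAll. Register the directory cleanup right after the TempDir call in the previous hunk, before the process starts: `sslCertDir, err := ioutil.TempDir("", "pages-test-SSL_CERT_DIR")` / `require.NoError(t, err)` / `t.Cleanup(func() { os.RemoveAll(sslCertDir) })`. If the module's Go version permits, `t.TempDir()` removes the manual cleanup entirely. The function starts in the previous hunk.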
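Review bot: setupTransport, as added here, restores ResponseHeaderTimeout in a defer of its own frame, so the 5s value is reverted the moment the helper returns and the calling test never runs with it. This commit also drops the only call in testAccessControl and no remaining call site is visible in the diff, so either the helper is dead or it silently does nothing. Restoring the previous value in t.Cleanup makes the override last for the test; since TestHTTPSClient is a shared client, a test using this helper must not run with t.Parallel, which deserves a comment on the helper.
```go
func setupTransport(t *testing.T) {
	t.Helper()

	transport := (TestHTTPSClient.Transport).(*http.Transport)
	// restore when the test ends, not when this helper returns
	prev := transport.ResponseHeaderTimeout
	t.Cleanup(func() { transport.ResponseHeaderTimeout = prev })
	transport.ResponseHeaderTimeout = 5 * time.Second
}
```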
+++ b/test/acceptance/testdata/api_responses.go
@@ -88,6 +88,22 @@ var DomainResponses = map[string]responseFn{
 		projectID: 2006,
 		accessControl: true,
 	},
+	"/private.project.2": {
+		projectID: 3006,
+		accessControl: true,
+	},
+	"/subgroup/private.project": {
+		projectID: 1007,
+		accessControl: true,
+	},
+	"/subgroup/private.project.1": {
+		projectID: 2007,
+		accessControl: true,
+	},
+	"/subgroup/private.project.2": {
+		projectID: 3007,
+		accessControl: true,
+	},
 	}),
 	"private.domain.com": customDomain(projectConfig{
 		projectID: 1007,
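Review bot: The new `"/subgroup/private.project"` entry uses `projectID: 1007`, the same ID the `"private.domain.com"` custom-domain entry uses in the context lines just below. If the access stub decides authorization by project ID (its handlers are outside this diff), the subgroup "with access" case and the custom-domain case share one decision and cannot fail independently; a distinct ID following the 2007/3007 pattern used by the other subgroup entries would keep them separate. A short comment on the map stating which ID ranges the stub treats as accessible, inaccessible and invalid-token would also make these fixtures self-explanatory.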