authorfeistel <6742251-feistel@users.noreply.gitlab.com>2021-06-15 13:09:36 +0300
committerfeistel <6742251-feistel@users.noreply.gitlab.com>2021-07-22 15:23:32 +0300
commit7a9c492b619078aed6f9c3f95cf21640afd63100 (patch)
treeadc5b78be1cc17fba212e3859e7515d29cbb7760 /internal/auth
parentb72ce71418f5474b1e7dc455052a32b12ae67c39 (diff)
Use internal-gitlab-server in auth-related tasks
Update the auth package to use the internal server when fetching access token or checking for authentication. Changelog: changed
Diffstat (limited to 'internal/auth')
-rw-r--r--internal/auth/auth.go52
-rw-r--r--internal/auth/auth_code_test.go6
-rw-r--r--internal/auth/auth_test.go48
3 files changed, 62 insertions, 44 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 30cb1e38..7307d668 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -55,18 +55,19 @@ var (
// Auth handles authenticating users with GitLab API
type Auth struct {
- pagesDomain string
- clientID string
- clientSecret string
- redirectURI string
- gitLabServer string
- authSecret string
- authScope string
- jwtSigningKey []byte
- jwtExpiry time.Duration
- apiClient *http.Client
- store sessions.Store
- now func() time.Time // allows to stub time.Now() easily in tests
+ pagesDomain string
+ clientID string
+ clientSecret string
+ redirectURI string
+ internalGitlabServer string // used for exchanging OAuth code for token and Accessing API and checking if the user has access to the project
+ publicGitlabServer string // used for redirecting users to gitlab on the start of OAuth workflow
+ authSecret string
+ authScope string
+ jwtSigningKey []byte
+ jwtExpiry time.Duration
+ apiClient *http.Client
+ store sessions.Store
+ now func() time.Time // allows to stub time.Now() easily in tests
}
type tokenResponse struct {
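Review bot: The comment on the new `internalGitlabServer` field runs one long clause with inconsistent capitalisation ("Accessing API") and does not state why the two endpoints are kept apart, which is the security-relevant part of this split. Doc comments above each field would read better: `// internalGitlabServer is the server-side GitLab endpoint: the OAuth code-for-token exchange (which carries the client secret) and the API calls that check project access go here.` and `// publicGitlabServer is the browser-facing GitLab endpoint, used only for the redirect that starts the OAuth flow; it must be reachable by end users.` Stating that the client secret is only ever posted to the internal endpoint, as the fetchAccessToken hunk below implies, would make the expected trust boundary explicit for whoever configures the two flags.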
@@ -232,7 +233,7 @@ func (a *Auth) domainAllowed(ctx context.Context, name string, domains source.So
}
func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request, domains source.Source) bool {
- // handle auth callback e.g. https://gitlab.io/auth?domain&domain&state=state
+ // handle auth callback e.g. https://gitlab.io/auth?domain=domain&state=state
if shouldProxyAuthToGitlab(r) {
domain := r.URL.Query().Get("domain")
state := r.URL.Query().Get("state")
@@ -269,11 +270,11 @@ func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWrit
return true
}
- url := fmt.Sprintf(authorizeURLTemplate, a.gitLabServer, a.clientID, a.redirectURI, state, a.authScope)
+ url := fmt.Sprintf(authorizeURLTemplate, a.publicGitlabServer, a.clientID, a.redirectURI, state, a.authScope)
logRequest(r).WithFields(logrus.Fields{
- "gitlab_server": a.gitLabServer,
- "pages_domain": domain,
+ "public_gitlab_server": a.publicGitlabServer,
+ "pages_domain": domain,
}).Info("Redirecting user to gitlab for oauth")
http.Redirect(w, r, url, 302)
@@ -377,7 +378,7 @@ func (a *Auth) fetchAccessToken(code string) (tokenResponse, error) {
token := tokenResponse{}
// Prepare request
- url := fmt.Sprintf(tokenURLTemplate, a.gitLabServer)
+ url := fmt.Sprintf(tokenURLTemplate, a.internalGitlabServer)
content := fmt.Sprintf(tokenContentTemplate, a.clientID, a.clientSecret, code, a.redirectURI)
req, err := http.NewRequest("POST", url, strings.NewReader(content))
@@ -489,9 +490,9 @@ func (a *Auth) checkAuthentication(w http.ResponseWriter, r *http.Request, domai
// Access token exists, authorize request
var url string
if projectID > 0 {
- url = fmt.Sprintf(apiURLProjectTemplate, a.gitLabServer, projectID)
+ url = fmt.Sprintf(apiURLProjectTemplate, a.internalGitlabServer, projectID)
} else {
- url = fmt.Sprintf(apiURLUserTemplate, a.gitLabServer)
+ url = fmt.Sprintf(apiURLUserTemplate, a.internalGitlabServer)
}
req, err := http.NewRequest("GET", url, nil)
@@ -643,7 +644,7 @@ func generateKeys(secret string, count int) ([][]byte, error) {
}
// New when authentication supported this will be used to create authentication handler
-func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, gitLabServer, authScope string) (*Auth, error) {
+func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, internalGitlabServer, publicGitlabServer, authScope string) (*Auth, error) {
// generate 3 keys, 2 for the cookie store and 1 for JWT signing
keys, err := generateKeys(storeSecret, 3)
if err != nil {
@@ -651,11 +652,12 @@ func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, gitLabSe
}
return &Auth{
- pagesDomain: pagesDomain,
- clientID: clientID,
- clientSecret: clientSecret,
- redirectURI: redirectURI,
- gitLabServer: strings.TrimRight(gitLabServer, "/"),
+ pagesDomain: pagesDomain,
+ clientID: clientID,
+ clientSecret: clientSecret,
+ redirectURI: redirectURI,
+ internalGitlabServer: strings.TrimRight(internalGitlabServer, "/"),
+ publicGitlabServer: strings.TrimRight(publicGitlabServer, "/"),
apiClient: &http.Client{
Timeout: 5 * time.Second,
Transport: httptransport.DefaultTransport,
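Review bot: New accepts an empty `publicGitlabServer` without complaint, and the new tests pass `""` for it whenever they only exercise the token exchange; with that value the authorize URL built in the handleProxyingAuth hunk starts with `/oauth/authorize`, so `http.Redirect` sends the browser back to the Pages host instead of to GitLab, silently breaking login. Since the previous code used a single server for both roles, falling back to the internal value when the public one is empty keeps existing deployments working: `if publicGitlabServer == "" { publicGitlabServer = internalGitlabServer }` before the struct literal, or alternatively return an error if the caller (outside this diff) does not already validate the flag. The two adjacent server parameters in the new positional signature are also easy to swap at call sites, as the `createTestAuth(t, apiServer.URL, "")` calls show; worth a comment on the parameters at least. New's signature and the rest of the struct literal lie outside this hunk.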
diff --git a/internal/auth/auth_code_test.go b/internal/auth/auth_code_test.go
index d54fcc7e..5a496066 100644
--- a/internal/auth/auth_code_test.go
+++ b/internal/auth/auth_code_test.go
@@ -8,7 +8,7 @@ import (
)
func TestEncryptAndDecryptSignedCode(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
tests := map[string]struct {
auth *Auth
@@ -86,8 +86,8 @@ func TestEncryptAndDecryptSignedCode(t *testing.T) {
}
func TestDecryptCodeWithInvalidJWT(t *testing.T) {
- auth1 := createTestAuth(t, "")
- auth2 := createTestAuth(t, "")
+ auth1 := createTestAuth(t, "", "")
+ auth2 := createTestAuth(t, "", "")
auth2.jwtSigningKey = []byte("another signing key")
encCode, err := auth1.EncryptAndSignCode("domain", "code")
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index 1bd52d09..c1fc834a 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -17,7 +17,7 @@ import (
"gitlab.com/gitlab-org/gitlab-pages/internal/source"
)
-func createTestAuth(t *testing.T, url string) *Auth {
+func createTestAuth(t *testing.T, internalServer string, publicServer string) *Auth {
t.Helper()
a, err := New("pages.gitlab-example.com",
@@ -25,7 +25,8 @@ func createTestAuth(t *testing.T, url string) *Auth {
"id",
"secret",
"http://pages.gitlab-example.com/auth",
- url,
+ internalServer,
+ publicServer,
"scope")
require.NoError(t, err)
@@ -70,7 +71,7 @@ func setSessionValues(t *testing.T, r *http.Request, store sessions.Store, value
}
func TestTryAuthenticate(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/something/else")
@@ -82,7 +83,7 @@ func TestTryAuthenticate(t *testing.T) {
}
func TestTryAuthenticateWithError(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/auth?error=access_denied")
@@ -96,7 +97,7 @@ func TestTryAuthenticateWithError(t *testing.T) {
}
func TestTryAuthenticateWithCodeButInvalidState(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/auth?code=1&state=invalid")
@@ -115,7 +116,7 @@ func TestTryAuthenticateWithCodeButInvalidState(t *testing.T) {
}
func TestTryAuthenticateRemoveTokenFromRedirect(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/auth?code=1&state=state&token=secret")
@@ -141,6 +142,21 @@ func TestTryAuthenticateRemoveTokenFromRedirect(t *testing.T) {
require.Empty(t, redirect.Query().Get("token"), "token is gone after redirecting")
}
+func TestTryAuthenticateWithDomainAndState(t *testing.T) {
+ auth := createTestAuth(t, "", "public-gitlab.example.com")
+ result := httptest.NewRecorder()
+ reqURL, err := url.Parse("/auth?domain=https%3A%2F%2Fpages.gitlab-example.com&state=state")
+ require.NoError(t, err)
+ r := &http.Request{URL: reqURL}
+
+ require.Equal(t, true, auth.TryAuthenticate(result, r, source.NewMockSource()))
+ require.Equal(t, http.StatusFound, result.Code)
+ redirect, err := url.Parse(result.Header().Get("Location"))
+ require.NoError(t, err)
+
+ require.Equal(t, "/public-gitlab.example.com/oauth/authorize?client_id=id&redirect_uri=http://pages.gitlab-example.com/auth&response_type=code&state=state&scope=scope", redirect.String())
+}
+
func testTryAuthenticateWithCodeAndState(t *testing.T, https bool) {
t.Helper()
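Review bot: The expected Location in TestTryAuthenticateWithDomainAndState is a path-relative `/public-gitlab.example.com/oauth/authorize?...`, which only arises because the test passes a scheme-less host to createTestAuth; the assertion therefore pins the broken-looking output rather than the redirect a real deployment should produce. Passing `"https://public-gitlab.example.com"` and asserting `"https://public-gitlab.example.com/oauth/authorize?client_id=id&redirect_uri=http://pages.gitlab-example.com/auth&response_type=code&state=state&scope=scope"` would test the intended behaviour and also document that the public server value is expected to carry a scheme. The unencoded `redirect_uri` in the expected string presumably comes from authorizeURLTemplate, which is outside this diff. The new test function is complete within this hunk; testTryAuthenticateWithCodeAndState continues past it.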
@@ -163,7 +179,7 @@ func testTryAuthenticateWithCodeAndState(t *testing.T, https bool) {
apiServer.Start()
defer apiServer.Close()
- auth := createTestAuth(t, apiServer.URL)
+ auth := createTestAuth(t, apiServer.URL, "")
domain := apiServer.URL
if https {
@@ -220,7 +236,7 @@ func TestCheckAuthenticationWhenAccess(t *testing.T) {
apiServer.Start()
defer apiServer.Close()
- auth := createTestAuth(t, apiServer.URL)
+ auth := createTestAuth(t, apiServer.URL, "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/auth?code=1&state=state")
@@ -256,7 +272,7 @@ func TestCheckAuthenticationWhenNoAccess(t *testing.T) {
apiServer.Start()
defer apiServer.Close()
- auth := createTestAuth(t, apiServer.URL)
+ auth := createTestAuth(t, apiServer.URL, "")
w := httptest.NewRecorder()
@@ -300,7 +316,7 @@ func TestCheckAuthenticationWhenInvalidToken(t *testing.T) {
apiServer.Start()
defer apiServer.Close()
- auth := createTestAuth(t, apiServer.URL)
+ auth := createTestAuth(t, apiServer.URL, "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/auth?code=1&state=state")
@@ -335,7 +351,7 @@ func TestCheckAuthenticationWithoutProject(t *testing.T) {
apiServer.Start()
defer apiServer.Close()
- auth := createTestAuth(t, apiServer.URL)
+ auth := createTestAuth(t, apiServer.URL, "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/auth?code=1&state=state")
@@ -371,7 +387,7 @@ func TestCheckAuthenticationWithoutProjectWhenInvalidToken(t *testing.T) {
apiServer.Start()
defer apiServer.Close()
- auth := createTestAuth(t, apiServer.URL)
+ auth := createTestAuth(t, apiServer.URL, "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/auth?code=1&state=state")
@@ -404,7 +420,7 @@ func TestGenerateKeys(t *testing.T) {
}
func TestGetTokenIfExistsWhenTokenExists(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/")
@@ -423,7 +439,7 @@ func TestGetTokenIfExistsWhenTokenExists(t *testing.T) {
}
func TestGetTokenIfExistsWhenTokenDoesNotExist(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("http://pages.gitlab-example.com/test")
@@ -441,7 +457,7 @@ func TestGetTokenIfExistsWhenTokenDoesNotExist(t *testing.T) {
}
func TestCheckResponseForInvalidTokenWhenInvalidToken(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("http://pages.gitlab-example.com/test")
@@ -456,7 +472,7 @@ func TestCheckResponseForInvalidTokenWhenInvalidToken(t *testing.T) {
}
func TestCheckResponseForInvalidTokenWhenNotInvalidToken(t *testing.T) {
- auth := createTestAuth(t, "")
+ auth := createTestAuth(t, "", "")
result := httptest.NewRecorder()
reqURL, err := url.Parse("/something")