authorVladimir Shushlin <vshushlin@gitlab.com>2022-04-01 10:54:28 +0300
committerVladimir Shushlin <vshushlin@gitlab.com>2022-04-01 10:54:28 +0300
commit1c7ed827db6ede4dab91ef8b8fef239e3bed5dd5 (patch)
tree776981ddc98acc32a73d42a5257bbba8d982a77a /test
parent5faf8597fb879348e09000958d5a8af07c0cda4b (diff)
parent9dbeb71c8a99ed0517b3ba44950ee63c00eb6cf6 (diff)
Merge branch 'security-validate-session-host' into 'master'
fix: validate that session was issued on the same host See merge request gitlab-org/security/gitlab-pages!28
Diffstat (limited to 'test')
-rw-r--r--test/acceptance/auth_test.go66
1 files changed, 41 insertions, 25 deletions
diff --git a/test/acceptance/auth_test.go b/test/acceptance/auth_test.go
index d7677622..dbc7b900 100644
--- a/test/acceptance/auth_test.go
+++ b/test/acceptance/auth_test.go
@@ -120,7 +120,7 @@ func TestWhenLoginCallbackWithUnencryptedCode(t *testing.T) {
}
// Go to auth page with correct state will cause fetching the token
- authrsp, err := GetPageFromListenerWithHeaders(t, httpsListener, "projects.gitlab-example.com", "/auth?code=1&state="+
+ authrsp, err := GetPageFromListenerWithHeaders(t, httpsListener, "group.auth.gitlab-example.com", "/auth?code=1&state="+
url.Query().Get("state"), header)
require.NoError(t, err)
@@ -153,60 +153,76 @@ func TestAccessControlUnderCustomDomain(t *testing.T) {
}
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
+ // visit to custom domain
rsp, err := GetRedirectPage(t, httpListener, tt.domain, tt.path)
require.NoError(t, err)
testhelpers.Close(t, rsp.Body)
- cookie := rsp.Header.Get("Set-Cookie")
+ domainCookie := rsp.Header.Get("Set-Cookie")
- url, err := url.Parse(rsp.Header.Get("Location"))
+ projectProxyURL, err := url.Parse(rsp.Header.Get("Location"))
require.NoError(t, err)
- state := url.Query().Get("state")
- require.Equal(t, "http://"+tt.domain, url.Query().Get("domain"))
+ state := projectProxyURL.Query().Get("state")
+ require.Equal(t, "http://"+tt.domain, projectProxyURL.Query().Get("domain"))
- pagesrsp, err := GetRedirectPage(t, httpListener, url.Host, url.Path+"?"+url.RawQuery)
+ // visit projects.gitlab-example.com?state=something
+ projectsProxyRsp, err := GetRedirectPage(t, httpListener,
+ projectProxyURL.Host, projectProxyURL.Path+"?"+projectProxyURL.RawQuery)
require.NoError(t, err)
- testhelpers.Close(t, pagesrsp.Body)
+ testhelpers.Close(t, projectsProxyRsp.Body)
- pagescookie := pagesrsp.Header.Get("Set-Cookie")
+ projectsCookie := projectsProxyRsp.Header.Get("Set-Cookie")
- // Go to auth page with correct state will cause fetching the token
- authrsp, err := GetRedirectPageWithCookie(t, httpListener, tt.domain, "/auth?code=1&state="+
- state, pagescookie)
+ // visit projects.gitlab-example.com?state=something&code=1
+ authRsp, err := GetRedirectPageWithCookie(t, httpListener, projectProxyURL.Host, "/auth?code=1&state="+
+ state, projectsCookie)
require.NoError(t, err)
- testhelpers.Close(t, authrsp.Body)
+ testhelpers.Close(t, authRsp.Body)
- url, err = url.Parse(authrsp.Header.Get("Location"))
+ backDomainURL, err := projectProxyURL.Parse(authRsp.Header.Get("Location"))
require.NoError(t, err)
// Will redirect to custom domain
- require.Equal(t, tt.domain, url.Host)
- code := url.Query().Get("code")
+ require.Equal(t, tt.domain, backDomainURL.Host)
+ code := backDomainURL.Query().Get("code")
require.NotEqual(t, "1", code)
- authrsp, err = GetRedirectPageWithCookie(t, httpListener, tt.domain, "/auth?code="+code+"&state="+
- state, cookie)
+ // visit domain.com/auth?code&state will set the cookie and redirect back to original page
+ selfRedirectRsp, err := GetRedirectPageWithCookie(t, httpListener, tt.domain, "/auth?code="+code+"&state="+
+ state, domainCookie)
require.NoError(t, err)
- testhelpers.Close(t, authrsp.Body)
+ testhelpers.Close(t, selfRedirectRsp.Body)
// Will redirect to the page
- cookie = authrsp.Header.Get("Set-Cookie")
- require.Equal(t, http.StatusFound, authrsp.StatusCode)
+ domainCookie = selfRedirectRsp.Header.Get("Set-Cookie")
+ require.Equal(t, http.StatusFound, selfRedirectRsp.StatusCode)
- url, err = url.Parse(authrsp.Header.Get("Location"))
+ selfRedirectURL, err := projectProxyURL.Parse(selfRedirectRsp.Header.Get("Location"))
require.NoError(t, err)
// Will redirect to custom domain
- require.Equal(t, "http://"+tt.domain+"/"+tt.path, url.String())
+ require.Equal(t, "http://"+tt.domain+"/"+tt.path, selfRedirectURL.String())
// Fetch page in custom domain
- authrsp, err = GetRedirectPageWithCookie(t, httpListener, tt.domain, tt.path, cookie)
+ authRsp, err = GetRedirectPageWithCookie(t, httpListener, tt.domain, tt.path, domainCookie)
require.NoError(t, err)
- testhelpers.Close(t, authrsp.Body)
- require.Equal(t, http.StatusOK, authrsp.StatusCode)
+ testhelpers.Close(t, authRsp.Body)
+ require.Equal(t, http.StatusOK, authRsp.StatusCode)
+
+ // Try to fetch page from another domain
+ // it should restart the auth process ignoring already existing cookie
+ secondAuthRsp, err := GetRedirectPageWithCookie(t, httpListener, "group.auth.gitlab-example.com", "/private.project/", domainCookie)
+ require.NoError(t, err)
+ testhelpers.Close(t, authRsp.Body)
+
+ secondAuthURL, err := url.Parse(secondAuthRsp.Header.Get("Location"))
+ require.NoError(t, err)
+ require.Equal(t, "projects.gitlab-example.com", secondAuthURL.Host)
+ require.Equal(t, "/auth", secondAuthURL.Path)
+ require.Equal(t, "http://group.auth.gitlab-example.com", secondAuthURL.Query().Get("domain"))
})
}
}
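Review bot: The close call after the second-domain fetch closes the wrong body: `testhelpers.Close(t, authRsp.Body)` on the line following `secondAuthRsp, err := GetRedirectPageWithCookie(...)` re-closes a body that was already closed a few lines earlier and leaves `secondAuthRsp.Body` open; it should read `testhelpers.Close(t, secondAuthRsp.Body)`. The new assertions on the second host also read `Location` without first pinning the status, unlike the earlier redirect check in this test; adding `require.Equal(t, http.StatusFound, secondAuthRsp.StatusCode)` before the `url.Parse` call would make a response that wrongly accepts the other host's cookie fail with a clear status message rather than on an empty Location. The enclosing TestAccessControlUnderCustomDomain starts outside the hunk.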