240 lines
9.5 KiB
Ruby
240 lines
9.5 KiB
Ruby
require "test_helper"
|
|
|
|
class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
@user = users(:one)
|
|
@admin_user = users(:two)
|
|
@group = groups(:one)
|
|
@group2 = groups(:two)
|
|
end
|
|
|
|
# Basic Authentication Flow Tests
|
|
test "complete authentication flow: unauthenticated to authenticated" do
|
|
# Step 1: Unauthenticated request should redirect
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
|
assert_response 302
|
|
assert_match %r{/signin}, response.location
|
|
assert_equal "No session cookie", response.headers["x-auth-reason"]
|
|
|
|
# Step 2: Sign in
|
|
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
|
assert_response 302
|
|
# Signin now redirects back with fa_token parameter
|
|
assert_match(/\?fa_token=/, response.location)
|
|
assert cookies[:session_id]
|
|
|
|
# Step 3: Authenticated request should succeed
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
|
assert_response 200
|
|
assert_equal @user.email_address, response.headers["x-remote-user"]
|
|
end
|
|
|
|
test "session expiration handling" do
|
|
# Sign in
|
|
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
|
|
|
# Manually expire the session (get the most recent session for this user)
|
|
session = Session.where(user: @user).order(created_at: :desc).first
|
|
assert session, "No session found for user"
|
|
session.update!(expires_at: 1.hour.ago)
|
|
|
|
# Request should fail and redirect to login
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
|
assert_response 302
|
|
assert_equal "Session expired", response.headers["x-auth-reason"]
|
|
end
|
|
|
|
# Domain and Rule Integration Tests
|
|
test "different domain patterns with same session" do
|
|
# Create test rules
|
|
wildcard_rule = Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
|
|
exact_rule = Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
|
|
|
|
# Sign in
|
|
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
|
|
|
# Test wildcard domain
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
|
|
assert_response 200
|
|
assert_equal @user.email_address, response.headers["x-remote-user"]
|
|
|
|
# Test exact domain
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "api.example.com" }
|
|
assert_response 200
|
|
assert_equal @user.email_address, response.headers["x-remote-user"]
|
|
|
|
# Test non-matching domain (should use defaults)
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "other.example.com" }
|
|
assert_response 200
|
|
assert_equal @user.email_address, response.headers["x-remote-user"]
|
|
end
|
|
|
|
test "group-based access control integration" do
|
|
# Create restricted rule
|
|
restricted_rule = Application.create!(name: "Restricted App", slug: "restricted-app", app_type: "forward_auth", domain_pattern: "restricted.example.com", active: true)
|
|
restricted_rule.allowed_groups << @group
|
|
|
|
# Sign in user without group
|
|
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
|
|
|
# Should be denied access
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "restricted.example.com" }
|
|
assert_response 403
|
|
assert_match %r{permission to access this domain}, response.headers["x-auth-reason"]
|
|
|
|
# Add user to group
|
|
@user.groups << @group
|
|
|
|
# Should now be allowed
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "restricted.example.com" }
|
|
assert_response 200
|
|
assert_equal @user.email_address, response.headers["x-remote-user"]
|
|
end
|
|
|
|
# Header Configuration Integration Tests
|
|
test "different header configurations with same user" do
|
|
# Create applications with different configs
|
|
default_rule = Application.create!(name: "Default App", slug: "default-app", app_type: "forward_auth", domain_pattern: "default.example.com", active: true)
|
|
custom_rule = Application.create!(
|
|
name: "Custom App", slug: "custom-app", app_type: "forward_auth",
|
|
domain_pattern: "custom.example.com",
|
|
active: true,
|
|
headers_config: { user: "X-WEBAUTH-USER", groups: "X-WEBAUTH-ROLES" }
|
|
)
|
|
no_headers_rule = Application.create!(
|
|
name: "No Headers App", slug: "no-headers-app", app_type: "forward_auth",
|
|
domain_pattern: "noheaders.example.com",
|
|
active: true,
|
|
headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
|
|
)
|
|
|
|
# Add user to groups
|
|
@user.groups << @group
|
|
@user.groups << @group2
|
|
|
|
# Sign in
|
|
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
|
|
|
# Test default headers
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "default.example.com" }
|
|
assert_response 200
|
|
# Rails normalizes header keys to lowercase
|
|
assert_equal @user.email_address, response.headers["x-remote-user"]
|
|
assert response.headers.key?("x-remote-groups")
|
|
assert_equal "Group Two,Group One", response.headers["x-remote-groups"]
|
|
|
|
# Test custom headers
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "custom.example.com" }
|
|
assert_response 200
|
|
# Custom headers are also normalized to lowercase
|
|
assert_equal @user.email_address, response.headers["x-webauth-user"]
|
|
assert response.headers.key?("x-webauth-roles")
|
|
assert_equal "Group Two,Group One", response.headers["x-webauth-roles"]
|
|
|
|
# Test no headers
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "noheaders.example.com" }
|
|
assert_response 200
|
|
# Check that no auth-related headers are present (excluding security headers)
|
|
auth_headers = response.headers.select { |k, v| k.match?(/^x-remote-|^x-webauth-|^x-admin-/i) }
|
|
assert_empty auth_headers
|
|
end
|
|
|
|
# Redirect URL Integration Tests
|
|
test "unauthenticated request redirects to signin with parameters" do
|
|
# Test that unauthenticated requests redirect to signin with rd and rm parameters
|
|
get "/api/verify", headers: {
|
|
"X-Forwarded-Host" => "grafana.example.com"
|
|
}, params: {
|
|
rd: "https://grafana.example.com/dashboard",
|
|
rm: "GET"
|
|
}
|
|
|
|
assert_response 302
|
|
location = response.location
|
|
|
|
# Should redirect to signin with parameters (rd contains the original URL)
|
|
assert_includes location, "/signin"
|
|
assert_includes location, "rd="
|
|
assert_includes location, "rm=GET"
|
|
# The rd parameter should contain the original grafana.example.com URL
|
|
assert_includes location, "grafana.example.com"
|
|
end
|
|
|
|
test "return URL functionality after authentication" do
|
|
# Initial request should set return URL
|
|
get "/api/verify", headers: {
|
|
"X-Forwarded-Host" => "app.example.com",
|
|
"X-Forwarded-Uri" => "/admin"
|
|
}, params: { rd: "https://app.example.com/admin" }
|
|
|
|
assert_response 302
|
|
location = response.location
|
|
|
|
# Should contain the redirect URL parameter
|
|
assert_includes location, "rd="
|
|
assert_includes location, CGI.escape("https://app.example.com/admin")
|
|
|
|
# Store session return URL
|
|
return_to_after_authenticating = session[:return_to_after_authenticating]
|
|
assert_equal "https://app.example.com/admin", return_to_after_authenticating
|
|
end
|
|
|
|
# Multiple User Scenarios Integration Tests
|
|
test "multiple users with different access levels" do
|
|
regular_user = users(:one)
|
|
admin_user = users(:two)
|
|
|
|
# Create restricted rule
|
|
admin_rule = Application.create!(
|
|
name: "Admin App", slug: "admin-app", app_type: "forward_auth",
|
|
domain_pattern: "admin.example.com",
|
|
active: true,
|
|
headers_config: { user: "X-Admin-User", admin: "X-Admin-Flag" }
|
|
)
|
|
|
|
# Test regular user
|
|
post "/signin", params: { email_address: regular_user.email_address, password: "password" }
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
|
|
assert_response 200
|
|
assert_equal regular_user.email_address, response.headers["x-admin-user"]
|
|
|
|
# Sign out
|
|
delete "/session"
|
|
|
|
# Test admin user
|
|
post "/signin", params: { email_address: admin_user.email_address, password: "password" }
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
|
|
assert_response 200
|
|
assert_equal admin_user.email_address, response.headers["x-admin-user"]
|
|
assert_equal "true", response.headers["x-admin-flag"]
|
|
end
|
|
|
|
# Security Integration Tests
|
|
test "session hijacking prevention" do
|
|
# User A signs in
|
|
post "/signin", params: { email_address: @user.email_address, password: "password" }
|
|
|
|
# Verify User A can access protected resources
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
|
assert_response 200
|
|
assert_equal @user.email_address, response.headers["x-remote-user"]
|
|
user_a_session_id = Session.where(user: @user).last.id
|
|
|
|
# Reset integration test session (but keep User A's session in database)
|
|
reset!
|
|
|
|
# User B signs in (creates a new session)
|
|
post "/signin", params: { email_address: @admin_user.email_address, password: "password" }
|
|
|
|
# Verify User B can access protected resources
|
|
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
|
|
assert_response 200
|
|
assert_equal @admin_user.email_address, response.headers["x-remote-user"]
|
|
user_b_session_id = Session.where(user: @admin_user).last.id
|
|
|
|
# Verify both sessions still exist in the database
|
|
assert Session.exists?(user_a_session_id), "User A's session should still exist"
|
|
assert Session.exists?(user_b_session_id), "User B's session should still exist"
|
|
end
|
|
|
|
end |