From ce6670c95bc384902db67bcc369ae78b2cb86013 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 08:45:51 +0200 Subject: [PATCH 01/25] Test oauth guard --- .github/workflows/pr.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f74d5b8..aab989e 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -45,3 +45,31 @@ jobs: - name: Helm Lint run: helm lint charts/radix-oauth-guard + + integration-test: + name: Integration test + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v4 + with: + go-version-file: 'go.mod' + - name: Install dependencies + run: go mod download + - name: Test Auth + env: + LOG_PRETTY: True + LOG_LEVEL: Trace + ISSUER: "https://token.actions.githubusercontent.com" + AUDIENCE: "https://github.com/equinor" + SUBJECTS: repo:equinor/radix-oauth-guard:pull_request + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + go run . & + GO_PID=$! + curl --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth -v + kill -9 $GO_PID + From a2271859f503d536f640ba87ed713b71b18267ec Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 08:48:21 +0200 Subject: [PATCH 02/25] sleep a bit so guard can start --- .github/workflows/pr.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index aab989e..dfc39b1 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -70,6 +70,10 @@ jobs: run: | go run . & GO_PID=$! + sleep 2s curl --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth -v + CURL_RESPONSE=$? kill -9 $GO_PID + echo "Curl Exit code: ${CURL_RESPONSE}!" + : From 3cc399552cdf7e79761ac476df2b67c18596f87b Mon Sep 17 00:00:00 2001 
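Review bot: The `curl --header "Authorization: Bearer ${GH_TOKEN}" ... -v` line of the new Test Auth step prints the outgoing request headers, so the bearer value is written into the job log; query the status instead, `curl --silent --output /dev/null --write-out '%{http_code}' --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth`. `kill -9 $GO_PID` targets the `go run` wrapper, and SIGKILL cannot be forwarded to the compiled child it spawned, so the guard can outlive the step; running an installed binary directly avoids that. The step also never inspects the response, so the job passes whether or not the guard accepted the token. With `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` the value presented is presumably not a JWT issued by the configured `ISSUER`, so the guard would reject it regardless — worth confirming before reading anything into the result.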
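Review bot: `sleep 2s` is a fixed delay standing in for a readiness check, and with `go run . &` the compile happens inside that window, so on a slow runner the `curl` can fire before the guard is listening and the test fails spuriously. Polling the endpoint until it answers is more robust: `for _ in $(seq 1 50); do curl --silent --output /dev/null http://localhost:8000/auth && break; sleep 0.2; done`. Note also that `CURL_RESPONSE=$?` captures curl's transport exit code, which is 0 for any HTTP status, so it says nothing about whether the token was accepted.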
From: Richard87 Date: Wed, 10 Apr 2024 08:50:55 +0200 Subject: [PATCH 03/25] test curl response and token --- .github/workflows/pr.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index dfc39b1..d617594 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -71,9 +71,9 @@ jobs: go run . & GO_PID=$! sleep 2s - curl --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth -v - CURL_RESPONSE=$? + echo "${GH_TOKEN}" + CURL_RESPONSE=$(curl --write-out '%{http_code}' --silent --output /dev/null --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth) kill -9 $GO_PID - echo "Curl Exit code: ${CURL_RESPONSE}!" + echo "Curl status code: ${CURL_RESPONSE}!" : From bd281649952cd34f30a524d9443d7fe26181716f Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 08:58:25 +0200 Subject: [PATCH 04/25] test curl response and token --- .github/workflows/build.yaml | 3 --- .github/workflows/pr.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4778a7f..089b86e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -6,9 +6,6 @@ on: branches: - main workflow_dispatch: - pull_request: - branches: - - main env: diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index d617594..31b49ff 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -72,7 +72,7 @@ jobs: GO_PID=$! sleep 2s echo "${GH_TOKEN}" - CURL_RESPONSE=$(curl --write-out '%{http_code}' --silent --output /dev/null --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth) + CURL_RESPONSE=$(curl --write-out '%{http_code}' --silent --output /dev/null --header "Authorization: Bearer $(echo GH_TOKEN | base64 -d)" http://localhost:8000/auth) kill -9 $GO_PID echo "Curl status code: ${CURL_RESPONSE}!" : 
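Review bot: `echo "${GH_TOKEN}"` in the Test Auth step writes the bearer token to the job log; Actions masks values that originate from `secrets.*` in the displayed log, but that is a display filter rather than a guarantee, the line has no diagnostic value, and the workflow runs on pull requests, so it should be dropped (as [PATCH 06/25] eventually does). The same concern applies to the `base64` variants in [PATCH 04/25] and [PATCH 05/25], which are also broken: `$(echo GH_TOKEN | base64 -d)` decodes the literal string `GH_TOKEN` rather than the variable, and `$(GH_TOKEN | base64)` tries to execute the token's value as a command. Transforming a secret so that it survives log masking defeats the protection; if the shape of the value needs checking, print its length, `echo "token length: ${#GH_TOKEN}"`, not its content.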
From 634efcf81a2ae3b6ef5ec1d8d44b389ce0452275 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 09:00:38 +0200 Subject: [PATCH 05/25] test curl response and token --- .github/workflows/pr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 31b49ff..7e41b7c 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -71,8 +71,8 @@ jobs: go run . & GO_PID=$! sleep 2s - echo "${GH_TOKEN}" - CURL_RESPONSE=$(curl --write-out '%{http_code}' --silent --output /dev/null --header "Authorization: Bearer $(echo GH_TOKEN | base64 -d)" http://localhost:8000/auth) + echo "$(GH_TOKEN | base64)" + CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth) kill -9 $GO_PID echo "Curl status code: ${CURL_RESPONSE}!" : From fe531b5c1d6715fa4482dbad0b097b53b6f5335b Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 09:24:45 +0200 Subject: [PATCH 06/25] test curl response and token --- .github/workflows/pr.yml | 1 - auth.go | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 7e41b7c..2188921 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -71,7 +71,6 @@ jobs: go run . & GO_PID=$! sleep 2s - echo "$(GH_TOKEN | base64)" CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth) kill -9 $GO_PID echo "Curl status code: ${CURL_RESPONSE}!" diff --git a/auth.go b/auth.go index b7d8e37..d587a4a 100644 --- a/auth.go +++ b/auth.go 
@@ -26,10 +26,10 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { log.Trace().Func(func(e *zerolog.Event) { headers := r.Header.Clone() - headers.Del("Authorization") - if r.Header.Get("Authorization") != "" { - headers.Set("Authorization", "!REMOVED!") - } + // headers.Del("Authorization") + // if r.Header.Get("Authorization") != "" { + // headers.Set("Authorization", "!REMOVED!") + // } e.Interface("headers", headers) }).Msg("Request details") t := time.Now() From f1170b19c0ec731c5e173010e2b2a3232d9cbf4b Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 09:26:47 +0200 Subject: [PATCH 07/25] test curl response and token --- .github/workflows/pr.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 2188921..ec2dd68 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -59,6 +59,8 @@ jobs: go-version-file: 'go.mod' - name: Install dependencies run: go mod download + - name: Install oauth guard + run: go install . - name: Test Auth env: LOG_PRETTY: True @@ -68,7 +70,7 @@ jobs: SUBJECTS: repo:equinor/radix-oauth-guard:pull_request GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - go run . & + radix-oauth-guard & GO_PID=$! sleep 2s CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth) From 16c80be0e19976b8dc4c0e08bdd613cec4cd10d6 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 09:29:12 +0200 Subject: [PATCH 08/25] encode auth header --- auth.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/auth.go b/auth.go index d587a4a..902fbae 100644 --- a/auth.go +++ b/auth.go @@ -2,6 +2,7 @@ package main import ( "context" + "encoding/base64" "errors" "net/http" "slices" 
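Review bot: Commenting out `headers.Del("Authorization")` and the `!REMOVED!` substitution means the trace-level `Request details` event now logs the complete bearer token, and the workflow in this series runs the guard with `LOG_LEVEL: Trace` on pull requests, so the token would land in the job log. Redaction of the credential should not be switched off to debug the integration test; if the question is whether a header arrived at all, log its presence or byte length in place of the value. The enclosing `AuthHandler` closure starts and ends outside the hunk.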
@@ -26,10 +27,11 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { log.Trace().Func(func(e *zerolog.Event) { headers := r.Header.Clone() - // headers.Del("Authorization") - // if r.Header.Get("Authorization") != "" { - // headers.Set("Authorization", "!REMOVED!") - // } + headers.Del("Authorization") + if authHeader := r.Header.Get("Authorization"); authHeader != "" { + authHeader = base64.StdEncoding.EncodeToString([]byte(authHeader)) + headers.Set("Authorization", authHeader) + } e.Interface("headers", headers) }).Msg("Request details") t := time.Now() From d58a7f54bceb1f0be1da1912290eceb87c905381 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Wed, 10 Apr 2024 09:32:13 +0200 Subject: [PATCH 09/25] encode auth header --- auth.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/auth.go b/auth.go index 902fbae..764fef7 100644 --- a/auth.go +++ b/auth.go @@ -2,6 +2,7 @@ package main import ( "context" + "crypto/aes" "encoding/base64" "errors" "net/http" @@ -29,7 +30,14 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler { headers := r.Header.Clone() headers.Del("Authorization") if authHeader := r.Header.Get("Authorization"); authHeader != "" { - authHeader = base64.StdEncoding.EncodeToString([]byte(authHeader)) + + secretKey := "N1PCdw3M2B1TfJhoaY2mL736p2vCUc47" + aes, _ := aes.NewCipher([]byte(secretKey)) + + // Make a buffer the same length as plaintext + ciphertext := make([]byte, len(authHeader)) + aes.Encrypt(ciphertext, []byte(authHeader)) + authHeader = base64.StdEncoding.EncodeToString(ciphertext) headers.Set("Authorization", authHeader) } e.Interface("headers", headers) From a263422502ee7860a1050d31527f065ce1fe2a2b Mon Sep 17 00:00:00 2001 
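Review bot: Replacing the `!REMOVED!` placeholder with `base64.StdEncoding.EncodeToString([]byte(authHeader))` is not redaction — base64 is reversible in one step, so the trace log still discloses the bearer token to anyone who can read it. The AES variant in [PATCH 09/25] has the same problem in a different form (the `secretKey` literal is in the source, so the log content is recoverable) and is additionally incorrect: `aes.Encrypt` on a `cipher.Block` processes exactly one 16-byte block, so it panics when the header is shorter than the block size and leaves everything past the first block of `ciphertext` zeroed, the `aes.NewCipher` error is discarded with `_`, and the local `aes` shadows the package. The placeholder approach reverted to in [PATCH 13/25] is the right shape; `AuthHandler` begins and ends outside the hunk.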
From: Richard87 Date: Wed, 10 Apr 2024 09:35:19 +0200 Subject: [PATCH 10/25] encode auth header --- auth.go | 36 ++++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/auth.go b/auth.go index 764fef7..2902be0 100644 --- a/auth.go +++ b/auth.go @@ -3,6 +3,8 @@ package main import ( "context" "crypto/aes" + "crypto/cipher" + "crypto/rand" "encoding/base64" "errors" "net/http" @@ -32,12 +34,7 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler { if authHeader := r.Header.Get("Authorization"); authHeader != "" { secretKey := "N1PCdw3M2B1TfJhoaY2mL736p2vCUc47" - aes, _ := aes.NewCipher([]byte(secretKey)) - - // Make a buffer the same length as plaintext - ciphertext := make([]byte, len(authHeader)) - aes.Encrypt(ciphertext, []byte(authHeader)) - authHeader = base64.StdEncoding.EncodeToString(ciphertext) + authHeader = base64.StdEncoding.EncodeToString([]byte(encrypt(authHeader, secretKey))) headers.Set("Authorization", authHeader) } e.Interface("headers", headers) @@ -90,3 +87,30 @@ func parseAuthHeader(authorization string) (string, error) { return token, nil } + +func encrypt(plaintext, secretKey string) string { + aes, err := aes.NewCipher([]byte(secretKey)) + if err != nil { + panic(err) + } + + gcm, err := cipher.NewGCM(aes) + if err != nil { + panic(err) + } + + // We need a 12-byte nonce for GCM (modifiable if you use cipher.NewGCMWithNonceSize()) + // A nonce should always be randomly generated for every encryption. + nonce := make([]byte, gcm.NonceSize()) + _, err = rand.Read(nonce) + if err != nil { + panic(err) + } + + // ciphertext here is actually nonce+ciphertext + // So that when we decrypt, just knowing the nonce size + // is enough to separate it from the ciphertext. + ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil) + + return string(ciphertext) +} From 49da343c887edbb2a1b200435a0afc84bbb635d9 Mon Sep 17 00:00:00 2001 
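Review bot: `encrypt` calls `panic(err)` on three paths, and it is invoked from inside the `log.Trace().Func` hook on every request, so a failure in the logging path would crash the whole guard rather than just drop one log line. The key it uses is the `secretKey` string literal from the handler, so the ciphertext written to the log can be decrypted by anyone with access to the repository; encrypting a credential before logging it gives no real confidentiality here, and the `!REMOVED!` placeholder the series later returns to is the correct fix. If a helper like this were kept, it should return `(string, error)` and the caller should fall back to the placeholder on error instead of panicking.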
From: Richard87 Date: Thu, 18 Apr 2024 09:45:29 +0200 Subject: [PATCH 11/25] get id token --- .github/workflows/pr.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index ec2dd68..f8be036 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -61,6 +61,13 @@ jobs: run: go mod download - name: Install oauth guard run: go install . + + - uses: actions/github-script@v7 + id: get-id-token + with: + script: | + return await core.getIDToken() + result-encoding: string - name: Test Auth env: LOG_PRETTY: True @@ -68,7 +75,7 @@ jobs: ISSUER: "https://token.actions.githubusercontent.com" AUDIENCE: "https://github.com/equinor" SUBJECTS: repo:equinor/radix-oauth-guard:pull_request - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.get-id-token.outputs.result }} run: | radix-oauth-guard & GO_PID=$! From a2c69b462131d3c0192e503d282789ac7de1aedd Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 09:48:13 +0200 Subject: [PATCH 12/25] restart test --- .github/workflows/pr.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f8be036..f0cb013 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -84,4 +84,3 @@ jobs: kill -9 $GO_PID echo "Curl status code: ${CURL_RESPONSE}!" : - From 60cda0ebb0c75edc5fa1157fef438f38229a5911 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:00:00 +0200 Subject: [PATCH 13/25] remove auth header --- auth.go | 38 ++------------------------------------ 1 file changed, 2 insertions(+), 36 deletions(-) diff --git a/auth.go b/auth.go index 2902be0..b7d8e37 100644 --- a/auth.go +++ b/auth.go @@ -2,10 +2,6 @@ package main import ( "context" - "crypto/aes" - "crypto/cipher" - "crypto/rand" - "encoding/base64" "errors" "net/http" "slices" 
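Review bot: The id token obtained with `core.getIDToken()` is passed through `steps.get-id-token.outputs.result`, and step outputs are not masked unless the script registers them, so the JWT can appear verbatim in the job log (for example in the step's env dump or any later echo); register it before returning, `script: const t = await core.getIDToken(); core.setSecret(t); return t`. At this point in the series `auth.go` still logs the Authorization header at trace level under an in-source key, so the same token would presumably also reach the guard's log output. The token is short-lived and audience-scoped, which limits the exposure but does not remove it.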
@@ -31,11 +27,8 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler { log.Trace().Func(func(e *zerolog.Event) { headers := r.Header.Clone() headers.Del("Authorization") - if authHeader := r.Header.Get("Authorization"); authHeader != "" { - - secretKey := "N1PCdw3M2B1TfJhoaY2mL736p2vCUc47" - authHeader = base64.StdEncoding.EncodeToString([]byte(encrypt(authHeader, secretKey))) - headers.Set("Authorization", authHeader) + if r.Header.Get("Authorization") != "" { + headers.Set("Authorization", "!REMOVED!") } e.Interface("headers", headers) }).Msg("Request details") @@ -87,30 +80,3 @@ func parseAuthHeader(authorization string) (string, error) { return token, nil } - -func encrypt(plaintext, secretKey string) string { - aes, err := aes.NewCipher([]byte(secretKey)) - if err != nil { - panic(err) - } - - gcm, err := cipher.NewGCM(aes) - if err != nil { - panic(err) - } - - // We need a 12-byte nonce for GCM (modifiable if you use cipher.NewGCMWithNonceSize()) - // A nonce should always be randomly generated for every encryption. - nonce := make([]byte, gcm.NonceSize()) - _, err = rand.Read(nonce) - if err != nil { - panic(err) - } - - // ciphertext here is actually nonce+ciphertext - // So that when we decrypt, just knowing the nonce size - // is enough to separate it from the ciphertext. - ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil) - - return string(ciphertext) -} From 6e72f38abb48d4a8d1aa08f35a9f3ba87b0d94cf Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:00:14 +0200 Subject: [PATCH 14/25] add test --- .github/workflows/pr.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f0cb013..43be949 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -77,10 +77,21 @@ jobs: SUBJECTS: repo:equinor/radix-oauth-guard:pull_request GH_TOKEN: ${{ steps.get-id-token.outputs.result }} run: | + function assert() { + local $token="${1}" + local $expected="${1}" + local $msg="${2}" + + CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${token}" http://localhost:8000/auth) + printf "Test: %15s: Result %s == %s\n" ${msg} ${expected} ${CURL_RESPONSE} + } + radix-oauth-guard & GO_PID=$! sleep 2s - CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth) + + assert "${GH_TOKEN}" "200" "Valid token is OK" + kill -9 $GO_PID echo "Curl status code: ${CURL_RESPONSE}!" : From 308ce7c964a625c43a1860771c04990ebea472e7 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:02:49 +0200 Subject: [PATCH 15/25] add tests --- .github/workflows/pr.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 43be949..b4bedf9 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -68,6 +68,12 @@ jobs: script: | return await core.getIDToken() result-encoding: string + - uses: actions/github-script@v7 + id: get-invalid-aud-id-token + with: + script: | + return await core.getIDToken("invalid-audience") + result-encoding: string - name: Test Auth env: LOG_PRETTY: True @@ -76,6 +82,7 @@ jobs: AUDIENCE: "https://github.com/equinor" SUBJECTS: repo:equinor/radix-oauth-guard:pull_request GH_TOKEN: ${{ steps.get-id-token.outputs.result }} + INVALID_GH_TOKEN: ${{ steps.get-invalid-aud-id-token.outputs.result }} run: | function assert() { local $token="${1}" 
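Review bot: The three `local $token="${1}"`-style lines in the new `assert` function expand the (still unset) variable before assignment, so bash executes `local ="..."` and fails, and the positional indices are off (`expected` reads `${1}`, `msg` reads `${2}`); they should be `local token="${1}"`, `local expected="${2}"`, `local msg="${3}"` ([PATCH 16/25] makes that change). As written the function only prints the comparison and never fails the step, so a wrong status code does not fail CI. The unquoted `${msg}` in the `printf` is split on spaces, which shifts the remaining arguments.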
@@ -91,6 +98,9 @@ jobs: sleep 2s assert "${GH_TOKEN}" "200" "Valid token is OK" + assert "" "401" "No token is unauthorized" + assert "ABCD${GH_TOKEN}" "403" "Invalid token is forbidden" + assert "${INVALID_GH_TOKEN}" "403" "Wrong Audience is forbidden" kill -9 $GO_PID echo "Curl status code: ${CURL_RESPONSE}!" From 60ccb05bc5a36f0bc97114e864bee878c1c7b29d Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:07:43 +0200 Subject: [PATCH 16/25] add tests --- .github/workflows/pr.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index b4bedf9..a061786 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -85,9 +85,9 @@ jobs: INVALID_GH_TOKEN: ${{ steps.get-invalid-aud-id-token.outputs.result }} run: | function assert() { - local $token="${1}" - local $expected="${1}" - local $msg="${2}" + local token="${1}" + local expected="${2}" + local msg="${3}" CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${token}" http://localhost:8000/auth) printf "Test: %15s: Result %s == %s\n" ${msg} ${expected} ${CURL_RESPONSE} From 0635393f55ad83de450cecc08f4113e4be11fab1 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:08:48 +0200 Subject: [PATCH 17/25] add tests --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index a061786..eaf7f56 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -89,7 +89,7 @@ jobs: local expected="${2}" local msg="${3}" - CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${token}" http://localhost:8000/auth) + CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --silent --header "Authorization: Bearer ${token}" http://localhost:8000/auth) printf "Test: %15s: Result %s == %s\n" ${msg} ${expected} ${CURL_RESPONSE} } From 90543353d979065eb83b67d8df11580611b0f0b3 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:10:45 +0200 Subject: [PATCH 18/25] cleanup test --- .github/workflows/pr.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index eaf7f56..cec382d 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -90,7 +90,7 @@ jobs: local msg="${3}" CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --silent --header "Authorization: Bearer ${token}" http://localhost:8000/auth) - printf "Test: %15s: Result %s == %s\n" ${msg} ${expected} ${CURL_RESPONSE} + printf "Test: %15s: Result %s == %s\n" "${msg}" "${expected}" "${CURL_RESPONSE}" } radix-oauth-guard & @@ -103,5 +103,4 @@ jobs: assert "${INVALID_GH_TOKEN}" "403" "Wrong Audience is forbidden" kill -9 $GO_PID - echo "Curl status code: ${CURL_RESPONSE}!" : From 3377e30931aa9f54a0528deba4f91d34fd95b2dc Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:13:26 +0200 Subject: [PATCH 19/25] exit failed --- .github/workflows/pr.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index cec382d..82ee525 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -90,7 +90,14 @@ jobs: local msg="${3}" CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --silent --header "Authorization: Bearer ${token}" http://localhost:8000/auth) - printf "Test: %15s: Result %s == %s\n" "${msg}" "${expected}" "${CURL_RESPONSE}" + printf "Test: %15s: Result %s == %s: " "${msg}" "${expected}" "${CURL_RESPONSE}" + + if [ "${2}" != "${CURL_RESPONSE}" ]; then + printf "Failed\n" + exit 255 + fi + + printf "OK\n" } radix-oauth-guard & From 1ecc726b9aa86925255ad52b39e48f78f9e59d95 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:16:58 +0200 Subject: [PATCH 20/25] fix invalid token test --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 82ee525..be9d3a0 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -106,7 +106,7 @@ jobs: assert "${GH_TOKEN}" "200" "Valid token is OK" assert "" "401" "No token is unauthorized" - assert "ABCD${GH_TOKEN}" "403" "Invalid token is forbidden" + assert "ABCD${GH_TOKEN}" "401" "Invalid token is unauthorized" assert "${INVALID_GH_TOKEN}" "403" "Wrong Audience is forbidden" kill -9 $GO_PID From 9fdab2bcab65d3dd28ea8850c8a2e7518683bdac Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:20:43 +0200 Subject: [PATCH 21/25] Add test for wrong subject --- .github/workflows/pr.yml | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index be9d3a0..725351e 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
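Review bot: `exit 255` inside `assert` terminates the step script while the guard started with `radix-oauth-guard &` is still running, so on a failed assertion the background process is never killed and the later `kill -9 $GO_PID` is skipped. Registering the cleanup once after the process is started makes it run on every exit path: `trap 'kill -9 $GO_PID 2>/dev/null' EXIT`. The comparison also uses `"${2}"` instead of the `expected` local declared two lines above it ([PATCH 25/25] fixes this); the `assert` function starts outside the hunk.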
@@ -80,7 +80,7 @@ jobs: LOG_LEVEL: Trace ISSUER: "https://token.actions.githubusercontent.com" AUDIENCE: "https://github.com/equinor" - SUBJECTS: repo:equinor/radix-oauth-guard:pull_request + SUBJECTS: repo:equinor/radix-oauth-guard:pull_request,testmultiplesubjects GH_TOKEN: ${{ steps.get-id-token.outputs.result }} INVALID_GH_TOKEN: ${{ steps.get-invalid-aud-id-token.outputs.result }} run: | @@ -107,7 +107,40 @@ jobs: assert "${GH_TOKEN}" "200" "Valid token is OK" assert "" "401" "No token is unauthorized" assert "ABCD${GH_TOKEN}" "401" "Invalid token is unauthorized" - assert "${INVALID_GH_TOKEN}" "403" "Wrong Audience is forbidden" + assert "${INVALID_GH_TOKEN}" "401" "Wrong Audience is unauthorized" + + kill -9 $GO_PID + : + - name: Test Wrong subject Auth + env: + LOG_PRETTY: True + LOG_LEVEL: Trace + ISSUER: "https://token.actions.githubusercontent.com" + AUDIENCE: "https://github.com/equinor" + SUBJECTS: repo:equinor/radix-oauth-guard:WRONG_SUBJECT + GH_TOKEN: ${{ steps.get-id-token.outputs.result }} + run: | + function assert() { + local token="${1}" + local expected="${2}" + local msg="${3}" + + CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --silent --header "Authorization: Bearer ${token}" http://localhost:8000/auth) + printf "Test: %15s: Result %s == %s: " "${msg}" "${expected}" "${CURL_RESPONSE}" + + if [ "${2}" != "${CURL_RESPONSE}" ]; then + printf "Failed\n" + exit 255 + fi + + printf "OK\n" + } + + radix-oauth-guard & + GO_PID=$! + sleep 2s + + assert "${GH_TOKEN}" "200" "Wrong Subject is Forbidden" kill -9 $GO_PID : From cb3ef1ec43608bc2a3e6ba36889a2a7bc3ff13ed Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:21:51 +0200 Subject: [PATCH 22/25] fix test --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 725351e..935b924 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -140,7 +140,7 @@ jobs: GO_PID=$! sleep 2s - assert "${GH_TOKEN}" "200" "Wrong Subject is Forbidden" + assert "${GH_TOKEN}" "403" "Wrong Subject is Forbidden" kill -9 $GO_PID : From a9525ef1125129a97b07d3c07d1e98a6bef3874e Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:23:16 +0200 Subject: [PATCH 23/25] fix test --- .github/workflows/pr.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 935b924..11996dc 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -93,11 +93,11 @@ jobs: printf "Test: %15s: Result %s == %s: " "${msg}" "${expected}" "${CURL_RESPONSE}" if [ "${2}" != "${CURL_RESPONSE}" ]; then - printf "Failed\n" + printf "Failed\n\n" exit 255 fi - printf "OK\n" + printf "OK\n\n" } radix-oauth-guard & @@ -129,11 +129,11 @@ jobs: printf "Test: %15s: Result %s == %s: " "${msg}" "${expected}" "${CURL_RESPONSE}" if [ "${2}" != "${CURL_RESPONSE}" ]; then - printf "Failed\n" + printf "Failed\n\n" exit 255 fi - printf "OK\n" + printf "OK\n\n" } radix-oauth-guard & From ac6f34627865a7827704de845ae5084d03afbe91 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:32:52 +0200 Subject: [PATCH 24/25] simplify test --- .github/workflows/pr.yml | 35 ++++------------------------------- 1 file changed, 4 insertions(+), 31 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 11996dc..10d5146 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -65,14 +65,12 @@ jobs: - uses: actions/github-script@v7 id: get-id-token with: - script: | - return await core.getIDToken() + script: return await core.getIDToken() result-encoding: string - uses: actions/github-script@v7 id: get-invalid-aud-id-token with: - script: | - return await core.getIDToken("invalid-audience") + script: return await core.getIDToken("invalid-audience") result-encoding: string - name: Test Auth env: 
@@ -110,37 +108,12 @@ jobs: assert "${INVALID_GH_TOKEN}" "401" "Wrong Audience is unauthorized" kill -9 $GO_PID - : - - name: Test Wrong subject Auth - env: - LOG_PRETTY: True - LOG_LEVEL: Trace - ISSUER: "https://token.actions.githubusercontent.com" - AUDIENCE: "https://github.com/equinor" - SUBJECTS: repo:equinor/radix-oauth-guard:WRONG_SUBJECT - GH_TOKEN: ${{ steps.get-id-token.outputs.result }} - run: | - function assert() { - local token="${1}" - local expected="${2}" - local msg="${3}" - CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --silent --header "Authorization: Bearer ${token}" http://localhost:8000/auth) - printf "Test: %15s: Result %s == %s: " "${msg}" "${expected}" "${CURL_RESPONSE}" - - if [ "${2}" != "${CURL_RESPONSE}" ]; then - printf "Failed\n\n" - exit 255 - fi - - printf "OK\n\n" - } - - radix-oauth-guard & + # Test different subject + SUBJECTS=WRONG_SUBJECT radix-oauth-guard & GO_PID=$! sleep 2s assert "${GH_TOKEN}" "403" "Wrong Subject is Forbidden" - kill -9 $GO_PID : From 49b2a4c46cd43f1fabfeb463643d68884590cd61 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 18 Apr 2024 10:41:37 +0200 Subject: [PATCH 25/25] use local variable name in if statement --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 10d5146..cd98284 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -90,7 +90,7 @@ jobs: CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --silent --header "Authorization: Bearer ${token}" http://localhost:8000/auth) printf "Test: %15s: Result %s == %s: " "${msg}" "${expected}" "${CURL_RESPONSE}" - if [ "${2}" != "${CURL_RESPONSE}" ]; then + if [ "${expected}" != "${CURL_RESPONSE}" ]; then printf "Failed\n\n" exit 255 fi
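Review bot: `SUBJECTS=WRONG_SUBJECT radix-oauth-guard &` starts the second guard immediately after `kill -9 $GO_PID` on the first; `kill` returns as soon as the signal is queued, so port 8000 may still be held when the new process tries to bind, and the only cushion is the same fixed `sleep 2s`. Reaping the first process before relaunching removes the race: `kill -9 $GO_PID; wait $GO_PID 2>/dev/null || true`. The hunk also reads as dropping the trailing `kill -9 $GO_PID` after the wrong-subject assertion, which would leave the second guard running when the step ends; if that is intended, a `trap ... EXIT` set once after the first `GO_PID=$!` is a cleaner way to guarantee cleanup on both the success and `exit 255` paths.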