Merge pull request #27 from gambol99/wip

Wip

Merge pull request #27 from gambol99/wip
b3a1eea4 · Rohith · 00629a68 · 3f41a6a4 · b3a1eea4 · b3a1eea4
Commit b3a1eea4 authored Feb 24, 2016 by Rohith
--- a/config.go
+++ b/config.go
@@ -158,6 +158,9 @@ func readOptions(cx *cli.Context, config *Config) (err error) {
 	if cx.IsSet("encryption-key") {
 		config.EncryptionKey = cx.String("encryption-key")
 	}
+	if cx.IsSet("no-redirects") {
+		config.NoRedirects = cx.Bool("no-redirects")
+	}
 	if cx.IsSet("redirection-url") {
 		config.RedirectionURL = cx.String("redirection-url")
 	}
@@ -309,6 +312,10 @@ func getOptions() []cli.Flag {
 			Name:  "encryption-key",
 			Usage: "the encryption key used to encrpytion the session state",
 		},
+		cli.BoolFlag{
+			Name:  "no-redirects",
+			Usage: "do not have back redirects when no authentication is present, simple reply with 401 code",
+		},
 		cli.StringFlag{
 			Name:  "redirection-url",
 			Usage: fmt.Sprintf("the redirection url, namely the site url, note: %s will be added to it", oauthURL),

--- a/doc.go
+++ b/doc.go
@@ -95,6 +95,8 @@ type Config struct {
 	ClientID string `json:"clientid" yaml:"clientid"`
 	// Secret is the secret for AS
 	Secret string `json:"secret" yaml:"secret"`
+	// NoRedirects informs we should hand back a 401 not a redirect
+	NoRedirects bool `json:"no-redirects" yaml:"no-redirects"`
 	// RedirectionURL the redirection url
 	RedirectionURL string `json:"redirection_url" yaml:"redirection_url"`
 	// EnableSecurityFilter enabled the security handler

--- a/server.go
+++ b/server.go
@@ -217,13 +217,19 @@ func (r KeycloakProxy) accessForbidden(cx *gin.Context) {

 // redirectToAuthorization redirects the user to authorization handler
 func (r KeycloakProxy) redirectToAuthorization(cx *gin.Context) {
+	// step: are we handling redirects?
+	if r.config.NoRedirects {
+		cx.AbortWithStatus(http.StatusUnauthorized)
+		return
+	}
+
 	// step: add a state referrer to the authorization page
 	authQuery := fmt.Sprintf("?state=%s", cx.Request.URL.String())

 	// step: if verification is switched off, we can't authorization
 	if r.config.SkipTokenVerification {
 		log.Errorf("refusing to redirection to authorization endpoint, skip token verification switched on")
-		r.accessForbidden(cx)
+		cx.AbortWithStatus(http.StatusForbidden)
 		return
 	}

@@ -253,6 +259,20 @@ func (r *KeycloakProxy) injectCORSHeaders(cx *gin.Context) {
 	}
 }

+func (r *KeycloakProxy) addAuthenticationHeader(cx *gin.Context, errorCode, errorMessage string) {
+	// step: inject the error message
+	header := "Bearer realm=\"secure\""
+	if errorCode != "" {
+		header += fmt.Sprintf(",error=\"%s\"", errorCode)
+	}
+	if errorMessage != "" {
+		header += fmt.Sprintf(", error_description=\"%s\"", errorMessage)
+	}
+
+	// step: add the www-authenticate header
+	cx.Writer.Header().Set("WWW-Authenticate", header)
+}
+
 // tryUpdateConnection attempt to upgrade the connection to a http pdy stream
 func (r *KeycloakProxy) tryUpdateConnection(cx *gin.Context) error {
 	// step: dial the endpoint

--- a/server_test.go
+++ b/server_test.go
@@ -20,11 +20,12 @@ import (
 	"io/ioutil"
 	"net"
 	"net/http"
+	"net/url"
 	"testing"

 	log "github.com/Sirupsen/logrus"
 	"github.com/gin-gonic/gin"
-	"net/url"
+	"github.com/stretchr/testify/assert"
 )

 const (
@@ -48,11 +49,8 @@ func newFakeKeycloakProxyWithResources(t *testing.T, resources []*Resource) *Key
 	return kc
 }

-func newFakeKeycloakProxy(t *testing.T) *KeycloakProxy {
-	log.SetOutput(ioutil.Discard)
-
-	kc := &KeycloakProxy{
-		config: &Config{
+func newFakeKeycloakConfig(t *testing.T) *Config {
+	return &Config{
 		DiscoveryURL:          "127.0.0.1:",
 		ClientID:              fakeClientID,
 		Secret:                fakeSecret,
@@ -95,7 +93,14 @@ func newFakeKeycloakProxy(t *testing.T) *KeycloakProxy {
 			},
 		},
 		CORS: &CORS{},
-		},
+	}
+}
+
+func newFakeKeycloakProxy(t *testing.T) *KeycloakProxy {
+	log.SetOutput(ioutil.Discard)
+
+	kc := &KeycloakProxy{
+		config: newFakeKeycloakConfig(t),
 		proxy:  new(fakeReverseProxy),
 	}
 	kc.router = gin.New()
@@ -106,21 +111,50 @@ func newFakeKeycloakProxy(t *testing.T) *KeycloakProxy {
 	return kc
 }

+func TestNewKeycloakProxy(t *testing.T) {
+	proxy, err := newKeycloakProxy(newFakeKeycloakConfig(t))
+	assert.NoError(t, err)
+	assert.NotNil(t, proxy)
+	assert.NotNil(t, proxy.config)
+	assert.NotNil(t, proxy.router)
+	assert.NotNil(t, proxy.upstreamURL)
+}
+
 func TestRedirectToAuthorization(t *testing.T) {
 	context := newFakeGinContext("GET", "/admin")
 	proxy := newFakeKeycloakProxy(t)

 	proxy.config.SkipTokenVerification = false
 	proxy.redirectToAuthorization(context)
-	if context.Writer.Status() != http.StatusTemporaryRedirect {
-		t.Errorf("we should have been given a temporary redirect")
+	assert.Equal(t, http.StatusTemporaryRedirect, context.Writer.Status())
 }

+func TestRedirectToAuthorizationSkipToken(t *testing.T) {
+	context := newFakeGinContext("GET", "/admin")
+	proxy := newFakeKeycloakProxy(t)
+
 	proxy.config.SkipTokenVerification = true
 	proxy.redirectToAuthorization(context)
-	if context.Writer.Status() != http.StatusForbidden {
-		t.Errorf("we should have been given a forbidden code")
+	assert.Equal(t, http.StatusForbidden, context.Writer.Status())
+}
+
+func TestRedirectToAuthorizationUnauthorized(t *testing.T) {
+	context := newFakeGinContext("GET", "/admin")
+	proxy := newFakeKeycloakProxy(t)
+	proxy.config.SkipTokenVerification = false
+	proxy.config.NoRedirects = true
+
+	proxy.redirectToAuthorization(context)
+	assert.Equal(t, http.StatusUnauthorized, context.Writer.Status())
 }
+
+func TestInitializeReverseProxy(t *testing.T) {
+	proxy := newFakeKeycloakProxy(t)
+
+	uri, _ := url.Parse("http://127.0.0.1:8080")
+	reverse, err := proxy.initializeReverseProxy(uri)
+	assert.NoError(t, err)
+	assert.NotNil(t, reverse)
 }

 func TestRedirectURL(t *testing.T) {