From 7a13523004a86cd415f18c80cc73ce68da310ff4 Mon Sep 17 00:00:00 2001 From: Clement Michaud Date: Wed, 25 Apr 2018 09:30:21 +0200 Subject: [PATCH] Fix basic authentication and tests --- example/compose/nginx/portal/nginx.conf | 3 +++ server/src/lib/routes/firstfactor/get.ts | 2 +- server/src/lib/routes/firstfactor/post.ts | 2 +- server/src/lib/routes/verify/get.ts | 6 ++++-- test/features/access-control.feature | 6 +++--- test/features/auth-portal-redirection.feature | 8 ++++---- test/features/authentication.feature | 4 ++-- test/features/redirection.feature | 8 ++++---- test/features/regulation.feature | 4 ++-- test/features/resilience.feature | 4 ++-- test/features/session-timeout.feature | 4 ++-- test/features/single-factor-domain.feature | 8 ++++---- test/features/single-factor-only-server.feature | 2 +- 13 files changed, 33 insertions(+), 28 deletions(-) diff --git a/example/compose/nginx/portal/nginx.conf b/example/compose/nginx/portal/nginx.conf index 84dbd5b0..314e0003 100644 --- a/example/compose/nginx/portal/nginx.conf +++ b/example/compose/nginx/portal/nginx.conf @@ -299,6 +299,9 @@ http { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; + # This header is required for basic authentication. + proxy_set_header Proxy-Authorization $http_authorization; + proxy_pass_request_body off; proxy_set_header Content-Length ""; diff --git a/server/src/lib/routes/firstfactor/get.ts b/server/src/lib/routes/firstfactor/get.ts index 9cb793da..bddba7e0 100644 --- a/server/src/lib/routes/firstfactor/get.ts +++ b/server/src/lib/routes/firstfactor/get.ts @@ -22,7 +22,7 @@ function redirectToSecondFactorPage(req: express.Request, res: express.Response) else res.redirect(Util.format("%s?%s=%s", Endpoints.SECOND_FACTOR_GET, Constants.REDIRECT_QUERY_PARAM, - encodeURIComponent(redirectUrl))); + redirectUrl)); } function redirectToService(req: express.Request, res: express.Response) { diff --git a/server/src/lib/routes/firstfactor/post.ts b/server/src/lib/routes/firstfactor/post.ts index d72ed1da..ecf1d85a 100644 --- a/server/src/lib/routes/firstfactor/post.ts +++ b/server/src/lib/routes/firstfactor/post.ts @@ -75,7 +75,7 @@ export default function (vars: ServerVariables) { let newRedirectUrl = Endpoint.SECOND_FACTOR_GET; if (redirectUrl) { newRedirectUrl += "?" + Constants.REDIRECT_QUERY_PARAM + "=" - + encodeURIComponent(redirectUrl); + + redirectUrl; } vars.logger.debug(req, "Redirect to '%s'", newRedirectUrl); res.send({ diff --git a/server/src/lib/routes/verify/get.ts b/server/src/lib/routes/verify/get.ts index 79fda877..08d09437 100644 --- a/server/src/lib/routes/verify/get.ts +++ b/server/src/lib/routes/verify/get.ts @@ -6,6 +6,7 @@ import { ServerVariables } from "../../ServerVariables"; import GetWithSessionCookieMethod from "./get_session_cookie"; import GetWithBasicAuthMethod from "./get_basic_auth"; import Constants = require("../../../../../shared/constants"); +import ObjectPath = require("object-path"); import { AuthenticationSessionHandler } from "../../AuthenticationSessionHandler"; @@ -30,8 +31,9 @@ function verifyWithSelectedMethod(req: Express.Request, res: Express.Response, function setRedirectHeader(req: Express.Request, res: Express.Response) { return function () { - res.set("Redirect", encodeURIComponent("https://" + req.headers["host"] + - req.headers["x-original-uri"])); + const originalUrl = ObjectPath.get( + req, "headers.x-original-url"); + res.set("Redirect", originalUrl); return BluebirdPromise.resolve(); }; } diff --git a/test/features/access-control.feature b/test/features/access-control.feature index 701e3042..5539b559 100644 --- a/test/features/access-control.feature +++ b/test/features/access-control.feature @@ -2,7 +2,7 @@ Feature: User has access restricted access to domains @need-registered-user-john Scenario: User john has admin access - When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F" + When I visit "https://login.example.com:8080?rd=https://home.example.com:8080/" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" @@ -20,7 +20,7 @@ Feature: User has access restricted access to domains @need-registered-user-bob Scenario: User bob has restricted access - When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F" + When I visit "https://login.example.com:8080?rd=https://home.example.com:8080/" And I login with user "bob" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" @@ -38,7 +38,7 @@ Feature: User has access restricted access to domains @need-registered-user-harry Scenario: User harry has restricted access - When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F" + When I visit "https://login.example.com:8080?rd=https://home.example.com:8080/" And I login with user "harry" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" diff --git a/test/features/auth-portal-redirection.feature b/test/features/auth-portal-redirection.feature index 22445d79..1fd5bb5c 100644 --- a/test/features/auth-portal-redirection.feature +++ b/test/features/auth-portal-redirection.feature @@ -3,16 +3,16 @@ Feature: User is redirected when factors are already validated @need-registered-user-john Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step. When I visit "https://single_factor.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https://single_factor.example.com:8080/secret.html" And I login with user "john" and password "password" And I'm redirected to "https://single_factor.example.com:8080/secret.html" And I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https://public.example.com:8080/secret.html" @need-registered-user-john Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration When I visit "https://public.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" @@ -25,7 +25,7 @@ Feature: User is redirected when factors are already validated @need-registered-user-john Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL When I visit "https://public.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" diff --git a/test/features/authentication.feature b/test/features/authentication.feature index 4583d707..851c7e5e 100644 --- a/test/features/authentication.feature +++ b/test/features/authentication.feature @@ -19,7 +19,7 @@ Feature: Authentication scenarii And I login with user "john" and password "password" And I register a TOTP secret called "Sec0" When I visit "https://admin.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html" And I login with user "john" and password "password" And I use "Sec0" as TOTP token handle And I click on "Sign in" @@ -27,7 +27,7 @@ Feature: Authentication scenarii Scenario: User fails TOTP second factor When I visit "https://admin.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html" And I login with user "john" and password "password" And I use "BADTOKEN" as TOTP token And I click on "Sign in" diff --git a/test/features/redirection.feature b/test/features/redirection.feature index 3d392431..e5fc3612 100644 --- a/test/features/redirection.feature +++ b/test/features/redirection.feature @@ -2,7 +2,7 @@ Feature: User is correctly redirected Scenario: User is redirected to authelia when he is not authenticated When I visit "https://public.example.com:8080" - Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2F" + Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/" @need-registered-user-john Scenario: User is redirected to home page after several authentication tries @@ -22,7 +22,7 @@ Feature: User is correctly redirected Scenario: Redirection URL is propagated from restricted page to first factor When I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html" Scenario: Redirection URL is propagated from first factor to second factor Given I visit "https://login.example.com:8080/" @@ -30,7 +30,7 @@ Feature: User is correctly redirected And I register a TOTP secret called "Sec0" When I visit "https://public.example.com:8080/secret.html" And I login with user "john" and password "password" - Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https://public.example.com:8080/secret.html" Scenario: Redirection URL is used to send user from second factor to target page Given I visit "https://login.example.com:8080/" @@ -67,4 +67,4 @@ Feature: User is correctly redirected When I visit "https://admin.example.com:8080/secret.html" Then I'm redirected to "https://login.example.com:8080/error/403" And I sleep for 5 seconds - And I'm redirected to "https://home.example.com:8080/" \ No newline at end of file + And I'm redirected to "https://home.example.com:8080/" diff --git a/test/features/regulation.feature b/test/features/regulation.feature index d0c385d6..39504d7e 100644 --- a/test/features/regulation.feature +++ b/test/features/regulation.feature @@ -20,7 +20,7 @@ Feature: Authelia regulates authentication to avoid brute force @need-registered-user-blackhat Scenario: User is unbanned after a configured amount of time - Given I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Given I visit "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html" And I set field "username" to "blackhat" And I set field "password" to "bad-password" And I click on "Sign in" @@ -36,4 +36,4 @@ Feature: Authelia regulates authentication to avoid brute force And I click on "Sign in" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://public.example.com:8080/secret.html" \ No newline at end of file + Then I'm redirected to "https://public.example.com:8080/secret.html" diff --git a/test/features/resilience.feature b/test/features/resilience.feature index 0bb6d5c5..a110d4f8 100644 --- a/test/features/resilience.feature +++ b/test/features/resilience.feature @@ -8,8 +8,8 @@ Feature: Authelia keeps user sessions despite the application restart @need-registered-user-john Scenario: Secrets are stored even when Authelia restarts When the application restarts - And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://admin.example.com:8080/secret.html" \ No newline at end of file + Then I'm redirected to "https://admin.example.com:8080/secret.html" diff --git a/test/features/session-timeout.feature b/test/features/session-timeout.feature index 0306b001..09bfb1fd 100644 --- a/test/features/session-timeout.feature +++ b/test/features/session-timeout.feature @@ -6,7 +6,7 @@ Feature: Session is closed after a certain amount of time Given I have access to "https://public.example.com:8080/secret.html" When I sleep for 6 seconds And I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html" @need-authenticated-user-john Scenario: An authenticated user is disconnected after session expiration period @@ -17,4 +17,4 @@ Feature: Session is closed after a certain amount of time And I visit "https://public.example.com:8080/secret.html" And I sleep for 4 seconds And I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" \ No newline at end of file + Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html" diff --git a/test/features/single-factor-domain.feature b/test/features/single-factor-domain.feature index 6b15847f..db13bb94 100644 --- a/test/features/single-factor-domain.feature +++ b/test/features/single-factor-domain.feature @@ -1,15 +1,15 @@ Feature: User can access certain subdomains with single factor Scenario: User is redirected to service after first factor if allowed - When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html" + When I visit "https://login.example.com:8080/?rd=https://single_factor.example.com:8080/secret.html" And I login with user "john" and password "password" Then I'm redirected to "https://single_factor.example.com:8080/secret.html" Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor. - When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + When I visit "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html" And I login with user "john" and password "password" - Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html" Scenario: User can login using basic authentication When I request "https://single_factor.example.com:8080/secret.html" with username "john" and password "password" using basic authentication - Then I receive the secret page \ No newline at end of file + Then I receive the secret page diff --git a/test/features/single-factor-only-server.feature b/test/features/single-factor-only-server.feature index 25b233ad..4d3fc42f 100644 --- a/test/features/single-factor-only-server.feature +++ b/test/features/single-factor-only-server.feature @@ -3,7 +3,7 @@ Feature: Server is configured as a single factor only server @need-registered-user-john Scenario: User is redirected to service after first factor if allowed - When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + When I visit "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html" And I login with user "john" and password "password" Then I'm redirected to "https://public.example.com:8080/secret.html"