Add tests on headers forwarded to backend

Ensure Remote-User and Remote-Groups can be forwarded to the backend app.
Clement Michaud 2017-10-14 15:04:43 +02:00
parent f041b946d9
commit 8cf58d7b31
11 changed files with 65 additions and 16 deletions


@ -0,0 +1,6 @@
version: '2'
services:
httpbin:
image: citizenstig/httpbin
networks:
- example-network
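Review bot: The `image: citizenstig/httpbin` line names a third-party image with no tag or digest, so every run of the example and of the test suite pulls whatever `latest` points to at that moment. Pin it, for example `image: citizenstig/httpbin@sha256:<digest-of-the-reviewed-image>`, so the backend that receives the identity headers is the one that was reviewed. The service publishes no ports, which is the right shape for a backend that trusts proxy-set headers; a one-line comment saying it must stay reachable only through nginx would help keep it that way.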


@ -74,16 +74,16 @@ http {
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
proxy_pass http://authelia/verify; proxy_pass http://authelia/verify;
} }
location / { location / {
auth_request /auth_verify; auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect;
proxy_set_header Redirect $redirect;
auth_request_set $redirect $upstream_http_redirect;
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
proxy_set_header X-Forwarded-User $user; proxy_set_header X-Forwarded-User $user;
@ -93,6 +93,23 @@ http {
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://auth.test.local:8080/error/403;
} }
location /headers {
auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect;
auth_request_set $user $upstream_http_remote_user;
proxy_set_header Custom-Forwarded-User $user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Custom-Forwarded-Groups $groups;
proxy_pass http://httpbin:8000/headers;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403;
}
} }
server { server {
@ -110,15 +127,15 @@ http {
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
proxy_pass http://authelia/verify; proxy_pass http://authelia/verify;
} }
location / { location / {
auth_request /auth_verify; auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect; auth_request_set $redirect $upstream_http_redirect;
proxy_set_header Redirect $redirect;
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
proxy_set_header X-Forwarded-User $user; proxy_set_header X-Forwarded-User $user;
@ -146,15 +163,15 @@ http {
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
proxy_pass http://authelia/verify; proxy_pass http://authelia/verify;
} }
location / { location / {
auth_request /auth_verify; auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect; auth_request_set $redirect $upstream_http_redirect;
proxy_set_header Redirect $redirect;
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
proxy_set_header X-Forwarded-User $user; proxy_set_header X-Forwarded-User $user;
@ -189,9 +206,8 @@ http {
location / { location / {
auth_request /auth_verify; auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect; auth_request_set $redirect $upstream_http_redirect;
proxy_set_header Redirect $redirect;
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
proxy_set_header X-Forwarded-User $user; proxy_set_header X-Forwarded-User $user;
@ -226,9 +242,8 @@ http {
location / { location / {
auth_request /auth_verify; auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect; auth_request_set $redirect $upstream_http_redirect;
proxy_set_header Redirect $redirect;
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
proxy_set_header X-Forwarded-User $user; proxy_set_header X-Forwarded-User $user;
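Review bot: The new `location /headers` block proxies to an endpoint that echoes every request header back in the response body, and nothing in the block marks it as a test fixture. That echo presumably includes the `Cookie` header carrying the session cookie, which then becomes readable page content. Since this is the example configuration people copy, add a comment above the block such as `# Test fixture: httpbin echoes all request headers (including Cookie); do not copy to production.`, and consider `proxy_set_header Cookie "";` inside it so the cookie is not forwarded at all. The backend trusts `Custom-Forwarded-User` and `Custom-Forwarded-Groups` unconditionally, so a second comment that it must only be reachable through this proxy is worth having.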


@ -10,5 +10,6 @@ docker-compose \
-f example/redis/docker-compose.yml \ -f example/redis/docker-compose.yml \
-f example/nginx/docker-compose.yml \ -f example/nginx/docker-compose.yml \
-f example/smtp/docker-compose.yml \ -f example/smtp/docker-compose.yml \
-f example/httpbin/docker-compose.yml \
-f example/ldap/docker-compose.admin.yml \ -f example/ldap/docker-compose.admin.yml \
-f example/ldap/docker-compose.yml $* -f example/ldap/docker-compose.yml $*


@ -9,4 +9,5 @@ docker-compose \
-f example/redis/docker-compose.yml \ -f example/redis/docker-compose.yml \
-f example/nginx/docker-compose.yml \ -f example/nginx/docker-compose.yml \
-f example/smtp/docker-compose.yml \ -f example/smtp/docker-compose.yml \
-f example/httpbin/docker-compose.yml \
-f example/ldap/docker-compose.yml $* -f example/ldap/docker-compose.yml $*


@ -3,4 +3,4 @@
DC_SCRIPT=./scripts/example-commit/dc-example.sh DC_SCRIPT=./scripts/example-commit/dc-example.sh
$DC_SCRIPT build $DC_SCRIPT build
$DC_SCRIPT up -d mongo redis openldap authelia nginx smtp $DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp


@ -9,4 +9,5 @@ docker-compose \
-f example/redis/docker-compose.yml \ -f example/redis/docker-compose.yml \
-f example/nginx/docker-compose.yml \ -f example/nginx/docker-compose.yml \
-f example/smtp/docker-compose.yml \ -f example/smtp/docker-compose.yml \
-f example/httpbin/docker-compose.yml \
-f example/ldap/docker-compose.yml $* -f example/ldap/docker-compose.yml $*


@ -3,4 +3,4 @@
DC_SCRIPT=./scripts/example-dockerhub/dc-example.sh DC_SCRIPT=./scripts/example-dockerhub/dc-example.sh
#$DC_SCRIPT build #$DC_SCRIPT build
$DC_SCRIPT up -d mongo redis openldap authelia nginx smtp $DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp


@ -1,14 +1,14 @@
#!/bin/bash #!/bin/bash
DC_SCRIPT=./scripts/example-commit/dc-example.sh DC_SCRIPT=./scripts/example-commit/dc-example.sh
EXPECTED_SERVICES_COUNT=6 EXPECTED_SERVICES_COUNT=7
build_services() { build_services() {
$DC_SCRIPT build authelia $DC_SCRIPT build authelia
} }
start_services() { start_services() {
$DC_SCRIPT up -d mongo redis openldap authelia nginx smtp $DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp
sleep 3 sleep 3
} }


@ -0,0 +1,6 @@
Feature: User and groups headers are correctly forwarded to backend
@need-authenticated-user-john
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend
When I visit "https://public.test.local:8080/headers"
Then I see header "Custom-Forwarded-User" set to "john"
Then I see header "Custom-Forwarded-Groups" set to "dev,admin"
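Review bot: The feature covers only the positive path for an authenticated user; nothing asserts that `/headers` turns away an unauthenticated visitor, or that a `Custom-Forwarded-User` value supplied by the client never reaches the backend. Those two properties are what make header-based identity safe to rely on. A second scenario without the `@need-authenticated-user-john` tag that expects the redirect to the login portal would cover the first, using whichever redirect step the suite already defines. The client-supplied-header case probably needs a non-browser request, since the Selenium driver cannot easily set request headers.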


@ -0,0 +1,20 @@
import Cucumber = require("cucumber");
import seleniumWebdriver = require("selenium-webdriver");
import CustomWorld = require("../support/world");
import Util = require("util");
import BluebirdPromise = require("bluebird");
Cucumber.defineSupportCode(function ({ Given, When, Then }) {
Then("I see header {stringInDoubleQuotes} set to {stringInDoubleQuotes}",
{ timeout: 5000 },
function (expectedHeaderName: string, expectedValue: string) {
return this.driver.findElement(seleniumWebdriver.By.tagName("body")).getText()
.then(function (txt: string) {
const expectedLine = Util.format("\"%s\": \"%s\"", expectedHeaderName, expectedValue);
if (txt.indexOf(expectedLine) > 0)
return BluebirdPromise.resolve();
else
return BluebirdPromise.reject(new Error(Util.format("No such header or with unexpected value.")));
});
})
});
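Review bot: The check `txt.indexOf(expectedLine) > 0` treats a match at offset 0 as a failure; `indexOf` returns -1 when the text is absent, so the condition should be `if (txt.indexOf(expectedLine) >= 0)`. With httpbin's JSON body a match cannot start at offset 0, so the scenario passes today, but the step is written as a generic one. The rejection message also drops what was being looked for; `new Error(Util.format("Header %s not found with value %s.", expectedHeaderName, expectedValue))` would make a failed run diagnosable. `CustomWorld` is imported but not used in the lines shown.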


@ -23,5 +23,4 @@ Cucumber.defineSupportCode(function ({ Given, When, Then }) {
return that.driver.sleep(500); return that.driver.sleep(500);
}); });
}); });
}); });