1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
21 "git.curoverse.com/arvados.git/lib/config"
22 "git.curoverse.com/arvados.git/lib/controller/rpc"
23 "git.curoverse.com/arvados.git/sdk/go/arvados"
24 "git.curoverse.com/arvados.git/sdk/go/arvadostest"
25 "git.curoverse.com/arvados.git/sdk/go/auth"
26 "git.curoverse.com/arvados.git/sdk/go/ctxlog"
27 check "gopkg.in/check.v1"
28 jose "gopkg.in/square/go-jose.v2"
31 // Gocheck boilerplate
32 func Test(t *testing.T) {
36 var _ = check.Suite(&LoginSuite{})
38 type LoginSuite struct {
39 cluster *arvados.Cluster
42 railsSpy *arvadostest.Proxy
43 fakeIssuer *httptest.Server
44 issuerKey *rsa.PrivateKey
46 // expected token request
48 // desired response from token endpoint
50 authEmailVerified bool
54 func (s *LoginSuite) SetUpTest(c *check.C) {
56 s.issuerKey, err = rsa.GenerateKey(rand.Reader, 2048)
57 c.Assert(err, check.IsNil)
59 s.authEmail = "active-user@arvados.local"
60 s.authEmailVerified = true
61 s.authName = "Fake User Name"
62 s.fakeIssuer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
64 c.Logf("fakeIssuer: got req: %s %s %s", req.Method, req.URL, req.Form)
65 w.Header().Set("Content-Type", "application/json")
67 case "/.well-known/openid-configuration":
68 json.NewEncoder(w).Encode(map[string]interface{}{
69 "issuer": s.fakeIssuer.URL,
70 "authorization_endpoint": s.fakeIssuer.URL + "/auth",
71 "token_endpoint": s.fakeIssuer.URL + "/token",
72 "jwks_uri": s.fakeIssuer.URL + "/jwks",
73 "userinfo_endpoint": s.fakeIssuer.URL + "/userinfo",
76 if req.Form.Get("code") != s.validCode || s.validCode == "" {
77 w.WriteHeader(http.StatusUnauthorized)
80 idToken, _ := json.Marshal(map[string]interface{}{
81 "iss": s.fakeIssuer.URL,
82 "aud": []string{"test%client$id"},
83 "sub": "fake-user-id",
84 "exp": time.Now().UTC().Add(time.Minute).UnixNano(),
85 "iat": time.Now().UTC().UnixNano(),
86 "nonce": "fake-nonce",
88 "email_verified": s.authEmailVerified,
91 json.NewEncoder(w).Encode(struct {
92 AccessToken string `json:"access_token"`
93 TokenType string `json:"token_type"`
94 RefreshToken string `json:"refresh_token"`
95 ExpiresIn int32 `json:"expires_in"`
96 IDToken string `json:"id_token"`
98 AccessToken: s.fakeToken(c, []byte("fake access token")),
100 RefreshToken: "test-refresh-token",
102 IDToken: s.fakeToken(c, idToken),
105 json.NewEncoder(w).Encode(jose.JSONWebKeySet{
106 Keys: []jose.JSONWebKey{
107 {Key: s.issuerKey.Public(), Algorithm: string(jose.RS256), KeyID: ""},
111 w.WriteHeader(http.StatusInternalServerError)
113 w.WriteHeader(http.StatusInternalServerError)
115 w.WriteHeader(http.StatusNotFound)
119 cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
120 s.cluster, err = cfg.GetCluster("")
121 s.cluster.Login.GoogleClientID = "test%client$id"
122 s.cluster.Login.GoogleClientSecret = "test#client/secret"
123 c.Assert(err, check.IsNil)
125 s.localdb = NewConn(s.cluster)
126 s.localdb.googleLoginController.issuer = s.fakeIssuer.URL
128 s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
129 s.localdb.railsProxy = rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
132 func (s *LoginSuite) TearDownTest(c *check.C) {
136 func (s *LoginSuite) TestGoogleLoginStart_Bogus(c *check.C) {
137 resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{})
138 c.Check(err, check.IsNil)
139 c.Check(resp.RedirectLocation, check.Equals, "")
140 c.Check(resp.HTML.String(), check.Matches, `.*missing return_to parameter.*`)
143 func (s *LoginSuite) TestGoogleLoginStart(c *check.C) {
144 for _, remote := range []string{"", "zzzzz"} {
145 resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{Remote: remote, ReturnTo: "https://app.example.com/foo?bar"})
146 c.Check(err, check.IsNil)
147 target, err := url.Parse(resp.RedirectLocation)
148 c.Check(err, check.IsNil)
149 issuerURL, _ := url.Parse(s.fakeIssuer.URL)
150 c.Check(target.Host, check.Equals, issuerURL.Host)
152 c.Check(q.Get("client_id"), check.Equals, "test%client$id")
153 state := s.localdb.googleLoginController.parseOAuth2State(q.Get("state"))
154 c.Check(state.verify([]byte(s.cluster.SystemRootToken)), check.Equals, true)
155 c.Check(state.Time, check.Not(check.Equals), 0)
156 c.Check(state.Remote, check.Equals, remote)
157 c.Check(state.ReturnTo, check.Equals, "https://app.example.com/foo?bar")
161 func (s *LoginSuite) TestGoogleLoginSuccess(c *check.C) {
162 // Initiate login, but instead of following the redirect to
163 // the provider, just grab state from the redirect URL.
164 resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{ReturnTo: "https://app.example.com/foo?bar"})
165 c.Check(err, check.IsNil)
166 target, err := url.Parse(resp.RedirectLocation)
167 c.Check(err, check.IsNil)
168 state := target.Query().Get("state")
169 c.Check(state, check.Not(check.Equals), "")
171 // Prime the fake issuer with a valid code.
172 s.validCode = fmt.Sprintf("abcdefgh-%d", time.Now().Unix())
174 // Callback with invalid code.
175 resp, err = s.localdb.Login(context.Background(), arvados.LoginOptions{
176 Code: "first-try-a-bogus-code",
179 c.Check(err, check.IsNil)
180 c.Check(resp.RedirectLocation, check.Equals, "")
181 c.Check(resp.HTML.String(), check.Matches, `(?ms).*error in OAuth2 exchange.*cannot fetch token.*`)
183 // Callback with invalid state.
184 resp, err = s.localdb.Login(context.Background(), arvados.LoginOptions{
186 State: "bogus-state",
188 c.Check(err, check.IsNil)
189 c.Check(resp.RedirectLocation, check.Equals, "")
190 c.Check(resp.HTML.String(), check.Matches, `(?ms).*invalid OAuth2 state.*`)
192 // Callback with valid code and state.
193 resp, err = s.localdb.Login(context.Background(), arvados.LoginOptions{
197 c.Check(err, check.IsNil)
198 c.Check(resp.HTML.String(), check.Equals, "")
199 c.Check(resp.RedirectLocation, check.Not(check.Equals), "")
200 target, err = url.Parse(resp.RedirectLocation)
201 c.Check(err, check.IsNil)
202 c.Check(target.Host, check.Equals, "app.example.com")
203 c.Check(target.Path, check.Equals, "/foo")
204 token := target.Query().Get("api_token")
205 c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
207 foundCallback := false
208 for _, dump := range s.railsSpy.RequestDumps {
209 c.Logf("spied request: %q", dump)
210 split := bytes.Split(dump, []byte("\r\n\r\n"))
211 c.Assert(split, check.HasLen, 2)
212 hdr, body := string(split[0]), string(split[1])
213 if strings.Contains(hdr, "POST /auth/controller/callback") {
214 vs, err := url.ParseQuery(body)
215 var authinfo map[string]interface{}
216 c.Check(json.Unmarshal([]byte(vs.Get("auth_info")), &authinfo), check.IsNil)
217 c.Check(err, check.IsNil)
218 c.Check(authinfo["first_name"], check.Equals, "Fake User")
219 c.Check(authinfo["last_name"], check.Equals, "Name")
220 c.Check(authinfo["email"], check.Equals, "active-user@arvados.local")
224 c.Check(foundCallback, check.Equals, true)
226 // Try using the returned Arvados token.
227 c.Logf("trying an API call with new token %q", token)
228 ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{token}})
229 cl, err := s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
230 c.Check(cl.ItemsAvailable, check.Not(check.Equals), 0)
231 c.Check(cl.Items, check.Not(check.HasLen), 0)
232 c.Check(err, check.IsNil)
234 // Might as well check that bogus tokens aren't accepted.
235 badtoken := token + "plussomeboguschars"
236 c.Logf("trying an API call with mangled token %q", badtoken)
237 ctx = auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{badtoken}})
238 cl, err = s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
239 c.Check(cl.Items, check.HasLen, 0)
240 c.Check(err, check.NotNil)
241 c.Check(err, check.ErrorMatches, `.*401 Unauthorized: Not logged in.*`)
244 func (s *LoginSuite) fakeToken(c *check.C, payload []byte) string {
245 signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: s.issuerKey}, nil)
249 object, err := signer.Sign(payload)
253 t, err := object.CompactSerialize()
257 c.Logf("fakeToken(%q) == %q", payload, t)