Commit137decb

committed
adapting unit tests and fixing minor issues introduced with the derefing
Signed-off-by: Jan Larwig <jan@larwig.com>
1 parent638fba4 commit137decb


7 files changed

+103
-50
lines changed


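--- a/pkg/apis/middleware/session.go
+++ b/pkg/apis/middleware/session.go
@@ -41,7 +41,10 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
 claims.Email=claims.Subject
 }
 
-if!ptr.Deref(claims.Verified,false) {
+// Ensure email is verified
+// If the email is not verified, return an error
+// If the email_verified claim is missing, assume it is verified
+if!ptr.Deref(claims.Verified,true) {
 returnnil,fmt.Errorf("email in id_token (%s) isn't verified",claims.Email)
 }
 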
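Review bot: With `if !ptr.Deref(claims.Verified, true)` only an explicit `email_verified: false` is rejected; an ID token that omits the claim altogether is treated exactly like one that says `true`, so an issuer that never emits the claim gets no verification check at all. The three comment lines above the check describe the mechanics but not that this is a deliberate trust decision; one line stating it would read better, e.g. `// Only an explicit email_verified=false is rejected; a missing claim is treated as verified.`. The test file in this commit shows an `InsecureAllowUnverifiedEmail` option, and whether that option is meant to be the only way to skip this check is worth stating next to it. The enclosing function starts and ends outside the hunk.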
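--- a/pkg/apis/options/legacy_options.go
+++ b/pkg/apis/options/legacy_options.go
@@ -96,6 +96,7 @@ func (l *LegacyOptions) ToOptions() (*Options, error) {
 returnnil,fmt.Errorf("error converting provider: %v",err)
 }
 l.Options.Providers=providers
+l.Options.EnsureDefaults()
 
 return&l.Options,nil
 }
@@ -178,6 +179,10 @@ func (l *LegacyUpstreams) convert() (UpstreamConfig, error) {
 upstream.URI=""
 upstream.InsecureSkipTLSVerify=ptr.Ptr(false)
 upstream.DisableKeepAlives=ptr.Ptr(false)
+upstream.PassHostHeader=nil
+upstream.ProxyWebSockets=nil
+upstream.FlushInterval=nil
+upstream.Timeout=nil
 case"unix":
 upstream.Path="/"
 }
@@ -284,7 +289,8 @@ func getBasicAuthHeader(preferEmailToUser bool, basicAuthPassword string) Header
 }
 
 returnHeader{
-Name:"Authorization",
+Name:"Authorization",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -302,7 +308,8 @@ func getBasicAuthHeader(preferEmailToUser bool, basicAuthPassword string) Header
 funcgetPassUserHeaders(preferEmailToUserbool) []Header {
 headers:= []Header{
 {
-Name:"X-Forwarded-Groups",
+Name:"X-Forwarded-Groups",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -316,7 +323,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
 ifpreferEmailToUser {
 returnappend(headers,
 Header{
-Name:"X-Forwarded-User",
+Name:"X-Forwarded-User",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -330,7 +338,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
 
 returnappend(headers,
 Header{
-Name:"X-Forwarded-User",
+Name:"X-Forwarded-User",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -340,7 +349,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
 },
 },
 Header{
-Name:"X-Forwarded-Email",
+Name:"X-Forwarded-Email",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -354,7 +364,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
 
 funcgetPassAccessTokenHeader()Header {
 returnHeader{
-Name:"X-Forwarded-Access-Token",
+Name:"X-Forwarded-Access-Token",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -367,7 +378,8 @@ func getPassAccessTokenHeader() Header {
 
 funcgetAuthorizationHeader()Header {
 returnHeader{
-Name:"Authorization",
+Name:"Authorization",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -381,7 +393,8 @@ func getAuthorizationHeader() Header {
 
 funcgetPreferredUsernameHeader()Header {
 returnHeader{
-Name:"X-Forwarded-Preferred-Username",
+Name:"X-Forwarded-Preferred-Username",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -395,7 +408,8 @@ func getPreferredUsernameHeader() Header {
 funcgetXAuthRequestHeaders() []Header {
 headers:= []Header{
 {
-Name:"X-Auth-Request-User",
+Name:"X-Auth-Request-User",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -405,7 +419,8 @@ func getXAuthRequestHeaders() []Header {
 },
 },
 {
-Name:"X-Auth-Request-Email",
+Name:"X-Auth-Request-Email",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -415,7 +430,8 @@ func getXAuthRequestHeaders() []Header {
 },
 },
 {
-Name:"X-Auth-Request-Preferred-Username",
+Name:"X-Auth-Request-Preferred-Username",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -425,7 +441,8 @@ func getXAuthRequestHeaders() []Header {
 },
 },
 {
-Name:"X-Auth-Request-Groups",
+Name:"X-Auth-Request-Groups",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{
@@ -441,7 +458,8 @@ func getXAuthRequestHeaders() []Header {
 
 funcgetXAuthRequestAccessTokenHeader()Header {
 returnHeader{
-Name:"X-Auth-Request-Access-Token",
+Name:"X-Auth-Request-Access-Token",
+PreserveRequestValue:ptr.Ptr(false),
 Values: []HeaderValue{
 {
 ClaimSource:&ClaimSource{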
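Review bot: In the `convert()` hunk (`@@ -178,6 +179,10`) the four new `= nil` assignments for `PassHostHeader`, `ProxyWebSockets`, `FlushInterval` and `Timeout` are an unstated contract with `validateStaticUpstream` in this commit's pkg/validation/upstreams.go, which now warns whenever those pointers are non-nil; nothing at the assignment site says so, and the two lines just above still set `InsecureSkipTLSVerify` and `DisableKeepAlives` to `ptr.Ptr(false)` rather than nil, so a reader cannot tell why "not applicable" is spelled two ways in the same case arm. A one-line comment would fix both, e.g. `// static upstreams never proxy: leave the proxy-only fields unset so validation does not report them`. The repeated `PreserveRequestValue: ptr.Ptr(false)` in every header builder is the right value for identity headers (the proxy's claim replaces whatever the client sent), so that part reads fine as is. The enclosing switch and function start outside the hunk.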

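--- a/pkg/apis/options/legacy_options_test.go
+++ b/pkg/apis/options/legacy_options_test.go
@@ -122,16 +122,19 @@ var _ = Describe("Legacy Options", func() {
 BindAddress:"127.0.0.1:4180",
 }
 
-opts.Providers[0].ClientID="oauth-proxy"
 opts.Providers[0].ID="google=oauth-proxy"
-opts.Providers[0].OIDCConfig.InsecureSkipNonce=ptr.Ptr(true)
+opts.Providers[0].ClientID="oauth-proxy"
 opts.Providers[0].OIDCConfig.AudienceClaims= []string{"aud"}
 opts.Providers[0].OIDCConfig.ExtraAudiences= []string{}
+opts.Providers[0].OIDCConfig.InsecureSkipNonce=ptr.Ptr(true)
+opts.Providers[0].OIDCConfig.InsecureSkipIssuerVerification=ptr.Ptr(false)
 opts.Providers[0].LoginURLParameters= []LoginURLParameter{
 {Name:"approval_prompt",Default: []string{"force"}},
 }
 
 converted,err:=legacyOpts.ToOptions()
+opts.EnsureDefaults()
+
 Expect(err).ToNot(HaveOccurred())
 Expect(converted).To(EqualOpts(opts))
 })
@@ -944,37 +947,50 @@ var _ = Describe("Legacy Options", func() {
 {Name:"approval_prompt",Default: []string{"force"}},
 }
 
-defaultProvider:=Provider{
-ID:"google="+clientID,
-ClientID:clientID,
-Type:"google",
-LoginURLParameters:defaultURLParams,
+defaultOIDCOptions:=OIDCOptions{
+SkipDiscovery:ptr.Ptr(false),
+InsecureSkipNonce:ptr.Ptr(false),
+InsecureAllowUnverifiedEmail:ptr.Ptr(false),
+InsecureSkipIssuerVerification:ptr.Ptr(false),
 }
+
+defaultGoogleOptions:=GoogleOptions{
+UseApplicationDefaultCredentials:ptr.Ptr(false),
+}
+
 defaultLegacyProvider:=LegacyProvider{
 ClientID:clientID,
 ProviderType:"google",
 }
 
-defaultProviderWithPrompt:=Provider{
-ID:"google="+clientID,
-ClientID:clientID,
-Type:"google",
-LoginURLParameters: []LoginURLParameter{
-{Name:"prompt",Default: []string{"switch_user"}},
-},
+defaultProvider:=Provider{
+ID:"google="+clientID,
+ClientID:clientID,
+Type:"google",
+OIDCConfig:defaultOIDCOptions,
+GoogleConfig:defaultGoogleOptions,
+LoginURLParameters:defaultURLParams,
+UseSystemTrustStore:ptr.Ptr(false),
+SkipClaimsFromProfileURL:ptr.Ptr(false),
 }
+
 defaultLegacyProviderWithPrompt:=LegacyProvider{
 ClientID:clientID,
 ProviderType:"google",
 Prompt:"switch_user",
 }
 
-displayNameProvider:=Provider{
-ID:"displayName",
-Name:"displayName",
-ClientID:clientID,
-Type:"google",
-LoginURLParameters:defaultURLParams,
+defaultProviderWithPrompt:=Provider{
+ID:"google="+clientID,
+ClientID:clientID,
+Type:"google",
+OIDCConfig:defaultOIDCOptions,
+GoogleConfig:defaultGoogleOptions,
+LoginURLParameters: []LoginURLParameter{
+{Name:"prompt",Default: []string{"switch_user"}},
+},
+UseSystemTrustStore:ptr.Ptr(false),
+SkipClaimsFromProfileURL:ptr.Ptr(false),
 }
 
 displayNameLegacyProvider:=LegacyProvider{
@@ -983,16 +999,32 @@ var _ = Describe("Legacy Options", func() {
 ProviderType:"google",
 }
 
+displayNameProvider:=Provider{
+ID:"displayName",
+Name:"displayName",
+ClientID:clientID,
+Type:"google",
+OIDCConfig:defaultOIDCOptions,
+GoogleConfig:defaultGoogleOptions,
+LoginURLParameters:defaultURLParams,
+UseSystemTrustStore:ptr.Ptr(false),
+SkipClaimsFromProfileURL:ptr.Ptr(false),
+}
+
 internalConfigProvider:=Provider{
-ID:"google="+clientID,
-ClientID:clientID,
-Type:"google",
+ID:"google="+clientID,
+ClientID:clientID,
+Type:"google",
+OIDCConfig:defaultOIDCOptions,
 GoogleConfig:GoogleOptions{
-AdminEmail:"email@email.com",
-ServiceAccountJSON:"test.json",
-Groups: []string{"1","2"},
+AdminEmail:"email@email.com",
+ServiceAccountJSON:"test.json",
+Groups: []string{"1","2"},
+UseApplicationDefaultCredentials:ptr.Ptr(false),
 },
-LoginURLParameters:defaultURLParams,
+LoginURLParameters:defaultURLParams,
+UseSystemTrustStore:ptr.Ptr(false),
+SkipClaimsFromProfileURL:ptr.Ptr(false),
 }
 
 internalConfigLegacyProvider:=LegacyProvider{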
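Review bot: In the first hunk `opts.EnsureDefaults()` is inserted between `converted, err := legacyOpts.ToOptions()` and `Expect(err).ToNot(HaveOccurred())`, separating a call from its error check; it only touches the expected value, so move it above the `ToOptions()` call. More importantly, `ToOptions()` itself now calls `EnsureDefaults()` (see the legacy_options.go hunk in this commit), so for every field that `EnsureDefaults()` populates the assertion compares the defaults function against itself and no longer pins what those defaults are. The later hunks take the stronger approach of spelling the expected values out (`UseSystemTrustStore: ptr.Ptr(false)`, `InsecureAllowUnverifiedEmail: ptr.Ptr(false)` and friends); this test could do the same instead of calling `EnsureDefaults()`, so that a silently changed default fails a test. The enclosing `Describe` blocks start and end outside the hunks.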

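--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@@ -43,7 +43,7 @@ const (
 
 // DefaultUseSystemTrustStore is the default value
 // for Provider.UseSystemTrustStore
-DefaultUseSystemTrustStorebool=true
+DefaultUseSystemTrustStorebool=false
 )
 
 // OIDCAudienceClaims is the generic audience claim list used by the OIDC provider.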
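Review bot: The doc comment on `DefaultUseSystemTrustStore` only restates the identifier, and the hunk flips the value from `true` to `false` without saying what the new default means for a provider that also configures its own CA files; I cannot tell from here whether `false` means the system roots are no longer consulted alongside those files, and that is exactly what the comment should answer, e.g. `// DefaultUseSystemTrustStore is the default for Provider.UseSystemTrustStore; false means <effect on the trust roots used for the provider's TLS connections — fill in from the TLS client setup>.`. Which roots an outbound TLS connection trusts is a behaviour change rather than the "minor issue" the commit message describes, so it also deserves a changelog line. The `const` block starts outside the hunk.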

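--- a/pkg/middleware/jwt_session_test.go
+++ b/pkg/middleware/jwt_session_test.go
@@ -304,7 +304,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 authorizationHeader:fmt.Sprintf("Bearer %s",nonVerifiedToken),
 expectedErr:k8serrors.NewAggregate([]error{
 errors.New("unable to verify bearer token"),
-errors.New("oidc: malformed jwt:oidc: malformed jwt payload:illegal base64 data at input byte 8"),
+errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
 }),
 expectedSession:nil,
 }),
@@ -317,7 +317,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 authorizationHeader:"Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6",
 expectedErr:k8serrors.NewAggregate([]error{
 errors.New("unable to verify bearer token"),
-errors.New("oidc: malformed jwt:oidc: malformed jwt payload:illegal base64 data at input byte 8"),
+errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
 }),
 expectedSession:nil,
 }),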

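--- a/pkg/validation/sessions_test.go
+++ b/pkg/validation/sessions_test.go
@@ -193,8 +193,8 @@ var _ = Describe("Sessions", func() {
 unreachableRedisDelMsg="unable to delete the redis initialization key: dial tcp 127.0.0.1:65535: connect: connection refused"
 unreachableSentinelSetMsg="unable to set a redis initialization key: redis: all sentinels specified in configuration are unreachable: redis: nil"
 unrechableSentinelDelMsg="unable to delete the redis initialization key: redis: all sentinels specified in configuration are unreachable: redis: nil"
-refusedSentinelSetMsg="unable to set a redis initialization key: redis: all sentinels specified in configuration are unreachable:dial tcp 127.0.0.1:65535: connect: connection refused"
-refusedSentinelDelMsg="unable to delete the redis initialization key: redis: all sentinels specified in configuration are unreachable:dial tcp 127.0.0.1:65535: connect: connection refused"
+refusedSentinelSetMsg="unable to set a redis initialization key: redis: all sentinels specified in configuration are unreachable:context deadline exceeded"
+refusedSentinelDelMsg="unable to delete the redis initialization key: redis: all sentinels specified in configuration are unreachable:context deadline exceeded"
 )
 
 typeredisStoreTableInputstruct {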
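Review bot: The new `refusedSentinelSetMsg`/`refusedSentinelDelMsg` expect `context deadline exceeded` rather than `connection refused` for a sentinel at 127.0.0.1:65535, which suggests the client now retries a refused connection until some deadline expires; if so, the test's duration and its pass/fail now depend on that deadline rather than on the immediate refusal, and a slow host could still surface the refusal text and fail. A comment naming where the deadline comes from would make the expectation reviewable, e.g. `// refused sentinels are retried until the client-side deadline, so the aggregate error reports the timeout — confirm against the redis client options`. The `unrechableSentinelDelMsg` typo on the context line could be fixed in passing. The enclosing `const` block and `Describe` start outside the hunk.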

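--- a/pkg/validation/upstreams.go
+++ b/pkg/validation/upstreams.go
@@ -70,13 +70,13 @@ func validateStaticUpstream(upstream options.Upstream) []string {
 ifptr.Deref(upstream.InsecureSkipTLSVerify,options.DefaultUpsteamInsecureSkipTLSVerify) {
 msgs=append(msgs,fmt.Sprintf("upstream %q has insecureSkipTLSVerify, but is a static upstream, this will have no effect.",upstream.ID))
 }
-ifptr.Deref(upstream.FlushInterval,options.DefaultUpstreamFlushInterval)!=options.DefaultUpstreamFlushInterval {
+ifupstream.FlushInterval!=nil&&*upstream.FlushInterval!=options.DefaultUpstreamFlushInterval {
 msgs=append(msgs,fmt.Sprintf("upstream %q has flushInterval, but is a static upstream, this will have no effect.",upstream.ID))
 }
-ifptr.Deref(upstream.PassHostHeader,options.DefaultUpstreamPassHostHeader) {
+ifupstream.PassHostHeader!=nil {
 msgs=append(msgs,fmt.Sprintf("upstream %q has passHostHeader, but is a static upstream, this will have no effect.",upstream.ID))
 }
-ifptr.Deref(upstream.ProxyWebSockets,options.DefaultUpstreamProxyWebSockets) {
+ifupstream.ProxyWebSockets!=nil {
 msgs=append(msgs,fmt.Sprintf("upstream %q has proxyWebSockets, but is a static upstream, this will have no effect.",upstream.ID))
 }
 
@@ -92,7 +92,7 @@ func validateUpstreamURI(upstream options.Upstream) []string {
 }
 
 // Checks after this only make sense the upstream is not static
-if!ptr.Deref(upstream.Static,options.DefaultUpstreamStatic) {
+ifptr.Deref(upstream.Static,options.DefaultUpstreamStatic) {
 returnmsgs
 }
 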
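Review bot: After the first hunk `validateStaticUpstream` applies three different rules to fields that all "have no effect" on a static upstream: `InsecureSkipTLSVerify` (context line 70) is reported only when it dereferences to true, `FlushInterval` only when it is set to a non-default value, and `PassHostHeader`/`ProxyWebSockets` whenever the pointer is non-nil — so `passHostHeader: false` in a config draws a warning while an explicit `flushInterval` equal to the default does not. Pick one rule and state it; `!= nil` for all four fits the legacy converter in this commit, which clears exactly these fields to nil for static upstreams, i.e. `if upstream.FlushInterval != nil {` and `if upstream.InsecureSkipTLSVerify != nil {` with a comment above the block such as `// any explicitly set proxy-only field is reported, regardless of its value`. The inversion in the second hunk (`if ptr.Deref(upstream.Static, …) { return msgs }`) now agrees with the comment above it. Both enclosing functions start outside their hunks.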