gogatekeeper · p53 · Sep 13, 2023 · Sep 6, 2023 · Sep 6, 2023 · Sep 8, 2023
diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -14,13 +14,13 @@
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"golang.org/x/oauth2/clientcredentials"
 
 	"github.com/PuerkitoBio/goquery"
 	resty "github.com/go-resty/resty/v2"
 	"github.com/gogatekeeper/gatekeeper/pkg/constant"
 	"github.com/gogatekeeper/gatekeeper/pkg/proxy"
 	"github.com/gogatekeeper/gatekeeper/pkg/testsuite"
-	"golang.org/x/oauth2/clientcredentials"
 )
 
 const (
@@ -29,6 +29,8 @@
 	testClientSecret     = "6447d0c0-d510-42a7-b654-6e3a16b2d7e2"
 	pkceTestClient       = "test-client-pkce"
 	pkceTestClientSecret = "F2GqU40xwX0P2LrTvHUHqwNoSk4U4n5R"
+	umaTestClient        = "test-client-uma"
+	umaTestClientSecret  = "A5vokiGdI3H2r4aXFrANbKvn4R7cbf6P"
 	timeout              = time.Second * 300
 	idpURI               = "http://localhost:8081"
 	testUser             = "myuser"
@@ -241,3 +243,238 @@
 		Expect(resp.StatusCode()).To(Equal(http.StatusSeeOther))
 	})
 })
+
+var _ = Describe("UMA Code Flow authorization", func() {
+	var portNum string
+	var proxyAddress string
+	var umaCookieName = "TESTUMACOOKIE"
+
+	BeforeEach(func() {
+		server := httptest.NewServer(&testsuite.FakeUpstreamService{})
+		portNum = generateRandomPort()
+		proxyAddress = "http://localhost:" + portNum
+		osArgs := []string{os.Args[0]}
+		proxyArgs := []string{
+			"--discovery-url=" + idpRealmURI,
+			"--openid-provider-timeout=120s",
+			"--listen=" + "0.0.0.0:" + portNum,
+			"--client-id=" + umaTestClient,
+			"--client-secret=" + umaTestClientSecret,
+			"--upstream-url=" + server.URL,
+			"--no-redirects=false",
+			"--enable-uma=true",
+			"--cookie-uma-name=" + umaCookieName,
+			"--skip-access-token-clientid-check=true",
+			"--skip-access-token-issuer-check=true",
+			"--openid-provider-retry-count=30",
+			"--secure-cookie=false",
+			"--verbose=true",
+		}
+
+		osArgs = append(osArgs, proxyArgs...)
+		startAndWait(portNum, osArgs)
+	})
+
+	When("Accessing resource, where user is allowed to access", func() {
+		It("should login with user/password and logout successfully", func(ctx context.Context) {
+			userAllowedPath := "/pets"
+			userForbiddenPath := "/pets/1"
+			rClient := resty.New().SetRedirectPolicy(resty.FlexibleRedirectPolicy(5))
+			resp, err := rClient.R().Get(proxyAddress + userAllowedPath)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+
+			doc, err := goquery.NewDocumentFromReader(bytes.NewReader(resp.Body()))
+			Expect(err).NotTo(HaveOccurred())
+
+			selection := doc.Find("#kc-form-login")
+			Expect(selection).ToNot(BeNil())
+
+			selection.Each(func(i int, s *goquery.Selection) {
+				action, exists := s.Attr("action")
+				Expect(exists).To(BeTrue())
+
+				rClient.FormData.Add("username", testUser)
+				rClient.FormData.Add("password", testPass)
+				resp, err = rClient.R().Post(action)
+
+				Expect(err).NotTo(HaveOccurred())
+				Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+				Expect(resp.Header().Get("Proxy-Accepted")).To(Equal("true"))
+			})
+
+			body := resp.Body()
+			Expect(strings.Contains(string(body), umaCookieName)).To(BeTrue())
+
+			By("Accessing not allowed path")
+			resp, err = rClient.R().Get(proxyAddress + userForbiddenPath)
+			body = resp.Body()
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusForbidden))
+			Expect(strings.Contains(string(body), umaCookieName)).To(BeFalse())
+
+			resp, err = rClient.R().Get(proxyAddress + "/oauth/logout")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+
+			rClient.SetRedirectPolicy(resty.NoRedirectPolicy())
+			resp, err = rClient.R().Get(proxyAddress + userAllowedPath)
+			Expect(resp.StatusCode()).To(Equal(http.StatusSeeOther))
+		})
+	})
+
+	When("Accessing resource, which does not exist", func() {
+		It("should be forbidden without permission ticket", func(ctx context.Context) {
+			nonExistentResourcePath := "/cat"
+			rClient := resty.New().SetRedirectPolicy(resty.FlexibleRedirectPolicy(5))
+			resp, err := rClient.R().Get(proxyAddress + nonExistentResourcePath)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+
+			doc, err := goquery.NewDocumentFromReader(bytes.NewReader(resp.Body()))
+			Expect(err).NotTo(HaveOccurred())
+
+			selection := doc.Find("#kc-form-login")
+			Expect(selection).ToNot(BeNil())
+
+			selection.Each(func(i int, s *goquery.Selection) {
+				action, exists := s.Attr("action")
+				Expect(exists).To(BeTrue())
+
+				rClient.FormData.Add("username", testUser)
+				rClient.FormData.Add("password", testPass)
+				resp, err = rClient.R().Post(action)
+
+				Expect(err).NotTo(HaveOccurred())
+				Expect(resp.StatusCode()).To(Equal(http.StatusForbidden))
+			})
+
+			body := resp.Body()
+			Expect(strings.Contains(string(body), umaCookieName)).To(BeFalse())
+			Expect(strings.Contains(string(body), "ticket=")).To(BeFalse())
+		})
+	})
+
+	When("Accessing resource, which exists but user is not allowed and then allowed resource", func() {
+		It("should be forbidden without permission ticket and then allowed", func(ctx context.Context) {
+			userForbiddenPath := "/pets/1"
+			userAllowedPath := "/pets"
+
+			rClient := resty.New().SetRedirectPolicy(resty.FlexibleRedirectPolicy(5))
+			resp, err := rClient.R().Get(proxyAddress + userForbiddenPath)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+
+			doc, err := goquery.NewDocumentFromReader(bytes.NewReader(resp.Body()))
+			Expect(err).NotTo(HaveOccurred())
+
+			selection := doc.Find("#kc-form-login")
+			Expect(selection).ToNot(BeNil())
+
+			selection.Each(func(i int, s *goquery.Selection) {
+				action, exists := s.Attr("action")
+				Expect(exists).To(BeTrue())
+
+				rClient.FormData.Add("username", testUser)
+				rClient.FormData.Add("password", testPass)
+				resp, err = rClient.R().Post(action)
+
+				Expect(err).NotTo(HaveOccurred())
+				Expect(resp.StatusCode()).To(Equal(http.StatusForbidden))
+			})
+
+			body := resp.Body()
+			Expect(strings.Contains(string(body), umaCookieName)).To(BeFalse())
+			Expect(strings.Contains(string(body), "ticket=")).To(BeFalse())
+
+			By("Accessing allowed resource")
+			resp, err = rClient.R().Get(proxyAddress + userAllowedPath)
+			body = resp.Body()
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+			Expect(strings.Contains(string(body), umaCookieName)).To(BeTrue())
+		})
+	})
+})
+
+var _ = Describe("UMA Code Flow authorization with method scope", func() {
+	var portNum string
+	var proxyAddress string
+	var umaCookieName = "TESTUMACOOKIE"
+
+	BeforeEach(func() {
+		server := httptest.NewServer(&testsuite.FakeUpstreamService{})
+		portNum = generateRandomPort()
+		proxyAddress = "http://localhost:" + portNum
+		osArgs := []string{os.Args[0]}
+		proxyArgs := []string{
+			"--discovery-url=" + idpRealmURI,
+			"--openid-provider-timeout=120s",
+			"--listen=" + "0.0.0.0:" + portNum,
+			"--client-id=" + umaTestClient,
+			"--client-secret=" + umaTestClientSecret,
+			"--upstream-url=" + server.URL,
+			"--no-redirects=false",
+			"--enable-uma=true",
+			"--enable-uma-method-scope=true",
+			"--cookie-uma-name=" + umaCookieName,
+			"--skip-access-token-clientid-check=true",
+			"--skip-access-token-issuer-check=true",
+			"--openid-provider-retry-count=30",
+			"--secure-cookie=false",
+			"--verbose=true",
+			"--enable-logging=true",
+			"--enable-request-id=true",
+		}
+
+		osArgs = append(osArgs, proxyArgs...)
+		startAndWait(portNum, osArgs)
+	})
+
+	When("Accessing resource, where user is allowed to access and then not allowed resource", func() {
+		It("should login with user/password, don't access forbidden resource and logout successfully", func(ctx context.Context) {
+			userAllowedPath := "/horse"
+			rClient := resty.New().SetRedirectPolicy(resty.FlexibleRedirectPolicy(5))
+			resp, err := rClient.R().Get(proxyAddress + userAllowedPath)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+
+			doc, err := goquery.NewDocumentFromReader(bytes.NewReader(resp.Body()))
+			Expect(err).NotTo(HaveOccurred())
+
+			selection := doc.Find("#kc-form-login")
+			Expect(selection).ToNot(BeNil())
+
+			selection.Each(func(i int, s *goquery.Selection) {
+				action, exists := s.Attr("action")
+				Expect(exists).To(BeTrue())
+
+				rClient.FormData.Add("username", testUser)
+				rClient.FormData.Add("password", testPass)
+				resp, err = rClient.R().Post(action)
+
+				Expect(err).NotTo(HaveOccurred())
+				Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+				Expect(resp.Header().Get("Proxy-Accepted")).To(Equal("true"))
+			})
+
+			body := resp.Body()
+			Expect(strings.Contains(string(body), umaCookieName)).To(BeTrue())
+
+			By("Accessing not allowed method")
+			resp, err = rClient.R().Post(proxyAddress + userAllowedPath)
+			body = resp.Body()
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusForbidden))
+			Expect(strings.Contains(string(body), umaCookieName)).To(BeFalse())
+
+			resp, err = rClient.R().Get(proxyAddress + "/oauth/logout")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+
+			rClient.SetRedirectPolicy(resty.NoRedirectPolicy())
+			resp, err = rClient.R().Get(proxyAddress + userAllowedPath)
+			Expect(resp.StatusCode()).To(Equal(http.StatusSeeOther))
+		})
+	})
+})