github.com/Tyktechnologies/tyk@v2.9.5+incompatible/gateway/mw_strip_auth_test.go (about)

     1  package gateway
     2  
     3  import (
     4  	"fmt"
     5  	"net/http"
     6  	"net/url"
     7  	"testing"
     8  
     9  	"github.com/TykTechnologies/tyk/apidef"
    10  )
    11  
    12  type TestAuth struct {
    13  	apidef.AuthConfig
    14  	HeaderKey  string
    15  	QueryParam string
    16  }
    17  
    18  func testPrepareStripAuthStripFromHeaders() ([]string, []TestAuth) {
    19  	testCases := []TestAuth{
    20  		{AuthConfig: apidef.AuthConfig{AuthHeaderName: "Authorization"}, HeaderKey: "Authorization"},
    21  		{AuthConfig: apidef.AuthConfig{AuthHeaderName: ""}, HeaderKey: "Authorization"},
    22  		{AuthConfig: apidef.AuthConfig{AuthHeaderName: "MyAuth"}, HeaderKey: "MyAuth"},
    23  	}
    24  
    25  	miscHeaders := []string{
    26  		"ABC",
    27  		"Def",
    28  		"GHI",
    29  		"Authorisation",
    30  	}
    31  
    32  	return miscHeaders, testCases
    33  }
    34  
    35  func TestStripAuth_stripFromHeaders(t *testing.T) {
    36  	miscHeaders, testCases := testPrepareStripAuthStripFromHeaders()
    37  
    38  	for _, tc := range testCases {
    39  		t.Run(fmt.Sprintf("stripping %+v", tc), func(t *testing.T) {
    40  
    41  			sa := StripAuth{}
    42  			sa.Spec = &APISpec{APIDefinition: &apidef.APIDefinition{}}
    43  
    44  			req, err := http.NewRequest("GET", "http://example.com", nil)
    45  			if err != nil {
    46  				t.Fatal(err)
    47  			}
    48  
    49  			req.Header.Add(tc.HeaderKey, randStringBytes(5))
    50  
    51  			if req.Header.Get(tc.HeaderKey) == "" {
    52  				t.Fatal("headerkey not in headers to start with", tc.HeaderKey)
    53  			}
    54  
    55  			for _, h := range miscHeaders {
    56  				req.Header.Add(h, randStringBytes(5))
    57  			}
    58  
    59  			sa.stripFromHeaders(req, &tc.AuthConfig)
    60  
    61  			if len(req.Header) != len(miscHeaders) {
    62  				t.Logf("miscHeaders %d %+v\n", len(miscHeaders), miscHeaders)
    63  				t.Logf("reqHeader %d %+v\n", len(req.Header), req.Header)
    64  
    65  				t.Error("unexpected number of headers")
    66  			}
    67  
    68  			if req.Header.Get(tc.HeaderKey) != "" {
    69  				t.Error("stripFromHeaders didn't strip", tc.HeaderKey)
    70  			}
    71  		})
    72  	}
    73  
    74  	t.Run("strip authorization from cookie", func(t *testing.T) {
    75  		req, err := http.NewRequest("GET", "http://example.com", nil)
    76  		if err != nil {
    77  			t.Fatal(err)
    78  		}
    79  		sa := StripAuth{}
    80  		sa.Spec = &APISpec{APIDefinition: &apidef.APIDefinition{}}
    81  
    82  		key := "Cookie"
    83  		stripFromCookieTest(t, req, key, sa, "Authorization=AUTHORIZATION", "")
    84  		stripFromCookieTest(t, req, key, sa, "Authorization=AUTHORIZATION;Dummy=DUMMY", "Dummy=DUMMY")
    85  		stripFromCookieTest(t, req, key, sa, "Dummy=DUMMY;Authorization=AUTHORIZATION", "Dummy=DUMMY")
    86  		stripFromCookieTest(t, req, key, sa, "Dummy=DUMMY;Authorization=AUTHORIZATION;Dummy2=DUMMY2", "Dummy=DUMMY;Dummy2=DUMMY2")
    87  
    88  		key = "NonDefaultName"
    89  		sa.Spec.AuthConfigs = map[string]apidef.AuthConfig{
    90  			authTokenType: {CookieName: key},
    91  		}
    92  		stripFromCookieTest(t, req, key, sa, "Dummy=DUMMY;Authorization=AUTHORIZATION;Dummy2=DUMMY2", "Dummy=DUMMY;Dummy2=DUMMY2")
    93  	})
    94  }
    95  
    96  func stripFromCookieTest(t *testing.T, req *http.Request, key string, sa StripAuth, value string, expected string) {
    97  	req.Header.Set(key, value)
    98  	config := sa.Spec.AuthConfigs[authTokenType]
    99  	sa.stripFromHeaders(req, &config)
   100  
   101  	actual := req.Header.Get(key)
   102  
   103  	if expected != actual {
   104  		t.Fatalf("Expected %s, actual %s", expected, actual)
   105  	}
   106  }
   107  
   108  func BenchmarkStripAuth_stripFromHeaders(b *testing.B) {
   109  	b.ReportAllocs()
   110  
   111  	miscHeaders, testCases := testPrepareStripAuthStripFromHeaders()
   112  
   113  	for i := 0; i < b.N; i++ {
   114  		for _, tc := range testCases {
   115  			sa := StripAuth{}
   116  			sa.Spec = &APISpec{APIDefinition: &apidef.APIDefinition{}}
   117  
   118  			req, err := http.NewRequest("GET", "http://example.com", nil)
   119  			if err != nil {
   120  				b.Fatal(err)
   121  			}
   122  
   123  			req.Header.Add(tc.HeaderKey, randStringBytes(5))
   124  
   125  			if req.Header.Get(tc.HeaderKey) == "" {
   126  				b.Fatal("headerkey not in headers to start with", tc.HeaderKey)
   127  			}
   128  
   129  			for _, h := range miscHeaders {
   130  				req.Header.Add(h, randStringBytes(5))
   131  			}
   132  
   133  			sa.stripFromHeaders(req, &tc.AuthConfig)
   134  		}
   135  	}
   136  }
   137  
   138  func testPrepareStripAuthStripFromParams() ([]string, []TestAuth) {
   139  	testCases := []TestAuth{
   140  		// ParamName set, use it
   141  		{AuthConfig: apidef.AuthConfig{UseParam: true, ParamName: "password1"}, QueryParam: "password1"},
   142  		// ParamName not set, use AuthHeaderName
   143  		{AuthConfig: apidef.AuthConfig{UseParam: true, ParamName: "", AuthHeaderName: "auth1"}, QueryParam: "auth1"},
   144  		// ParamName takes precedence over AuthHeaderName
   145  		{AuthConfig: apidef.AuthConfig{UseParam: true, ParamName: "auth2", AuthHeaderName: "auth3"}, QueryParam: "auth2"},
   146  		// Both not set, use Authorization
   147  		{AuthConfig: apidef.AuthConfig{UseParam: true, ParamName: "", AuthHeaderName: ""}, QueryParam: "Authorization"},
   148  	}
   149  
   150  	miscQueryStrings := []string{
   151  		"ABC",
   152  		"Def",
   153  		"GHI",
   154  		"Authorisation",
   155  	}
   156  
   157  	return miscQueryStrings, testCases
   158  }
   159  
   160  func TestStripAuth_stripFromParams(t *testing.T) {
   161  	miscQueryStrings, testCases := testPrepareStripAuthStripFromParams()
   162  
   163  	for _, tc := range testCases {
   164  		t.Run(fmt.Sprintf("stripping %s", tc.QueryParam), func(t *testing.T) {
   165  
   166  			sa := StripAuth{}
   167  			sa.Spec = &APISpec{APIDefinition: &apidef.APIDefinition{}}
   168  
   169  			rawUrl := "http://example.com/abc"
   170  
   171  			req, err := http.NewRequest("GET", rawUrl, nil)
   172  			if err != nil {
   173  				t.Fatal(err)
   174  			}
   175  
   176  			newQs := url.Values{}
   177  			for _, qs := range miscQueryStrings {
   178  				newQs.Add(qs, randStringBytes(5))
   179  			}
   180  			newQs.Add(tc.QueryParam, randStringBytes(10))
   181  
   182  			req.URL.RawQuery = newQs.Encode()
   183  
   184  			t.Logf("PARAM: %+v\n", req.URL.Query())
   185  
   186  			if req.URL.Query().Get(tc.QueryParam) == "" {
   187  				t.Fatal("params not present", tc.QueryParam)
   188  			}
   189  
   190  			sa.stripFromParams(req, &tc.AuthConfig)
   191  
   192  			queryStringValues := req.URL.Query()
   193  
   194  			if queryStringValues.Get(tc.QueryParam) != "" {
   195  				t.Error("stripFromParams didn't strip ", sa.Spec.Auth.ParamName)
   196  			}
   197  		})
   198  	}
   199  }
   200  
   201  func BenchmarkStripAuth_stripFromParams(b *testing.B) {
   202  	b.ReportAllocs()
   203  
   204  	miscQueryStrings, testCases := testPrepareStripAuthStripFromParams()
   205  
   206  	for i := 0; i < b.N; i++ {
   207  		for _, tc := range testCases {
   208  			sa := StripAuth{}
   209  			sa.Spec = &APISpec{APIDefinition: &apidef.APIDefinition{}}
   210  
   211  			req, err := http.NewRequest("GET", "http://example.com/abc", nil)
   212  			if err != nil {
   213  				b.Fatal(err)
   214  			}
   215  
   216  			newQs := url.Values{}
   217  			for _, qs := range miscQueryStrings {
   218  				newQs.Add(qs, randStringBytes(5))
   219  			}
   220  			newQs.Add(tc.QueryParam, randStringBytes(10))
   221  
   222  			req.URL.RawQuery = newQs.Encode()
   223  
   224  			if req.URL.Query().Get(tc.QueryParam) == "" {
   225  				b.Fatal("params not present", tc.QueryParam)
   226  			}
   227  
   228  			sa.stripFromParams(req, &tc.AuthConfig)
   229  		}
   230  	}
   231  }