
Commit d79ac92

committed
system-tests: cover Nomad forward-auth flows
1 parent 60c8e34 commit d79ac92


1 file changed

+83
-0
lines changed


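--- a/services/system-tests/src/test/kotlin/com/jorisjonkers/personalstack/systemtests/ForwardAuthChainSystemTest.kt
+++ b/services/system-tests/src/test/kotlin/com/jorisjonkers/personalstack/systemtests/ForwardAuthChainSystemTest.kt
@@ -57,6 +57,24 @@ class ForwardAuthChainSystemTest {
 return Base64.getUrlEncoder().withoutPadding().encodeToString(digest)
 }
 
+private fun verifyForwardAuthForHost(
+host: String,
+sessionCookie: String? = null,
+uri: String = "/",
+) = TestHelper.givenApi()
+.baseUri(authBaseUrl)
+.redirects()
+.follow(false)
+.apply {
+header("X-Forwarded-Proto", "https")
+header("X-Forwarded-Host", host)
+header("X-Forwarded-Uri", uri)
+if (sessionCookie != null) {
+cookie("SESSION", sessionCookie)
+}
+}.`when`()
+.get("/api/v1/auth/verify")
+
 @ParameterizedTest(name = "{0}: unauthenticated request redirects to login with redirect URL")
 @MethodSource("forwardAuthServices")
 fun `unauthenticated request redirects to login with service redirect URL`(
@@ -176,6 +194,56 @@ class ForwardAuthChainSystemTest {
 assertThat(response.statusCode).isNotEqualTo(401)
 }
 
+@Test
+fun `nomad unauthenticated verify redirects to login with original URL`() {
+val response = verifyForwardAuthForHost("nomad.jorisjonkers.test")
+
+assertThat(response.statusCode).isEqualTo(302)
+assertThat(response.header("Location"))
+.contains("login")
+.contains("redirect=")
+.containsIgnoringCase("nomad.jorisjonkers.test")
+}
+
+@Test
+fun `nomad verify denies user without service permission`() {
+val session = TestHelper.registerConfirmAndGetSession()
+
+val response =
+verifyForwardAuthForHost(
+host = "nomad.jorisjonkers.test",
+sessionCookie = session.sessionCookie,
+)
+
+assertThat(response.statusCode).isEqualTo(403)
+}
+
+@Test
+fun `nomad verify allows admin session`() {
+val session = TestHelper.registerConfirmAndGetAdminSession()
+
+val response =
+verifyForwardAuthForHost(
+host = "nomad.jorisjonkers.test",
+sessionCookie = session.sessionCookie,
+)
+
+assertThat(response.statusCode).isEqualTo(200)
+}
+
+@Test
+fun `nomad verify allows user with SERVICE_NOMAD`() {
+val session = TestHelper.registerConfirmGrantAndGetSession("NOMAD")
+
+val response =
+verifyForwardAuthForHost(
+host = "nomad.jorisjonkers.test",
+sessionCookie = session.sessionCookie,
+)
+
+assertThat(response.statusCode).isEqualTo(200)
+}
+
 @Test
 fun `session-authenticated user can complete oauth2 flow and still pass forward-auth`() {
 val user = TestHelper.registerAndConfirm()
@@ -348,4 +416,19 @@ class ForwardAuthChainSystemTest {
 .describedAs("Redirect should encode the original URL including the path")
 .contains("some-dashboard")
 }
+
+@Test
+fun `nomad forward-auth redirect preserves original path`() {
+val response =
+verifyForwardAuthForHost(
+host = "nomad.jorisjonkers.test",
+uri = "/ui/jobs",
+)
+
+assertThat(response.statusCode).isEqualTo(302)
+assertThat(response.header("Location"))
+.contains("redirect=")
+.contains("nomad.jorisjonkers.test")
+.contains("ui%2Fjobs")
+}
 }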
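Review bot: The `Location` assertions in `nomad forward-auth redirect preserves original path` and `nomad unauthenticated verify redirects to login with original URL` are independent substring checks, so they would still pass if the host and the path landed in different parts of the header or if the redirect value carried extra or reordered content. Because this header decides where the user is sent after login, the test is stronger if it decodes the `redirect` parameter and compares it as one value, e.g. `val target = URLDecoder.decode(response.header("Location").substringAfter("redirect="), Charsets.UTF_8)` followed by `assertThat(target).startsWith("https://nomad.jorisjonkers.test/ui/jobs")`; the expected string is inferred from the three `X-Forwarded-*` headers the helper sends and should be checked against what the auth service actually emits. The first test also uses `containsIgnoringCase` for the host while the last uses `contains`, which is worth making consistent. On the deny side, only a user with no grant is covered; a case with a grant for a different service and one with a `SESSION` value that is not a live session would pin the 403 and 302 paths for this host more tightly. A short KDoc and an explicit return type on `verifyForwardAuthForHost` would also make it clear that redirects are deliberately not followed.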
