Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

oauth2 filter: Make OAuth scopes configurable. #14034

Closed
wants to merge 75 commits into from
Closed

oauth2 filter: Make OAuth scopes configurable. #14034

Show file tree
Hide file tree
Changes from 29 commits
Commits
Show all changes
75 commits
Select commit Hold shift + click to select a range
80acc89
Add scope to oauth2 filter proto file
andreyprezotto Nov 3, 2020
c276e54
Use configured scopes in authorizarion request
andreyprezotto Nov 3, 2020
d26dd3a
Initialize member in the correct order
andreyprezotto Nov 4, 2020
1577ed6
Update proto files after proto_format.sh
andreyprezotto Nov 4, 2020
47f1fa4
Fix oauth filter tests
andreyprezotto Nov 4, 2020
906a91f
fix semicolon
andreyprezotto Nov 5, 2020
94fa8b1
fix tests
andreyprezotto Nov 5, 2020
2fdf64a
fix tests
andreyprezotto Nov 5, 2020
7c689b9
fix tests after rebase
andreyprezotto Nov 5, 2020
6549060
Add debug log for test
andreyprezotto Nov 6, 2020
5e709f9
Add debug log for test
andreyprezotto Nov 6, 2020
c2567ec
Auth_scope default value if config wasn't set
andreyprezotto Nov 13, 2020
657e21f
add config test for default user
andreyprezotto Nov 13, 2020
a7acd87
add config test for default user
andreyprezotto Nov 13, 2020
5381f74
Revert "Auth_scope default value if config wasn't set"
andreyprezotto Nov 13, 2020
4d9eab9
Revert "Revert "Auth_scope default value if config wasn't set""
andreyprezotto Nov 13, 2020
5e126b9
revert implementation
andreyprezotto Nov 13, 2020
b64e322
change defaul value implementation
andreyprezotto Nov 13, 2020
7359ad3
fix with .empty
andreyprezotto Nov 13, 2020
62f1ff4
fix semicolon
andreyprezotto Nov 13, 2020
b3c2071
fix property name
andreyprezotto Nov 13, 2020
a18a184
semicolon
andreyprezotto Nov 13, 2020
2aa7274
fix tests
andreyprezotto Nov 13, 2020
a097339
Add auth_scopes to the docs
andreyprezotto Nov 16, 2020
47598a2
Update Release Notes
andreyprezotto Nov 16, 2020
6cca203
Fix colon in docs
andreyprezotto Nov 16, 2020
a5d64d0
Fix release notes
andreyprezotto Nov 16, 2020
5aef557
Fix formatting
andreyprezotto Nov 16, 2020
b956a6e
Fix documentation
andreyprezotto Nov 16, 2020
e8393a7
include default value in proto field comment
andreyprezotto Nov 18, 2020
feb36f7
log the internal error message from *SSL when the cert and private ke…
qudongfang Nov 16, 2020
54af113
sds: improve watched directory documentation. (#14029)
htuch Nov 16, 2020
8d0ece6
quiche: update QUICHE tar (#13949)
danzh2010 Nov 16, 2020
8795f12
jwt_authn: update to jwt_verify_lib with 1 minute clock skew (#13872)
qiwzhang Nov 16, 2020
990899d
[test host utils] use make_shared to avoid memory leaks (#14042)
Nov 16, 2020
f769059
Build: Propagate user-supplied tags to external headers library. (#14…
AngusDavis Nov 16, 2020
b0b90ad
config: fix crash when type URL doesn't match proto. (#14031)
htuch Nov 16, 2020
6cd68d5
ci: fix CodeQL-build by removing deprecated set-env command (#14046)
tbarrella Nov 17, 2020
d01b49e
grpc-json-transcoder: Add support for configuring unescaping behavior…
Nov 17, 2020
bbfe4fb
wasm: use static registration for runtimes (#14014)
lizan Nov 17, 2020
96156bc
stats: use RE2 and a better pattern to accelerate a single stats tag-…
jmarantz Nov 17, 2020
86fbfae
tidy: use last_github_commit script instead of target branch (#14052)
lizan Nov 17, 2020
aa78e42
quiche: fix stream trailer decoding issue (#13871)
danzh2010 Nov 17, 2020
6bf0a56
docs: updating 100-continue docs (#14040)
alyssawilk Nov 17, 2020
81b02b6
wasm: make dependency clearer (#14062)
lizan Nov 18, 2020
854b797
[http1] fix H/1 response pipelining (#13983)
asraa Nov 18, 2020
36fabd0
vrp: allow supervisord to open its log file (#14066)
akonradi Nov 18, 2020
9576515
Fix sandboxes doc (#14058)
yangy2000 Nov 18, 2020
4cd22a2
comments: clarify comment for IoHandle::write (#13982)
antoniovicente Nov 18, 2020
5dd7bd8
Added Fatal Action extension point. (#13676)
KBaichoo Nov 18, 2020
8771252
conn_pool: track streams across the pool (#13684)
alyssawilk Nov 18, 2020
b89bcae
dispatcher: Remove obsolete runtime feature envoy.reloadable_features…
antoniovicente Nov 18, 2020
7c7fb6c
fix sds_dynamic_key_rotation_setup.sh running from other repos (#14086)
lizan Nov 19, 2020
fb4a4b7
matching: only provide string matcher in SinglePredicate (#14084)
snowp Nov 19, 2020
85a911e
doc fix (#14093)
lambdai Nov 19, 2020
7e6b6c7
test: Adding zerolen headers upstream flood tests (#14035)
adisuissa Nov 19, 2020
a52935a
listener: allow setting only a default filter chain (#14025)
tbarrella Nov 19, 2020
0026696
wasm: fix network leak (#13836)
kyessenov Nov 19, 2020
b1d1fc0
http2: fixing upstream sending metadata after ending the stream (#14061)
adisuissa Nov 19, 2020
c72c15c
test: improve docs and robustness of coverage script. (#14021)
htuch Nov 19, 2020
783b773
tls: update BoringSSL to 1ce6682c (4280). (#14072)
PiotrSikora Nov 19, 2020
21a81cf
test: avoid use after free in oauth_integration_test (#14103)
antoniovicente Nov 19, 2020
22a820b
buffer: add a method for getting only the first slice (#14050)
ggreenway Nov 19, 2020
e73172e
[Level Events] manage level events registration mask (#13787)
Nov 20, 2020
e0a80c4
examples: Update SkyWalking version (#13938)
JaredTan95 Nov 20, 2020
723475a
examples: add VRP runtime validation to verify_examples. (#14099)
htuch Nov 20, 2020
ab6e2ff
udp: properly handle truncated/dropped datagrams (#14122)
cpakulski Nov 20, 2020
ca66519
mongo: swap cx destroy metrics (#13991)
Nov 20, 2020
51185ab
Windows CI: Upload test results to AZP (#14083)
sunjayBhatia Nov 20, 2020
59945aa
proxy protocol: set downstreamRemoteAddress on StreamInfo (#14131)
ggreenway Nov 21, 2020
ce172b7
lua: reset downstream_ssl_connection in StreamInfoWrapper when object…
MarcinFalkowski Nov 23, 2020
40aaf60
Fix release notes
andreyprezotto Nov 16, 2020
c8d39ea
Fix formatting
andreyprezotto Nov 16, 2020
446df5e
Fix documentation
andreyprezotto Nov 16, 2020
57cfd34
Code review changes
andreyprezotto Nov 20, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion api/envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ message OAuth2Credentials {

// OAuth config
//
// [#next-free-field: 9]
// [#next-free-field: 10]
message OAuth2Config {
// Endpoint on the authorization server to retrieve the access token from.
config.core.v3.HttpUri token_endpoint = 1;
Expand Down Expand Up @@ -74,6 +74,9 @@ message OAuth2Config {

// Any request that matches any of the provided matchers will be passed through without OAuth validation.
repeated config.route.v3.HeaderMatcher pass_through_matcher = 8;

// Space separated list of scopes to be claimed in the authorization request
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why space separate rather than make this a repeated string?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@htuch basically my lack of knowledge of how to handle this in proto. And also because I've been seen other OAuth solutions that use space separate as a solution, so I had that in mind.
If you want to request the change that's fine, I'll work on that. Any guidance would be much appreciated

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this betrays my lack of knowledge on the OAuth space; generally in proto we prefer structure, but if there is some standard format then this is OK. CC @snowp

Copy link
Contributor

@adisuissa adisuissa Nov 17, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add the default value ("user") in the comment?
Can this be an empty string?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adisuissa I've just added the default value in the comment, thanks for your suggestion
if the property is not provided, it will be compared to an empty string in the FilterConfig getter property. Then it will default to 'user' in this case since 'scope' is a mandatory parameter for OAuth

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm working to implement repeated string auth_scopes = 9;, but having issues with the generated cpp code. Looks like the accessors described in https://developers.google.com/protocol-buffers/docs/reference/cpp-generated#repeatedstring are not available.
Posted a question in Slack's #envoy-users channel, if anyone have time to check it I'd appreciate

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably need to re-run ./tools/proto_format/proto_format.sh fix as the actual protos are read from the "generated_api_shadow" directory (see here).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of special casing 'scope', would it make sense to make this:
map<string, string> additional_authorize_parameters = 9 ?

This would allow passing other parameters (such as audience) using the same mechanism

Copy link
Contributor Author

@andreyprezotto andreyprezotto Nov 23, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @adisuissa, this fixed the issue and now the code is compiling.
But now I'm facing an error to run automated tests, even in the upstream master branch or in my feature branch after rebasing it (this was not happening before).

This error is thrown in both master as well, without any changes added: ERROR: /source/test/mocks/server/BUILD:234:14: C++ compilation of rule '//test/mocks/server:transport_socket_factory_context_mocks' failed (Exit 1) gcc failed: error executing command /usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer '-std=c++0x' -MD -MF ... (remaining 580 argument(s) skipped).

I'm running the tests for oauth filter only as follows: ./ci/run_envoy_docker.sh 'bazel test test/extensions/filters/http/oauth2/...'.
The build runs fine: ./ci/run_envoy_docker.sh 'bazel build source/extensions/filters/http/oauth2/...'

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've just updated to the latest master and tried ./ci/run_envoy_docker.sh 'bazel test test/extensions/filters/http/oauth2/...' (without your changes) and it works.
I don't see the entire error from your comment. Would you be able to copy-paste it to a slack chat (my user is "Adi Peleg" in the Envoy slack)?

string auth_scopes = 9;
}

// Filter config.
Expand Down
5 changes: 4 additions & 1 deletion api/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions docs/root/configuration/http/http_filters/oauth2_filter.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ The following is an example configuring the filter.
name: hmac
sds_config:
path: "/etc/envoy/hmac.yaml"
# (Optional): defaults to 'user' scope if not provided
auth_scopes: "profile email"

Below is a complete code example of how we employ the filter as one of
:ref:`HttpConnectionManager HTTP filters
Expand Down Expand Up @@ -114,6 +116,8 @@ Below is a complete code example of how we employ the filter as one of
name: hmac
sds_config:
path: "/etc/envoy/hmac.yaml"
# (Optional): defaults to 'user' scope is not provided
auth_scopes: "profile email"
- name: envoy.router
tracing: {}
codec_type: "AUTO"
Expand Down
1 change: 1 addition & 0 deletions docs/root/version_history/current.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ Minor Behavior Changes
* ext_authz filter: the deprecated field :ref:`use_alpha <envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.use_alpha>` is no longer supported and cannot be set anymore.
* grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before.
* memory: enable new tcmalloc with restartable sequences for aarch64 builds.
* oauth filter: added the optional parameter :ref:`auth_scopes <config_http_filters_oauth>` with default value of 'user' if not provided. Enables for this value to be overridden in the Authorization request to the OAuth provider.
* tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults.
* watchdog: the watchdog action :ref:`abort_action <envoy_v3_api_msg_watchdog.v3alpha.AbortActionConfig>` is now the default action to terminate the process if watchdog kill / multikill is enabled.
* xds: to support TTLs, heartbeating has been added to xDS. As a result, responses that contain empty resources without updating the version will no longer be propagated to the
Expand Down
5 changes: 4 additions & 1 deletion generated_api_shadow/envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 4 additions & 1 deletion generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions source/extensions/filters/http/oauth2/config.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ secretsProvider(const envoy::extensions::transport_sockets::tls::v3::SdsSecretCo
return secret_manager.findStaticGenericSecretProvider(config.name());
}
}

} // namespace

Http::FilterFactoryCb OAuth2Config::createFilterFactoryFromProtoTyped(
Expand Down
12 changes: 8 additions & 4 deletions source/extensions/filters/http/oauth2/filter.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ constexpr const char* CookieTailHttpOnlyFormatString =
";version=1;path=/;Max-Age={};secure;HttpOnly";

const char* AuthorizationEndpointFormat =
"{}?client_id={}&scope=user&response_type=code&redirect_uri={}&state={}";
"{}?client_id={}&scope={}&response_type=code&redirect_uri={}&state={}";

constexpr absl::string_view UnauthorizedBodyMessage = "OAuth flow failed.";

Expand All @@ -61,6 +61,8 @@ constexpr absl::string_view REDIRECT_LOGGED_IN = "oauth.logged_in";
constexpr absl::string_view REDIRECT_FOR_CREDENTIALS = "oauth.missing_credentials";
constexpr absl::string_view SIGN_OUT = "oauth.sign_out";

const std::string& DEFAULT_AUTH_SCOPE = "user";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd make this absl::string_view for consistency with the others unless you need this to be a std::string


template <class T>
std::vector<Http::HeaderUtility::HeaderData> headerMatchers(const T& matcher_protos) {
std::vector<Http::HeaderUtility::HeaderData> matchers;
Expand Down Expand Up @@ -90,6 +92,8 @@ FilterConfig::FilterConfig(
redirect_matcher_(proto_config.redirect_path_matcher()),
signout_path_(proto_config.signout_path()), secret_reader_(secret_reader),
stats_(FilterConfig::generateStats(stats_prefix, scope)),
auth_scopes_((!proto_config.auth_scopes().empty()) ? proto_config.auth_scopes()
: DEFAULT_AUTH_SCOPE),
forward_bearer_token_(proto_config.forward_bearer_token()),
pass_through_header_matchers_(headerMatchers(proto_config.pass_through_matcher())) {
if (!cluster_manager.get(oauth_token_endpoint_.cluster())) {
Expand Down Expand Up @@ -275,9 +279,9 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he
const std::string escaped_redirect_uri =
Http::Utility::PercentEncoding::encode(redirect_uri, ":/=&?");

const std::string new_url =
fmt::format(AuthorizationEndpointFormat, config_->authorizationEndpoint(),
config_->clientId(), escaped_redirect_uri, escaped_state);
const std::string new_url = fmt::format(
AuthorizationEndpointFormat, config_->authorizationEndpoint(), config_->clientId(),
config_->authScopes(), escaped_redirect_uri, escaped_state);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the auth scope need to be URL encoded here or somewhere else?

response_headers->setLocation(new_url);
decoder_callbacks_->encodeHeaders(std::move(response_headers), true, REDIRECT_FOR_CREDENTIALS);

Expand Down
2 changes: 2 additions & 0 deletions source/extensions/filters/http/oauth2/filter.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,7 @@ class FilterConfig {
std::string clientSecret() const { return secret_reader_->clientSecret(); }
std::string tokenSecret() const { return secret_reader_->tokenSecret(); }
FilterStats& stats() { return stats_; }
const std::string authScopes() const { return auth_scopes_; }

private:
static FilterStats generateStats(const std::string& prefix, Stats::Scope& scope);
Expand All @@ -135,6 +136,7 @@ class FilterConfig {
const Matchers::PathMatcher signout_path_;
std::shared_ptr<SecretReader> secret_reader_;
FilterStats stats_;
const std::string auth_scopes_;
const bool forward_bearer_token_ : 1;
const std::vector<Http::HeaderUtility::HeaderData> pass_through_header_matchers_;
};
Expand Down
1 change: 1 addition & 0 deletions source/extensions/filters/http/oauth2/oauth_client.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ void OAuth2ClientImpl::onSuccess(const Http::AsyncClient::Request&,
const auto response_code = message->headers().Status()->value().getStringView();
if (response_code != "200") {
ENVOY_LOG(debug, "Oauth response code: {}", response_code);
ENVOY_LOG(debug, "Oauth response body: {}", message->bodyAsString());
parent_->sendUnauthorizedResponse();
return;
}
Expand Down
2 changes: 2 additions & 0 deletions test/extensions/filters/http/oauth2/config_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ void expectInvalidSecretConfig(const std::string& failed_secret_name,
signout_path:
path:
exact: /signout
auth_scopes: user
)EOF";

OAuth2Config factory;
Expand Down Expand Up @@ -87,6 +88,7 @@ TEST(ConfigTest, CreateFilter) {
signout_path:
path:
exact: /signout
auth_scopes: user
)EOF";

OAuth2Config factory;
Expand Down
67 changes: 53 additions & 14 deletions test/extensions/filters/http/oauth2/filter_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ static const std::string TEST_CALLBACK = "/_oauth";
static const std::string TEST_CLIENT_ID = "1";
static const std::string TEST_CLIENT_SECRET_ID = "MyClientSecretKnoxID";
static const std::string TEST_TOKEN_SECRET_ID = "MyTokenSecretKnoxID";
static const std::string TEST_AUTH_SCOPES = "user openid email";

namespace {
Http::RegisterCustomInlineHeader<Http::CustomInlineHeaderRegistry::Type::RequestHeaders>
Expand Down Expand Up @@ -91,6 +92,7 @@ class OAuth2Test : public testing::Test {
p.set_authorization_endpoint("https://auth.example.com/oauth/authorize/");
p.mutable_signout_path()->mutable_path()->set_exact("/_signout");
p.set_forward_bearer_token(true);
p.set_auth_scopes(TEST_AUTH_SCOPES);
auto* matcher = p.add_pass_through_matcher();
matcher->set_name(":method");
matcher->set_exact_match("OPTIONS");
Expand Down Expand Up @@ -147,6 +149,41 @@ TEST_F(OAuth2Test, InvalidCluster) {
"specify which cluster to direct OAuth requests to.");
}

// Verifies that the OAuth config is created with a default value for auth_scopes field when it is
// not set in proto/yaml.
TEST_F(OAuth2Test, DefaultAuthScope) {

// Set up proto fields
envoy::extensions::filters::http::oauth2::v3alpha::OAuth2Config p;
auto* endpoint = p.mutable_token_endpoint();
endpoint->set_cluster("auth.example.com");
endpoint->set_uri("auth.example.com/_oauth");
endpoint->mutable_timeout()->set_seconds(1);
p.set_redirect_uri("%REQ(x-forwarded-proto)%://%REQ(:authority)%" + TEST_CALLBACK);
p.mutable_redirect_path_matcher()->mutable_path()->set_exact(TEST_CALLBACK);
p.set_authorization_endpoint("https://auth.example.com/oauth/authorize/");
p.mutable_signout_path()->mutable_path()->set_exact("/_signout");
p.set_forward_bearer_token(true);
auto* matcher = p.add_pass_through_matcher();
matcher->set_name(":method");
matcher->set_exact_match("OPTIONS");

auto credentials = p.mutable_credentials();
credentials->set_client_id(TEST_CLIENT_ID);
credentials->mutable_token_secret()->set_name("secret");
credentials->mutable_hmac_secret()->set_name("hmac");

MessageUtil::validate(p, ProtobufMessage::getStrictValidationVisitor());

// Create the OAuth config.
auto secret_reader = std::make_shared<MockSecretReader>();
FilterConfigSharedPtr test_config_;
test_config_ = std::make_shared<FilterConfig>(p, factory_context_.cluster_manager_, secret_reader,
scope_, "test.");

EXPECT_EQ(test_config_->authScopes(), "user");
}

/**
* Scenario: The OAuth filter receives a sign out request.
*
Expand Down Expand Up @@ -239,8 +276,8 @@ TEST_F(OAuth2Test, OAuthErrorNonOAuthHttpCallback) {
{Http::Headers::get().Location.get(),
"https://auth.example.com/oauth/"
"authorize/?client_id=" +
TEST_CLIENT_ID +
"&scope=user&response_type=code&"
TEST_CLIENT_ID + "&scope=" + TEST_AUTH_SCOPES +
"&response_type=code&"
"redirect_uri=http%3A%2F%2Ftraffic.example.com%2F"
"_oauth&state=http%3A%2F%2Ftraffic.example.com%2Fnot%2F_oauth"},
};
Expand Down Expand Up @@ -392,8 +429,8 @@ TEST_F(OAuth2Test, OAuthTestInvalidUrlInStateQueryParam) {
Http::TestRequestHeaderMapImpl request_headers{
{Http::Headers::get().Host.get(), "traffic.example.com"},
{Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
{Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
"state=blah"},
{Http::Headers::get().Path.get(),
"/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES + "&state=blah"},
{Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
{Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
{Http::Headers::get().Cookie.get(),
Expand Down Expand Up @@ -426,8 +463,8 @@ TEST_F(OAuth2Test, OAuthTestCallbackUrlInStateQueryParam) {
Http::TestRequestHeaderMapImpl request_headers{
{Http::Headers::get().Host.get(), "traffic.example.com"},
{Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
{Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
"state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
{Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
"&state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
{Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
{Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
{Http::Headers::get().Cookie.get(),
Expand Down Expand Up @@ -457,8 +494,8 @@ TEST_F(OAuth2Test, OAuthTestCallbackUrlInStateQueryParam) {
Http::TestRequestHeaderMapImpl final_request_headers{
{Http::Headers::get().Host.get(), "traffic.example.com"},
{Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
{Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
"state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
{Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
"&state=https%3A%2F%2Ftraffic.example.com%2F_oauth"},
{Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
{Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
{Http::Headers::get().Cookie.get(),
Expand All @@ -482,8 +519,9 @@ TEST_F(OAuth2Test, OAuthTestUpdatePathAfterSuccess) {
Http::TestRequestHeaderMapImpl request_headers{
{Http::Headers::get().Host.get(), "traffic.example.com"},
{Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
{Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
"state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
{Http::Headers::get().Path.get(),
"/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
"&state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
{Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
{Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
{Http::Headers::get().Cookie.get(),
Expand Down Expand Up @@ -511,8 +549,9 @@ TEST_F(OAuth2Test, OAuthTestUpdatePathAfterSuccess) {
Http::TestRequestHeaderMapImpl final_request_headers{
{Http::Headers::get().Host.get(), "traffic.example.com"},
{Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
{Http::Headers::get().Path.get(), "/_oauth?code=abcdefxyz123&scope=user&"
"state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
{Http::Headers::get().Path.get(),
"/_oauth?code=abcdefxyz123&scope=" + TEST_AUTH_SCOPES +
"&state=https%3A%2F%2Ftraffic.example.com%2Foriginal_path"},
{Http::Headers::get().Cookie.get(), "OauthExpires=123;version=test"},
{Http::Headers::get().Cookie.get(), "BearerToken=legit_token;version=test"},
{Http::Headers::get().Cookie.get(),
Expand Down Expand Up @@ -545,8 +584,8 @@ TEST_F(OAuth2Test, OAuthTestFullFlowPostWithParameters) {
{Http::Headers::get().Location.get(),
"https://auth.example.com/oauth/"
"authorize/?client_id=" +
TEST_CLIENT_ID +
"&scope=user&response_type=code&"
TEST_CLIENT_ID + "&scope=" + TEST_AUTH_SCOPES +
"&response_type=code&"
"redirect_uri=https%3A%2F%2Ftraffic.example.com%2F"
"_oauth&state=https%3A%2F%2Ftraffic.example.com%2Ftest%"
"3Fname%3Dadmin%26level%3Dtrace"},
Expand Down
1 change: 1 addition & 0 deletions test/extensions/filters/http/oauth2/oauth_integration_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ name: oauth
name: token
hmac_secret:
name: hmac
auth_scopes: user openid email
)EOF");

// Add the OAuth cluster.
Expand Down