implement cache proxy with authentication
This commit is contained in:
parent
aa13287f67
commit
affaa13e4b
5 changed files with 419 additions and 15 deletions
|
|
@ -1,24 +1,151 @@
|
|||
import { env, createExecutionContext, waitOnExecutionContext, SELF } from 'cloudflare:test';
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { env, createExecutionContext, fetchMock } from 'cloudflare:test';
|
||||
import { describe, it, expect, beforeAll } from 'vitest';
|
||||
import { generateKeyPair, SignJWT, exportJWK } from 'jose';
|
||||
import worker from '../src/index';
|
||||
|
||||
// For now, you'll need to do something like this to get a correctly-typed
|
||||
// `Request` to pass to `worker.fetch()`.
|
||||
const IncomingRequest = Request<unknown, IncomingRequestCfProperties>;
|
||||
|
||||
describe('Hello World worker', () => {
|
||||
it('responds with Hello World! (unit style)', async () => {
|
||||
const request = new IncomingRequest('http://example.com');
|
||||
// Create an empty context to pass to `worker.fetch()`.
|
||||
let privateKey: CryptoKey;
|
||||
let jwksResponse: object;
|
||||
|
||||
beforeAll(async () => {
|
||||
const { publicKey, privateKey: pk } = await generateKeyPair('RS256');
|
||||
privateKey = pk;
|
||||
|
||||
const publicJwk = await exportJWK(publicKey);
|
||||
publicJwk.alg = 'RS256';
|
||||
publicJwk.use = 'sig';
|
||||
publicJwk.kid = 'test-key';
|
||||
jwksResponse = { keys: [publicJwk] };
|
||||
|
||||
fetchMock.activate();
|
||||
fetchMock.disableNetConnect();
|
||||
|
||||
fetchMock
|
||||
.get('https://id.guardianproject.info')
|
||||
.intercept({ path: '/realms/gp/protocol/openid-connect/certs' })
|
||||
.reply(200, JSON.stringify(jwksResponse), {
|
||||
headers: { 'content-type': 'application/json' },
|
||||
})
|
||||
.persist();
|
||||
});
|
||||
|
||||
async function makeJWT(overrides: Record<string, unknown> = {}): Promise<string> {
|
||||
const now = Math.floor(Date.now() / 1000);
|
||||
const defaults = {
|
||||
iss: env.KEYCLOAK_ISSUER,
|
||||
aud: env.KEYCLOAK_AUDIENCE,
|
||||
sub: 'test-user',
|
||||
groups: [env.REQUIRED_GROUP],
|
||||
iat: now,
|
||||
exp: now + 3600,
|
||||
};
|
||||
|
||||
const claims = { ...defaults, ...overrides };
|
||||
|
||||
let builder = new SignJWT(claims)
|
||||
.setProtectedHeader({ alg: 'RS256', kid: 'test-key' });
|
||||
|
||||
if (claims.iss !== undefined) builder = builder.setIssuer(claims.iss as string);
|
||||
if (claims.aud !== undefined) builder = builder.setAudience(claims.aud as string);
|
||||
if (claims.exp !== undefined) builder = builder.setExpirationTime(claims.exp as number);
|
||||
|
||||
return builder.sign(privateKey);
|
||||
}
|
||||
|
||||
describe('nix-cache auth', () => {
|
||||
it('OPTIONS without auth returns 200', async () => {
|
||||
const request = new IncomingRequest('http://example.com/', { method: 'OPTIONS' });
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
// Wait for all `Promise`s passed to `ctx.waitUntil()` to settle before running test assertions
|
||||
await waitOnExecutionContext(ctx);
|
||||
expect(await response.text()).toMatchInlineSnapshot(`"Hello World!"`);
|
||||
expect(response.status).toBe(200);
|
||||
});
|
||||
|
||||
it('responds with Hello World! (integration style)', async () => {
|
||||
const response = await SELF.fetch('https://example.com');
|
||||
expect(await response.text()).toMatchInlineSnapshot(`"Hello World!"`);
|
||||
it('GET with no Authorization header returns 401', async () => {
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info');
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).toBe(401);
|
||||
expect(response.headers.get('WWW-Authenticate')).toBe('Bearer realm="nix-cache"');
|
||||
});
|
||||
|
||||
it('GET with unrecognized auth scheme returns 401', async () => {
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: 'Token xyz' },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).toBe(401);
|
||||
});
|
||||
|
||||
it('GET with Bearer + valid JWT passes auth', async () => {
|
||||
const token = await makeJWT();
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: `Bearer ${token}` },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).not.toBe(401);
|
||||
});
|
||||
|
||||
it('GET with Basic auth :token format passes auth', async () => {
|
||||
const token = await makeJWT();
|
||||
const basic = btoa(':' + token);
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: `Basic ${basic}` },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).not.toBe(401);
|
||||
});
|
||||
|
||||
it('GET with Basic auth user:token format passes auth', async () => {
|
||||
const token = await makeJWT();
|
||||
const basic = btoa('user:' + token);
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: `Basic ${basic}` },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).not.toBe(401);
|
||||
});
|
||||
|
||||
it('GET with invalid Bearer token returns 401', async () => {
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: 'Bearer garbage-token' },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).toBe(401);
|
||||
});
|
||||
|
||||
it('GET with expired JWT returns 401', async () => {
|
||||
const token = await makeJWT({ exp: Math.floor(Date.now() / 1000) - 3600 });
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: `Bearer ${token}` },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).toBe(401);
|
||||
});
|
||||
|
||||
it('GET with JWT missing groups claim returns 401', async () => {
|
||||
const token = await makeJWT({ groups: undefined });
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: `Bearer ${token}` },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).toBe(401);
|
||||
});
|
||||
|
||||
it('GET with JWT where groups does not contain required group returns 401', async () => {
|
||||
const token = await makeJWT({ groups: ['some-other-group'] });
|
||||
const request = new IncomingRequest('http://example.com/nix-cache-info', {
|
||||
headers: { Authorization: `Bearer ${token}` },
|
||||
});
|
||||
const ctx = createExecutionContext();
|
||||
const response = await worker.fetch(request, env, ctx);
|
||||
expect(response.status).toBe(401);
|
||||
});
|
||||
});
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue