AUTH-5682 Org token flow in Access logins should pass CF_AppSession cookie

- Refactor HandleRedirects function and add unit tests - Move signal test to its own file because of OS specific instructions
2025-07-27 20:29:57 +00:00 · 2023-11-13 11:46:06 -06:00
parent 33baad35b8
commit 652df22831
3 changed files with 161 additions and 56 deletions
--- a/token/token_test.go
+++ b/token/token_test.go
@@ -1,54 +1,82 @@
-//go:build linux
-
 package token

 import (
-	"os"
-	"syscall"
+	"net/http"
+	"net/url"
 	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

-func TestSignalHandler(t *testing.T) {
-	sigHandler := signalHandler{signals: []os.Signal{syscall.SIGUSR1}}
-	handlerRan := false
-	done := make(chan struct{})
-	timer := time.NewTimer(time.Second)
-	sigHandler.register(func() {
-		handlerRan = true
-		done <- struct{}{}
-	})
+func TestHandleRedirects_AttachOrgToken(t *testing.T) {
+	req, _ := http.NewRequest("GET", "http://example.com/cdn-cgi/access/login", nil)
+	via := []*http.Request{}
+	orgToken := "orgTokenValue"

-	p, err := os.FindProcess(os.Getpid())
-	require.Nil(t, err)
-	p.Signal(syscall.SIGUSR1)
+	handleRedirects(req, via, orgToken)

-	// Blocks for up to one second to make sure the handler callback runs before the assert.
-	select {
-	case <-done:
-		assert.True(t, handlerRan)
-	case <-timer.C:
-		t.Fail()
+	// Check if the orgToken cookie is attached
+	cookies := req.Cookies()
+	found := false
+	for _, cookie := range cookies {
+		if cookie.Name == tokenCookie && cookie.Value == orgToken {
+			found = true
+			break
+		}
 	}
-	sigHandler.deregister()
-}

-func TestSignalHandlerClose(t *testing.T) {
-	sigHandler := signalHandler{signals: []os.Signal{syscall.SIGUSR1}}
-	done := make(chan struct{})
-	timer := time.NewTimer(time.Second)
-	sigHandler.register(func() { done <- struct{}{} })
-	sigHandler.deregister()
-
-	p, err := os.FindProcess(os.Getpid())
-	require.Nil(t, err)
-	p.Signal(syscall.SIGUSR1)
-	select {
-	case <-done:
-		t.Fail()
-	case <-timer.C:
+	if !found {
+		t.Errorf("OrgToken cookie not attached to the request.")
+	}
+}
+
+func TestHandleRedirects_AttachAppSessionCookie(t *testing.T) {
+	req, _ := http.NewRequest("GET", "http://example.com/cdn-cgi/access/authorized", nil)
+	via := []*http.Request{
+		{
+			URL: &url.URL{Path: "/cdn-cgi/access/login"},
+			Response: &http.Response{
+				Header: http.Header{"Set-Cookie": {"CF_AppSession=appSessionValue"}},
+			},
+		},
+	}
+	orgToken := "orgTokenValue"
+
+	err := handleRedirects(req, via, orgToken)
+
+	// Check if the appSessionCookie is attached to the request
+	cookies := req.Cookies()
+	found := false
+	for _, cookie := range cookies {
+		if cookie.Name == appSessionCookie && cookie.Value == "appSessionValue" {
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		t.Errorf("AppSessionCookie not attached to the request.")
+	}
+
+	if err != nil {
+		t.Errorf("Expected no error, got %v", err)
+	}
+}
+
+func TestHandleRedirects_StopAtAuthorizedEndpoint(t *testing.T) {
+	req, _ := http.NewRequest("GET", "http://example.com/cdn-cgi/access/authorized", nil)
+	via := []*http.Request{
+		{
+			URL: &url.URL{Path: "other"},
+		},
+		{
+			URL: &url.URL{Path: AccessAuthorizedWorkerPath},
+		},
+	}
+	orgToken := "orgTokenValue"
+
+	err := handleRedirects(req, via, orgToken)
+
+	// Check if ErrUseLastResponse is returned
+	if err != http.ErrUseLastResponse {
+		t.Errorf("Expected ErrUseLastResponse, got %v", err)
 	}
 }