Merge pull request #147 from TykTechnologies/fix/saml-vuln-and-broken…
…-tests

TT-13322-Fix SAML vuln and broken tests
sredxny committed Mar 24, 2021
2 parents e344d25 + c5df655 commit 46f7042
Showing 311 changed files with 13,418 additions and 16,451 deletions.
14 changes: 7 additions & 7 deletions api.go
Expand Up @@ -8,9 +8,9 @@ import (
"io/ioutil"
"net/http"

"github.com/sirupsen/logrus"
"github.com/TykTechnologies/tyk-identity-broker/tap"
"github.com/gorilla/mux"
"github.com/sirupsen/logrus"
)

var APILogTag string = "API"
Expand Down Expand Up @@ -91,7 +91,7 @@ func HandleGetProfile(w http.ResponseWriter, r *http.Request) {
key := mux.Vars(r)["id"]
thisProfile := tap.Profile{}

keyErr := AuthConfigStore.GetKey(key,thisProfile.OrgID, &thisProfile)
keyErr := AuthConfigStore.GetKey(key, thisProfile.OrgID, &thisProfile)
if keyErr != nil {
HandleAPIError(APILogTag, "Profile not found", keyErr, 404, w, r)
return
Expand Down Expand Up @@ -121,9 +121,9 @@ func HandleAddProfile(w http.ResponseWriter, r *http.Request) {
return
}

httpErr := tap.AddProfile(thisProfile,AuthConfigStore, GlobalDataLoader.Flush)
httpErr := tap.AddProfile(thisProfile, AuthConfigStore, GlobalDataLoader.Flush)
if httpErr != nil {
HandleAPIError(APILogTag,httpErr.Message, httpErr.Error, httpErr.Code, w, r)
HandleAPIError(APILogTag, httpErr.Message, httpErr.Error, httpErr.Code, w, r)
return
}

Expand All @@ -148,7 +148,7 @@ func HandleUpdateProfile(w http.ResponseWriter, r *http.Request) {

updateErr := tap.UpdateProfile(key, thisProfile, AuthConfigStore, GlobalDataLoader.Flush)
if updateErr != nil {
HandleAPIError(APILogTag,updateErr.Message,updateErr.Error, updateErr.Code,w,r)
HandleAPIError(APILogTag, updateErr.Message, updateErr.Error, updateErr.Code, w, r)
return
}

Expand All @@ -157,12 +157,12 @@ func HandleUpdateProfile(w http.ResponseWriter, r *http.Request) {

func HandleDeleteProfile(w http.ResponseWriter, r *http.Request) {
key := mux.Vars(r)["id"]
err := tap.DeleteProfile(key,"",AuthConfigStore, GlobalDataLoader.Flush)
err := tap.DeleteProfile(key, "", AuthConfigStore, GlobalDataLoader.Flush)
if err != nil {
HandleAPIError(APILogTag, err.Message, err.Error, err.Code, w, r)
return
}

data := make(map[string]string)
HandleAPIOK(data, key, 200, w, r)
}
}
9 changes: 4 additions & 5 deletions configuration/config.go
Expand Up @@ -4,12 +4,12 @@ import (
"encoding/json"
"io/ioutil"

"github.com/kelseyhightower/envconfig"
"github.com/sirupsen/logrus"

logger "github.com/TykTechnologies/tyk-identity-broker/log"
"github.com/TykTechnologies/tyk-identity-broker/tothic"

tyk "github.com/TykTechnologies/tyk-identity-broker/tyk-api"
"github.com/kelseyhightower/envconfig"
"github.com/sirupsen/logrus"
)

var failCount int
Expand Down Expand Up @@ -82,9 +82,8 @@ type Configuration struct {
Storage *Storage
}

//LoadConfig will load the config from a file
// LoadConfig will load the config from a file
func LoadConfig(filePath string, conf *Configuration) {

log = logger.Get()
mainLogger = &logrus.Entry{Logger: log}
mainLogger = mainLogger.Logger.WithField("prefix", mainLoggerTag)
90 changes: 43 additions & 47 deletions configuration/config_test.go
Expand Up @@ -3,20 +3,23 @@ package configuration
import (
"fmt"
"os"
"reflect"
"strconv"
"testing"

"github.com/matryer/is"
)

func TestOverrideConfigWithEnvVars(t *testing.T) {
is := is.New(t)

secret := "SECRET"
port := 1234
profileDir := "PROFILEDIR"

_ = os.Setenv("TYK_IB_SECRET", secret)
_ = os.Setenv("TYK_IB_PORT", strconv.Itoa(port))
_ = os.Setenv("TYK_IB_PROFILEDIR", profileDir)
_ = os.Setenv("TYK_IB_SSLINSECURESKIPVERIFY", "true")
is.NoErr(os.Setenv("TYK_IB_SECRET", secret))
is.NoErr(os.Setenv("TYK_IB_PORT", strconv.Itoa(port)))
is.NoErr(os.Setenv("TYK_IB_PROFILEDIR", profileDir))
is.NoErr(os.Setenv("TYK_IB_SSLINSECURESKIPVERIFY", "true"))

// Backend
maxIdle := 1020
Expand All @@ -34,67 +37,60 @@ func TestOverrideConfigWithEnvVars(t *testing.T) {
}
hostsStr += fmt.Sprintf("%s:%s", key, value)
}
_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXIDLE", strconv.Itoa(maxIdle))
_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXACTIVE", strconv.Itoa(maxActive))
_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_DATABASE", strconv.Itoa(database))
_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_PASSWORD", password)
_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_ENABLECLUSTER", "true")
_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_HOSTS", hostsStr)
is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXIDLE", strconv.Itoa(maxIdle)))
is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXACTIVE", strconv.Itoa(maxActive)))
is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_DATABASE", strconv.Itoa(database)))
is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_PASSWORD", password))
is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_ENABLECLUSTER", "true"))
is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_HOSTS", hostsStr))

// TykAPISettings.GatewayConfig
gwEndpoint := "http://dummyhost"
gwPort := "7890"
gwAdminSecret := "76543"
_ = os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ENDPOINT", gwEndpoint)
_ = os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_PORT", gwPort)
_ = os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ADMINSECRET", gwAdminSecret)
is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ENDPOINT", gwEndpoint))
is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_PORT", gwPort))
is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ADMINSECRET", gwAdminSecret))

// TykAPISettings.DashboardConfig
dbEndpoint := "http://dummyhost2"
dbPort := "9876"
dbAdminSecret := "87654"
_ = os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ENDPOINT", dbEndpoint)
_ = os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_PORT", dbPort)
_ = os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ADMINSECRET", dbAdminSecret)
is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ENDPOINT", dbEndpoint))
is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_PORT", dbPort))
is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ADMINSECRET", dbAdminSecret))

// HttpServerOptions
certFile := "./certs/server.pem"
keyFile := "./certs/key.pem"
_ = os.Setenv("TYK_IB_HTTPSERVEROPTIONS_USESSL", "true")
_ = os.Setenv("TYK_IB_HTTPSERVEROPTIONS_CERTFILE", certFile)
_ = os.Setenv("TYK_IB_HTTPSERVEROPTIONS_KEYFILE", keyFile)
is.NoErr(os.Setenv("TYK_IB_HTTPSERVEROPTIONS_USESSL", "true"))
is.NoErr(os.Setenv("TYK_IB_HTTPSERVEROPTIONS_CERTFILE", certFile))
is.NoErr(os.Setenv("TYK_IB_HTTPSERVEROPTIONS_KEYFILE", keyFile))

// Assertions
var conf Configuration
loadConfig("tib_sample.conf", &conf)

assert(t, secret, conf.Secret)
assert(t, port, conf.Port)
assert(t, profileDir, conf.ProfileDir)
assert(t, true, conf.SSLInsecureSkipVerify)
LoadConfig("testdata/tib_test.conf", &conf)

assert(t, maxIdle, conf.BackEnd.IdentityBackendSettings.MaxIdle)
assert(t, maxActive, conf.BackEnd.IdentityBackendSettings.MaxActive)
assert(t, database, conf.BackEnd.IdentityBackendSettings.Database)
assert(t, password, conf.BackEnd.IdentityBackendSettings.Password)
assert(t, true, conf.BackEnd.IdentityBackendSettings.EnableCluster)
assert(t, hosts, conf.BackEnd.IdentityBackendSettings.Hosts)
is.Equal(secret, conf.Secret)
is.Equal(port, conf.Port)
is.Equal(profileDir, conf.ProfileDir)
is.Equal(true, conf.SSLInsecureSkipVerify)

assert(t, gwEndpoint, conf.TykAPISettings.GatewayConfig.Endpoint)
assert(t, gwPort, conf.TykAPISettings.GatewayConfig.Port)
assert(t, gwAdminSecret, conf.TykAPISettings.GatewayConfig.AdminSecret)
assert(t, dbEndpoint, conf.TykAPISettings.DashboardConfig.Endpoint)
assert(t, dbPort, conf.TykAPISettings.DashboardConfig.Port)
assert(t, dbAdminSecret, conf.TykAPISettings.DashboardConfig.AdminSecret)
is.Equal(maxIdle, conf.BackEnd.IdentityBackendSettings.MaxIdle)
is.Equal(maxActive, conf.BackEnd.IdentityBackendSettings.MaxActive)
is.Equal(database, conf.BackEnd.IdentityBackendSettings.Database)
is.Equal(password, conf.BackEnd.IdentityBackendSettings.Password)
is.Equal(true, conf.BackEnd.IdentityBackendSettings.EnableCluster)
is.Equal(hosts, conf.BackEnd.IdentityBackendSettings.Hosts)

assert(t, true, conf.HttpServerOptions.UseSSL)
assert(t, certFile, conf.HttpServerOptions.CertFile)
assert(t, keyFile, conf.HttpServerOptions.KeyFile)
is.Equal(gwEndpoint, conf.TykAPISettings.GatewayConfig.Endpoint)
is.Equal(gwPort, conf.TykAPISettings.GatewayConfig.Port)
is.Equal(gwAdminSecret, conf.TykAPISettings.GatewayConfig.AdminSecret)
is.Equal(dbEndpoint, conf.TykAPISettings.DashboardConfig.Endpoint)
is.Equal(dbPort, conf.TykAPISettings.DashboardConfig.Port)
is.Equal(dbAdminSecret, conf.TykAPISettings.DashboardConfig.AdminSecret)

}

func assert(t *testing.T, expected interface{}, actual interface{}) {
if !reflect.DeepEqual(expected, actual) {
t.Errorf("Expected %v, actual %v", expected, actual)
}
is.Equal(true, conf.HttpServerOptions.UseSSL)
is.Equal(certFile, conf.HttpServerOptions.CertFile)
is.Equal(keyFile, conf.HttpServerOptions.KeyFile)
}
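Review bot: Every value asserted after `LoadConfig("testdata/tib_test.conf", &conf)` is one the test itself injected through an environment variable, and LoadConfig (as shown in the config.go hunk) returns nothing, so a missing or unparseable fixture would still pass this test; add at least one assertion on a value that exists only in the fixture, for example the backend name `"in_memory"`, so file loading is actually exercised. The os.Setenv calls are also never undone: `TYK_IB_SSLINSECURESKIPVERIFY=true` and the admin-secret overrides stay set for every later test in this package and can silently change their results. Collect the keys in a slice and register `t.Cleanup(func() { for _, k := range keys { os.Unsetenv(k) } })` right after the first Setenv (t.Setenv is not available in the Go version this repository appears to target, so the explicit cleanup is needed).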
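--- /dev/null
+++ b/configuration/testdata/tib_test.conf
@@ -0,0 +1,34 @@
+{
+"BackEnd": {
+"IdentityBackendSettings": {
+"Database": 0,
+"EnableCluster": false,
+"Hosts": {
+"localhost": "6379"
+},
+"MaxActive": 2000,
+"MaxIdle": 1000,
+"Password": ""
+},
+"Name": "in_memory",
+"ProfileBackendSettings": {}
+},
+"HttpServerOptions": {
+"CertFile": "./certs/server.pem",
+"KeyFile": "./certs/server.key",
+"UseSSL": false
+},
+"Secret": "test-secret",
+"TykAPISettings": {
+"DashboardConfig": {
+"AdminSecret": "12345",
+"Endpoint": "http://localhost",
+"Port": "3000"
+},
+"GatewayConfig": {
+"AdminSecret": "54321",
+"Endpoint": "http://localhost",
+"Port": "80"
+}
+}
+}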
11 changes: 6 additions & 5 deletions data_loader/data-loader.go → data_loader/data_loader.go
@@ -1,11 +1,12 @@
package data_loader

import (
"github.com/sirupsen/logrus"
"gopkg.in/mgo.v2"

"github.com/TykTechnologies/tyk-identity-broker/configuration"
logger "github.com/TykTechnologies/tyk-identity-broker/log"
"github.com/TykTechnologies/tyk-identity-broker/tap"
"github.com/sirupsen/logrus"
"gopkg.in/mgo.v2"
)

var log = logger.Get()
Expand All @@ -19,13 +20,13 @@ type DataLoader interface {
Flush(tap.AuthRegisterBackend) error
}

func reloadDataLoaderLogger(){
func reloadDataLoaderLogger() {
log = logger.Get()
dataLogger = &logrus.Entry{Logger:log}
dataLogger = &logrus.Entry{Logger: log}
dataLogger = dataLogger.Logger.WithField("prefix", dataLoaderLoggerTag)
}

func CreateMongoLoaderFromConnection(db *mgo.Database)DataLoader{
func CreateMongoLoaderFromConnection(db *mgo.Database) DataLoader {
var dataLoader DataLoader

reloadDataLoaderLogger()
29 changes: 15 additions & 14 deletions data_loader/data_loader_test.go
@@ -1,29 +1,30 @@
package data_loader
// +build test_mongo

package data_loader_test

import (
"github.com/TykTechnologies/tyk-identity-broker/configuration"
"reflect"
"testing"
)

func TestCreateDataMongoLoader(t *testing.T){
"github.com/TykTechnologies/tyk-identity-broker/configuration"
"github.com/TykTechnologies/tyk-identity-broker/data_loader"
)

func TestCreateDataMongoLoader(t *testing.T) {
conf := configuration.Configuration{
Storage: &configuration.Storage{
StorageType: configuration.MONGO,
MongoConf: &configuration.MongoConf{
MongoURL: "mongodb://tyk-mongo:27017/tyk_tib",
Storage: &configuration.Storage{
StorageType: configuration.MONGO,
MongoConf: &configuration.MongoConf{
MongoURL: "mongodb://tyk-mongo:27017/tyk_tib",
},
},
}
dataLoader, err := CreateDataLoader(conf, nil)

dataLoader, err := data_loader.CreateDataLoader(conf, nil)
if err != nil {
t.Error("creating mongo data loader: "+err.Error())
t.Fatalf("creating Mongo data loader: %v", err)
}

loaderType := reflect.TypeOf(dataLoader)
if loaderType.String() != "*data_loader.MongoLoader"{
t.Error("type of data loader is not correct. Expected *data_loader.MongoLoader but get:"+loaderType.String())
if _, ok := dataLoader.(*data_loader.MongoLoader); !ok {
t.Fatalf("type of data loader is not correct; expected '*data_loader.MongoLoader' but got '%T'", dataLoader)
}
}
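Review bot: The `// +build test_mongo` constraint added at the top of this file removes the test from a plain `go test ./...`, so the Mongo loader has no coverage unless the CI invocation passes `-tags test_mongo`; that wiring is not visible in this PR, so it should be confirmed or the requirement documented above the constraint, e.g. `// Requires a reachable Mongo instance; run with: go test -tags test_mongo ./data_loader/`. The Mongo URL is hard-coded to the tyk-mongo host, which ties the test to one compose setup; reading it from an environment variable with that value as the default would keep the test runnable elsewhere. The second argument to `data_loader.CreateDataLoader(conf, nil)` is passed as nil without a comment saying what it is and why nil is acceptable here; a short comment would help the next reader.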
File renamed without changes.
4 changes: 2 additions & 2 deletions data_loader/file-loader.go → data_loader/file_loader.go
Expand Up @@ -2,9 +2,9 @@ package data_loader

import (
"encoding/json"
"github.com/sirupsen/logrus"
"github.com/TykTechnologies/tyk-identity-broker/configuration"
"github.com/TykTechnologies/tyk-identity-broker/tap"
"github.com/sirupsen/logrus"
"io/ioutil"
"path"
"strconv"
Expand Down Expand Up @@ -43,7 +43,7 @@ func (f *FileLoader) LoadIntoStore(store tap.AuthRegisterBackend) error {

var loaded int
for _, profile := range profiles {
inputErr := store.SetKey(profile.ID,profile.OrgID, profile)
inputErr := store.SetKey(profile.ID, profile.OrgID, profile)
if inputErr != nil {
dataLogger.WithField("error", inputErr).Error("Couldn't encode configuration")
} else {
