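/**
 * Copyright 2015 Google Inc. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS-IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.google.apphosting.vmruntime.jetty9;

import com.google.apphosting.api.ApiProxy;
import com.google.apphosting.api.UserServicePb.CreateLoginURLResponse;
import com.google.apphosting.vmruntime.VmApiProxyEnvironment;
import java.net.InetAddress;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

/**
 * Testing Jetty9 auth handling.
 *
 * <p>Every test sends one request to the test application started by {@link VmRuntimeTestBase}
 * and checks how the runtime enforces the security constraints of three paths:
 * {@code /test-auth} (no user required), {@code /user/test-auth} (user required) and
 * {@code /admin/test-auth} (admin required). The caller's identity is carried in request
 * headers ({@link VmApiProxyEnvironment#EMAIL_HEADER},
 * {@link VmApiProxyEnvironment#AUTH_DOMAIN_HEADER},
 * {@link VmApiProxyEnvironment#IS_ADMIN_HEADER}), so the last tests cover the check that
 * decides whether a request is trusted at all: with
 * {@link VmApiProxyEnvironment#REAL_IP_HEADER} set to {@code 127.0.0.1} the identity headers
 * are honored, while {@code 127.0.0.2} and {@code 123.123.123.123} get a 307 redirect to an
 * https URL on the configured host instead of being served.
 *
 * <p>Redirects are never followed: the status code and {@code Location} header are what the
 * tests assert on. Every {@link GetMethod} is released after use so a failing assertion does
 * not leak a pooled connection into the next test.
 */
public class VmRuntimeJettyAuthTest extends VmRuntimeTestBase {

  /** Connection timeout applied to every client the tests create. */
  private static final int CONNECTION_TIMEOUT_MS = 30000;

  /** Login URL the faked {@code user/CreateLoginUrl} call returns. */
  private static final String LOGIN_URL =
      "http://login-url?url=http://test-app.googleapp.com/user/test-auth";

  /** Identity presented by the "logged in" requests. */
  private static final String USER_EMAIL = "isdal@google.com";
  private static final String AUTH_DOMAIN = "google.com";

  /** Body the test servlet writes for a logged-in user and for an anonymous request. */
  private static final String USER_BODY = "isdal@google.com: isdal@google.com";
  private static final String ANONYMOUS_BODY = "null: null";

  /**
   * The parts of a response the tests assert on. It is built after the response has been
   * consumed, so the underlying connection can be released before any assertion runs.
   */
  private static final class Response {
    final int code;
    final String body;
    /** Value of the {@code Location} header, or {@code null} when the response has none. */
    final String location;

    Response(int code, String body, String location) {
      this.code = code;
      this.body = body;
      this.location = location;
    }
  }

  /**
   * Builds a GET for {@code url} that does not follow redirects, since the redirect itself is
   * what several tests check.
   */
  private static GetMethod newGet(String url) {
    GetMethod get = new GetMethod(url);
    get.setFollowRedirects(false);
    return get;
  }

  /**
   * Executes {@code get} with a fresh client and returns the status, body and Location header.
   *
   * <p>The method is always released, and a missing {@code Location} header yields a
   * {@code null} location rather than a NullPointerException, so the caller's
   * {@code assertEquals} reports the actual mismatch.
   */
  private static Response execute(GetMethod get) throws Exception {
    HttpClient httpClient = new HttpClient();
    httpClient.getHttpConnectionManager().getParams().setConnectionTimeout(CONNECTION_TIMEOUT_MS);
    try {
      int code = httpClient.executeMethod(get);
      Header location = get.getResponseHeader("Location");
      return new Response(
          code, get.getResponseBodyAsString(), location == null ? null : location.getValue());
    } finally {
      get.releaseConnection();
    }
  }

  /** Adds the headers that identify a logged-in, non-admin user. */
  private static void addUserHeaders(GetMethod get) {
    get.addRequestHeader(VmApiProxyEnvironment.EMAIL_HEADER, USER_EMAIL);
    get.addRequestHeader(VmApiProxyEnvironment.AUTH_DOMAIN_HEADER, AUTH_DOMAIN);
  }

  /** Adds the headers that identify a logged-in admin user. */
  private static void addAdminHeaders(GetMethod get) {
    addUserHeaders(get);
    get.addRequestHeader(VmApiProxyEnvironment.IS_ADMIN_HEADER, "1");
  }

  /**
   * Installs a fake API delegate whose next response is a {@code user/CreateLoginUrl} reply
   * carrying {@code loginUrl}. Must be called before the request that triggers the login
   * redirect.
   */
  private static void fakeLoginUrlResponse(String loginUrl) {
    CreateLoginURLResponse loginUrlResponse = new CreateLoginURLResponse();
    loginUrlResponse.setLoginUrl(loginUrl);
    // Fake the expected call to "user/CreateLoginUrl".
    FakeableVmApiProxyDelegate fakeApiProxy = new FakeableVmApiProxyDelegate();
    ApiProxy.setDelegate(fakeApiProxy);
    fakeApiProxy.addApiResponse(loginUrlResponse);
  }

  /** A path with no constraint serves an anonymous request. */
  public void testAuth_UserNotRequired() throws Exception {
    String[] lines = fetchUrl(createUrl("/test-auth"));
    assertEquals(1, lines.length);
    assertEquals(ANONYMOUS_BODY, lines[0].trim());
  }

  /** A user-only path with no identity headers redirects (302) to the login URL. */
  public void testAuth_UserRequiredNoUser() throws Exception {
    fakeLoginUrlResponse(LOGIN_URL);
    Response response = execute(newGet(createUrl("/user/test-auth").toString()));
    assertEquals(302, response.code);
    assertEquals(LOGIN_URL, response.location);
  }

  /** A user-only path serves a logged-in user. */
  public void testAuth_UserRequiredWithUser() throws Exception {
    GetMethod get = newGet(createUrl("/user/test-auth").toString());
    addUserHeaders(get);
    Response response = execute(get);
    assertEquals(200, response.code);
    assertEquals(USER_BODY, response.body);
  }

  /** A user-only path serves an admin as well. */
  public void testAuth_UserRequiredWithAdmin() throws Exception {
    GetMethod get = newGet(createUrl("/user/test-auth").toString());
    addAdminHeaders(get);
    Response response = execute(get);
    assertEquals(200, response.code);
    assertEquals(USER_BODY, response.body);
  }

  /** An admin-only path rejects a logged-in non-admin with 403 rather than a login redirect. */
  public void testAuth_AdminRequiredWithNonAdmin() throws Exception {
    GetMethod get = newGet(createUrl("/admin/test-auth").toString());
    addUserHeaders(get);
    Response response = execute(get);
    assertEquals(403, response.code);
  }

  /** An admin-only path with no identity headers redirects (302) to the login URL. */
  public void testAuth_AdminRequiredNoUser() throws Exception {
    fakeLoginUrlResponse(LOGIN_URL);
    Response response = execute(newGet(createUrl("/admin/test-auth").toString()));
    assertEquals(302, response.code);
    assertEquals(LOGIN_URL, response.location);
  }

  /** An admin-only path serves an admin. */
  public void testAuth_AdminRequiredWithAdmin() throws Exception {
    GetMethod get = newGet(createUrl("/admin/test-auth").toString());
    addAdminHeaders(get);
    Response response = execute(get);
    assertEquals(200, response.code);
    assertEquals(USER_BODY, response.body);
  }

  /**
   * The internal skip-admin-check header lets an anonymous request through an admin-only path.
   *
   * <p>This test only shows that the runtime honors the header; it does not show who can set
   * it. That the header cannot be supplied by external clients depends on the front end
   * stripping it, which is outside this test — NOTE(review): confirm that is covered elsewhere.
   */
  public void testAuth_AdminRequiredNoUser_SkipAdminCheck() throws Exception {
    GetMethod get = newGet(createUrl("/admin/test-auth").toString());
    get.addRequestHeader("X-Google-Internal-SkipAdminCheck", "1");
    Response response = execute(get);
    assertEquals(200, response.code);
    assertEquals(ANONYMOUS_BODY, response.body);
  }

  /**
   * A task-queue request (identified by its queue-name header) reaches an admin-only path
   * without a user. As with the skip-admin-check header, the test does not cover whether
   * external clients can forge this header.
   */
  public void testAuth_AdminRequiredNoUser_TaskQueueHeader() throws Exception {
    GetMethod get = newGet(createUrl("/admin/test-auth").toString());
    get.addRequestHeader("X-AppEngine-QueueName", "default");
    Response response = execute(get);
    assertEquals(200, response.code);
    assertEquals(ANONYMOUS_BODY, response.body);
  }

  /** A request from an untrusted real IP is redirected (307) to the https host, not served. */
  public void testAuth_UntrustedInboundIp() throws Exception {
    GetMethod get = newGet(createUrlForHostIP("/admin/test-auth").toString());
    get.addRequestHeader(VmApiProxyEnvironment.REAL_IP_HEADER, "127.0.0.2"); // Force untrusted dev IP
    Response response = execute(get);
    assertEquals(307, response.code);
    assertEquals(
        "https://testversion-dot-testbackend-dot-testhostname/admin/test-auth", response.location);
  }

  /** The untrusted-IP redirect preserves the query string. */
  public void testAuth_UntrustedInboundIpWithQuery() throws Exception {
    GetMethod get = newGet(createUrlForHostIP("/admin/test-auth?foo=bar").toString());
    get.addRequestHeader(VmApiProxyEnvironment.REAL_IP_HEADER, "127.0.0.2"); // Force untrusted dev IP
    Response response = execute(get);
    assertEquals(307, response.code);
    assertEquals(
        "https://testversion-dot-testbackend-dot-testhostname/admin/test-auth?foo=bar",
        response.location);
  }

  /** With the trusted real IP, the identity headers are honored and the admin is served. */
  public void testAuth_TrustedRealIP() throws Exception {
    GetMethod get = newGet(createUrlForHostIP("/admin/test-auth").toString());
    get.addRequestHeader(VmApiProxyEnvironment.REAL_IP_HEADER, "127.0.0.1");
    addAdminHeaders(get);
    Response response = execute(get);
    assertEquals(200, response.code);
    assertEquals(USER_BODY, response.body);
  }

  /** A non-loopback real IP is untrusted regardless of how the URL is built. */
  public void testAuth_UntrustedRealIP() throws Exception {
    GetMethod get = newGet(createUrl("/admin/test-auth").toString());
    get.addRequestHeader(VmApiProxyEnvironment.REAL_IP_HEADER, "123.123.123.123");
    Response response = execute(get);
    assertEquals(307, response.code);
    assertEquals(
        "https://testversion-dot-testbackend-dot-testhostname/admin/test-auth", response.location);
  }
}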