Files
vikunja/pkg/modules/auth/openid/status_test.go

375 lines
11 KiB
Go

// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package openid
import (
"encoding/json"
"net"
"net/http"
"net/http/httptest"
"sync/atomic"
"testing"
"time"
"code.vikunja.io/api/pkg/config"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGetProvidersStatus(t *testing.T) {
defer func() {
config.AuthOpenIDEnabled.Set(false)
config.AuthOpenIDProviders.Set(nil)
CleanupSavedOpenIDProviders()
}()
t.Run("disabled returns nil", func(t *testing.T) {
CleanupSavedOpenIDProviders()
config.AuthOpenIDEnabled.Set(false)
assert.Nil(t, GetProvidersStatus())
})
t.Run("no providers returns nil", func(t *testing.T) {
CleanupSavedOpenIDProviders()
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(nil)
assert.Nil(t, GetProvidersStatus())
})
t.Run("reports provider availability", func(t *testing.T) {
CleanupSavedOpenIDProviders()
server := newMockOIDCServer()
defer server.Close()
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(map[string]interface{}{
"up": map[string]interface{}{
"name": "Up Provider",
"authurl": server.URL,
"clientid": "client1",
"clientsecret": "secret1",
},
"down": map[string]interface{}{
"name": "Down Provider",
"authurl": "http://127.0.0.1:1",
"clientid": "client2",
"clientsecret": "secret2",
},
})
_, err := GetAllProviders()
require.NoError(t, err)
statuses := GetProvidersStatus()
require.Len(t, statuses, 2)
// Results are sorted by provider key.
assert.Equal(t, "down", statuses[0].Key)
assert.False(t, statuses[0].Available)
assert.Equal(t, "up", statuses[1].Key)
assert.True(t, statuses[1].Available)
})
t.Run("nil before the provider list is initialized", func(t *testing.T) {
CleanupSavedOpenIDProviders()
server := newMockOIDCServer()
defer server.Close()
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(map[string]interface{}{
"up": map[string]interface{}{
"name": "Up Provider",
"authurl": server.URL,
"clientid": "client1",
"clientsecret": "secret1",
},
})
// The status must come from cached state only — /health must never
// trigger a provider build.
assert.Nil(t, GetProvidersStatus())
})
t.Run("invalid provider config is reported as unavailable", func(t *testing.T) {
CleanupSavedOpenIDProviders()
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(map[string]interface{}{
"broken": "not-a-map",
})
_, err := GetAllProviders()
require.NoError(t, err)
statuses := GetProvidersStatus()
require.Len(t, statuses, 1)
assert.Equal(t, "broken", statuses[0].Key)
assert.False(t, statuses[0].Available)
})
t.Run("yaml style config maps work", func(t *testing.T) {
CleanupSavedOpenIDProviders()
server := newMockOIDCServer()
defer server.Close()
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(map[interface{}]interface{}{
"yaml": map[interface{}]interface{}{
"name": "Yaml Provider",
"authurl": server.URL,
"clientid": "client1",
"clientsecret": "secret1",
},
})
_, err := GetAllProviders()
require.NoError(t, err)
statuses := GetProvidersStatus()
require.Len(t, statuses, 1)
assert.Equal(t, "yaml", statuses[0].Key)
assert.True(t, statuses[0].Available)
})
}
func TestInitializeUnavailableProviders(t *testing.T) {
defer func() {
config.AuthOpenIDEnabled.Set(false)
config.AuthOpenIDProviders.Set(nil)
CleanupSavedOpenIDProviders()
}()
CleanupSavedOpenIDProviders()
// Reserve a port, then release it to simulate a provider that is down
// while Vikunja starts.
var lc net.ListenConfig
listener, err := lc.Listen(t.Context(), "tcp", "127.0.0.1:0")
require.NoError(t, err)
addr := listener.Addr().String()
providerURL := "http://" + addr
require.NoError(t, listener.Close())
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(map[string]interface{}{
"flaky": map[string]interface{}{
"name": "Flaky Provider",
"authurl": providerURL,
"clientid": "client1",
"clientsecret": "secret1",
},
})
providers, err := GetAllProviders()
require.NoError(t, err)
assert.Empty(t, providers, "the provider must fail initialization while its server is down")
// Retrying while the provider is still down must not make it available.
initializeUnavailableProviders(unavailableProviderKeys())
statuses := GetProvidersStatus()
require.Len(t, statuses, 1)
assert.False(t, statuses[0].Available)
// The provider comes back on the same address.
mux := http.NewServeMux()
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(map[string]interface{}{
"issuer": providerURL,
"authorization_endpoint": providerURL + "/auth",
"token_endpoint": providerURL + "/token",
"jwks_uri": providerURL + "/jwks",
})
})
for range 20 {
listener, err = lc.Listen(t.Context(), "tcp", addr)
if err == nil {
break
}
time.Sleep(50 * time.Millisecond)
}
require.NoError(t, err, "could not re-listen on %s", addr)
srv := &http.Server{Handler: mux, ReadHeaderTimeout: time.Second}
go func() { _ = srv.Serve(listener) }()
defer srv.Close()
initializeUnavailableProviders(unavailableProviderKeys())
providers, err = GetAllProviders()
require.NoError(t, err)
require.Len(t, providers, 1)
assert.Equal(t, "flaky", providers[0].Key)
statuses = GetProvidersStatus()
require.Len(t, statuses, 1)
assert.True(t, statuses[0].Available)
}
func resetProviderRetryState() {
providerRetryState.Lock()
defer providerRetryState.Unlock()
resetProviderRetryBackoff(nil)
}
func setProviderRetryDue() {
providerRetryState.Lock()
defer providerRetryState.Unlock()
providerRetryState.nextAttempt = time.Now().Add(-time.Second)
}
func TestRetryUnavailableProvidersBackoff(t *testing.T) {
defer func() {
config.AuthOpenIDEnabled.Set(false)
config.AuthOpenIDProviders.Set(nil)
CleanupSavedOpenIDProviders()
resetProviderRetryState()
}()
CleanupSavedOpenIDProviders()
resetProviderRetryState()
// A provider that can be flipped between broken (500) and healthy,
// counting how often initialization actually dials it.
var healthy atomic.Bool
var hits atomic.Int64
var server *httptest.Server
server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
hits.Add(1)
if !healthy.Load() {
w.WriteHeader(http.StatusServiceUnavailable)
return
}
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(map[string]interface{}{
"issuer": server.URL,
"authorization_endpoint": server.URL + "/auth",
"token_endpoint": server.URL + "/token",
"jwks_uri": server.URL + "/jwks",
})
}))
defer server.Close()
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(map[string]interface{}{
"flaky": map[string]interface{}{
"name": "Flaky Provider",
"authurl": server.URL,
"clientid": "client1",
"clientsecret": "secret1",
},
})
// First tick: attempt runs, fails and arms the backoff.
retryUnavailableProviders()
require.Positive(t, hits.Load())
providerRetryState.Lock()
assert.Equal(t, 1, providerRetryState.failures)
assert.False(t, providerRetryState.nextAttempt.IsZero())
providerRetryState.Unlock()
// Ticks within the backoff delay must not dial the provider.
dialed := hits.Load()
retryUnavailableProviders()
assert.Equal(t, dialed, hits.Load())
// Once due, the next tick attempts again and doubles the backoff.
setProviderRetryDue()
retryUnavailableProviders()
assert.Greater(t, hits.Load(), dialed)
providerRetryState.Lock()
assert.Equal(t, 2, providerRetryState.failures)
providerRetryState.Unlock()
// A successful attempt resets the backoff.
healthy.Store(true)
setProviderRetryDue()
retryUnavailableProviders()
providerRetryState.Lock()
assert.Equal(t, 0, providerRetryState.failures)
assert.True(t, providerRetryState.nextAttempt.IsZero())
providerRetryState.Unlock()
statuses := GetProvidersStatus()
require.Len(t, statuses, 1)
assert.True(t, statuses[0].Available)
// With everything available, further ticks don't dial at all.
dialed = hits.Load()
retryUnavailableProviders()
assert.Equal(t, dialed, hits.Load())
}
func TestRetryBackoffResetsWhenUnavailableSetChanges(t *testing.T) {
defer func() {
config.AuthOpenIDEnabled.Set(false)
config.AuthOpenIDProviders.Set(nil)
CleanupSavedOpenIDProviders()
resetProviderRetryState()
}()
CleanupSavedOpenIDProviders()
resetProviderRetryState()
var hits atomic.Int64
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
hits.Add(1)
w.WriteHeader(http.StatusServiceUnavailable)
}))
defer server.Close()
flakyConfig := map[string]interface{}{
"name": "Flaky Provider",
"authurl": server.URL,
"clientid": "client1",
"clientsecret": "secret1",
}
config.AuthOpenIDEnabled.Set(true)
config.AuthOpenIDProviders.Set(map[string]interface{}{"flaky": flakyConfig})
retryUnavailableProviders()
providerRetryState.Lock()
assert.Equal(t, 1, providerRetryState.failures)
providerRetryState.Unlock()
// While the backoff is armed, ticks don't attempt.
dialed := hits.Load()
retryUnavailableProviders()
assert.Equal(t, dialed, hits.Load())
// A second provider failing changes the unavailable set, which must reset
// the backoff and retry immediately instead of waiting out the old delay.
config.AuthOpenIDProviders.Set(map[string]interface{}{
"flaky": flakyConfig,
"alsodown": map[string]interface{}{
"name": "Also Down",
"authurl": "http://127.0.0.1:1",
"clientid": "client2",
"clientsecret": "secret2",
},
})
retryUnavailableProviders()
assert.Greater(t, hits.Load(), dialed)
providerRetryState.Lock()
assert.Equal(t, 1, providerRetryState.failures)
assert.Equal(t, []string{"alsodown", "flaky"}, providerRetryState.lastUnavailable)
providerRetryState.Unlock()
}