Add a test for: auth is required, but Authorization must be deleted.

In order to avoid return(pass) in builtin vcl_recv when req.http.Authorization is present -- if the backends don't need the header, it can be deleted. But we need to make sure that it isn't removed before the auth protocol is executed.

Add a test for: auth is required, but Authorization must be deleted.
In order to avoid return(pass) in builtin vcl_recv when req.http.Authorization is present -- if the backends don't need the header, it can be deleted. But we need to make sure that it isn't removed before the auth protocol is executed.
23bb6c6c · Geoff Simmons · a68082d8 · 23bb6c6c · 23bb6c6c
Commit 23bb6c6c authored Mar 13, 2019 by Geoff Simmons
Hide whitespace changes
Inline Side-by-side

Showing with 110 additions and 0 deletions

rewrite_test.go pkg/varnish/vcl/rewrite_test.go +41 -0

rewrite_auth_delete.golden pkg/varnish/vcl/testdata/rewrite_auth_delete.golden +69 -0

No files found.
--- a/pkg/varnish/vcl/rewrite_test.go
+++ b/pkg/varnish/vcl/rewrite_test.go
@@ -31,6 +31,7 @@ package vcl
 import (
 	"bytes"
 	"testing"
+	"io/ioutil"
 )

 func testTemplate(t *testing.T, spec Spec, gold string) {
@@ -693,6 +694,46 @@ func TestRewriteSelectOperations(t *testing.T) {
 	testTemplate(t, rewriteSelectOperations, gold)
 }

+// Test the use case that Auth should be executed, but the
+// Authorization header must be removed, to prevent return(pass) from
+// builtin vcl_recv.  For that, the Authorization header delete must
+// run *after* the auth protocol is executed.
+var rewriteDeleteAuth = Spec{
+	Rewrites: []Rewrite{{
+		Target: "req.http.Authorization",
+		Method: Delete,
+	}},
+	Auths: []Auth{{
+		Realm:  "foo",
+		Status: Basic,
+		Credentials: []string{
+			"QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
+			"QWxhZGRpbjpPcGVuU2VzYW1l",
+		},
+	}},
+}
+
+func TestRewriteDeleteAuth(t *testing.T) {
+	gold := "rewrite_auth_delete.golden"
+	var src string
+	var err error
+	var goldbytes []byte
+
+	if src, err = rewriteDeleteAuth.GetSrc(); err != nil {
+		t.Fatal("GetSrc():", err)
+	}
+
+	if goldbytes, err = ioutil.ReadFile("testdata/"+gold); err != nil {
+		t.Fatal("WriteFile():", err)
+	}
+	if !bytes.Equal(goldbytes, []byte(src)) {
+		t.Fatalf("Generated VCL does not match gold file: %s", gold)
+		if testing.Verbose() {
+			t.Logf("Generated: %s", src)
+		}
+	}
+}
+
 // Code boilerplate for writing the golden file.
 // import ioutils
 // func TestRewriteXXX(t *testing.T) {

--- a/pkg/varnish/vcl/testdata/rewrite_auth_delete.golden
+++ b/pkg/varnish/vcl/testdata/rewrite_auth_delete.golden
+vcl 4.0;
+
+import std;
+import directors;
+import re2;
+
+backend vk8s_notfound {
+	# 192.0.2.0/24 reserved for docs & examples (RFC5737).
+	.host = "192.0.2.255";
+	.port = "80";
+}
+
+
+
+sub vcl_init {}
+
+sub vk8s_set_backend {
+	set req.backend_hint = vk8s_notfound;
+
+	if (req.backend_hint == vk8s_notfound) {
+		return (synth(404));
+	}
+}
+
+sub vcl_miss {
+	call vk8s_set_backend;
+}
+
+sub vcl_pass {
+	call vk8s_set_backend;
+}
+
+import re2;
+
+sub vcl_init {
+	new vk8s_foo_auth = re2.set(anchor=both);
+	vk8s_foo_auth.add("Basic\s+\QQWxhZGRpbjpvcGVuIHNlc2FtZQ==\E\s*");
+	vk8s_foo_auth.add("Basic\s+\QQWxhZGRpbjpPcGVuU2VzYW1l\E\s*");
+	vk8s_foo_auth.compile();
+}
+
+sub vcl_recv {
+	if (
+	    !vk8s_foo_auth.match(req.http.Authorization)
+	   ) {
+		set req.http.VK8S-Authenticate = {"Basic realm="foo""};
+		return(synth(60000 + 401));
+	}
+}
+
+sub vcl_synth {
+	if (resp.status == 60401) {
+		set resp.http.WWW-Authenticate = req.http.VK8S-Authenticate;
+		return(deliver);
+	}
+	if (resp.status == 60407) {
+		set resp.http.Proxy-Authenticate = req.http.VK8S-Authenticate;
+		return(deliver);
+	}
+}
+
+import re2;
+import selector;
+
+
+
+sub vcl_recv {
+		unset req.http.Authorization;
+}