cloudflared/token/token_test.go

package token

import (
	"encoding/json"
	"net/http"
	"net/url"
	"testing"
)

func TestHandleRedirects_AttachOrgToken(t *testing.T) {
	req, _ := http.NewRequest("GET", "http://example.com/cdn-cgi/access/login", nil)
	via := []*http.Request{}
	orgToken := "orgTokenValue"

	_ = handleRedirects(req, via, orgToken)

	// Check if the orgToken cookie is attached
	cookies := req.Cookies()
	found := false
	for _, cookie := range cookies {
		if cookie.Name == tokenCookie && cookie.Value == orgToken {
			found = true
			break
		}
	}

	if !found {
		t.Errorf("OrgToken cookie not attached to the request.")
	}
}

func TestHandleRedirects_AttachAppSessionCookie(t *testing.T) {
	req, _ := http.NewRequest("GET", "http://example.com/cdn-cgi/access/authorized", nil)
	via := []*http.Request{
		{
			URL: &url.URL{Path: "/cdn-cgi/access/login"},
			Response: &http.Response{
				Header: http.Header{"Set-Cookie": {"CF_AppSession=appSessionValue"}},
			},
		},
	}
	orgToken := "orgTokenValue"

	err := handleRedirects(req, via, orgToken)

	// Check if the appSessionCookie is attached to the request
	cookies := req.Cookies()
	found := false
	for _, cookie := range cookies {
		if cookie.Name == appSessionCookie && cookie.Value == "appSessionValue" {
			found = true
			break
		}
	}

	if !found {
		t.Errorf("AppSessionCookie not attached to the request.")
	}

	if err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
}

func TestHandleRedirects_StopAtAuthorizedEndpoint(t *testing.T) {
	req, _ := http.NewRequest("GET", "http://example.com/cdn-cgi/access/authorized", nil)
	via := []*http.Request{
		{
			URL: &url.URL{Path: "other"},
		},
		{
			URL: &url.URL{Path: AccessAuthorizedWorkerPath},
		},
	}
	orgToken := "orgTokenValue"

	err := handleRedirects(req, via, orgToken)

	// Check if ErrUseLastResponse is returned
	if err != http.ErrUseLastResponse {
		t.Errorf("Expected ErrUseLastResponse, got %v", err)
	}
}

func TestJwtPayloadUnmarshal_AudAsString(t *testing.T) {
	jwt := `{"aud":"7afbdaf987054f889b3bdd0d29ebfcd2"}`
	var payload jwtPayload
	if err := json.Unmarshal([]byte(jwt), &payload); err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
	if len(payload.Aud) != 1 || payload.Aud[0] != "7afbdaf987054f889b3bdd0d29ebfcd2" {
		t.Errorf("Expected aud to be 7afbdaf987054f889b3bdd0d29ebfcd2, got %v", payload.Aud)
	}
}

func TestJwtPayloadUnmarshal_AudAsSlice(t *testing.T) {
	jwt := `{"aud":["7afbdaf987054f889b3bdd0d29ebfcd2", "f835c0016f894768976c01e076844efe"]}`
	var payload jwtPayload
	if err := json.Unmarshal([]byte(jwt), &payload); err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
	if len(payload.Aud) != 2 || payload.Aud[0] != "7afbdaf987054f889b3bdd0d29ebfcd2" || payload.Aud[1] != "f835c0016f894768976c01e076844efe" {
		t.Errorf("Expected aud to be [7afbdaf987054f889b3bdd0d29ebfcd2, f835c0016f894768976c01e076844efe], got %v", payload.Aud)
	}
}

func TestJwtPayloadUnmarshal_FailsWhenAudIsInt(t *testing.T) {
	jwt := `{"aud":123}`
	var payload jwtPayload
	err := json.Unmarshal([]byte(jwt), &payload)
	wantErr := "aud field is not a string or an array of strings"
	if err.Error() != wantErr {
		t.Errorf("Expected %v, got %v", wantErr, err)
	}
}

func TestJwtPayloadUnmarshal_FailsWhenAudIsArrayOfInts(t *testing.T) {
	jwt := `{"aud": [999, 123] }`
	var payload jwtPayload
	err := json.Unmarshal([]byte(jwt), &payload)
	wantErr := "aud array contains non-string elements"
	if err.Error() != wantErr {
		t.Errorf("Expected %v, got %v", wantErr, err)
	}
}

func TestJwtPayloadUnmarshal_FailsWhenAudIsOmitted(t *testing.T) {
	jwt := `{}`
	var payload jwtPayload
	err := json.Unmarshal([]byte(jwt), &payload)
	wantErr := "aud field is not a string or an array of strings"
	if err.Error() != wantErr {
		t.Errorf("Expected %v, got %v", wantErr, err)
	}
}