Merge pull request #69 from mlibrary/enable-proxy-specs

Enable proxy specs
mlibrary · Feb 21, 2024 · 7f6d33d · 7f6d33d
2 parents 02e3543 + 9996a9c
commit 7f6d33d
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 15 deletions.
diff --git a/apache/conf/test-site.conf b/apache/conf/test-site.conf
@@ -58,6 +58,8 @@
     AuthType RemoteUser
     ProxyPass "http://proxied-test-app.lauth.local:8008"
     ProxyPassReverse "http://proxied-test-app.lauth.local:8008"
+    RequestHeader set X-Authzd-Coll     %{AUTHZD_COLL}e
+    RequestHeader set X-Public-Coll     %{PUBLIC_COLL}e
     <RequireAll>
       Require valid-user
       Require lauth

diff --git a/apache/module/mod_lauth.cpp b/apache/module/mod_lauth.cpp
@@ -35,16 +35,24 @@ static authz_status lauth_check_authorization(request_rec *r,
                                                   const char *require_line,
                                                   const void *parsed_require_line)
 {
-    if (!r->ap_auth_type) {
-       return AUTHZ_DENIED_NO_USER;
+    if (!r->ap_auth_type) return AUTHZ_DENIED_NO_USER;
+
+    Request req;
+    std::string handler = r->handler ? std::string(r->handler) : "";
+    if (handler.substr(0, handler.find(":")) == "proxy-server") {
+      req = Request {
+        .ip = r->useragent_ip ? std::string(r->useragent_ip) : "",
+        .uri = r->uri ? std::string(r->uri) : "",
+        .user = r->user ? std::string(r->user) : ""
+      };
+    } else {
+      req  = Request {
+        .ip = r->useragent_ip ? std::string(r->useragent_ip) : "",
+        .uri = r->filename,
+        .user = r->user ? std::string(r->user) : ""
+      };
     }
 
-    Request req {
-      .ip = r->useragent_ip ? std::string(r->useragent_ip) : "",
-      .uri = r->filename ? std::string(r->filename) : "",
-      .user = r->user ? std::string(r->user) : ""
-    };
-
     std::map<std::string, std::string> result =
       Authorizer("http://app.lauth.local:2300").authorize(req);
 

diff --git a/db/delegation.sql b/db/delegation.sql
@@ -74,7 +74,7 @@ INSERT INTO aa_coll VALUES(
   'f' -- deleted
 );
 
--- we only need one location for these tests
+-- location for non-proxy scenarios
 INSERT INTO aa_coll_obj VALUES(
   'www.lauth.local', -- server hostname, not vhost
   '/lauth/test-site/cgi/printenv', -- dlpsPath
@@ -83,6 +83,15 @@ INSERT INTO aa_coll_obj VALUES(
   'f' -- deleted
 );
 
+-- location for proxy scenarios, where we match by uri
+INSERT INTO aa_coll_obj VALUES(
+  'www.lauth.local', -- server hostname, not vhost
+  '/app/proxied', -- dlpsPath
+  'target-cats', -- coll.uniqueIdentifier
+  CURRENT_TIMESTAMP, 'root', -- modified info
+  'f' -- deleted
+);
+
 INSERT INTO aa_may_access VALUES(
   NULL, -- uniqueIdentifier
   'lauth-allowed', -- userid

diff --git a/test/delegation/delegated_mode.rb b/test/delegation/delegated_mode.rb
@@ -24,14 +24,14 @@
     end
 
     it "lists the matching public collections" do
-      list = parsed_body["PUBLIC_COLL"]
+      list = parsed_body[public_column]
       expect(list).to match_collection_string_format
       expect(tokenize_collection_string(list))
         .to include "public-cats"
     end
 
     it "lists the matching authorized collections" do
-      list = parsed_body["AUTHZD_COLL"]
+      list = parsed_body[authorized_column]
       expect(list).to match_collection_string_format
       expect(tokenize_collection_string(list))
         .to include "target-cats", "extra-cats", "extra-public-cats"
@@ -45,14 +45,14 @@
     end
 
     it "lists the matching public collections" do
-      list = parsed_body["PUBLIC_COLL"]
+      list = parsed_body[public_column]
       expect(list).to match_collection_string_format
       expect(tokenize_collection_string(list))
         .to include "public-cats", "extra-public-cats"
     end
 
     it "lists the matching authorized collections" do
-      list = parsed_body["AUTHZD_COLL"]
+      list = parsed_body[authorized_column]
       expect(list).to eq ":"
     end
   end

diff --git a/test/delegation/hosted_spec.rb b/test/delegation/hosted_spec.rb
@@ -7,6 +7,8 @@
 
   include_examples "delegated mode" do
     let(:url) { "/hosted" }
+    let(:authorized_column) { "AUTHZD_COLL" }
+    let(:public_column) { "PUBLIC_COLL" }
     let(:parsed_body) do
       response.body
         .split("\n")

diff --git a/test/delegation/proxied_spec.rb b/test/delegation/proxied_spec.rb
@@ -1,18 +1,21 @@
 require_relative "delegated_mode"
 
 # TODO: Currently skipped pending figuring out how to put the data into the headers.
-RSpec.describe "A proxied application in delegated mode", :skip do
+RSpec.describe "A proxied application in delegated mode" do
   # These are apps external to the web server, configured for reverse proxy.
   # They should receive identity and the authorized collections in forwarded
   # headers.
 
   include_examples "delegated mode" do
     let(:url) { "/app/proxied" }
+    let(:authorized_column) { "X-Authzd-Coll" }
+    let(:public_column) { "X-Public-Coll" }
     let(:parsed_body) do
       response.body
         .split("\n")
         .map { |s| s.split(":", 2) }
         .to_h
+        .transform_values(&:lstrip)
     end
   end
 end
diff --git a/test/support/collection_string_helpers.rb b/test/support/collection_string_helpers.rb
@@ -19,7 +19,7 @@ def tokenize_collection_string(s)
       COLLECTION_FORMAT.match? actual
     end
     failure_message do |actual|
-      "#{actual} did not match the format (#{COLLECTION_FORMAT})"
+      "<#{actual.class}>#{actual} did not match the format (#{COLLECTION_FORMAT})"
     end
   end
 end