-
Notifications
You must be signed in to change notification settings - Fork 4.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Huabing Zhao <[email protected]>
- Loading branch information
1 parent
2a71021
commit 623e1f1
Showing
2 changed files
with
299 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,295 @@ | ||
| diff --git a/single-page-app/verify.sh b/single-page-app/verify.sh | ||
| index 6b1547f..582917d 100755 | ||
| --- a/single-page-app/verify.sh | ||
| +++ b/single-page-app/verify.sh | ||
| @@ -10,11 +10,13 @@ export PORT_PROXY="${SPA_PORT_PROXY:-11900}" | ||
| export PORT_MYHUB="${SPA_PORT_MYHUB:-11902}" | ||
| export MANUAL=true | ||
|
|
||
| + | ||
| BACKUP_FILES=( | ||
| - "envoy.yml" | ||
| + "envoy.yml" | ||
| ) | ||
|
|
||
| -finally() { | ||
| + | ||
| +finally () { | ||
| rm -rf .local.ci | ||
| for file in "${BACKUP_FILES[@]}"; do | ||
| move_if_exists "${file}.bak" "${file}" | ||
| @@ -30,8 +32,9 @@ export -f finally | ||
| # eg selenium or similar. | ||
| # Everything else should be tested. | ||
|
|
||
| + | ||
| EXPECTED_USER_JQ=$( | ||
| - cat <<'EOF' | ||
| +cat << 'EOF' | ||
| {"avatar_url": "http://localhost:\($port)/images/users/envoy.svg", | ||
| "followers": 3, | ||
| "following": 2, | ||
| @@ -44,11 +47,10 @@ EXPECTED_USER="$( | ||
| yq -c \ | ||
| --arg port "$PORT_MYHUB" \ | ||
| "$EXPECTED_USER_JQ" \ | ||
| - <myhub/data.yml | ||
| -)" | ||
| + < myhub/data.yml)" | ||
|
|
||
| EXPECTED_REPOS_JQ=$( | ||
| - cat <<'EOF' | ||
| +cat << 'EOF' | ||
| .users.envoydemo.public_repos as $user_repos | ||
| | .repos as $repos | ||
| | $user_repos | ||
| @@ -62,11 +64,10 @@ EXPECTED_REPOS="$( | ||
| yq -c \ | ||
| --arg port "$PORT_MYHUB" \ | ||
| "$EXPECTED_REPOS_JQ" \ | ||
| - <myhub/data.yml | ||
| -)" | ||
| + < myhub/data.yml)" | ||
|
|
||
| EXPECTED_FOLLOWERS_JQ=$( | ||
| - cat <<'EOF' | ||
| +cat << 'EOF' | ||
| .users.envoydemo.followers as $followers | ||
| | .users as $users | ||
| | $followers | ||
| @@ -81,11 +82,10 @@ EXPECTED_FOLLOWING="$( | ||
| yq -c \ | ||
| --arg port "$PORT_MYHUB" \ | ||
| "$EXPECTED_FOLLOWERS_JQ" \ | ||
| - <myhub/data.yml | ||
| -)" | ||
| + < myhub/data.yml)" | ||
|
|
||
| EXPECTED_FOLLOWING_JQ=$( | ||
| - cat <<'EOF' | ||
| +cat << 'EOF' | ||
| .users.envoydemo.following as $following | ||
| | .users as $users | ||
| | $following | ||
| @@ -100,10 +100,10 @@ EXPECTED_FOLLOWING="$( | ||
| yq -c \ | ||
| --arg port "$PORT_MYHUB" \ | ||
| "$EXPECTED_FOLLOWING_JQ" \ | ||
| - <myhub/data.yml | ||
| -)" | ||
| + < myhub/data.yml)" | ||
| + | ||
|
|
||
| -test_auth() { | ||
| +test_auth () { | ||
| local proxy_port | ||
| proxy_scheme=$1 | ||
| proxy_port=$2 | ||
| @@ -122,12 +122,10 @@ test_auth() { | ||
| # Nonce-less verification will remain for backward compatibility with previous releases. | ||
| # TODO: zhaohuabing - Remove the nonce-less verification after a reasonable transition period, such as one year. | ||
| run_log "Check whether the nonce is used in the OAuth2 filter" | ||
| - | ||
| - BASE64URL_PREFIX="eyJ1cmwiOi" # The state is prefixed with this string when it is a base64url encoded json object ({"url":) | ||
| - STATE_BASE64URL_ENCODE="false" # Whether the state is a base64url encoded json object | ||
| + SUPPORT_NONCE="false" | ||
| LOCATION=$(_curl "${curl_args[@]}" --head "${proxy_scheme}://localhost:${proxy_port}/login" | grep location) | ||
| - if [[ "$LOCATION" == ${BASE64URL_PREFIX}* ]]; then | ||
| - STATE_BASE64URL_ENCODE="true" | ||
| + if [[ "$LOCATION" == *"nonce%3D"* ]]; then | ||
| + SUPPORT_NONCE="true" | ||
| fi | ||
|
|
||
| run_log "Inititiate login" | ||
| @@ -135,52 +133,50 @@ test_auth() { | ||
| "HTTP/1.1 302 Found" \ | ||
| "${proxy_scheme}://localhost:${proxy_port}/login" \ | ||
| "${curl_args[@]}" | ||
| - if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then | ||
| + if [[ "$SUPPORT_NONCE" == "true" ]]; then | ||
| responds_with_header \ | ||
| - "location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${BASE64URL_PREFIX}" \ | ||
| + "location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D" \ | ||
| + "${proxy_scheme}://localhost:${proxy_port}/login" \ | ||
| + "${curl_args[@]}" | ||
| + responds_with_header \ | ||
| + "set-cookie: OauthNonce=" \ | ||
| "${proxy_scheme}://localhost:${proxy_port}/login" \ | ||
| "${curl_args[@]}" | ||
| else | ||
| responds_with_header \ | ||
| - "location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D" \ | ||
| + "location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" \ | ||
| "${proxy_scheme}://localhost:${proxy_port}/login" \ | ||
| "${curl_args[@]}" | ||
| fi | ||
| - responds_with_header \ | ||
| - "set-cookie: OauthNonce=" \ | ||
| - "${proxy_scheme}://localhost:${proxy_port}/login" \ | ||
| - "${curl_args[@]}" | ||
| - | ||
| - encoded_state=$(echo -n "{\"url\":\"${proxy_scheme}://localhost:${proxy_port}/login\",\"nonce\":\"12345678\"}" | basenc --base64url) | ||
|
|
||
| run_log "Fetch the myhub authorization page" | ||
| - if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then | ||
| + if [[ "$SUPPORT_NONCE" == "true" ]]; then | ||
| responds_with_header \ | ||
| "HTTP/1.1 302 Found" \ | ||
| - "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" \ | ||
| + "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \ | ||
| "${curl_args[@]}" | ||
| responds_with_header \ | ||
| "Location: ${proxy_scheme}://localhost:${proxy_port}/authorize?code=" \ | ||
| - "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" \ | ||
| + "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \ | ||
| "${curl_args[@]}" | ||
| else | ||
| responds_with_header \ | ||
| "HTTP/1.1 302 Found" \ | ||
| - "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \ | ||
| + "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" \ | ||
| "${curl_args[@]}" | ||
| responds_with_header \ | ||
| "Location: ${proxy_scheme}://localhost:${proxy_port}/authorize?code=" \ | ||
| - "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \ | ||
| + "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" \ | ||
| "${curl_args[@]}" | ||
| fi | ||
|
|
||
| run_log "Return to the app and receive creds" | ||
| - if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then | ||
| - CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" | grep Location | cut -d= -f2 | cut -d\& -f1) | ||
| - RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${encoded_state}") | ||
| - else | ||
| + if [[ "$SUPPORT_NONCE" == "true" ]]; then | ||
| CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" | grep Location | cut -d= -f2 | cut -d\& -f1) | ||
| RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678") | ||
| + else | ||
| + CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" | grep Location | cut -d= -f2 | cut -d\& -f1) | ||
| + RESPONSE=$(_curl "${curl_args[@]}" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin") | ||
| fi | ||
| echo "$RESPONSE" | grep "HTTP/1.1 302 Found" | ||
| echo "$RESPONSE" | grep "location: ${proxy_scheme}://localhost:${proxy_port}/login" | ||
| @@ -204,7 +200,7 @@ test_auth() { | ||
| ) | ||
|
|
||
| for endpoint in "${endpoints[@]}"; do | ||
| - IFS='|' read -r log_message expected_response path <<<"$endpoint" | ||
| + IFS='|' read -r log_message expected_response path <<< "$endpoint" | ||
| run_log "$log_message" | ||
| responds_with \ | ||
| "$expected_response" \ | ||
| @@ -221,12 +217,12 @@ test_auth() { | ||
| echo "$RESPONSE" | grep "set-cookie: BearerToken=deleted" | ||
| } | ||
|
|
||
| -get_js() { | ||
| - _curl -k "https://localhost:${PORT_PROXY}" | | ||
| - grep "assets/index" | | ||
| - grep -oP '<script type="module" crossorigin src="/assets/[^"]+"></script>' | | ||
| - grep -oP '/assets/[^"]+' | | ||
| - sed 's/\/assets\///;s/".*//' | ||
| +get_js () { | ||
| + _curl -k "https://localhost:${PORT_PROXY}" \ | ||
| + | grep "assets/index" \ | ||
| + | grep -oP '<script type="module" crossorigin src="/assets/[^"]+"></script>' \ | ||
| + | grep -oP '/assets/[^"]+' \ | ||
| + | sed 's/\/assets\///;s/".*//' | ||
| } | ||
|
|
||
| run_log "Adjust environment for CI" | ||
| @@ -238,8 +234,8 @@ export UI_PATH=./.local.ci/ui | ||
| for file in "${BACKUP_FILES[@]}"; do | ||
| cp -a "${file}" "${file}.bak" | ||
| done | ||
| -echo "VITE_APP_API_URL=https://localhost:${PORT_PROXY}" >ui/.env.production.local | ||
| -echo "VITE_APP_API_URL=http://localhost:${PORT_DEV_PROXY}" >ui/.env.development.local | ||
| +echo "VITE_APP_API_URL=https://localhost:${PORT_PROXY}" > ui/.env.production.local | ||
| +echo "VITE_APP_API_URL=http://localhost:${PORT_DEV_PROXY}" > ui/.env.development.local | ||
| sed -i "s/localhost:7000/localhost:${PORT_MYHUB}/g" envoy.yml | ||
| export UID | ||
|
|
||
| @@ -248,7 +244,7 @@ cp -a secrets/ .local.ci/ | ||
| export SECRETS_PATH=./.local.ci/secrets/ | ||
| HMAC_SECRET=$(echo "MY_HMAC_SECRET" | mkpasswd -s) | ||
| export HMAC_SECRET | ||
| -envsubst <hmac-secret.tmpl.yml >.local.ci/secrets/hmac-secret.yml | ||
| +envsubst < hmac-secret.tmpl.yml > .local.ci/secrets/hmac-secret.yml | ||
|
|
||
| run_log "Start servers" | ||
| bring_up_example | ||
| @@ -273,7 +269,7 @@ docker compose up --build -d envoy | ||
| docker compose run --rm ui build.sh | ||
|
|
||
| run_log "Check the created routes" | ||
| -jq '.resources[0].filter_chains[0].filters[0].typed_config.route_config.virtual_hosts[0].routes' <.local.ci/production/xds/lds.yml | ||
| +jq '.resources[0].filter_chains[0].filters[0].typed_config.route_config.virtual_hosts[0].routes' < .local.ci/production/xds/lds.yml | ||
|
|
||
| test_auth https "${PORT_PROXY}" | ||
|
|
||
| @@ -301,7 +297,7 @@ responds_with \ | ||
|
|
||
| run_log "Update Envoy's configuration to use Github" | ||
| export TOKEN_SECRET=ZZZ | ||
| -envsubst <token-secret.tmpl.yml >.local.ci/secrets/github-token-secret.yml | ||
| +envsubst < token-secret.tmpl.yml > .local.ci/secrets/github-token-secret.yml | ||
| GITHUB_PROVIDED_CLIENT_ID=XXX | ||
| cp -a envoy.yml .local.ci/ | ||
| sed -i "s@cluster:\ hub@cluster:\ github@g" .local.ci/envoy.yml | ||
| @@ -310,10 +306,10 @@ sed -i "s@authorization_endpoint:\ http://localhost:${PORT_MYHUB}/authorize@auth | ||
| sed -i "s@uri:\ http://myhub:${PORT_MYHUB}/authenticate@uri:\ https://github.com/login/oauth/access_token@g" .local.ci/envoy.yml | ||
| sed -i "s@path:\ /etc/envoy/secrets/myhub-token-secret.yml@path:\ /etc/envoy/secrets/github-token-secret.yml@g" .local.ci/envoy.yml | ||
| sed -i "s@host_rewrite_literal:\ api.myhub@host_rewrite_literal:\ api.github.com@g" .local.ci/envoy.yml | ||
| -cat _github-clusters.yml >>.local.ci/envoy.yml | ||
| +cat _github-clusters.yml >> .local.ci/envoy.yml | ||
|
|
||
| run_log "Update the app configuration to use Github" | ||
| -echo "VITE_APP_AUTH_PROVIDER=github" >.local.ci/ui/.env.local | ||
| +echo "VITE_APP_AUTH_PROVIDER=github" > .local.ci/ui/.env.local | ||
|
|
||
| run_log "Rebuild the app and restart Envoy (Github)" | ||
| export ENVOY_CONFIG=.local.ci/envoy.yml | ||
| @@ -330,16 +326,16 @@ run_log "Inititiate dev login (Github)" | ||
| responds_with_header \ | ||
| "HTTP/1.1 302 Found" \ | ||
| "http://localhost:${PORT_DEV_PROXY}/login" | ||
| -if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then | ||
| +if [[ "$SUPPORT_NONCE" == "true" ]]; then | ||
| responds_with_header \ | ||
| - "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${BASE64URL_PREFIX}" \ | ||
| + "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttp%253A%252F%252Flocalhost%253A${PORT_DEV_PROXY}%252Flogin%26nonce%3D" \ | ||
| "http://localhost:${PORT_DEV_PROXY}/login" | ||
| responds_with_header \ | ||
| "set-cookie: OauthNonce=" \ | ||
| "http://localhost:${PORT_DEV_PROXY}/login" | ||
| else | ||
| responds_with_header \ | ||
| - "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttp%253A%252F%252Flocalhost%253A${PORT_DEV_PROXY}%252Flogin%26nonce%3D" \ | ||
| + "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Flogin" \ | ||
| "http://localhost:${PORT_DEV_PROXY}/login" | ||
| fi | ||
|
|
||
| @@ -348,9 +344,9 @@ responds_with \ | ||
| "Envoy single page app example" \ | ||
| "https://localhost:${PORT_PROXY}" \ | ||
| -k | ||
| -if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then | ||
| +if [[ "$SUPPORT_NONCE" == "true" ]]; then | ||
| responds_with_header \ | ||
| - "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${BASE64URL_PREFIX}" \ | ||
| + "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttps%253A%252F%252Flocalhost%253A${PORT_PROXY}%252Flogin%26nonce%3D" \ | ||
| "https://localhost:${PORT_PROXY}/login" \ | ||
| -k | ||
| responds_with_header \ | ||
| @@ -359,7 +355,7 @@ if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then | ||
| -k | ||
| else | ||
| responds_with_header \ | ||
| - "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttps%253A%252F%252Flocalhost%253A${PORT_PROXY}%252Flogin%26nonce%3D" \ | ||
| + "location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Flogin" \ | ||
| "https://localhost:${PORT_PROXY}/login" \ | ||
| -k | ||
| fi | ||
| diff --git a/single-page-app/xds/lds.yml b/single-page-app/xds/lds.yml | ||
| deleted file mode 100644 | ||
| index e69de29..0000000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters