TT-1322-Fix SAML vuln and broken tests

api.go

@@ -8,9 +8,9 @@ import (
 	"io/ioutil"
 	"net/http"
 
-	"github.com/sirupsen/logrus"
 	"github.com/TykTechnologies/tyk-identity-broker/tap"
 	"github.com/gorilla/mux"
+	"github.com/sirupsen/logrus"
 )
 
 var APILogTag string = "API"
@@ -91,7 +91,7 @@ func HandleGetProfile(w http.ResponseWriter, r *http.Request) {
 	key := mux.Vars(r)["id"]
 	thisProfile := tap.Profile{}
 
-	keyErr := AuthConfigStore.GetKey(key,thisProfile.OrgID, &thisProfile)
+	keyErr := AuthConfigStore.GetKey(key, thisProfile.OrgID, &thisProfile)
 	if keyErr != nil {
 		HandleAPIError(APILogTag, "Profile not found", keyErr, 404, w, r)
 		return
@@ -121,9 +121,9 @@ func HandleAddProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	httpErr := tap.AddProfile(thisProfile,AuthConfigStore, GlobalDataLoader.Flush)
+	httpErr := tap.AddProfile(thisProfile, AuthConfigStore, GlobalDataLoader.Flush)
 	if httpErr != nil {
-		HandleAPIError(APILogTag,httpErr.Message, httpErr.Error, httpErr.Code, w, r)
+		HandleAPIError(APILogTag, httpErr.Message, httpErr.Error, httpErr.Code, w, r)
 		return
 	}
 
@@ -148,7 +148,7 @@ func HandleUpdateProfile(w http.ResponseWriter, r *http.Request) {
 
 	updateErr := tap.UpdateProfile(key, thisProfile, AuthConfigStore, GlobalDataLoader.Flush)
 	if updateErr != nil {
-		HandleAPIError(APILogTag,updateErr.Message,updateErr.Error, updateErr.Code,w,r)
+		HandleAPIError(APILogTag, updateErr.Message, updateErr.Error, updateErr.Code, w, r)
 		return
 	}
 
@@ -157,12 +157,12 @@ func HandleUpdateProfile(w http.ResponseWriter, r *http.Request) {
 
 func HandleDeleteProfile(w http.ResponseWriter, r *http.Request) {
 	key := mux.Vars(r)["id"]
-	err := tap.DeleteProfile(key,"",AuthConfigStore, GlobalDataLoader.Flush)
+	err := tap.DeleteProfile(key, "", AuthConfigStore, GlobalDataLoader.Flush)
 	if err != nil {
 		HandleAPIError(APILogTag, err.Message, err.Error, err.Code, w, r)
 		return
 	}
 
 	data := make(map[string]string)
 	HandleAPIOK(data, key, 200, w, r)
-}
+}

configuration/config.go

@@ -4,12 +4,12 @@ import (
 	"encoding/json"
 	"io/ioutil"
 
+	"github.com/kelseyhightower/envconfig"
+	"github.com/sirupsen/logrus"
+
 	logger "github.com/TykTechnologies/tyk-identity-broker/log"
 	"github.com/TykTechnologies/tyk-identity-broker/tothic"
-
 	tyk "github.com/TykTechnologies/tyk-identity-broker/tyk-api"
-	"github.com/kelseyhightower/envconfig"
-	"github.com/sirupsen/logrus"
 )
 
 var failCount int
@@ -82,9 +82,8 @@ type Configuration struct {
 	Storage               *Storage
 }
 
-//LoadConfig will load the config from a file
+// LoadConfig will load the config from a file
 func LoadConfig(filePath string, conf *Configuration) {
-
 	log = logger.Get()
 	mainLogger = &logrus.Entry{Logger: log}
 	mainLogger = mainLogger.Logger.WithField("prefix", mainLoggerTag)

configuration/config_test.go

@@ -3,20 +3,23 @@ package configuration
 import (
 	"fmt"
 	"os"
-	"reflect"
 	"strconv"
 	"testing"
+
+	"github.com/matryer/is"
 )
 
 func TestOverrideConfigWithEnvVars(t *testing.T) {
+	is := is.New(t)
+
 	secret := "SECRET"
 	port := 1234
 	profileDir := "PROFILEDIR"
 
-	_ = os.Setenv("TYK_IB_SECRET", secret)
-	_ = os.Setenv("TYK_IB_PORT", strconv.Itoa(port))
-	_ = os.Setenv("TYK_IB_PROFILEDIR", profileDir)
-	_ = os.Setenv("TYK_IB_SSLINSECURESKIPVERIFY", "true")
+	is.NoErr(os.Setenv("TYK_IB_SECRET", secret))
+	is.NoErr(os.Setenv("TYK_IB_PORT", strconv.Itoa(port)))
+	is.NoErr(os.Setenv("TYK_IB_PROFILEDIR", profileDir))
+	is.NoErr(os.Setenv("TYK_IB_SSLINSECURESKIPVERIFY", "true"))
 
 	// Backend
 	maxIdle := 1020
@@ -34,67 +37,60 @@ func TestOverrideConfigWithEnvVars(t *testing.T) {
 		}
 		hostsStr += fmt.Sprintf("%s:%s", key, value)
 	}
-	_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXIDLE", strconv.Itoa(maxIdle))
-	_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXACTIVE", strconv.Itoa(maxActive))
-	_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_DATABASE", strconv.Itoa(database))
-	_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_PASSWORD", password)
-	_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_ENABLECLUSTER", "true")
-	_ = os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_HOSTS", hostsStr)
+	is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXIDLE", strconv.Itoa(maxIdle)))
+	is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_MAXACTIVE", strconv.Itoa(maxActive)))
+	is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_DATABASE", strconv.Itoa(database)))
+	is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_PASSWORD", password))
+	is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_ENABLECLUSTER", "true"))
+	is.NoErr(os.Setenv("TYK_IB_BACKEND_IDENTITYBACKENDSETTINGS_HOSTS", hostsStr))
 
 	// TykAPISettings.GatewayConfig
 	gwEndpoint := "http://dummyhost"
 	gwPort := "7890"
 	gwAdminSecret := "76543"
-	_ = os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ENDPOINT", gwEndpoint)
-	_ = os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_PORT", gwPort)
-	_ = os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ADMINSECRET", gwAdminSecret)
+	is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ENDPOINT", gwEndpoint))
+	is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_PORT", gwPort))
+	is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_GATEWAYCONFIG_ADMINSECRET", gwAdminSecret))
 
 	// TykAPISettings.DashboardConfig
 	dbEndpoint := "http://dummyhost2"
 	dbPort := "9876"
 	dbAdminSecret := "87654"
-	_ = os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ENDPOINT", dbEndpoint)
-	_ = os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_PORT", dbPort)
-	_ = os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ADMINSECRET", dbAdminSecret)
+	is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ENDPOINT", dbEndpoint))
+	is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_PORT", dbPort))
+	is.NoErr(os.Setenv("TYK_IB_TYKAPISETTINGS_DASHBOARDCONFIG_ADMINSECRET", dbAdminSecret))
 
 	// HttpServerOptions
 	certFile := "./certs/server.pem"
 	keyFile := "./certs/key.pem"
-	_ = os.Setenv("TYK_IB_HTTPSERVEROPTIONS_USESSL", "true")
-	_ = os.Setenv("TYK_IB_HTTPSERVEROPTIONS_CERTFILE", certFile)
-	_ = os.Setenv("TYK_IB_HTTPSERVEROPTIONS_KEYFILE", keyFile)
+	is.NoErr(os.Setenv("TYK_IB_HTTPSERVEROPTIONS_USESSL", "true"))
+	is.NoErr(os.Setenv("TYK_IB_HTTPSERVEROPTIONS_CERTFILE", certFile))
+	is.NoErr(os.Setenv("TYK_IB_HTTPSERVEROPTIONS_KEYFILE", keyFile))
 
 	// Assertions
 	var conf Configuration
-	loadConfig("tib_sample.conf", &conf)
-
-	assert(t, secret, conf.Secret)
-	assert(t, port, conf.Port)
-	assert(t, profileDir, conf.ProfileDir)
-	assert(t, true, conf.SSLInsecureSkipVerify)
+	LoadConfig("testdata/tib_test.conf", &conf)
 
-	assert(t, maxIdle, conf.BackEnd.IdentityBackendSettings.MaxIdle)
-	assert(t, maxActive, conf.BackEnd.IdentityBackendSettings.MaxActive)
-	assert(t, database, conf.BackEnd.IdentityBackendSettings.Database)
-	assert(t, password, conf.BackEnd.IdentityBackendSettings.Password)
-	assert(t, true, conf.BackEnd.IdentityBackendSettings.EnableCluster)
-	assert(t, hosts, conf.BackEnd.IdentityBackendSettings.Hosts)
+	is.Equal(secret, conf.Secret)
+	is.Equal(port, conf.Port)
+	is.Equal(profileDir, conf.ProfileDir)
+	is.Equal(true, conf.SSLInsecureSkipVerify)
 
-	assert(t, gwEndpoint, conf.TykAPISettings.GatewayConfig.Endpoint)
-	assert(t, gwPort, conf.TykAPISettings.GatewayConfig.Port)
-	assert(t, gwAdminSecret, conf.TykAPISettings.GatewayConfig.AdminSecret)
-	assert(t, dbEndpoint, conf.TykAPISettings.DashboardConfig.Endpoint)
-	assert(t, dbPort, conf.TykAPISettings.DashboardConfig.Port)
-	assert(t, dbAdminSecret, conf.TykAPISettings.DashboardConfig.AdminSecret)
+	is.Equal(maxIdle, conf.BackEnd.IdentityBackendSettings.MaxIdle)
+	is.Equal(maxActive, conf.BackEnd.IdentityBackendSettings.MaxActive)
+	is.Equal(database, conf.BackEnd.IdentityBackendSettings.Database)
+	is.Equal(password, conf.BackEnd.IdentityBackendSettings.Password)
+	is.Equal(true, conf.BackEnd.IdentityBackendSettings.EnableCluster)
+	is.Equal(hosts, conf.BackEnd.IdentityBackendSettings.Hosts)
 
-	assert(t, true, conf.HttpServerOptions.UseSSL)
-	assert(t, certFile, conf.HttpServerOptions.CertFile)
-	assert(t, keyFile, conf.HttpServerOptions.KeyFile)
+	is.Equal(gwEndpoint, conf.TykAPISettings.GatewayConfig.Endpoint)
+	is.Equal(gwPort, conf.TykAPISettings.GatewayConfig.Port)
+	is.Equal(gwAdminSecret, conf.TykAPISettings.GatewayConfig.AdminSecret)
+	is.Equal(dbEndpoint, conf.TykAPISettings.DashboardConfig.Endpoint)
+	is.Equal(dbPort, conf.TykAPISettings.DashboardConfig.Port)
+	is.Equal(dbAdminSecret, conf.TykAPISettings.DashboardConfig.AdminSecret)
 
-}
-
-func assert(t *testing.T, expected interface{}, actual interface{}) {
-	if !reflect.DeepEqual(expected, actual) {
-		t.Errorf("Expected %v, actual %v", expected, actual)
-	}
+	is.Equal(true, conf.HttpServerOptions.UseSSL)
+	is.Equal(certFile, conf.HttpServerOptions.CertFile)
+	is.Equal(keyFile, conf.HttpServerOptions.KeyFile)
 }

configuration/testdata/tib_test.conf

@@ -0,0 +1,34 @@
+{
+  "BackEnd": {
+    "IdentityBackendSettings": {
+      "Database": 0,
+      "EnableCluster": false,
+      "Hosts": {
+        "localhost": "6379"
+      },
+      "MaxActive": 2000,
+      "MaxIdle": 1000,
+      "Password": ""
+    },
+    "Name": "in_memory",
+    "ProfileBackendSettings": {}
+  },
+  "HttpServerOptions": {
+    "CertFile": "./certs/server.pem",
+    "KeyFile": "./certs/server.key",
+    "UseSSL": false
+  },
+  "Secret": "test-secret",
+  "TykAPISettings": {
+    "DashboardConfig": {
+      "AdminSecret": "12345",
+      "Endpoint": "http://localhost",
+      "Port": "3000"
+    },
+    "GatewayConfig": {
+      "AdminSecret": "54321",
+      "Endpoint": "http://localhost",
+      "Port": "80"
+    }
+  }
+}

data_loader/data-loader.go → data_loader/data_loader.go

@@ -1,11 +1,12 @@
 package data_loader
 
 import (
+	"github.com/sirupsen/logrus"
+	"gopkg.in/mgo.v2"
+
 	"github.com/TykTechnologies/tyk-identity-broker/configuration"
 	logger "github.com/TykTechnologies/tyk-identity-broker/log"
 	"github.com/TykTechnologies/tyk-identity-broker/tap"
-	"github.com/sirupsen/logrus"
-	"gopkg.in/mgo.v2"
 )
 
 var log = logger.Get()
@@ -19,13 +20,13 @@ type DataLoader interface {
 	Flush(tap.AuthRegisterBackend) error
 }
 
-func reloadDataLoaderLogger(){
+func reloadDataLoaderLogger() {
 	log = logger.Get()
-	dataLogger = &logrus.Entry{Logger:log}
+	dataLogger = &logrus.Entry{Logger: log}
 	dataLogger = dataLogger.Logger.WithField("prefix", dataLoaderLoggerTag)
 }
 
-func CreateMongoLoaderFromConnection(db *mgo.Database)DataLoader{
+func CreateMongoLoaderFromConnection(db *mgo.Database) DataLoader {
 	var dataLoader DataLoader
 
 	reloadDataLoaderLogger()

data_loader/data_loader_test.go

@@ -1,29 +1,30 @@
-package data_loader
+// +build test_mongo
+
+package data_loader_test
 
 import (
-	"github.com/TykTechnologies/tyk-identity-broker/configuration"
-	"reflect"
 	"testing"
-)
 
-func TestCreateDataMongoLoader(t *testing.T){
+	"github.com/TykTechnologies/tyk-identity-broker/configuration"
+	"github.com/TykTechnologies/tyk-identity-broker/data_loader"
+)
 
+func TestCreateDataMongoLoader(t *testing.T) {
 	conf := configuration.Configuration{
-		Storage:               &configuration.Storage{
-			StorageType:       configuration.MONGO,
-			MongoConf:         &configuration.MongoConf{
-				MongoURL:                   "mongodb://tyk-mongo:27017/tyk_tib",
+		Storage: &configuration.Storage{
+			StorageType: configuration.MONGO,
+			MongoConf: &configuration.MongoConf{
+				MongoURL: "mongodb://tyk-mongo:27017/tyk_tib",
 			},
 		},
 	}
-	dataLoader, err := CreateDataLoader(conf, nil)
 
+	dataLoader, err := data_loader.CreateDataLoader(conf, nil)
 	if err != nil {
-		t.Error("creating mongo data loader: "+err.Error())
+		t.Fatalf("creating Mongo data loader: %v", err)
 	}
 
-	loaderType := reflect.TypeOf(dataLoader)
-	if loaderType.String() != "*data_loader.MongoLoader"{
-		t.Error("type of data loader is not correct. Expected *data_loader.MongoLoader but get:"+loaderType.String())
+	if _, ok := dataLoader.(*data_loader.MongoLoader); !ok {
+		t.Fatalf("type of data loader is not correct; expected '*data_loader.MongoLoader' but got '%T'", dataLoader)
 	}
 }

data_loader/file-loader.go → data_loader/file_loader.go

@@ -2,9 +2,9 @@ package data_loader
 
 import (
 	"encoding/json"
-	"github.com/sirupsen/logrus"
 	"github.com/TykTechnologies/tyk-identity-broker/configuration"
 	"github.com/TykTechnologies/tyk-identity-broker/tap"
+	"github.com/sirupsen/logrus"
 	"io/ioutil"
 	"path"
 	"strconv"
@@ -43,7 +43,7 @@ func (f *FileLoader) LoadIntoStore(store tap.AuthRegisterBackend) error {
 
 	var loaded int
 	for _, profile := range profiles {
-		inputErr := store.SetKey(profile.ID,profile.OrgID, profile)
+		inputErr := store.SetKey(profile.ID, profile.OrgID, profile)
 		if inputErr != nil {
 			dataLogger.WithField("error", inputErr).Error("Couldn't encode configuration")
 		} else {