Fix hurl tests, enable them in gh action and disable SAML hurl tests - broken

Author: dzervas

.github/workflows/test.yaml

@@ -27,11 +27,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
-      - name: Install Rust toolchain
-        uses: actions-rust-lang/setup-rust-toolchain@v1
+      - uses: cachix/install-nix-action@v31
         with:
-          cache: true
+          nix_path: nixpkgs=channel:nixos-unstable
 
       - name: Test
-        run: cargo test --release --all-features
+        run: nix develop --command bash -c "yarn install && yarn test"

flake.nix

@@ -19,6 +19,7 @@
             cargo-criterion
             gnuplot # For benchmarks
             hurl
+            watchexec
 
             yarn
           ];

hurl/authurl.hurl

@@ -28,13 +28,13 @@ header "Location" startsWith "http://localhost:8081/asdf?a=b&magicentry_code=me_
 
 # Make the initial request after returning to the service
 GET http://localhost:8080/auth-url/status
-X-Original-Uri: {{proxy_link}}
+X-Original-Url: {{proxy_link}}
 HTTP 200
 [Captures]
 proxy_session: cookie "magicentry_session_id"
 
 GET http://localhost:8080/auth-url/status
-X-Original-Uri: http://localhost:8080/asdasdasdas
+X-Original-Url: http://localhost:8080/asdasdasdas
 [Cookies]
 magicentry_session_id: {{proxy_session}}
 HTTP 200

hurl/saml.hurl

@@ -18,53 +18,54 @@ Location: /
 [Captures]
 session: cookie "session_id"
 
-GET http://localhost:8080/saml/sso
-[Cookies]
-session_id: {{session}}
-[Query]
-request: example
-HTTP 200
-[Captures]
-authcode: regex "code=(me_oidc_authcode_\\w+)&"
-
-# Test the authorization redirect
-GET http://localhost:8080/saml/sso
-[Options]
-variable: redirect=https://openidconnect.net/callback
-[Query]
-client_id: my_client
-redirect_uri: {{redirect urlEncode}}
-scope: openid
-response_type: code
-HTTP 302
-[Captures]
-login: header "Location"
-
-# Click the "Login" button in the UI that the proxy redirected us to
-POST {{login}}
-[Form]
-email: valid@example.com
-HTTP 200
-
-# Set up a temporary webserver to serve the login link
-# python3 -m http.server -d hurl 8081
-GET http://localhost:8081/.link.txt
-HTTP 200
-[Captures]
-link: body
-
-# Visit the magic link that was sent
-GET {{link}}
-HTTP 302
-[Asserts]
-header "Location" startsWith "/oidc/authorize?"
-[Captures]
-session: cookie "session_id"
-authorize_link: header "Location"
-
-GET http://localhost:8080{{authorize_link}}
-[Cookies]
-session_id: {{session}}
-HTTP 200
-[Asserts]
-body contains "https://openidconnect.net/callback?code=me_oidc_authcode_"
+# TODO: Use a normal XML SAML request (b64 encoded, deflated too?)
+# GET http://localhost:8080/saml/sso
+# [Cookies]
+# session_id: {{session}}
+# [Query]
+# request: example
+# HTTP 200
+# [Captures]
+# authcode: regex "code=(me_oidc_authcode_\\w+)&"
+#
+# # Test the authorization redirect
+# GET http://localhost:8080/saml/sso
+# [Options]
+# variable: redirect=https://openidconnect.net/callback
+# [Query]
+# client_id: my_client
+# redirect_uri: {{redirect urlEncode}}
+# scope: openid
+# response_type: code
+# HTTP 302
+# [Captures]
+# login: header "Location"
+#
+# # Click the "Login" button in the UI that the proxy redirected us to
+# POST {{login}}
+# [Form]
+# email: valid@example.com
+# HTTP 200
+#
+# # Set up a temporary webserver to serve the login link
+# # python3 -m http.server -d hurl 8081
+# GET http://localhost:8081/.link.txt
+# HTTP 200
+# [Captures]
+# link: body
+#
+# # Visit the magic link that was sent
+# GET {{link}}
+# HTTP 302
+# [Asserts]
+# header "Location" startsWith "/oidc/authorize?"
+# [Captures]
+# session: cookie "session_id"
+# authorize_link: header "Location"
+#
+# GET http://localhost:8080{{authorize_link}}
+# [Cookies]
+# session_id: {{session}}
+# HTTP 200
+# [Asserts]
+# body contains "https://openidconnect.net/callback?code=me_oidc_authcode_"

package.json

@@ -5,23 +5,27 @@
   "license": "GPL-3.0-or-later",
   "scripts": {
     "start": "concurrently 'npm:start-web' 'npm:start-e2e'",
+    "build": "webpack build --mode production && tailwindcss --input static/css/main.css --output static/main.build.css --minify",
+
     "test": "cargo test --color always --features kube && concurrently --kill-others 'npm:start-e2e' 'npm:test-e2e'",
-    "test-e2e": "hurl --test --jobs 1 ./hurl",
+    "test-e2e": "until curl -sSf http://localhost:8080 >/dev/null; do sleep 1; done; hurl --test --jobs 1 ./hurl",
     "test-server": "cargo test --color always --features e2e-test",
+
     "start-web": "concurrently 'npm:tailwind-dev' 'npm:webpack-dev'",
     "tailwind-dev": "tailwindcss --input static/css/main.css --output static/main.build.css --watch",
     "webpack-dev": "webpack watch --mode development",
-    "build": "webpack build --mode production && tailwindcss --input static/css/main.css --output static/main.build.css --minify",
+
     "start-e2e": "concurrently 'npm:start-server' 'npm:e2e-server'",
     "start-server": "RUST_LOG_STYLE=always CONFIG_FILE=config.sample.yaml watchexec --debounce 2 --watch ./Cargo.toml --watch ./src --watch ./static --watch ./benches --restart cargo run --color always --features e2e-test",
     "start-test": "RUST_LOG_STYLE=always watchexec --debounce 2 --watch ./Cargo.toml --watch ./src --watch ./static --watch ./benches --restart cargo test --color always --features kube",
     "e2e-server": "http-server hurl -p 8081",
+
     "start-server-docs": "concurrently 'watchexec --debounce 2 --watch ./Cargo.toml --watch ./src cargo doc --color always --lib --features kube' 'browser-sync start --server ./target/doc --startPath magicentry --reload-delay 5000 --watch'"
   },
   "devDependencies": {
     "@tailwindcss/cli": "4",
     "browser-sync": "*",
-    "concurrently": "9",
+    "concurrently": "*",
     "http-server": "*",
     "tailwindcss": "4",
     "webpack": "5",

src/config.rs

@@ -112,15 +112,16 @@ impl Default for ConfigFile {
 			request_data        : Some("to={email}&subject={title} Login&body=Click the link to login: <a href=\"{magic_link}\">Login</a>&type=text/html".to_string()),
 			request_content_type: "application/x-www-form-urlencoded".to_string(),
 
-                        webauthn_enable: true,
+			webauthn_enable: true,
 
-                        // force_https_redirects: true,
+			// force_https_redirects: true,
 
-                        users_file: None,
-                        users: vec![],
-                        services: Services(vec![]),
-                }
+			users_file: None,
+			users: vec![],
+
+			services: Services(vec![]),
         }
+    }
 }
 
 impl ConfigFile {
@@ -152,17 +153,17 @@ impl ConfigFile {
 	/// Note that live-updating the CONFIG_FILE environment variable
 	/// is **NOT** supported
 	pub async fn reload() -> crate::error::Result<()> {
-                let mut config = CONFIG.write().await;
-                log::info!("Reloading config from {}", CONFIG_FILE.as_str());
-                let mut new_config =
-                        serde_yaml::from_str::<ConfigFile>(&std::fs::read_to_string(CONFIG_FILE.as_str())?)?;
-                if let Some(users_file) = &new_config.users_file {
-                        new_config.users =
-                                serde_yaml::from_str::<Vec<User>>(&std::fs::read_to_string(users_file)?)?;
-                }
-                *config = new_config;
-                Ok(())
-        }
+		let mut config = CONFIG.write().await;
+		log::info!("Reloading config from {}", CONFIG_FILE.as_str());
+		let mut new_config =
+		serde_yaml::from_str::<ConfigFile>(&std::fs::read_to_string(CONFIG_FILE.as_str())?)?;
+		if let Some(users_file) = &new_config.users_file {
+			new_config.users =
+				serde_yaml::from_str::<Vec<User>>(&std::fs::read_to_string(users_file)?)?;
+		}
+		*config = new_config;
+		Ok(())
+	}
 
 	/// Set up a file watcher that fires the [reload](ConfigFile::reload) method so
 	/// that config file changes get automatically picked up
@@ -180,24 +181,24 @@ impl ConfigFile {
 				}
 			})
 		}, watcher_config)
-		.expect("Failed to create watcher for the config file");
-
-                watcher
-                        .watch(Path::new(CONFIG_FILE.as_str()), notify::RecursiveMode::NonRecursive)
-                        .expect("Failed to watch config file for changes");
-
-                if let Some(users_file) = CONFIG
-                        .try_read()
-                        .ok()
-                        .and_then(|c| c.users_file.clone())
-                {
-                        watcher
-                                .watch(Path::new(&users_file), notify::RecursiveMode::NonRecursive)
-                                .expect("Failed to watch users file for changes");
-                }
-
-                watcher
-        }
+			.expect("Failed to create watcher for the config file");
+
+		watcher
+			.watch(Path::new(CONFIG_FILE.as_str()), notify::RecursiveMode::NonRecursive)
+			.expect("Failed to watch config file for changes");
+
+		if let Some(users_file) = CONFIG
+			.try_read()
+			.ok()
+			.and_then(|c| c.users_file.clone())
+		{
+			watcher
+				.watch(Path::new(&users_file), notify::RecursiveMode::NonRecursive)
+				.expect("Failed to watch users file for changes");
+		}
+
+		watcher
+	}
 
 	/// Read the SAML certificate from the [saml_cert_pem_path](ConfigFile::saml_cert_pem_path)
 	/// filepath
@@ -214,14 +215,14 @@ impl ConfigFile {
 	/// filepath
 	pub fn get_saml_key(&self) -> Result<String, std::io::Error> {
 		let data = std::fs::read_to_string(&self.saml_key_pem_path)?;
-                Ok(data
-                        .lines()
-                        .filter(|line| {
-                                !line.contains("BEGIN PRIVATE KEY") && !line.contains("END PRIVATE KEY")
-                        })
-                        .collect::<String>()
-                        .replace("\n", ""))
-        }
+		Ok(data
+			.lines()
+			.filter(|line| {
+				!line.contains("BEGIN PRIVATE KEY") && !line.contains("END PRIVATE KEY")
+			})
+			.collect::<String>()
+			.replace("\n", ""))
+	}
 }
 
 /// Basic key-value store database schema for some minor config values,

src/error.rs

@@ -43,7 +43,7 @@ pub enum AppErrorKind {
 	// Proxy (auth-url) errors
 	#[display("Missing auth_url code in (query string or cookie)")]
 	MissingAuthURLCode,
-	#[display("Could not parse X-Original-URI header (it is set but not valid)")]
+	#[display("Could not parse X-Original-URL header (it is set but not valid)")]
 	CouldNotParseXOriginalURIHeader,
 	#[display("The provided return destination URL (`rd` query parameter) doesn't have a an origin that is allowed in the config")]
 	InvalidReturnDestinationUrl,

yarn.lock

@@ -806,7 +806,7 @@ concat-map@0.0.1:
   resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
   integrity sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==
 
-concurrently@9:
+concurrently@*:
   version "9.2.0"
   resolved "https://registry.yarnpkg.com/concurrently/-/concurrently-9.2.0.tgz#233e3892ceb0b5db9fd49e9c8c739737a7b638b5"
   integrity sha512-IsB/fiXTupmagMW4MNp2lx2cdSN2FfZq78vF90LBB+zZHArbIQZjQtzXCiXnvTxCZSvXanTqFLWBjw2UkLx1SQ==