Expect custom content type on API responses

fe53d260 · Jacob Vosmaer · cdcabf45 · fe53d260 · fe53d260 · fe53d260
Commit fe53d260 authored Aug 19, 2016 by Jacob Vosmaer
4 changed files
--- a/authorization_test.go
+++ b/authorization_test.go
@@ -18,10 +18,11 @@ func okHandler(w http.ResponseWriter, _ *http.Request, _ *api.Response) {
 	fmt.Fprint(w, "{\"status\":\"ok\"}")
 }

-func runPreAuthorizeHandler(t *testing.T, suffix string, url *regexp.Regexp, apiResponse interface{}, returnCode, expectedCode int) *httptest.ResponseRecorder {
-	// Prepare test server and backend
-	ts := testAuthServer(url, returnCode, apiResponse)
-	defer ts.Close()
+func runPreAuthorizeHandler(t *testing.T, ts *httptest.Server, suffix string, url *regexp.Regexp, apiResponse interface{}, returnCode, expectedCode int) *httptest.ResponseRecorder {
+	if ts == nil {
+		ts = testAuthServer(url, returnCode, apiResponse)
+		defer ts.Close()
+	}

 	// Create http request
 	httpRequest, err := http.NewRequest("GET", "/address", nil)
@@ -39,7 +40,7 @@ func runPreAuthorizeHandler(t *testing.T, suffix string, url *regexp.Regexp, api

 func TestPreAuthorizeHappyPath(t *testing.T) {
 	runPreAuthorizeHandler(
-		t, "/authorize",
+		t, nil, "/authorize",
 		regexp.MustCompile(`/authorize\z`),
 		&api.Response{},
 		200, 201)
@@ -47,7 +48,7 @@ func TestPreAuthorizeHappyPath(t *testing.T) {

 func TestPreAuthorizeSuffix(t *testing.T) {
 	runPreAuthorizeHandler(
-		t, "/different-authorize",
+		t, nil, "/different-authorize",
 		regexp.MustCompile(`/authorize\z`),
 		&api.Response{},
 		200, 404)
@@ -55,8 +56,23 @@ func TestPreAuthorizeSuffix(t *testing.T) {

 func TestPreAuthorizeJsonFailure(t *testing.T) {
 	runPreAuthorizeHandler(
-		t, "/authorize",
+		t, nil, "/authorize",
 		regexp.MustCompile(`/authorize\z`),
 		"not-json",
 		200, 500)
 }
+
+func TestPreAuthorizeContentTypeFailure(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if _, err := w.Write([]byte(`{"hello":"world"}`)); err != nil {
+			t.Fatalf("write auth response: %v", err)
+		}
+	}))
+	defer ts.Close()
+
+	runPreAuthorizeHandler(
+		t, ts, "/authorize",
+		regexp.MustCompile(`/authorize\z`),
+		"",
+		200, 500)
+}
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -13,6 +13,9 @@ import (
 	"gitlab.com/gitlab-org/gitlab-workhorse/internal/helper"
 )

+// Custom content type for API responses, to catch routing / programming mistakes
+const ResponseContentType = "application/vnd.gitlab-workhorse+json"
+
 type API struct {
 	Client  *http.Client
 	URL     *url.URL
@@ -138,11 +141,6 @@ func (api *API) PreAuthorizeHandler(h HandleFunc, suffix string) http.Handler {
 		defer authResponse.Body.Close()

 		if authResponse.StatusCode != 200 {
-			// The Git request is not allowed by the backend. Maybe the
-			// client needs to send HTTP Basic credentials.  Forward the
-			// response from the auth backend to our client. This includes
-			// the 'WWW-Authenticate' header that acts as a hint that
-			// Basic auth credentials are needed.
 			for k, v := range authResponse.Header {
 				// Accomodate broken clients that do case-sensitive header lookup
 				if k == "Www-Authenticate" {
@@ -156,6 +154,11 @@ func (api *API) PreAuthorizeHandler(h HandleFunc, suffix string) http.Handler {
 			return
 		}

+		if contentType := authResponse.Header.Get("Content-Type"); contentType != ResponseContentType {
+			helper.Fail500(w, fmt.Errorf("preAuthorizeHandler: API responded with wrong content type: %v", contentType))
+			return
+		}
+
 		a := &Response{}
 		// The auth backend validated the client request and told us additional
 		// request metadata. We must extract this information from the auth

--- a/internal/artifacts/artifacts_upload_test.go
+++ b/internal/artifacts/artifacts_upload_test.go
@@ -29,7 +29,7 @@ func testArtifactsUploadServer(t *testing.T, tempPath string) *httptest.Server {
 			t.Fatal("Expected POST request")
 		}

-		w.Header().Set("Content-Type", "application/json")
+		w.Header().Set("Content-Type", api.ResponseContentType)

 		data, err := json.Marshal(&api.Response{
 			TempPath: tempPath,

--- a/main_test.go
+++ b/main_test.go
@@ -537,6 +537,7 @@ func TestArtifactsUpload(t *testing.T) {

 	ts := testhelper.TestServerWithHandler(regexp.MustCompile(`.`), func(w http.ResponseWriter, r *http.Request) {
 		if strings.HasSuffix(r.URL.Path, "/authorize") {
+			w.Header().Set("Content-Type", api.ResponseContentType)
 			if _, err := fmt.Fprintf(w, `{"TempPath":"%s"}`, scratchDir); err != nil {
 				t.Fatal(err)
 			}
@@ -775,6 +776,8 @@ func newBranch() string {

 func testAuthServer(url *regexp.Regexp, code int, body interface{}) *httptest.Server {
 	return testhelper.TestServerWithHandler(url, func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", api.ResponseContentType)
+
 		// Write pure string
 		if data, ok := body.(string); ok {
 			log.Println("UPSTREAM", r.Method, r.URL, code)