jkroepke · jkroepke · Nov 12, 2024 · Nov 12, 2024 · Nov 12, 2024 · Nov 12, 2024
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -3,7 +3,7 @@ name: CI
 env:
   PACKAGES: openvpn crossbuild-essential-arm64 libssl-dev:arm64
   # renovate: github=golangci/golangci-lint
-  GO_LINT_CI_VERSION: v1.61.0
+  GO_LINT_CI_VERSION: v1.62.0
   # renovate: github=goreleaser/goreleaser
   GORELEASER_VERSION: v2.4.4
 

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -3,13 +3,12 @@ linters:
   disable:
     - depguard
     - exhaustruct
-    - gomnd
     - funlen
     - ireturn
     - err113
-    - execinquery
     - mnd
     - exportloopref
+    - recvcheck # https://github.com/raeperd/recvcheck/issues/7
 
 issues:
   exclude-rules:

diff --git a/cmd/daemon/full_test.go b/cmd/daemon/full_test.go
@@ -59,7 +59,7 @@ func TestFull(t *testing.T) {
 			resourceServer, _, clientCredentials, err := testutils.SetupResourceServer(t, httpListener)
 			require.NoError(t, err)
 
-			buf := new(testutils.Buffer)
+			buf := new(testutils.SyncBuffer)
 
 			jar, err := cookiejar.New(nil)
 			require.NoError(t, err)

diff --git a/cmd/daemon/root_test.go b/cmd/daemon/root_test.go
@@ -1,8 +1,6 @@
 package daemon_test
 
 import (
-	"bytes"
-	"io"
 	"testing"
 
 	"github.com/jkroepke/openvpn-auth-oauth2/cmd/daemon"
@@ -15,27 +13,21 @@ import (
 func TestExecuteVersion(t *testing.T) {
 	t.Parallel()
 
-	var buf bytes.Buffer
+	logger := testutils.NewTestLogger()
+	returnCode := daemon.Execute([]string{"", "--version"}, logger, "version", "commit", "date")
+	output := logger.String()
 
-	buf.Grow(16 << 20) // pre-allocate buffer to avoid race conditions. (grow vs string)
-	_ = io.Writer(&buf)
-
-	returnCode := daemon.Execute([]string{"", "--version"}, &buf, "version", "commit", "date")
-	assert.Equal(t, 0, returnCode, buf.String())
+	assert.Equal(t, 0, returnCode, output)
 }
 
 func TestExecuteHelp(t *testing.T) {
 	t.Parallel()
 
-	var buf bytes.Buffer
-
-	buf.Grow(16 << 20) // pre-allocate buffer to avoid race conditions. (grow vs string)
-	_ = io.Writer(&buf)
-
-	returnCode := daemon.Execute([]string{"openvpn-auth-oauth2-test", "--help"}, &buf, "version", "commit", "date")
-	output := buf.String()
+	logger := testutils.NewTestLogger()
+	returnCode := daemon.Execute([]string{"openvpn-auth-oauth2-test", "--help"}, logger, "version", "commit", "date")
+	output := logger.String()
 
-	assert.Equal(t, 0, returnCode, buf.String())
+	assert.Equal(t, 0, returnCode, output)
 	assert.Contains(t, output, "Usage of openvpn-auth-oauth2-test")
 	assert.Contains(t, output, "--version")
 }
@@ -96,22 +88,19 @@ func TestExecuteConfigInvalid(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			var buf bytes.Buffer
-
-			buf.Grow(16 << 20) // pre-allocate buffer to avoid race conditions. (grow vs string)
-			_ = io.Writer(&buf)
-
 			managementInterface, err := nettest.NewLocalListener("tcp")
 			require.NoError(t, err)
 
 			t.Cleanup(func() {
 				assert.NoError(t, managementInterface.Close())
 			})
 
-			returnCode := daemon.Execute(append(tt.args, "--openvpn.addr=tcp://"+managementInterface.Addr().String()), &buf, "version", "commit", "date")
+			logger := testutils.NewTestLogger()
+			returnCode := daemon.Execute(append(tt.args, "--openvpn.addr=tcp://"+managementInterface.Addr().String()), logger, "version", "commit", "date")
+			output := logger.String()
 
-			assert.Equal(t, 1, returnCode, buf.String())
-			assert.Contains(t, buf.String(), tt.err, buf.String())
+			assert.Equal(t, 1, returnCode, output)
+			assert.Contains(t, output, tt.err, output)
 		})
 	}
 }
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/madflojo/testcerts v1.3.0
 	github.com/stretchr/testify v1.9.0
 	github.com/zitadel/logging v0.6.1
-	github.com/zitadel/oidc/v3 v3.32.1
+	github.com/zitadel/oidc/v3 v3.33.0
 	golang.org/x/net v0.31.0
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/text v0.20.0

diff --git a/go.sum b/go.sum
@@ -70,8 +70,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/zitadel/logging v0.6.1 h1:Vyzk1rl9Kq9RCevcpX6ujUaTYFX43aa4LkvV1TvUk+Y=
 github.com/zitadel/logging v0.6.1/go.mod h1:Y4CyAXHpl3Mig6JOszcV5Rqqsojj+3n7y2F591Mp/ow=
-github.com/zitadel/oidc/v3 v3.32.1 h1:uE7IgQq4yJfQPXaIbvkOjOaIyb10OF1QtG1COUB/efE=
-github.com/zitadel/oidc/v3 v3.32.1/go.mod h1:DyE/XClysRK/ozFaZSqlYamKVnTh4l6Ln25ihSNI03w=
+github.com/zitadel/oidc/v3 v3.33.0 h1:jAWjymx780VCSr1PpLIjGWzlfr/rB3GJEgN/UTRIk64=
+github.com/zitadel/oidc/v3 v3.33.0/go.mod h1:zkoZ1Oq6CweX3BaLrftLEGCs6YK6zDpjjVGZrP10AWU=
 github.com/zitadel/schema v1.3.0 h1:kQ9W9tvIwZICCKWcMvCEweXET1OcOyGEuFbHs4o5kg0=
 github.com/zitadel/schema v1.3.0/go.mod h1:NptN6mkBDFvERUCvZHlvWmmME+gmZ44xzwRXwhzsbtc=
 go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=

diff --git a/internal/oauth2/refresh_test.go b/internal/oauth2/refresh_test.go
@@ -33,14 +33,16 @@ func TestRefreshReAuth(t *testing.T) {
 	var refreshToken string
 
 	for _, tt := range []struct {
-		name             string
-		clientCommonName string
-		conf             config.Config
-		rt               http.RoundTripper
+		name                     string
+		clientCommonName         string
+		nonInteractiveShouldWork bool
+		conf                     config.Config
+		rt                       http.RoundTripper
 	}{
 		{
-			name:             "Refresh",
-			clientCommonName: "test",
+			name:                     "Refresh",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: true,
 			conf: func() config.Config {
 				conf := config.Defaults
 				conf.OAuth2.Refresh.Enabled = true
@@ -52,8 +54,9 @@ func TestRefreshReAuth(t *testing.T) {
 			rt: http.DefaultTransport,
 		},
 		{
-			name:             "Refresh with empty common name",
-			clientCommonName: "",
+			name:                     "Refresh with empty common name",
+			clientCommonName:         "",
+			nonInteractiveShouldWork: true,
 			conf: func() config.Config {
 				conf := config.Defaults
 				conf.OpenVpn.AuthTokenUser = true
@@ -66,8 +69,9 @@ func TestRefreshReAuth(t *testing.T) {
 			rt: http.DefaultTransport,
 		},
 		{
-			name:             "Refresh with ValidateUser=false",
-			clientCommonName: "test",
+			name:                     "Refresh with ValidateUser=false",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: true,
 			conf: func() config.Config {
 				conf := config.Defaults
 				conf.OAuth2.Refresh.Enabled = true
@@ -79,8 +83,9 @@ func TestRefreshReAuth(t *testing.T) {
 			rt: http.DefaultTransport,
 		},
 		{
-			name:             "Refresh with SessionID=true + ValidateUser=false",
-			clientCommonName: "test",
+			name:                     "Refresh with SessionID=true + ValidateUser=false",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: true,
 			conf: func() config.Config {
 				conf := config.Defaults
 				conf.OpenVpn.AuthTokenUser = false
@@ -93,8 +98,9 @@ func TestRefreshReAuth(t *testing.T) {
 			rt: http.DefaultTransport,
 		},
 		{
-			name:             "Refresh with provider=google",
-			clientCommonName: "test",
+			name:                     "Refresh with provider=google",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: true,
 			conf: func() config.Config {
 				conf := config.Defaults
 				conf.OpenVpn.AuthTokenUser = false
@@ -109,8 +115,9 @@ func TestRefreshReAuth(t *testing.T) {
 			rt: http.DefaultTransport,
 		},
 		{
-			name:             "Refresh with provider=github",
-			clientCommonName: "test",
+			name:                     "Refresh with provider=github",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: true,
 			conf: func() config.Config {
 				conf := config.Defaults
 				conf.OpenVpn.AuthTokenUser = false
@@ -124,8 +131,46 @@ func TestRefreshReAuth(t *testing.T) {
 			rt: http.DefaultTransport,
 		},
 		{
-			name:             "Refresh without returning refresh token",
-			clientCommonName: "test",
+			name:                     "Refresh with failed non-interactive authentication",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: false,
+			conf: func() config.Config {
+				conf := config.Defaults
+				conf.OpenVpn.AuthTokenUser = false
+				conf.OAuth2.Provider = generic.Name
+				conf.OAuth2.Refresh.Enabled = true
+				conf.OAuth2.Refresh.ValidateUser = true
+				conf.OAuth2.Refresh.UseSessionID = false
+
+				return conf
+			}(),
+			rt: testutils.NewRoundTripperFunc(http.DefaultTransport, func(rt http.RoundTripper, req *http.Request) (*http.Response, error) {
+				if req.URL.Path != "/oauth/token" {
+					return rt.RoundTrip(req)
+				}
+
+				requestBody, err := io.ReadAll(req.Body)
+				if err != nil {
+					return nil, err
+				}
+
+				// Initial request should work
+				if strings.Contains(string(requestBody), `&code=`) {
+					req.Body = io.NopCloser(bytes.NewReader(requestBody))
+
+					return rt.RoundTrip(req)
+				}
+
+				res := httptest.NewRecorder()
+				res.WriteHeader(http.StatusInternalServerError)
+
+				return res.Result(), nil
+			}),
+		},
+		{
+			name:                     "Refresh without returning refresh token",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: true,
 			conf: func() config.Config {
 				conf := config.Defaults
 				conf.OpenVpn.AuthTokenUser = false
@@ -272,6 +317,17 @@ func TestRefreshReAuth(t *testing.T) {
 				tt.clientCommonName,
 			)
 
+			if !tt.nonInteractiveShouldWork {
+				auth := testutils.ReadLine(t, managementInterfaceConn, reader)
+				assert.Contains(t, auth, "client-pending-auth 1 3 \"WEB_AUTH::")
+				testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: %s command succeeded", strings.SplitN(auth, " ", 2)[0])
+
+				openVPNClient.Shutdown()
+				wg.Wait()
+
+				return
+			}
+
 			if tt.conf.OpenVpn.AuthTokenUser {
 				testutils.ExpectMessage(t, managementInterfaceConn, reader, "client-auth 1 3")
 

diff --git a/internal/utils/testutils/logger.go b/internal/utils/testutils/logger.go
@@ -8,30 +8,31 @@ import (
 
 type Logger struct {
 	*slog.Logger
-	*Buffer
+	*SyncBuffer
 }
 
 func NewTestLogger() *Logger {
-	buffer := new(Buffer)
+	syncBuffer := new(SyncBuffer)
+	syncBuffer.buffer.Grow(16 << 20)
 
 	return &Logger{
-		slog.New(slog.NewTextHandler(buffer, nil)),
-		buffer,
+		slog.New(slog.NewTextHandler(syncBuffer, nil)),
+		syncBuffer,
 	}
 }
 
 func (l Logger) GetLogs() string {
-	return l.Buffer.String()
+	return l.SyncBuffer.String()
 }
 
-type Buffer struct {
+type SyncBuffer struct {
 	buffer bytes.Buffer
 	mutex  sync.Mutex
 }
 
 // Write appends the contents of p to the buffer, growing the buffer as needed.
 // It returns the number of bytes written.
-func (s *Buffer) Write(p []byte) (int, error) {
+func (s *SyncBuffer) Write(p []byte) (int, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
@@ -40,8 +41,8 @@ func (s *Buffer) Write(p []byte) (int, error) {
 
 // String returns the contents of the unread portion of the buffer
 // as a string.
-// If the Buffer is a nil pointer, it returns "<nil>".
-func (s *Buffer) String() string {
+// If the SyncBuffer is a nil pointer, it returns "<nil>".
+func (s *SyncBuffer) String() string {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 

diff --git a/pkg/plugin/go.mod b/pkg/plugin/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/zitadel/logging v0.6.1 // indirect
-	github.com/zitadel/oidc/v3 v3.32.1 // indirect
+	github.com/zitadel/oidc/v3 v3.33.0 // indirect
 	github.com/zitadel/schema v1.3.0 // indirect
 	go.opentelemetry.io/otel v1.32.0 // indirect
 	go.opentelemetry.io/otel/metric v1.32.0 // indirect

diff --git a/pkg/plugin/go.sum b/pkg/plugin/go.sum
@@ -70,8 +70,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/zitadel/logging v0.6.1 h1:Vyzk1rl9Kq9RCevcpX6ujUaTYFX43aa4LkvV1TvUk+Y=
 github.com/zitadel/logging v0.6.1/go.mod h1:Y4CyAXHpl3Mig6JOszcV5Rqqsojj+3n7y2F591Mp/ow=
-github.com/zitadel/oidc/v3 v3.32.1 h1:uE7IgQq4yJfQPXaIbvkOjOaIyb10OF1QtG1COUB/efE=
-github.com/zitadel/oidc/v3 v3.32.1/go.mod h1:DyE/XClysRK/ozFaZSqlYamKVnTh4l6Ln25ihSNI03w=
+github.com/zitadel/oidc/v3 v3.33.0 h1:jAWjymx780VCSr1PpLIjGWzlfr/rB3GJEgN/UTRIk64=
+github.com/zitadel/oidc/v3 v3.33.0/go.mod h1:zkoZ1Oq6CweX3BaLrftLEGCs6YK6zDpjjVGZrP10AWU=
 github.com/zitadel/schema v1.3.0 h1:kQ9W9tvIwZICCKWcMvCEweXET1OcOyGEuFbHs4o5kg0=
 github.com/zitadel/schema v1.3.0/go.mod h1:NptN6mkBDFvERUCvZHlvWmmME+gmZ44xzwRXwhzsbtc=
 go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=