
pomerium / pomerium / 18690754649

21 Oct 2025 04:27PM UTC coverage: 53.953% (+0.02%) from 53.929%
18690754649

push

github

web-flow
endpoints: add paths (#5888)

## Summary
Add additional paths to the `endpoints` package.


## Checklist

- [ ] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

60 of 76 new or added lines in 22 files covered. (78.95%)

8 existing lines in 5 files now uncovered.

27424 of 50829 relevant lines covered (53.95%)

86.61 hits per line

Source File

0.0
/pkg/zero/ping/ping.go
package clusterping

import (
	"context"
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net"
	"net/http"
	"net/url"

	"github.com/go-jose/go-jose/v3"

	"github.com/pomerium/pomerium/internal/version"
	"github.com/pomerium/pomerium/pkg/endpoints"
)

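// CheckErrorCode classifies the reason a JWKS check failed.
type CheckErrorCode int

// Failure categories reported through CheckError.
const (
	// ErrInvalidCert reports a TLS certificate verification failure.
	ErrInvalidCert CheckErrorCode = iota
	// ErrDNSError reports a DNS resolution failure.
	ErrDNSError
	// ErrConnectionError reports any other network-level failure.
	ErrConnectionError
	// ErrKeyNotFound reports that the expected key ID is absent from the JWKS.
	ErrKeyNotFound
	// ErrUnexpectedResponse reports a response with the wrong status,
	// content type or body.
	ErrUnexpectedResponse
)

// CheckError pairs a failure category with the underlying error so callers
// can branch on Code while still reaching the cause through errors.Is/As.
type CheckError struct {
	Code CheckErrorCode
	Err  error
}

// NewCheckError returns a CheckError carrying code and the wrapped err.
func NewCheckError(code CheckErrorCode, err error) *CheckError {
	return &CheckError{
		Code: code,
		Err:  err,
	}
}

// errorCodeToString holds the human-readable prefix for each known code.
var errorCodeToString = map[CheckErrorCode]string{
	ErrInvalidCert:        "invalid certificate",
	ErrDNSError:           "DNS error",
	ErrConnectionError:    "connection error",
	ErrKeyNotFound:        "key not found",
	ErrUnexpectedResponse: "unexpected response",
}

// Error formats the error as "<category>: <cause>".
//
// A code with no entry in errorCodeToString is rendered as
// "unknown error code N" instead of an empty prefix, and a nil cause is
// omitted rather than printed as "<nil>", so the message stays readable in
// logs and alerts.
func (e *CheckError) Error() string {
	label, known := errorCodeToString[e.Code]
	if !known {
		label = fmt.Sprintf("unknown error code %d", int(e.Code))
	}
	if e.Err == nil {
		return label
	}
	return fmt.Sprintf("%s: %v", label, e.Err)
}

// Unwrap returns the wrapped cause so errors.Is and errors.As can inspect it.
func (e *CheckError) Unwrap() error {
	return e.Err
}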

// GetJWKSURL builds the HTTPS URL of the JWKS endpoint on host.
//
// host is placed into the URL authority as given; no validation happens
// here, so callers that later fetch the result should pass a host they
// already trust or have validated.
func GetJWKSURL(host string) string {
	u := url.URL{
		Scheme: "https",
		Host:   host,
		Path:   endpoints.PathJWKS,
	}
	return u.String()
}

// CheckKey fetches the JWKS at jwksURL using client and reports whether it
// lists a key with the same KeyID as key.
//
// It returns nil on a match, a *CheckError with ErrKeyNotFound when the key
// ID is absent, and otherwise whatever error fetchKeys produced. A match
// means only that the key ID is advertised: containsKey does not compare key
// material.
func CheckKey(
	ctx context.Context,
	jwksURL string,
	key jose.JSONWebKey,
	client *http.Client,
) error {
	published, err := fetchKeys(ctx, client, jwksURL)
	switch {
	case err != nil:
		return err
	case containsKey(published, key):
		return nil
	}
	return NewCheckError(ErrKeyNotFound, fmt.Errorf("key %s not found in JWKS", key.KeyID))
}

// containsKey reports whether any entry in keys has the same KeyID as key.
//
// Only the KeyID strings are compared; the key material is not examined.
// NOTE(review): an empty key.KeyID matches any listed key whose KeyID is
// also empty. Confirm that callers always pass a key with a populated ID.
func containsKey(keys []jose.JSONWebKey, key jose.JSONWebKey) bool {
	want := key.KeyID
	for i := range keys {
		if keys[i].KeyID == want {
			return true
		}
	}
	return false
}

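// fetchKeys performs a GET on jwksURL with client and returns the keys listed
// in the JSON Web Key Set it receives. client must be non-nil.
//
// Transport failures are classified by convertRequestError. A non-200 status,
// a media type other than application/json, or a body that does not decode
// is returned as a *CheckError with ErrUnexpectedResponse.
func fetchKeys(ctx context.Context, client *http.Client, jwksURL string) ([]jose.JSONWebKey, error) {
	// maxJWKSBytes bounds how much of the body is decoded, so a misbehaving
	// or hostile endpoint cannot make this check buffer an arbitrarily large
	// response. 1 MiB is far above the size of a realistic JWKS.
	const maxJWKSBytes = 1 << 20

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, jwksURL, nil)
	if err != nil {
		return nil, fmt.Errorf("error creating request: %w", err)
	}
	req.Header.Set("Accept", "application/json")
	req.Header.Set("User-Agent", version.UserAgent())

	resp, err := client.Do(req)
	if err != nil {
		return nil, convertRequestError(err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return nil, NewCheckError(ErrUnexpectedResponse, fmt.Errorf("unexpected status code %d", resp.StatusCode))
	}

	// Compare the parsed media type rather than the raw header so that a
	// value such as "application/json; charset=utf-8" is still accepted.
	contentType := resp.Header.Get("Content-Type")
	if mediaType, _, err := mime.ParseMediaType(contentType); err != nil || mediaType != "application/json" {
		return nil, NewCheckError(ErrUnexpectedResponse, fmt.Errorf("unexpected content type %s", contentType))
	}

	var jwks struct {
		Keys []jose.JSONWebKey `json:"keys"`
	}
	// A body longer than the cap is cut short and then fails to decode,
	// which is reported like any other malformed response.
	body := io.LimitReader(resp.Body, maxJWKSBytes)
	if err := json.NewDecoder(body).Decode(&jwks); err != nil {
		return nil, NewCheckError(ErrUnexpectedResponse, fmt.Errorf("error decoding response: %w", err))
	}

	return jwks.Keys, nil
}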

// convertRequestError maps an error returned by the HTTP client onto a
// *CheckError category: certificate verification failures become
// ErrInvalidCert, DNS failures ErrDNSError, and any other net.Error
// ErrConnectionError. Anything else is wrapped as "error making request".
//
// The cases are tried in order, most specific first. *net.DNSError also
// satisfies net.Error, so the DNS case has to come before the generic
// network case.
func convertRequestError(err error) error {
	var (
		certErr *tls.CertificateVerificationError
		dnsErr  *net.DNSError
		netErr  net.Error
	)
	switch {
	case errors.As(err, &certErr):
		return NewCheckError(ErrInvalidCert, err)
	case errors.As(err, &dnsErr):
		return NewCheckError(ErrDNSError, err)
	case errors.As(err, &netErr):
		return NewCheckError(ErrConnectionError, err)
	default:
		return fmt.Errorf("error making request: %w", err)
	}
}