mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3419 Commits
34 Branches
98 Tags
73 MiB
Tree: 095eb750b0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '095eb750b0'
${ noResults }
dex/server/handlers_test.go

825 lines
21 KiB
Raw Normal View History Unescape

initial commit
10 years ago
package server
server: add a test for the health check handler
10 years ago
import (
Add tests for some callback handler error conditions
7 years ago
"bytes"
*: update go-oidc and use standard library's context package
9 years ago
"context"
Add tests for some callback handler error conditions
7 years ago
"encoding/json"
server: update health check endpoint to query storage periodically Instead of querying the storage every time a health check is performed query it periodically and save the result.
7 years ago
"errors"
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
"fmt"
server: add a test for the health check handler
10 years ago
"net/http"
"net/http/httptest"
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
"net/url"
"path"
OAuth 2.0 Token Exchange (#2806) Signed-off-by: Sean Liao <sean+git@liao.dev> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
3 years ago
"strings"
server: add a test for the health check handler
10 years ago
"testing"
abort connector login if connector was already set #1707 Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
6 years ago
"time"
refactor: use new health checker Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
gosundheit "github.com/AppsFlyer/go-sundheit"
"github.com/AppsFlyer/go-sundheit/checks"
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
"github.com/coreos/go-oidc/v3/oidc"
"github.com/stretchr/testify/require"
"golang.org/x/oauth2"
server: update health check endpoint to query storage periodically Instead of querying the storage every time a health check is performed query it periodically and save the result.
7 years ago
"github.com/dexidp/dex/storage"
server: add a test for the health check handler
10 years ago
)
func TestHandleHealth(t *testing.T) {
{cmd,server}: move garbage collection logic to server
10 years ago
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
*: fix linting
10 years ago
httpServer, server := newTestServer(ctx, t, nil)
server: add a test for the health check handler
10 years ago
defer httpServer.Close()
rr := httptest.NewRecorder()
server: update health check endpoint to query storage periodically Instead of querying the storage every time a health check is performed query it periodically and save the result.
7 years ago
server.ServeHTTP(rr, httptest.NewRequest("GET", "/healthz", nil))
server: add a test for the health check handler
10 years ago
if rr.Code != http.StatusOK {
t.Errorf("expected 200 got %d", rr.Code)
}
}
server: update health check endpoint to query storage periodically Instead of querying the storage every time a health check is performed query it periodically and save the result.
7 years ago
[RFC7662] Add introspect endpoint to introspect access & refresh token (#3404) Signed-off-by: Romain Caire <super.cairos@gmail.com>
2 years ago
func TestHandleDiscovery(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
httpServer, server := newTestServer(ctx, t, nil)
defer httpServer.Close()
rr := httptest.NewRecorder()
server.ServeHTTP(rr, httptest.NewRequest("GET", "/.well-known/openid-configuration", nil))
if rr.Code != http.StatusOK {
t.Errorf("expected 200 got %d", rr.Code)
}
var res discovery
err := json.NewDecoder(rr.Result().Body).Decode(&res)
require.NoError(t, err)
require.Equal(t, discovery{
Issuer: httpServer.URL,
Auth: fmt.Sprintf("%s/auth", httpServer.URL),
Token: fmt.Sprintf("%s/token", httpServer.URL),
Keys: fmt.Sprintf("%s/keys", httpServer.URL),
UserInfo: fmt.Sprintf("%s/userinfo", httpServer.URL),
DeviceEndpoint: fmt.Sprintf("%s/device/code", httpServer.URL),
Introspect: fmt.Sprintf("%s/token/introspect", httpServer.URL),
GrantTypes: []string{
"authorization_code",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:ietf:params:oauth:grant-type:token-exchange",
},
ResponseTypes: []string{
"code",
},
Subjects: []string{
"public",
},
IDTokenAlgs: []string{
"RS256",
},
CodeChallengeAlgs: []string{
"S256",
"plain",
},
Scopes: []string{
"openid",
"email",
"groups",
"profile",
"offline_access",
},
AuthMethods: []string{
"client_secret_basic",
"client_secret_post",
},
Claims: []string{
"iss",
"sub",
"aud",
"iat",
"exp",
"email",
"email_verified",
"locale",
"name",
"preferred_username",
"at_hash",
},
}, res)
}
server: update health check endpoint to query storage periodically Instead of querying the storage every time a health check is performed query it periodically and save the result.
7 years ago
func TestHandleHealthFailure(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
httpServer, server := newTestServer(ctx, t, func(c *Config) {
refactor: use new health checker Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
c.HealthChecker = gosundheit.New()
chore(deps): update gosundheit Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
c.HealthChecker.RegisterCheck(
&checks.CustomCheck{
refactor: use new health checker Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
CheckName: "fail",
chore(deps): update gosundheit Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
CheckFunc: func(_ context.Context) (details interface{}, err error) {
refactor: use new health checker Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
return nil, errors.New("error")
},
},
chore(deps): update gosundheit Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
gosundheit.InitiallyPassing(false),
gosundheit.ExecutionPeriod(1*time.Second),
)
server: update health check endpoint to query storage periodically Instead of querying the storage every time a health check is performed query it periodically and save the result.
7 years ago
})
defer httpServer.Close()
rr := httptest.NewRecorder()
server.ServeHTTP(rr, httptest.NewRequest("GET", "/healthz", nil))
if rr.Code != http.StatusInternalServerError {
t.Errorf("expected 500 got %d", rr.Code)
}
}
Add tests for some callback handler error conditions
7 years ago
type emptyStorage struct {
storage.Storage
}
Passing context storage (#3941) Signed-off-by: Bob Maertz <1771054+bobmaertz@users.noreply.github.com>
1 year ago
func (*emptyStorage) GetAuthRequest(context.Context, string) (storage.AuthRequest, error) {
Add tests for some callback handler error conditions
7 years ago
return storage.AuthRequest{}, storage.ErrNotFound
}
func TestHandleInvalidOAuth2Callbacks(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
httpServer, server := newTestServer(ctx, t, func(c *Config) {
c.Storage = &emptyStorage{c.Storage}
})
defer httpServer.Close()
tests := []struct {
TargetURI string
ExpectedCode int
}{
{"/callback", http.StatusBadRequest},
{"/callback?code=&state=", http.StatusBadRequest},
{"/callback?code=AAAAAAA&state=BBBBBBB", http.StatusBadRequest},
}
rr := httptest.NewRecorder()
for i, r := range tests {
server.ServeHTTP(rr, httptest.NewRequest("GET", r.TargetURI, nil))
if rr.Code != r.ExpectedCode {
t.Fatalf("test %d expected %d, got %d", i, r.ExpectedCode, rr.Code)
}
}
}
func TestHandleInvalidSAMLCallbacks(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
httpServer, server := newTestServer(ctx, t, func(c *Config) {
c.Storage = &emptyStorage{c.Storage}
})
defer httpServer.Close()
type requestForm struct {
RelayState string
}
tests := []struct {
RequestForm requestForm
ExpectedCode int
}{
{requestForm{}, http.StatusBadRequest},
{requestForm{RelayState: "AAAAAAA"}, http.StatusBadRequest},
}
rr := httptest.NewRecorder()
for i, r := range tests {
jsonValue, err := json.Marshal(r.RequestForm)
if err != nil {
t.Fatal(err.Error())
}
server.ServeHTTP(rr, httptest.NewRequest("POST", "/callback", bytes.NewBuffer(jsonValue)))
if rr.Code != r.ExpectedCode {
t.Fatalf("test %d expected %d, got %d", i, r.ExpectedCode, rr.Code)
}
}
}
abort connector login if connector was already set #1707 Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
6 years ago
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
// TestHandleAuthCode checks that it is forbidden to use same code twice
func TestHandleAuthCode(t *testing.T) {
tests := []struct {
name string
handleCode func(*testing.T, context.Context, *oauth2.Config, string)
}{
{
name: "Code Reuse should return invalid_grant",
handleCode: func(t *testing.T, ctx context.Context, oauth2Config *oauth2.Config, code string) {
_, err := oauth2Config.Exchange(ctx, code)
require.NoError(t, err)
_, err = oauth2Config.Exchange(ctx, code)
require.Error(t, err)
oauth2Err, ok := err.(*oauth2.RetrieveError)
require.True(t, ok)
var errResponse struct{ Error string }
err = json.Unmarshal(oauth2Err.Body, &errResponse)
require.NoError(t, err)
// invalid_grant must be returned for invalid values
// https://tools.ietf.org/html/rfc6749#section-5.2
require.Equal(t, errInvalidGrant, errResponse.Error)
},
},
{
name: "No Code should return invalid_request",
handleCode: func(t *testing.T, ctx context.Context, oauth2Config *oauth2.Config, _ string) {
_, err := oauth2Config.Exchange(ctx, "")
require.Error(t, err)
oauth2Err, ok := err.(*oauth2.RetrieveError)
require.True(t, ok)
var errResponse struct{ Error string }
err = json.Unmarshal(oauth2Err.Body, &errResponse)
require.NoError(t, err)
require.Equal(t, errInvalidRequest, errResponse.Error)
},
},
}
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
httpServer, s := newTestServer(ctx, t, func(c *Config) { c.Issuer += "/non-root-path" })
defer httpServer.Close()
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
p, err := oidc.NewProvider(ctx, httpServer.URL)
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
require.NoError(t, err)
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
var oauth2Client oauth2Client
oauth2Client.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/callback" {
http.Redirect(w, r, oauth2Client.config.AuthCodeURL(""), http.StatusSeeOther)
return
}
q := r.URL.Query()
require.Equal(t, q.Get("error"), "", q.Get("error_description"))
code := q.Get("code")
tc.handleCode(t, ctx, oauth2Client.config, code)
w.WriteHeader(http.StatusOK)
}))
defer oauth2Client.server.Close()
redirectURL := oauth2Client.server.URL + "/callback"
client := storage.Client{
ID: "testclient",
Secret: "testclientsecret",
RedirectURIs: []string{redirectURL},
}
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
err = s.storage.CreateClient(ctx, client)
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
require.NoError(t, err)
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
oauth2Client.config = &oauth2.Config{
ClientID: client.ID,
ClientSecret: client.Secret,
Endpoint: p.Endpoint(),
Scopes: []string{oidc.ScopeOpenID, "email", "offline_access"},
RedirectURL: redirectURL,
}
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
resp, err := http.Get(oauth2Client.server.URL + "/login")
require.NoError(t, err)
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
fix: check code presence Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
resp.Body.Close()
})
fix: return invalid_grant error for invalid or expired auth codes Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
5 years ago
}
}
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
func mockConnectorDataTestStorage(t *testing.T, s storage.Storage) {
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
ctx := context.Background()
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
c := storage.Client{
ID: "test",
Secret: "barfoo",
RedirectURIs: []string{"foo://bar.com/", "https://auth.example.com"},
Name: "dex client",
LogoURL: "https://goo.gl/JIyzIC",
}
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
err := s.CreateClient(ctx, c)
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
require.NoError(t, err)
c1 := storage.Connector{
ID: "test",
Type: "mockPassword",
Name: "mockPassword",
Config: []byte(`{
"username": "test",
"password": "test"
}`),
}
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
err = s.CreateConnector(ctx, c1)
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
require.NoError(t, err)
correctly handle path escaping for connector IDs Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
5 years ago
c2 := storage.Connector{
ID: "http://any.valid.url/",
Type: "mock",
Name: "mockURLID",
}
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
err = s.CreateConnector(ctx, c2)
correctly handle path escaping for connector IDs Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
5 years ago
require.NoError(t, err)
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
}
fix: return 401 if password is invalid (#2796) Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
func TestHandlePassword(t *testing.T) {
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
tests := []struct {
name string
scopes string
offlineSessionCreated bool
}{
{
name: "Password login, request refresh token",
scopes: "openid offline_access email",
offlineSessionCreated: true,
},
{
name: "Password login",
scopes: "openid email",
offlineSessionCreated: false,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
// Setup a dex server.
httpServer, s := newTestServer(ctx, t, func(c *Config) {
c.PasswordConnector = "test"
c.Now = time.Now
})
defer httpServer.Close()
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
mockConnectorDataTestStorage(t, s.storage)
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
makeReq := func(username, password string) *httptest.ResponseRecorder {
u, err := url.Parse(s.issuerURL.String())
require.NoError(t, err)
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
u.Path = path.Join(u.Path, "/token")
v := url.Values{}
v.Add("scope", tc.scopes)
v.Add("grant_type", "password")
v.Add("username", username)
v.Add("password", password)
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
req, _ := http.NewRequest("POST", u.String(), bytes.NewBufferString(v.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
req.SetBasicAuth("test", "barfoo")
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
rr := httptest.NewRecorder()
s.ServeHTTP(rr, req)
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
return rr
}
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
// Check unauthorized error
{
rr := makeReq("test", "invalid")
require.Equal(t, 401, rr.Code)
}
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
// Check that we received expected refresh token
{
rr := makeReq("test", "test")
require.Equal(t, 200, rr.Code)
fix: return 401 if password is invalid (#2796) Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
var ref struct {
Token string `json:"refresh_token"`
}
err := json.Unmarshal(rr.Body.Bytes(), &ref)
require.NoError(t, err)
fix: return 401 if password is invalid (#2796) Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
Passing context storage (#3941) Signed-off-by: Bob Maertz <1771054+bobmaertz@users.noreply.github.com>
1 year ago
newSess, err := s.storage.GetOfflineSessions(ctx, "0-385-28089-0", "test")
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
if tc.offlineSessionCreated {
require.NoError(t, err)
require.Equal(t, `{"test": "true"}`, string(newSess.ConnectorData))
} else {
require.Error(t, storage.ErrNotFound, err)
}
}
})
fix: return 401 if password is invalid (#2796) Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
}
handlePasswordGrant: insert connectorData into OfflineSession (#2199) * handlePasswordGrant: insert connectorData into OfflineSession This change will insert the ConnectorData from the initial Login into the OfflineSession, as already done in handlePasswordLogin. Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
5 years ago
}
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
func TestHandlePasswordLoginWithSkipApproval(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
connID := "mockPw"
authReqID := "test"
expiry := time.Now().Add(100 * time.Second)
OAuth 2.0 Token Exchange (#2806) Signed-off-by: Sean Liao <sean+git@liao.dev> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
3 years ago
resTypes := []string{responseTypeCode}
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
tests := []struct {
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
name string
skipApproval bool
authReq storage.AuthRequest
expectedRes string
offlineSessionCreated bool
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
}{
{
name: "Force approval",
skipApproval: false,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: true,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/approval",
offlineSessionCreated: false,
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
},
{
name: "Skip approval by server config",
skipApproval: true,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: true,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/approval",
offlineSessionCreated: false,
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
},
{
fix: Do not skip approval screen by default (#2897) Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
name: "No skip",
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
skipApproval: false,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: false,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/approval",
offlineSessionCreated: false,
fix: Do not skip approval screen by default (#2897) Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
},
{
name: "Skip approval",
skipApproval: true,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: false,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/auth/mockPw/cb",
offlineSessionCreated: false,
},
{
name: "Force approval, request refresh token",
skipApproval: false,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: true,
Scopes: []string{"offline_access"},
},
expectedRes: "/approval",
offlineSessionCreated: true,
},
{
name: "Skip approval, request refresh token",
skipApproval: true,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: false,
Scopes: []string{"offline_access"},
},
expectedRes: "/auth/mockPw/cb",
Create offline sessions if approval is skipped (#3828) Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
1 year ago
offlineSessionCreated: true,
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
},
}
for _, tc := range tests {
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
t.Run(tc.name, func(t *testing.T) {
httpServer, s := newTestServer(ctx, t, func(c *Config) {
c.SkipApprovalScreen = tc.skipApproval
c.Now = time.Now
})
defer httpServer.Close()
sc := storage.Connector{
ID: connID,
Type: "mockPassword",
Name: "MockPassword",
ResourceVersion: "1",
Config: []byte("{\"username\": \"foo\", \"password\": \"password\"}"),
}
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
if err := s.storage.CreateConnector(ctx, sc); err != nil {
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
t.Fatalf("create connector: %v", err)
}
if _, err := s.OpenConnector(sc); err != nil {
t.Fatalf("open connector: %v", err)
}
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
if err := s.storage.CreateAuthRequest(ctx, tc.authReq); err != nil {
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
t.Fatalf("failed to create AuthRequest: %v", err)
}
rr := httptest.NewRecorder()
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
path := fmt.Sprintf("/auth/%s/login?state=%s&back=&login=foo&password=password", connID, authReqID)
s.handlePasswordLogin(rr, httptest.NewRequest("POST", path, nil))
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
require.Equal(t, 303, rr.Code)
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
resp := rr.Result()
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
defer resp.Body.Close()
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
cb, _ := url.Parse(resp.Header.Get("Location"))
require.Equal(t, tc.expectedRes, cb.Path)
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Passing context storage (#3941) Signed-off-by: Bob Maertz <1771054+bobmaertz@users.noreply.github.com>
1 year ago
offlineSession, err := s.storage.GetOfflineSessions(ctx, "0-385-28089-0", connID)
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
if tc.offlineSessionCreated {
require.NoError(t, err)
require.NotEmpty(t, offlineSession)
} else {
require.Error(t, storage.ErrNotFound, err)
}
})
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
}
}
func TestHandleConnectorCallbackWithSkipApproval(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
connID := "mock"
authReqID := "test"
expiry := time.Now().Add(100 * time.Second)
OAuth 2.0 Token Exchange (#2806) Signed-off-by: Sean Liao <sean+git@liao.dev> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
3 years ago
resTypes := []string{responseTypeCode}
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
tests := []struct {
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
name string
skipApproval bool
authReq storage.AuthRequest
expectedRes string
offlineSessionCreated bool
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
}{
{
name: "Force approval",
skipApproval: false,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: true,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/approval",
offlineSessionCreated: false,
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
},
{
name: "Skip approval by server config",
skipApproval: true,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: true,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/approval",
offlineSessionCreated: false,
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
},
{
name: "Skip approval by auth request",
skipApproval: false,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: false,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/approval",
offlineSessionCreated: false,
fix: Do not skip approval screen by default (#2897) Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
},
{
name: "Skip approval",
skipApproval: true,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: false,
},
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
expectedRes: "/callback/cb",
offlineSessionCreated: false,
},
{
name: "Force approval, request refresh token",
skipApproval: false,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: true,
Scopes: []string{"offline_access"},
},
expectedRes: "/approval",
offlineSessionCreated: true,
},
{
name: "Skip approval, request refresh token",
skipApproval: true,
authReq: storage.AuthRequest{
ID: authReqID,
ConnectorID: connID,
RedirectURI: "cb",
Expiry: expiry,
ResponseTypes: resTypes,
ForceApprovalPrompt: false,
Scopes: []string{"offline_access"},
},
expectedRes: "/callback/cb",
offlineSessionCreated: false,
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
},
}
for _, tc := range tests {
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
t.Run(tc.name, func(t *testing.T) {
httpServer, s := newTestServer(ctx, t, func(c *Config) {
c.SkipApprovalScreen = tc.skipApproval
c.Now = time.Now
})
defer httpServer.Close()
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
if err := s.storage.CreateAuthRequest(ctx, tc.authReq); err != nil {
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
t.Fatalf("failed to create AuthRequest: %v", err)
}
rr := httptest.NewRecorder()
path := fmt.Sprintf("/callback/%s?state=%s", connID, authReqID)
s.handleConnectorCallback(rr, httptest.NewRequest("GET", path, nil))
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
require.Equal(t, 303, rr.Code)
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
resp := rr.Result()
defer resp.Body.Close()
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
cb, _ := url.Parse(resp.Header.Get("Location"))
require.Equal(t, tc.expectedRes, cb.Path)
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
Passing context storage (#3941) Signed-off-by: Bob Maertz <1771054+bobmaertz@users.noreply.github.com>
1 year ago
offlineSession, err := s.storage.GetOfflineSessions(ctx, "0-385-28089-0", connID)
Store offline sessions only if they were requested by the user (#3125) Signed-off-by: MM53 <2821Signed-off-by: MM53 <28218664+MM53@users.noreply.github.com>
2 years ago
if tc.offlineSessionCreated {
require.NoError(t, err)
require.NotEmpty(t, offlineSession)
} else {
require.Error(t, storage.ErrNotFound, err)
}
})
Add test for skipping approval Signed-off-by: nobuyo <longzechangsheng@gmail.com>
3 years ago
}
}
OAuth 2.0 Token Exchange (#2806) Signed-off-by: Sean Liao <sean+git@liao.dev> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
3 years ago
func TestHandleTokenExchange(t *testing.T) {
tests := []struct {
name string
scope string
requestedTokenType string
subjectTokenType string
subjectToken string
expectedCode int
expectedTokenType string
}{
{
"id-for-acccess",
"openid",
tokenTypeAccess,
tokenTypeID,
"foobar",
http.StatusOK,
tokenTypeAccess,
},
{
"id-for-id",
"openid",
tokenTypeID,
tokenTypeID,
"foobar",
http.StatusOK,
tokenTypeID,
},
{
"id-for-default",
"openid",
"",
tokenTypeID,
"foobar",
http.StatusOK,
tokenTypeAccess,
},
{
"access-for-access",
"openid",
tokenTypeAccess,
tokenTypeAccess,
"foobar",
http.StatusOK,
tokenTypeAccess,
},
{
"missing-subject_token_type",
"openid",
tokenTypeAccess,
"",
"foobar",
http.StatusBadRequest,
"",
},
{
"missing-subject_token",
"openid",
tokenTypeAccess,
tokenTypeAccess,
"",
http.StatusBadRequest,
"",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
httpServer, s := newTestServer(ctx, t, func(c *Config) {
Add context to storage's Create endpoints (#2935) * Initial commit Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Finish the syntex fixes Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Add fixes after running the tests Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> * Change background context to request context Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com> --------- Signed-off-by: PumpkinSeed <qwer.kocka@gmail.com>
2 years ago
c.Storage.CreateClient(ctx, storage.Client{
OAuth 2.0 Token Exchange (#2806) Signed-off-by: Sean Liao <sean+git@liao.dev> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
3 years ago
ID: "client_1",
Secret: "secret_1",
})
})
defer httpServer.Close()
vals := make(url.Values)
vals.Set("grant_type", grantTypeTokenExchange)
setNonEmpty(vals, "connector_id", "mock")
setNonEmpty(vals, "scope", tc.scope)
setNonEmpty(vals, "requested_token_type", tc.requestedTokenType)
setNonEmpty(vals, "subject_token_type", tc.subjectTokenType)
setNonEmpty(vals, "subject_token", tc.subjectToken)
setNonEmpty(vals, "client_id", "client_1")
setNonEmpty(vals, "client_secret", "secret_1")
rr := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodPost, httpServer.URL+"/token", strings.NewReader(vals.Encode()))
req.Header.Set("content-type", "application/x-www-form-urlencoded")
s.handleToken(rr, req)
require.Equal(t, tc.expectedCode, rr.Code, rr.Body.String())
require.Equal(t, "application/json", rr.Result().Header.Get("content-type"))
if tc.expectedCode == http.StatusOK {
var res accessTokenResponse
err := json.NewDecoder(rr.Result().Body).Decode(&res)
require.NoError(t, err)
require.Equal(t, tc.expectedTokenType, res.IssuedTokenType)
}
})
}
}
func setNonEmpty(vals url.Values, key, value string) {
if value != "" {
vals.Set(key, value)
}
}