2022-04-20 21:58:09 +00:00
|
|
|
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
2021-05-11 17:31:33 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package idpdiscovery
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
2021-08-17 22:23:03 +00:00
|
|
|
"go.pinniped.dev/internal/here"
|
2021-05-11 17:31:33 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
|
|
|
"go.pinniped.dev/internal/testutil/oidctestutil"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestIDPDiscovery(t *testing.T) {
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
|
|
|
|
method string
|
|
|
|
path string
|
|
|
|
|
|
|
|
wantStatus int
|
|
|
|
wantContentType string
|
2021-08-17 22:23:03 +00:00
|
|
|
wantFirstResponseBodyJSON string
|
|
|
|
wantSecondResponseBodyJSON string
|
2021-05-11 17:31:33 +00:00
|
|
|
wantBodyString string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "happy path",
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: "/some/path" + oidc.WellKnownEndpointPath,
|
|
|
|
wantStatus: http.StatusOK,
|
|
|
|
wantContentType: "application/json",
|
2021-08-17 22:23:03 +00:00
|
|
|
wantFirstResponseBodyJSON: here.Doc(`{
|
|
|
|
"pinniped_identity_providers": [
|
2022-04-20 21:58:09 +00:00
|
|
|
{"name": "a-some-ldap-idp", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},
|
2021-08-24 19:19:29 +00:00
|
|
|
{"name": "a-some-oidc-idp", "type": "oidc", "flows": ["browser_authcode"]},
|
2022-04-20 21:58:09 +00:00
|
|
|
{"name": "x-some-idp", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},
|
2021-08-24 19:19:29 +00:00
|
|
|
{"name": "x-some-idp", "type": "oidc", "flows": ["browser_authcode"]},
|
2022-04-20 21:58:09 +00:00
|
|
|
{"name": "y-some-ad-idp", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
|
|
|
|
{"name": "z-some-ad-idp", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
|
|
|
|
{"name": "z-some-ldap-idp", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},
|
2021-08-24 19:19:29 +00:00
|
|
|
{"name": "z-some-oidc-idp", "type": "oidc", "flows": ["browser_authcode", "cli_password"]}
|
2021-08-17 22:23:03 +00:00
|
|
|
]
|
|
|
|
}`),
|
|
|
|
wantSecondResponseBodyJSON: here.Doc(`{
|
|
|
|
"pinniped_identity_providers": [
|
2022-04-20 21:58:09 +00:00
|
|
|
{"name": "some-other-ad-idp-1", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
|
|
|
|
{"name": "some-other-ad-idp-2", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
|
|
|
|
{"name": "some-other-ldap-idp-1", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},
|
|
|
|
{"name": "some-other-ldap-idp-2", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},
|
2021-08-24 19:19:29 +00:00
|
|
|
{"name": "some-other-oidc-idp-1", "type": "oidc", "flows": ["browser_authcode", "cli_password"]},
|
|
|
|
{"name": "some-other-oidc-idp-2", "type": "oidc", "flows": ["browser_authcode"]}
|
2021-08-17 22:23:03 +00:00
|
|
|
]
|
|
|
|
}`),
|
2021-05-11 17:31:33 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "bad method",
|
|
|
|
method: http.MethodPost,
|
|
|
|
path: oidc.WellKnownEndpointPath,
|
|
|
|
wantStatus: http.StatusMethodNotAllowed,
|
|
|
|
wantContentType: "text/plain; charset=utf-8",
|
|
|
|
wantBodyString: "Method not allowed (try GET)\n",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, test := range tests {
|
|
|
|
test := test
|
|
|
|
t.Run(test.name, func(t *testing.T) {
|
|
|
|
idpLister := oidctestutil.NewUpstreamIDPListerBuilder().
|
2021-08-12 17:00:18 +00:00
|
|
|
WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "z-some-oidc-idp", AllowPasswordGrant: true}).
|
2021-05-11 17:31:33 +00:00
|
|
|
WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "x-some-idp"}).
|
|
|
|
WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "a-some-ldap-idp"}).
|
|
|
|
WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "a-some-oidc-idp"}).
|
|
|
|
WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "z-some-ldap-idp"}).
|
|
|
|
WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "x-some-idp"}).
|
2021-07-02 22:30:27 +00:00
|
|
|
WithActiveDirectory(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "z-some-ad-idp"}).
|
2021-07-26 23:03:12 +00:00
|
|
|
WithActiveDirectory(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "y-some-ad-idp"}).
|
2021-05-11 17:31:33 +00:00
|
|
|
Build()
|
|
|
|
|
|
|
|
handler := NewHandler(idpLister)
|
|
|
|
req := httptest.NewRequest(test.method, test.path, nil)
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, test.wantStatus, rsp.Code)
|
|
|
|
|
|
|
|
require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))
|
|
|
|
|
2021-08-17 22:23:03 +00:00
|
|
|
if test.wantFirstResponseBodyJSON != "" {
|
|
|
|
require.JSONEq(t, test.wantFirstResponseBodyJSON, rsp.Body.String())
|
2021-05-11 17:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if test.wantBodyString != "" {
|
|
|
|
require.Equal(t, test.wantBodyString, rsp.Body.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
// Change the list of IDPs in the cache.
|
|
|
|
idpLister.SetLDAPIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{
|
|
|
|
&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ldap-idp-1"},
|
|
|
|
&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ldap-idp-2"},
|
|
|
|
})
|
|
|
|
idpLister.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
|
2021-08-12 17:00:18 +00:00
|
|
|
&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "some-other-oidc-idp-1", AllowPasswordGrant: true},
|
2021-05-11 17:31:33 +00:00
|
|
|
&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "some-other-oidc-idp-2"},
|
|
|
|
})
|
|
|
|
|
2021-07-02 22:30:27 +00:00
|
|
|
idpLister.SetActiveDirectoryIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{
|
2021-07-26 23:03:12 +00:00
|
|
|
&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ad-idp-2"},
|
2021-07-02 22:30:27 +00:00
|
|
|
&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ad-idp-1"},
|
|
|
|
})
|
|
|
|
|
2021-05-11 17:31:33 +00:00
|
|
|
// Make the same request to the same handler instance again, and expect different results.
|
|
|
|
rsp = httptest.NewRecorder()
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, test.wantStatus, rsp.Code)
|
|
|
|
|
|
|
|
require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))
|
|
|
|
|
2021-08-17 22:23:03 +00:00
|
|
|
if test.wantFirstResponseBodyJSON != "" {
|
|
|
|
require.JSONEq(t, test.wantSecondResponseBodyJSON, rsp.Body.String())
|
2021-05-11 17:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if test.wantBodyString != "" {
|
|
|
|
require.Equal(t, test.wantBodyString, rsp.Body.String())
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|