ContainerImage.Pinniped/internal/oidc/callback/callback_handler_test.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package callback

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/require"
)

func TestCallbackEndpoint(t *testing.T) {
	tests := []struct {
		name string

		method string

		wantStatus int
		wantBody   string
	}{
		// Happy path
		// TODO: GET with good state and cookie and successful upstream token exchange and 302 to downstream client callback with its state and code

		// Pre-upstream-exchange verification
		{
			name:       "PUT method is invalid",
			method:     http.MethodPut,
			wantStatus: http.StatusMethodNotAllowed,
			wantBody:   "Method Not Allowed: PUT (try GET)\n",
		},
		// TODO: POST/PATCH/DELETE is invalid
		// TODO: request has body? maybe we don't need to do anything...
		// TODO: code does not exist
		// TODO: we got called twice with the same state and cookie...is this bad? might be ok if the client's first roundtrip failed
		// TODO: we got called twice with the same state and cookie and the UpstreamOIDCProvider CRD has been deleted
		// TODO: state does not exist
		// TODO: invalid signature on state
		// TODO: state is expired (the expiration is encoded in the state itself)
		// TODO: state csrf value does not match csrf cookie
		// TODO: cookie does not exist
		// TODO: invalid signature on cookie
		// TODO: state version does not match what we want

		// Upstream exchange
		// TODO: we can't figure out what the upstream token endpoint is (do we get this UpstreamOIDCProvider name from the path?)
		// TODO: network call to upstream token endpoint fails
		// TODO: the upstream token endpoint returns an error

		// Post-upstream-exchange verification
		// TODO: returned tokens are invalid (all the stuff from the spec...)
		// TODO: there
		// TODO: are
		// TODO: probably
		// TODO: a
		// TODO: lot
		// TODO: of
		// TODO: test
		// TODO: cases
		// TODO: here (e.g., id jwt cannot be verified, nonce is wrong, we didn't get refresh token, we didn't get access token, we didn't get id token, access token expires too quickly)

		// Downstream redirect
		// TODO: cannot generate auth code
		// TODO: cannot persist downstream state
	}
	for _, test := range tests {
		test := test
		t.Run(test.name, func(t *testing.T) {
			subject := NewHandler()
			req := httptest.NewRequest(test.method, "/path-is-not-yet-tested", nil /* body not yet tested */)
			rsp := httptest.NewRecorder()
			subject.ServeHTTP(rsp, req)

			require.Equal(t, test.wantStatus, rsp.Code)
			require.Equal(t, test.wantBody, rsp.Body.String())
		})
	}
}
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package callback`

			`import (`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`)`

			`func TestCallbackEndpoint(t *testing.T) {`
			`tests := []struct {`
			`name string`

			`method string`

			`wantStatus int`
			`wantBody string`
			`}{`
			`// Happy path`
			`// TODO: GET with good state and cookie and successful upstream token exchange and 302 to downstream client callback with its state and code`

			`// Pre-upstream-exchange verification`
			`{`
			`name: "PUT method is invalid",`
			`method: http.MethodPut,`
			`wantStatus: http.StatusMethodNotAllowed,`
			`wantBody: "Method Not Allowed: PUT (try GET)\n",`
			`},`
			`// TODO: POST/PATCH/DELETE is invalid`
			`// TODO: request has body? maybe we don't need to do anything...`
			`// TODO: code does not exist`
			`// TODO: we got called twice with the same state and cookie...is this bad? might be ok if the client's first roundtrip failed`
			`// TODO: we got called twice with the same state and cookie and the UpstreamOIDCProvider CRD has been deleted`
			`// TODO: state does not exist`
			`// TODO: invalid signature on state`
			`// TODO: state is expired (the expiration is encoded in the state itself)`
			`// TODO: state csrf value does not match csrf cookie`
			`// TODO: cookie does not exist`
			`// TODO: invalid signature on cookie`
			`// TODO: state version does not match what we want`

			`// Upstream exchange`
			`// TODO: we can't figure out what the upstream token endpoint is (do we get this UpstreamOIDCProvider name from the path?)`
			`// TODO: network call to upstream token endpoint fails`
			`// TODO: the upstream token endpoint returns an error`

			`// Post-upstream-exchange verification`
			`// TODO: returned tokens are invalid (all the stuff from the spec...)`
			`// TODO: there`
			`// TODO: are`
			`// TODO: probably`
			`// TODO: a`
			`// TODO: lot`
			`// TODO: of`
			`// TODO: test`
			`// TODO: cases`
			`// TODO: here (e.g., id jwt cannot be verified, nonce is wrong, we didn't get refresh token, we didn't get access token, we didn't get id token, access token expires too quickly)`

			`// Downstream redirect`
			`// TODO: cannot generate auth code`
			`// TODO: cannot persist downstream state`
			`}`
			`for _, test := range tests {`
			`test := test`
			`t.Run(test.name, func(t *testing.T) {`
			`subject := NewHandler()`
			`req := httptest.NewRequest(test.method, "/path-is-not-yet-tested", nil /* body not yet tested */)`
			`rsp := httptest.NewRecorder()`
			`subject.ServeHTTP(rsp, req)`

			`require.Equal(t, test.wantStatus, rsp.Code)`
			`require.Equal(t, test.wantBody, rsp.Body.String())`
			`})`
			`}`
			`}`