ContainerImage.Pinniped/internal/oidc/idpdiscovery/idp_discovery_handler_test.go

// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package idpdiscovery

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/require"

	"go.pinniped.dev/internal/oidc"
	"go.pinniped.dev/internal/oidc/provider"
	"go.pinniped.dev/internal/testutil/oidctestutil"
)

func TestIDPDiscovery(t *testing.T) {
	tests := []struct {
		name string

		method string
		path   string

		wantStatus                 int
		wantContentType            string
		wantFirstResponseBodyJSON  interface{}
		wantSecondResponseBodyJSON interface{}
		wantBodyString             string
	}{
		{
			name:            "happy path",
			method:          http.MethodGet,
			path:            "/some/path" + oidc.WellKnownEndpointPath,
			wantStatus:      http.StatusOK,
			wantContentType: "application/json",
			wantFirstResponseBodyJSON: &response{
				IDPs: []identityProviderResponse{
					{Name: "a-some-ldap-idp", Type: "ldap", Flows: []string{"cli_password"}},
					{Name: "a-some-oidc-idp", Type: "oidc", Flows: []string{"browser_authcode"}},
					{Name: "x-some-idp", Type: "ldap", Flows: []string{"cli_password"}},
					{Name: "x-some-idp", Type: "oidc", Flows: []string{"browser_authcode"}},
					{Name: "z-some-ldap-idp", Type: "ldap", Flows: []string{"cli_password"}},
					{Name: "z-some-oidc-idp", Type: "oidc", Flows: []string{"browser_authcode", "cli_password"}},
				},
			},
			wantSecondResponseBodyJSON: &response{
				IDPs: []identityProviderResponse{
					{Name: "some-other-ldap-idp-1", Type: "ldap", Flows: []string{"cli_password"}},
					{Name: "some-other-ldap-idp-2", Type: "ldap", Flows: []string{"cli_password"}},
					{Name: "some-other-oidc-idp-1", Type: "oidc", Flows: []string{"browser_authcode", "cli_password"}},
					{Name: "some-other-oidc-idp-2", Type: "oidc", Flows: []string{"browser_authcode"}},
				},
			},
		},
		{
			name:            "bad method",
			method:          http.MethodPost,
			path:            oidc.WellKnownEndpointPath,
			wantStatus:      http.StatusMethodNotAllowed,
			wantContentType: "text/plain; charset=utf-8",
			wantBodyString:  "Method not allowed (try GET)\n",
		},
	}
	for _, test := range tests {
		test := test
		t.Run(test.name, func(t *testing.T) {
			idpLister := oidctestutil.NewUpstreamIDPListerBuilder().
				WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "z-some-oidc-idp", AllowPasswordGrant: true}).
				WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "x-some-idp"}).
				WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "a-some-ldap-idp"}).
				WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "a-some-oidc-idp"}).
				WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "z-some-ldap-idp"}).
				WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "x-some-idp"}).
				Build()

			handler := NewHandler(idpLister)
			req := httptest.NewRequest(test.method, test.path, nil)
			rsp := httptest.NewRecorder()
			handler.ServeHTTP(rsp, req)

			require.Equal(t, test.wantStatus, rsp.Code)

			require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))

			if test.wantFirstResponseBodyJSON != nil {
				wantJSON, err := json.Marshal(test.wantFirstResponseBodyJSON)
				require.NoError(t, err)
				require.JSONEq(t, string(wantJSON), rsp.Body.String())
			}

			if test.wantBodyString != "" {
				require.Equal(t, test.wantBodyString, rsp.Body.String())
			}

			// Change the list of IDPs in the cache.
			idpLister.SetLDAPIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{
				&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ldap-idp-1"},
				&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ldap-idp-2"},
			})
			idpLister.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
				&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "some-other-oidc-idp-1", AllowPasswordGrant: true},
				&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "some-other-oidc-idp-2"},
			})

			// Make the same request to the same handler instance again, and expect different results.
			rsp = httptest.NewRecorder()
			handler.ServeHTTP(rsp, req)

			require.Equal(t, test.wantStatus, rsp.Code)

			require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))

			if test.wantFirstResponseBodyJSON != nil {
				wantJSON, err := json.Marshal(test.wantSecondResponseBodyJSON)
				require.NoError(t, err)
				require.JSONEq(t, string(wantJSON), rsp.Body.String())
			}

			if test.wantBodyString != "" {
				require.Equal(t, test.wantBodyString, rsp.Body.String())
			}
		})
	}
}
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`// Copyright 2021 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package idpdiscovery`

			`import (`
			`"encoding/json"`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`

			`"github.com/stretchr/testify/require"`

			`"go.pinniped.dev/internal/oidc"`
			`"go.pinniped.dev/internal/oidc/provider"`
			`"go.pinniped.dev/internal/testutil/oidctestutil"`
			`)`

			`func TestIDPDiscovery(t *testing.T) {`
			`tests := []struct {`
			`name string`

			`method string`
			`path string`

			`wantStatus int`
			`wantContentType string`
			`wantFirstResponseBodyJSON interface{}`
			`wantSecondResponseBodyJSON interface{}`
			`wantBodyString string`
			`}{`
			`{`
			`name: "happy path",`
			`method: http.MethodGet,`
			`path: "/some/path" + oidc.WellKnownEndpointPath,`
			`wantStatus: http.StatusOK,`
			`wantContentType: "application/json",`
			`wantFirstResponseBodyJSON: &response{`
			`IDPs: []identityProviderResponse{`
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests 2021-08-12 17:00:18 +00:00			`{Name: "a-some-ldap-idp", Type: "ldap", Flows: []string{"cli_password"}},`
			`{Name: "a-some-oidc-idp", Type: "oidc", Flows: []string{"browser_authcode"}},`
			`{Name: "x-some-idp", Type: "ldap", Flows: []string{"cli_password"}},`
			`{Name: "x-some-idp", Type: "oidc", Flows: []string{"browser_authcode"}},`
			`{Name: "z-some-ldap-idp", Type: "ldap", Flows: []string{"cli_password"}},`
			`{Name: "z-some-oidc-idp", Type: "oidc", Flows: []string{"browser_authcode", "cli_password"}},`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`},`
			`},`
			`wantSecondResponseBodyJSON: &response{`
			`IDPs: []identityProviderResponse{`
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests 2021-08-12 17:00:18 +00:00			`{Name: "some-other-ldap-idp-1", Type: "ldap", Flows: []string{"cli_password"}},`
			`{Name: "some-other-ldap-idp-2", Type: "ldap", Flows: []string{"cli_password"}},`
			`{Name: "some-other-oidc-idp-1", Type: "oidc", Flows: []string{"browser_authcode", "cli_password"}},`
			`{Name: "some-other-oidc-idp-2", Type: "oidc", Flows: []string{"browser_authcode"}},`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`},`
			`},`
			`},`
			`{`
			`name: "bad method",`
			`method: http.MethodPost,`
			`path: oidc.WellKnownEndpointPath,`
			`wantStatus: http.StatusMethodNotAllowed,`
			`wantContentType: "text/plain; charset=utf-8",`
			`wantBodyString: "Method not allowed (try GET)\n",`
			`},`
			`}`
			`for _, test := range tests {`
			`test := test`
			`t.Run(test.name, func(t *testing.T) {`
			`idpLister := oidctestutil.NewUpstreamIDPListerBuilder().`
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests 2021-08-12 17:00:18 +00:00			`WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "z-some-oidc-idp", AllowPasswordGrant: true}).`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "x-some-idp"}).`
			`WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "a-some-ldap-idp"}).`
			`WithOIDC(&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "a-some-oidc-idp"}).`
			`WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "z-some-ldap-idp"}).`
			`WithLDAP(&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "x-some-idp"}).`
			`Build()`

			`handler := NewHandler(idpLister)`
			`req := httptest.NewRequest(test.method, test.path, nil)`
			`rsp := httptest.NewRecorder()`
			`handler.ServeHTTP(rsp, req)`

			`require.Equal(t, test.wantStatus, rsp.Code)`

			`require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))`

			`if test.wantFirstResponseBodyJSON != nil {`
			`wantJSON, err := json.Marshal(test.wantFirstResponseBodyJSON)`
			`require.NoError(t, err)`
			`require.JSONEq(t, string(wantJSON), rsp.Body.String())`
			`}`

			`if test.wantBodyString != "" {`
			`require.Equal(t, test.wantBodyString, rsp.Body.String())`
			`}`

			`// Change the list of IDPs in the cache.`
			`idpLister.SetLDAPIdentityProviders([]provider.UpstreamLDAPIdentityProviderI{`
			`&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ldap-idp-1"},`
			`&oidctestutil.TestUpstreamLDAPIdentityProvider{Name: "some-other-ldap-idp-2"},`
			`})`
			`idpLister.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{`
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests 2021-08-12 17:00:18 +00:00			`&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "some-other-oidc-idp-1", AllowPasswordGrant: true},`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`&oidctestutil.TestUpstreamOIDCIdentityProvider{Name: "some-other-oidc-idp-2"},`
			`})`

			`// Make the same request to the same handler instance again, and expect different results.`
			`rsp = httptest.NewRecorder()`
			`handler.ServeHTTP(rsp, req)`

			`require.Equal(t, test.wantStatus, rsp.Code)`

			`require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))`

			`if test.wantFirstResponseBodyJSON != nil {`
			`wantJSON, err := json.Marshal(test.wantSecondResponseBodyJSON)`
			`require.NoError(t, err)`
			`require.JSONEq(t, string(wantJSON), rsp.Body.String())`
			`}`

			`if test.wantBodyString != "" {`
			`require.Equal(t, test.wantBodyString, rsp.Body.String())`
			`}`
			`})`
			`}`
			`}`