ContainerImage.Pinniped/internal/oidc/discovery/discovery_test.go

124 lines
3.5 KiB
Go
Raw Normal View History

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package discovery
import (
"encoding/json"
"net/http"
"net/http/httptest"
"net/url"
"testing"
"github.com/stretchr/testify/require"
"go.pinniped.dev/internal/oidc"
"go.pinniped.dev/internal/oidc/issuerprovider"
)
func TestDiscovery(t *testing.T) {
tests := []struct {
name string
issuer *url.URL
method string
path string
wantStatus int
wantContentType string
wantBody interface{}
}{
{
name: "nil issuer",
method: http.MethodGet,
path: oidc.WellKnownURLPath,
wantStatus: http.StatusNotFound,
wantBody: map[string]string{
"error": "OIDC discovery not available (unknown issuer)",
},
},
{
name: "root path mismatch",
issuer: must(url.Parse("https://some-issuer.com/some/path")),
method: http.MethodGet,
path: "/some/other/path" + oidc.WellKnownURLPath,
wantStatus: http.StatusNotFound,
wantBody: map[string]string{
"error": "OIDC discovery not available (unknown issuer)",
},
},
{
name: "well-known path mismatch",
issuer: must(url.Parse("https://some-issuer.com/some/path")),
method: http.MethodGet,
path: "/some/path/that/is/not/the/well-known/path",
wantStatus: http.StatusNotFound,
wantBody: map[string]string{
"error": "OIDC discovery not available (unknown issuer)",
},
},
{
name: "issuer path matches",
issuer: must(url.Parse("https://some-issuer.com/some/path")),
method: http.MethodGet,
path: "/some/path" + oidc.WellKnownURLPath,
wantStatus: http.StatusOK,
wantContentType: "application/json",
wantBody: &Metadata{
Issuer: "https://some-issuer.com/some/path",
AuthorizationEndpoint: "https://some-issuer.com/some/path/oauth2/v0/auth",
TokenEndpoint: "https://some-issuer.com/some/path/oauth2/v0/token",
JWKSURI: "https://some-issuer.com/some/path/jwks.json",
ResponseTypesSupported: []string{"code"},
SubjectTypesSupported: []string{"public"},
IDTokenSigningAlgValuesSupported: []string{"RS256"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
ScopesSupported: []string{"openid", "offline"},
ClaimsSupported: []string{"groups"},
},
},
{
name: "bad method",
issuer: must(url.Parse("https://some-issuer.com")),
method: http.MethodPost,
path: oidc.WellKnownURLPath,
wantStatus: http.StatusMethodNotAllowed,
wantBody: map[string]string{
"error": "Method not allowed (try GET)",
},
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
p := issuerprovider.New()
p.SetIssuer(test.issuer)
handler := New(p)
req := httptest.NewRequest(test.method, test.path, nil)
rsp := httptest.NewRecorder()
handler.ServeHTTP(rsp, req)
require.Equal(t, test.wantStatus, rsp.Code)
if test.wantContentType != "" {
require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))
}
if test.wantBody != nil {
wantJSON, err := json.Marshal(test.wantBody)
require.NoError(t, err)
require.JSONEq(t, string(wantJSON), rsp.Body.String())
}
})
}
}
func must(u *url.URL, err error) *url.URL {
if err != nil {
panic(err)
}
return u
}