ContainerImage.Pinniped/internal/oidc/oidctestutil/oidc.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package oidctestutil

import (
	"context"
	"net/url"

	"golang.org/x/oauth2"

	"go.pinniped.dev/internal/oidc/provider"
	"go.pinniped.dev/pkg/oidcclient/nonce"
	"go.pinniped.dev/pkg/oidcclient/oidctypes"
	"go.pinniped.dev/pkg/oidcclient/pkce"
)

// Test helpers for the OIDC package.

// ExchangeAuthcodeAndValidateTokenArgs is a POGO (plain old go object?) used to spy on calls to
// TestUpstreamOIDCIdentityProvider.ExchangeAuthcodeAndValidateTokensFunc().
type ExchangeAuthcodeAndValidateTokenArgs struct {
	Ctx                  context.Context
	Authcode             string
	PKCECodeVerifier     pkce.Code
	ExpectedIDTokenNonce nonce.Nonce
	RedirectURI          string
}

type TestUpstreamOIDCIdentityProvider struct {
	Name                                  string
	ClientID                              string
	AuthorizationURL                      url.URL
	UsernameClaim                         string
	GroupsClaim                           string
	Scopes                                []string
	ExchangeAuthcodeAndValidateTokensFunc func(
		ctx context.Context,
		authcode string,
		pkceCodeVerifier pkce.Code,
		expectedIDTokenNonce nonce.Nonce,
	) (oidctypes.Token, map[string]interface{}, error)

	exchangeAuthcodeAndValidateTokensCallCount int
	exchangeAuthcodeAndValidateTokensArgs      []*ExchangeAuthcodeAndValidateTokenArgs
}

func (u *TestUpstreamOIDCIdentityProvider) GetName() string {
	return u.Name
}

func (u *TestUpstreamOIDCIdentityProvider) GetClientID() string {
	return u.ClientID
}

func (u *TestUpstreamOIDCIdentityProvider) GetAuthorizationURL() *url.URL {
	return &u.AuthorizationURL
}

func (u *TestUpstreamOIDCIdentityProvider) GetScopes() []string {
	return u.Scopes
}

func (u *TestUpstreamOIDCIdentityProvider) GetUsernameClaim() string {
	return u.UsernameClaim
}

func (u *TestUpstreamOIDCIdentityProvider) GetGroupsClaim() string {
	return u.GroupsClaim
}

func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokens(
	ctx context.Context,
	authcode string,
	pkceCodeVerifier pkce.Code,
	expectedIDTokenNonce nonce.Nonce,
	redirectURI string,
) (oidctypes.Token, map[string]interface{}, error) {
	if u.exchangeAuthcodeAndValidateTokensArgs == nil {
		u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)
	}
	u.exchangeAuthcodeAndValidateTokensCallCount++
	u.exchangeAuthcodeAndValidateTokensArgs = append(u.exchangeAuthcodeAndValidateTokensArgs, &ExchangeAuthcodeAndValidateTokenArgs{
		Ctx:                  ctx,
		Authcode:             authcode,
		PKCECodeVerifier:     pkceCodeVerifier,
		ExpectedIDTokenNonce: expectedIDTokenNonce,
		RedirectURI:          redirectURI,
	})
	return u.ExchangeAuthcodeAndValidateTokensFunc(ctx, authcode, pkceCodeVerifier, expectedIDTokenNonce)
}

func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensCallCount() int {
	return u.exchangeAuthcodeAndValidateTokensCallCount
}

func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensArgs(call int) *ExchangeAuthcodeAndValidateTokenArgs {
	if u.exchangeAuthcodeAndValidateTokensArgs == nil {
		u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)
	}
	return u.exchangeAuthcodeAndValidateTokensArgs[call]
}

func (u *TestUpstreamOIDCIdentityProvider) ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (oidctypes.Token, map[string]interface{}, error) {
	panic("implement me")
}

func NewIDPListGetter(upstreamOIDCIdentityProviders ...*TestUpstreamOIDCIdentityProvider) provider.DynamicUpstreamIDPProvider {
	idpProvider := provider.NewDynamicUpstreamIDPProvider()
	upstreams := make([]provider.UpstreamOIDCIdentityProviderI, len(upstreamOIDCIdentityProviders))
	for i := range upstreamOIDCIdentityProviders {
		upstreams[i] = provider.UpstreamOIDCIdentityProviderI(upstreamOIDCIdentityProviders[i])
	}
	idpProvider.SetIDPList(upstreams)
	return idpProvider
}

// Declare a separate type from the production code to ensure that the state param's contents was serialized
// in the format that we expect, with the json keys that we expect, etc. This also ensure that the order of
// the serialized fields is the same, which doesn't really matter expect that we can make simpler equality
// assertions about the redirect URL in this test.
type ExpectedUpstreamStateParamFormat struct {
	P string `json:"p"`
	U string `json:"u"`
	N string `json:"n"`
	C string `json:"c"`
	K string `json:"k"`
	V string `json:"v"`
}
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-20 01:57:07 +00:00			`package oidctestutil`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`import (`
			`"context"`
			`"net/url"`

Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00			`"golang.org/x/oauth2"`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`"go.pinniped.dev/internal/oidc/provider"`
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/nonce"`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`"go.pinniped.dev/pkg/oidcclient/oidctypes"`
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/pkce"`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`)`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00
			`// Test helpers for the OIDC package.`

callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`// ExchangeAuthcodeAndValidateTokenArgs is a POGO (plain old go object?) used to spy on calls to`
			`// TestUpstreamOIDCIdentityProvider.ExchangeAuthcodeAndValidateTokensFunc().`
			`type ExchangeAuthcodeAndValidateTokenArgs struct {`
			`Ctx context.Context`
			`Authcode string`
			`PKCECodeVerifier pkce.Code`
			`ExpectedIDTokenNonce nonce.Nonce`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`RedirectURI string`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`}`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`type TestUpstreamOIDCIdentityProvider struct {`
			`Name string`
			`ClientID string`
			`AuthorizationURL url.URL`
			`UsernameClaim string`
			`GroupsClaim string`
			`Scopes []string`
			`ExchangeAuthcodeAndValidateTokensFunc func(`
			`ctx context.Context,`
			`authcode string,`
			`pkceCodeVerifier pkce.Code,`
			`expectedIDTokenNonce nonce.Nonce,`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`) (oidctypes.Token, map[string]interface{}, error)`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00
			`exchangeAuthcodeAndValidateTokensCallCount int`
			`exchangeAuthcodeAndValidateTokensArgs []*ExchangeAuthcodeAndValidateTokenArgs`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetName() string {`
			`return u.Name`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetClientID() string {`
			`return u.ClientID`
			`}`

			`func (u TestUpstreamOIDCIdentityProvider) GetAuthorizationURL() url.URL {`
			`return &u.AuthorizationURL`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetScopes() []string {`
			`return u.Scopes`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetUsernameClaim() string {`
			`return u.UsernameClaim`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetGroupsClaim() string {`
			`return u.GroupsClaim`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokens(`
			`ctx context.Context,`
			`authcode string,`
			`pkceCodeVerifier pkce.Code,`
			`expectedIDTokenNonce nonce.Nonce,`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`redirectURI string,`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`) (oidctypes.Token, map[string]interface{}, error) {`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`if u.exchangeAuthcodeAndValidateTokensArgs == nil {`
			`u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)`
			`}`
			`u.exchangeAuthcodeAndValidateTokensCallCount++`
			`u.exchangeAuthcodeAndValidateTokensArgs = append(u.exchangeAuthcodeAndValidateTokensArgs, &ExchangeAuthcodeAndValidateTokenArgs{`
			`Ctx: ctx,`
			`Authcode: authcode,`
			`PKCECodeVerifier: pkceCodeVerifier,`
			`ExpectedIDTokenNonce: expectedIDTokenNonce,`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`RedirectURI: redirectURI,`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`})`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`return u.ExchangeAuthcodeAndValidateTokensFunc(ctx, authcode, pkceCodeVerifier, expectedIDTokenNonce)`
			`}`

callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensCallCount() int {`
			`return u.exchangeAuthcodeAndValidateTokensCallCount`
			`}`

			`func (u TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensArgs(call int) ExchangeAuthcodeAndValidateTokenArgs {`
			`if u.exchangeAuthcodeAndValidateTokensArgs == nil {`
			`u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)`
			`}`
			`return u.exchangeAuthcodeAndValidateTokensArgs[call]`
			`}`

Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00			`func (u TestUpstreamOIDCIdentityProvider) ValidateToken(ctx context.Context, tok oauth2.Token, expectedIDTokenNonce nonce.Nonce) (oidctypes.Token, map[string]interface{}, error) {`
			`panic("implement me")`
			`}`

callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`func NewIDPListGetter(upstreamOIDCIdentityProviders ...*TestUpstreamOIDCIdentityProvider) provider.DynamicUpstreamIDPProvider {`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`idpProvider := provider.NewDynamicUpstreamIDPProvider()`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`upstreams := make([]provider.UpstreamOIDCIdentityProviderI, len(upstreamOIDCIdentityProviders))`
			`for i := range upstreamOIDCIdentityProviders {`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`upstreams[i] = provider.UpstreamOIDCIdentityProviderI(upstreamOIDCIdentityProviders[i])`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`}`
			`idpProvider.SetIDPList(upstreams)`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`return idpProvider`
			`}`

			`// Declare a separate type from the production code to ensure that the state param's contents was serialized`
			`// in the format that we expect, with the json keys that we expect, etc. This also ensure that the order of`
			`// the serialized fields is the same, which doesn't really matter expect that we can make simpler equality`
			`// assertions about the redirect URL in this test.`
			`type ExpectedUpstreamStateParamFormat struct {`
			P string `json:"p"`
Use /callback (without IDP name) path for callback endpoint (part 1) This is much nicer UX for an administrator installing a UpstreamOIDCProvider CRD. They don't have to guess as hard at what the callback endpoint path should be for their UpstreamOIDCProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-20 21:14:45 +00:00			U string `json:"u"`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			N string `json:"n"`
			C string `json:"c"`
			K string `json:"k"`
			V string `json:"v"`
			`}`