Refactor auth_handler_test.go's creation of paths and urls to use helpers
This commit is contained in:
parent
8a7e22e63e
commit
0045ce4286
@ -49,33 +49,33 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
}
|
}
|
||||||
`)
|
`)
|
||||||
|
|
||||||
fositeUnsupportedResponseTypeErrorQuery = url.Values{
|
fositeUnsupportedResponseTypeErrorQuery = map[string]string{
|
||||||
"error": []string{"unsupported_response_type"},
|
"error": "unsupported_response_type",
|
||||||
"error_description": []string{"The authorization server does not support obtaining a token using this method\n\nThe client is not allowed to request response_type \"unsupported\"."},
|
"error_description": "The authorization server does not support obtaining a token using this method\n\nThe client is not allowed to request response_type \"unsupported\".",
|
||||||
"error_hint": []string{`The client is not allowed to request response_type "unsupported".`},
|
"error_hint": `The client is not allowed to request response_type "unsupported".`,
|
||||||
"state": []string{"some-state-value"},
|
"state": "some-state-value",
|
||||||
}.Encode()
|
}
|
||||||
|
|
||||||
fositeInvalidScopeErrorQuery = url.Values{
|
fositeInvalidScopeErrorQuery = map[string]string{
|
||||||
"error": []string{"invalid_scope"},
|
"error": "invalid_scope",
|
||||||
"error_description": []string{"The requested scope is invalid, unknown, or malformed\n\nThe OAuth 2.0 Client is not allowed to request scope \"tuna\"."},
|
"error_description": "The requested scope is invalid, unknown, or malformed\n\nThe OAuth 2.0 Client is not allowed to request scope \"tuna\".",
|
||||||
"error_hint": []string{`The OAuth 2.0 Client is not allowed to request scope "tuna".`},
|
"error_hint": `The OAuth 2.0 Client is not allowed to request scope "tuna".`,
|
||||||
"state": []string{"some-state-value"},
|
"state": "some-state-value",
|
||||||
}.Encode()
|
}
|
||||||
|
|
||||||
fositeInvalidStateErrorQuery = url.Values{
|
fositeInvalidStateErrorQuery = map[string]string{
|
||||||
"error": []string{"invalid_state"},
|
"error": "invalid_state",
|
||||||
"error_description": []string{"The state is missing or does not have enough characters and is therefore considered too weak\n\nRequest parameter \"state\" must be at least be 8 characters long to ensure sufficient entropy."},
|
"error_description": "The state is missing or does not have enough characters and is therefore considered too weak\n\nRequest parameter \"state\" must be at least be 8 characters long to ensure sufficient entropy.",
|
||||||
"error_hint": []string{`Request parameter "state" must be at least be 8 characters long to ensure sufficient entropy.`},
|
"error_hint": `Request parameter "state" must be at least be 8 characters long to ensure sufficient entropy.`,
|
||||||
"state": []string{"short"},
|
"state": "short",
|
||||||
}.Encode()
|
}
|
||||||
|
|
||||||
fositeMissingResponseTypeErrorQuery = url.Values{
|
fositeMissingResponseTypeErrorQuery = map[string]string{
|
||||||
"error": []string{"unsupported_response_type"},
|
"error": "unsupported_response_type",
|
||||||
"error_description": []string{"The authorization server does not support obtaining a token using this method\n\nThe request is missing the \"response_type\"\" parameter."},
|
"error_description": "The authorization server does not support obtaining a token using this method\n\nThe request is missing the \"response_type\"\" parameter.",
|
||||||
"error_hint": []string{`The request is missing the "response_type"" parameter.`},
|
"error_hint": `The request is missing the "response_type"" parameter.`,
|
||||||
"state": []string{"some-state-value"},
|
"state": "some-state-value",
|
||||||
}.Encode()
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
upstreamAuthURL, err := url.Parse("https://some-upstream-idp:8443/auth")
|
upstreamAuthURL, err := url.Parse("https://some-upstream-idp:8443/auth")
|
||||||
@ -113,10 +113,66 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
// $ echo -n test-pkce | shasum -a 256 | cut -d" " -f1 | xxd -r -p | base64 | cut -d"=" -f1
|
// $ echo -n test-pkce | shasum -a 256 | cut -d" " -f1 | xxd -r -p | base64 | cut -d"=" -f1
|
||||||
expectedCodeChallenge := "VVaezYqum7reIhoavCHD1n2d-piN3r_mywoYj7fCR7g"
|
expectedCodeChallenge := "VVaezYqum7reIhoavCHD1n2d-piN3r_mywoYj7fCR7g"
|
||||||
|
|
||||||
happyGetRequestPath := fmt.Sprintf(
|
pathWithQuery := func(path string, query map[string]string) string {
|
||||||
"/some/path?response_type=code&scope=%s&client_id=pinniped-cli&state=some-state-value&redirect_uri=%s",
|
values := url.Values{}
|
||||||
url.QueryEscape("openid profile email"),
|
for k, v := range query {
|
||||||
url.QueryEscape(downstreamRedirectURI),
|
values[k] = []string{v}
|
||||||
|
}
|
||||||
|
pathToReturn := fmt.Sprintf("%s?%s", path, values.Encode())
|
||||||
|
require.NotRegexp(t, "^http", pathToReturn, "pathWithQuery helper was used to create a URL")
|
||||||
|
return pathToReturn
|
||||||
|
}
|
||||||
|
|
||||||
|
urlWithQuery := func(baseURL string, query map[string]string) string {
|
||||||
|
values := url.Values{}
|
||||||
|
for k, v := range query {
|
||||||
|
values[k] = []string{v}
|
||||||
|
}
|
||||||
|
urlToReturn := fmt.Sprintf("%s?%s", baseURL, values.Encode())
|
||||||
|
_, err := url.Parse(urlToReturn)
|
||||||
|
require.NoError(t, err, "urlWithQuery helper was used to create an illegal URL")
|
||||||
|
return urlToReturn
|
||||||
|
}
|
||||||
|
|
||||||
|
happyGetRequestQueryMap := map[string]string{
|
||||||
|
"response_type": "code",
|
||||||
|
"scope": "openid profile email",
|
||||||
|
"client_id": "pinniped-cli",
|
||||||
|
"state": "some-state-value",
|
||||||
|
"nonce": "some-nonce-value",
|
||||||
|
"redirect_uri": downstreamRedirectURI,
|
||||||
|
}
|
||||||
|
|
||||||
|
happyGetRequestPath := pathWithQuery("/some/path", happyGetRequestQueryMap)
|
||||||
|
|
||||||
|
modifiedHappyGetRequestPath := func(queryOverrides map[string]string) string {
|
||||||
|
copyOfHappyGetRequestQueryMap := map[string]string{}
|
||||||
|
for k, v := range happyGetRequestQueryMap {
|
||||||
|
copyOfHappyGetRequestQueryMap[k] = v
|
||||||
|
}
|
||||||
|
for k, v := range queryOverrides {
|
||||||
|
_, hasKey := copyOfHappyGetRequestQueryMap[k]
|
||||||
|
if v == "" && hasKey {
|
||||||
|
delete(copyOfHappyGetRequestQueryMap, k)
|
||||||
|
} else {
|
||||||
|
copyOfHappyGetRequestQueryMap[k] = v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return pathWithQuery("/some/path", copyOfHappyGetRequestQueryMap)
|
||||||
|
}
|
||||||
|
|
||||||
|
happyGetRequestExpectedRedirectLocation := urlWithQuery(upstreamAuthURL.String(),
|
||||||
|
map[string]string{
|
||||||
|
"response_type": "code",
|
||||||
|
"access_type": "offline",
|
||||||
|
"scope": "scope1 scope2",
|
||||||
|
"client_id": "some-client-id",
|
||||||
|
"state": "test-state",
|
||||||
|
"nonce": "test-nonce",
|
||||||
|
"code_challenge": expectedCodeChallenge,
|
||||||
|
"code_challenge_method": "S256",
|
||||||
|
"redirect_uri": issuer + "/callback/some-idp",
|
||||||
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
type testCase struct {
|
type testCase struct {
|
||||||
@ -152,20 +208,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "text/html; charset=utf-8",
|
wantContentType: "text/html; charset=utf-8",
|
||||||
wantBodyString: "",
|
wantBodyString: "",
|
||||||
wantLocationHeader: fmt.Sprintf("%s?%s",
|
wantLocationHeader: happyGetRequestExpectedRedirectLocation,
|
||||||
upstreamAuthURL.String(),
|
|
||||||
url.Values{
|
|
||||||
"response_type": []string{"code"},
|
|
||||||
"access_type": []string{"offline"},
|
|
||||||
"scope": []string{"scope1 scope2"},
|
|
||||||
"client_id": []string{"some-client-id"},
|
|
||||||
"state": []string{"test-state"},
|
|
||||||
"nonce": []string{"test-nonce"},
|
|
||||||
"code_challenge": []string{expectedCodeChallenge},
|
|
||||||
"code_challenge_method": []string{"S256"},
|
|
||||||
"redirect_uri": []string{issuer + "/callback/some-idp"},
|
|
||||||
}.Encode(),
|
|
||||||
),
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "happy path using POST",
|
name: "happy path using POST",
|
||||||
@ -187,20 +230,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "",
|
wantContentType: "",
|
||||||
wantBodyString: "",
|
wantBodyString: "",
|
||||||
wantLocationHeader: fmt.Sprintf("%s?%s",
|
wantLocationHeader: happyGetRequestExpectedRedirectLocation,
|
||||||
upstreamAuthURL.String(),
|
|
||||||
url.Values{
|
|
||||||
"response_type": []string{"code"},
|
|
||||||
"access_type": []string{"offline"},
|
|
||||||
"scope": []string{"scope1 scope2"},
|
|
||||||
"client_id": []string{"some-client-id"},
|
|
||||||
"state": []string{"test-state"},
|
|
||||||
"nonce": []string{"test-nonce"},
|
|
||||||
"code_challenge": []string{expectedCodeChallenge},
|
|
||||||
"code_challenge_method": []string{"S256"},
|
|
||||||
"redirect_uri": []string{issuer + "/callback/some-idp"},
|
|
||||||
}.Encode(),
|
|
||||||
),
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "downstream client does not exist",
|
name: "downstream client does not exist",
|
||||||
@ -210,11 +240,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
generatePKCE: happyPKCEGenerator,
|
generatePKCE: happyPKCEGenerator,
|
||||||
generateNonce: happyNonceGenerator,
|
generateNonce: happyNonceGenerator,
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: fmt.Sprintf(
|
path: modifiedHappyGetRequestPath(map[string]string{"client_id": "invalid-client"}),
|
||||||
"/some/path?response_type=code&scope=%s&client_id=invalid-client&state=some-state-value&redirect_uri=%s",
|
|
||||||
url.QueryEscape("openid profile email"),
|
|
||||||
url.QueryEscape(downstreamRedirectURI),
|
|
||||||
),
|
|
||||||
wantStatus: http.StatusUnauthorized,
|
wantStatus: http.StatusUnauthorized,
|
||||||
wantContentType: "application/json; charset=utf-8",
|
wantContentType: "application/json; charset=utf-8",
|
||||||
wantBodyJSON: fositeInvalidClientErrorBody,
|
wantBodyJSON: fositeInvalidClientErrorBody,
|
||||||
@ -227,11 +253,9 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
generatePKCE: happyPKCEGenerator,
|
generatePKCE: happyPKCEGenerator,
|
||||||
generateNonce: happyNonceGenerator,
|
generateNonce: happyNonceGenerator,
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: fmt.Sprintf(
|
path: modifiedHappyGetRequestPath(map[string]string{
|
||||||
"/some/path?response_type=code&scope=%s&client_id=pinniped-cli&state=some-state-value&redirect_uri=%s",
|
"redirect_uri": "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client",
|
||||||
url.QueryEscape("openid profile email"),
|
}),
|
||||||
url.QueryEscape("http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client"),
|
|
||||||
),
|
|
||||||
wantStatus: http.StatusBadRequest,
|
wantStatus: http.StatusBadRequest,
|
||||||
wantContentType: "application/json; charset=utf-8",
|
wantContentType: "application/json; charset=utf-8",
|
||||||
wantBodyJSON: fositeInvalidRedirectURIErrorBody,
|
wantBodyJSON: fositeInvalidRedirectURIErrorBody,
|
||||||
@ -244,14 +268,10 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
generatePKCE: happyPKCEGenerator,
|
generatePKCE: happyPKCEGenerator,
|
||||||
generateNonce: happyNonceGenerator,
|
generateNonce: happyNonceGenerator,
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: fmt.Sprintf(
|
path: modifiedHappyGetRequestPath(map[string]string{"response_type": "unsupported"}),
|
||||||
"/some/path?response_type=unsupported&scope=%s&client_id=pinniped-cli&state=some-state-value&redirect_uri=%s",
|
|
||||||
url.QueryEscape("openid profile email"),
|
|
||||||
url.QueryEscape(downstreamRedirectURI),
|
|
||||||
),
|
|
||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "application/json; charset=utf-8",
|
wantContentType: "application/json; charset=utf-8",
|
||||||
wantLocationHeader: fmt.Sprintf("%s?%s", downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery),
|
wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeUnsupportedResponseTypeErrorQuery),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "downstream scopes do not match what is configured for client",
|
name: "downstream scopes do not match what is configured for client",
|
||||||
@ -261,14 +281,10 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
generatePKCE: happyPKCEGenerator,
|
generatePKCE: happyPKCEGenerator,
|
||||||
generateNonce: happyNonceGenerator,
|
generateNonce: happyNonceGenerator,
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: fmt.Sprintf(
|
path: modifiedHappyGetRequestPath(map[string]string{"scope": "openid profile email tuna"}),
|
||||||
"/some/path?response_type=code&scope=%s&client_id=pinniped-cli&state=some-state-value&redirect_uri=%s",
|
|
||||||
url.QueryEscape("openid profile email tuna"),
|
|
||||||
url.QueryEscape(downstreamRedirectURI),
|
|
||||||
),
|
|
||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "application/json; charset=utf-8",
|
wantContentType: "application/json; charset=utf-8",
|
||||||
wantLocationHeader: fmt.Sprintf("%s?%s", downstreamRedirectURI, fositeInvalidScopeErrorQuery),
|
wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeInvalidScopeErrorQuery),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "missing response type in request",
|
name: "missing response type in request",
|
||||||
@ -278,14 +294,10 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
generatePKCE: happyPKCEGenerator,
|
generatePKCE: happyPKCEGenerator,
|
||||||
generateNonce: happyNonceGenerator,
|
generateNonce: happyNonceGenerator,
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: fmt.Sprintf(
|
path: modifiedHappyGetRequestPath(map[string]string{"response_type": ""}),
|
||||||
"/some/path?scope=%s&client_id=pinniped-cli&state=some-state-value&redirect_uri=%s",
|
|
||||||
url.QueryEscape("openid profile email"),
|
|
||||||
url.QueryEscape(downstreamRedirectURI),
|
|
||||||
),
|
|
||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "application/json; charset=utf-8",
|
wantContentType: "application/json; charset=utf-8",
|
||||||
wantLocationHeader: fmt.Sprintf("%s?%s", downstreamRedirectURI, fositeMissingResponseTypeErrorQuery),
|
wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeMissingResponseTypeErrorQuery),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "missing client id in request",
|
name: "missing client id in request",
|
||||||
@ -295,11 +307,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
generatePKCE: happyPKCEGenerator,
|
generatePKCE: happyPKCEGenerator,
|
||||||
generateNonce: happyNonceGenerator,
|
generateNonce: happyNonceGenerator,
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: fmt.Sprintf(
|
path: modifiedHappyGetRequestPath(map[string]string{"client_id": ""}),
|
||||||
"/some/path?response_type=code&scope=%s&state=some-state-value&redirect_uri=%s",
|
|
||||||
url.QueryEscape("openid profile email"),
|
|
||||||
url.QueryEscape(downstreamRedirectURI),
|
|
||||||
),
|
|
||||||
wantStatus: http.StatusUnauthorized,
|
wantStatus: http.StatusUnauthorized,
|
||||||
wantContentType: "application/json; charset=utf-8",
|
wantContentType: "application/json; charset=utf-8",
|
||||||
wantBodyJSON: fositeInvalidClientErrorBody,
|
wantBodyJSON: fositeInvalidClientErrorBody,
|
||||||
@ -312,14 +320,10 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
generatePKCE: happyPKCEGenerator,
|
generatePKCE: happyPKCEGenerator,
|
||||||
generateNonce: happyNonceGenerator,
|
generateNonce: happyNonceGenerator,
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: fmt.Sprintf(
|
path: modifiedHappyGetRequestPath(map[string]string{"state": "short"}),
|
||||||
"/some/path?response_type=code&scope=%s&client_id=pinniped-cli&state=short&redirect_uri=%s",
|
|
||||||
url.QueryEscape("openid profile email"),
|
|
||||||
url.QueryEscape(downstreamRedirectURI),
|
|
||||||
),
|
|
||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "application/json; charset=utf-8",
|
wantContentType: "application/json; charset=utf-8",
|
||||||
wantLocationHeader: fmt.Sprintf("%s?%s", downstreamRedirectURI, fositeInvalidStateErrorQuery),
|
wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositeInvalidStateErrorQuery),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "error while generating state",
|
name: "error while generating state",
|
||||||
@ -363,7 +367,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "no upstream providers are configured",
|
name: "no upstream providers are configured",
|
||||||
issuer: issuer,
|
issuer: issuer,
|
||||||
idpListGetter: newIDPListGetter(),
|
idpListGetter: newIDPListGetter(), // empty
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: happyGetRequestPath,
|
path: happyGetRequestPath,
|
||||||
wantStatus: http.StatusUnprocessableEntity,
|
wantStatus: http.StatusUnprocessableEntity,
|
||||||
@ -373,7 +377,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
{
|
{
|
||||||
name: "too many upstream providers are configured",
|
name: "too many upstream providers are configured",
|
||||||
issuer: issuer,
|
issuer: issuer,
|
||||||
idpListGetter: newIDPListGetter(upstreamOIDCIdentityProvider, upstreamOIDCIdentityProvider),
|
idpListGetter: newIDPListGetter(upstreamOIDCIdentityProvider, upstreamOIDCIdentityProvider), // more than one not allowed
|
||||||
method: http.MethodGet,
|
method: http.MethodGet,
|
||||||
path: happyGetRequestPath,
|
path: happyGetRequestPath,
|
||||||
wantStatus: http.StatusUnprocessableEntity,
|
wantStatus: http.StatusUnprocessableEntity,
|
||||||
@ -463,19 +467,18 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
test.idpListGetter.SetIDPList([]provider.UpstreamOIDCIdentityProvider{newProviderSettings})
|
test.idpListGetter.SetIDPList([]provider.UpstreamOIDCIdentityProvider{newProviderSettings})
|
||||||
|
|
||||||
// Update the expectations of the test case to match the new upstream IDP settings.
|
// Update the expectations of the test case to match the new upstream IDP settings.
|
||||||
test.wantLocationHeader = fmt.Sprintf("%s?%s",
|
test.wantLocationHeader = urlWithQuery(upstreamAuthURL.String(),
|
||||||
upstreamAuthURL.String(),
|
map[string]string{
|
||||||
url.Values{
|
"response_type": "code",
|
||||||
"response_type": []string{"code"},
|
"access_type": "offline",
|
||||||
"access_type": []string{"offline"},
|
"scope": "other-scope1 other-scope2",
|
||||||
"scope": []string{"other-scope1 other-scope2"},
|
"client_id": "some-other-client-id",
|
||||||
"client_id": []string{"some-other-client-id"},
|
"state": "test-state",
|
||||||
"state": []string{"test-state"},
|
"nonce": "test-nonce",
|
||||||
"nonce": []string{"test-nonce"},
|
"code_challenge": expectedCodeChallenge,
|
||||||
"code_challenge": []string{expectedCodeChallenge},
|
"code_challenge_method": "S256",
|
||||||
"code_challenge_method": []string{"S256"},
|
"redirect_uri": issuer + "/callback/some-other-idp",
|
||||||
"redirect_uri": []string{issuer + "/callback/some-other-idp"},
|
},
|
||||||
}.Encode(),
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Run again on the same instance of the subject with the modified upstream IDP settings and the
|
// Run again on the same instance of the subject with the modified upstream IDP settings and the
|
||||||
|
Loading…
Reference in New Issue
Block a user