Adjust some expectations about the state and nonce lengths

Ryan Richard 2020-12-11 17:39:58 -08:00
parent 2a19dd0d2e
commit 020fbcf190
5 changed files with 21 additions and 16 deletions


@ -32,8 +32,11 @@ func TestAuthorizationEndpoint(t *testing.T) {
downstreamIssuer = "https://my-downstream-issuer.com/some-path" downstreamIssuer = "https://my-downstream-issuer.com/some-path"
downstreamRedirectURI = "http://127.0.0.1/callback" downstreamRedirectURI = "http://127.0.0.1/callback"
downstreamRedirectURIWithDifferentPort = "http://127.0.0.1:42/callback" downstreamRedirectURIWithDifferentPort = "http://127.0.0.1:42/callback"
happyState = "8b-state"
) )
require.Len(t, happyState, 8, "we expect fosite to allow 8 byte state params, so we want to test that boundary case")
var ( var (
fositeInvalidClientErrorBody = here.Doc(` fositeInvalidClientErrorBody = here.Doc(`
{ {
@ -59,42 +62,42 @@ func TestAuthorizationEndpoint(t *testing.T) {
"error": "invalid_request", "error": "invalid_request",
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nParameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nParameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.",
"error_hint": "Parameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.", "error_hint": "Parameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.",
"state": "some-state-value-that-is-32-byte", "state": happyState,
} }
fositeMissingCodeChallengeErrorQuery = map[string]string{ fositeMissingCodeChallengeErrorQuery = map[string]string{
"error": "invalid_request", "error": "invalid_request",
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must include a code_challenge when performing the authorize code flow, but it is missing.", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must include a code_challenge when performing the authorize code flow, but it is missing.",
"error_hint": "Clients must include a code_challenge when performing the authorize code flow, but it is missing.", "error_hint": "Clients must include a code_challenge when performing the authorize code flow, but it is missing.",
"state": "some-state-value-that-is-32-byte", "state": happyState,
} }
fositeMissingCodeChallengeMethodErrorQuery = map[string]string{ fositeMissingCodeChallengeMethodErrorQuery = map[string]string{
"error": "invalid_request", "error": "invalid_request",
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must use code_challenge_method=S256, plain is not allowed.", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must use code_challenge_method=S256, plain is not allowed.",
"error_hint": "Clients must use code_challenge_method=S256, plain is not allowed.", "error_hint": "Clients must use code_challenge_method=S256, plain is not allowed.",
"state": "some-state-value-that-is-32-byte", "state": happyState,
} }
fositeInvalidCodeChallengeErrorQuery = map[string]string{ fositeInvalidCodeChallengeErrorQuery = map[string]string{
"error": "invalid_request", "error": "invalid_request",
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe code_challenge_method is not supported, use S256 instead.", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe code_challenge_method is not supported, use S256 instead.",
"error_hint": "The code_challenge_method is not supported, use S256 instead.", "error_hint": "The code_challenge_method is not supported, use S256 instead.",
"state": "some-state-value-that-is-32-byte", "state": happyState,
} }
fositeUnsupportedResponseTypeErrorQuery = map[string]string{ fositeUnsupportedResponseTypeErrorQuery = map[string]string{
"error": "unsupported_response_type", "error": "unsupported_response_type",
"error_description": "The authorization server does not support obtaining a token using this method\n\nThe client is not allowed to request response_type \"unsupported\".", "error_description": "The authorization server does not support obtaining a token using this method\n\nThe client is not allowed to request response_type \"unsupported\".",
"error_hint": `The client is not allowed to request response_type "unsupported".`, "error_hint": `The client is not allowed to request response_type "unsupported".`,
"state": "some-state-value-that-is-32-byte", "state": happyState,
} }
fositeInvalidScopeErrorQuery = map[string]string{ fositeInvalidScopeErrorQuery = map[string]string{
"error": "invalid_scope", "error": "invalid_scope",
"error_description": "The requested scope is invalid, unknown, or malformed\n\nThe OAuth 2.0 Client is not allowed to request scope \"tuna\".", "error_description": "The requested scope is invalid, unknown, or malformed\n\nThe OAuth 2.0 Client is not allowed to request scope \"tuna\".",
"error_hint": `The OAuth 2.0 Client is not allowed to request scope "tuna".`, "error_hint": `The OAuth 2.0 Client is not allowed to request scope "tuna".`,
"state": "some-state-value-that-is-32-byte", "state": happyState,
} }
fositeInvalidStateErrorQuery = map[string]string{ fositeInvalidStateErrorQuery = map[string]string{
@ -108,7 +111,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
"error": "unsupported_response_type", "error": "unsupported_response_type",
"error_description": "The authorization server does not support obtaining a token using this method\n\nThe request is missing the \"response_type\"\" parameter.", "error_description": "The authorization server does not support obtaining a token using this method\n\nThe request is missing the \"response_type\"\" parameter.",
"error_hint": `The request is missing the "response_type"" parameter.`, "error_hint": `The request is missing the "response_type"" parameter.`,
"state": "some-state-value-that-is-32-byte", "state": happyState,
} }
) )
@ -131,7 +134,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
happyCSRF := "test-csrf" happyCSRF := "test-csrf"
happyPKCE := "test-pkce" happyPKCE := "test-pkce"
happyNonce := "test-nonce-that-is-32-bytes-long" happyNonce := "test-nonce"
happyCSRFGenerator := func() (csrftoken.CSRFToken, error) { return csrftoken.CSRFToken(happyCSRF), nil } happyCSRFGenerator := func() (csrftoken.CSRFToken, error) { return csrftoken.CSRFToken(happyCSRF), nil }
happyPKCEGenerator := func() (pkce.Code, error) { return pkce.Code(happyPKCE), nil } happyPKCEGenerator := func() (pkce.Code, error) { return pkce.Code(happyPKCE), nil }
happyNonceGenerator := func() (nonce.Nonce, error) { return nonce.Nonce(happyNonce), nil } happyNonceGenerator := func() (nonce.Nonce, error) { return nonce.Nonce(happyNonce), nil }
@ -177,7 +180,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
"response_type": "code", "response_type": "code",
"scope": "openid profile email", "scope": "openid profile email",
"client_id": "pinniped-cli", "client_id": "pinniped-cli",
"state": "some-state-value-that-is-32-byte", "state": happyState,
"nonce": "some-nonce-value", "nonce": "some-nonce-value",
"code_challenge": "some-challenge", "code_challenge": "some-challenge",
"code_challenge_method": "S256", "code_challenge_method": "S256",


@ -48,7 +48,7 @@ const (
happyUpstreamRedirectURI = "https://example.com/callback" happyUpstreamRedirectURI = "https://example.com/callback"
happyDownstreamState = "some-downstream-state-with-at-least-32-bytes" happyDownstreamState = "8b-state"
happyDownstreamCSRF = "test-csrf" happyDownstreamCSRF = "test-csrf"
happyDownstreamPKCE = "test-pkce" happyDownstreamPKCE = "test-pkce"
happyDownstreamNonce = "test-nonce" happyDownstreamNonce = "test-nonce"
@ -84,6 +84,8 @@ var (
) )
func TestCallbackEndpoint(t *testing.T) { func TestCallbackEndpoint(t *testing.T) {
require.Len(t, happyDownstreamState, 8, "we expect fosite to allow 8 byte state params, so we want to test that boundary case")
otherUpstreamOIDCIdentityProvider := oidctestutil.TestUpstreamOIDCIdentityProvider{ otherUpstreamOIDCIdentityProvider := oidctestutil.TestUpstreamOIDCIdentityProvider{
Name: "other-upstream-idp-name", Name: "other-upstream-idp-name",
ClientID: "other-some-client-id", ClientID: "other-some-client-id",


@ -30,7 +30,7 @@ func TestDynamicOpenIDConnectECDSAStrategy(t *testing.T) {
clientID = "some-client-id" clientID = "some-client-id"
goodSubject = "some-subject" goodSubject = "some-subject"
goodUsername = "some-username" goodUsername = "some-username"
goodNonce = "some-nonce-that-is-at-least-32-characters-to-meet-entropy-requirements" goodNonce = "some-nonce-value-with-enough-bytes-to-exceed-min-allowed"
) )
ecPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ecPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
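Review bot: `goodNonce` now claims in its name to exceed the minimum allowed length, but nothing in the hunk asserts what that minimum is, so the premise can drift without the test noticing; the replaced value at least named its 32-character assumption. A comment on the constant stating the floor it must clear, e.g. `// must be longer than the minimum nonce length the strategy enforces (TODO: confirm the configured value)`, or a length guard like the `require.Len` used for the 8-byte state elsewhere in this commit, would make the assumption checkable. The const block and TestDynamicOpenIDConnectECDSAStrategy both continue outside the hunk.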


@ -142,7 +142,7 @@ func TestManager(t *testing.T) {
actualLocationQueryParams := parsedLocation.Query() actualLocationQueryParams := parsedLocation.Query()
r.Contains(actualLocationQueryParams, "code") r.Contains(actualLocationQueryParams, "code")
r.Equal("openid", actualLocationQueryParams.Get("scope")) r.Equal("openid", actualLocationQueryParams.Get("scope"))
r.Equal("some-state-value-that-is-32-byte", actualLocationQueryParams.Get("state")) r.Equal("some-state-value-with-enough-bytes-to-exceed-min-allowed", actualLocationQueryParams.Get("state"))
// Make sure that we wired up the callback endpoint to use kube storage for fosite sessions. // Make sure that we wired up the callback endpoint to use kube storage for fosite sessions.
r.Equal(len(kubeClient.Actions()), numberOfKubeActionsBeforeThisRequest+3, r.Equal(len(kubeClient.Actions()), numberOfKubeActionsBeforeThisRequest+3,
@ -293,8 +293,8 @@ func TestManager(t *testing.T) {
"response_type": []string{"code"}, "response_type": []string{"code"},
"scope": []string{"openid profile email"}, "scope": []string{"openid profile email"},
"client_id": []string{downstreamClientID}, "client_id": []string{downstreamClientID},
"state": []string{"some-state-value-that-is-32-byte"}, "state": []string{"some-state-value-with-enough-bytes-to-exceed-min-allowed"},
"nonce": []string{"some-nonce-value-that-is-at-least-32-bytes"}, "nonce": []string{"some-nonce-value-with-enough-bytes-to-exceed-min-allowed"},
"code_challenge": []string{testutil.SHA256(downstreamPKCECodeVerifier)}, "code_challenge": []string{testutil.SHA256(downstreamPKCECodeVerifier)},
"code_challenge_method": []string{"S256"}, "code_challenge_method": []string{"S256"},
"redirect_uri": []string{downstreamRedirectURL}, "redirect_uri": []string{downstreamRedirectURL},


@ -52,7 +52,7 @@ const (
goodClient = "pinniped-cli" goodClient = "pinniped-cli"
goodRedirectURI = "http://127.0.0.1/callback" goodRedirectURI = "http://127.0.0.1/callback"
goodPKCECodeVerifier = "some-pkce-verifier-that-must-be-at-least-43-characters-to-meet-entropy-requirements" goodPKCECodeVerifier = "some-pkce-verifier-that-must-be-at-least-43-characters-to-meet-entropy-requirements"
goodNonce = "some-nonce-that-is-at-least-32-characters-to-meet-entropy-requirements" goodNonce = "some-nonce-value-with-enough-bytes-to-exceed-min-allowed"
goodSubject = "some-subject" goodSubject = "some-subject"
goodUsername = "some-username" goodUsername = "some-username"
@ -213,7 +213,7 @@ var (
"response_type": {"code"}, "response_type": {"code"},
"scope": {"openid profile email"}, "scope": {"openid profile email"},
"client_id": {goodClient}, "client_id": {goodClient},
"state": {"some-state-value-that-is-32-byte"}, "state": {"some-state-value-with-enough-bytes-to-exceed-min-allowed"},
"nonce": {goodNonce}, "nonce": {goodNonce},
"code_challenge": {testutil.SHA256(goodPKCECodeVerifier)}, "code_challenge": {testutil.SHA256(goodPKCECodeVerifier)},
"code_challenge_method": {"S256"}, "code_challenge_method": {"S256"},