Clean up TestTokenExchange a bit.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2020-12-09 14:49:44 -06:00
parent f90b5d48de
commit 3e6ebab389
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D
1 changed files with 30 additions and 102 deletions


@ -667,6 +667,19 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) {
} }
func TestTokenExchange(t *testing.T) { func TestTokenExchange(t *testing.T) {
successfulAuthCodeExchange := tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
}
doValidAuthCodeExchange := authcodeExchangeInputs{
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: successfulAuthCodeExchange,
}
tests := []struct { tests := []struct {
name string name string
@ -680,50 +693,20 @@ func TestTokenExchange(t *testing.T) {
}{ }{
{ {
name: "happy path", name: "happy path",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
wantStatus: http.StatusOK, wantStatus: http.StatusOK,
}, },
{ {
name: "missing audience", name: "missing audience",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "", requestedAudience: "",
wantStatus: http.StatusBadRequest, wantStatus: http.StatusBadRequest,
wantResponseBodyContains: "missing audience parameter", wantResponseBodyContains: "missing audience parameter",
}, },
{ {
name: "missing subject_token", name: "missing subject_token",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
modifyRequestParams: func(t *testing.T, params url.Values) { modifyRequestParams: func(t *testing.T, params url.Values) {
params.Del("subject_token") params.Del("subject_token")
@ -733,17 +716,7 @@ func TestTokenExchange(t *testing.T) {
}, },
{ {
name: "wrong subject_token_type", name: "wrong subject_token_type",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
modifyRequestParams: func(t *testing.T, params url.Values) { modifyRequestParams: func(t *testing.T, params url.Values) {
params.Set("subject_token_type", "invalid") params.Set("subject_token_type", "invalid")
@ -753,17 +726,7 @@ func TestTokenExchange(t *testing.T) {
}, },
{ {
name: "wrong requested_token_type", name: "wrong requested_token_type",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
modifyRequestParams: func(t *testing.T, params url.Values) { modifyRequestParams: func(t *testing.T, params url.Values) {
params.Set("requested_token_type", "invalid") params.Set("requested_token_type", "invalid")
@ -773,17 +736,7 @@ func TestTokenExchange(t *testing.T) {
}, },
{ {
name: "unsupported RFC8693 parameter", name: "unsupported RFC8693 parameter",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
modifyRequestParams: func(t *testing.T, params url.Values) { modifyRequestParams: func(t *testing.T, params url.Values) {
params.Set("resource", "some-resource-parameter-value") params.Set("resource", "some-resource-parameter-value")
@ -793,17 +746,7 @@ func TestTokenExchange(t *testing.T) {
}, },
{ {
name: "bogus access token", name: "bogus access token",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
modifyRequestParams: func(t *testing.T, params url.Values) { modifyRequestParams: func(t *testing.T, params url.Values) {
params.Set("subject_token", "some-bogus-value") params.Set("subject_token", "some-bogus-value")
@ -813,17 +756,7 @@ func TestTokenExchange(t *testing.T) {
}, },
{ {
name: "valid access token, but deleted from storage", name: "valid access token, but deleted from storage",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: doValidAuthCodeExchange,
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
modifyStorage: func(t *testing.T, storage *oidc.KubeStorage, pendingRequest *http.Request) { modifyStorage: func(t *testing.T, storage *oidc.KubeStorage, pendingRequest *http.Request) {
parts := strings.Split(pendingRequest.Form.Get("subject_token"), ".") parts := strings.Split(pendingRequest.Form.Get("subject_token"), ".")
@ -858,12 +791,7 @@ func TestTokenExchange(t *testing.T) {
}, },
// Fail to fetch a JWK signing key after the authcode exchange has happened. // Fail to fetch a JWK signing key after the authcode exchange has happened.
makeOathHelper: makeOauthHelperWithJWTKeyThatWorksOnlyOnce, makeOathHelper: makeOauthHelperWithJWTKeyThatWorksOnlyOnce,
want: tokenEndpointResponseExpectedValues{ want: successfulAuthCodeExchange,
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
},
}, },
requestedAudience: "some-workload-cluster", requestedAudience: "some-workload-cluster",
wantStatus: http.StatusServiceUnavailable, wantStatus: http.StatusServiceUnavailable,
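Review bot: The two fixtures introduced at the top of TestTokenExchange (`successfulAuthCodeExchange` and `doValidAuthCodeExchange`) are now a single value shared by every table entry, and since their `wantSuccessBodyFields`, `wantRequestedScopes` and `wantGrantedScopes` fields are slices, a struct copy still aliases the same backing arrays; any case or helper that appends to or sorts one of those fields in place would silently change the expectations of the other cases. Whether anything in this test actually mutates them is not visible here, so this may only be a latent hazard, but a comment above the fixture such as `// Shared by every case below; treat as read-only (slice fields alias across copies).` would make the contract explicit, or the fixtures could be turned into small constructor functions that return a fresh value per case. The same applies to the `want: successfulAuthCodeExchange` reuse in the last hunk. TestTokenExchange's body continues past the end of the last hunk.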