Clean up TestTokenExchange a bit.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
Matt Moyer
parent
f90b5d48de
commit
3e6ebab389
@ -667,6 +667,19 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestTokenExchange(t *testing.T) {
|
func TestTokenExchange(t *testing.T) {
|
||||||
|
successfulAuthCodeExchange := tokenEndpointResponseExpectedValues{
|
||||||
|
wantStatus: http.StatusOK,
|
||||||
|
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
||||||
|
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
||||||
|
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
||||||
|
}
|
||||||
|
|
||||||
|
doValidAuthCodeExchange := authcodeExchangeInputs{
|
||||||
|
modifyAuthRequest: func(authRequest *http.Request) {
|
||||||
|
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
||||||
|
},
|
||||||
|
want: successfulAuthCodeExchange,
|
||||||
|
}
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
|
|
||||||
@ -679,51 +692,21 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
wantResponseBodyContains string
|
wantResponseBodyContains string
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "happy path",
|
name: "happy path",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
wantStatus: http.StatusOK,
|
wantStatus: http.StatusOK,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "missing audience",
|
name: "missing audience",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "",
|
requestedAudience: "",
|
||||||
wantStatus: http.StatusBadRequest,
|
wantStatus: http.StatusBadRequest,
|
||||||
wantResponseBodyContains: "missing audience parameter",
|
wantResponseBodyContains: "missing audience parameter",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "missing subject_token",
|
name: "missing subject_token",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
modifyRequestParams: func(t *testing.T, params url.Values) {
|
modifyRequestParams: func(t *testing.T, params url.Values) {
|
||||||
params.Del("subject_token")
|
params.Del("subject_token")
|
||||||
@ -732,18 +715,8 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
wantResponseBodyContains: "missing subject_token parameter",
|
wantResponseBodyContains: "missing subject_token parameter",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "wrong subject_token_type",
|
name: "wrong subject_token_type",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
modifyRequestParams: func(t *testing.T, params url.Values) {
|
modifyRequestParams: func(t *testing.T, params url.Values) {
|
||||||
params.Set("subject_token_type", "invalid")
|
params.Set("subject_token_type", "invalid")
|
||||||
@ -752,18 +725,8 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
wantResponseBodyContains: `unsupported subject_token_type parameter value`,
|
wantResponseBodyContains: `unsupported subject_token_type parameter value`,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "wrong requested_token_type",
|
name: "wrong requested_token_type",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
modifyRequestParams: func(t *testing.T, params url.Values) {
|
modifyRequestParams: func(t *testing.T, params url.Values) {
|
||||||
params.Set("requested_token_type", "invalid")
|
params.Set("requested_token_type", "invalid")
|
||||||
@ -772,18 +735,8 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
wantResponseBodyContains: `unsupported requested_token_type parameter value`,
|
wantResponseBodyContains: `unsupported requested_token_type parameter value`,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "unsupported RFC8693 parameter",
|
name: "unsupported RFC8693 parameter",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
modifyRequestParams: func(t *testing.T, params url.Values) {
|
modifyRequestParams: func(t *testing.T, params url.Values) {
|
||||||
params.Set("resource", "some-resource-parameter-value")
|
params.Set("resource", "some-resource-parameter-value")
|
||||||
@ -792,18 +745,8 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
wantResponseBodyContains: `unsupported parameter resource`,
|
wantResponseBodyContains: `unsupported parameter resource`,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "bogus access token",
|
name: "bogus access token",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
modifyRequestParams: func(t *testing.T, params url.Values) {
|
modifyRequestParams: func(t *testing.T, params url.Values) {
|
||||||
params.Set("subject_token", "some-bogus-value")
|
params.Set("subject_token", "some-bogus-value")
|
||||||
@ -812,18 +755,8 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
wantResponseBodyContains: `Invalid token format`,
|
wantResponseBodyContains: `Invalid token format`,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "valid access token, but deleted from storage",
|
name: "valid access token, but deleted from storage",
|
||||||
authcodeExchange: authcodeExchangeInputs{
|
authcodeExchange: doValidAuthCodeExchange,
|
||||||
modifyAuthRequest: func(authRequest *http.Request) {
|
|
||||||
authRequest.Form.Set("scope", "openid pinniped.sts.unrestricted")
|
|
||||||
},
|
|
||||||
want: tokenEndpointResponseExpectedValues{
|
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
modifyStorage: func(t *testing.T, storage *oidc.KubeStorage, pendingRequest *http.Request) {
|
modifyStorage: func(t *testing.T, storage *oidc.KubeStorage, pendingRequest *http.Request) {
|
||||||
parts := strings.Split(pendingRequest.Form.Get("subject_token"), ".")
|
parts := strings.Split(pendingRequest.Form.Get("subject_token"), ".")
|
||||||
@ -858,12 +791,7 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
},
|
},
|
||||||
// Fail to fetch a JWK signing key after the authcode exchange has happened.
|
// Fail to fetch a JWK signing key after the authcode exchange has happened.
|
||||||
makeOathHelper: makeOauthHelperWithJWTKeyThatWorksOnlyOnce,
|
makeOathHelper: makeOauthHelperWithJWTKeyThatWorksOnlyOnce,
|
||||||
want: tokenEndpointResponseExpectedValues{
|
want: successfulAuthCodeExchange,
|
||||||
wantStatus: http.StatusOK,
|
|
||||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "expires_in", "scope"},
|
|
||||||
wantRequestedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
wantGrantedScopes: []string{"openid", "pinniped.sts.unrestricted"},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
requestedAudience: "some-workload-cluster",
|
requestedAudience: "some-workload-cluster",
|
||||||
wantStatus: http.StatusServiceUnavailable,
|
wantStatus: http.StatusServiceUnavailable,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user