Add unit test to auth_handler_test.go for non-openid authorize requests

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Ryan Richard 2020-11-11 13:13:57 -08:00 committed by Andrew Keesler
parent c2262773e6
commit 4b8c1de647

View File

@ -169,8 +169,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
return urlToReturn return urlToReturn
} }
happyGetRequestQueryMap := func(downstreamRedirectURI string) map[string]string { happyGetRequestQueryMap := map[string]string{
return map[string]string{
"response_type": "code", "response_type": "code",
"scope": "openid profile email", "scope": "openid profile email",
"client_id": "pinniped-cli", "client_id": "pinniped-cli",
@ -180,13 +179,12 @@ func TestAuthorizationEndpoint(t *testing.T) {
"code_challenge_method": "S256", "code_challenge_method": "S256",
"redirect_uri": downstreamRedirectURI, "redirect_uri": downstreamRedirectURI,
} }
}
happyGetRequestPath := pathWithQuery("/some/path", happyGetRequestQueryMap(downstreamRedirectURI)) happyGetRequestPath := pathWithQuery("/some/path", happyGetRequestQueryMap)
modifiedHappyGetRequestPath := func(queryOverrides map[string]string) string { modifiedHappyGetRequestQueryMap := func(queryOverrides map[string]string) map[string]string {
copyOfHappyGetRequestQueryMap := map[string]string{} copyOfHappyGetRequestQueryMap := map[string]string{}
for k, v := range happyGetRequestQueryMap(downstreamRedirectURI) { for k, v := range happyGetRequestQueryMap {
copyOfHappyGetRequestQueryMap[k] = v copyOfHappyGetRequestQueryMap[k] = v
} }
for k, v := range queryOverrides { for k, v := range queryOverrides {
@ -197,13 +195,17 @@ func TestAuthorizationEndpoint(t *testing.T) {
copyOfHappyGetRequestQueryMap[k] = v copyOfHappyGetRequestQueryMap[k] = v
} }
} }
return pathWithQuery("/some/path", copyOfHappyGetRequestQueryMap) return copyOfHappyGetRequestQueryMap
} }
happyExpectedUpstreamStateParam := func(downstreamRedirectURI string) string { modifiedHappyGetRequestPath := func(queryOverrides map[string]string) string {
return pathWithQuery("/some/path", modifiedHappyGetRequestQueryMap(queryOverrides))
}
expectedUpstreamStateParam := func(queryOverrides map[string]string) string {
encoded, err := happyEncoder.Encode("s", encoded, err := happyEncoder.Encode("s",
expectedUpstreamStateParamFormat{ expectedUpstreamStateParamFormat{
P: encodeQuery(happyGetRequestQueryMap(downstreamRedirectURI)), P: encodeQuery(modifiedHappyGetRequestQueryMap(queryOverrides)),
N: happyNonce, N: happyNonce,
C: happyCSRF, C: happyCSRF,
K: happyPKCE, K: happyPKCE,
@ -214,13 +216,13 @@ func TestAuthorizationEndpoint(t *testing.T) {
return encoded return encoded
} }
happyExpectedRedirectLocation := func(downstreamRedirectURI string) string { expectedRedirectLocation := func(expectedUpstreamState string) string {
return urlWithQuery(upstreamAuthURL.String(), map[string]string{ return urlWithQuery(upstreamAuthURL.String(), map[string]string{
"response_type": "code", "response_type": "code",
"access_type": "offline", "access_type": "offline",
"scope": "scope1 scope2", "scope": "scope1 scope2",
"client_id": "some-client-id", "client_id": "some-client-id",
"state": happyExpectedUpstreamStateParam(downstreamRedirectURI), "state": expectedUpstreamState,
"nonce": happyNonce, "nonce": happyNonce,
"code_challenge": expectedUpstreamCodeChallenge, "code_challenge": expectedUpstreamCodeChallenge,
"code_challenge_method": "S256", "code_challenge_method": "S256",
@ -267,11 +269,11 @@ func TestAuthorizationEndpoint(t *testing.T) {
wantStatus: http.StatusFound, wantStatus: http.StatusFound,
wantContentType: "text/html; charset=utf-8", wantContentType: "text/html; charset=utf-8",
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`, wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
html.EscapeString(happyExpectedRedirectLocation(downstreamRedirectURI)), html.EscapeString(expectedRedirectLocation(expectedUpstreamStateParam(nil))),
"\n\n", "\n\n",
), ),
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue, wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
wantLocationHeader: happyExpectedRedirectLocation(downstreamRedirectURI), wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(nil)),
wantUpstreamStateParamInLocationHeader: true, wantUpstreamStateParamInLocationHeader: true,
}, },
{ {
@ -285,12 +287,12 @@ func TestAuthorizationEndpoint(t *testing.T) {
method: http.MethodPost, method: http.MethodPost,
path: "/some/path", path: "/some/path",
contentType: "application/x-www-form-urlencoded", contentType: "application/x-www-form-urlencoded",
body: encodeQuery(happyGetRequestQueryMap(downstreamRedirectURI)), body: encodeQuery(happyGetRequestQueryMap),
wantStatus: http.StatusFound, wantStatus: http.StatusFound,
wantContentType: "", wantContentType: "",
wantBodyString: "", wantBodyString: "",
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue, wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
wantLocationHeader: happyExpectedRedirectLocation(downstreamRedirectURI), wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(nil)),
wantUpstreamStateParamInLocationHeader: true, wantUpstreamStateParamInLocationHeader: true,
}, },
{ {
@ -308,11 +310,15 @@ func TestAuthorizationEndpoint(t *testing.T) {
wantStatus: http.StatusFound, wantStatus: http.StatusFound,
wantContentType: "text/html; charset=utf-8", wantContentType: "text/html; charset=utf-8",
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`, wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
html.EscapeString(happyExpectedRedirectLocation(downstreamRedirectURIWithDifferentPort)), html.EscapeString(expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{
"redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client
}))),
"\n\n", "\n\n",
), ),
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue, wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
wantLocationHeader: happyExpectedRedirectLocation(downstreamRedirectURIWithDifferentPort), wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{
"redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client
})),
wantUpstreamStateParamInLocationHeader: true, wantUpstreamStateParamInLocationHeader: true,
}, },
{ {
@ -481,6 +487,27 @@ func TestAuthorizationEndpoint(t *testing.T) {
wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositePromptHasNoneAndOtherValueErrorQuery), wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositePromptHasNoneAndOtherValueErrorQuery),
wantBodyString: "", wantBodyString: "",
}, },
{
name: "OIDC validations are skipped when the openid scope was not requested",
issuer: issuer,
idpListGetter: newIDPListGetter(upstreamOIDCIdentityProvider),
generateCSRF: happyCSRFGenerator,
generatePKCE: happyPKCEGenerator,
generateNonce: happyNonceGenerator,
encoder: happyEncoder,
method: http.MethodGet,
// The following prompt value is illegal when openid is requested, but note that openid is not requested.
path: modifiedHappyGetRequestPath(map[string]string{"prompt": "none login", "scope": "email"}),
wantStatus: http.StatusFound,
wantContentType: "text/html; charset=utf-8",
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
html.EscapeString(expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{"prompt": "none login", "scope": "email"}))),
"\n\n",
),
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{"prompt": "none login", "scope": "email"})),
wantUpstreamStateParamInLocationHeader: true,
},
{ {
name: "state does not have enough entropy", name: "state does not have enough entropy",
issuer: issuer, issuer: issuer,
@ -670,7 +697,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
"access_type": "offline", "access_type": "offline",
"scope": "other-scope1 other-scope2", "scope": "other-scope1 other-scope2",
"client_id": "some-other-client-id", "client_id": "some-other-client-id",
"state": happyExpectedUpstreamStateParam(downstreamRedirectURI), "state": expectedUpstreamStateParam(nil),
"nonce": happyNonce, "nonce": happyNonce,
"code_challenge": expectedUpstreamCodeChallenge, "code_challenge": expectedUpstreamCodeChallenge,
"code_challenge_method": "S256", "code_challenge_method": "S256",