Add unit test to auth_handler_test.go for non-openid authorize requests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
parent
c2262773e6
commit
4b8c1de647
@ -169,8 +169,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
return urlToReturn
|
return urlToReturn
|
||||||
}
|
}
|
||||||
|
|
||||||
happyGetRequestQueryMap := func(downstreamRedirectURI string) map[string]string {
|
happyGetRequestQueryMap := map[string]string{
|
||||||
return map[string]string{
|
|
||||||
"response_type": "code",
|
"response_type": "code",
|
||||||
"scope": "openid profile email",
|
"scope": "openid profile email",
|
||||||
"client_id": "pinniped-cli",
|
"client_id": "pinniped-cli",
|
||||||
@ -180,13 +179,12 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
"code_challenge_method": "S256",
|
"code_challenge_method": "S256",
|
||||||
"redirect_uri": downstreamRedirectURI,
|
"redirect_uri": downstreamRedirectURI,
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
happyGetRequestPath := pathWithQuery("/some/path", happyGetRequestQueryMap(downstreamRedirectURI))
|
happyGetRequestPath := pathWithQuery("/some/path", happyGetRequestQueryMap)
|
||||||
|
|
||||||
modifiedHappyGetRequestPath := func(queryOverrides map[string]string) string {
|
modifiedHappyGetRequestQueryMap := func(queryOverrides map[string]string) map[string]string {
|
||||||
copyOfHappyGetRequestQueryMap := map[string]string{}
|
copyOfHappyGetRequestQueryMap := map[string]string{}
|
||||||
for k, v := range happyGetRequestQueryMap(downstreamRedirectURI) {
|
for k, v := range happyGetRequestQueryMap {
|
||||||
copyOfHappyGetRequestQueryMap[k] = v
|
copyOfHappyGetRequestQueryMap[k] = v
|
||||||
}
|
}
|
||||||
for k, v := range queryOverrides {
|
for k, v := range queryOverrides {
|
||||||
@ -197,13 +195,17 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
copyOfHappyGetRequestQueryMap[k] = v
|
copyOfHappyGetRequestQueryMap[k] = v
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return pathWithQuery("/some/path", copyOfHappyGetRequestQueryMap)
|
return copyOfHappyGetRequestQueryMap
|
||||||
}
|
}
|
||||||
|
|
||||||
happyExpectedUpstreamStateParam := func(downstreamRedirectURI string) string {
|
modifiedHappyGetRequestPath := func(queryOverrides map[string]string) string {
|
||||||
|
return pathWithQuery("/some/path", modifiedHappyGetRequestQueryMap(queryOverrides))
|
||||||
|
}
|
||||||
|
|
||||||
|
expectedUpstreamStateParam := func(queryOverrides map[string]string) string {
|
||||||
encoded, err := happyEncoder.Encode("s",
|
encoded, err := happyEncoder.Encode("s",
|
||||||
expectedUpstreamStateParamFormat{
|
expectedUpstreamStateParamFormat{
|
||||||
P: encodeQuery(happyGetRequestQueryMap(downstreamRedirectURI)),
|
P: encodeQuery(modifiedHappyGetRequestQueryMap(queryOverrides)),
|
||||||
N: happyNonce,
|
N: happyNonce,
|
||||||
C: happyCSRF,
|
C: happyCSRF,
|
||||||
K: happyPKCE,
|
K: happyPKCE,
|
||||||
@ -214,13 +216,13 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
return encoded
|
return encoded
|
||||||
}
|
}
|
||||||
|
|
||||||
happyExpectedRedirectLocation := func(downstreamRedirectURI string) string {
|
expectedRedirectLocation := func(expectedUpstreamState string) string {
|
||||||
return urlWithQuery(upstreamAuthURL.String(), map[string]string{
|
return urlWithQuery(upstreamAuthURL.String(), map[string]string{
|
||||||
"response_type": "code",
|
"response_type": "code",
|
||||||
"access_type": "offline",
|
"access_type": "offline",
|
||||||
"scope": "scope1 scope2",
|
"scope": "scope1 scope2",
|
||||||
"client_id": "some-client-id",
|
"client_id": "some-client-id",
|
||||||
"state": happyExpectedUpstreamStateParam(downstreamRedirectURI),
|
"state": expectedUpstreamState,
|
||||||
"nonce": happyNonce,
|
"nonce": happyNonce,
|
||||||
"code_challenge": expectedUpstreamCodeChallenge,
|
"code_challenge": expectedUpstreamCodeChallenge,
|
||||||
"code_challenge_method": "S256",
|
"code_challenge_method": "S256",
|
||||||
@ -267,11 +269,11 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "text/html; charset=utf-8",
|
wantContentType: "text/html; charset=utf-8",
|
||||||
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
|
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
|
||||||
html.EscapeString(happyExpectedRedirectLocation(downstreamRedirectURI)),
|
html.EscapeString(expectedRedirectLocation(expectedUpstreamStateParam(nil))),
|
||||||
"\n\n",
|
"\n\n",
|
||||||
),
|
),
|
||||||
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
|
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
|
||||||
wantLocationHeader: happyExpectedRedirectLocation(downstreamRedirectURI),
|
wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(nil)),
|
||||||
wantUpstreamStateParamInLocationHeader: true,
|
wantUpstreamStateParamInLocationHeader: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -285,12 +287,12 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
method: http.MethodPost,
|
method: http.MethodPost,
|
||||||
path: "/some/path",
|
path: "/some/path",
|
||||||
contentType: "application/x-www-form-urlencoded",
|
contentType: "application/x-www-form-urlencoded",
|
||||||
body: encodeQuery(happyGetRequestQueryMap(downstreamRedirectURI)),
|
body: encodeQuery(happyGetRequestQueryMap),
|
||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "",
|
wantContentType: "",
|
||||||
wantBodyString: "",
|
wantBodyString: "",
|
||||||
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
|
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
|
||||||
wantLocationHeader: happyExpectedRedirectLocation(downstreamRedirectURI),
|
wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(nil)),
|
||||||
wantUpstreamStateParamInLocationHeader: true,
|
wantUpstreamStateParamInLocationHeader: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -308,11 +310,15 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
wantStatus: http.StatusFound,
|
wantStatus: http.StatusFound,
|
||||||
wantContentType: "text/html; charset=utf-8",
|
wantContentType: "text/html; charset=utf-8",
|
||||||
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
|
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
|
||||||
html.EscapeString(happyExpectedRedirectLocation(downstreamRedirectURIWithDifferentPort)),
|
html.EscapeString(expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{
|
||||||
|
"redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client
|
||||||
|
}))),
|
||||||
"\n\n",
|
"\n\n",
|
||||||
),
|
),
|
||||||
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
|
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
|
||||||
wantLocationHeader: happyExpectedRedirectLocation(downstreamRedirectURIWithDifferentPort),
|
wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{
|
||||||
|
"redirect_uri": downstreamRedirectURIWithDifferentPort, // not the same port number that is registered for the client
|
||||||
|
})),
|
||||||
wantUpstreamStateParamInLocationHeader: true,
|
wantUpstreamStateParamInLocationHeader: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -481,6 +487,27 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositePromptHasNoneAndOtherValueErrorQuery),
|
wantLocationHeader: urlWithQuery(downstreamRedirectURI, fositePromptHasNoneAndOtherValueErrorQuery),
|
||||||
wantBodyString: "",
|
wantBodyString: "",
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "OIDC validations are skipped when the openid scope was not requested",
|
||||||
|
issuer: issuer,
|
||||||
|
idpListGetter: newIDPListGetter(upstreamOIDCIdentityProvider),
|
||||||
|
generateCSRF: happyCSRFGenerator,
|
||||||
|
generatePKCE: happyPKCEGenerator,
|
||||||
|
generateNonce: happyNonceGenerator,
|
||||||
|
encoder: happyEncoder,
|
||||||
|
method: http.MethodGet,
|
||||||
|
// The following prompt value is illegal when openid is requested, but note that openid is not requested.
|
||||||
|
path: modifiedHappyGetRequestPath(map[string]string{"prompt": "none login", "scope": "email"}),
|
||||||
|
wantStatus: http.StatusFound,
|
||||||
|
wantContentType: "text/html; charset=utf-8",
|
||||||
|
wantBodyString: fmt.Sprintf(`<a href="%s">Found</a>.%s`,
|
||||||
|
html.EscapeString(expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{"prompt": "none login", "scope": "email"}))),
|
||||||
|
"\n\n",
|
||||||
|
),
|
||||||
|
wantCSRFCookieHeader: happyCSRFSetCookieHeaderValue,
|
||||||
|
wantLocationHeader: expectedRedirectLocation(expectedUpstreamStateParam(map[string]string{"prompt": "none login", "scope": "email"})),
|
||||||
|
wantUpstreamStateParamInLocationHeader: true,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "state does not have enough entropy",
|
name: "state does not have enough entropy",
|
||||||
issuer: issuer,
|
issuer: issuer,
|
||||||
@ -670,7 +697,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
|||||||
"access_type": "offline",
|
"access_type": "offline",
|
||||||
"scope": "other-scope1 other-scope2",
|
"scope": "other-scope1 other-scope2",
|
||||||
"client_id": "some-other-client-id",
|
"client_id": "some-other-client-id",
|
||||||
"state": happyExpectedUpstreamStateParam(downstreamRedirectURI),
|
"state": expectedUpstreamStateParam(nil),
|
||||||
"nonce": happyNonce,
|
"nonce": happyNonce,
|
||||||
"code_challenge": expectedUpstreamCodeChallenge,
|
"code_challenge": expectedUpstreamCodeChallenge,
|
||||||
"code_challenge_method": "S256",
|
"code_challenge_method": "S256",
|
||||||
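Review bot: The new table case in the last hunk repeats the override literal `map[string]string{"prompt": "none login", "scope": "email"}` three times (in `path`, `wantBodyString` and `wantLocationHeader`), so a later edit to one copy would silently desynchronise the request from its expectation; hoist it next to the other happy-path fixtures as `nonOpenIDRequestOverrides := map[string]string{"prompt": "none login", "scope": "email"}` and reference it in all three places. The case also pins down a security-relevant contract that deserves a sentence in the comment above `path`: a downstream request with `scope=email` and no `openid` is accepted and redirected upstream with the CSRF cookie set, and the otherwise-illegal `prompt=none login` travels un-validated inside the encoded state's `P` field, so presumably the callback side must tolerate decoding a downstream request that never asked for openid — confirm and note it, e.g. `// The un-validated prompt value is carried through to the callback in the state param's P field.`. The test table and TestAuthorizationEndpoint continue outside the hunk.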
|