callback_handler.go: add test for failed upstream exchange/validation

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Andrew Keesler 2020-11-19 09:00:41 -05:00
parent 63b8c6e4b2
commit 6c72507bca
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
2 changed files with 27 additions and 4 deletions

View File

@ -56,7 +56,7 @@ func NewHandler(idpListGetter oidc.IDPListGetter, oauthHelper fosite.OAuth2Provi
"TODO", // TODO use the nonce value from the decoded state param here
)
if err != nil {
panic(err) // TODO
return httperr.New(http.StatusBadGateway, "error exchanging and validating upstream tokens")
}
var username string

View File

@ -5,6 +5,7 @@ package callback
import (
"context"
"errors"
"fmt"
"net/http"
"net/http/httptest"
@ -69,6 +70,17 @@ func TestCallbackEndpoint(t *testing.T) {
Scopes: []string{"other-scope1", "other-scope2"},
}
failedExchangeUpstreamOIDCIdentityProvider := testutil.TestUpstreamOIDCIdentityProvider{
Name: happyUpstreamIDPName,
ClientID: upstreamOIDCIdentityProvider.ClientID,
UsernameClaim: upstreamOIDCIdentityProvider.UsernameClaim,
GroupsClaim: upstreamOIDCIdentityProvider.GroupsClaim,
Scopes: upstreamOIDCIdentityProvider.Scopes,
ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce) (oidcclient.Token, map[string]interface{}, error) {
return oidcclient.Token{}, nil, errors.New("some exchange error")
},
}
var stateEncoderHashKey = []byte("fake-hash-secret")
var stateEncoderBlockKey = []byte("0123456789ABCDEF") // block encryption requires 16/24/32 bytes for AES
var cookieEncoderHashKey = []byte("fake-hash-secret2")
@ -277,7 +289,7 @@ func TestCallbackEndpoint(t *testing.T) {
},
{
name: "the CSRF cookie does not exist on request",
idpListGetter: testutil.NewIDPListGetter(otherUpstreamOIDCIdentityProvider),
idpListGetter: testutil.NewIDPListGetter(upstreamOIDCIdentityProvider),
method: http.MethodGet,
path: newRequestPath().WithState(happyState).String(),
wantStatus: http.StatusForbidden,
@ -285,7 +297,7 @@ func TestCallbackEndpoint(t *testing.T) {
},
{
name: "cookie was not signed correctly, has expired, or otherwise cannot be decoded for any reason",
idpListGetter: testutil.NewIDPListGetter(otherUpstreamOIDCIdentityProvider),
idpListGetter: testutil.NewIDPListGetter(upstreamOIDCIdentityProvider),
method: http.MethodGet,
path: newRequestPath().WithState(happyState).String(),
csrfCookie: "__Host-pinniped-csrf=this-value-was-not-signed-by-pinniped",
@ -294,13 +306,24 @@ func TestCallbackEndpoint(t *testing.T) {
},
{
name: "cookie csrf value does not match state csrf value",
idpListGetter: testutil.NewIDPListGetter(otherUpstreamOIDCIdentityProvider),
idpListGetter: testutil.NewIDPListGetter(upstreamOIDCIdentityProvider),
method: http.MethodGet,
path: newRequestPath().WithState(wrongCSRFValueState).String(),
csrfCookie: happyCSRFCookie,
wantStatus: http.StatusForbidden,
wantBody: "Forbidden: CSRF value does not match\n",
},
// Upstream exchange
{
name: "upstream auth code exchange fails",
idpListGetter: testutil.NewIDPListGetter(failedExchangeUpstreamOIDCIdentityProvider),
method: http.MethodGet,
path: newRequestPath().WithState(happyState).String(),
csrfCookie: happyCSRFCookie,
wantStatus: http.StatusBadGateway,
wantBody: "Bad Gateway: error exchanging and validating upstream tokens\n",
},
}
for _, test := range tests {
test := test