callback_handler.go: add test for failed upstream exchange/validation

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:00:41 -05:00 · 2020-11-19 09:00:41 -05:00 · 6c72507bca
commit 6c72507bca
parent 63b8c6e4b2
2 changed files with 27 additions and 4 deletions
--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/oidc/callback/callback_handler.go
@ -56,7 +56,7 @@ func NewHandler(idpListGetter oidc.IDPListGetter, oauthHelper fosite.OAuth2Provi
 			"TODO", // TODO use the nonce value from the decoded state param here
 		)
 		if err != nil {
-			panic(err) // TODO
+			return httperr.New(http.StatusBadGateway, "error exchanging and validating upstream tokens")
 		}
 		var username string
--- a/internal/oidc/callback/callback_handler_test.go
+++ b/internal/oidc/callback/callback_handler_test.go
@ -5,6 +5,7 @@ package callback
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@ -69,6 +70,17 @@ func TestCallbackEndpoint(t *testing.T) {
 		Scopes:   []string{"other-scope1", "other-scope2"},
 	}
 	failedExchangeUpstreamOIDCIdentityProvider := testutil.TestUpstreamOIDCIdentityProvider{
 		Name:          happyUpstreamIDPName,
 		ClientID:      upstreamOIDCIdentityProvider.ClientID,
 		UsernameClaim: upstreamOIDCIdentityProvider.UsernameClaim,
 		GroupsClaim:   upstreamOIDCIdentityProvider.GroupsClaim,
 		Scopes:        upstreamOIDCIdentityProvider.Scopes,
 		ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce) (oidcclient.Token, map[string]interface{}, error) {
 			return oidcclient.Token{}, nil, errors.New("some exchange error")
 		},
 	}
 	var stateEncoderHashKey = []byte("fake-hash-secret")
 	var stateEncoderBlockKey = []byte("0123456789ABCDEF") // block encryption requires 16/24/32 bytes for AES
 	var cookieEncoderHashKey = []byte("fake-hash-secret2")
@ -277,7 +289,7 @@ func TestCallbackEndpoint(t *testing.T) {
 		},
 		{
 			name:          "the CSRF cookie does not exist on request",
-			idpListGetter: testutil.NewIDPListGetter(otherUpstreamOIDCIdentityProvider),
+			idpListGetter: testutil.NewIDPListGetter(upstreamOIDCIdentityProvider),
 			method:        http.MethodGet,
 			path:          newRequestPath().WithState(happyState).String(),
 			wantStatus:    http.StatusForbidden,
@ -285,7 +297,7 @@ func TestCallbackEndpoint(t *testing.T) {
 		},
 		{
 			name:          "cookie was not signed correctly, has expired, or otherwise cannot be decoded for any reason",
-			idpListGetter: testutil.NewIDPListGetter(otherUpstreamOIDCIdentityProvider),
+			idpListGetter: testutil.NewIDPListGetter(upstreamOIDCIdentityProvider),
 			method:        http.MethodGet,
 			path:          newRequestPath().WithState(happyState).String(),
 			csrfCookie:    "__Host-pinniped-csrf=this-value-was-not-signed-by-pinniped",
@ -294,13 +306,24 @@ func TestCallbackEndpoint(t *testing.T) {
 		},
 		{
 			name:          "cookie csrf value does not match state csrf value",
-			idpListGetter: testutil.NewIDPListGetter(otherUpstreamOIDCIdentityProvider),
+			idpListGetter: testutil.NewIDPListGetter(upstreamOIDCIdentityProvider),
 			method:        http.MethodGet,
 			path:          newRequestPath().WithState(wrongCSRFValueState).String(),
 			csrfCookie:    happyCSRFCookie,
 			wantStatus:    http.StatusForbidden,
 			wantBody:      "Forbidden: CSRF value does not match\n",
 		},
 		// Upstream exchange
 		{
 			name:          "upstream auth code exchange fails",
 			idpListGetter: testutil.NewIDPListGetter(failedExchangeUpstreamOIDCIdentityProvider),
 			method:        http.MethodGet,
 			path:          newRequestPath().WithState(happyState).String(),
 			csrfCookie:    happyCSRFCookie,
 			wantStatus:    http.StatusBadGateway,
 			wantBody:      "Bad Gateway: error exchanging and validating upstream tokens\n",
 		},
 	}
 	for _, test := range tests {
 		test := test