From 85b67f254c95ede55c938aee162c229558d66fbe Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 13 Dec 2022 17:03:19 -0800
Subject: [PATCH] Add more assertion to token_handler_test.go for token exchange exp claim
---
 internal/oidc/token/token_handler_test.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go
index 971f8f4b..0ea559b5 100644
--- a/internal/oidc/token/token_handler_test.go
+++ b/internal/oidc/token/token_handler_test.go
@@ -1433,6 +1433,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 // at and expires at dates which are newer than the old tokens.
 time.Sleep(1 * time.Second)
+ approxRequestTime := time.Now()
 subject.ServeHTTP(rsp, req)
 t.Logf("response: %#v", rsp)
 t.Logf("response body: %q", rsp.Body.String())
@@ -1518,6 +1519,16 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 requireClaimsAreNotEqual(t, "iat", claimsOfFirstIDToken, tokenClaims) // issued at
 require.Greater(t, tokenClaims["iat"], claimsOfFirstIDToken["iat"])
+ // Assert that the timestamps in the token are approximately as expected.
+ expiresAtAsFloat, ok := tokenClaims["exp"].(float64)
+ require.True(t, ok, "expected exp claim to be a float64")
+ expiresAt := time.Unix(int64(expiresAtAsFloat), 0)
+ testutil.RequireTimeInDelta(t, approxRequestTime.UTC().Add(idTokenExpirationSeconds*time.Second), expiresAt, timeComparisonFudge)
+ issuedAtAsFloat, ok := tokenClaims["iat"].(float64)
+ require.True(t, ok, "expected iat claim to be a float64")
+ issuedAt := time.Unix(int64(issuedAtAsFloat), 0)
+ testutil.RequireTimeInDelta(t, approxRequestTime.UTC(), issuedAt, timeComparisonFudge)
+
 // Assert that nothing in storage has been modified.
 newSecrets, err := secrets.List(context.Background(), metav1.ListOptions{})
 require.NoError(t, err)
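Review bot: The new `exp` and `iat` assertions in the second hunk each compare against the wall clock within `timeComparisonFudge`, so the exchanged token's lifetime (`exp` minus `iat`) is only pinned to within roughly twice that fudge. Both `timeComparisonFudge` and `idTokenExpirationSeconds` are defined outside the hunk; if the fudge is large relative to the configured lifetime, a token that lives noticeably longer than intended would still pass. Consider asserting the lifetime directly as well, since that does not depend on the clock: `require.InDelta(t, float64(idTokenExpirationSeconds), expiresAtAsFloat-issuedAtAsFloat, 1)`, assuming the constant converts to float64. The two `require.True` messages would also be clearer if they noted that the claim may be missing rather than of the wrong type. The test function starts and ends outside both hunks.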