unit test for garbage collection time for refresh and access tokens

internal/oidc/token/token_handler_test.go

@@ -9,8 +9,10 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
+	"encoding/base32"
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -1201,7 +1203,7 @@ func requireTokenEndpointBehavior(
 		wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token")
 
 		requireInvalidAuthCodeStorage(t, authCode, oauthStore)
-		requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
+		requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets)
 		requireInvalidPKCEStorage(t, authCode, oauthStore)
 		requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
 
@@ -1215,7 +1217,7 @@ func requireTokenEndpointBehavior(
 			requireValidIDToken(t, parsedResponseBody, jwtSigningKey, wantAtHashClaimInIDToken, wantNonceValueInIDToken, parsedResponseBody["access_token"].(string))
 		}
 		if wantRefreshToken {
-			requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
+			requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets)
 		}
 
 		testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
@@ -1450,6 +1452,7 @@ func requireValidRefreshTokenStorage(
 	storage oauth2.CoreStorage,
 	wantRequestedScopes []string,
 	wantGrantedScopes []string,
+	secrets v1.SecretInterface,
 ) {
 	t.Helper()
 
@@ -1471,6 +1474,8 @@ func requireValidRefreshTokenStorage(
 		wantGrantedScopes,
 		true,
 	)
+
+	requireGarbageCollectTimeInDelta(t, refreshTokenString, "refresh-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute)
 }
 
 func requireValidAccessTokenStorage(
@@ -1479,6 +1484,7 @@ func requireValidAccessTokenStorage(
 	storage oauth2.CoreStorage,
 	wantRequestedScopes []string,
 	wantGrantedScopes []string,
+	secrets v1.SecretInterface,
 ) {
 	t.Helper()
 
@@ -1519,6 +1525,8 @@ func requireValidAccessTokenStorage(
 		wantGrantedScopes,
 		true,
 	)
+
+	requireGarbageCollectTimeInDelta(t, accessTokenString, "access-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute)
 }
 
 func requireInvalidAccessTokenStorage(
@@ -1681,6 +1689,24 @@ func requireValidStoredRequest(
 	require.Empty(t, session.Subject)
 }
 
+func requireGarbageCollectTimeInDelta(t *testing.T, tokenString string, typeLabel string, secrets v1.SecretInterface, wantExpirationTime time.Time, deltaTime time.Duration) {
+	t.Helper()
+	signature := getFositeDataSignature(t, tokenString)
+	signatureBytes, err := base64.RawURLEncoding.DecodeString(signature)
+	require.NoError(t, err)
+	// lower case base32 encoding insures that our secret name is valid per ValidateSecretName in k/k
+	var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)
+	signatureAsValidName := strings.ToLower(b32.EncodeToString(signatureBytes))
+	secretName := fmt.Sprintf("pinniped-storage-%s-%s", typeLabel, signatureAsValidName)
+	secret, err := secrets.Get(context.Background(), secretName, metav1.GetOptions{})
+	require.NoError(t, err)
+	refreshTokenGCTimeString := secret.Annotations["storage.pinniped.dev/garbage-collect-after"]
+	refreshTokenGCTime, err := time.Parse(crud.SecretLifetimeAnnotationDateFormat, refreshTokenGCTimeString)
+	require.NoError(t, err)
+
+	testutil.RequireTimeInDelta(t, refreshTokenGCTime, wantExpirationTime, deltaTime)
+}
+
 func requireValidIDToken(
 	t *testing.T,
 	body map[string]interface{},