unit test for garbage collection time for refresh and access tokens

This commit is contained in:
Margo Crawford 2021-05-12 13:55:54 -07:00
parent df0e715bb7
commit 874f938fc7

View File

@ -9,8 +9,10 @@ import (
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha256" "crypto/sha256"
"encoding/base32"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt"
"io" "io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
@ -1201,7 +1203,7 @@ func requireTokenEndpointBehavior(
wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token") wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token")
requireInvalidAuthCodeStorage(t, authCode, oauthStore) requireInvalidAuthCodeStorage(t, authCode, oauthStore)
requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes) requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets)
requireInvalidPKCEStorage(t, authCode, oauthStore) requireInvalidPKCEStorage(t, authCode, oauthStore)
requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes) requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
@ -1215,7 +1217,7 @@ func requireTokenEndpointBehavior(
requireValidIDToken(t, parsedResponseBody, jwtSigningKey, wantAtHashClaimInIDToken, wantNonceValueInIDToken, parsedResponseBody["access_token"].(string)) requireValidIDToken(t, parsedResponseBody, jwtSigningKey, wantAtHashClaimInIDToken, wantNonceValueInIDToken, parsedResponseBody["access_token"].(string))
} }
if wantRefreshToken { if wantRefreshToken {
requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes) requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets)
} }
testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1) testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
@ -1450,6 +1452,7 @@ func requireValidRefreshTokenStorage(
storage oauth2.CoreStorage, storage oauth2.CoreStorage,
wantRequestedScopes []string, wantRequestedScopes []string,
wantGrantedScopes []string, wantGrantedScopes []string,
secrets v1.SecretInterface,
) { ) {
t.Helper() t.Helper()
@ -1471,6 +1474,8 @@ func requireValidRefreshTokenStorage(
wantGrantedScopes, wantGrantedScopes,
true, true,
) )
requireGarbageCollectTimeInDelta(t, refreshTokenString, "refresh-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute)
} }
func requireValidAccessTokenStorage( func requireValidAccessTokenStorage(
@ -1479,6 +1484,7 @@ func requireValidAccessTokenStorage(
storage oauth2.CoreStorage, storage oauth2.CoreStorage,
wantRequestedScopes []string, wantRequestedScopes []string,
wantGrantedScopes []string, wantGrantedScopes []string,
secrets v1.SecretInterface,
) { ) {
t.Helper() t.Helper()
@ -1519,6 +1525,8 @@ func requireValidAccessTokenStorage(
wantGrantedScopes, wantGrantedScopes,
true, true,
) )
requireGarbageCollectTimeInDelta(t, accessTokenString, "access-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute)
} }
func requireInvalidAccessTokenStorage( func requireInvalidAccessTokenStorage(
@ -1681,6 +1689,24 @@ func requireValidStoredRequest(
require.Empty(t, session.Subject) require.Empty(t, session.Subject)
} }
func requireGarbageCollectTimeInDelta(t *testing.T, tokenString string, typeLabel string, secrets v1.SecretInterface, wantExpirationTime time.Time, deltaTime time.Duration) {
t.Helper()
signature := getFositeDataSignature(t, tokenString)
signatureBytes, err := base64.RawURLEncoding.DecodeString(signature)
require.NoError(t, err)
// lower case base32 encoding insures that our secret name is valid per ValidateSecretName in k/k
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)
signatureAsValidName := strings.ToLower(b32.EncodeToString(signatureBytes))
secretName := fmt.Sprintf("pinniped-storage-%s-%s", typeLabel, signatureAsValidName)
secret, err := secrets.Get(context.Background(), secretName, metav1.GetOptions{})
require.NoError(t, err)
refreshTokenGCTimeString := secret.Annotations["storage.pinniped.dev/garbage-collect-after"]
refreshTokenGCTime, err := time.Parse(crud.SecretLifetimeAnnotationDateFormat, refreshTokenGCTimeString)
require.NoError(t, err)
testutil.RequireTimeInDelta(t, refreshTokenGCTime, wantExpirationTime, deltaTime)
}
func requireValidIDToken( func requireValidIDToken(
t *testing.T, t *testing.T,
body map[string]interface{}, body map[string]interface{},