unit test for garbage collection time for refresh and access tokens
This commit is contained in:
parent
df0e715bb7
commit
874f938fc7
@ -9,8 +9,10 @@ import (
|
|||||||
"crypto/elliptic"
|
"crypto/elliptic"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
|
"encoding/base32"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
@ -1201,7 +1203,7 @@ func requireTokenEndpointBehavior(
|
|||||||
wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token")
|
wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token")
|
||||||
|
|
||||||
requireInvalidAuthCodeStorage(t, authCode, oauthStore)
|
requireInvalidAuthCodeStorage(t, authCode, oauthStore)
|
||||||
requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
|
requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets)
|
||||||
requireInvalidPKCEStorage(t, authCode, oauthStore)
|
requireInvalidPKCEStorage(t, authCode, oauthStore)
|
||||||
requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
|
requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
|
||||||
|
|
||||||
@ -1215,7 +1217,7 @@ func requireTokenEndpointBehavior(
|
|||||||
requireValidIDToken(t, parsedResponseBody, jwtSigningKey, wantAtHashClaimInIDToken, wantNonceValueInIDToken, parsedResponseBody["access_token"].(string))
|
requireValidIDToken(t, parsedResponseBody, jwtSigningKey, wantAtHashClaimInIDToken, wantNonceValueInIDToken, parsedResponseBody["access_token"].(string))
|
||||||
}
|
}
|
||||||
if wantRefreshToken {
|
if wantRefreshToken {
|
||||||
requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
|
requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets)
|
||||||
}
|
}
|
||||||
|
|
||||||
testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
|
testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
|
||||||
@ -1450,6 +1452,7 @@ func requireValidRefreshTokenStorage(
|
|||||||
storage oauth2.CoreStorage,
|
storage oauth2.CoreStorage,
|
||||||
wantRequestedScopes []string,
|
wantRequestedScopes []string,
|
||||||
wantGrantedScopes []string,
|
wantGrantedScopes []string,
|
||||||
|
secrets v1.SecretInterface,
|
||||||
) {
|
) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
@ -1471,6 +1474,8 @@ func requireValidRefreshTokenStorage(
|
|||||||
wantGrantedScopes,
|
wantGrantedScopes,
|
||||||
true,
|
true,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
requireGarbageCollectTimeInDelta(t, refreshTokenString, "refresh-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute)
|
||||||
}
|
}
|
||||||
|
|
||||||
func requireValidAccessTokenStorage(
|
func requireValidAccessTokenStorage(
|
||||||
@ -1479,6 +1484,7 @@ func requireValidAccessTokenStorage(
|
|||||||
storage oauth2.CoreStorage,
|
storage oauth2.CoreStorage,
|
||||||
wantRequestedScopes []string,
|
wantRequestedScopes []string,
|
||||||
wantGrantedScopes []string,
|
wantGrantedScopes []string,
|
||||||
|
secrets v1.SecretInterface,
|
||||||
) {
|
) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
@ -1519,6 +1525,8 @@ func requireValidAccessTokenStorage(
|
|||||||
wantGrantedScopes,
|
wantGrantedScopes,
|
||||||
true,
|
true,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
requireGarbageCollectTimeInDelta(t, accessTokenString, "access-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute)
|
||||||
}
|
}
|
||||||
|
|
||||||
func requireInvalidAccessTokenStorage(
|
func requireInvalidAccessTokenStorage(
|
||||||
@ -1681,6 +1689,24 @@ func requireValidStoredRequest(
|
|||||||
require.Empty(t, session.Subject)
|
require.Empty(t, session.Subject)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func requireGarbageCollectTimeInDelta(t *testing.T, tokenString string, typeLabel string, secrets v1.SecretInterface, wantExpirationTime time.Time, deltaTime time.Duration) {
|
||||||
|
t.Helper()
|
||||||
|
signature := getFositeDataSignature(t, tokenString)
|
||||||
|
signatureBytes, err := base64.RawURLEncoding.DecodeString(signature)
|
||||||
|
require.NoError(t, err)
|
||||||
|
// lower case base32 encoding insures that our secret name is valid per ValidateSecretName in k/k
|
||||||
|
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)
|
||||||
|
signatureAsValidName := strings.ToLower(b32.EncodeToString(signatureBytes))
|
||||||
|
secretName := fmt.Sprintf("pinniped-storage-%s-%s", typeLabel, signatureAsValidName)
|
||||||
|
secret, err := secrets.Get(context.Background(), secretName, metav1.GetOptions{})
|
||||||
|
require.NoError(t, err)
|
||||||
|
refreshTokenGCTimeString := secret.Annotations["storage.pinniped.dev/garbage-collect-after"]
|
||||||
|
refreshTokenGCTime, err := time.Parse(crud.SecretLifetimeAnnotationDateFormat, refreshTokenGCTimeString)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
testutil.RequireTimeInDelta(t, refreshTokenGCTime, wantExpirationTime, deltaTime)
|
||||||
|
}
|
||||||
|
|
||||||
func requireValidIDToken(
|
func requireValidIDToken(
|
||||||
t *testing.T,
|
t *testing.T,
|
||||||
body map[string]interface{},
|
body map[string]interface{},
|
||||||
|
Loading…
Reference in New Issue
Block a user