djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Also check that the authcode storage is around for a while

Browse Source
This commit is contained in:
Margo Crawford 2021-05-12 14:22:14 -07:00
parent 874f938fc7
commit b391d5ae02
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
internal/oidc/token/token_handler_test.go
View File

@ -577,7 +577,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) {
require.JSONEq(t, fositeReusedAuthCodeErrorBody, reusedAuthcodeResponse.Body.String()) require.JSONEq(t, fositeReusedAuthCodeErrorBody, reusedAuthcodeResponse.Body.String())
// This was previously invalidated by the first request, so it remains invalidated // This was previously invalidated by the first request, so it remains invalidated
requireInvalidAuthCodeStorage(t, authCode, oauthStore) requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets)
// Has now invalidated the access token that was previously handed out by the first request // Has now invalidated the access token that was previously handed out by the first request
requireInvalidAccessTokenStorage(t, parsedResponseBody, oauthStore) requireInvalidAccessTokenStorage(t, parsedResponseBody, oauthStore)
// This was previously invalidated by the first request, so it remains invalidated // This was previously invalidated by the first request, so it remains invalidated
@ -1202,7 +1202,7 @@ func requireTokenEndpointBehavior(
wantIDToken := contains(test.wantSuccessBodyFields, "id_token") wantIDToken := contains(test.wantSuccessBodyFields, "id_token")
wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token") wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token")
requireInvalidAuthCodeStorage(t, authCode, oauthStore) requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets)
requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets) requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets)
requireInvalidPKCEStorage(t, authCode, oauthStore) requireInvalidPKCEStorage(t, authCode, oauthStore)
requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes) requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes)
@ -1438,12 +1438,15 @@ func requireInvalidAuthCodeStorage(
t *testing.T, t *testing.T,
code string, code string,
storage oauth2.CoreStorage, storage oauth2.CoreStorage,
secrets v1.SecretInterface,
) { ) {
t.Helper() t.Helper()
// Make sure we have invalidated this auth code. // Make sure we have invalidated this auth code.
_, err := storage.GetAuthorizeCodeSession(context.Background(), getFositeDataSignature(t, code), nil) _, err := storage.GetAuthorizeCodeSession(context.Background(), getFositeDataSignature(t, code), nil)
require.True(t, errors.Is(err, fosite.ErrInvalidatedAuthorizeCode)) require.True(t, errors.Is(err, fosite.ErrInvalidatedAuthorizeCode))
// make sure that its still around in storage so if someone tries to use it again we invalidate everything
requireGarbageCollectTimeInDelta(t, code, "authcode", secrets, time.Now().Add(9*time.Hour).Add(10*time.Minute), 30*time.Second)
} }
func requireValidRefreshTokenStorage( func requireValidRefreshTokenStorage(