callback_handler.go: add a test for invalid state auth params

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Andrew Keesler 2020-11-19 08:41:44 -05:00
parent 652ea6bd2a
commit ffdb7fa795
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
2 changed files with 25 additions and 4 deletions


@ -36,7 +36,7 @@ func NewHandler(idpListGetter oidc.IDPListGetter, oauthHelper fosite.OAuth2Provi
downstreamAuthParams, err := url.ParseQuery(state.AuthParams)
if err != nil {
panic(err) // TODO
return httperr.New(http.StatusBadRequest, "error reading state's downstream auth params")
}
// Recreate enough of the original authorize request so we can pass it to NewAuthorizeRequest().
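Review bot: The `url.ParseQuery` error is dropped on the new `return httperr.New(http.StatusBadRequest, ...)` line, so when a decoded state carries unparsable auth params there is no server-side record of what the parser rejected. Keeping the client-facing body generic is the right call (it must not echo the state contents), but if the `httperr` package offers a constructor that wraps a cause, carrying `err` in the chain would let operators see the underlying parse failure in logs. Since the state value is produced by the server's own codec (the test encodes it with `happyStateCodec`), a parse failure on a successfully decoded state most likely points to an encoding bug on the server side rather than to client input, which makes that diagnostic trail worth keeping. The enclosing function continues outside this hunk.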


@ -96,6 +96,7 @@ func TestCallbackEndpoint(t *testing.T) {
happyCSRF := "test-csrf"
happyPKCE := "test-pkce"
happyNonce := "test-nonce"
happyStateVersion := "1"
happyState, err := happyStateCodec.Encode("s",
testutil.ExpectedUpstreamStateParamFormat{
@ -103,7 +104,7 @@ func TestCallbackEndpoint(t *testing.T) {
N: happyNonce,
C: happyCSRF,
K: happyPKCE,
V: "1",
V: happyStateVersion,
},
)
require.NoError(t, err)
@ -114,7 +115,7 @@ func TestCallbackEndpoint(t *testing.T) {
N: happyNonce,
C: "wrong-csrf-value",
K: happyPKCE,
V: "1",
V: happyStateVersion,
},
)
require.NoError(t, err)
@ -125,7 +126,18 @@ func TestCallbackEndpoint(t *testing.T) {
N: happyNonce,
C: happyCSRF,
K: happyPKCE,
V: "wrong-version",
V: "wrong-state-version",
},
)
require.NoError(t, err)
wrongDownstreamAuthParamsState, err := happyStateCodec.Encode("s",
testutil.ExpectedUpstreamStateParamFormat{
P: "these-is-not-a-valid-url-query-%z",
N: happyNonce,
C: happyCSRF,
K: happyPKCE,
V: happyStateVersion,
},
)
require.NoError(t, err)
@ -224,6 +236,15 @@ func TestCallbackEndpoint(t *testing.T) {
wantStatus: http.StatusUnprocessableEntity,
wantBody: "Unprocessable Entity: state format version is invalid\n",
},
{
name: "state's downstream auth params element is invalid",
idpListGetter: testutil.NewIDPListGetter(upstreamOIDCIdentityProvider),
method: http.MethodGet,
path: newRequestPath().WithState(wrongDownstreamAuthParamsState).String(),
csrfCookie: happyCSRFCookie,
wantStatus: http.StatusBadRequest,
wantBody: "Bad Request: error reading state's downstream auth params\n",
},
{
name: "the UpstreamOIDCProvider CRD has been deleted",
idpListGetter: testutil.NewIDPListGetter(otherUpstreamOIDCIdentityProvider),
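Review bot: The fixture value `P: "these-is-not-a-valid-url-query-%z"` in the `wrongDownstreamAuthParamsState` encoding has a typo; `"this-is-not-a-valid-url-query-%z"` reads cleanly and still triggers the `%z` escape error the new test case relies on. The case itself is well-scoped: it asserts both the 400 status and the exact body, which also pins down that the raw parse error is not echoed back to the client. Introducing `happyStateVersion` and using it in the three existing encodings is a good consistency change; only the deliberately wrong version case keeps a literal, which is what you want.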