test middleware user tokens with oauth2 server user tokens (#12991)

TestMiddlewareUserToken now uses user tokens from the oauth server as well, courtesy #12929. TestMiddlewareClaimsToken is the only middleware-only (non-Client) test that switches the oauth test server back to producing claims tokens, and contains all the tests that depend on claims token semantics. These tests are in a sense exercising the oauth server rather than the middleware. The token returned by the oauth server is irrelevant for the behavior these tests are exercising, so they are merely ported to always run on user tokens. - CallbackUriOverride - LimitedCallbackStore - ClientLimitedCallbackStore - ClientNoRedirectToLogin - ClientYesRedirectToLogin - ClientAutoRedirectToLogin CHANGELOG_BEGIN CHANGELOG_END
2024-09-20 01:07:18 +03:00 · 2022-02-22 11:08:15 -05:00 · 2022-02-22 11:08:15 -05:00 · 6bb438e855
commit 6bb438e855
parent 095a017a31
3 changed files with 46 additions and 60 deletions
--- a/triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestFixture.scala
+++ b/triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestFixture.scala
@ -70,6 +70,7 @@ trait TestFixture
  }
  lazy protected val middlewareClientRoutes: Client.Routes =
    middlewareClient.routes(middlewareClientCallbackUri)
+  protected def oauthYieldsUserTokens: Boolean = true
  override protected lazy val suiteResource: Resource[TestResources] = {
    implicit val resourceContext: ResourceContext = ResourceContext(system.dispatcher)
    new OwnedResource[ResourceContext, TestResources](
@ -81,7 +82,7 @@ trait TestFixture
            ledgerId = ledgerId,
            jwtSecret = jwtSecret,
            clock = Some(clock),
-            yieldUserTokens = false, // TODO parameterize (#12989)
+            yieldUserTokens = oauthYieldsUserTokens,
          )
        )
        serverBinding <- Resources.authServerBinding(server)
--- a/triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestMiddleware.scala
+++ b/triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestMiddleware.scala
@ -212,64 +212,6 @@ abstract class TestMiddleware
        assert(token.tokenType == "bearer")
      }
    }
-    "not authorize unauthorized parties" in {
-      server.revokeParty(Party("Eve"))
-      val claims = Request.Claims(actAs = List(Party("Eve")))
-      val req = HttpRequest(uri = middlewareClientRoutes.loginUri(claims, None))
-      for {
-        resp <- Http().singleRequest(req)
-        // Redirect to /authorize on authorization server
-        resp <- {
-          assert(resp.status == StatusCodes.Found)
-          val req = HttpRequest(uri = resp.header[Location].get.uri)
-          Http().singleRequest(req)
-        }
-        // Redirect to /cb on middleware
-        resp <- {
-          assert(resp.status == StatusCodes.Found)
-          val req = HttpRequest(uri = resp.header[Location].get.uri)
-          Http().singleRequest(req)
-        }
-      } yield {
-        // Redirect to client callback
-        assert(resp.status == StatusCodes.Found)
-        assert(resp.header[Location].get.uri.withQuery(Uri.Query()) == middlewareClientCallbackUri)
-        // with error parameter set
-        assert(resp.header[Location].get.uri.query().toMap.get("error") == Some("access_denied"))
-        // Without token in cookie
-        val cookie = resp.header[`Set-Cookie`]
-        assert(cookie == None)
-      }
-    }
-    "not authorize disallowed admin claims" in {
-      server.revokeAdmin()
-      val claims = Request.Claims(admin = true)
-      val req = HttpRequest(uri = middlewareClientRoutes.loginUri(claims, None))
-      for {
-        resp <- Http().singleRequest(req)
-        // Redirect to /authorize on authorization server
-        resp <- {
-          assert(resp.status == StatusCodes.Found)
-          val req = HttpRequest(uri = resp.header[Location].get.uri)
-          Http().singleRequest(req)
-        }
-        // Redirect to /cb on middleware
-        resp <- {
-          assert(resp.status == StatusCodes.Found)
-          val req = HttpRequest(uri = resp.header[Location].get.uri)
-          Http().singleRequest(req)
-        }
-      } yield {
-        // Redirect to client callback
-        assert(resp.status == StatusCodes.Found)
-        assert(resp.header[Location].get.uri.withQuery(Uri.Query()) == middlewareClientCallbackUri)
-        // with error parameter set
-        assert(resp.header[Location].get.uri.query().toMap.get("error") == Some("access_denied"))
-        // Without token in cookie
-        val cookie = resp.header[`Set-Cookie`]
-        assert(cookie == None)
-      }
-    }
  }
  "the /refresh endpoint" should {
    "return a new access token" in {
@ -320,6 +262,7 @@ abstract class TestMiddleware
 }

 class TestMiddlewareClaimsToken extends TestMiddleware {
+  override protected[this] def oauthYieldsUserTokens = false
  override protected[this] def makeJwt(
      claims: Request.Claims,
      expiresIn: Option[Duration],
@ -376,6 +319,48 @@ class TestMiddlewareClaimsToken extends TestMiddleware {
      }
    }
  }
+
+  "the /login endpoint with an oauth server checking claims" should {
+    "not authorize unauthorized parties" in {
+      server.revokeParty(Party("Eve"))
+      val claims = Request.Claims(actAs = List(Party("Eve")))
+      ensureDisallowed(claims)
+    }
+
+    "not authorize disallowed admin claims" in {
+      server.revokeAdmin()
+      val claims = Request.Claims(admin = true)
+      ensureDisallowed(claims)
+    }
+
+    def ensureDisallowed(claims: Request.Claims) = {
+      val req = HttpRequest(uri = middlewareClientRoutes.loginUri(claims, None))
+      for {
+        resp <- Http().singleRequest(req)
+        // Redirect to /authorize on authorization server
+        resp <- {
+          assert(resp.status == StatusCodes.Found)
+          val req = HttpRequest(uri = resp.header[Location].get.uri)
+          Http().singleRequest(req)
+        }
+        // Redirect to /cb on middleware
+        resp <- {
+          assert(resp.status == StatusCodes.Found)
+          val req = HttpRequest(uri = resp.header[Location].get.uri)
+          Http().singleRequest(req)
+        }
+      } yield {
+        // Redirect to client callback
+        assert(resp.status == StatusCodes.Found)
+        assert(resp.header[Location].get.uri.withQuery(Uri.Query()) == middlewareClientCallbackUri)
+        // with error parameter set
+        assert(resp.header[Location].get.uri.query().toMap.get("error") == Some("access_denied"))
+        // Without token in cookie
+        val cookie = resp.header[`Set-Cookie`]
+        assert(cookie == None)
+      }
+    }
+  }
 }

 class TestMiddlewareUserToken extends TestMiddleware {
--- a/triggers/service/auth/src/test/scala/com/daml/auth/oauth2/test/server/TestFixture.scala
+++ b/triggers/service/auth/src/test/scala/com/daml/auth/oauth2/test/server/TestFixture.scala
@ -30,7 +30,7 @@ trait TestFixture
  lazy protected val server: Server = suiteResource.value._2
  lazy protected val serverBinding: ServerBinding = suiteResource.value._3
  lazy protected val clientBinding: ServerBinding = suiteResource.value._4
-  protected def yieldUserTokens: Boolean
+  protected[this] def yieldUserTokens: Boolean
  override protected lazy val suiteResource
      : Resource[(AdjustableClock, Server, ServerBinding, ServerBinding)] = {
    implicit val resourceContext: ResourceContext = ResourceContext(system.dispatcher)