mirror of
https://github.com/digital-asset/daml.git
synced 2024-09-20 01:07:18 +03:00
test middleware user tokens with oauth2 server user tokens (#12991)
TestMiddlewareUserToken now uses user tokens from the oauth server as well, courtesy #12929. TestMiddlewareClaimsToken is the only middleware-only (non-Client) test that switches the oauth test server back to producing claims tokens, and contains all the tests that depend on claims token semantics. These tests are in a sense exercising the oauth server rather than the middleware. The token returned by the oauth server is irrelevant for the behavior the following tests are exercising, so they are merely ported to always run on user tokens: - CallbackUriOverride - LimitedCallbackStore - ClientLimitedCallbackStore - ClientNoRedirectToLogin - ClientYesRedirectToLogin - ClientAutoRedirectToLogin CHANGELOG_BEGIN CHANGELOG_END
parent
095a017a31
commit
6bb438e855
@ -70,6 +70,7 @@ trait TestFixture
|
||||
}
|
||||
lazy protected val middlewareClientRoutes: Client.Routes =
|
||||
middlewareClient.routes(middlewareClientCallbackUri)
|
||||
protected def oauthYieldsUserTokens: Boolean = true
|
||||
override protected lazy val suiteResource: Resource[TestResources] = {
|
||||
implicit val resourceContext: ResourceContext = ResourceContext(system.dispatcher)
|
||||
new OwnedResource[ResourceContext, TestResources](
|
||||
@ -81,7 +82,7 @@ trait TestFixture
|
||||
ledgerId = ledgerId,
|
||||
jwtSecret = jwtSecret,
|
||||
clock = Some(clock),
|
||||
yieldUserTokens = false, // TODO parameterize (#12989)
|
||||
yieldUserTokens = oauthYieldsUserTokens,
|
||||
)
|
||||
)
|
||||
serverBinding <- Resources.authServerBinding(server)
|
||||
|
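Review bot: The new hook `protected def oauthYieldsUserTokens: Boolean = true` uses plain `protected`, while its override in TestMiddlewareClaimsToken and the sibling fixture's `yieldUserTokens` changed in this same commit are both `protected[this]`; declaring it `protected[this] def oauthYieldsUserTokens: Boolean = true` would keep the three consistent. Because the default is `true`, every suite that mixes in this fixture now gets user tokens from the test oauth server unless it overrides the hook, so a short comment such as `// whether the test oauth server issues user tokens (true) or claims tokens (false)` would make that default visible at the declaration. The trait body starts and ends outside these hunks.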
@ -212,64 +212,6 @@ abstract class TestMiddleware
|
||||
assert(token.tokenType == "bearer")
|
||||
}
|
||||
}
|
||||
"not authorize unauthorized parties" in {
|
||||
server.revokeParty(Party("Eve"))
|
||||
val claims = Request.Claims(actAs = List(Party("Eve")))
|
||||
val req = HttpRequest(uri = middlewareClientRoutes.loginUri(claims, None))
|
||||
for {
|
||||
resp <- Http().singleRequest(req)
|
||||
// Redirect to /authorize on authorization server
|
||||
resp <- {
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
val req = HttpRequest(uri = resp.header[Location].get.uri)
|
||||
Http().singleRequest(req)
|
||||
}
|
||||
// Redirect to /cb on middleware
|
||||
resp <- {
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
val req = HttpRequest(uri = resp.header[Location].get.uri)
|
||||
Http().singleRequest(req)
|
||||
}
|
||||
} yield {
|
||||
// Redirect to client callback
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
assert(resp.header[Location].get.uri.withQuery(Uri.Query()) == middlewareClientCallbackUri)
|
||||
// with error parameter set
|
||||
assert(resp.header[Location].get.uri.query().toMap.get("error") == Some("access_denied"))
|
||||
// Without token in cookie
|
||||
val cookie = resp.header[`Set-Cookie`]
|
||||
assert(cookie == None)
|
||||
}
|
||||
}
|
||||
"not authorize disallowed admin claims" in {
|
||||
server.revokeAdmin()
|
||||
val claims = Request.Claims(admin = true)
|
||||
val req = HttpRequest(uri = middlewareClientRoutes.loginUri(claims, None))
|
||||
for {
|
||||
resp <- Http().singleRequest(req)
|
||||
// Redirect to /authorize on authorization server
|
||||
resp <- {
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
val req = HttpRequest(uri = resp.header[Location].get.uri)
|
||||
Http().singleRequest(req)
|
||||
}
|
||||
// Redirect to /cb on middleware
|
||||
resp <- {
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
val req = HttpRequest(uri = resp.header[Location].get.uri)
|
||||
Http().singleRequest(req)
|
||||
}
|
||||
} yield {
|
||||
// Redirect to client callback
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
assert(resp.header[Location].get.uri.withQuery(Uri.Query()) == middlewareClientCallbackUri)
|
||||
// with error parameter set
|
||||
assert(resp.header[Location].get.uri.query().toMap.get("error") == Some("access_denied"))
|
||||
// Without token in cookie
|
||||
val cookie = resp.header[`Set-Cookie`]
|
||||
assert(cookie == None)
|
||||
}
|
||||
}
|
||||
}
|
||||
"the /refresh endpoint" should {
|
||||
"return a new access token" in {
|
||||
@ -320,6 +262,7 @@ abstract class TestMiddleware
|
||||
}
|
||||
|
||||
class TestMiddlewareClaimsToken extends TestMiddleware {
|
||||
override protected[this] def oauthYieldsUserTokens = false
|
||||
override protected[this] def makeJwt(
|
||||
claims: Request.Claims,
|
||||
expiresIn: Option[Duration],
|
||||
@ -376,6 +319,48 @@ class TestMiddlewareClaimsToken extends TestMiddleware {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
"the /login endpoint with an oauth server checking claims" should {
|
||||
"not authorize unauthorized parties" in {
|
||||
server.revokeParty(Party("Eve"))
|
||||
val claims = Request.Claims(actAs = List(Party("Eve")))
|
||||
ensureDisallowed(claims)
|
||||
}
|
||||
|
||||
"not authorize disallowed admin claims" in {
|
||||
server.revokeAdmin()
|
||||
val claims = Request.Claims(admin = true)
|
||||
ensureDisallowed(claims)
|
||||
}
|
||||
|
||||
def ensureDisallowed(claims: Request.Claims) = {
|
||||
val req = HttpRequest(uri = middlewareClientRoutes.loginUri(claims, None))
|
||||
for {
|
||||
resp <- Http().singleRequest(req)
|
||||
// Redirect to /authorize on authorization server
|
||||
resp <- {
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
val req = HttpRequest(uri = resp.header[Location].get.uri)
|
||||
Http().singleRequest(req)
|
||||
}
|
||||
// Redirect to /cb on middleware
|
||||
resp <- {
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
val req = HttpRequest(uri = resp.header[Location].get.uri)
|
||||
Http().singleRequest(req)
|
||||
}
|
||||
} yield {
|
||||
// Redirect to client callback
|
||||
assert(resp.status == StatusCodes.Found)
|
||||
assert(resp.header[Location].get.uri.withQuery(Uri.Query()) == middlewareClientCallbackUri)
|
||||
// with error parameter set
|
||||
assert(resp.header[Location].get.uri.query().toMap.get("error") == Some("access_denied"))
|
||||
// Without token in cookie
|
||||
val cookie = resp.header[`Set-Cookie`]
|
||||
assert(cookie == None)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class TestMiddlewareUserToken extends TestMiddleware {
|
||||
|
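Review bot: With both denial tests now living only in TestMiddlewareClaimsToken, nothing visible in this diff exercises the /login denial path (redirect to the client callback with `error=access_denied` and no `Set-Cookie`) when the oauth server yields user tokens. The commit message explains that party and admin revocation depend on claims-token semantics, so if the test server has any way to refuse authorization in user-token mode, a counterpart test in TestMiddlewareUserToken would keep the middleware's error handling covered there; that class's body is outside the visible hunks, so such a test may already exist. Separately, `ensureDisallowed` is declared after the two tests that call it and has no result type; moving it above them and annotating it, presumably as `def ensureDisallowed(claims: Request.Claims): Future[Assertion] = {`, would make the helper's contract explicit.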
@ -30,7 +30,7 @@ trait TestFixture
|
||||
lazy protected val server: Server = suiteResource.value._2
|
||||
lazy protected val serverBinding: ServerBinding = suiteResource.value._3
|
||||
lazy protected val clientBinding: ServerBinding = suiteResource.value._4
|
||||
protected def yieldUserTokens: Boolean
|
||||
protected[this] def yieldUserTokens: Boolean
|
||||
override protected lazy val suiteResource
|
||||
: Resource[(AdjustableClock, Server, ServerBinding, ServerBinding)] = {
|
||||
implicit val resourceContext: ResourceContext = ResourceContext(system.dispatcher)
|
||||
|