2020-02-06 21:09:30 +03:00
|
|
|
package providers
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/rand"
|
|
|
|
|
"crypto/rsa"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
|
|
|
|
"net/url"
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
2020-03-14 13:14:15 +03:00
|
|
|
|
|
|
|
|
"github.com/coreos/go-oidc"
|
|
|
|
|
"github.com/dgrijalva/jwt-go"
|
2020-04-04 18:12:38 +03:00
|
|
|
"github.com/stretchr/testify/assert"
|
2020-03-14 13:14:15 +03:00
|
|
|
"golang.org/x/oauth2"
|
|
|
|
|
|
2020-09-29 19:44:42 +03:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
|
2020-02-06 21:09:30 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const accessToken = "access_token"
|
|
|
|
|
const refreshToken = "refresh_token"
|
|
|
|
|
const clientID = "https://test.myapp.com"
|
|
|
|
|
const secret = "secret"
|
|
|
|
|
|
|
|
|
|
type idTokenClaims struct {
|
2020-11-03 21:10:08 +03:00
|
|
|
Name string `json:"name,omitempty"`
|
|
|
|
|
Email string `json:"email,omitempty"`
|
|
|
|
|
Phone string `json:"phone_number,omitempty"`
|
|
|
|
|
Picture string `json:"picture,omitempty"`
|
|
|
|
|
Groups interface{} `json:"groups,omitempty"`
|
|
|
|
|
OtherGroups interface{} `json:"other_groups,omitempty"`
|
2020-02-06 21:09:30 +03:00
|
|
|
jwt.StandardClaims
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type redeemTokenResponse struct {
|
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
|
RefreshToken string `json:"refresh_token"`
|
|
|
|
|
ExpiresIn int64 `json:"expires_in"`
|
|
|
|
|
TokenType string `json:"token_type"`
|
|
|
|
|
IDToken string `json:"id_token,omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var defaultIDToken idTokenClaims = idTokenClaims{
|
|
|
|
|
"Jane Dobbs",
|
|
|
|
|
"janed@me.com",
|
2020-04-28 09:46:46 +03:00
|
|
|
"+4798765432",
|
2020-02-06 21:09:30 +03:00
|
|
|
"http://mugbook.com/janed/me.jpg",
|
2020-07-28 21:42:09 +03:00
|
|
|
[]string{"test:a", "test:b"},
|
|
|
|
|
[]string{"test:c", "test:d"},
|
2020-02-06 21:09:30 +03:00
|
|
|
jwt.StandardClaims{
|
|
|
|
|
Audience: "https://test.myapp.com",
|
|
|
|
|
ExpiresAt: time.Now().Add(time.Duration(5) * time.Minute).Unix(),
|
|
|
|
|
Id: "id-some-id",
|
|
|
|
|
IssuedAt: time.Now().Unix(),
|
|
|
|
|
Issuer: "https://issuer.example.com",
|
|
|
|
|
NotBefore: 0,
|
|
|
|
|
Subject: "123456789",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-03 21:10:08 +03:00
|
|
|
var customGroupClaimIDToken idTokenClaims = idTokenClaims{
|
|
|
|
|
"Jane Dobbs",
|
|
|
|
|
"janed@me.com",
|
|
|
|
|
"+4798765432",
|
|
|
|
|
"http://mugbook.com/janed/me.jpg",
|
|
|
|
|
[]map[string]interface{}{
|
|
|
|
|
{
|
|
|
|
|
"groupId": "Admin Group Id",
|
|
|
|
|
"roles": []string{"Admin"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
[]string{"test:c", "test:d"},
|
|
|
|
|
jwt.StandardClaims{
|
|
|
|
|
Audience: "https://test.myapp.com",
|
|
|
|
|
ExpiresAt: time.Now().Add(time.Duration(5) * time.Minute).Unix(),
|
|
|
|
|
Id: "id-some-id",
|
|
|
|
|
IssuedAt: time.Now().Unix(),
|
|
|
|
|
Issuer: "https://issuer.example.com",
|
|
|
|
|
NotBefore: 0,
|
|
|
|
|
Subject: "123456789",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-28 00:51:29 +03:00
|
|
|
var minimalIDToken idTokenClaims = idTokenClaims{
|
|
|
|
|
"",
|
|
|
|
|
"",
|
|
|
|
|
"",
|
|
|
|
|
"",
|
2020-07-28 21:42:09 +03:00
|
|
|
[]string{},
|
|
|
|
|
[]string{},
|
2020-07-28 00:51:29 +03:00
|
|
|
jwt.StandardClaims{
|
|
|
|
|
Audience: "https://test.myapp.com",
|
|
|
|
|
ExpiresAt: time.Now().Add(time.Duration(5) * time.Minute).Unix(),
|
|
|
|
|
Id: "id-some-id",
|
|
|
|
|
IssuedAt: time.Now().Unix(),
|
|
|
|
|
Issuer: "https://issuer.example.com",
|
|
|
|
|
NotBefore: 0,
|
|
|
|
|
Subject: "minimal",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-14 12:58:29 +03:00
|
|
|
type fakeKeySetStub struct{}
|
2020-02-06 21:09:30 +03:00
|
|
|
|
|
|
|
|
func (fakeKeySetStub) VerifySignature(_ context.Context, jwt string) (payload []byte, err error) {
|
|
|
|
|
decodeString, err := base64.RawURLEncoding.DecodeString(strings.Split(jwt, ".")[1])
|
2020-04-14 11:36:44 +03:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2020-02-06 21:09:30 +03:00
|
|
|
tokenClaims := &idTokenClaims{}
|
|
|
|
|
err = json.Unmarshal(decodeString, tokenClaims)
|
|
|
|
|
|
|
|
|
|
if err != nil || tokenClaims.Id == "this-id-fails-validation" {
|
|
|
|
|
return nil, fmt.Errorf("the validation failed for subject [%v]", tokenClaims.Subject)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return decodeString, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newOIDCProvider(serverURL *url.URL) *OIDCProvider {
|
|
|
|
|
|
|
|
|
|
providerData := &ProviderData{
|
|
|
|
|
ProviderName: "oidc",
|
|
|
|
|
ClientID: clientID,
|
|
|
|
|
ClientSecret: secret,
|
|
|
|
|
LoginURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/login/oauth/authorize"},
|
|
|
|
|
RedeemURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/login/oauth/access_token"},
|
|
|
|
|
ProfileURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/profile"},
|
|
|
|
|
ValidateURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/api"},
|
2020-11-16 05:57:48 +03:00
|
|
|
Scope: "openid profile offline_access",
|
2020-03-14 12:58:29 +03:00
|
|
|
Verifier: oidc.NewVerifier(
|
2020-02-06 21:09:30 +03:00
|
|
|
"https://issuer.example.com",
|
|
|
|
|
fakeKeySetStub{},
|
|
|
|
|
&oidc.Config{ClientID: clientID},
|
|
|
|
|
),
|
2020-11-16 05:57:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
p := &OIDCProvider{
|
|
|
|
|
ProviderData: providerData,
|
2020-11-27 06:00:30 +03:00
|
|
|
EmailClaim: "email",
|
2020-02-06 21:09:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return p
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newOIDCServer(body []byte) (*url.URL, *httptest.Server) {
|
|
|
|
|
s := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
|
rw.Header().Add("content-type", "application/json")
|
|
|
|
|
_, _ = rw.Write(body)
|
|
|
|
|
}))
|
|
|
|
|
u, _ := url.Parse(s.URL)
|
|
|
|
|
return u, s
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newSignedTestIDToken(tokenClaims idTokenClaims) (string, error) {
|
|
|
|
|
key, _ := rsa.GenerateKey(rand.Reader, 2048)
|
|
|
|
|
standardClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, tokenClaims)
|
|
|
|
|
return standardClaims.SignedString(key)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newOauth2Token() *oauth2.Token {
|
|
|
|
|
return &oauth2.Token{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
Expiry: time.Time{}.Add(time.Duration(5) * time.Second),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newTestSetup(body []byte) (*httptest.Server, *OIDCProvider) {
|
|
|
|
|
redeemURL, server := newOIDCServer(body)
|
|
|
|
|
provider := newOIDCProvider(redeemURL)
|
|
|
|
|
return server, provider
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestOIDCProviderRedeem(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
server, provider := newTestSetup(body)
|
|
|
|
|
defer server.Close()
|
|
|
|
|
|
2020-05-05 18:53:33 +03:00
|
|
|
session, err := provider.Redeem(context.Background(), provider.RedeemURL.String(), "code1234")
|
2020-02-06 21:09:30 +03:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Email, session.Email)
|
|
|
|
|
assert.Equal(t, accessToken, session.AccessToken)
|
|
|
|
|
assert.Equal(t, idToken, session.IDToken)
|
|
|
|
|
assert.Equal(t, refreshToken, session.RefreshToken)
|
|
|
|
|
assert.Equal(t, "123456789", session.User)
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-28 09:46:46 +03:00
|
|
|
func TestOIDCProviderRedeem_custom_userid(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
server, provider := newTestSetup(body)
|
2020-11-27 06:00:30 +03:00
|
|
|
provider.EmailClaim = "phone_number"
|
2020-04-28 09:46:46 +03:00
|
|
|
defer server.Close()
|
|
|
|
|
|
2020-05-05 18:53:33 +03:00
|
|
|
session, err := provider.Redeem(context.Background(), provider.RedeemURL.String(), "code1234")
|
2020-04-28 09:46:46 +03:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Phone, session.Email)
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-27 06:00:30 +03:00
|
|
|
func TestOIDCProvider_EnrichSession(t *testing.T) {
|
|
|
|
|
const (
|
|
|
|
|
idToken = "Unchanged ID Token"
|
|
|
|
|
accessToken = "Unchanged Access Token"
|
|
|
|
|
refreshToken = "Unchanged Refresh Token"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
testCases := map[string]struct {
|
|
|
|
|
ExistingSession *sessions.SessionState
|
|
|
|
|
EmailClaim string
|
|
|
|
|
GroupsClaim string
|
|
|
|
|
ProfileJSON map[string]interface{}
|
|
|
|
|
ExpectedError error
|
|
|
|
|
ExpectedSession *sessions.SessionState
|
|
|
|
|
}{
|
|
|
|
|
"Already Populated": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"email": "new@thing.com",
|
|
|
|
|
"groups": []string{"new", "thing"},
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"Missing Email": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"email": "found@email.com",
|
|
|
|
|
"groups": []string{"new", "thing"},
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
Email: "found@email.com",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
"Missing Email Only in Profile URL": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"email": "found@email.com",
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
Email: "found@email.com",
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"Missing Email with Custom Claim": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "weird",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"weird": "weird@claim.com",
|
|
|
|
|
"groups": []string{"new", "thing"},
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
Email: "weird@claim.com",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"Missing Email not in Profile URL": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"groups": []string{"new", "thing"},
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: errors.New("neither the id_token nor the profileURL set an email"),
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "missing.email",
|
|
|
|
|
Groups: []string{"already", "populated"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"Missing Groups": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: []string{},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"email": "new@thing.com",
|
|
|
|
|
"groups": []string{"new", "thing"},
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: []string{"new", "thing"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"Missing Groups with Custom Claim": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: nil,
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "roles",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"email": "new@thing.com",
|
|
|
|
|
"roles": []string{"new", "thing", "roles"},
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: []string{"new", "thing", "roles"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"Missing Groups String Profile URL Response": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: []string{},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"email": "new@thing.com",
|
|
|
|
|
"groups": "singleton",
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
Groups: []string{"singleton"},
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"Missing Groups in both Claims and Profile URL": {
|
|
|
|
|
ExistingSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ProfileJSON: map[string]interface{}{
|
|
|
|
|
"email": "new@thing.com",
|
|
|
|
|
},
|
|
|
|
|
ExpectedError: nil,
|
|
|
|
|
ExpectedSession: &sessions.SessionState{
|
|
|
|
|
User: "already",
|
|
|
|
|
Email: "already@populated.com",
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for testName, tc := range testCases {
|
|
|
|
|
t.Run(testName, func(t *testing.T) {
|
|
|
|
|
jsonResp, err := json.Marshal(tc.ProfileJSON)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
server, provider := newTestSetup(jsonResp)
|
|
|
|
|
provider.ProfileURL, err = url.Parse(server.URL)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
provider.EmailClaim = tc.EmailClaim
|
|
|
|
|
provider.GroupsClaim = tc.GroupsClaim
|
|
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
err = provider.EnrichSession(context.Background(), tc.ExistingSession)
|
|
|
|
|
assert.Equal(t, tc.ExpectedError, err)
|
|
|
|
|
assert.Equal(t, *tc.ExpectedSession, *tc.ExistingSession)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-06 21:09:30 +03:00
|
|
|
func TestOIDCProviderRefreshSessionIfNeededWithoutIdToken(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
server, provider := newTestSetup(body)
|
|
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
existingSession := &sessions.SessionState{
|
|
|
|
|
AccessToken: "changeit",
|
|
|
|
|
IDToken: idToken,
|
2020-05-30 10:53:38 +03:00
|
|
|
CreatedAt: nil,
|
|
|
|
|
ExpiresOn: nil,
|
2020-02-06 21:09:30 +03:00
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
Email: "janedoe@example.com",
|
|
|
|
|
User: "11223344",
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-05 18:53:33 +03:00
|
|
|
refreshed, err := provider.RefreshSessionIfNeeded(context.Background(), existingSession)
|
2020-02-06 21:09:30 +03:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, refreshed, true)
|
|
|
|
|
assert.Equal(t, "janedoe@example.com", existingSession.Email)
|
|
|
|
|
assert.Equal(t, accessToken, existingSession.AccessToken)
|
|
|
|
|
assert.Equal(t, idToken, existingSession.IDToken)
|
|
|
|
|
assert.Equal(t, refreshToken, existingSession.RefreshToken)
|
|
|
|
|
assert.Equal(t, "11223344", existingSession.User)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestOIDCProviderRefreshSessionIfNeededWithIdToken(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
server, provider := newTestSetup(body)
|
|
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
existingSession := &sessions.SessionState{
|
|
|
|
|
AccessToken: "changeit",
|
|
|
|
|
IDToken: "changeit",
|
2020-05-30 10:53:38 +03:00
|
|
|
CreatedAt: nil,
|
|
|
|
|
ExpiresOn: nil,
|
2020-02-06 21:09:30 +03:00
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
Email: "changeit",
|
|
|
|
|
User: "changeit",
|
|
|
|
|
}
|
2020-05-05 18:53:33 +03:00
|
|
|
refreshed, err := provider.RefreshSessionIfNeeded(context.Background(), existingSession)
|
2020-02-06 21:09:30 +03:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, refreshed, true)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Email, existingSession.Email)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Subject, existingSession.User)
|
|
|
|
|
assert.Equal(t, accessToken, existingSession.AccessToken)
|
|
|
|
|
assert.Equal(t, idToken, existingSession.IDToken)
|
|
|
|
|
assert.Equal(t, refreshToken, existingSession.RefreshToken)
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-26 22:53:41 +03:00
|
|
|
func TestOIDCProviderCreateSessionFromToken(t *testing.T) {
|
2020-07-28 00:51:29 +03:00
|
|
|
const profileURLEmail = "janed@me.com"
|
|
|
|
|
|
|
|
|
|
testCases := map[string]struct {
|
2020-07-28 21:42:09 +03:00
|
|
|
IDToken idTokenClaims
|
|
|
|
|
GroupsClaim string
|
|
|
|
|
ExpectedUser string
|
|
|
|
|
ExpectedEmail string
|
2020-11-03 21:10:08 +03:00
|
|
|
ExpectedGroups interface{}
|
2020-07-28 00:51:29 +03:00
|
|
|
}{
|
|
|
|
|
"Default IDToken": {
|
2020-07-28 21:42:09 +03:00
|
|
|
IDToken: defaultIDToken,
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ExpectedUser: defaultIDToken.Subject,
|
|
|
|
|
ExpectedEmail: defaultIDToken.Email,
|
|
|
|
|
ExpectedGroups: []string{"test:a", "test:b"},
|
2020-07-28 00:51:29 +03:00
|
|
|
},
|
2020-08-10 04:18:02 +03:00
|
|
|
"Minimal IDToken with no email claim": {
|
2020-07-28 21:42:09 +03:00
|
|
|
IDToken: minimalIDToken,
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ExpectedUser: minimalIDToken.Subject,
|
|
|
|
|
ExpectedEmail: minimalIDToken.Subject,
|
|
|
|
|
ExpectedGroups: []string{},
|
|
|
|
|
},
|
|
|
|
|
"Custom Groups Claim": {
|
|
|
|
|
IDToken: defaultIDToken,
|
|
|
|
|
GroupsClaim: "other_groups",
|
|
|
|
|
ExpectedUser: defaultIDToken.Subject,
|
|
|
|
|
ExpectedEmail: defaultIDToken.Email,
|
|
|
|
|
ExpectedGroups: []string{"test:c", "test:d"},
|
2020-07-28 00:51:29 +03:00
|
|
|
},
|
2020-11-03 21:10:08 +03:00
|
|
|
"Custom Groups Claim2": {
|
|
|
|
|
IDToken: customGroupClaimIDToken,
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ExpectedUser: customGroupClaimIDToken.Subject,
|
|
|
|
|
ExpectedEmail: customGroupClaimIDToken.Email,
|
|
|
|
|
ExpectedGroups: []string{"{\"groupId\":\"Admin Group Id\",\"roles\":[\"Admin\"]}"},
|
|
|
|
|
},
|
2020-07-28 00:51:29 +03:00
|
|
|
}
|
|
|
|
|
for testName, tc := range testCases {
|
|
|
|
|
t.Run(testName, func(t *testing.T) {
|
|
|
|
|
jsonResp := []byte(fmt.Sprintf(`{"email":"%s"}`, profileURLEmail))
|
|
|
|
|
server, provider := newTestSetup(jsonResp)
|
2020-07-28 21:42:09 +03:00
|
|
|
provider.GroupsClaim = tc.GroupsClaim
|
2020-07-28 00:51:29 +03:00
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
rawIDToken, err := newSignedTestIDToken(tc.IDToken)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
2020-11-16 05:57:48 +03:00
|
|
|
ss, err := provider.CreateSessionFromToken(context.Background(), rawIDToken)
|
2020-07-28 00:51:29 +03:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
2020-08-10 04:18:02 +03:00
|
|
|
assert.Equal(t, tc.ExpectedUser, ss.User)
|
|
|
|
|
assert.Equal(t, tc.ExpectedEmail, ss.Email)
|
2020-07-28 00:51:29 +03:00
|
|
|
assert.Equal(t, rawIDToken, ss.IDToken)
|
|
|
|
|
assert.Equal(t, rawIDToken, ss.AccessToken)
|
2020-07-28 21:42:09 +03:00
|
|
|
assert.Equal(t, tc.ExpectedGroups, ss.Groups)
|
2020-07-28 00:51:29 +03:00
|
|
|
assert.Equal(t, "", ss.RefreshToken)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-27 06:00:30 +03:00
|
|
|
func TestOIDCProvider_findVerifiedIDToken(t *testing.T) {
|
2020-02-06 21:09:30 +03:00
|
|
|
|
|
|
|
|
server, provider := newTestSetup([]byte(""))
|
|
|
|
|
|
|
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
token := newOauth2Token()
|
2020-03-14 12:58:29 +03:00
|
|
|
signedIDToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
tokenWithIDToken := token.WithExtra(map[string]interface{}{
|
|
|
|
|
"id_token": signedIDToken,
|
2020-02-06 21:09:30 +03:00
|
|
|
})
|
|
|
|
|
|
2020-03-14 12:58:29 +03:00
|
|
|
verifiedIDToken, err := provider.findVerifiedIDToken(context.Background(), tokenWithIDToken)
|
2020-02-06 21:09:30 +03:00
|
|
|
assert.Equal(t, true, err == nil)
|
2020-04-14 11:36:44 +03:00
|
|
|
if verifiedIDToken == nil {
|
|
|
|
|
t.Fatal("verifiedIDToken is nil")
|
|
|
|
|
}
|
2020-03-14 12:58:29 +03:00
|
|
|
assert.Equal(t, defaultIDToken.Issuer, verifiedIDToken.Issuer)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Subject, verifiedIDToken.Subject)
|
2020-02-06 21:09:30 +03:00
|
|
|
|
|
|
|
|
// When the validation fails the response should be nil
|
|
|
|
|
defaultIDToken.Id = "this-id-fails-validation"
|
2020-03-14 12:58:29 +03:00
|
|
|
signedIDToken, _ = newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
tokenWithIDToken = token.WithExtra(map[string]interface{}{
|
|
|
|
|
"id_token": signedIDToken,
|
2020-02-06 21:09:30 +03:00
|
|
|
})
|
|
|
|
|
|
2020-03-14 12:58:29 +03:00
|
|
|
verifiedIDToken, err = provider.findVerifiedIDToken(context.Background(), tokenWithIDToken)
|
2020-02-06 21:09:30 +03:00
|
|
|
assert.Equal(t, errors.New("failed to verify signature: the validation failed for subject [123456789]"), err)
|
2020-03-14 12:58:29 +03:00
|
|
|
assert.Equal(t, true, verifiedIDToken == nil)
|
2020-02-06 21:09:30 +03:00
|
|
|
|
|
|
|
|
// When there is no id token in the oauth token
|
2020-03-14 12:58:29 +03:00
|
|
|
verifiedIDToken, err = provider.findVerifiedIDToken(context.Background(), newOauth2Token())
|
2020-02-06 21:09:30 +03:00
|
|
|
assert.Equal(t, nil, err)
|
2020-03-14 12:58:29 +03:00
|
|
|
assert.Equal(t, true, verifiedIDToken == nil)
|
2020-02-06 21:09:30 +03:00
|
|
|
}
|
