func TestNewIntrospectionRequest(t *testing.T) {
ctrl := gomock.NewController(t)
validator := internal.NewMockTokenIntrospector(ctrl)
defer ctrl.Finish()
f := compose.ComposeAllEnabled(new(compose.Config), storage.NewMemoryStore(), []byte{}, nil).(*Fosite)
httpreq := &http.Request{
Method: "POST",
Header: http.Header{},
Form: url.Values{},
}
for k, c := range []struct {
description string
setup func()
expectErr error
isActive bool
}{
{
description: "should fail",
setup: func() {
},
expectErr: ErrInvalidRequest,
},
{
description: "should pass",
setup: func() {
f.TokenIntrospectionHandlers = TokenIntrospectionHandlers{validator}
httpreq = &http.Request{
Method: "POST",
Header: http.Header{
"Authorization": []string{"bearer some-token"},
},
PostForm: url.Values{
"token": []string{"introspect-token"},
},
}
validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
validator.EXPECT().IntrospectToken(nil, "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(errors.New(""))
},
isActive: false,
},
{
description: "should pass",
setup: func() {
f.TokenIntrospectionHandlers = TokenIntrospectionHandlers{validator}
httpreq = &http.Request{
Method: "POST",
Header: http.Header{
"Authorization": []string{"bearer some-token"},
},
PostForm: url.Values{
"token": []string{"introspect-token"},
},
}
validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
validator.EXPECT().IntrospectToken(nil, "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
},
isActive: true,
},
} {
c.setup()
res, err := f.NewIntrospectionRequest(nil, httpreq, nil)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
if res != nil {
assert.Equal(t, c.isActive, res.IsActive())
}
t.Logf("Passed test case %d", k)
}
}
func TestHybrid_HandleAuthorizeEndpointRequest(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
aresp := fosite.NewAuthorizeResponse()
areq := fosite.NewAuthorizeRequest()
httpreq := &http.Request{Form: url.Values{}}
h := OpenIDConnectHybridHandler{
AuthorizeExplicitGrantHandler: &oauth2.AuthorizeExplicitGrantHandler{
AuthorizeCodeStrategy: hmacStrategy,
AccessTokenLifespan: time.Hour,
AuthCodeLifespan: time.Hour,
AccessTokenStrategy: hmacStrategy,
AuthorizeCodeGrantStorage: storage.NewMemoryStore(),
},
AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{
AccessTokenLifespan: time.Hour,
AccessTokenStrategy: hmacStrategy,
AccessTokenStorage: storage.NewMemoryStore(),
},
IDTokenHandleHelper: &IDTokenHandleHelper{
IDTokenStrategy: idStrategy,
},
ScopeStrategy: fosite.HierarchicScopeStrategy,
}
for k, c := range []struct {
description string
setup func()
check func()
expectErr error
}{
{
description: "should not do anything because not a hybrid request",
setup: func() {},
},
{
description: "should not do anything because not a hybrid request",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"token", "id_token"}
},
},
{
description: "should fail because session not given",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"token", "code"}
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"authorization_code", "implicit"},
ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
Scopes: []string{"openid"},
}
areq.GrantedScopes = fosite.Arguments{"openid"}
},
expectErr: ErrInvalidSession,
},
{
description: "should fail because client missing response types",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"token", "code", "id_token"}
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"implicit"},
ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
Scopes: []string{"openid"},
}
areq.Session = &defaultSession{
Claims: &jwt.IDTokenClaims{
Subject: "peter",
},
Headers: &jwt.Headers{},
DefaultSession: new(fosite.DefaultSession),
}
},
expectErr: fosite.ErrInvalidGrant,
},
{
description: "should fail because nonce was not set",
setup: func() {
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"authorization_code", "implicit"},
ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
Scopes: []string{"openid"},
}
},
expectErr: fosite.ErrInsufficientEntropy,
},
{
description: "should fail because nonce was not set",
setup: func() {
areq.Form.Add("nonce", "some-foobar-nonce-win")
},
},
{
description: "should pass",
setup: func() {},
check: func() {
assert.NotEmpty(t, aresp.GetFragment().Get("id_token"))
assert.NotEmpty(t, aresp.GetFragment().Get("code"))
assert.NotEmpty(t, aresp.GetFragment().Get("access_token"))
},
},
} {
c.setup()
err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
if c.check != nil {
c.check()
}
}
}
func TestIntrospect(t *testing.T) {
ctrl := gomock.NewController(t)
validator := internal.NewMockTokenIntrospector(ctrl)
defer ctrl.Finish()
f := compose.ComposeAllEnabled(new(compose.Config), storage.NewMemoryStore(), []byte{}, nil).(*Fosite)
httpreq := &http.Request{
Header: http.Header{
"Authorization": []string{"bearer some-token"},
},
Form: url.Values{},
}
for k, c := range []struct {
description string
scopes []string
setup func()
expectErr error
}{
{
description: "should fail",
scopes: []string{},
setup: func() {
},
expectErr: ErrRequestUnauthorized,
},
{
description: "should fail",
scopes: []string{"foo"},
setup: func() {
f.TokenIntrospectionHandlers = TokenIntrospectionHandlers{validator}
validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrUnknownRequest)
},
expectErr: ErrRequestUnauthorized,
},
{
description: "should fail",
scopes: []string{"foo"},
setup: func() {
validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrInvalidClient)
},
expectErr: ErrInvalidClient,
},
{
description: "should pass",
setup: func() {
validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Do(func(ctx context.Context, _ string, _ TokenType, accessRequest AccessRequester, _ []string) {
accessRequest.(*AccessRequest).GrantedScopes = []string{"bar"}
}).Return(nil)
},
},
{
description: "should pass",
scopes: []string{"bar"},
setup: func() {
validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Do(func(ctx context.Context, _ string, _ TokenType, accessRequest AccessRequester, _ []string) {
accessRequest.(*AccessRequest).GrantedScopes = []string{"bar"}
}).Return(nil)
},
},
} {
c.setup()
_, err := f.IntrospectToken(nil, AccessTokenFromRequest(httpreq), AccessToken, nil, c.scopes...)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
}
