func generateSignedCode(core *roll.Core, subject, scope string, app *roll.Application) (string, error) {
privateKey, err := core.RetrievePrivateKeyForApp(app.ClientID)
if err != nil {
return "", err
}
token, err := rolltoken.GenerateCode(subject, scope, app.ClientID, privateKey)
return token, err
}
func TestTokenValidCodeWithAdminScope(t *testing.T) {
core, coreConfig := NewTestCore()
ln, addr := TestServer(t, core)
defer ln.Close()
returnVal := roll.Application{
DeveloperEmail: "*****@*****.**",
ClientID: "1111-2222-3333333-4444444",
ApplicationName: "fight club",
ClientSecret: "not for browser clients",
RedirectURI: "http://localhost:3000/ab",
LoginProvider: "xtrac://localhost:9000",
}
appRepoMock := coreConfig.ApplicationRepo.(*mocks.ApplicationRepo)
appRepoMock.On("SystemRetrieveApplication", "1111-2222-3333333-4444444").Return(&returnVal, nil)
privateKey, publicKey, err := secrets.GenerateKeyPair()
assert.Nil(t, err)
secretsMock := coreConfig.SecretsRepo.(*mocks.SecretsRepo)
secretsMock.On("RetrievePrivateKeyForApp", "1111-2222-3333333-4444444").Return(privateKey, nil)
secretsMock.On("RetrievePublicKeyForApp", "1111-2222-3333333-4444444").Return(publicKey, nil)
code, err := rolltoken.GenerateCode("b-subject", "admin", returnVal.ClientID, privateKey)
assert.Nil(t, err)
resp, err := http.PostForm(addr+OAuth2TokenBaseURI,
url.Values{"grant_type": {"authorization_code"},
"client_id": {"1111-2222-3333333-4444444"},
"client_secret": {"not for browser clients"},
"redirect_uri": {"http://localhost:3000/ab"},
"code": {code}})
assert.Nil(t, err)
assert.Equal(t, http.StatusOK, resp.StatusCode)
body := responseAsString(t, resp)
var jsonResponse accessTokenResponse
err = json.Unmarshal([]byte(body), &jsonResponse)
assert.Nil(t, err)
assert.True(t, jsonResponse.AccessToken != "")
assert.True(t, jsonResponse.TokenType == "Bearer")
token, err := jwt.Parse(jsonResponse.AccessToken, rolltoken.GenerateKeyExtractionFunction(core.SecretsRepo))
assert.Nil(t, err)
scope, ok := token.Claims["scope"].(string)
assert.True(t, ok)
assert.Equal(t, "admin", scope)
}
func TestTokenSignedWithWrongKey(t *testing.T) {
core, coreConfig := NewTestCore()
ln, addr := TestServer(t, core)
defer ln.Close()
returnVal := roll.Application{
DeveloperEmail: "*****@*****.**",
ClientID: "1111-2222-3333333-4444444",
ApplicationName: "fight club",
ClientSecret: "not for browser clients",
RedirectURI: "http://localhost:3000/ab",
LoginProvider: "xtrac://localhost:9000",
}
appRepoMock := coreConfig.ApplicationRepo.(*mocks.ApplicationRepo)
appRepoMock.On("SystemRetrieveApplication", "1111-2222-3333333-4444444").Return(&returnVal, nil)
privateKey, publicKey, err := secrets.GenerateKeyPair()
assert.Nil(t, err)
secretsMock := coreConfig.SecretsRepo.(*mocks.SecretsRepo)
secretsMock.On("RetrievePrivateKeyForApp", "1111-2222-3333333-4444444").Return(privateKey, nil)
secretsMock.On("RetrievePublicKeyForApp", "1111-2222-3333333-4444444").Return(publicKey, nil)
otherKey, _, err := secrets.GenerateKeyPair()
assert.Nil(t, err)
code, err := rolltoken.GenerateCode("a-subject", "", returnVal.ClientID, otherKey)
assert.Nil(t, err)
resp, err := http.PostForm(addr+OAuth2TokenBaseURI,
url.Values{"grant_type": {"authorization_code"},
"client_id": {"1111-2222-3333333-4444444"},
"client_secret": {"not for browser clients"},
"redirect_uri": {"http://localhost:3000/ab"},
"code": {code}})
assert.Nil(t, err)
body := responseAsString(t, resp)
assert.True(t, strings.Contains(body, "verification error"))
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}
func TestAuthCodeUsedForAccess(t *testing.T) {
app := roll.Application{
DeveloperEmail: "*****@*****.**",
ClientID: "1111-2222-3333333-4444444",
ApplicationName: "fight club",
ClientSecret: "not for browser clients",
RedirectURI: "http://localhost:3000/ab",
LoginProvider: "xtrac://localhost:9000",
}
appRepoMock := new(mocks.ApplicationRepo)
appRepoMock.On("RetrieveApplication", "1111-2222-3333333-4444444").Return(&app, nil)
privateKey, publicKey, err := secrets.GenerateKeyPair()
assert.Nil(t, err)
secretsMock := new(mocks.SecretsRepo)
secretsMock.On("RetrievePrivateKeyForApp", "1111-2222-3333333-4444444").Return(privateKey, nil)
secretsMock.On("RetrievePublicKeyForApp", "1111-2222-3333333-4444444").Return(publicKey, nil)
adminRepo := new(mocks.AdminRepo)
token, err := rolltoken.GenerateCode("a-subject", "", app.ClientID, privateKey)
assert.Nil(t, err)
testServer := httptest.NewServer(Wrap(secretsMock, adminRepo, []string{}, echoHandler()))
defer testServer.Close()
client := http.Client{}
req, err := http.NewRequest("POST", testServer.URL, nil)
assert.Nil(t, err)
req.Header.Add("Authorization", "Bearer "+token)
resp, err := client.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}
