func TestIssueImplicitToken(t *testing.T) {
ctrl := gomock.NewController(t)
resp := internal.NewMockAuthorizeResponder(ctrl)
defer ctrl.Finish()
httpreq := &http.Request{}
ar := fosite.NewAuthorizeRequest()
ar.Form = url.Values{"nonce": {"111111111111"}}
ar.SetSession(&DefaultSession{Claims: &jwt.IDTokenClaims{
Subject: "peter",
}, Headers: &jwt.Headers{}})
resp.EXPECT().AddFragment("id_token", gomock.Any())
h := &IDTokenHandleHelper{IDTokenStrategy: strat}
err := h.IssueImplicitIDToken(nil, httpreq, ar, resp)
assert.Nil(t, err, "%s", err)
}
func TestHybrid_HandleAuthorizeEndpointRequest(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
aresp := fosite.NewAuthorizeResponse()
areq := fosite.NewAuthorizeRequest()
httpreq := &http.Request{Form: url.Values{}}
h := OpenIDConnectHybridHandler{
AuthorizeExplicitGrantHandler: &oauth2.AuthorizeExplicitGrantHandler{
AuthorizeCodeStrategy: hmacStrategy,
AccessTokenLifespan: time.Hour,
AuthCodeLifespan: time.Hour,
AccessTokenStrategy: hmacStrategy,
AuthorizeCodeGrantStorage: storage.NewMemoryStore(),
},
AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{
AccessTokenLifespan: time.Hour,
AccessTokenStrategy: hmacStrategy,
AccessTokenStorage: storage.NewMemoryStore(),
},
IDTokenHandleHelper: &IDTokenHandleHelper{
IDTokenStrategy: idStrategy,
},
ScopeStrategy: fosite.HierarchicScopeStrategy,
}
for k, c := range []struct {
description string
setup func()
check func()
expectErr error
}{
{
description: "should not do anything because not a hybrid request",
setup: func() {},
},
{
description: "should not do anything because not a hybrid request",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"token", "id_token"}
},
},
{
description: "should fail because session not given",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"token", "code"}
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"authorization_code", "implicit"},
ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
Scopes: []string{"openid"},
}
areq.GrantedScopes = fosite.Arguments{"openid"}
},
expectErr: ErrInvalidSession,
},
{
description: "should fail because client missing response types",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"token", "code", "id_token"}
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"implicit"},
ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
Scopes: []string{"openid"},
}
areq.Session = &defaultSession{
Claims: &jwt.IDTokenClaims{
Subject: "peter",
},
Headers: &jwt.Headers{},
DefaultSession: new(fosite.DefaultSession),
}
},
expectErr: fosite.ErrInvalidGrant,
},
{
description: "should fail because nonce was not set",
setup: func() {
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"authorization_code", "implicit"},
ResponseTypes: fosite.Arguments{"token", "code", "id_token"},
Scopes: []string{"openid"},
}
},
expectErr: fosite.ErrInsufficientEntropy,
},
{
description: "should fail because nonce was not set",
setup: func() {
areq.Form.Add("nonce", "some-foobar-nonce-win")
},
},
{
description: "should pass",
setup: func() {},
check: func() {
assert.NotEmpty(t, aresp.GetFragment().Get("id_token"))
assert.NotEmpty(t, aresp.GetFragment().Get("code"))
assert.NotEmpty(t, aresp.GetFragment().Get("access_token"))
},
},
} {
c.setup()
err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
if c.check != nil {
c.check()
}
}
}
func TestAuthorizeCode_PopulateTokenEndpointResponse(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockAuthorizeCodeGrantStorage(ctrl)
ach := internal.NewMockAccessTokenStrategy(ctrl)
rch := internal.NewMockRefreshTokenStrategy(ctrl)
auch := internal.NewMockAuthorizeCodeStrategy(ctrl)
aresp := internal.NewMockAccessResponder(ctrl)
//mockcl := internal.NewMockClient(ctrl)
defer ctrl.Finish()
areq := fosite.NewAccessRequest(new(fosite.DefaultSession))
httpreq := &http.Request{PostForm: url.Values{}}
authreq := fosite.NewAuthorizeRequest()
areq.Session = new(fosite.DefaultSession)
h := AuthorizeExplicitGrantHandler{
AuthorizeCodeGrantStorage: store,
AuthorizeCodeStrategy: auch,
AccessTokenStrategy: ach,
RefreshTokenStrategy: rch,
ScopeStrategy: fosite.HierarchicScopeStrategy,
}
for k, c := range []struct {
description string
setup func()
expectErr error
}{
{
description: "should fail because not responsible",
expectErr: fosite.ErrUnknownRequest,
setup: func() {
areq.GrantTypes = fosite.Arguments{"123"}
},
},
{
description: "should fail because authcode not found",
setup: func() {
areq.GrantTypes = fosite.Arguments{"authorization_code"}
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"authorization_code"},
}
httpreq.PostForm.Add("code", "authcode")
auch.EXPECT().AuthorizeCodeSignature("authcode").AnyTimes().Return("authsig")
store.EXPECT().GetAuthorizeCodeSession(nil, "authsig", gomock.Any()).Return(nil, fosite.ErrNotFound)
},
expectErr: fosite.ErrServerError,
},
{
description: "should fail because validation failed",
setup: func() {
store.EXPECT().GetAuthorizeCodeSession(nil, "authsig", gomock.Any()).AnyTimes().Return(authreq, nil)
auch.EXPECT().ValidateAuthorizeCode(nil, areq, "authcode").Return(errors.New(""))
},
expectErr: fosite.ErrInvalidRequest,
},
{
description: "should fail because access token generation failed",
setup: func() {
authreq.GrantedScopes = []string{"offline"}
auch.EXPECT().ValidateAuthorizeCode(nil, areq, "authcode").AnyTimes().Return(nil)
ach.EXPECT().GenerateAccessToken(nil, areq).Return("", "", errors.New("error"))
},
expectErr: fosite.ErrServerError,
},
{
description: "should fail because refresh token generation failed",
setup: func() {
ach.EXPECT().GenerateAccessToken(nil, areq).AnyTimes().Return("access.ats", "ats", nil)
rch.EXPECT().GenerateRefreshToken(nil, areq).Return("", "", errors.New("error"))
},
expectErr: fosite.ErrServerError,
},
{
description: "should fail because persisting failed",
setup: func() {
rch.EXPECT().GenerateRefreshToken(nil, areq).AnyTimes().Return("refresh.rts", "rts", nil)
store.EXPECT().PersistAuthorizeCodeGrantSession(nil, "authsig", "ats", "rts", areq).Return(errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should pass",
setup: func() {
areq.GrantedScopes = fosite.Arguments{"foo", "offline"}
store.EXPECT().PersistAuthorizeCodeGrantSession(nil, "authsig", "ats", "rts", areq).Return(nil)
aresp.EXPECT().SetAccessToken("access.ats")
aresp.EXPECT().SetTokenType("bearer")
aresp.EXPECT().SetExtra("refresh_token", "refresh.rts")
aresp.EXPECT().SetExpiresIn(gomock.Any())
aresp.EXPECT().SetScopes(areq.GrantedScopes)
},
},
} {
c.setup()
err := h.PopulateTokenEndpointResponse(nil, httpreq, areq, aresp)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
}
func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockAuthorizeCodeGrantStorage(ctrl)
ach := internal.NewMockAuthorizeCodeStrategy(ctrl)
defer ctrl.Finish()
authreq := fosite.NewAuthorizeRequest()
areq := fosite.NewAccessRequest(nil)
httpreq := &http.Request{PostForm: url.Values{}}
areq.Session = new(fosite.DefaultSession)
authreq.Session = new(fosite.DefaultSession)
h := AuthorizeExplicitGrantHandler{
AuthorizeCodeGrantStorage: store,
AuthorizeCodeStrategy: ach,
ScopeStrategy: fosite.HierarchicScopeStrategy,
}
for k, c := range []struct {
description string
setup func()
expectErr error
}{
{
description: "should fail because not responsible",
expectErr: fosite.ErrUnknownRequest,
setup: func() {
areq.GrantTypes = fosite.Arguments{"12345678"} // grant_type REQUIRED. Value MUST be set to "authorization_code".
},
},
{
description: "should fail because authcode could not be retrieved (1)",
setup: func() {
areq.GrantTypes = fosite.Arguments{"authorization_code"} // grant_type REQUIRED. Value MUST be set to "authorization_code".
httpreq.PostForm = url.Values{"code": {"foo.bar"}}
ach.EXPECT().AuthorizeCodeSignature("foo.bar").AnyTimes().Return("bar")
store.EXPECT().GetAuthorizeCodeSession(nil, "bar", gomock.Any()).Return(nil, fosite.ErrNotFound)
},
expectErr: fosite.ErrInvalidRequest,
},
{
description: "should fail because authcode validation failed",
setup: func() {
store.EXPECT().GetAuthorizeCodeSession(nil, "bar", gomock.Any()).AnyTimes().Return(authreq, nil)
ach.EXPECT().ValidateAuthorizeCode(nil, areq, "foo.bar").Return(errors.New(""))
},
expectErr: fosite.ErrInvalidRequest,
},
{
description: "should fail because client mismatch",
setup: func() {
ach.EXPECT().ValidateAuthorizeCode(nil, areq, "foo.bar").AnyTimes().Return(nil)
areq.Client = &fosite.DefaultClient{ID: "foo"}
authreq.Scopes = fosite.Arguments{"a", "b"}
authreq.Client = &fosite.DefaultClient{ID: "bar"}
},
expectErr: fosite.ErrInvalidRequest,
},
{
description: "should fail because redirect uri not provided",
setup: func() {
authreq.Form.Add("redirect_uri", "request-redir")
authreq.Client = &fosite.DefaultClient{ID: "foo"}
},
expectErr: fosite.ErrInvalidRequest,
},
{
description: "should pass (2)",
setup: func() {
httpreq.PostForm = url.Values{"code": []string{"foo.bar"}}
authreq.Form.Del("redirect_uri")
authreq.RequestedAt = time.Now().Add(time.Hour)
},
},
} {
c.setup()
err := h.HandleTokenEndpointRequest(nil, httpreq, areq)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
}
func TestExplicit_PopulateTokenEndpointResponse(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockOpenIDConnectRequestStorage(ctrl)
defer ctrl.Finish()
session := &DefaultSession{
Claims: &jwt.IDTokenClaims{
Subject: "peter",
},
Headers: &jwt.Headers{},
}
aresp := fosite.NewAccessResponse()
areq := fosite.NewAccessRequest(session)
httpreq := &http.Request{PostForm: url.Values{}}
h := &OpenIDConnectExplicitHandler{
OpenIDConnectRequestStorage: store,
IDTokenHandleHelper: &IDTokenHandleHelper{
IDTokenStrategy: j,
},
}
for k, c := range []struct {
description string
setup func()
expectErr error
}{
{
description: "should fail because invalid response type",
setup: func() {},
expectErr: fosite.ErrUnknownRequest,
},
{
description: "should fail because lookup returns not found",
setup: func() {
areq.GrantTypes = fosite.Arguments{"authorization_code"}
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"authorization_code"},
ResponseTypes: fosite.Arguments{"id_token"},
}
areq.Form.Set("code", "foobar")
store.EXPECT().GetOpenIDConnectSession(nil, "foobar", areq).Return(nil, ErrNoSessionFound)
},
expectErr: fosite.ErrUnknownRequest,
},
{
description: "should fail because lookup fails",
setup: func() {
areq.GrantTypes = fosite.Arguments{"authorization_code"}
store.EXPECT().GetOpenIDConnectSession(nil, "foobar", areq).Return(nil, errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should fail because missing scope in original request",
setup: func() {
areq.GrantTypes = fosite.Arguments{"authorization_code"}
store.EXPECT().GetOpenIDConnectSession(nil, "foobar", areq).Return(fosite.NewAuthorizeRequest(), nil)
},
expectErr: fosite.ErrMisconfiguration,
},
{
description: "should pass",
setup: func() {
r := fosite.NewAuthorizeRequest()
r.Session = areq.Session
r.GrantedScopes = fosite.Arguments{"openid"}
r.Form.Set("nonce", "1111111111111111")
store.EXPECT().GetOpenIDConnectSession(nil, gomock.Any(), areq).AnyTimes().Return(r, nil)
},
},
} {
c.setup()
err := h.PopulateTokenEndpointResponse(nil, httpreq, areq, aresp)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
}
func TestAuthorizeImplicit_EndpointHandler(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockAccessTokenStorage(ctrl)
chgen := internal.NewMockAccessTokenStrategy(ctrl)
aresp := internal.NewMockAuthorizeResponder(ctrl)
defer ctrl.Finish()
areq := fosite.NewAuthorizeRequest()
httpreq := &http.Request{Form: url.Values{}}
areq.Session = new(fosite.DefaultSession)
h := AuthorizeImplicitGrantTypeHandler{
AccessTokenStorage: store,
AccessTokenStrategy: chgen,
AccessTokenLifespan: time.Hour,
ScopeStrategy: fosite.HierarchicScopeStrategy,
}
for k, c := range []struct {
description string
setup func()
expectErr error
}{
{
description: "should pass because not responsible for handling the response type",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"a"}
},
},
{
description: "should fail because access token generation failed",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"token"}
areq.Client = &fosite.DefaultClient{
GrantTypes: fosite.Arguments{"implicit"},
ResponseTypes: fosite.Arguments{"token"},
}
chgen.EXPECT().GenerateAccessToken(nil, areq).Return("", "", errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should fail because persistance failed",
setup: func() {
chgen.EXPECT().GenerateAccessToken(nil, areq).AnyTimes().Return("access.ats", "ats", nil)
store.EXPECT().CreateAccessTokenSession(nil, "ats", areq).Return(errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should pass",
setup: func() {
areq.State = "state"
areq.GrantedScopes = fosite.Arguments{"scope"}
store.EXPECT().CreateAccessTokenSession(nil, "ats", areq).AnyTimes().Return(nil)
aresp.EXPECT().AddFragment("access_token", "access.ats")
aresp.EXPECT().AddFragment("expires_in", gomock.Any())
aresp.EXPECT().AddFragment("token_type", "bearer")
aresp.EXPECT().AddFragment("state", "state")
aresp.EXPECT().AddFragment("scope", "scope")
},
expectErr: nil,
},
} {
c.setup()
err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
}
func TestExplicit_HandleAuthorizeEndpointRequest(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockOpenIDConnectRequestStorage(ctrl)
aresp := internal.NewMockAuthorizeResponder(ctrl)
defer ctrl.Finish()
areq := fosite.NewAuthorizeRequest()
httpreq := &http.Request{Form: url.Values{}}
h := &OpenIDConnectExplicitHandler{
OpenIDConnectRequestStorage: store,
IDTokenHandleHelper: &IDTokenHandleHelper{
IDTokenStrategy: j,
},
}
for k, c := range []struct {
description string
setup func()
expectErr error
}{
{
description: "should pass because not responsible for handling an empty response type",
setup: func() {
areq.ResponseTypes = fosite.Arguments{""}
},
},
{
description: "should pass because scope openid is not set",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"code"}
areq.Client = &fosite.DefaultClient{
ResponseTypes: fosite.Arguments{"code", "id_token"},
}
areq.Scopes = fosite.Arguments{""}
},
},
{
description: "should fail because no code set",
setup: func() {
areq.GrantedScopes = fosite.Arguments{"openid"}
areq.Form.Set("nonce", "11111111111111111111111111111")
aresp.EXPECT().GetCode().Return("")
},
expectErr: fosite.ErrMisconfiguration,
},
{
description: "should fail because lookup fails",
setup: func() {
aresp.EXPECT().GetCode().AnyTimes().Return("codeexample")
store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", areq).Return(errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should pass",
setup: func() {
store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", areq).AnyTimes().Return(nil)
},
},
} {
c.setup()
err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
}
func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockAuthorizeCodeGrantStorage(ctrl)
chgen := internal.NewMockAuthorizeCodeStrategy(ctrl)
aresp := internal.NewMockAuthorizeResponder(ctrl)
defer ctrl.Finish()
areq := fosite.NewAuthorizeRequest()
httpreq := &http.Request{Form: url.Values{}}
areq.Session = new(fosite.DefaultSession)
h := AuthorizeExplicitGrantHandler{
AuthorizeCodeGrantStorage: store,
AuthorizeCodeStrategy: chgen,
ScopeStrategy: fosite.HierarchicScopeStrategy,
}
for k, c := range []struct {
description string
setup func()
expectErr error
}{
{
description: "should pass because not responsible for handling an empty response type",
setup: func() {
areq.ResponseTypes = fosite.Arguments{""}
},
},
{
description: "should pass because not responsible for handling an invalid response type",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"foo"}
},
},
{
description: "should fail because redirect uri is not https",
setup: func() {
areq.ResponseTypes = fosite.Arguments{"code"}
areq.Client = &fosite.DefaultClient{ResponseTypes: fosite.Arguments{"code"}}
areq.RedirectURI, _ = url.Parse("http://asdf.de/cb")
},
expectErr: fosite.ErrInvalidRequest,
},
{
description: "should fail because authorize code generation failed",
setup: func() {
areq.RedirectURI, _ = url.Parse("https://foobar.com/cb")
chgen.EXPECT().GenerateAuthorizeCode(nil, areq).Return("", "", errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should fail because could not presist authorize code session",
setup: func() {
chgen.EXPECT().GenerateAuthorizeCode(nil, areq).AnyTimes().Return("someauthcode.authsig", "authsig", nil)
store.EXPECT().CreateAuthorizeCodeSession(nil, "authsig", areq).Return(errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should pass",
setup: func() {
areq.GrantedScopes = fosite.Arguments{"a", "b"}
areq.State = "superstate"
store.EXPECT().CreateAuthorizeCodeSession(nil, "authsig", areq).Return(nil)
aresp.EXPECT().AddQuery("code", "someauthcode.authsig")
aresp.EXPECT().AddQuery("scope", strings.Join(areq.GrantedScopes, " "))
aresp.EXPECT().AddQuery("state", areq.State)
},
},
} {
c.setup()
err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
}
