func TestIssueImplicitToken(t *testing.T) { ctrl := gomock.NewController(t) resp := internal.NewMockAuthorizeResponder(ctrl) defer ctrl.Finish() httpreq := &http.Request{} ar := fosite.NewAuthorizeRequest() ar.Form = url.Values{"nonce": {"111111111111"}} ar.SetSession(&DefaultSession{Claims: &jwt.IDTokenClaims{ Subject: "peter", }, Headers: &jwt.Headers{}}) resp.EXPECT().AddFragment("id_token", gomock.Any()) h := &IDTokenHandleHelper{IDTokenStrategy: strat} err := h.IssueImplicitIDToken(nil, httpreq, ar, resp) assert.Nil(t, err, "%s", err) }
func TestHybrid_HandleAuthorizeEndpointRequest(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() aresp := fosite.NewAuthorizeResponse() areq := fosite.NewAuthorizeRequest() httpreq := &http.Request{Form: url.Values{}} h := OpenIDConnectHybridHandler{ AuthorizeExplicitGrantHandler: &oauth2.AuthorizeExplicitGrantHandler{ AuthorizeCodeStrategy: hmacStrategy, AccessTokenLifespan: time.Hour, AuthCodeLifespan: time.Hour, AccessTokenStrategy: hmacStrategy, AuthorizeCodeGrantStorage: storage.NewMemoryStore(), }, AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{ AccessTokenLifespan: time.Hour, AccessTokenStrategy: hmacStrategy, AccessTokenStorage: storage.NewMemoryStore(), }, IDTokenHandleHelper: &IDTokenHandleHelper{ IDTokenStrategy: idStrategy, }, ScopeStrategy: fosite.HierarchicScopeStrategy, } for k, c := range []struct { description string setup func() check func() expectErr error }{ { description: "should not do anything because not a hybrid request", setup: func() {}, }, { description: "should not do anything because not a hybrid request", setup: func() { areq.ResponseTypes = fosite.Arguments{"token", "id_token"} }, }, { description: "should fail because session not given", setup: func() { areq.ResponseTypes = fosite.Arguments{"token", "code"} areq.Client = &fosite.DefaultClient{ GrantTypes: fosite.Arguments{"authorization_code", "implicit"}, ResponseTypes: fosite.Arguments{"token", "code", "id_token"}, Scopes: []string{"openid"}, } areq.GrantedScopes = fosite.Arguments{"openid"} }, expectErr: ErrInvalidSession, }, { description: "should fail because client missing response types", setup: func() { areq.ResponseTypes = fosite.Arguments{"token", "code", "id_token"} areq.Client = &fosite.DefaultClient{ GrantTypes: fosite.Arguments{"implicit"}, ResponseTypes: fosite.Arguments{"token", "code", "id_token"}, Scopes: []string{"openid"}, } areq.Session = &defaultSession{ Claims: &jwt.IDTokenClaims{ Subject: "peter", }, Headers: &jwt.Headers{}, DefaultSession: new(fosite.DefaultSession), } }, expectErr: fosite.ErrInvalidGrant, }, { description: "should fail because nonce was not set", setup: func() { areq.Client = &fosite.DefaultClient{ GrantTypes: fosite.Arguments{"authorization_code", "implicit"}, ResponseTypes: fosite.Arguments{"token", "code", "id_token"}, Scopes: []string{"openid"}, } }, expectErr: fosite.ErrInsufficientEntropy, }, { description: "should fail because nonce was not set", setup: func() { areq.Form.Add("nonce", "some-foobar-nonce-win") }, }, { description: "should pass", setup: func() {}, check: func() { assert.NotEmpty(t, aresp.GetFragment().Get("id_token")) assert.NotEmpty(t, aresp.GetFragment().Get("code")) assert.NotEmpty(t, aresp.GetFragment().Get("access_token")) }, }, } { c.setup() err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp) assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr) t.Logf("Passed test case %d", k) if c.check != nil { c.check() } } }
func TestAuthorizeCode_PopulateTokenEndpointResponse(t *testing.T) { ctrl := gomock.NewController(t) store := internal.NewMockAuthorizeCodeGrantStorage(ctrl) ach := internal.NewMockAccessTokenStrategy(ctrl) rch := internal.NewMockRefreshTokenStrategy(ctrl) auch := internal.NewMockAuthorizeCodeStrategy(ctrl) aresp := internal.NewMockAccessResponder(ctrl) //mockcl := internal.NewMockClient(ctrl) defer ctrl.Finish() areq := fosite.NewAccessRequest(new(fosite.DefaultSession)) httpreq := &http.Request{PostForm: url.Values{}} authreq := fosite.NewAuthorizeRequest() areq.Session = new(fosite.DefaultSession) h := AuthorizeExplicitGrantHandler{ AuthorizeCodeGrantStorage: store, AuthorizeCodeStrategy: auch, AccessTokenStrategy: ach, RefreshTokenStrategy: rch, ScopeStrategy: fosite.HierarchicScopeStrategy, } for k, c := range []struct { description string setup func() expectErr error }{ { description: "should fail because not responsible", expectErr: fosite.ErrUnknownRequest, setup: func() { areq.GrantTypes = fosite.Arguments{"123"} }, }, { description: "should fail because authcode not found", setup: func() { areq.GrantTypes = fosite.Arguments{"authorization_code"} areq.Client = &fosite.DefaultClient{ GrantTypes: fosite.Arguments{"authorization_code"}, } httpreq.PostForm.Add("code", "authcode") auch.EXPECT().AuthorizeCodeSignature("authcode").AnyTimes().Return("authsig") store.EXPECT().GetAuthorizeCodeSession(nil, "authsig", gomock.Any()).Return(nil, fosite.ErrNotFound) }, expectErr: fosite.ErrServerError, }, { description: "should fail because validation failed", setup: func() { store.EXPECT().GetAuthorizeCodeSession(nil, "authsig", gomock.Any()).AnyTimes().Return(authreq, nil) auch.EXPECT().ValidateAuthorizeCode(nil, areq, "authcode").Return(errors.New("")) }, expectErr: fosite.ErrInvalidRequest, }, { description: "should fail because access token generation failed", setup: func() { authreq.GrantedScopes = []string{"offline"} auch.EXPECT().ValidateAuthorizeCode(nil, areq, "authcode").AnyTimes().Return(nil) ach.EXPECT().GenerateAccessToken(nil, areq).Return("", "", errors.New("error")) }, expectErr: fosite.ErrServerError, }, { description: "should fail because refresh token generation failed", setup: func() { ach.EXPECT().GenerateAccessToken(nil, areq).AnyTimes().Return("access.ats", "ats", nil) rch.EXPECT().GenerateRefreshToken(nil, areq).Return("", "", errors.New("error")) }, expectErr: fosite.ErrServerError, }, { description: "should fail because persisting failed", setup: func() { rch.EXPECT().GenerateRefreshToken(nil, areq).AnyTimes().Return("refresh.rts", "rts", nil) store.EXPECT().PersistAuthorizeCodeGrantSession(nil, "authsig", "ats", "rts", areq).Return(errors.New("")) }, expectErr: fosite.ErrServerError, }, { description: "should pass", setup: func() { areq.GrantedScopes = fosite.Arguments{"foo", "offline"} store.EXPECT().PersistAuthorizeCodeGrantSession(nil, "authsig", "ats", "rts", areq).Return(nil) aresp.EXPECT().SetAccessToken("access.ats") aresp.EXPECT().SetTokenType("bearer") aresp.EXPECT().SetExtra("refresh_token", "refresh.rts") aresp.EXPECT().SetExpiresIn(gomock.Any()) aresp.EXPECT().SetScopes(areq.GrantedScopes) }, }, } { c.setup() err := h.PopulateTokenEndpointResponse(nil, httpreq, areq, aresp) assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr) t.Logf("Passed test case %d", k) } }
func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) { ctrl := gomock.NewController(t) store := internal.NewMockAuthorizeCodeGrantStorage(ctrl) ach := internal.NewMockAuthorizeCodeStrategy(ctrl) defer ctrl.Finish() authreq := fosite.NewAuthorizeRequest() areq := fosite.NewAccessRequest(nil) httpreq := &http.Request{PostForm: url.Values{}} areq.Session = new(fosite.DefaultSession) authreq.Session = new(fosite.DefaultSession) h := AuthorizeExplicitGrantHandler{ AuthorizeCodeGrantStorage: store, AuthorizeCodeStrategy: ach, ScopeStrategy: fosite.HierarchicScopeStrategy, } for k, c := range []struct { description string setup func() expectErr error }{ { description: "should fail because not responsible", expectErr: fosite.ErrUnknownRequest, setup: func() { areq.GrantTypes = fosite.Arguments{"12345678"} // grant_type REQUIRED. Value MUST be set to "authorization_code". }, }, { description: "should fail because authcode could not be retrieved (1)", setup: func() { areq.GrantTypes = fosite.Arguments{"authorization_code"} // grant_type REQUIRED. Value MUST be set to "authorization_code". httpreq.PostForm = url.Values{"code": {"foo.bar"}} ach.EXPECT().AuthorizeCodeSignature("foo.bar").AnyTimes().Return("bar") store.EXPECT().GetAuthorizeCodeSession(nil, "bar", gomock.Any()).Return(nil, fosite.ErrNotFound) }, expectErr: fosite.ErrInvalidRequest, }, { description: "should fail because authcode validation failed", setup: func() { store.EXPECT().GetAuthorizeCodeSession(nil, "bar", gomock.Any()).AnyTimes().Return(authreq, nil) ach.EXPECT().ValidateAuthorizeCode(nil, areq, "foo.bar").Return(errors.New("")) }, expectErr: fosite.ErrInvalidRequest, }, { description: "should fail because client mismatch", setup: func() { ach.EXPECT().ValidateAuthorizeCode(nil, areq, "foo.bar").AnyTimes().Return(nil) areq.Client = &fosite.DefaultClient{ID: "foo"} authreq.Scopes = fosite.Arguments{"a", "b"} authreq.Client = &fosite.DefaultClient{ID: "bar"} }, expectErr: fosite.ErrInvalidRequest, }, { description: "should fail because redirect uri not provided", setup: func() { authreq.Form.Add("redirect_uri", "request-redir") authreq.Client = &fosite.DefaultClient{ID: "foo"} }, expectErr: fosite.ErrInvalidRequest, }, { description: "should pass (2)", setup: func() { httpreq.PostForm = url.Values{"code": []string{"foo.bar"}} authreq.Form.Del("redirect_uri") authreq.RequestedAt = time.Now().Add(time.Hour) }, }, } { c.setup() err := h.HandleTokenEndpointRequest(nil, httpreq, areq) assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr) t.Logf("Passed test case %d", k) } }
func TestExplicit_PopulateTokenEndpointResponse(t *testing.T) { ctrl := gomock.NewController(t) store := internal.NewMockOpenIDConnectRequestStorage(ctrl) defer ctrl.Finish() session := &DefaultSession{ Claims: &jwt.IDTokenClaims{ Subject: "peter", }, Headers: &jwt.Headers{}, } aresp := fosite.NewAccessResponse() areq := fosite.NewAccessRequest(session) httpreq := &http.Request{PostForm: url.Values{}} h := &OpenIDConnectExplicitHandler{ OpenIDConnectRequestStorage: store, IDTokenHandleHelper: &IDTokenHandleHelper{ IDTokenStrategy: j, }, } for k, c := range []struct { description string setup func() expectErr error }{ { description: "should fail because invalid response type", setup: func() {}, expectErr: fosite.ErrUnknownRequest, }, { description: "should fail because lookup returns not found", setup: func() { areq.GrantTypes = fosite.Arguments{"authorization_code"} areq.Client = &fosite.DefaultClient{ GrantTypes: fosite.Arguments{"authorization_code"}, ResponseTypes: fosite.Arguments{"id_token"}, } areq.Form.Set("code", "foobar") store.EXPECT().GetOpenIDConnectSession(nil, "foobar", areq).Return(nil, ErrNoSessionFound) }, expectErr: fosite.ErrUnknownRequest, }, { description: "should fail because lookup fails", setup: func() { areq.GrantTypes = fosite.Arguments{"authorization_code"} store.EXPECT().GetOpenIDConnectSession(nil, "foobar", areq).Return(nil, errors.New("")) }, expectErr: fosite.ErrServerError, }, { description: "should fail because missing scope in original request", setup: func() { areq.GrantTypes = fosite.Arguments{"authorization_code"} store.EXPECT().GetOpenIDConnectSession(nil, "foobar", areq).Return(fosite.NewAuthorizeRequest(), nil) }, expectErr: fosite.ErrMisconfiguration, }, { description: "should pass", setup: func() { r := fosite.NewAuthorizeRequest() r.Session = areq.Session r.GrantedScopes = fosite.Arguments{"openid"} r.Form.Set("nonce", "1111111111111111") store.EXPECT().GetOpenIDConnectSession(nil, gomock.Any(), areq).AnyTimes().Return(r, nil) }, }, } { c.setup() err := h.PopulateTokenEndpointResponse(nil, httpreq, areq, aresp) assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr) t.Logf("Passed test case %d", k) } }
func TestAuthorizeImplicit_EndpointHandler(t *testing.T) { ctrl := gomock.NewController(t) store := internal.NewMockAccessTokenStorage(ctrl) chgen := internal.NewMockAccessTokenStrategy(ctrl) aresp := internal.NewMockAuthorizeResponder(ctrl) defer ctrl.Finish() areq := fosite.NewAuthorizeRequest() httpreq := &http.Request{Form: url.Values{}} areq.Session = new(fosite.DefaultSession) h := AuthorizeImplicitGrantTypeHandler{ AccessTokenStorage: store, AccessTokenStrategy: chgen, AccessTokenLifespan: time.Hour, ScopeStrategy: fosite.HierarchicScopeStrategy, } for k, c := range []struct { description string setup func() expectErr error }{ { description: "should pass because not responsible for handling the response type", setup: func() { areq.ResponseTypes = fosite.Arguments{"a"} }, }, { description: "should fail because access token generation failed", setup: func() { areq.ResponseTypes = fosite.Arguments{"token"} areq.Client = &fosite.DefaultClient{ GrantTypes: fosite.Arguments{"implicit"}, ResponseTypes: fosite.Arguments{"token"}, } chgen.EXPECT().GenerateAccessToken(nil, areq).Return("", "", errors.New("")) }, expectErr: fosite.ErrServerError, }, { description: "should fail because persistance failed", setup: func() { chgen.EXPECT().GenerateAccessToken(nil, areq).AnyTimes().Return("access.ats", "ats", nil) store.EXPECT().CreateAccessTokenSession(nil, "ats", areq).Return(errors.New("")) }, expectErr: fosite.ErrServerError, }, { description: "should pass", setup: func() { areq.State = "state" areq.GrantedScopes = fosite.Arguments{"scope"} store.EXPECT().CreateAccessTokenSession(nil, "ats", areq).AnyTimes().Return(nil) aresp.EXPECT().AddFragment("access_token", "access.ats") aresp.EXPECT().AddFragment("expires_in", gomock.Any()) aresp.EXPECT().AddFragment("token_type", "bearer") aresp.EXPECT().AddFragment("state", "state") aresp.EXPECT().AddFragment("scope", "scope") }, expectErr: nil, }, } { c.setup() err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp) assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr) t.Logf("Passed test case %d", k) } }
func TestExplicit_HandleAuthorizeEndpointRequest(t *testing.T) { ctrl := gomock.NewController(t) store := internal.NewMockOpenIDConnectRequestStorage(ctrl) aresp := internal.NewMockAuthorizeResponder(ctrl) defer ctrl.Finish() areq := fosite.NewAuthorizeRequest() httpreq := &http.Request{Form: url.Values{}} h := &OpenIDConnectExplicitHandler{ OpenIDConnectRequestStorage: store, IDTokenHandleHelper: &IDTokenHandleHelper{ IDTokenStrategy: j, }, } for k, c := range []struct { description string setup func() expectErr error }{ { description: "should pass because not responsible for handling an empty response type", setup: func() { areq.ResponseTypes = fosite.Arguments{""} }, }, { description: "should pass because scope openid is not set", setup: func() { areq.ResponseTypes = fosite.Arguments{"code"} areq.Client = &fosite.DefaultClient{ ResponseTypes: fosite.Arguments{"code", "id_token"}, } areq.Scopes = fosite.Arguments{""} }, }, { description: "should fail because no code set", setup: func() { areq.GrantedScopes = fosite.Arguments{"openid"} areq.Form.Set("nonce", "11111111111111111111111111111") aresp.EXPECT().GetCode().Return("") }, expectErr: fosite.ErrMisconfiguration, }, { description: "should fail because lookup fails", setup: func() { aresp.EXPECT().GetCode().AnyTimes().Return("codeexample") store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", areq).Return(errors.New("")) }, expectErr: fosite.ErrServerError, }, { description: "should pass", setup: func() { store.EXPECT().CreateOpenIDConnectSession(nil, "codeexample", areq).AnyTimes().Return(nil) }, }, } { c.setup() err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp) assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr) t.Logf("Passed test case %d", k) } }
func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) { ctrl := gomock.NewController(t) store := internal.NewMockAuthorizeCodeGrantStorage(ctrl) chgen := internal.NewMockAuthorizeCodeStrategy(ctrl) aresp := internal.NewMockAuthorizeResponder(ctrl) defer ctrl.Finish() areq := fosite.NewAuthorizeRequest() httpreq := &http.Request{Form: url.Values{}} areq.Session = new(fosite.DefaultSession) h := AuthorizeExplicitGrantHandler{ AuthorizeCodeGrantStorage: store, AuthorizeCodeStrategy: chgen, ScopeStrategy: fosite.HierarchicScopeStrategy, } for k, c := range []struct { description string setup func() expectErr error }{ { description: "should pass because not responsible for handling an empty response type", setup: func() { areq.ResponseTypes = fosite.Arguments{""} }, }, { description: "should pass because not responsible for handling an invalid response type", setup: func() { areq.ResponseTypes = fosite.Arguments{"foo"} }, }, { description: "should fail because redirect uri is not https", setup: func() { areq.ResponseTypes = fosite.Arguments{"code"} areq.Client = &fosite.DefaultClient{ResponseTypes: fosite.Arguments{"code"}} areq.RedirectURI, _ = url.Parse("http://asdf.de/cb") }, expectErr: fosite.ErrInvalidRequest, }, { description: "should fail because authorize code generation failed", setup: func() { areq.RedirectURI, _ = url.Parse("https://foobar.com/cb") chgen.EXPECT().GenerateAuthorizeCode(nil, areq).Return("", "", errors.New("")) }, expectErr: fosite.ErrServerError, }, { description: "should fail because could not presist authorize code session", setup: func() { chgen.EXPECT().GenerateAuthorizeCode(nil, areq).AnyTimes().Return("someauthcode.authsig", "authsig", nil) store.EXPECT().CreateAuthorizeCodeSession(nil, "authsig", areq).Return(errors.New("")) }, expectErr: fosite.ErrServerError, }, { description: "should pass", setup: func() { areq.GrantedScopes = fosite.Arguments{"a", "b"} areq.State = "superstate" store.EXPECT().CreateAuthorizeCodeSession(nil, "authsig", areq).Return(nil) aresp.EXPECT().AddQuery("code", "someauthcode.authsig") aresp.EXPECT().AddQuery("scope", strings.Join(areq.GrantedScopes, " ")) aresp.EXPECT().AddQuery("state", areq.State) }, }, } { c.setup() err := h.HandleAuthorizeEndpointRequest(nil, httpreq, areq, aresp) assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr) t.Logf("Passed test case %d", k) } }