Exemple #1
0
func TestOIDCDiscoverySecureConnection(t *testing.T) {
	// Verify that plain HTTP issuer URL is forbidden.
	op := oidctesting.NewOIDCProvider(t)
	srv := httptest.NewServer(op.Mux)
	defer srv.Close()

	op.PCFG = oidc.ProviderConfig{
		Issuer:       oidctesting.MustParseURL(srv.URL),
		KeysEndpoint: oidctesting.MustParseURL(srv.URL + "/keys"),
	}

	expectErr := fmt.Errorf("'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'", srv.URL, "http")

	_, err := New(OIDCOptions{srv.URL, "client-foo", "", "sub", "", 0, 0})
	if !reflect.DeepEqual(err, expectErr) {
		t.Errorf("Expecting %v, but got %v", expectErr, err)
	}

	// Verify the cert/key pair works.
	cert1 := path.Join(os.TempDir(), "oidc-cert-1")
	key1 := path.Join(os.TempDir(), "oidc-key-1")
	cert2 := path.Join(os.TempDir(), "oidc-cert-2")
	key2 := path.Join(os.TempDir(), "oidc-key-2")

	defer os.Remove(cert1)
	defer os.Remove(key1)
	defer os.Remove(cert2)
	defer os.Remove(key2)

	oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert1, key1)
	oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert2, key2)

	// Create a TLS server using cert/key pair 1.
	tlsSrv, err := op.ServeTLSWithKeyPair(cert1, key1)
	if err != nil {
		t.Fatalf("Cannot start server: %v", err)
	}
	defer tlsSrv.Close()

	op.PCFG = oidc.ProviderConfig{
		Issuer:       oidctesting.MustParseURL(tlsSrv.URL),
		KeysEndpoint: oidctesting.MustParseURL(tlsSrv.URL + "/keys"),
	}

	// Create a client using cert2, should fail.
	_, err = New(OIDCOptions{tlsSrv.URL, "client-foo", cert2, "sub", "", 0, 0})
	if err == nil {
		t.Fatalf("Expecting error, but got nothing")
	}

}
Exemple #2
0
func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
	var err error
	expectErr := fmt.Errorf("failed to fetch provider config after 0 retries")

	cert := path.Join(os.TempDir(), "oidc-cert")
	key := path.Join(os.TempDir(), "oidc-key")

	defer os.Remove(cert)
	defer os.Remove(key)

	oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert, key)

	op := oidctesting.NewOIDCProvider(t)
	srv, err := op.ServeTLSWithKeyPair(cert, key)
	if err != nil {
		t.Fatalf("Cannot start server %v", err)
	}
	defer srv.Close()

	op.PCFG = oidc.ProviderConfig{
		Issuer: oidctesting.MustParseURL(srv.URL), // An invalid ProviderConfig. Keys endpoint is required.
	}

	_, err = New(OIDCOptions{srv.URL, "client-foo", cert, "sub", "", 0, 0})
	if !reflect.DeepEqual(err, expectErr) {
		t.Errorf("Expecting %v, but got %v", expectErr, err)
	}
}