func newAPIDriver(pcfg oidc.ProviderConfig, creds oidc.ClientCredentials) (driver, error) { ccfg := oidc.ClientConfig{ ProviderConfig: pcfg, Credentials: creds, } oc, err := oidc.NewClient(ccfg) if err != nil { return nil, err } trans := &oidc.AuthenticatedTransport{ TokenRefresher: &oidc.ClientCredsTokenRefresher{ Issuer: pcfg.Issuer, OIDCClient: oc, }, RoundTripper: http.DefaultTransport, } hc := &http.Client{Transport: trans} svc, err := schema.NewWithBasePath(hc, pcfg.Issuer) if err != nil { return nil, err } return &apiDriver{svc: svc}, nil }
func makeUserAPITestFixtures() *userAPITestFixtures { f := &userAPITestFixtures{} _, _, um := makeUserObjects(userUsers, userPasswords) cir := client.NewClientIdentityRepo([]oidc.ClientIdentity{ oidc.ClientIdentity{ Credentials: oidc.ClientCredentials{ ID: testClientID, Secret: testClientSecret, }, Metadata: oidc.ClientMetadata{ RedirectURLs: []url.URL{ testRedirectURL, }, }, }, oidc.ClientIdentity{ Credentials: oidc.ClientCredentials{ ID: userBadClientID, Secret: "secret", }, Metadata: oidc.ClientMetadata{ RedirectURLs: []url.URL{ testRedirectURL, }, }, }, }) cir.SetDexAdmin(testClientID, true) noop := func() error { return nil } keysFunc := func() []key.PublicKey { return []key.PublicKey{*key.NewPublicKey(testPrivKey.JWK())} } jwtvFactory := func(clientID string) oidc.JWTVerifier { return oidc.NewJWTVerifier(testIssuerURL.String(), clientID, noop, keysFunc) } f.emailer = &testEmailer{} api := api.NewUsersAPI(um, cir, f.emailer, "local") usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, cir) f.hSrv = httptest.NewServer(usrSrv.HTTPHandler()) f.trans = &tokenHandlerTransport{ Handler: usrSrv.HTTPHandler(), Token: userGoodToken, } hc := &http.Client{ Transport: f.trans, } f.client, _ = schema.NewWithBasePath(hc, f.hSrv.URL) return f }
func makeUserAPITestFixtures(clientCredsFlag bool) *userAPITestFixtures { f := &userAPITestFixtures{} dbMap, _, _, um := makeUserObjects(userUsers, userPasswords) clients := []client.LoadableClient{ { Client: client.Client{ Credentials: oidc.ClientCredentials{ ID: testClientID, Secret: testClientSecret, }, Metadata: oidc.ClientMetadata{ RedirectURIs: []url.URL{ testRedirectURL, }, }, }, }, { Client: client.Client{ Credentials: oidc.ClientCredentials{ ID: userBadClientID, Secret: base64.URLEncoding.EncodeToString([]byte("secret")), }, Metadata: oidc.ClientMetadata{ RedirectURIs: []url.URL{ testBadRedirectURL, }, }, }, }, } _, clientManager, err := makeClientRepoAndManager(dbMap, clients) if err != nil { panic("Failed to create client identity manager: " + err.Error()) } clientManager.SetDexAdmin(testClientID, true) noop := func() error { return nil } keysFunc := func() []key.PublicKey { return []key.PublicKey{*key.NewPublicKey(testPrivKey.JWK())} } jwtvFactory := func(clientID string) oidc.JWTVerifier { return oidc.NewJWTVerifier(testIssuerURL.String(), clientID, noop, keysFunc) } refreshRepo := db.NewRefreshTokenRepo(dbMap) for _, user := range userUsers { if _, err := refreshRepo.Create(user.User.ID, testClientID, "", append([]string{"offline_access"}, oidc.DefaultScope...)); err != nil { panic("Failed to create refresh token: " + err.Error()) } } f.emailer = &testEmailer{} um.Clock = clock api := api.NewUsersAPI(um, clientManager, refreshRepo, f.emailer, "local", clientCredsFlag) usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, clientManager, clientCredsFlag) f.hSrv = httptest.NewServer(usrSrv.HTTPHandler()) f.trans = &tokenHandlerTransport{ Handler: usrSrv.HTTPHandler(), Token: userGoodToken, } hc := &http.Client{ Transport: f.trans, } f.client, _ = schema.NewWithBasePath(hc, f.hSrv.URL) return f }
func makeUserAPITestFixtures() *userAPITestFixtures { f := &userAPITestFixtures{} dbMap, _, _, um := makeUserObjects(userUsers, userPasswords) clients := []client.Client{ client.Client{ Credentials: oidc.ClientCredentials{ ID: testClientID, Secret: testClientSecret, }, Metadata: oidc.ClientMetadata{ RedirectURIs: []url.URL{ testRedirectURL, }, }, }, client.Client{ Credentials: oidc.ClientCredentials{ ID: userBadClientID, Secret: base64.URLEncoding.EncodeToString([]byte("secret")), }, Metadata: oidc.ClientMetadata{ RedirectURIs: []url.URL{ testBadRedirectURL, }, }, }, } clientIDGenerator := func(hostport string) (string, error) { return hostport, nil } secGen := func() ([]byte, error) { return []byte(testClientSecret), nil } clientRepo := db.NewClientRepo(dbMap) clientManager, err := manager.NewClientManagerFromClients(clientRepo, db.TransactionFactory(dbMap), clients, manager.ManagerOptions{ClientIDGenerator: clientIDGenerator, SecretGenerator: secGen}) if err != nil { panic("Failed to create client identity manager: " + err.Error()) } clientManager.SetDexAdmin(testClientID, true) noop := func() error { return nil } keysFunc := func() []key.PublicKey { return []key.PublicKey{*key.NewPublicKey(testPrivKey.JWK())} } jwtvFactory := func(clientID string) oidc.JWTVerifier { return oidc.NewJWTVerifier(testIssuerURL.String(), clientID, noop, keysFunc) } refreshRepo := db.NewRefreshTokenRepo(dbMap) for _, user := range userUsers { if _, err := refreshRepo.Create(user.User.ID, testClientID); err != nil { panic("Failed to create refresh token: " + err.Error()) } } f.emailer = &testEmailer{} um.Clock = clock api := api.NewUsersAPI(um, clientManager, refreshRepo, f.emailer, "local") usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, clientManager) f.hSrv = httptest.NewServer(usrSrv.HTTPHandler()) f.trans = &tokenHandlerTransport{ Handler: usrSrv.HTTPHandler(), Token: userGoodToken, } hc := &http.Client{ Transport: f.trans, } f.client, _ = schema.NewWithBasePath(hc, f.hSrv.URL) return f }
func TestClientCreate(t *testing.T) { ci := client.Client{ // Credentials are for reference, they are actually generated by the client manager Credentials: oidc.ClientCredentials{ ID: "authn.example.com", Secret: base64.URLEncoding.EncodeToString([]byte("secret")), }, Metadata: oidc.ClientMetadata{ RedirectURIs: []url.URL{ {Scheme: "https://", Host: "authn.example.com", Path: "/callback"}, }, }, } cis := []client.Client{ci} srv, err := mockServer(cis) if err != nil { t.Fatalf("Unexpected error setting up server: %v", err) } oidcClient, err := mockClient(srv, ci) if err != nil { t.Fatalf("Unexpected error setting up OIDC client: %v", err) } tok, err := oidcClient.ClientCredsToken([]string{"openid"}) if err != nil { t.Fatalf("Failed getting client token: %v", err) } callbackURL := "http://example.com/oidc/callback" trans := &tokenHandlerTransport{ Handler: srv.HTTPHandler(), Token: tok.Encode(), } hc := &http.Client{ Transport: trans, } iss := srv.IssuerURL.String() svc, err := schema.NewWithBasePath(hc, iss) if err != nil { t.Fatalf("Failed creating API service client: %v", err) } newClientInput := &schema.Client{ RedirectURIs: []string{callbackURL, "http://example.com"}, } call := svc.Clients.Create(newClientInput) newClient, err := call.Do() if err != nil { t.Fatalf("Call to create client API failed: %v", err) } if newClient.Id == "" { t.Error("Expected non-empty Client ID") } if newClient.Secret == "" { t.Error("Expected non-empty Client Secret") } meta, err := srv.ClientManager.Metadata(newClient.Id) if err != nil { t.Errorf("Error looking up client metadata: %v", err) } else if meta == nil { t.Error("Expected new client to exist in repo") } gotURLs := make([]string, len(meta.RedirectURIs)) for i, u := range meta.RedirectURIs { gotURLs[i] = u.String() } if !reflect.DeepEqual(newClientInput.RedirectURIs, gotURLs) { t.Errorf("Callback URL mismatch, want=%s, got=%s", newClientInput.RedirectURIs, gotURLs) } }