func TestCreateGetDeleteOpenIDConnectSession(t *testing.T) {
ctx := context.Background()
for k, m := range clientManagers {
_, err := m.GetOpenIDConnectSession(ctx, "4321", &fosite.Request{})
pkg.AssertError(t, true, err, "%s", k)
err = m.CreateOpenIDConnectSession(ctx, "4321", &defaultRequest)
pkg.AssertError(t, false, err, "%s", k)
time.Sleep(100 * time.Millisecond)
res, err := m.GetOpenIDConnectSession(ctx, "4321", &fosite.Request{
Session: &testSession{},
})
pkg.RequireError(t, false, err, "%s", k)
c.AssertObjectKeysEqual(t, &defaultRequest, res, "Scopes", "GrantedScopes", "Form", "Session")
err = m.DeleteOpenIDConnectSession(ctx, "4321")
pkg.AssertError(t, false, err, "%s", k)
time.Sleep(100 * time.Millisecond)
_, err = m.GetOpenIDConnectSession(ctx, "4321", &fosite.Request{})
pkg.AssertError(t, true, err, "%s", k)
}
}
func TestCreateGetDelete(t *testing.T) {
for _, c := range cases {
err := s.Create(c)
assert.Nil(t, err)
get, err := s.Get(c.GetID())
assert.Nil(t, err)
pkg.AssertObjectKeysEqual(t, c, get, "Description", "Subjects", "Resources", "Effect", "Permissions")
assert.Equal(t, len(c.Conditions), len(get.GetConditions()))
//assert.True(t, reflect.DeepEqual(c, get), "%v does not equal %v", c, get)
}
for _, c := range cases {
assert.Nil(t, s.Delete(c.GetID()))
_, err := s.Get(c.GetID())
assert.NotNil(t, err)
}
}
func TestCreateGetDelete(t *testing.T) {
for k, s := range managers {
for _, c := range managerPolicies {
err := s.Create(c)
assert.Nil(t, err, "%s: %s", k, err)
time.Sleep(time.Millisecond * 100)
get, err := s.Get(c.GetID())
assert.Nil(t, err, "%s: %s", k, err)
pkg.AssertObjectKeysEqual(t, c, get, "Description", "Subjects", "Resources", "Effect", "Actions")
assert.EqualValues(t, c.Conditions, get.GetConditions(), "%s", k)
}
for _, c := range managerPolicies {
assert.Nil(t, s.Delete(c.GetID()), k)
_, err := s.Get(c.GetID())
assert.NotNil(t, err, "%s: %s", k, err)
}
}
}
func TestNewAccessRequest(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockStorage(ctrl)
client := internal.NewMockClient(ctrl)
handler := internal.NewMockTokenEndpointHandler(ctrl)
hasher := internal.NewMockHasher(ctrl)
defer ctrl.Finish()
fosite := &Fosite{Store: store, Hasher: hasher}
for k, c := range []struct {
header http.Header
form url.Values
mock func()
method string
expectErr error
expect *AccessRequest
handlers TokenEndpointHandlers
}{
{
header: http.Header{},
expectErr: ErrInvalidRequest,
method: "POST",
mock: func() {},
},
{
header: http.Header{},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
mock: func() {},
expectErr: ErrInvalidRequest,
},
{
header: http.Header{},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
"client_id": {"foo"},
},
expectErr: ErrInvalidRequest,
mock: func() {},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(nil, errors.New(""))
},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "GET",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidRequest,
mock: func() {},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(nil, errors.New(""))
},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(errors.New(""))
},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrServerError,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrServerError)
},
handlers: TokenEndpointHandlers{"a": handler},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrUnsupportedGrantType,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
},
handlers: TokenEndpointHandlers{"a": handler},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrUnsupportedGrantType,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester, _ interface{}) {
a.SetGrantTypeHandled("bar")
}).Return(nil)
},
handlers: TokenEndpointHandlers{"a": handler},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester, _ interface{}) {
a.SetGrantTypeHandled("foo")
a.SetScopes([]string{"asdfasdf"})
}).Return(nil)
},
handlers: TokenEndpointHandlers{"a": handler},
expectErr: ErrInvalidScope,
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester, _ interface{}) {
a.SetGrantTypeHandled("foo")
a.SetScopes([]string{DefaultRequiredScopeName})
}).Return(nil)
},
handlers: TokenEndpointHandlers{"a": handler},
expect: &AccessRequest{
GrantType: "foo",
HandledGrantType: []string{"foo"},
Client: client,
},
},
} {
r := &http.Request{
Header: c.header,
PostForm: c.form,
Form: c.form,
Method: c.method,
}
c.mock()
ctx := NewContext()
fosite.TokenEndpointHandlers = c.handlers
ar, err := fosite.NewAccessRequest(ctx, r, &struct{}{})
is := errors.Is(c.expectErr, err)
assert.True(t, is, "%d\nwant: %s \ngot: %s", k, c.expectErr, err)
if !is {
t.Logf("Error occured: %s", err.(*errors.Error).ErrorStack())
}
if err == nil {
pkg.AssertObjectKeysEqual(t, c.expect, ar, "GrantType", "Client")
assert.NotNil(t, ar.GetRequestedAt())
}
t.Logf("Passed test case %d", k)
}
}
// Should pass
//
// * https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Terminology
// The OAuth 2.0 specification allows for registration of space-separated response_type parameter values.
// If a Response Type contains one of more space characters (%20), it is compared as a space-delimited list of
// values in which the order of values does not matter.
func TestNewAuthorizeRequest(t *testing.T) {
ctrl := gomock.NewController(t)
store := NewMockStorage(ctrl)
defer ctrl.Finish()
redir, _ := url.Parse("https://foo.bar/cb")
for k, c := range []struct {
desc string
conf *Fosite
r *http.Request
query url.Values
expectedError error
mock func()
expect *AuthorizeRequest
}{
/* empty request */
{
desc: "empty request fails",
conf: &Fosite{Store: store},
r: &http.Request{},
expectedError: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Any()).Return(nil, errors.New("foo"))
},
},
/* invalid redirect uri */
{
desc: "invalid redirect uri fails",
conf: &Fosite{Store: store},
query: url.Values{"redirect_uri": []string{"invalid"}},
expectedError: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Any()).Return(nil, errors.New("foo"))
},
},
/* invalid client */
{
desc: "invalid client fails",
conf: &Fosite{Store: store},
query: url.Values{"redirect_uri": []string{"https://foo.bar/cb"}},
expectedError: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Any()).Return(nil, errors.New("foo"))
},
},
/* redirect client mismatch */
{
desc: "client and request redirects mismatch",
conf: &Fosite{Store: store},
query: url.Values{
"client_id": []string{"1234"},
},
expectedError: ErrInvalidRequest,
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"invalid"}}, nil)
},
},
/* redirect client mismatch */
{
desc: "client and request redirects mismatch",
conf: &Fosite{Store: store},
query: url.Values{
"redirect_uri": []string{""},
"client_id": []string{"1234"},
},
expectedError: ErrInvalidRequest,
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"invalid"}}, nil)
},
},
/* redirect client mismatch */
{
desc: "client and request redirects mismatch",
conf: &Fosite{Store: store},
query: url.Values{
"redirect_uri": []string{"https://foo.bar/cb"},
"client_id": []string{"1234"},
},
expectedError: ErrInvalidRequest,
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"invalid"}}, nil)
},
},
/* no state */
{
desc: "no state",
conf: &Fosite{Store: store},
query: url.Values{
"redirect_uri": []string{"https://foo.bar/cb"},
"client_id": []string{"1234"},
"response_type": []string{"code"},
},
expectedError: ErrInvalidState,
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
},
},
/* short state */
{
desc: "short state",
conf: &Fosite{Store: store},
query: url.Values{
"redirect_uri": {"https://foo.bar/cb"},
"client_id": {"1234"},
"response_type": {"code"},
"state": {"short"},
},
expectedError: ErrInvalidState,
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
},
},
/* success case */
{
desc: "should pass",
conf: &Fosite{Store: store},
query: url.Values{
"redirect_uri": {"https://foo.bar/cb"},
"client_id": {"1234"},
"response_type": {"code"},
"state": {"strong-state"},
"scope": {"foo bar"},
},
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
},
expectedError: ErrInvalidScope,
},
{
desc: "should not pass because hybrid flow is not active",
conf: &Fosite{Store: store},
query: url.Values{
"redirect_uri": {"https://foo.bar/cb"},
"client_id": {"1234"},
"response_type": {"code token"},
"state": {"strong-state"},
"scope": {DefaultRequiredScopeName + " foo bar"},
},
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
},
expectedError: ErrInvalidRequest,
},
{
desc: "should not pass because hybrid flow is not active",
conf: &Fosite{Store: store},
query: url.Values{
"redirect_uri": {"https://foo.bar/cb"},
"client_id": {"1234"},
"response_type": {"code"},
"state": {"strong-state"},
"scope": {DefaultRequiredScopeName + " foo bar"},
},
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
},
expect: &AuthorizeRequest{
RedirectURI: redir,
ResponseTypes: []string{"code"},
State: "strong-state",
Request: Request{
Scopes: []string{DefaultRequiredScopeName, "foo", "bar"},
Client: &SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}},
},
},
},
{
desc: "should pass",
conf: &Fosite{Store: store, AllowHybridFlow: true},
query: url.Values{
"redirect_uri": {"https://foo.bar/cb"},
"client_id": {"1234"},
"response_type": {"code token"},
"state": {"strong-state"},
"scope": {DefaultRequiredScopeName + " foo bar"},
},
mock: func() {
store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
},
expect: &AuthorizeRequest{
RedirectURI: redir,
ResponseTypes: []string{"code", "token"},
State: "strong-state",
Request: Request{
Client: &SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}},
Scopes: []string{DefaultRequiredScopeName, "foo", "bar"},
},
},
},
} {
t.Logf("Joining test case %d", k)
c.mock()
if c.r == nil {
c.r = &http.Request{Header: http.Header{}}
if c.query != nil {
c.r.URL = &url.URL{RawQuery: c.query.Encode()}
}
}
ar, err := c.conf.NewAuthorizeRequest(context.Background(), c.r)
assert.Equal(t, c.expectedError == nil, err == nil, "%d: %s\n%s", k, c.desc, err)
if c.expectedError != nil {
assert.Equal(t, err.Error(), c.expectedError.Error(), "%d: %s\n%s", k, c.desc, err)
} else {
pkg.AssertObjectKeysEqual(t, c.expect, ar, "ResponseTypes", "Scopes", "Client", "RedirectURI", "State")
assert.NotNil(t, ar.GetRequestedAt())
}
t.Logf("Passed test case %d", k)
}
}
func TestCreateAndGetCases(t *testing.T) {
a := uuid.New()
b := uuid.New()
for _, c := range []struct {
p account.CreateAccountRequest
pass bool
find bool
}{
{
p: account.CreateAccountRequest{
ID: a,
Username: "******",
Password: "******",
Data: `{"foo": "bar"}`,
},
pass: true, find: true,
},
{
p: account.CreateAccountRequest{
ID: a,
Username: "******",
Password: "******",
Data: `{"foo": "bar"}`,
},
pass: false, find: true,
},
{
p: account.CreateAccountRequest{
ID: b,
Username: "******",
Password: "******",
Data: `{"foo": "bar"}`,
},
pass: false, find: false,
},
{
p: account.CreateAccountRequest{
ID: uuid.New(),
Username: uuid.New(),
Password: "******",
Data: "",
},
pass: true, find: true,
},
} {
result, err := store.Create(c.p)
if c.pass {
assert.Nil(t, err)
pkg.AssertObjectKeysEqual(t, c.p, result, "ID", "Username")
result, err = store.Get(c.p.ID)
assert.Equal(t, c.find, err == nil)
if !c.find {
continue
}
pkg.AssertObjectKeysEqual(t, c.p, result, "ID", "Username")
} else {
assert.NotNil(t, err)
result, err = store.Get(c.p.ID)
assert.Equal(t, c.find, err == nil)
if !c.find {
continue
}
pkg.AssertObjectKeysEqual(t, c.p, result, "ID", "Username")
}
}
}
func TestNewAccessRequest(t *testing.T) {
ctrl := gomock.NewController(t)
store := internal.NewMockStorage(ctrl)
client := internal.NewMockClient(ctrl)
handler := internal.NewMockTokenEndpointHandler(ctrl)
hasher := internal.NewMockHasher(ctrl)
defer ctrl.Finish()
fosite := &Fosite{Store: store, Hasher: hasher}
for k, c := range []struct {
header http.Header
form url.Values
mock func()
method string
expectErr error
expect *AccessRequest
handlers TokenEndpointHandlers
}{
{
header: http.Header{},
expectErr: ErrInvalidRequest,
method: "POST",
mock: func() {},
},
{
header: http.Header{},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
mock: func() {},
expectErr: ErrInvalidRequest,
},
{
header: http.Header{},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
"client_id": {"foo"},
},
expectErr: ErrInvalidRequest,
mock: func() {},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(nil, errors.New(""))
},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "GET",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidRequest,
mock: func() {},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(nil, errors.New(""))
},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrInvalidClient,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().IsPublic().Return(false)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(errors.New(""))
},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
expectErr: ErrServerError,
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().IsPublic().Return(false)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrServerError)
},
handlers: TokenEndpointHandlers{handler},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().IsPublic().Return(false)
client.EXPECT().GetHashedSecret().Return([]byte("foo"))
hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
},
handlers: TokenEndpointHandlers{handler},
expect: &AccessRequest{
GrantTypes: Arguments{"foo"},
Request: Request{
Client: client,
},
},
},
{
header: http.Header{
"Authorization": {basicAuth("foo", "bar")},
},
method: "POST",
form: url.Values{
"grant_type": {"foo"},
},
mock: func() {
store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
client.EXPECT().IsPublic().Return(true)
handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
},
handlers: TokenEndpointHandlers{handler},
expect: &AccessRequest{
GrantTypes: Arguments{"foo"},
Request: Request{
Client: client,
},
},
},
} {
r := &http.Request{
Header: c.header,
PostForm: c.form,
Form: c.form,
Method: c.method,
}
c.mock()
ctx := NewContext()
fosite.TokenEndpointHandlers = c.handlers
ar, err := fosite.NewAccessRequest(ctx, r, new(DefaultSession))
assert.True(t, errors.Cause(err) == c.expectErr, "%d\nwant: %s \ngot: %s", k, c.expectErr, err)
if err != nil {
t.Logf("Error occured: %v", err)
} else {
pkg.AssertObjectKeysEqual(t, c.expect, ar, "GrantTypes", "Client")
assert.NotNil(t, ar.GetRequestedAt())
}
t.Logf("Passed test case %d", k)
}
}