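// TestKeycloakAuthorizationRedirect checks the first step of the login flow:
// a request with no "code"/"state" parameters must be redirected (307) to the
// configured Keycloak authorization endpoint.
func TestKeycloakAuthorizationRedirect(t *testing.T) {
	resource.Require(t, resource.UnitTest)

	// Setup request context
	rw := httptest.NewRecorder()
	u := &url.URL{
		Path: fmt.Sprintf("/api/login/authorize"),
	}
	req, err := http.NewRequest("GET", u.String(), nil)
	if err != nil {
		// A broken fixture is a test bug; report it through the testing API
		// instead of panicking so the failure is attributed to this test.
		t.Fatal("invalid test ", err)
	}

	// The user clicks login while on ALM UI.
	// Therefore the referer would be an ALM URL.
	refererUrl := "https://alm-url.example.org/path"
	req.Header.Add("referer", refererUrl)

	prms := url.Values{}
	ctx := context.Background()
	goaCtx := goa.NewContext(goa.WithAction(ctx, "LoginTest"), rw, req, prms)
	authorizeCtx, err := app.NewAuthorizeLoginContext(goaCtx, goa.New("LoginService"))
	if err != nil {
		t.Fatal("invalid test data ", err)
	}

	// The redirect is written by the controller itself, so Perform is expected
	// to return nil on this path; the returned error was previously dropped.
	err = loginService.Perform(authorizeCtx)
	assert.NoError(t, err)

	assert.Equal(t, 307, rw.Code)
	// The browser must be sent to Keycloak, not anywhere derived from the request.
	assert.Contains(t, rw.Header().Get("Location"), configuration.GetKeycloakEndpointAuth())
}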
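// TestInvalidState checks that a callback carrying a "code" but an empty
// "state" is rejected with 401. The state binds the callback to the browser
// session that started the flow, so a missing value must never be accepted.
func TestInvalidState(t *testing.T) {
	resource.Require(t, resource.UnitTest)

	// Setup request context
	rw := httptest.NewRecorder()
	u := &url.URL{
		Path: fmt.Sprintf("/api/login/authorize"),
	}
	req, err := http.NewRequest("GET", u.String(), nil)
	if err != nil {
		// A broken fixture is a test bug; report it through the testing API.
		t.Fatal("invalid test ", err)
	}

	// The OAuth 'state' is sent as a query parameter by calling /api/login/authorize?code=_SOME_CODE_&state=_SOME_STATE_
	// The request originates from Keycloak after a valid authorization by the end user.
	// This is not where the redirection should happen on failure.
	refererKeycloakUrl := "https://keycloak-url.example.org/path-of-login"
	req.Header.Add("referer", refererKeycloakUrl)

	prms := url.Values{
		"state": {},
		"code":  {"doesnt_matter_what_is_here"},
	}
	ctx := context.Background()
	goaCtx := goa.NewContext(goa.WithAction(ctx, "LoginTest"), rw, req, prms)
	authorizeCtx, err := app.NewAuthorizeLoginContext(goaCtx, goa.New("LoginService"))
	if err != nil {
		t.Fatal("invalid test data ", err)
	}

	// The 401 response is written by the controller; Perform is expected to
	// return nil here. The returned error was previously dropped.
	err = loginService.Perform(authorizeCtx)
	assert.NoError(t, err)

	assert.Equal(t, 401, rw.Code)
	// An invalid state must not bounce the browser anywhere, least of all
	// back to the Keycloak URL found in the Referer.
	assert.Empty(t, rw.Header().Get("Location"))
}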
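// TestInvalidOAuthAuthorizationCode drives the two legs of the login flow.
//
// When a valid referrer talks to our system and provides
// an invalid OAuth2.0 code, the access token exchange
// fails. In such a scenario, there is response redirection
// to the valid referer, ie, the URL where the request originated from.
// Currently, this should be something like https://demo.almighty.org/somepage/
//
// Leg 1 obtains the "state" the service generates for the ALM referer; leg 2
// replays that state with a bogus "code" from a Keycloak referer and expects
// the failure redirect to go to the ALM page, not back to Keycloak.
func TestInvalidOAuthAuthorizationCode(t *testing.T) {
	resource.Require(t, resource.UnitTest)

	// Setup request context
	rw := httptest.NewRecorder()
	u := &url.URL{
		Path: fmt.Sprintf("/api/login/authorize"),
	}
	req, err := http.NewRequest("GET", u.String(), nil)
	if err != nil {
		// A broken fixture is a test bug; report it through the testing API.
		t.Fatal("invalid test ", err)
	}

	// The user clicks login while on ALM UI.
	// Therefore the referer would be an ALM URL.
	refererUrl := "https://alm-url.example.org/path"
	req.Header.Add("referer", refererUrl)

	prms := url.Values{}
	ctx := context.Background()
	goaCtx := goa.NewContext(goa.WithAction(ctx, "LoginTest"), rw, req, prms)
	authorizeCtx, err := app.NewAuthorizeLoginContext(goaCtx, goa.New("LoginService"))
	if err != nil {
		t.Fatal("invalid test data ", err)
	}

	// The redirect is written by the controller; Perform is expected to
	// return nil. The returned error was previously dropped.
	err = loginService.Perform(authorizeCtx)
	assert.NoError(t, err)
	assert.Equal(t, 307, rw.Code) // redirect to keycloak login page.

	// Header().Get replaces indexing the deprecated HeaderMap, which panicked
	// with an index-out-of-range instead of failing the test when no
	// Location header was set.
	locationString := rw.Header().Get("Location")
	locationUrl, err := url.Parse(locationString)
	if err != nil {
		t.Fatal("Redirect URL is in a wrong format ", err)
	}
	t.Log(locationString)

	// The service must issue a non-empty state on leg 1; it is what leg 2 is
	// validated against. Failing here (rather than indexing [0]) keeps a
	// missing state from surfacing as a panic.
	returnedState := locationUrl.Query().Get("state")
	if returnedState == "" {
		t.Fatal("Redirect to Keycloak carries no state parameter: ", locationString)
	}

	// Leg 2: replay the state with an invalid code.
	prms = url.Values{
		"state": {returnedState},
		"code":  {"INVALID_OAUTH2.0_CODE"},
	}
	ctx = context.Background()
	rw = httptest.NewRecorder()
	req, err = http.NewRequest("GET", u.String(), nil)
	// The error must be checked before req is used: previously the Referer was
	// added to a possibly nil request first.
	if err != nil {
		t.Fatal("invalid test ", err)
	}

	// The OAuth code is sent as a query parameter by calling /api/login/authorize?code=_SOME_CODE_&state=_SOME_STATE_
	// The request originates from Keycloak after a valid authorization by the end user.
	// This is not where the redirection should happen on failure.
	refererKeycloakUrl := "https://keycloak-url.example.org/path-of-login"
	req.Header.Add("referer", refererKeycloakUrl)

	goaCtx = goa.NewContext(goa.WithAction(ctx, "LoginTest"), rw, req, prms)
	authorizeCtx, err = app.NewAuthorizeLoginContext(goaCtx, goa.New("LoginService"))
	if err != nil {
		t.Fatal("invalid test data ", err)
	}

	err = loginService.Perform(authorizeCtx)
	assert.NoError(t, err)
	assert.Equal(t, 307, rw.Code) // redirect to ALM page where login was clicked.

	locationString = rw.Header().Get("Location")
	locationUrl, err = url.Parse(locationString)
	if err != nil {
		t.Fatal("Redirect URL is in a wrong format ", err)
	}
	t.Log(locationString)

	allQueryParameters := locationUrl.Query()
	// The failure reason is reported to the originating page as an "error"
	// query parameter. Expected value goes first in assert.Equal.
	assert.NotEmpty(t, allQueryParameters["error"])
	returnedErrorReason := allQueryParameters.Get("error")
	assert.Equal(t, InvalidCodeError, returnedErrorReason)
	assert.NotEmpty(t, returnedErrorReason)

	// On failure the browser goes back to the page that started the login,
	// never to the Keycloak URL seen in the second request's Referer.
	// NOTE(review): the redirect target here is derived from the leg-1 Referer;
	// whether the service restricts it to known ALM origins is not covered by
	// this test — confirm against the implementation.
	assert.NotContains(t, locationString, refererKeycloakUrl)
	assert.Contains(t, locationString, refererUrl)
}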