func TestCreateGetFindDelete(t *testing.T) { require.Nil(t, store.Create(connection)) c, err := store.Get(connection.ID) require.Nil(t, err) require.Equal(t, connection, c) c, err = store.FindByRemoteSubject("google", "peterson") require.Nil(t, err) require.Equal(t, connection, c) cs, err := store.FindAllByLocalSubject("peter") require.Nil(t, err) require.Equal(t, connection, cs[0]) require.Nil(t, store.Delete(connection.ID)) _, err = store.Get(connection.ID) require.NotNil(t, err) }
func TestCreateGetDeleteGet(t *testing.T) { for k, c := range []test{ {subject: "peter", token: jwt.Token{Valid: false}, policies: []policy.Policy{policies["fail"]}, createData: data["fail"], statusCreate: http.StatusUnauthorized}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["fail"]}, createData: data["fail"], statusCreate: http.StatusForbidden}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-create"]}, createData: data["ok-max"], statusCreate: http.StatusOK, statusGet: http.StatusForbidden}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-create"]}, createData: data["fail"], statusCreate: http.StatusBadRequest}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-create"]}, createData: data["fail-validation"], statusCreate: http.StatusBadRequest}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-create"], policies["pass-get"]}, createData: data["ok-zac"], statusCreate: http.StatusOK, statusGet: http.StatusOK, statusDelete: http.StatusForbidden}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-all"]}, createData: data["ok-steve"], statusCreate: http.StatusOK, statusGet: http.StatusOK, statusDelete: http.StatusAccepted, statusGetAfterDelete: http.StatusNotFound}, } { func() { handler := &Handler{s: store, m: mw} router := mux.NewRouter() handler.SetRoutes(router, mockAuthorization(c)) ts := httptest.NewServer(router) defer ts.Close() request := gorequest.New() connectionsURL := fmt.Sprintf("%s/oauth2/connections?subject=%s", ts.URL, c.subject) resp, body, _ := request.Post(connectionsURL).Send(*c.createData).End() require.Equal(t, c.statusCreate, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusOK { return } var conn DefaultConnection assert.Nil(t, json.Unmarshal([]byte(body), &conn)) resp, body, _ = request.Get(connectionsURL).End() require.Equal(t, c.statusGet, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusOK { return } resp, body, _ = request.Get(fmt.Sprintf("%s/oauth2/connections/%s", ts.URL, conn.ID)).End() require.Equal(t, c.statusGet, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusOK { return } resp, body, _ = request.Post(connectionsURL).Send(*c.createData).End() require.Equal(t, http.StatusInternalServerError, resp.StatusCode, "case %d: %s", k, body) resp, body, _ = request.Delete(fmt.Sprintf("%s/oauth2/connections/%s", ts.URL, conn.ID)).End() require.Equal(t, c.statusDelete, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusAccepted { return } resp, body, _ = request.Get(fmt.Sprintf("%s/oauth2/connections/%s", ts.URL, conn.ID)).End() require.Equal(t, c.statusGetAfterDelete, resp.StatusCode, "case %d: %s", k, body) resp, body, _ = request.Delete(fmt.Sprintf("%s/oauth2/connections/%s", ts.URL, conn.ID)).End() require.Equal(t, http.StatusNotFound, resp.StatusCode, "case %d: %s", k, body) }() } }
func TestCreateGetDeleteGet(t *testing.T) { for k, c := range []test{ {subject: "peter", token: jwt.Token{Valid: false}, policies: []policy.Policy{policies["fail"]}, createData: payload{RedirectURIs: "redir"}, statusCreate: http.StatusUnauthorized}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["fail"]}, createData: payload{RedirectURIs: "redir"}, statusCreate: http.StatusForbidden}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-create"]}, createData: payload{RedirectURIs: "redir"}, statusCreate: http.StatusOK, statusGet: http.StatusForbidden}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-create"], policies["pass-get"]}, createData: payload{RedirectURIs: "redir"}, statusCreate: http.StatusOK, statusGet: http.StatusOK, statusDelete: http.StatusForbidden}, {subject: "peter", token: jwt.Token{Valid: true}, policies: []policy.Policy{policies["pass-all"]}, createData: payload{RedirectURIs: "redir"}, statusCreate: http.StatusOK, statusGet: http.StatusOK, statusDelete: http.StatusAccepted, statusGetAfterDelete: http.StatusNotFound}, } { func() { handler := &Handler{s: store, m: mw} router := mux.NewRouter() handler.SetRoutes(router, mockAuthorization(c)) ts := httptest.NewServer(router) defer ts.Close() request := gorequest.New() resp, body, _ := request.Post(ts.URL + "/clients").Send(c.createData).End() require.Equal(t, c.statusCreate, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusOK { return } var client payload json.Unmarshal([]byte(body), &client) resp, body, _ = request.Get(ts.URL + "/clients/" + client.ID).End() require.Equal(t, c.statusGet, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusOK { return } resp, body, _ = request.Delete(ts.URL + "/clients/" + client.ID).End() require.Equal(t, c.statusDelete, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusAccepted { return } resp, body, _ = request.Get(ts.URL + "/clients/" + client.ID).End() require.Equal(t, c.statusGetAfterDelete, resp.StatusCode, "case %d: %s", k, body) }() } }
func TestCreateGetDelete(t *testing.T) { for k, c := range []test{ test{ subject: "peter", token: &jwt.Token{Valid: false}, expected: result{create: http.StatusUnauthorized, get: 0, delete: 0}, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, policies: policies["empty"], expected: result{create: http.StatusForbidden, get: 0, delete: 0}, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, policies: policies["empty"], expected: result{create: http.StatusForbidden, get: 0, delete: 0}, }, test{ subject: "max", token: &jwt.Token{Valid: true}, policies: policies["empty"], expected: result{create: http.StatusForbidden, get: 0, delete: 0}, }, test{ subject: "max", token: &jwt.Token{Valid: true}, payload: payload{}, policies: policies["allow-create"], expected: result{ create: http.StatusForbidden, get: 0, delete: 0, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: uuid.New() + "@foobar.com", Data: "{}"}, policies: policies["allow-create"], expected: result{ create: http.StatusBadRequest, get: 0, delete: 0, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: uuid.New() + "@foobar.com", Password: "******", Data: "{}"}, policies: policies["allow-create"], expected: result{ create: http.StatusBadRequest, get: 0, delete: 0, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: "notemail", Password: "******", Data: "{}"}, policies: policies["allow-create"], expected: result{ create: http.StatusBadRequest, get: 0, delete: 0, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: uuid.New() + "@bar.com", Password: "", Data: "{}"}, policies: policies["allow-create"], expected: result{ create: http.StatusBadRequest, get: 0, delete: 0, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: uuid.New() + "@bar.com", Password: "******", Data: "not json"}, policies: policies["allow-create"], expected: result{ create: http.StatusBadRequest, get: 0, delete: 0, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: uuid.New() + "@bar.com", Password: "******", Data: "{}"}, policies: policies["allow-create"], expected: result{ create: http.StatusOK, get: http.StatusForbidden, delete: http.StatusForbidden, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: uuid.New() + "@bar.com", Password: "******", Data: "{}"}, policies: policies["allow-create-get"], expected: result{ create: http.StatusOK, get: http.StatusOK, delete: http.StatusForbidden, }, }, test{ subject: "peter", token: &jwt.Token{Valid: true}, payload: payload{Email: uuid.New() + "@bar.com", Password: "******", Data: "{}"}, policies: policies["allow-all"], expected: result{ create: http.StatusOK, get: http.StatusOK, delete: http.StatusAccepted, }, }, } { router := mux.NewRouter() hd.SetRoutes(router, mock(c)) ts := httptest.NewServer(router) defer ts.Close() t.Logf(ts.URL + "/accounts") request := gorequest.New() resp, body, _ := request.Post(ts.URL + "/accounts").Send(c.payload).End() require.Equal(t, c.expected.create, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusOK { return } user := assertAccount(t, c, body) resp, body, _ = request.Get(ts.URL + "/accounts/" + user.GetID()).End() require.Equal(t, c.expected.get, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusOK { return } user = assertAccount(t, c, body) resp, body, _ = request.Delete(ts.URL + "/accounts/" + user.GetID()).End() require.Equal(t, c.expected.delete, resp.StatusCode, "case %d: %s", k, body) if resp.StatusCode != http.StatusAccepted { return } resp, body, _ = request.Get(ts.URL + "/accounts/" + user.GetID()).End() require.Equal(t, http.StatusNotFound, resp.StatusCode, "case %d: %s", k, body) } }
func TestSignAndVerify(t *testing.T) { for i, c := range []struct { private []byte public []byte header map[string]interface{} claims map[string]interface{} valid bool signOk bool }{ { []byte(""), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{"nbf": time.Now().Add(time.Hour)}, false, false, }, { []byte(TestCertificates[0][1]), []byte(""), map[string]interface{}{"foo": "bar"}, map[string]interface{}{"nbf": time.Now().Add(time.Hour)}, false, true, }, { []byte(TestCertificates[0][1]), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{"nbf": time.Now().Add(-time.Hour)}, false, true, }, { []byte(TestCertificates[0][1]), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{"nbf": time.Now().Add(time.Hour)}, false, true, }, { []byte(TestCertificates[0][1]), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{"exp": time.Now().Add(-time.Hour)}, false, true, }, { []byte(TestCertificates[0][1]), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{ "nbf": time.Now().Add(-time.Hour), "iat": time.Now().Add(-time.Hour), "exp": time.Now().Add(time.Hour), }, true, true, }, { []byte(TestCertificates[0][1]), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{ "nbf": time.Now().Add(-time.Hour), }, false, true, }, { []byte(TestCertificates[0][1]), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{ "exp": time.Now().Add(time.Hour), }, true, true, }, { []byte(TestCertificates[0][1]), []byte(TestCertificates[1][1]), map[string]interface{}{"foo": "bar"}, map[string]interface{}{}, false, true, }, } { j := New(c.private, c.public) data, err := j.SignToken(c.claims, c.header) if c.signOk { require.Nil(t, err, "Case %d", i) } else { require.NotNil(t, err, "Case %d", i) } tok, err := j.VerifyToken([]byte(data)) if c.valid { require.Nil(t, err, "Case %d", i) require.Equal(t, c.valid, tok.Valid, "Case %d", i) } else { require.NotNil(t, err, "Case %d", i) } } }
func TestIntrospect(t *testing.T) { router := mux.NewRouter() handler.SetRoutes(router) ts := httptest.NewServer(router) defer ts.Close() config := configs["working"] user := logins["working"] clientConfig := clientcredentials.Config{ ClientID: config.ClientID, ClientSecret: config.ClientSecret, TokenURL: ts.URL + config.Endpoint.TokenURL, Scopes: config.Scopes, } config.Endpoint = oauth2.Endpoint{AuthURL: ts.URL + "/oauth2/auth", TokenURL: ts.URL + "/oauth2/token"} access, _ := clientConfig.Token(oauth2.NoContext) verify, _ := config.PasswordCredentialsToken(oauth2.NoContext, user.Username, user.Password) for k, c := range []*struct { accessToken string code int pass bool }{ {"Bearer " + verify.AccessToken, http.StatusOK, true}, {"", http.StatusUnauthorized, false}, {"Bearer ", http.StatusUnauthorized, false}, {"Bearer invalid", http.StatusForbidden, false}, {"Bearer invalid", http.StatusForbidden, false}, {"Bearer invalid", http.StatusForbidden, false}, // {"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.FvuwHdEjgGxPAyVUb-eqtiPl2gycU9WOHNzwpFKcpdN_QkXkBUxU3qFl3lLBaMzIuP_GjXLXcJZFhyQ2Ne3kfWuZSGLmob0Og8B4lAy7CA7iwpji2R3aUcwBwbJ41IJa__F8fMRz0dRDwhyrBKD-9y4TfV_-yZuzBZxq0UdjX6IdpzsdetphBSIZkPij5MY3thRwC-X_gXyIXi4-G2_CjRrV5lCGnPJrDbLqPCYqS71wK9NEsz_B8p5ENmwad8vZe4fEFR7XsqJrhPjbEVGeLpzSz0AOGp4G1iyvv1sdu4M3Y8KSSGYnZ8lXNGyi8QeUr374Y6XgJ5N5TVLWI2cMxg", http.StatusForbidden, false}, // "exp": "2012-04-23T18:25:43.511Z" {"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDEyLTA0LTIzVDE4OjI1OjQzLjUxMVoifQ.YPCfgNDs-UT6vNqh6095cXiMe0jcA9HjHuLi6hK6YBPsEHwHFniFGXAYt1PpPabBHAz7lQQ8zZao6LrVXkfz7PLbeQZl3KY0SUb-Wb0eEDjX4naEdm20whrYMZQ36VcTMT-FsGk5MB-nIYKq3iX6FMhumV8StjpC0jrM14488lPwLXihC1uITQBNVFEyXV_emhfuyojWEcEq899oE_vVRd7pTOmIhU8dFEAonoLZyPTKzSfvqaurPeySA5ttA-TTMTxZNzGVxWV4cwYHlhTXfS57zoSF_EN_PULTqMepUe8RC9AFnwyvNAa5e4nxQG5yO6b7cUGa0vSCD5FPbNBh-w", http.StatusForbidden, false}, // { // "exp": "2099-04-23T18:25:43.511Z", // "nbf": "2099-04-23T18:25:43.511Z" // } {"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDk5LTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJuYmYiOiIyMDk5LTA0LTIzVDE4OjI1OjQzLjUxMVoifQ.hCuvBuiwEjjTbL8NMfEe6exDaRUeQIHodTNc5uBdY1lxmJWfFPh2zykuEvinqTprQe2CPRmL3Dk6jX3pcnigg7IjMX-EZueOnJc229gwjmJJiIGuUJOV3bLc-0xQ3cu6FCRc2NgOEh6Nq6Jh8G7ko4Du4gGrFsn97kbzAUYyns98T8442p0YXdQF-KVCc87fCkdr6OTsbfomy7jUDLCWptyJqREOoBll-nzyFWTxGHgoH_DmHft64SwvsvRafqZv9Q48bRzr857ps6OjEPncjRTriAsJa-p7aPKO2e7LXLKpopcaNwC09RNteAO4XPc2_M-IrYf6a02UzgSmOkIZUg", http.StatusForbidden, false}, // { // "exp": "2099-04-23T18:25:43.511Z", // "iat": "2000-04-23T18:25:43.511Z", // "nbf": "2099-04-23T18:25:43.511Z" // } {"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDk5LTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJpYXQiOiIyMDAwLTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJuYmYiOiIyMDk5LTA0LTIzVDE4OjI1OjQzLjUxMVoifQ.WtRurXoCy4kHPxnaL5ccPaeHIaDogXRFE6mqyF8nVTSsv6E7FaJg4IiYylxa44ty8GRMYn7c2CSyQefTVauqjJm8b0Rpu4biIeyCQRzwTZZzqZbc6irdWYsJu4DkwfAU0yP2EaLEtQOG3scnDpmtyCp7NvDAi8XlVeytOSHjqyJMWzqO_z5eU4e2Ap-3wkLo4P9_W1W3Tx_V0xQR2VaOXtVjEa_VS36rAMBy6WAvYQrYNlvBAA6OBfqg2uvKUfmEoE6MchkFxHFTSGBmI2boDfF2XGlyLn0di7gIBG-udXDv_zaVp4BtuswygTskV5d2i3pvLGP6UuJJhc7VVOAoPw", http.StatusForbidden, false}, // { // "exp": "2099-04-23T18:25:43.511Z", // "iat": "2000-04-23T18:25:43.511Z", // "nbf": "2000-04-23T18:25:43.511Z", // "aud": "wrong-audience" // } {"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDk5LTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJpYXQiOiIyMDAwLTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJuYmYiOiIyMDAwLTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJhdWQiOiJ3cm9uZy1hdWRpZW5jZSJ9.rF4JqVpawgHcg_H2hAAsEI2GUxzxCote4pUlruK9hLF-Dv-YSeEmMcFBhfxgsFuDCJotUCG6v8EhwI4u2wxGQHzLz70a-0AEZLQBccCfF_V4qAk8B7M5z2fO7xtEy8RkB2pZKCHbJ1f_6MSM_EyV6r4oiwedveBSsLKcjDhWE3_wExmtmtZaujJy53gR8Wh7BnUt6pl95_d7OMFjGEp1C_N0f3xd9SizIZ-qlIwHiX4xLHtvTZIjdmfyzXxPm_MK_aMOXmX0F6DQn5tgMzAggEdKSD6YdU8HM256zLQeddczrrDI5P3SASiBJ6MCUM4AzbvoFuFAilQi0WzpLpmlJw", http.StatusOK, false}, // { // "exp": "2099-04-23T18:25:43.511Z", // "iat": "2000-04-23T18:25:43.511Z", // "nbf": "2000-04-23T18:25:43.511Z", // "aud": "tests" // } {"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDk5LTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJpYXQiOiIyMDAwLTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJuYmYiOiIyMDAwLTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJhdWQiOiJ0ZXN0cyJ9.NQZCoKU2qoC-_VFi-_8fQDzObeQrnld9wyaqF0jYHL_wqROn5VumCDVl1oxMN7g-L9wqo5U-xUXf1HS_Ae6CLDFlkbd6dI-h1_l7_ALn_L_GoxQsEo2lQUDQ-Q4eqlLabc764cTYFXd5EwcsZMHWs5ZFCeMOv3exfeTmg8E9e1FiyuTuKVjvMxL-ZCh113nzXEGFr6GRzqjL6VSnJPDX0Pv78R9tnL6CqWbCuDBlIPOccbpWLuWF0yKjV-OyvcWpjkLIVtAbrimi3A7cNUI_V3EJm9Y4tr8e6hv9zViPNbhycmqvOp-vur2k64PrzeMcbuj7TFRCJg2V3moPJF3NtQ", http.StatusOK, true}, // { // "exp": "2099-04-23T18:25:43.511Z", // "iat": "2000-04-23T18:25:43.511Z", // "nbf": "2000-04-23T18:25:43.511Z", // "aud": "tests" // } {"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDk5LTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJpYXQiOiIyMDAwLTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJuYmYiOiIyMDAwLTA0LTIzVDE4OjI1OjQzLjUxMVoiLCJhdWQiOiJ0ZXN0cyJ9.NQZCoKU2qoC-_VFi-_8fQDzObeQrnld9wyaqF0jYHL_wqROn5VumCDVl1oxMN7g-L9wqo5U-xUXf1HS_Ae6CLDFlkbd6dI-h1_l7_ALn_L_GoxQsEo2lQUDQ-Q4eqlLabc764cTYFXd5EwcsZMHWs5ZFCeMOv3exfeTmg8E9e1FiyuTuKVjvMxL-ZCh113nzXEGFr6GRzqjL6VSnJPDX0Pv78R9tnL6CqWbCuDBlIPOccbpWLuWF0yKjV-OyvcWpjkLIVtAbrimi3A7cNUI_V3EJm9Y4tr8e6hv9zViPNbhycmqvOp-vur2k64PrzeMcbuj7TFRCJg2V3moPJF3NtQ", http.StatusOK, true}, } { client := &http.Client{} form := url.Values{} form.Add("token", access.AccessToken) req, _ := http.NewRequest("POST", ts.URL+"/oauth2/introspect", strings.NewReader(form.Encode())) if c.accessToken != "" { req.Header.Add("Authorization", c.accessToken) } res, _ := client.Do(req) body, _ := ioutil.ReadAll(res.Body) require.Equal(t, c.code, res.StatusCode, "Case %d: %s", k, body) if res.StatusCode != http.StatusOK { continue } var result map[string]interface{} require.Nil(t, json.Unmarshal(body, &result)) assert.Equal(t, c.pass, result["active"].(bool), "Case %d", k) } }