// TestOIDCDiscoverySecureConnection checks two transport-security requirements
// of New: a plain-HTTP issuer URL is rejected up front with a precise error, and
// a TLS issuer is rejected when the client is configured with a certificate that
// does not match the one the server actually presents.
func TestOIDCDiscoverySecureConnection(t *testing.T) {
	// Part 1: an http:// issuer must be refused before any network trust is placed in it.
	op := oidctesting.NewOIDCProvider(t)
	plainSrv := httptest.NewServer(op.Mux)
	defer plainSrv.Close()
	op.PCFG = oidc.ProviderConfig{
		Issuer:       oidctesting.MustParseURL(plainSrv.URL),
		KeysEndpoint: oidctesting.MustParseURL(plainSrv.URL + "/keys"),
	}

	wantErr := fmt.Errorf("'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'", plainSrv.URL, "http")
	if _, err := New(OIDCOptions{plainSrv.URL, "client-foo", "", "sub", "", 0, 0}); !reflect.DeepEqual(err, wantErr) {
		t.Errorf("Expecting %v, but got %v", wantErr, err)
	}

	// Part 2: two unrelated self-signed cert/key pairs.
	// NOTE(review): these are fixed names under the shared os.TempDir(), so
	// concurrent runs can collide and a pre-existing file or symlink at one of
	// these paths would be reused; a per-test directory (t.TempDir()) avoids both.
	tmp := os.TempDir()
	cert1, key1 := path.Join(tmp, "oidc-cert-1"), path.Join(tmp, "oidc-key-1")
	cert2, key2 := path.Join(tmp, "oidc-cert-2"), path.Join(tmp, "oidc-key-2")
	for _, f := range []string{cert1, key1, cert2, key2} {
		// f is evaluated now, so each deferred Remove gets its own path.
		defer os.Remove(f)
	}
	oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert1, key1)
	oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert2, key2)

	// Serve the provider over TLS with pair 1.
	tlsSrv, err := op.ServeTLSWithKeyPair(cert1, key1)
	if err != nil {
		t.Fatalf("Cannot start server: %v", err)
	}
	defer tlsSrv.Close()
	op.PCFG = oidc.ProviderConfig{
		Issuer:       oidctesting.MustParseURL(tlsSrv.URL),
		KeysEndpoint: oidctesting.MustParseURL(tlsSrv.URL + "/keys"),
	}

	// A client created with cert2 must fail against a server that uses pair 1.
	if _, err := New(OIDCOptions{tlsSrv.URL, "client-foo", cert2, "sub", "", 0, 0}); err == nil {
		t.Fatalf("Expecting error, but got nothing")
	}
}
// TestOIDCDiscoveryNoKeyEndpoint checks that New fails with the exact
// "fetch provider config" error when the provider's configuration omits the
// required keys endpoint, even though the transport itself is valid TLS.
func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
	wantErr := fmt.Errorf("failed to fetch provider config after 0 retries")

	// NOTE(review): fixed file names under the shared os.TempDir(); concurrent
	// runs can collide and an existing file or symlink at these paths would be
	// reused. A per-test directory (t.TempDir()) would isolate each run.
	tmp := os.TempDir()
	cert, key := path.Join(tmp, "oidc-cert"), path.Join(tmp, "oidc-key")
	defer os.Remove(cert)
	defer os.Remove(key)
	oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert, key)

	op := oidctesting.NewOIDCProvider(t)
	srv, err := op.ServeTLSWithKeyPair(cert, key)
	if err != nil {
		t.Fatalf("Cannot start server %v", err)
	}
	defer srv.Close()

	// Deliberately incomplete config: KeysEndpoint is left unset.
	op.PCFG = oidc.ProviderConfig{Issuer: oidctesting.MustParseURL(srv.URL)}

	if _, err := New(OIDCOptions{srv.URL, "client-foo", cert, "sub", "", 0, 0}); !reflect.DeepEqual(err, wantErr) {
		t.Errorf("Expecting %v, but got %v", wantErr, err)
	}
}