dex/server/server_test.go

package server

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"testing"
	"time"

	"github.com/ericchiang/oidc"
	"golang.org/x/net/context"
	"golang.org/x/oauth2"

	"github.com/coreos/poke/connector/mock"
	"github.com/coreos/poke/storage"
	"github.com/coreos/poke/storage/memory"
)

func mustLoad(s string) *rsa.PrivateKey {
	block, _ := pem.Decode([]byte(s))
	if block == nil {
		panic("no pem data found")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		panic(err)
	}
	return key
}

var testKey = mustLoad(`-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArmoiX5G36MKPiVGS1sicruEaGRrbhPbIKOf97aGGQRjXVngo
Knwd2L4T9CRyABgQm3tLHHcT5crODoy46wX2g9onTZWViWWuhJ5wxXNmUbCAPWHb
j9SunW53WuLYZ/IJLNZt5XYCAFPjAakWp8uMuuDwWo5EyFaw85X3FSMhVmmaYDd0
cn+1H4+NS/52wX7tWmyvGUNJ8lzjFAnnOtBJByvkyIC7HDphkLQV4j//sMNY1mPX
HbsYgFv2J/LIJtkjdYO2UoDhZG3Gvj16fMy2JE2owA8IX4/s+XAmA2PiTfd0J5b4
drAKEcdDl83G6L3depEkTkfvp0ZLsh9xupAvIwIDAQABAoIBABKGgWonPyKA7+AF
AxS/MC0/CZebC6/+ylnV8lm4K1tkuRKdJp8EmeL4pYPsDxPFepYZLWwzlbB1rxdK
iSWld36fwEb0WXLDkxrQ/Wdrj3Wjyqs6ZqjLTVS5dAH6UEQSKDlT+U5DD4lbX6RA
goCGFUeQNtdXfyTMWHU2+4yKM7NKzUpczFky+0d10Mg0ANj3/4IILdr3hqkmMSI9
1TB9ksWBXJxt3nGxAjzSFihQFUlc231cey/HhYbvAX5fN0xhLxOk88adDcdXE7br
3Ser1q6XaaFQSMj4oi1+h3RAT9MUjJ6johEqjw0PbEZtOqXvA1x5vfFdei6SqgKn
Am3BspkCgYEA2lIiKEkT/Je6ZH4Omhv9atbGoBdETAstL3FnNQjkyVau9f6bxQkl
4/sz985JpaiasORQBiTGY8JDT/hXjROkut91agi2Vafhr29L/mto7KZglfDsT4b2
9z/EZH8wHw7eYhvdoBbMbqNDSI8RrGa4mpLpuN+E0wsFTzSZEL+QMQUCgYEAzIQh
xnreQvDAhNradMqLmxRpayn1ORaPReD4/off+mi7hZRLKtP0iNgEVEWHJ6HEqqi1
r38XAc8ap/lfOVMar2MLyCFOhYspdHZ+TGLZfr8gg/Fzeq9IRGKYadmIKVwjMeyH
REPqg1tyrvMOE0HI5oqkko8JTDJ0OyVC0Vc6+AcCgYAqCzkywugLc/jcU35iZVOH
WLdFq1Vmw5w/D7rNdtoAgCYPj6nV5y4Z2o2mgl6ifXbU7BMRK9Hc8lNeOjg6HfdS
WahV9DmRA1SuIWPkKjE5qczd81i+9AHpmakrpWbSBF4FTNKAewOBpwVVGuBPcDTK
59IE3V7J+cxa9YkotYuCNQKBgCwGla7AbHBEm2z+H+DcaUktD7R+B8gOTzFfyLoi
Tdj+CsAquDO0BQQgXG43uWySql+CifoJhc5h4v8d853HggsXa0XdxaWB256yk2Wm
MePTCRDePVm/ufLetqiyp1kf+IOaw1Oyux0j5oA62mDS3Iikd+EE4Z+BjPvefY/L
E2qpAoGAZo5Wwwk7q8b1n9n/ACh4LpE+QgbFdlJxlfFLJCKstl37atzS8UewOSZj
FDWV28nTP9sqbtsmU8Tem2jzMvZ7C/Q0AuDoKELFUpux8shm8wfIhyaPnXUGZoAZ
Np4vUwMSYV5mopESLWOg3loBxKyLGFtgGKVCjGiQvy6zISQ4fQo=
-----END RSA PRIVATE KEY-----`)

func newTestServer() (*httptest.Server, *Server) {
	var server *Server
	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		server.ServeHTTP(w, r)
	}))
	config := Config{
		Issuer:  s.URL,
		Storage: memory.New(),
		Connectors: []Connector{
			{
				ID:          "mock",
				DisplayName: "Mock",
				Connector:   mock.New(),
			},
		},
	}
	var err error
	if server, err = newServer(config, staticRotationStrategy(testKey)); err != nil {
		panic(err)
	}
	server.skipApproval = true // Don't prompt for approval, just immediately redirect with code.
	return s, server
}

func TestNewTestServer(t *testing.T) {
	newTestServer()
}

func TestDiscovery(t *testing.T) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	httpServer, _ := newTestServer()
	defer httpServer.Close()

	p, err := oidc.NewProvider(ctx, httpServer.URL)
	if err != nil {
		t.Fatalf("failed to get provider: %v", err)
	}
	required := []struct {
		name, val string
	}{
		{"issuer", p.Issuer},
		{"authorization_endpoint", p.AuthURL},
		{"token_endpoint", p.TokenURL},
		{"jwks_uri", p.JWKSURL},
	}
	for _, field := range required {
		if field.val == "" {
			t.Errorf("server discovery is missing required field %q", field.name)
		}
	}
}

func TestOAuth2Flow(t *testing.T) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	httpServer, s := newTestServer()
	defer httpServer.Close()

	p, err := oidc.NewProvider(ctx, httpServer.URL)
	if err != nil {
		t.Fatalf("failed to get provider: %v", err)
	}

	var (
		reqDump, respDump []byte
		gotCode           bool
		state             = "a_state"
	)
	defer func() {
		if !gotCode {
			t.Errorf("never got a code in callback\n%s\n%s", reqDump, respDump)
		}
	}()

	var oauth2Config *oauth2.Config
	oauth2Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/callback" {
			q := r.URL.Query()
			if errType := q.Get("error"); errType != "" {
				if desc := q.Get("error_description"); desc != "" {
					t.Errorf("got error from server %s: %s", errType, desc)
				} else {
					t.Errorf("got error from server %s", errType)
				}
				w.WriteHeader(http.StatusInternalServerError)
				return
			}

			if code := q.Get("code"); code != "" {
				gotCode = true
				token, err := oauth2Config.Exchange(ctx, code)
				if err != nil {
					t.Errorf("failed to exchange code for token: %v", err)
					return
				}
				idToken, ok := token.Extra("id_token").(string)
				if !ok {
					t.Errorf("no id token found: %v", err)
					return
				}
				// TODO(ericchiang): validate id token
				_ = idToken

				token.Expiry = time.Now().Add(time.Second * -10)
				if token.Valid() {
					t.Errorf("token shouldn't be valid")
				}

				newToken, err := oauth2Config.TokenSource(ctx, token).Token()
				if err != nil {
					t.Errorf("failed to refresh token: %v", err)
					return
				}
				if token.RefreshToken == newToken.RefreshToken {
					t.Errorf("old refresh token was the same as the new token %q", token.RefreshToken)
				}
			}
			if gotState := q.Get("state"); gotState != state {
				t.Errorf("state did not match, want=%q got=%q", state, gotState)
			}
			w.WriteHeader(http.StatusOK)
			return
		}
		http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusSeeOther)
	}))

	defer oauth2Server.Close()

	redirectURL := oauth2Server.URL + "/callback"
	client := storage.Client{
		ID:           "testclient",
		Secret:       "testclientsecret",
		RedirectURIs: []string{redirectURL},
	}
	if err := s.storage.CreateClient(client); err != nil {
		t.Fatalf("failed to create client: %v", err)
	}

	oauth2Config = &oauth2.Config{
		ClientID:     client.ID,
		ClientSecret: client.Secret,
		Endpoint:     p.Endpoint(),
		Scopes:       []string{oidc.ScopeOpenID, "profile", "email", "offline_access"},
		RedirectURL:  redirectURL,
	}

	resp, err := http.Get(oauth2Server.URL + "/login")
	if err != nil {
		t.Fatalf("get failed: %v", err)
	}
	if reqDump, err = httputil.DumpRequest(resp.Request, false); err != nil {
		t.Fatal(err)
	}
	if respDump, err = httputil.DumpResponse(resp, true); err != nil {
		t.Fatal(err)
	}
}
initial commit 2016-07-25 20:00:28 +00:00			`package server`

			`import (`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"net/http"`
			`"net/http/httptest"`
			`"net/http/httputil"`
			`"testing"`
			`"time"`

			`"github.com/ericchiang/oidc"`
			`"golang.org/x/net/context"`
			`"golang.org/x/oauth2"`

			`"github.com/coreos/poke/connector/mock"`
			`"github.com/coreos/poke/storage"`
			`"github.com/coreos/poke/storage/memory"`
			`)`

			`func mustLoad(s string) *rsa.PrivateKey {`
			`block, _ := pem.Decode([]byte(s))`
			`if block == nil {`
			`panic("no pem data found")`
			`}`
			`key, err := x509.ParsePKCS1PrivateKey(block.Bytes)`
			`if err != nil {`
			`panic(err)`
			`}`
			`return key`
			`}`

			var testKey = mustLoad(`-----BEGIN RSA PRIVATE KEY-----
			`MIIEogIBAAKCAQEArmoiX5G36MKPiVGS1sicruEaGRrbhPbIKOf97aGGQRjXVngo`
			`Knwd2L4T9CRyABgQm3tLHHcT5crODoy46wX2g9onTZWViWWuhJ5wxXNmUbCAPWHb`
			`j9SunW53WuLYZ/IJLNZt5XYCAFPjAakWp8uMuuDwWo5EyFaw85X3FSMhVmmaYDd0`
			`cn+1H4+NS/52wX7tWmyvGUNJ8lzjFAnnOtBJByvkyIC7HDphkLQV4j//sMNY1mPX`
			`HbsYgFv2J/LIJtkjdYO2UoDhZG3Gvj16fMy2JE2owA8IX4/s+XAmA2PiTfd0J5b4`
			`drAKEcdDl83G6L3depEkTkfvp0ZLsh9xupAvIwIDAQABAoIBABKGgWonPyKA7+AF`
			`AxS/MC0/CZebC6/+ylnV8lm4K1tkuRKdJp8EmeL4pYPsDxPFepYZLWwzlbB1rxdK`
			`iSWld36fwEb0WXLDkxrQ/Wdrj3Wjyqs6ZqjLTVS5dAH6UEQSKDlT+U5DD4lbX6RA`
			`goCGFUeQNtdXfyTMWHU2+4yKM7NKzUpczFky+0d10Mg0ANj3/4IILdr3hqkmMSI9`
			`1TB9ksWBXJxt3nGxAjzSFihQFUlc231cey/HhYbvAX5fN0xhLxOk88adDcdXE7br`
			`3Ser1q6XaaFQSMj4oi1+h3RAT9MUjJ6johEqjw0PbEZtOqXvA1x5vfFdei6SqgKn`
			`Am3BspkCgYEA2lIiKEkT/Je6ZH4Omhv9atbGoBdETAstL3FnNQjkyVau9f6bxQkl`
			`4/sz985JpaiasORQBiTGY8JDT/hXjROkut91agi2Vafhr29L/mto7KZglfDsT4b2`
			`9z/EZH8wHw7eYhvdoBbMbqNDSI8RrGa4mpLpuN+E0wsFTzSZEL+QMQUCgYEAzIQh`
			`xnreQvDAhNradMqLmxRpayn1ORaPReD4/off+mi7hZRLKtP0iNgEVEWHJ6HEqqi1`
			`r38XAc8ap/lfOVMar2MLyCFOhYspdHZ+TGLZfr8gg/Fzeq9IRGKYadmIKVwjMeyH`
			`REPqg1tyrvMOE0HI5oqkko8JTDJ0OyVC0Vc6+AcCgYAqCzkywugLc/jcU35iZVOH`
			`WLdFq1Vmw5w/D7rNdtoAgCYPj6nV5y4Z2o2mgl6ifXbU7BMRK9Hc8lNeOjg6HfdS`
			`WahV9DmRA1SuIWPkKjE5qczd81i+9AHpmakrpWbSBF4FTNKAewOBpwVVGuBPcDTK`
			`59IE3V7J+cxa9YkotYuCNQKBgCwGla7AbHBEm2z+H+DcaUktD7R+B8gOTzFfyLoi`
			`Tdj+CsAquDO0BQQgXG43uWySql+CifoJhc5h4v8d853HggsXa0XdxaWB256yk2Wm`
			`MePTCRDePVm/ufLetqiyp1kf+IOaw1Oyux0j5oA62mDS3Iikd+EE4Z+BjPvefY/L`
			`E2qpAoGAZo5Wwwk7q8b1n9n/ACh4LpE+QgbFdlJxlfFLJCKstl37atzS8UewOSZj`
			`FDWV28nTP9sqbtsmU8Tem2jzMvZ7C/Q0AuDoKELFUpux8shm8wfIhyaPnXUGZoAZ`
			`Np4vUwMSYV5mopESLWOg3loBxKyLGFtgGKVCjGiQvy6zISQ4fQo=`
			-----END RSA PRIVATE KEY-----`)

			`func newTestServer() (httptest.Server, Server) {`
			`var server *Server`
			`s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`server.ServeHTTP(w, r)`
			`}))`
			`config := Config{`
			`Issuer: s.URL,`
			`Storage: memory.New(),`
			`Connectors: []Connector{`
			`{`
			`ID: "mock",`
			`DisplayName: "Mock",`
			`Connector: mock.New(),`
			`},`
			`},`
			`}`
			`var err error`
			`if server, err = newServer(config, staticRotationStrategy(testKey)); err != nil {`
			`panic(err)`
			`}`
			`server.skipApproval = true // Don't prompt for approval, just immediately redirect with code.`
			`return s, server`
			`}`

			`func TestNewTestServer(t *testing.T) {`
			`newTestServer()`
			`}`

			`func TestDiscovery(t *testing.T) {`
			`ctx, cancel := context.WithCancel(context.Background())`
			`defer cancel()`

			`httpServer, _ := newTestServer()`
			`defer httpServer.Close()`

			`p, err := oidc.NewProvider(ctx, httpServer.URL)`
			`if err != nil {`
			`t.Fatalf("failed to get provider: %v", err)`
			`}`
			`required := []struct {`
			`name, val string`
			`}{`
			`{"issuer", p.Issuer},`
			`{"authorization_endpoint", p.AuthURL},`
			`{"token_endpoint", p.TokenURL},`
			`{"jwks_uri", p.JWKSURL},`
			`}`
			`for _, field := range required {`
			`if field.val == "" {`
			`t.Errorf("server discovery is missing required field %q", field.name)`
			`}`
			`}`
			`}`

			`func TestOAuth2Flow(t *testing.T) {`
			`ctx, cancel := context.WithCancel(context.Background())`
			`defer cancel()`

			`httpServer, s := newTestServer()`
			`defer httpServer.Close()`

			`p, err := oidc.NewProvider(ctx, httpServer.URL)`
			`if err != nil {`
			`t.Fatalf("failed to get provider: %v", err)`
			`}`

			`var (`
			`reqDump, respDump []byte`
			`gotCode bool`
			`state = "a_state"`
			`)`
			`defer func() {`
			`if !gotCode {`
			`t.Errorf("never got a code in callback\n%s\n%s", reqDump, respDump)`
			`}`
			`}()`

			`var oauth2Config *oauth2.Config`
			`oauth2Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if r.URL.Path == "/callback" {`
			`q := r.URL.Query()`
			`if errType := q.Get("error"); errType != "" {`
			`if desc := q.Get("error_description"); desc != "" {`
			`t.Errorf("got error from server %s: %s", errType, desc)`
			`} else {`
			`t.Errorf("got error from server %s", errType)`
			`}`
			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`

			`if code := q.Get("code"); code != "" {`
			`gotCode = true`
			`token, err := oauth2Config.Exchange(ctx, code)`
			`if err != nil {`
			`t.Errorf("failed to exchange code for token: %v", err)`
			`return`
			`}`
			`idToken, ok := token.Extra("id_token").(string)`
			`if !ok {`
			`t.Errorf("no id token found: %v", err)`
			`return`
			`}`
			`// TODO(ericchiang): validate id token`
			`_ = idToken`

			`token.Expiry = time.Now().Add(time.Second * -10)`
			`if token.Valid() {`
			`t.Errorf("token shouldn't be valid")`
			`}`

			`newToken, err := oauth2Config.TokenSource(ctx, token).Token()`
			`if err != nil {`
			`t.Errorf("failed to refresh token: %v", err)`
			`return`
			`}`
			`if token.RefreshToken == newToken.RefreshToken {`
			`t.Errorf("old refresh token was the same as the new token %q", token.RefreshToken)`
			`}`
			`}`
			`if gotState := q.Get("state"); gotState != state {`
			`t.Errorf("state did not match, want=%q got=%q", state, gotState)`
			`}`
			`w.WriteHeader(http.StatusOK)`
			`return`
			`}`
			`http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusSeeOther)`
			`}))`

			`defer oauth2Server.Close()`

			`redirectURL := oauth2Server.URL + "/callback"`
			`client := storage.Client{`
			`ID: "testclient",`
			`Secret: "testclientsecret",`
			`RedirectURIs: []string{redirectURL},`
			`}`
			`if err := s.storage.CreateClient(client); err != nil {`
			`t.Fatalf("failed to create client: %v", err)`
			`}`

			`oauth2Config = &oauth2.Config{`
			`ClientID: client.ID,`
			`ClientSecret: client.Secret,`
			`Endpoint: p.Endpoint(),`
			`Scopes: []string{oidc.ScopeOpenID, "profile", "email", "offline_access"},`
			`RedirectURL: redirectURL,`
			`}`

			`resp, err := http.Get(oauth2Server.URL + "/login")`
			`if err != nil {`
			`t.Fatalf("get failed: %v", err)`
			`}`
			`if reqDump, err = httputil.DumpRequest(resp.Request, false); err != nil {`
			`t.Fatal(err)`
			`}`
			`if respDump, err = httputil.DumpResponse(resp, true); err != nil {`
			`t.Fatal(err)`
			`}`
			`}`