From 55e97d90a67c4abd650539c44694e72850d84406 Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Mon, 21 Nov 2016 12:16:36 -0800 Subject: [PATCH] *: add tests for the RefreshConnector --- connector/mock/connectortest.go | 44 ++++++++++-------- server/server_test.go | 81 +++++++++++++++++++++++++++++++-- 2 files changed, 102 insertions(+), 23 deletions(-) diff --git a/connector/mock/connectortest.go b/connector/mock/connectortest.go index 3f3a1ffd..167b0fb2 100644 --- a/connector/mock/connectortest.go +++ b/connector/mock/connectortest.go @@ -15,20 +15,32 @@ import ( // NewCallbackConnector returns a mock connector which requires no user interaction. It always returns // the same (fake) identity. func NewCallbackConnector() connector.Connector { - return callbackConnector{} + return &Callback{ + Identity: connector.Identity{ + UserID: "0-385-28089-0", + Username: "Kilgore Trout", + Email: "kilgore@kilgore.trout", + EmailVerified: true, + Groups: []string{"authors"}, + ConnectorData: connectorData, + }, + } } var ( - _ connector.CallbackConnector = callbackConnector{} + _ connector.CallbackConnector = &Callback{} _ connector.PasswordConnector = passwordConnector{} ) -type callbackConnector struct{} +// Callback is a connector that requires no user interaction and always returns the same identity. +type Callback struct { + // The returned identity. + Identity connector.Identity +} -func (m callbackConnector) Close() error { return nil } - -func (m callbackConnector) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) { +// LoginURL returns the URL to redirect the user to login with. +func (m *Callback) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) { u, err := url.Parse(callbackURL) if err != nil { return "", fmt.Errorf("failed to parse callbackURL %q: %v", callbackURL, err) @@ -41,20 +53,14 @@ func (m callbackConnector) LoginURL(s connector.Scopes, callbackURL, state strin var connectorData = []byte("foobar") -func (m callbackConnector) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) { - var groups []string - if s.Groups { - groups = []string{"authors"} - } +// HandleCallback parses the request and returns the user's identity +func (m *Callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) { + return m.Identity, nil +} - return connector.Identity{ - UserID: "0-385-28089-0", - Username: "Kilgore Trout", - Email: "kilgore@kilgore.trout", - EmailVerified: true, - Groups: groups, - ConnectorData: connectorData, - }, nil +// Refresh updates the identity during a refresh token request. +func (m *Callback) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) { + return m.Identity, nil } // CallbackConfig holds the configuration parameters for a connector which requires no interaction. diff --git a/server/server_test.go b/server/server_test.go index b3a02fab..6db67d5c 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -132,10 +132,13 @@ func TestDiscovery(t *testing.T) { } } +// TestOAuth2CodeFlow runs integration tests against a test server. The tests stand up a server +// which requires no interaction to login, logs in through a test client, then passes the client +// and returned token to the test. func TestOAuth2CodeFlow(t *testing.T) { clientID := "testclient" clientSecret := "testclientsecret" - requestedScopes := []string{oidc.ScopeOpenID, "email", "offline_access"} + requestedScopes := []string{oidc.ScopeOpenID, "email", "profile", "groups", "offline_access"} t0 := time.Now() @@ -149,8 +152,14 @@ func TestOAuth2CodeFlow(t *testing.T) { // so tests can compute the expected "expires_in" field. idTokensValidFor := time.Second * 30 + // Connector used by the tests. + var conn *mock.Callback + tests := []struct { - name string + name string + // If specified these set of scopes will be used during the test case. + scopes []string + // handleToken provides the OAuth2 token response for the integration test. handleToken func(context.Context, *oidc.Provider, *oauth2.Config, *oauth2.Token) error }{ { @@ -265,7 +274,8 @@ func TestOAuth2CodeFlow(t *testing.T) { }, }, { - name: "refresh with unauthorized scopes", + name: "refresh with unauthorized scopes", + scopes: []string{"openid", "email"}, handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error { v := url.Values{} v.Add("client_id", clientID) @@ -273,7 +283,7 @@ func TestOAuth2CodeFlow(t *testing.T) { v.Add("grant_type", "refresh_token") v.Add("refresh_token", token.RefreshToken) // Request a scope that wasn't requestd initially. - v.Add("scope", strings.Join(append(requestedScopes, "profile"), " ")) + v.Add("scope", "oidc email profile") resp, err := http.PostForm(p.TokenURL, v) if err != nil { return err @@ -289,6 +299,57 @@ func TestOAuth2CodeFlow(t *testing.T) { return nil }, }, + { + // This test ensures that the connector.RefreshConnector interface is being + // used when clients request a refresh token. + name: "refresh with identity changes", + handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error { + // have to use time.Now because the OAuth2 package uses it. + token.Expiry = time.Now().Add(time.Second * -10) + if token.Valid() { + return errors.New("token shouldn't be valid") + } + + ident := connector.Identity{ + UserID: "fooid", + Username: "foo", + Email: "foo@bar.com", + EmailVerified: true, + Groups: []string{"foo", "bar"}, + } + conn.Identity = ident + + type claims struct { + Username string `json:"name"` + Email string `json:"email"` + EmailVerified bool `json:"email_verified"` + Groups []string `json:"groups"` + } + want := claims{ident.Username, ident.Email, ident.EmailVerified, ident.Groups} + + newToken, err := config.TokenSource(ctx, token).Token() + if err != nil { + return fmt.Errorf("failed to refresh token: %v", err) + } + rawIDToken, ok := newToken.Extra("id_token").(string) + if !ok { + return fmt.Errorf("no id_token in refreshed token") + } + idToken, err := p.NewVerifier(ctx).Verify(rawIDToken) + if err != nil { + return fmt.Errorf("failed to verify id token: %v", err) + } + var got claims + if err := idToken.Claims(&got); err != nil { + return fmt.Errorf("failed to unmarshal claims: %v", err) + } + + if diff := pretty.Compare(want, got); diff != "" { + return fmt.Errorf("got identity != want identity: %s", diff) + } + return nil + }, + }, } for _, tc := range tests { @@ -300,6 +361,15 @@ func TestOAuth2CodeFlow(t *testing.T) { c.Issuer = c.Issuer + "/non-root-path" c.Now = now c.IDTokensValidFor = idTokensValidFor + // Create a new mock callback connector for each test case. + conn = mock.NewCallbackConnector().(*mock.Callback) + c.Connectors = []Connector{ + { + ID: "mock", + DisplayName: "mock", + Connector: conn, + }, + } }) defer httpServer.Close() @@ -375,6 +445,9 @@ func TestOAuth2CodeFlow(t *testing.T) { Scopes: requestedScopes, RedirectURL: redirectURL, } + if len(tc.scopes) != 0 { + oauth2Config.Scopes = tc.scopes + } resp, err := http.Get(oauth2Server.URL + "/login") if err != nil {