fix: check code presence

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
This commit is contained in:
m.nabokikh 2021-01-25 18:50:36 +04:00
parent 123185c456
commit d6b5105d9b
2 changed files with 91 additions and 55 deletions

View File

@ -805,6 +805,11 @@ func (s *Server) handleAuthCode(w http.ResponseWriter, r *http.Request, client s
code := r.PostFormValue("code") code := r.PostFormValue("code")
redirectURI := r.PostFormValue("redirect_uri") redirectURI := r.PostFormValue("redirect_uri")
if code == "" {
s.tokenErrHelper(w, errInvalidRequest, `Required param: code.`, http.StatusBadRequest)
return
}
authCode, err := s.storage.GetAuthCode(code) authCode, err := s.storage.GetAuthCode(code)
if err != nil || s.now().After(authCode.Expiry) || authCode.ClientID != client.ID { if err != nil || s.now().After(authCode.Expiry) || authCode.ClientID != client.ID {
if err != storage.ErrNotFound { if err != storage.ErrNotFound {

View File

@ -208,69 +208,100 @@ func TestConnectorLoginDoesNotAllowToChangeConnectorForAuthRequest(t *testing.T)
} }
} }
// TestHandleCodeReuse checks that it is forbidden to use same code twice // TestHandleAuthCode checks that it is forbidden to use same code twice
func TestHandleCodeReuse(t *testing.T) { func TestHandleAuthCode(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background()) tests := []struct {
defer cancel() name string
handleCode func(*testing.T, context.Context, *oauth2.Config, string)
}{
{
name: "Code Reuse should return invalid_grant",
handleCode: func(t *testing.T, ctx context.Context, oauth2Config *oauth2.Config, code string) {
_, err := oauth2Config.Exchange(ctx, code)
require.NoError(t, err)
httpServer, s := newTestServer(ctx, t, func(c *Config) { c.Issuer += "/non-root-path" }) _, err = oauth2Config.Exchange(ctx, code)
defer httpServer.Close() require.Error(t, err)
p, err := oidc.NewProvider(ctx, httpServer.URL) oauth2Err, ok := err.(*oauth2.RetrieveError)
require.NoError(t, err) require.True(t, ok)
var oauth2Client oauth2Client var errResponse struct{ Error string }
oauth2Client.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { err = json.Unmarshal(oauth2Err.Body, &errResponse)
if r.URL.Path != "/callback" { require.NoError(t, err)
http.Redirect(w, r, oauth2Client.config.AuthCodeURL(""), http.StatusSeeOther)
return
}
q := r.URL.Query() // invalid_grant must be returned for invalid values
require.Equal(t, q.Get("error"), "", q.Get("error_description")) // https://tools.ietf.org/html/rfc6749#section-5.2
require.Equal(t, errInvalidGrant, errResponse.Error)
},
},
{
name: "No Code should return invalid_request",
handleCode: func(t *testing.T, ctx context.Context, oauth2Config *oauth2.Config, _ string) {
_, err := oauth2Config.Exchange(ctx, "")
require.Error(t, err)
if code := q.Get("code"); code != "" { oauth2Err, ok := err.(*oauth2.RetrieveError)
_, err := oauth2Client.config.Exchange(ctx, code) require.True(t, ok)
require.NoError(t, err)
_, err = oauth2Client.config.Exchange(ctx, code) var errResponse struct{ Error string }
require.Error(t, err) err = json.Unmarshal(oauth2Err.Body, &errResponse)
require.NoError(t, err)
oauth2Err, ok := err.(*oauth2.RetrieveError) require.Equal(t, errInvalidRequest, errResponse.Error)
require.True(t, ok) },
},
var errResponse struct{ Error string }
err = json.Unmarshal(oauth2Err.Body, &errResponse)
require.NoError(t, err)
// invalid_grant must be returned for invalid values
// https://tools.ietf.org/html/rfc6749#section-5.2
require.Equal(t, errInvalidGrant, errResponse.Error)
}
w.WriteHeader(http.StatusOK)
}))
defer oauth2Client.server.Close()
redirectURL := oauth2Client.server.URL + "/callback"
client := storage.Client{
ID: "testclient",
Secret: "testclientsecret",
RedirectURIs: []string{redirectURL},
}
err = s.storage.CreateClient(client)
require.NoError(t, err)
oauth2Client.config = &oauth2.Config{
ClientID: client.ID,
ClientSecret: client.Secret,
Endpoint: p.Endpoint(),
Scopes: []string{oidc.ScopeOpenID, "email", "offline_access"},
RedirectURL: redirectURL,
} }
resp, err := http.Get(oauth2Client.server.URL + "/login") for _, tc := range tests {
require.NoError(t, err) t.Run(tc.name, func(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
resp.Body.Close() httpServer, s := newTestServer(ctx, t, func(c *Config) { c.Issuer += "/non-root-path" })
defer httpServer.Close()
p, err := oidc.NewProvider(ctx, httpServer.URL)
require.NoError(t, err)
var oauth2Client oauth2Client
oauth2Client.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/callback" {
http.Redirect(w, r, oauth2Client.config.AuthCodeURL(""), http.StatusSeeOther)
return
}
q := r.URL.Query()
require.Equal(t, q.Get("error"), "", q.Get("error_description"))
code := q.Get("code")
tc.handleCode(t, ctx, oauth2Client.config, code)
w.WriteHeader(http.StatusOK)
}))
defer oauth2Client.server.Close()
redirectURL := oauth2Client.server.URL + "/callback"
client := storage.Client{
ID: "testclient",
Secret: "testclientsecret",
RedirectURIs: []string{redirectURL},
}
err = s.storage.CreateClient(client)
require.NoError(t, err)
oauth2Client.config = &oauth2.Config{
ClientID: client.ID,
ClientSecret: client.Secret,
Endpoint: p.Endpoint(),
Scopes: []string{oidc.ScopeOpenID, "email", "offline_access"},
RedirectURL: redirectURL,
}
resp, err := http.Get(oauth2Client.server.URL + "/login")
require.NoError(t, err)
resp.Body.Close()
})
}
} }