summaryrefslogtreecommitdiff
path: root/internal/oidc/client_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'internal/oidc/client_test.go')
-rw-r--r--internal/oidc/client_test.go221
1 files changed, 161 insertions, 60 deletions
diff --git a/internal/oidc/client_test.go b/internal/oidc/client_test.go
index 1546644c2..a4be63346 100644
--- a/internal/oidc/client_test.go
+++ b/internal/oidc/client_test.go
@@ -7,6 +7,7 @@ import (
"github.com/ory/fosite"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
+ "gopkg.in/square/go-jose.v2"
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/authorization"
@@ -15,36 +16,136 @@ import (
)
func TestNewClient(t *testing.T) {
- blankConfig := schema.OpenIDConnectClientConfiguration{}
- blankClient := NewClient(blankConfig)
- assert.Equal(t, "", blankClient.ID)
- assert.Equal(t, "", blankClient.Description)
- assert.Equal(t, "", blankClient.Description)
- assert.Len(t, blankClient.ResponseModes, 0)
-
- exampleConfig := schema.OpenIDConnectClientConfiguration{
- ID: "myapp",
- Description: "My App",
- Policy: "two_factor",
- Secret: MustDecodeSecret("$plaintext$abcdef"),
- RedirectURIs: []string{"https://google.com/callback"},
+ config := schema.OpenIDConnectClientConfiguration{}
+ client := NewClient(config)
+ assert.Equal(t, "", client.GetID())
+ assert.Equal(t, "", client.GetDescription())
+ assert.Len(t, client.GetResponseModes(), 0)
+ assert.Len(t, client.GetResponseTypes(), 1)
+ assert.Equal(t, "", client.GetSectorIdentifier())
+
+ bclient, ok := client.(*BaseClient)
+ require.True(t, ok)
+ assert.Equal(t, "", bclient.UserinfoSigningAlgorithm)
+ assert.Equal(t, SigningAlgorithmNone, client.GetUserinfoSigningAlgorithm())
+
+ _, ok = client.(*FullClient)
+ assert.False(t, ok)
+
+ config = schema.OpenIDConnectClientConfiguration{
+ ID: myclient,
+ Description: myclientdesc,
+ Policy: twofactor,
+ Secret: MustDecodeSecret(badsecret),
+ RedirectURIs: []string{examplecom},
Scopes: schema.DefaultOpenIDConnectClientConfiguration.Scopes,
ResponseTypes: schema.DefaultOpenIDConnectClientConfiguration.ResponseTypes,
GrantTypes: schema.DefaultOpenIDConnectClientConfiguration.GrantTypes,
ResponseModes: schema.DefaultOpenIDConnectClientConfiguration.ResponseModes,
}
- exampleClient := NewClient(exampleConfig)
- assert.Equal(t, "myapp", exampleClient.ID)
- require.Len(t, exampleClient.ResponseModes, 3)
- assert.Equal(t, fosite.ResponseModeFormPost, exampleClient.ResponseModes[0])
- assert.Equal(t, fosite.ResponseModeQuery, exampleClient.ResponseModes[1])
- assert.Equal(t, fosite.ResponseModeFragment, exampleClient.ResponseModes[2])
- assert.Equal(t, authorization.TwoFactor, exampleClient.Policy)
+ client = NewClient(config)
+ assert.Equal(t, myclient, client.GetID())
+ require.Len(t, client.GetResponseModes(), 1)
+ assert.Equal(t, fosite.ResponseModeFormPost, client.GetResponseModes()[0])
+ assert.Equal(t, authorization.TwoFactor, client.GetAuthorizationPolicy())
+
+ config = schema.OpenIDConnectClientConfiguration{
+ TokenEndpointAuthMethod: ClientAuthMethodClientSecretBasic,
+ }
+
+ client = NewClient(config)
+
+ fclient, ok := client.(*FullClient)
+
+ var niljwks *jose.JSONWebKeySet
+
+ require.True(t, ok)
+ assert.Equal(t, "", fclient.UserinfoSigningAlgorithm)
+ assert.Equal(t, ClientAuthMethodClientSecretBasic, fclient.TokenEndpointAuthMethod)
+ assert.Equal(t, ClientAuthMethodClientSecretBasic, fclient.GetTokenEndpointAuthMethod())
+ assert.Equal(t, SigningAlgorithmNone, client.GetUserinfoSigningAlgorithm())
+ assert.Equal(t, "", fclient.TokenEndpointAuthSigningAlgorithm)
+ assert.Equal(t, SigningAlgorithmRSAWithSHA256, fclient.GetTokenEndpointAuthSigningAlgorithm())
+ assert.Equal(t, "", fclient.RequestObjectSigningAlgorithm)
+ assert.Equal(t, "", fclient.GetRequestObjectSigningAlgorithm())
+ assert.Equal(t, "", fclient.JSONWebKeysURI)
+ assert.Equal(t, "", fclient.GetJSONWebKeysURI())
+ assert.Equal(t, niljwks, fclient.JSONWebKeys)
+ assert.Equal(t, niljwks, fclient.GetJSONWebKeys())
+ assert.Equal(t, []string(nil), fclient.RequestURIs)
+ assert.Equal(t, []string(nil), fclient.GetRequestURIs())
+}
+
+func TestBaseClient_ValidatePARPolicy(t *testing.T) {
+ testCases := []struct {
+ name string
+ client *BaseClient
+ have *fosite.Request
+ expected string
+ }{
+ {
+ "ShouldNotEnforcePAR",
+ &BaseClient{
+ EnforcePAR: false,
+ },
+ &fosite.Request{},
+ "",
+ },
+ {
+ "ShouldEnforcePARAndErrorWithoutCorrectRequestURI",
+ &BaseClient{
+ EnforcePAR: true,
+ },
+ &fosite.Request{
+ Form: map[string][]string{
+ FormParameterRequestURI: {"https://google.com"},
+ },
+ },
+ "invalid_request",
+ },
+ {
+ "ShouldEnforcePARAndErrorWithEmptyRequestURI",
+ &BaseClient{
+ EnforcePAR: true,
+ },
+ &fosite.Request{
+ Form: map[string][]string{
+ FormParameterRequestURI: {""},
+ },
+ },
+ "invalid_request",
+ },
+ {
+ "ShouldEnforcePARAndNotErrorWithCorrectRequestURI",
+ &BaseClient{
+ EnforcePAR: true,
+ },
+ &fosite.Request{
+ Form: map[string][]string{
+ FormParameterRequestURI: {urnPARPrefix + "abc"},
+ },
+ },
+ "",
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ err := tc.client.ValidatePARPolicy(tc.have, urnPARPrefix)
+
+ switch tc.expected {
+ case "":
+ assert.NoError(t, err)
+ default:
+ assert.EqualError(t, err, tc.expected)
+ }
+ })
+ }
}
func TestIsAuthenticationLevelSufficient(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
c.Policy = authorization.Bypass
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.NotAuthenticated))
@@ -68,7 +169,7 @@ func TestIsAuthenticationLevelSufficient(t *testing.T) {
}
func TestClient_GetConsentResponseBody(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
consentRequestBody := c.GetConsentResponseBody(nil)
assert.Equal(t, "", consentRequestBody.ClientID)
@@ -76,56 +177,56 @@ func TestClient_GetConsentResponseBody(t *testing.T) {
assert.Equal(t, []string(nil), consentRequestBody.Scopes)
assert.Equal(t, []string(nil), consentRequestBody.Audience)
- c.ID = "myclient"
- c.Description = "My Client"
+ c.ID = myclient
+ c.Description = myclientdesc
consent := &model.OAuth2ConsentSession{
- RequestedAudience: []string{"https://example.com"},
- RequestedScopes: []string{"openid", "groups"},
+ RequestedAudience: []string{examplecom},
+ RequestedScopes: []string{ScopeOpenID, ScopeGroups},
}
- expectedScopes := []string{"openid", "groups"}
- expectedAudiences := []string{"https://example.com"}
+ expectedScopes := []string{ScopeOpenID, ScopeGroups}
+ expectedAudiences := []string{examplecom}
consentRequestBody = c.GetConsentResponseBody(consent)
- assert.Equal(t, "myclient", consentRequestBody.ClientID)
- assert.Equal(t, "My Client", consentRequestBody.ClientDescription)
+ assert.Equal(t, myclient, consentRequestBody.ClientID)
+ assert.Equal(t, myclientdesc, consentRequestBody.ClientDescription)
assert.Equal(t, expectedScopes, consentRequestBody.Scopes)
assert.Equal(t, expectedAudiences, consentRequestBody.Audience)
}
func TestClient_GetAudience(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
audience := c.GetAudience()
assert.Len(t, audience, 0)
- c.Audience = []string{"https://example.com"}
+ c.Audience = []string{examplecom}
audience = c.GetAudience()
require.Len(t, audience, 1)
- assert.Equal(t, "https://example.com", audience[0])
+ assert.Equal(t, examplecom, audience[0])
}
func TestClient_GetScopes(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
scopes := c.GetScopes()
assert.Len(t, scopes, 0)
- c.Scopes = []string{"openid"}
+ c.Scopes = []string{ScopeOpenID}
scopes = c.GetScopes()
require.Len(t, scopes, 1)
- assert.Equal(t, "openid", scopes[0])
+ assert.Equal(t, ScopeOpenID, scopes[0])
}
func TestClient_GetGrantTypes(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
grantTypes := c.GetGrantTypes()
require.Len(t, grantTypes, 1)
- assert.Equal(t, "authorization_code", grantTypes[0])
+ assert.Equal(t, GrantTypeAuthorizationCode, grantTypes[0])
c.GrantTypes = []string{"device_code"}
@@ -135,55 +236,55 @@ func TestClient_GetGrantTypes(t *testing.T) {
}
func TestClient_Hashing(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
hashedSecret := c.GetHashedSecret()
assert.Equal(t, []byte(nil), hashedSecret)
- c.Secret = MustDecodeSecret("$plaintext$a_bad_secret")
+ c.Secret = MustDecodeSecret(badsecret)
assert.True(t, c.Secret.MatchBytes([]byte("a_bad_secret")))
}
func TestClient_GetHashedSecret(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
hashedSecret := c.GetHashedSecret()
assert.Equal(t, []byte(nil), hashedSecret)
- c.Secret = MustDecodeSecret("$plaintext$a_bad_secret")
+ c.Secret = MustDecodeSecret(badsecret)
hashedSecret = c.GetHashedSecret()
- assert.Equal(t, []byte("$plaintext$a_bad_secret"), hashedSecret)
+ assert.Equal(t, []byte(badsecret), hashedSecret)
}
func TestClient_GetID(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
id := c.GetID()
assert.Equal(t, "", id)
- c.ID = "myid"
+ c.ID = myclient
id = c.GetID()
- assert.Equal(t, "myid", id)
+ assert.Equal(t, myclient, id)
}
func TestClient_GetRedirectURIs(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
redirectURIs := c.GetRedirectURIs()
require.Len(t, redirectURIs, 0)
- c.RedirectURIs = []string{"https://example.com/oauth2/callback"}
+ c.RedirectURIs = []string{examplecom}
redirectURIs = c.GetRedirectURIs()
require.Len(t, redirectURIs, 1)
- assert.Equal(t, "https://example.com/oauth2/callback", redirectURIs[0])
+ assert.Equal(t, examplecom, redirectURIs[0])
}
func TestClient_GetResponseModes(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
responseModes := c.GetResponseModes()
require.Len(t, responseModes, 0)
@@ -202,18 +303,18 @@ func TestClient_GetResponseModes(t *testing.T) {
}
func TestClient_GetResponseTypes(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
responseTypes := c.GetResponseTypes()
require.Len(t, responseTypes, 1)
- assert.Equal(t, "code", responseTypes[0])
+ assert.Equal(t, ResponseTypeAuthorizationCodeFlow, responseTypes[0])
- c.ResponseTypes = []string{"code", "id_token"}
+ c.ResponseTypes = []string{ResponseTypeAuthorizationCodeFlow, ResponseTypeImplicitFlowIDToken}
responseTypes = c.GetResponseTypes()
require.Len(t, responseTypes, 2)
- assert.Equal(t, "code", responseTypes[0])
- assert.Equal(t, "id_token", responseTypes[1])
+ assert.Equal(t, ResponseTypeAuthorizationCodeFlow, responseTypes[0])
+ assert.Equal(t, ResponseTypeImplicitFlowIDToken, responseTypes[1])
}
func TestNewClientPKCE(t *testing.T) {
@@ -290,9 +391,9 @@ func TestNewClientPKCE(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
client := NewClient(tc.have)
- assert.Equal(t, tc.expectedEnforcePKCE, client.EnforcePKCE)
- assert.Equal(t, tc.expectedEnforcePKCEChallengeMethod, client.EnforcePKCEChallengeMethod)
- assert.Equal(t, tc.expected, client.PKCEChallengeMethod)
+ assert.Equal(t, tc.expectedEnforcePKCE, client.GetPKCEEnforcement())
+ assert.Equal(t, tc.expectedEnforcePKCEChallengeMethod, client.GetPKCEChallengeMethodEnforcement())
+ assert.Equal(t, tc.expected, client.GetPKCEChallengeMethod())
if tc.r != nil {
err := client.ValidatePKCEPolicy(tc.r)
@@ -355,7 +456,7 @@ func TestNewClientPAR(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
client := NewClient(tc.have)
- assert.Equal(t, tc.expected, client.EnforcePAR)
+ assert.Equal(t, tc.expected, client.GetPAREnforcement())
if tc.r != nil {
err := client.ValidatePARPolicy(tc.r, urnPARPrefix)
@@ -437,7 +538,7 @@ func TestNewClientResponseModes(t *testing.T) {
}
func TestClient_IsPublic(t *testing.T) {
- c := Client{}
+ c := &FullClient{BaseClient: &BaseClient{}}
assert.False(t, c.IsPublic())