Skip to content
Snippets Groups Projects
oauth2_test.go 4.11 KiB
Newer Older
  • Learn to ignore specific revisions
  • Eric Chiang's avatar
    Eric Chiang committed
    package server
    
    
    import (
    	"context"
    	"net/http/httptest"
    	"net/url"
    	"testing"
    
    
    	jose "gopkg.in/square/go-jose.v2"
    
    
    	"github.com/coreos/dex/storage"
    )
    
    func TestParseAuthorizationRequest(t *testing.T) {
    	tests := []struct {
    		name                   string
    		clients                []storage.Client
    		supportedResponseTypes []string
    
    		queryParams map[string]string
    
    		wantErr bool
    	}{
    		{
    			name: "normal request",
    			clients: []storage.Client{
    				{
    					ID:           "foo",
    					RedirectURIs: []string{"https://example.com/foo"},
    				},
    			},
    			supportedResponseTypes: []string{"code"},
    			queryParams: map[string]string{
    				"client_id":     "foo",
    				"redirect_uri":  "https://example.com/foo",
    				"response_type": "code",
    				"scope":         "openid email profile",
    			},
    		},
    		{
    			name: "invalid client id",
    			clients: []storage.Client{
    				{
    					ID:           "foo",
    					RedirectURIs: []string{"https://example.com/foo"},
    				},
    			},
    			supportedResponseTypes: []string{"code"},
    			queryParams: map[string]string{
    				"client_id":     "bar",
    				"redirect_uri":  "https://example.com/foo",
    				"response_type": "code",
    				"scope":         "openid email profile",
    			},
    			wantErr: true,
    		},
    		{
    			name: "invalid redirect uri",
    			clients: []storage.Client{
    				{
    					ID:           "bar",
    					RedirectURIs: []string{"https://example.com/bar"},
    				},
    			},
    			supportedResponseTypes: []string{"code"},
    			queryParams: map[string]string{
    				"client_id":     "bar",
    				"redirect_uri":  "https://example.com/foo",
    				"response_type": "code",
    				"scope":         "openid email profile",
    			},
    			wantErr: true,
    		},
    		{
    			name: "implicit flow",
    			clients: []storage.Client{
    				{
    					ID:           "bar",
    					RedirectURIs: []string{"https://example.com/bar"},
    				},
    			},
    			supportedResponseTypes: []string{"code", "id_token", "token"},
    			queryParams: map[string]string{
    				"client_id":     "bar",
    				"redirect_uri":  "https://example.com/bar",
    				"response_type": "code id_token",
    				"scope":         "openid email profile",
    			},
    		},
    		{
    			name: "unsupported response type",
    			clients: []storage.Client{
    				{
    					ID:           "bar",
    					RedirectURIs: []string{"https://example.com/bar"},
    				},
    			},
    			supportedResponseTypes: []string{"code"},
    			queryParams: map[string]string{
    				"client_id":     "bar",
    				"redirect_uri":  "https://example.com/bar",
    				"response_type": "code id_token",
    				"scope":         "openid email profile",
    			},
    			wantErr: true,
    		},
    		{
    			name: "only token response type",
    			clients: []storage.Client{
    				{
    					ID:           "bar",
    					RedirectURIs: []string{"https://example.com/bar"},
    				},
    			},
    			supportedResponseTypes: []string{"code", "id_token", "token"},
    			queryParams: map[string]string{
    				"client_id":     "bar",
    				"redirect_uri":  "https://example.com/bar",
    				"response_type": "token",
    				"scope":         "openid email profile",
    			},
    			wantErr: true,
    		},
    	}
    
    	for _, tc := range tests {
    		func() {
    			ctx, cancel := context.WithCancel(context.Background())
    			defer cancel()
    
    			httpServer, server := newTestServer(ctx, t, func(c *Config) {
    				c.SupportedResponseTypes = tc.supportedResponseTypes
    				c.Storage = storage.WithStaticClients(c.Storage, tc.clients)
    			})
    			defer httpServer.Close()
    
    			params := url.Values{}
    			for k, v := range tc.queryParams {
    				params.Set(k, v)
    			}
    
    			req := httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
    			_, err := server.parseAuthorizationRequest(req)
    			if err != nil && !tc.wantErr {
    				t.Errorf("%s: %v", tc.name, err)
    			}
    			if err == nil && tc.wantErr {
    				t.Errorf("%s: expected error", tc.name)
    			}
    		}()
    	}
    }
    
    
    const (
    	// at_hash value and access_token returned by Google.
    	googleAccessTokenHash = "piwt8oCH-K2D9pXlaS1Y-w"
    	googleAccessToken     = "ya29.CjHSA1l5WUn8xZ6HanHFzzdHdbXm-14rxnC7JHch9eFIsZkQEGoWzaYG4o7k5f6BnPLj"
    	googleSigningAlg      = jose.RS256
    )
    
    func TestAccessTokenHash(t *testing.T) {
    	atHash, err := accessTokenHash(googleSigningAlg, googleAccessToken)
    	if err != nil {
    		t.Fatal(err)
    	}
    	if atHash != googleAccessTokenHash {
    		t.Errorf("expected %q got %q", googleAccessTokenHash, atHash)
    	}
    }