authormo khan <mo@mokhan.ca>2025-04-14 15:53:32 -0600
committermo khan <mo@mokhan.ca>2025-04-14 15:53:32 -0600
commitb12eb55fdb603290e3bc62880f6e9dff538571de (patch)
treea9cfde922e251391f0618f9837d7b63a94156664 /app/controllers/sessions
parentbb577738ac0359f8c8da0902b5c18af789ddf29d (diff)
feat: connect the sessions controller to oidc provider
Diffstat (limited to 'app/controllers/sessions')
-rw-r--r--app/controllers/sessions/controller.go13
-rw-r--r--app/controllers/sessions/controller_test.go56
2 files changed, 42 insertions, 27 deletions
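--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -3,19 +3,16 @@ package sessions
 import (
 "net/http"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 "golang.org/x/oauth2"
 )
 type Controller struct {
- audience string
- cfg *oauth2.Config
+ cfg *oidc.OpenID
 }
-func New(cfg *oauth2.Config, audience string) *Controller {
- return &Controller{
- audience: audience,
- cfg: cfg,
- }
+func New(cfg *oidc.OpenID) *Controller {
+ return &Controller{cfg: cfg}
 }
 func (c *Controller) MountTo(mux *http.ServeMux) {
@@ -25,6 +22,6 @@ func (c *Controller) MountTo(mux *http.ServeMux) {
 func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
 w.WriteHeader(http.StatusFound)
- url := c.cfg.AuthCodeURL("csrf-token", oauth2.SetAuthURLParam("audience", c.audience))
+ url := c.cfg.Config.AuthCodeURL("todo-csrf-token", oauth2.SetAuthURLParam("audience", "todo"))
 http.Redirect(w, r, url, http.StatusFound)
 }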
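Review bot: The `state` handed to `AuthCodeURL` on the new line in `Controller.New` is the constant `"todo-csrf-token"`, so the callback has no per-request value to compare against and cannot tie an authorization response to the browser that started the flow; the old `"csrf-token"` had the same shape, but this change also drops the `audience` parameter from the constructor in favour of the literal `"todo"`, which makes the value unconfigurable. Generate the state per request from `crypto/rand`, keep it in a short-lived cookie or server-side session, and verify it at the callback, and keep the audience as a constructor argument or an `oidc.OpenID` setting rather than a literal. The unchanged context line `w.WriteHeader(http.StatusFound)` runs before `http.Redirect`, which only sets `Location` after that call; with a real `http.ResponseWriter` headers set after `WriteHeader` are not sent, so the redirect would likely go out without `Location` (the test's recorder still exposes it through `w.Header()`), and `http.Redirect` alone already writes the 302. `Controller` and `New` remain exported without doc comments, e.g. `// New returns a Controller that redirects sign-in requests to the discovered OIDC authorization endpoint.` The body of `MountTo` lies outside the hunk.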
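--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -2,31 +2,50 @@ package sessions
 import (
 "net/http"
+ "net/http/httptest"
 "net/url"
+ "strings"
 "testing"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
+ "github.com/xlgmokha/x/pkg/serde"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
- "golang.org/x/oauth2"
 )
 func TestSessions(t *testing.T) {
- audience := "https://sparklelab.example.com"
- cfg := &oauth2.Config{
- ClientID: "client_id",
- ClientSecret: "client_secret",
- RedirectURL: audience + "/callback",
- Scopes: []string{"openid"},
- Endpoint: oauth2.Endpoint{
- AuthStyle: oauth2.AuthStyleAutoDetect,
- AuthURL: "https://gitlab.com/oauth/authorize",
- DeviceAuthURL: "https://gitlab.com/oauth/authorize",
- TokenURL: "https://gitlab.com/oauth/token",
- },
+ srv := httptest.NewServer(nil)
+ srv.Config = &http.Server{
+ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ require.Equal(t, "/.well-known/openid-configuration", r.URL.Path)
+ require.NoError(t, serde.ToJSON(w, &oidc.Metadata{
+ AuthorizationEndpoint: srv.URL + "/oauth/authorize",
+ ClaimsSupported: []string{"aud"},
+ CodeChallengeMethodsSupported: []string{"plain"},
+ DeviceAuthorizationEndpoint: srv.URL + "/device/authorize",
+ IDTokenSigningAlgValuesSupported: []string{"RS256"},
+ Issuer: srv.URL,
+ JWKSURI: srv.URL + "/jwks",
+ MFAChallengeEndpoint: srv.URL + "/mfa",
+ RegistrationEndpoint: srv.URL + "/users/new",
+ RequestURIParameterSupported: false,
+ ResponseModesSupported: []string{"query"},
+ ResponseTypeSupported: []string{"code"},
+ RevocationEndpoint: srv.URL + "/revoke",
+ ScopesSupported: []string{"oidc"},
+ SubjectTypesSupported: []string{"public"},
+ TokenEndpoint: srv.URL + "/token",
+ TokenEndpointAuthMethodsSupported: []string{"client_secret_post"},
+ UserInfoEndpoint: srv.URL + "/users/me",
+ }))
+ }),
 }
+ defer srv.Close()
- controller := New(cfg, audience)
+ cfg, err := oidc.New(t.Context(), srv.URL, "client_id", "client_secret", "callback_url")
+ require.NoError(t, err)
+ controller := New(cfg)
 mux := http.NewServeMux()
 controller.MountTo(mux)
@@ -41,14 +60,13 @@ func TestSessions(t *testing.T) {
 require.NotEmpty(t, w.Header().Get("Location"))
 redirectURL, err := url.Parse(w.Header().Get("Location"))
 require.NoError(t, err)
- assert.Equal(t, "https", redirectURL.Scheme)
- assert.Equal(t, "gitlab.com", redirectURL.Host)
+ assert.Equal(t, strings.TrimPrefix(srv.URL, "http://"), redirectURL.Host)
 assert.Equal(t, "/oauth/authorize", redirectURL.Path)
 assert.NotEmpty(t, redirectURL.Query().Get("state"))
 assert.Equal(t, "client_id", redirectURL.Query().Get("client_id"))
- assert.Equal(t, "openid", redirectURL.Query().Get("scope"))
- assert.Equal(t, audience, redirectURL.Query().Get("audience"))
- assert.Equal(t, cfg.RedirectURL, redirectURL.Query().Get("redirect_uri"))
+ assert.Equal(t, "openid profile email", redirectURL.Query().Get("scope"))
+ assert.Equal(t, "todo", redirectURL.Query().Get("audience"))
+ assert.Equal(t, cfg.Config.RedirectURL, redirectURL.Query().Get("redirect_uri"))
 assert.Equal(t, "code", redirectURL.Query().Get("response_type"))
 })
 })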
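Review bot: `srv.Config` is replaced after `httptest.NewServer(nil)` has already started the server, so which `*http.Server` answers the discovery request appears to depend on when the serving goroutine reads `srv.Config`, and the replacement handler sits outside httptest's connection tracking for `Close`; declaring `var srv *httptest.Server` first and then calling `srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {` with the same body, closed by `}))`, keeps the closure's reference to `srv.URL` and lets httptest wrap the handler itself. The `require.Equal`/`require.NoError` calls inside that handler execute on the server's goroutine, where `FailNow` is not permitted; report with `t.Errorf` or respond with `http.Error(w, "not found", http.StatusNotFound)` and let `oidc.New` return the failure. In the second hunk the assertions pin the placeholder audience `"todo"` and only check that `state` is non-empty, which a constant state satisfies, so consider asserting that two `GET` requests yield different `state` values once the controller randomizes it. `TestSessions` starts and ends outside the hunks.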