feat: start to build a session controller to interact with an oidc provider

2 files changed, 77 insertions, 0 deletions

diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
new file mode 100644
index 0000000..9340ab6
--- /dev/null
+++ b/app/controllers/sessions/controller.go
@@ -0,0 +1,26 @@
+package sessions
+
+import (
+	"net/http"
+
+	"golang.org/x/oauth2"
+)
+
+type Controller struct {
+	cfg *oauth2.Config
+}
+
+func New(cfg *oauth2.Config) *Controller {
+	return &Controller{cfg: cfg}
+}
+
+func (c *Controller) MountTo(mux *http.ServeMux) {
+	mux.HandleFunc("GET /session/new", c.New)
+}
+
+func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusFound)
+
+	url := c.cfg.AuthCodeURL("csrf-token", oauth2.SetAuthURLParam("audience", "sparklelab.example.com"))
+	http.Redirect(w, r, url, http.StatusFound)
+}
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
new file mode 100644
index 0000000..eeafd60
--- /dev/null
+++ b/app/controllers/sessions/controller_test.go
@@ -0,0 +1,51 @@
+package sessions
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
+	"golang.org/x/oauth2"
+)
+
+func TestSessions(t *testing.T) {
+	cfg := &oauth2.Config{
+		ClientID:    "client_id",
+		RedirectURL: "https://sparklelab.example.com/callback",
+		Scopes:      []string{"openid"},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://gitlab.com/oauth/authorize",
+			TokenURL: "https://gitlab.com/oauth/token",
+		},
+	}
+
+	controller := New(cfg)
+	mux := http.NewServeMux()
+	controller.MountTo(mux)
+
+	t.Run("GET /", func(t *testing.T) {
+		t.Run("Without an authenticated session", func(t *testing.T) {
+			t.Run("redirect to the OIDC Provider", func(t *testing.T) {
+				r, w := test.RequestResponse("GET", "/session/new")
+
+				mux.ServeHTTP(w, r)
+
+				require.Equal(t, http.StatusFound, w.Code)
+				require.NotEmpty(t, w.Header().Get("Location"))
+				redirectURL, err := url.Parse(w.Header().Get("Location"))
+				require.NoError(t, err)
+				assert.Equal(t, "https", redirectURL.Scheme)
+				assert.Equal(t, "gitlab.com", redirectURL.Host)
+				assert.Equal(t, "/oauth/authorize", redirectURL.Path)
+				assert.NotEmpty(t, redirectURL.Query().Get("state"))
+				assert.Equal(t, "client_id", redirectURL.Query().Get("client_id"))
+				assert.Equal(t, "openid", redirectURL.Query().Get("scope"))
+				assert.Equal(t, "https://sparklelab.example.com/callback", redirectURL.Query().Get("redirect_uri"))
+				assert.Equal(t, "code", redirectURL.Query().Get("response_type"))
+			})
+		})
+	})
+}