Diffstat (limited to 'app')
-rw-r--r--app/controllers/sessions/service_test.go87
1 files changed, 86 insertions, 1 deletions
diff --git a/app/controllers/sessions/service_test.go b/app/controllers/sessions/service_test.go
index 5f270f0..f85c9be 100644
--- a/app/controllers/sessions/service_test.go
+++ b/app/controllers/sessions/service_test.go
@@ -1,9 +1,94 @@
package sessions
-import "testing"
+import (
+ "net/http"
+ "testing"
+ "time"
+
+ "github.com/oauth2-proxy/mockoidc"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
+)
func TestService(t *testing.T) {
+ srv := test.NewOIDCServer(t)
+ defer srv.Close()
+
+ clientID := srv.MockOIDC.Config().ClientID
+ clientSecret := srv.MockOIDC.Config().ClientSecret
+ cfg, err := oidc.New(
+ t.Context(),
+ srv.Issuer(),
+ clientID,
+ clientSecret,
+ "/session/callback",
+ )
+ require.NoError(t, err)
+ svc := NewService(cfg, http.DefaultClient)
+
t.Run("Exchange", func(t *testing.T) {
+ t.Run("when the csrf token is missing", func(t *testing.T) {
+ r := test.Request("GET", "/session/callback")
+ tokens, err := svc.Exchange(r)
+
+ require.Error(t, err)
+ assert.Nil(t, tokens)
+ })
+
+ t.Run("when the csrf token is invalid", func(t *testing.T) {
+ user := mockoidc.DefaultUser()
+ code := srv.CreateAuthorizationCodeFor(user)
+ nonce := pls.GenerateRandomHex(32)
+
+ r := test.Request(
+ "GET",
+ "/session/callback?code="+code+"&state=invalid",
+ test.WithCookie(cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute))),
+ )
+ tokens, err := svc.Exchange(r)
+
+ require.Error(t, err)
+ assert.Nil(t, tokens)
+ })
+
+ t.Run("with an invalid authorization code grant", func(t *testing.T) {
+ nonce := pls.GenerateRandomHex(32)
+
+ r := test.Request(
+ "GET", "/session/callback?code=invalid",
+ test.WithCookie(cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute))),
+ )
+
+ tokens, err := svc.Exchange(r)
+
+ require.Error(t, err)
+ assert.Nil(t, tokens)
+ })
+
+ t.Run("with a valid grant", func(t *testing.T) {
+ user := mockoidc.DefaultUser()
+ code := srv.CreateAuthorizationCodeFor(user)
+ nonce := pls.GenerateRandomHex(32)
+
+ r := test.Request(
+ "GET",
+ "/session/callback?code="+code+"&state="+nonce,
+ test.WithCookie(cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute))),
+ )
+
+ tokens, err := svc.Exchange(r)
+ require.NoError(t, err)
+ assert.NotNil(t, tokens)
+ assert.NotEmpty(t, tokens.AccessToken)
+ assert.NotEmpty(t, tokens.Expiry)
+ assert.NotEmpty(t, tokens.TokenType)
+ assert.NotEmpty(t, tokens.RefreshToken)
+ assert.NotEmpty(t, tokens.IDToken)
+ })
})
}
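Review bot: The "with an invalid authorization code grant" case sends `?code=invalid` with no `state` query parameter, so `svc.Exchange` most likely rejects the request at the CSRF/state comparison before the code is ever presented to the issuer, and the test would keep passing even if a failed code exchange were mishandled. To actually reach the exchange path, pair the cookie nonce with the state parameter: `"GET", "/session/callback?code=invalid&state="+nonce,`. The three failure cases only assert `require.Error`; if the service exposes distinguishable errors, checking them with `errors.Is`/`errors.As` would tell a CSRF rejection apart from an exchange failure. Two further cases would round out the CSRF coverage: a matching `state` with no `oauth_state` cookie, and an `oauth_state` cookie whose expiry is already in the past.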