1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
package sessions
import (
"encoding/base64"
"encoding/json"
"net/http"
"net/url"
"testing"
"github.com/oauth2-proxy/mockoidc"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/xlgmokha/x/pkg/x"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
)
func TestSessions(t *testing.T) {
srv := test.NewOIDCServer(t)
defer srv.Close()
cfg, err := oidc.New(
t.Context(),
srv.Issuer(),
srv.MockOIDC.Config().ClientID,
srv.MockOIDC.Config().ClientSecret,
"callback_url",
)
require.NoError(t, err)
controller := New(cfg, http.DefaultClient)
mux := http.NewServeMux()
controller.MountTo(mux)
t.Run("GET /session/new", func(t *testing.T) {
t.Run("without an authenticated session", func(t *testing.T) {
t.Run("redirect to the OIDC Provider", func(t *testing.T) {
r, w := test.RequestResponse("GET", "/session/new")
mux.ServeHTTP(w, r)
require.Equal(t, http.StatusFound, w.Code)
require.NotEmpty(t, w.Header().Get("Location"))
redirectURL, err := url.Parse(w.Header().Get("Location"))
require.NoError(t, err)
assert.Equal(t, srv.AuthorizationEndpoint(), redirectURL.Scheme+"://"+redirectURL.Host+redirectURL.Path)
assert.NotEmpty(t, redirectURL.Query().Get("state"))
assert.Equal(t, srv.MockOIDC.Config().ClientID, redirectURL.Query().Get("client_id"))
assert.Equal(t, "openid profile email", redirectURL.Query().Get("scope"))
assert.Equal(t, "todo", redirectURL.Query().Get("audience"))
assert.Equal(t, cfg.Config.RedirectURL, redirectURL.Query().Get("redirect_uri"))
assert.Equal(t, "code", redirectURL.Query().Get("response_type"))
})
t.Run("generates a CSRF token", func(t *testing.T) {})
})
t.Run("with an active authenicated session", func(t *testing.T) {})
t.Run("with an expired authenicated session", func(t *testing.T) {})
})
t.Run("GET /session/callback", func(t *testing.T) {
t.Run("with an invalid csrf token", func(t *testing.T) {})
t.Run("with an invalid authorization code grant", func(t *testing.T) {
r, w := test.RequestResponse("GET", "/session/callback?code=invalid")
mux.ServeHTTP(w, r)
assert.Equal(t, http.StatusBadRequest, w.Code)
})
t.Run("with a valid authorization code grant", func(t *testing.T) {
user := mockoidc.DefaultUser()
code := srv.CreateAuthorizationCodeFor(user)
r, w := test.RequestResponse("GET", "/session/callback?code="+code)
mux.ServeHTTP(w, r)
cookies, err := http.ParseCookie(w.Header().Get("Set-Cookie"))
require.NoError(t, err)
cookie := x.Find(cookies, func(item *http.Cookie) bool {
return item.Name == "session"
})
require.NotZero(t, cookie)
data, err := base64.URLEncoding.DecodeString(cookie.Value)
require.NoError(t, err)
tokens := map[string]interface{}{}
require.NoError(t, json.Unmarshal(data, &tokens))
t.Run("stores the id token in a session cookie", func(t *testing.T) {
assert.NotEmpty(t, tokens["id_token"])
})
t.Run("stores the access token in a session cookie", func(t *testing.T) {
assert.NotEmpty(t, tokens["access_token"])
assert.Equal(t, "bearer", tokens["token_type"])
})
t.Run("stores the refresh token in a session cookie", func(t *testing.T) {
assert.NotEmpty(t, tokens["refresh_token"])
})
t.Run("redirects to the homepage", func(t *testing.T) {
require.Equal(t, http.StatusFound, w.Code)
assert.Equal(t, "/dashboard", w.Header().Get("Location"))
})
})
})
}
|
