1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
package middleware
import (
"context"
"net/http"
"os"
"testing"
"time"
"github.com/oauth2-proxy/mockoidc"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/x"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
"golang.org/x/oauth2"
)
func TestIDToken(t *testing.T) {
srv := test.NewOIDCServer(t)
defer srv.Close()
client := &http.Client{Transport: &web.Transport{Logger: log.New(os.Stdout, log.Fields{})}}
cfg := srv.MockOIDC.Config()
ctx := context.WithValue(t.Context(), oauth2.HTTPClient, client)
openID, err := oidc.New(
ctx,
srv.Issuer(),
cfg.ClientID,
cfg.ClientSecret,
"https://example.com/oauth/callback",
)
require.NoError(t, err)
middleware := IDToken(openID)
t.Run("when an active session cookie is provided", func(t *testing.T) {
t.Run("attaches the token to the request context", func(t *testing.T) {
user := mockoidc.DefaultUser()
token, rawIDToken := srv.CreateTokensFor(user)
tokens := &oidc.Tokens{Token: token, IDToken: oidc.RawToken(rawIDToken)}
encoded := x.Must(tokens.ToBase64String())
server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
token := key.IDToken.From(r.Context())
require.NotNil(t, token)
assert.Equal(t, user.Subject, token.Subject)
w.WriteHeader(http.StatusTeapot)
}))
r, w := test.RequestResponse(
"GET",
"/example",
test.WithCookie(cookie.New("session", encoded, time.Now().Add(1*time.Hour))),
)
server.ServeHTTP(w, r)
assert.Equal(t, http.StatusTeapot, w.Code)
})
})
t.Run("when an invalid session cookie is provided", func(t *testing.T) {
t.Run("forwards the request", func(t *testing.T) {
server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
require.Nil(t, key.IDToken.From(r.Context()))
w.WriteHeader(http.StatusTeapot)
}))
r, w := test.RequestResponse(
"GET",
"/example",
test.WithCookie(cookie.New("session", "invalid", time.Now().Add(1*time.Hour))),
)
server.ServeHTTP(w, r)
assert.Equal(t, http.StatusTeapot, w.Code)
})
})
t.Run("when no cookies are provided", func(t *testing.T) {
t.Run("forwards the request", func(t *testing.T) {
server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
require.Nil(t, key.IDToken.From(r.Context()))
w.WriteHeader(http.StatusTeapot)
}))
r, w := test.RequestResponse("GET", "/example")
server.ServeHTTP(w, r)
assert.Equal(t, http.StatusTeapot, w.Code)
})
})
}
|
