test/e2e_test.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

package main

import (
	"bytes"
	"context"
	"net/http"
	"net/url"
	"strings"
	"testing"
	"time"

	"github.com/playwright-community/playwright-go"
	"github.com/stretchr/testify/assert"
	"github.com/xlgmokha/x/pkg/env"
	"github.com/xlgmokha/x/pkg/serde"
	"github.com/xlgmokha/x/pkg/x"
	"golang.org/x/oauth2"
)

func TestAuthx(t *testing.T) {
	_ = playwright.Install()

	pw := x.Must(playwright.Run())
	browser := x.Must(pw.Chromium.Launch(playwright.BrowserTypeLaunchOptions{
		Headless: playwright.Bool(env.Fetch("HEADLESS", "true") == "true"),
		SlowMo:   playwright.Float(1000),
	}))
	page := x.Must(browser.NewPage())

	client := &http.Client{Timeout: 2 * time.Second}

	defer func() {
		x.Check(browser.Close())
		x.Check(pw.Stop())
	}()

	t.Run("SAML", func(t *testing.T) {
		t.Run("IdP", func(t *testing.T) {
			t.Run("metadata.xml", func(t *testing.T) {
				response := x.Must(http.Get("http://idp.example.com:8080/saml/metadata.xml"))
				assert.Equal(t, http.StatusOK, response.StatusCode)
			})
		})

		t.Run("SP", func(t *testing.T) {
			t.Run("metadata.xml", func(t *testing.T) {
				response := x.Must(http.Get("http://ui.example.com:8080/saml/metadata.xml"))
				assert.Equal(t, http.StatusOK, response.StatusCode)
			})

			t.Run("ACS", func(t *testing.T) {
				x.Must(page.Goto("http://ui.example.com:8080/saml/new"))
				action := x.Must(page.Locator("#idp-form").GetAttribute("action"))
				assert.Equal(t, "http://idp.example.com:8080/saml/new", action)
				assert.NoError(t, page.Locator("#submit-button").Click())

				action = x.Must(page.Locator("#postback-form").GetAttribute("action"))
				assert.Equal(t, "http://ui.example.com:8080/saml/assertions", action)
				assert.NoError(t, page.Locator("#submit-button").Click())
				assert.Contains(t, x.Must(page.Content()), "Received SAML Response")
			})
		})
	})

	t.Run("OIDC", func(t *testing.T) {
		t.Run("login", func(t *testing.T) {
			x.Must(page.Goto("http://ui.example.com:8080/oidc/new"))
			assert.Contains(t, page.URL(), "http://idp.example.com:8080/oauth/authorize")
			assert.NoError(t, page.Locator("#submit-button").Click())

			assert.Contains(t, page.URL(), "http://ui.example.com:8080/oauth/callback")
			content := x.Must(page.Locator("pre").First().InnerText())
			item := x.Must(serde.FromJSON[oauth2.Token](strings.NewReader(content)))
			assert.NotEmpty(t, item.AccessToken)
			assert.Equal(t, "Bearer", item.TokenType)
			assert.NotEmpty(t, item.RefreshToken)

			response := x.Must(http.Get("http://api.example.com:8080/projects.json"))
			assert.Equal(t, http.StatusOK, response.StatusCode)
			projects := x.Must(serde.FromJSON[[]map[string]string](response.Body))
			assert.NotNil(t, projects)

			io := bytes.NewBuffer(nil)
			assert.NoError(t, serde.ToJSON(io, map[string]string{"name": "example"}))
			request := x.Must(http.NewRequestWithContext(t.Context(), "POST", "http://api.example.com:8080/projects", io))
			request.Header.Add("Authorization", "Bearer "+item.AccessToken)
			response = x.Must(client.Do(request))
			assert.Equal(t, http.StatusCreated, response.StatusCode)
			project := x.Must(serde.FromJSON[map[string]string](response.Body))
			assert.Equal(t, "example", project["name"])
		})
	})

	t.Run("OAuth", func(t *testing.T) {
		conf := &oauth2.Config{
			ClientID:     "client_id",
			ClientSecret: "client_secret",
			Scopes:       []string{"openid"},
			Endpoint: oauth2.Endpoint{
				TokenURL: "http://idp.example.com:8080/oauth/token",
				AuthURL:  "http://idp.example.com:8080/oauth/authorize",
			},
		}

		t.Run("authorization code grant", func(t *testing.T) {
			authURL := conf.AuthCodeURL(
				"state",
				oauth2.SetAuthURLParam("client_id", "client_id"),
				oauth2.SetAuthURLParam("scope", "openid"),
				oauth2.SetAuthURLParam("redirect_uri", "http://example.org/oauth/callback"),
				oauth2.SetAuthURLParam("response_type", "code"),
				oauth2.SetAuthURLParam("response_mode", "fragment"),
			)
			x.Must(page.Goto(authURL))
			assert.NoError(t, page.Locator("#submit-button").Click())

			uri := x.Must(url.Parse(page.URL()))
			values := x.Must(url.ParseQuery(uri.Fragment))
			code := values.Get("code")

			ctx := t.Context()
			ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
			credentials := x.Must(conf.Exchange(ctx, code))
			assert.NotEmpty(t, credentials.AccessToken)
			assert.Equal(t, "Bearer", credentials.TokenType)
			assert.NotEmpty(t, credentials.RefreshToken)

			t.Run("token is usable against REST API", func(t *testing.T) {
				client := conf.Client(ctx, credentials)
				response := x.Must(client.Get("http://api.example.com:8080/projects.json"))
				assert.Equal(t, http.StatusOK, response.StatusCode)
				projects := x.Must(serde.FromJSON[[]map[string]string](response.Body))
				assert.NotNil(t, projects)

				io := bytes.NewBuffer(nil)
				assert.NoError(t, serde.ToJSON(io, map[string]string{"name": "foo"}))
				response = x.Must(client.Post("http://api.example.com:8080/projects", "application/json", io))
				assert.Equal(t, http.StatusCreated, response.StatusCode)
				project := x.Must(serde.FromJSON[map[string]string](response.Body))
				assert.Equal(t, "foo", project["name"])
			})
		})
	})
}