cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

pkg/client: Add integration tests for request aware cookie handling.

Browse source 
Adds a new type `cookieSpec` which is accepted as an argument to
`RunAuthorizationCodeFlow`. `TestRelyingPartySession` now runs with
`wrapServer` true/false and with two cookie handlers, one static and one
request aware.

The request aware handler extracts encryption keys from a secret using a
salt from a "login_id" cookie.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
This commit is contained in:
Mark Laing 2025-06-06 09:45:46 +01:00
parent 4c7a5c5700
commit 6e7ee79a68
No known key found for this signature in database
GPG key ID: D9277AD9F18400E0
1 changed files with 71 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

82
pkg/client/integration_test.go
View file

@ -3,6 +3,9 @@ package client_test
import ( import (
"bytes" "bytes"
"context" "context"
"crypto/hkdf"
cryptoRand "crypto/rand"
"crypto/sha256"
"fmt" "fmt"
"io" "io"
"log/slog" "log/slog"
@ -18,6 +21,8 @@ import (
"testing" "testing"
"time" "time"
"github.com/google/uuid"
"github.com/gorilla/securecookie"
"github.com/jeremija/gosubmit" "github.com/jeremija/gosubmit"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -42,6 +47,15 @@ var Logger = slog.New(
var CTX context.Context var CTX context.Context
type cookieSpec struct {
cookieHandler *httphelper.CookieHandler
extraCookies []*http.Cookie
}
var defaultCookieSpec = cookieSpec{
cookieHandler: httphelper.NewCookieHandler([]byte("test1234test1234"), []byte("test1234test1234"), httphelper.WithUnsecure()),
}
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
os.Exit(func() int { os.Exit(func() int {
ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGINT) ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGINT)
@ -53,14 +67,57 @@ func TestMain(m *testing.M) {
} }
func TestRelyingPartySession(t *testing.T) { func TestRelyingPartySession(t *testing.T) {
for _, wrapServer := range []bool{false, true} { secret := make([]byte, 512)
t.Run(fmt.Sprint("wrapServer ", wrapServer), func(t *testing.T) { _, _ = cryptoRand.Read(secret)
testRelyingPartySession(t, wrapServer) hashFunc := sha256.New
}) requestAwareCookieHandler := httphelper.NewRequestAwareCookieHandler(func(r *http.Request) (*securecookie.SecureCookie, error) {
loginIDCookie, err := r.Cookie("login_id")
require.NoError(t, err)
loginID, err := uuid.Parse(loginIDCookie.Value)
require.NoError(t, err)
prk, err := hkdf.Extract(hashFunc, secret, loginID[:])
require.NoError(t, err)
hash, err := hkdf.Expand(hashFunc, prk, "INTEGRITY", 64)
require.NoError(t, err)
block, err := hkdf.Expand(hashFunc, prk, "ENCRYPTION", 32)
require.NoError(t, err)
return securecookie.New(hash, block), nil
}, httphelper.WithUnsecure())
loginID := uuid.New()
loginIDCookie := &http.Cookie{
Name: "login_id",
Value: loginID.String(),
Secure: false,
SameSite: http.SameSiteLaxMode,
Path: "/",
}
cookieCases := []cookieSpec{
defaultCookieSpec,
{
cookieHandler: requestAwareCookieHandler,
extraCookies: []*http.Cookie{
loginIDCookie,
},
},
}
for _, cookieCase := range cookieCases {
for _, wrapServer := range []bool{false, true} {
t.Run(fmt.Sprint("wrapServer ", wrapServer, " requestAwareCookieHandler ", cookieCase.cookieHandler.IsRequestAware()), func(t *testing.T) {
testRelyingPartySession(t, wrapServer, cookieCase)
})
}
} }
} }
func testRelyingPartySession(t *testing.T, wrapServer bool) { func testRelyingPartySession(t *testing.T, wrapServer bool, cookieSpec cookieSpec) {
t.Log("------- start example OP ------") t.Log("------- start example OP ------")
targetURL := "http://local-site" targetURL := "http://local-site"
exampleStorage := storage.NewStorage(storage.NewUserStore(targetURL)) exampleStorage := storage.NewStorage(storage.NewUserStore(targetURL))
@ -74,7 +131,7 @@ func testRelyingPartySession(t *testing.T, wrapServer bool) {
clientID := t.Name() + "-" + strconv.FormatInt(seed.Int63(), 25) clientID := t.Name() + "-" + strconv.FormatInt(seed.Int63(), 25)
t.Log("------- run authorization code flow ------") t.Log("------- run authorization code flow ------")
provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, "secret") provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, "secret", cookieSpec)
t.Log("------- refresh tokens ------") t.Log("------- refresh tokens ------")
@ -220,7 +277,7 @@ func testResourceServerTokenExchange(t *testing.T, wrapServer bool) {
clientSecret := "secret" clientSecret := "secret"
t.Log("------- run authorization code flow ------") t.Log("------- run authorization code flow ------")
provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, clientSecret) provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, clientSecret, defaultCookieSpec)
resourceServer, err := rs.NewResourceServerClientCredentials(CTX, opServer.URL, clientID, clientSecret) resourceServer, err := rs.NewResourceServerClientCredentials(CTX, opServer.URL, clientID, clientSecret)
require.NoError(t, err, "new resource server") require.NoError(t, err, "new resource server")
@ -275,7 +332,7 @@ func testResourceServerTokenExchange(t *testing.T, wrapServer bool) {
require.Nil(t, tokenExchangeResponse, "token exchange response") require.Nil(t, tokenExchangeResponse, "token exchange response")
} }
func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID, clientSecret string) (provider rp.RelyingParty, tokens *oidc.Tokens[*oidc.IDTokenClaims]) { func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID, clientSecret string, cookieSpec cookieSpec) (provider rp.RelyingParty, tokens *oidc.Tokens[*oidc.IDTokenClaims]) {
targetURL := "http://local-site" targetURL := "http://local-site"
localURL, err := url.Parse(targetURL + "/login?requestID=1234") localURL, err := url.Parse(targetURL + "/login?requestID=1234")
require.NoError(t, err, "local url") require.NoError(t, err, "local url")
@ -294,8 +351,6 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID,
} }
t.Log("------- create RP ------") t.Log("------- create RP ------")
key := []byte("test1234test1234")
cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())
provider, err = rp.NewRelyingPartyOIDC( provider, err = rp.NewRelyingPartyOIDC(
CTX, CTX,
opServer.URL, opServer.URL,
@ -303,7 +358,7 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID,
clientSecret, clientSecret,
targetURL, targetURL,
[]string{"openid", "email", "profile", "offline_access"}, []string{"openid", "email", "profile", "offline_access"},
rp.WithPKCE(cookieHandler), rp.WithPKCE(cookieSpec.cookieHandler),
rp.WithAuthStyle(oauth2.AuthStyleInHeader), rp.WithAuthStyle(oauth2.AuthStyleInHeader),
rp.WithVerifierOpts( rp.WithVerifierOpts(
rp.WithIssuedAtOffset(5*time.Second), rp.WithIssuedAtOffset(5*time.Second),
@ -317,6 +372,11 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID,
state := "state-" + strconv.FormatInt(seed.Int63(), 25) state := "state-" + strconv.FormatInt(seed.Int63(), 25)
capturedW := httptest.NewRecorder() capturedW := httptest.NewRecorder()
get := httptest.NewRequest("GET", localURL.String(), nil) get := httptest.NewRequest("GET", localURL.String(), nil)
for _, cookie := range cookieSpec.extraCookies {
get.AddCookie(cookie)
http.SetCookie(capturedW, cookie)
}
rp.AuthURLHandler(func() string { return state }, provider, rp.AuthURLHandler(func() string { return state }, provider,
rp.WithPromptURLParam("Hello, World!", "Goodbye, World!"), rp.WithPromptURLParam("Hello, World!", "Goodbye, World!"),
rp.WithURLParam("custom", "param"), rp.WithURLParam("custom", "param"),