fix: handle single aud string claim, extract en/decoder interface, comments (#51)

* en/decoding abstraction * some comments * fix token validation and error messages * fix: audience mapping (single aud string) * fix tests with VerifyIdToken * reformat imports * go mod tidy * Update pkg/oidc/authorization.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update pkg/oidc/authorization.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update pkg/op/authrequest_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix capitalization Co-authored-by: Silvan <silvan.reusser@gmail.com>
2020-09-07 12:32:35 +02:00 · 2020-09-07 12:32:35 +02:00 · abd3b6f521
commit abd3b6f521
parent 822ffb581f
24 changed files with 381 additions and 139 deletions
--- a/pkg/op/authrequest_test.go
+++ b/pkg/op/authrequest_test.go
@ -3,66 +3,140 @@ package op_test
 import (
 	"net/http"
 	"net/http/httptest"
-	"strings"
+	"net/url"
+	"reflect"
 	"testing"

+	"github.com/gorilla/schema"
 	"github.com/stretchr/testify/require"

 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/op"
 	"github.com/caos/oidc/pkg/op/mock"
 	"github.com/caos/oidc/pkg/rp"
+	"github.com/caos/oidc/pkg/utils"
 )

-func TestAuthorize(t *testing.T) {
-	// testCallback := func(t *testing.T, clienID string) callbackHandler {
-	// 	return func(authReq *oidc.AuthRequest, client oidc.Client, w http.ResponseWriter, r *http.Request) {
-	// 		// require.Equal(t, clientID, client.)
-	// 	}
-	// }
-	// testErr := func(t *testing.T, expected error) errorHandler {
-	// 	return func(w http.ResponseWriter, r *http.Request, authReq *oidc.AuthRequest, err error) {
-	// 		require.Equal(t, expected, err)
-	// 	}
-	// }
+//
+//TOOD: tests will be implemented in branch for service accounts
+//func TestAuthorize(t *testing.T) {
+//	// testCallback := func(t *testing.T, clienID string) callbackHandler {
+//	// 	return func(authReq *oidc.AuthRequest, client oidc.Client, w http.ResponseWriter, r *http.Request) {
+//	// 		// require.Equal(t, clientID, client.)
+//	// 	}
+//	// }
+//	// testErr := func(t *testing.T, expected error) errorHandler {
+//	// 	return func(w http.ResponseWriter, r *http.Request, authReq *oidc.AuthRequest, err error) {
+//	// 		require.Equal(t, expected, err)
+//	// 	}
+//	// }
+//	type args struct {
+//		w          http.ResponseWriter
+//		r          *http.Request
+//		authorizer op.Authorizer
+//	}
+//	tests := []struct {
+//		name string
+//		args args
+//	}{
+//		{
+//			"parsing fails",
+//			args{
+//				httptest.NewRecorder(),
+//				&http.Request{Method: "POST", Body: nil},
+//				mock.NewAuthorizerExpectValid(t, true),
+//				// testCallback(t, ""),
+//				// testErr(t, ErrInvalidRequest("cannot parse form")),
+//			},
+//		},
+//		{
+//			"decoding fails",
+//			args{
+//				httptest.NewRecorder(),
+//				func() *http.Request {
+//					r := httptest.NewRequest("POST", "/authorize", strings.NewReader("client_id=foo"))
+//					r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+//					return r
+//				}(),
+//				mock.NewAuthorizerExpectValid(t, true),
+//				// testCallback(t, ""),
+//				// testErr(t, ErrInvalidRequest("cannot parse auth request")),
+//			},
+//		},
+//		// {"decoding fails", args{httptest.NewRecorder(), &http.Request{}, mock.NewAuthorizerExpectValid(t), nil, testErr(t, nil)}},
+//	}
+//	for _, tt := range tests {
+//		t.Run(tt.name, func(t *testing.T) {
+//			op.Authorize(tt.args.w, tt.args.r, tt.args.authorizer)
+//		})
+//	}
+//}
+
+func TestParseAuthorizeRequest(t *testing.T) {
 	type args struct {
-		w          http.ResponseWriter
-		r          *http.Request
-		authorizer op.Authorizer
+		r       *http.Request
+		decoder utils.Decoder
+	}
+	type res struct {
+		want *oidc.AuthRequest
+		err  bool
 	}
 	tests := []struct {
 		name string
 		args args
+		res  res
 	}{
 		{
-			"parsing fails",
+			"parsing form error",
 			args{
-				httptest.NewRecorder(),
-				&http.Request{Method: "POST", Body: nil},
-				mock.NewAuthorizerExpectValid(t, true),
-				// testCallback(t, ""),
-				// testErr(t, ErrInvalidRequest("cannot parse form")),
+				&http.Request{URL: &url.URL{RawQuery: "invalid=%%param"}},
+				schema.NewDecoder(),
+			},
+			res{
+				nil,
+				true,
 			},
 		},
 		{
-			"decoding fails",
+			"decoding error",
 			args{
-				httptest.NewRecorder(),
-				func() *http.Request {
-					r := httptest.NewRequest("POST", "/authorize", strings.NewReader("client_id=foo"))
-					r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-					return r
+				&http.Request{URL: &url.URL{RawQuery: "unknown=value"}},
+				func() utils.Decoder {
+					decoder := schema.NewDecoder()
+					decoder.IgnoreUnknownKeys(false)
+					return decoder
 				}(),
-				mock.NewAuthorizerExpectValid(t, true),
-				// testCallback(t, ""),
-				// testErr(t, ErrInvalidRequest("cannot parse auth request")),
+			},
+			res{
+				nil,
+				true,
+			},
+		},
+		{
+			"parsing ok",
+			args{
+				&http.Request{URL: &url.URL{RawQuery: "scope=openid"}},
+				func() utils.Decoder {
+					decoder := schema.NewDecoder()
+					decoder.IgnoreUnknownKeys(false)
+					return decoder
+				}(),
+			},
+			res{
+				&oidc.AuthRequest{Scopes: oidc.Scopes{"openid"}},
+				false,
 			},
 		},
-		// {"decoding fails", args{httptest.NewRecorder(), &http.Request{}, mock.NewAuthorizerExpectValid(t), nil, testErr(t, nil)}},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			op.Authorize(tt.args.w, tt.args.r, tt.args.authorizer)
+			got, err := op.ParseAuthorizeRequest(tt.args.r, tt.args.decoder)
+			if (err != nil) != tt.res.err {
+				t.Errorf("ParseAuthorizeRequest() error = %v, wantErr %v", err, tt.res.err)
+			}
+			if !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("ParseAuthorizeRequest() got = %v, want %v", got, tt.res.want)
+			}
 		})
 	}
 }