dex/server/auth_middleware_test.go

package server

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"testing"
	"time"

	"github.com/coreos/dex/client"
	clientmanager "github.com/coreos/dex/client/manager"
	"github.com/coreos/dex/db"
	"github.com/coreos/go-oidc/jose"
	"github.com/coreos/go-oidc/key"
	"github.com/coreos/go-oidc/oidc"
)

type staticHandler struct{}

func (h staticHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
}

func TestClientToken(t *testing.T) {
	now := time.Now()
	tomorrow := now.Add(24 * time.Hour)
	clientMetadata := oidc.ClientMetadata{
		RedirectURIs: []url.URL{
			{Scheme: "https", Host: "authn.example.com", Path: "/callback"},
		},
	}

	dbm := db.NewMemDB()
	clientRepo := db.NewClientRepo(dbm)
	clientManager := clientmanager.NewClientManager(clientRepo, db.TransactionFactory(dbm), clientmanager.ManagerOptions{})
	cli := client.Client{
		Metadata: clientMetadata,
	}
	creds, err := clientManager.New(cli)
	if err != nil {
		t.Fatalf("Failed to create client: %v", err)
	}
	validClientID := creds.ID

	privKey, err := key.GeneratePrivateKey()
	if err != nil {
		t.Fatalf("Failed to generate private key, error=%v", err)
	}
	signer := privKey.Signer()
	pubKey := *key.NewPublicKey(privKey.JWK())

	validIss := "https://example.com"

	makeToken := func(iss, sub, aud string, iat, exp time.Time) string {
		claims := oidc.NewClaims(iss, sub, aud, iat, exp)
		jwt, err := jose.NewSignedJWT(claims, signer)
		if err != nil {
			t.Fatalf("Failed to generate JWT, error=%v", err)
		}
		return jwt.Encode()
	}

	validJWT := makeToken(validIss, validClientID, validClientID, now, tomorrow)
	invalidJWT := makeToken("", "", "", now, tomorrow)

	tests := []struct {
		keys     []key.PublicKey
		manager  *clientmanager.ClientManager
		header   string
		wantCode int
	}{
		// valid token
		{
			keys:     []key.PublicKey{pubKey},
			manager:  clientManager,
			header:   fmt.Sprintf("BEARER %s", validJWT),
			wantCode: http.StatusOK,
		},
		// invalid token
		{
			keys:     []key.PublicKey{pubKey},
			manager:  clientManager,
			header:   fmt.Sprintf("BEARER %s", invalidJWT),
			wantCode: http.StatusUnauthorized,
		},
		// empty header
		{
			keys:     []key.PublicKey{pubKey},
			manager:  clientManager,
			header:   "",
			wantCode: http.StatusUnauthorized,
		},
		// unparsable token
		{
			keys:     []key.PublicKey{pubKey},
			manager:  clientManager,
			header:   "BEARER xxx",
			wantCode: http.StatusUnauthorized,
		},
		// no verification keys
		{
			keys:     []key.PublicKey{},
			manager:  clientManager,
			header:   fmt.Sprintf("BEARER %s", validJWT),
			wantCode: http.StatusUnauthorized,
		},
		// nil repo
		{
			keys:     []key.PublicKey{pubKey},
			manager:  nil,
			header:   fmt.Sprintf("BEARER %s", validJWT),
			wantCode: http.StatusUnauthorized,
		},
		// empty repo
		{
			keys:     []key.PublicKey{pubKey},
			manager:  clientmanager.NewClientManager(db.NewClientRepo(db.NewMemDB()), db.TransactionFactory(db.NewMemDB()), clientmanager.ManagerOptions{}),
			header:   fmt.Sprintf("BEARER %s", validJWT),
			wantCode: http.StatusUnauthorized,
		},
		// client not in repo
		{
			keys:     []key.PublicKey{pubKey},
			manager:  clientManager,
			header:   fmt.Sprintf("BEARER %s", makeToken(validIss, "DOESNT-EXIST", "DOESNT-EXIST", now, tomorrow)),
			wantCode: http.StatusUnauthorized,
		},
	}

	for i, tt := range tests {
		w := httptest.NewRecorder()
		mw := &clientTokenMiddleware{
			issuerURL: validIss,
			ciManager: tt.manager,
			keysFunc: func() ([]key.PublicKey, error) {
				return tt.keys, nil
			},
			next: staticHandler{},
		}
		req := &http.Request{
			Header: http.Header{
				"Authorization": []string{tt.header},
			},
		}

		mw.ServeHTTP(w, req)
		if tt.wantCode != w.Code {
			t.Errorf("case %d: invalid response code, want=%d, got=%d", i, tt.wantCode, w.Code)
		}
	}
}

func TestGetClientIDFromAuthorizedRequest(t *testing.T) {
	now := time.Now()
	tomorrow := now.Add(24 * time.Hour)

	privKey, err := key.GeneratePrivateKey()
	if err != nil {
		t.Fatalf("Failed to generate private key, error=%v", err)
	}

	signer := privKey.Signer()

	makeToken := func(iss, sub, aud string, iat, exp time.Time) string {
		claims := oidc.NewClaims(iss, sub, aud, iat, exp)
		jwt, err := jose.NewSignedJWT(claims, signer)
		if err != nil {
			t.Fatalf("Failed to generate JWT, error=%v", err)
		}
		return jwt.Encode()
	}

	tests := []struct {
		header     string
		wantClient string
		wantErr    bool
	}{
		{
			header:     fmt.Sprintf("BEARER %s", makeToken("iss", "CLIENT_ID", "", now, tomorrow)),
			wantClient: "CLIENT_ID",
			wantErr:    false,
		},
		{
			header:  fmt.Sprintf("BEARER %s", makeToken("iss", "", "", now, tomorrow)),
			wantErr: true,
		},
	}

	for i, tt := range tests {
		req := &http.Request{
			Header: http.Header{
				"Authorization": []string{tt.header},
			},
		}
		gotClient, err := getClientIDFromAuthorizedRequest(req)
		if tt.wantErr {
			if err == nil {
				t.Errorf("case %d: want non-nil err", i)
			}
			continue
		}

		if err != nil {
			t.Errorf("case %d: got err: %q", i, err)
			continue
		}

		if gotClient != tt.wantClient {
			t.Errorf("case %d: want=%v, got=%v", i, tt.wantClient, gotClient)
		}
	}
}
*: move original project to dex 2015-08-18 05:57:27 +05:30			`package server`

			`import (`
			`"fmt"`
			`"net/http"`
			`"net/http/httptest"`
*: remove in memory client repo The DB implementation expects secrets to be base64 encoded blobs. Because of this a bunch of tests broke moving to sqlite. A lot of this commit is fixing those tests. 2016-02-10 04:36:07 +05:30			`"net/url"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"testing"`
			`"time"`

client manager: accept full client when creating 2016-05-20 05:40:42 +05:30			`"github.com/coreos/dex/client"`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`clientmanager "github.com/coreos/dex/client/manager"`
*: remove in memory client repo The DB implementation expects secrets to be base64 encoded blobs. Because of this a bunch of tests broke moving to sqlite. A lot of this commit is fixing those tests. 2016-02-10 04:36:07 +05:30			`"github.com/coreos/dex/db"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"github.com/coreos/go-oidc/jose"`
			`"github.com/coreos/go-oidc/key"`
			`"github.com/coreos/go-oidc/oidc"`
			`)`

			`type staticHandler struct{}`

			`func (h staticHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
			`w.WriteHeader(http.StatusOK)`
			`}`

			`func TestClientToken(t *testing.T) {`
			`now := time.Now()`
			`tomorrow := now.Add(24 * time.Hour)`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`clientMetadata := oidc.ClientMetadata{`
			`RedirectURIs: []url.URL{`
			`{Scheme: "https", Host: "authn.example.com", Path: "/callback"},`
*: remove in memory client repo The DB implementation expects secrets to be base64 encoded blobs. Because of this a bunch of tests broke moving to sqlite. A lot of this commit is fixing those tests. 2016-02-10 04:36:07 +05:30			`},`
			`}`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30
			`dbm := db.NewMemDB()`
			`clientRepo := db.NewClientRepo(dbm)`
			`clientManager := clientmanager.NewClientManager(clientRepo, db.TransactionFactory(dbm), clientmanager.ManagerOptions{})`
client manager: accept full client when creating 2016-05-20 05:40:42 +05:30			`cli := client.Client{`
			`Metadata: clientMetadata,`
			`}`
			`creds, err := clientManager.New(cli)`
*: remove in memory client repo The DB implementation expects secrets to be base64 encoded blobs. Because of this a bunch of tests broke moving to sqlite. A lot of this commit is fixing those tests. 2016-02-10 04:36:07 +05:30			`if err != nil {`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`t.Fatalf("Failed to create client: %v", err)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`validClientID := creds.ID`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`privKey, err := key.GeneratePrivateKey()`
			`if err != nil {`
			`t.Fatalf("Failed to generate private key, error=%v", err)`
			`}`
			`signer := privKey.Signer()`
			`pubKey := *key.NewPublicKey(privKey.JWK())`

			`validIss := "https://example.com"`

			`makeToken := func(iss, sub, aud string, iat, exp time.Time) string {`
			`claims := oidc.NewClaims(iss, sub, aud, iat, exp)`
			`jwt, err := jose.NewSignedJWT(claims, signer)`
			`if err != nil {`
			`t.Fatalf("Failed to generate JWT, error=%v", err)`
			`}`
			`return jwt.Encode()`
			`}`

			`validJWT := makeToken(validIss, validClientID, validClientID, now, tomorrow)`
			`invalidJWT := makeToken("", "", "", now, tomorrow)`

			`tests := []struct {`
			`keys []key.PublicKey`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager *clientmanager.ClientManager`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header string`
			`wantCode int`
			`}{`
			`// valid token`
			`{`
			`keys: []key.PublicKey{pubKey},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: clientManager,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: fmt.Sprintf("BEARER %s", validJWT),`
			`wantCode: http.StatusOK,`
			`},`
			`// invalid token`
			`{`
			`keys: []key.PublicKey{pubKey},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: clientManager,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: fmt.Sprintf("BEARER %s", invalidJWT),`
			`wantCode: http.StatusUnauthorized,`
			`},`
			`// empty header`
			`{`
			`keys: []key.PublicKey{pubKey},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: clientManager,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: "",`
			`wantCode: http.StatusUnauthorized,`
			`},`
			`// unparsable token`
			`{`
			`keys: []key.PublicKey{pubKey},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: clientManager,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: "BEARER xxx",`
			`wantCode: http.StatusUnauthorized,`
			`},`
			`// no verification keys`
			`{`
			`keys: []key.PublicKey{},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: clientManager,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: fmt.Sprintf("BEARER %s", validJWT),`
			`wantCode: http.StatusUnauthorized,`
			`},`
			`// nil repo`
			`{`
			`keys: []key.PublicKey{pubKey},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: nil,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: fmt.Sprintf("BEARER %s", validJWT),`
			`wantCode: http.StatusUnauthorized,`
			`},`
			`// empty repo`
			`{`
			`keys: []key.PublicKey{pubKey},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: clientmanager.NewClientManager(db.NewClientRepo(db.NewMemDB()), db.TransactionFactory(db.NewMemDB()), clientmanager.ManagerOptions{}),`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: fmt.Sprintf("BEARER %s", validJWT),`
			`wantCode: http.StatusUnauthorized,`
			`},`
			`// client not in repo`
			`{`
			`keys: []key.PublicKey{pubKey},`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`manager: clientManager,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`header: fmt.Sprintf("BEARER %s", makeToken(validIss, "DOESNT-EXIST", "DOESNT-EXIST", now, tomorrow)),`
			`wantCode: http.StatusUnauthorized,`
			`},`
			`}`

			`for i, tt := range tests {`
			`w := httptest.NewRecorder()`
			`mw := &clientTokenMiddleware{`
			`issuerURL: validIss,`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`ciManager: tt.manager,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`keysFunc: func() ([]key.PublicKey, error) {`
			`return tt.keys, nil`
			`},`
			`next: staticHandler{},`
			`}`
			`req := &http.Request{`
			`Header: http.Header{`
			`"Authorization": []string{tt.header},`
			`},`
			`}`

			`mw.ServeHTTP(w, req)`
			`if tt.wantCode != w.Code {`
			`t.Errorf("case %d: invalid response code, want=%d, got=%d", i, tt.wantCode, w.Code)`
			`}`
			`}`
			`}`

			`func TestGetClientIDFromAuthorizedRequest(t *testing.T) {`
			`now := time.Now()`
			`tomorrow := now.Add(24 * time.Hour)`

			`privKey, err := key.GeneratePrivateKey()`
			`if err != nil {`
			`t.Fatalf("Failed to generate private key, error=%v", err)`
			`}`

			`signer := privKey.Signer()`

			`makeToken := func(iss, sub, aud string, iat, exp time.Time) string {`
			`claims := oidc.NewClaims(iss, sub, aud, iat, exp)`
			`jwt, err := jose.NewSignedJWT(claims, signer)`
			`if err != nil {`
			`t.Fatalf("Failed to generate JWT, error=%v", err)`
			`}`
			`return jwt.Encode()`
			`}`

			`tests := []struct {`
			`header string`
			`wantClient string`
			`wantErr bool`
			`}{`
			`{`
			`header: fmt.Sprintf("BEARER %s", makeToken("iss", "CLIENT_ID", "", now, tomorrow)),`
			`wantClient: "CLIENT_ID",`
			`wantErr: false,`
			`},`
			`{`
			`header: fmt.Sprintf("BEARER %s", makeToken("iss", "", "", now, tomorrow)),`
			`wantErr: true,`
			`},`
			`}`

			`for i, tt := range tests {`
			`req := &http.Request{`
			`Header: http.Header{`
			`"Authorization": []string{tt.header},`
			`},`
			`}`
			`gotClient, err := getClientIDFromAuthorizedRequest(req)`
			`if tt.wantErr {`
			`if err == nil {`
			`t.Errorf("case %d: want non-nil err", i)`
			`}`
			`continue`
			`}`

			`if err != nil {`
			`t.Errorf("case %d: got err: %q", i, err)`
			`continue`
			`}`

			`if gotClient != tt.wantClient {`
			`t.Errorf("case %d: want=%v, got=%v", i, tt.wantClient, gotClient)`
			`}`
			`}`
			`}`