parent
fa8f98acac
commit
9b8ab3bdc6
7 changed files with 347 additions and 83 deletions
|
@ -51,6 +51,9 @@ func main() {
|
|||
|
||||
enableClientRegistration := fs.Bool("enable-client-registration", false, "Allow dynamic registration of clients")
|
||||
|
||||
// Client credentials administration
|
||||
apiUseClientCredentials := fs.Bool("api-use-client-credentials", false, "Forces API to authenticate using client credentials instead of ID token. Clients must be 'admin clients' to use the API.")
|
||||
|
||||
noDB := fs.Bool("no-db", false, "manage entities in-process w/o any encryption, used only for single-node testing")
|
||||
|
||||
// UI-related:
|
||||
|
@ -146,6 +149,7 @@ func main() {
|
|||
IssuerLogoURL: *issuerLogoURL,
|
||||
EnableRegistration: *enableRegistration,
|
||||
EnableClientRegistration: *enableClientRegistration,
|
||||
EnableClientCredentialAccess: *apiUseClientCredentials,
|
||||
RegisterOnFirstLogin: *registerOnFirstLogin,
|
||||
}
|
||||
|
||||
|
|
|
@ -84,6 +84,12 @@ var (
|
|||
userGoodToken = makeUserToken(testIssuerURL,
|
||||
"ID-1", testClientID, time.Hour*1, testPrivKey)
|
||||
|
||||
clientToken = makeClientToken(testIssuerURL,
|
||||
testClientID, time.Hour*1, testPrivKey)
|
||||
|
||||
badClientToken = makeClientToken(testIssuerURL,
|
||||
userBadClientID, time.Hour*1, testPrivKey)
|
||||
|
||||
userBadTokenNotAdmin = makeUserToken(testIssuerURL,
|
||||
"ID-2", testClientID, time.Hour*1, testPrivKey)
|
||||
|
||||
|
@ -97,7 +103,7 @@ var (
|
|||
"ID-4", testClientID, time.Hour*1, testPrivKey)
|
||||
)
|
||||
|
||||
func makeUserAPITestFixtures() *userAPITestFixtures {
|
||||
func makeUserAPITestFixtures(clientCredsFlag bool) *userAPITestFixtures {
|
||||
f := &userAPITestFixtures{}
|
||||
|
||||
dbMap, _, _, um := makeUserObjects(userUsers, userPasswords)
|
||||
|
@ -157,8 +163,8 @@ func makeUserAPITestFixtures() *userAPITestFixtures {
|
|||
f.emailer = &testEmailer{}
|
||||
um.Clock = clock
|
||||
|
||||
api := api.NewUsersAPI(um, clientManager, refreshRepo, f.emailer, "local")
|
||||
usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, clientManager)
|
||||
api := api.NewUsersAPI(um, clientManager, refreshRepo, f.emailer, "local", clientCredsFlag)
|
||||
usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, clientManager, clientCredsFlag)
|
||||
f.hSrv = httptest.NewServer(usrSrv.HTTPHandler())
|
||||
|
||||
f.trans = &tokenHandlerTransport{
|
||||
|
@ -180,48 +186,89 @@ func TestGetUser(t *testing.T) {
|
|||
token string
|
||||
|
||||
errCode int
|
||||
|
||||
clientCredsFlag bool
|
||||
}{
|
||||
{
|
||||
id: "ID-1",
|
||||
|
||||
token: userGoodToken,
|
||||
errCode: 0,
|
||||
}, {
|
||||
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
id: "ID-1",
|
||||
|
||||
token: clientToken,
|
||||
errCode: 0,
|
||||
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
id: "ID-1",
|
||||
|
||||
token: badClientToken,
|
||||
errCode: http.StatusForbidden,
|
||||
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
id: "ID-1",
|
||||
|
||||
token: clientToken,
|
||||
errCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
id: "NOONE",
|
||||
|
||||
token: userGoodToken,
|
||||
errCode: http.StatusNotFound,
|
||||
|
||||
clientCredsFlag: false,
|
||||
}, {
|
||||
id: "ID-1",
|
||||
|
||||
token: userBadTokenNotAdmin,
|
||||
errCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
}, {
|
||||
id: "ID-1",
|
||||
|
||||
token: userBadTokenExpired,
|
||||
errCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
}, {
|
||||
id: "ID-1",
|
||||
|
||||
token: userBadTokenDisabled,
|
||||
errCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
}, {
|
||||
id: "ID-1",
|
||||
|
||||
token: "",
|
||||
errCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
}, {
|
||||
id: "ID-1",
|
||||
|
||||
token: "gibberish",
|
||||
errCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
func() {
|
||||
f := makeUserAPITestFixtures()
|
||||
f := makeUserAPITestFixtures(tt.clientCredsFlag)
|
||||
f.trans.Token = tt.token
|
||||
|
||||
defer f.close()
|
||||
|
@ -318,7 +365,7 @@ func TestListUsers(t *testing.T) {
|
|||
|
||||
for i, tt := range tests {
|
||||
func() {
|
||||
f := makeUserAPITestFixtures()
|
||||
f := makeUserAPITestFixtures(false)
|
||||
defer f.close()
|
||||
f.trans.Token = tt.token
|
||||
|
||||
|
@ -382,6 +429,8 @@ func TestCreateUser(t *testing.T) {
|
|||
|
||||
wantResponse schema.UserCreateResponse
|
||||
wantCode int
|
||||
|
||||
clientCredsFlag bool
|
||||
}{
|
||||
{
|
||||
|
||||
|
@ -409,6 +458,53 @@ func TestCreateUser(t *testing.T) {
|
|||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
|
||||
req: schema.UserCreateRequest{
|
||||
User: &schema.User{
|
||||
Email: "newuser@example.com",
|
||||
DisplayName: "New User",
|
||||
EmailVerified: true,
|
||||
Admin: false,
|
||||
CreatedAt: clock.Now().Format(time.RFC3339),
|
||||
},
|
||||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
token: clientToken,
|
||||
|
||||
wantResponse: schema.UserCreateResponse{
|
||||
EmailSent: true,
|
||||
User: &schema.User{
|
||||
Email: "newuser@example.com",
|
||||
DisplayName: "New User",
|
||||
EmailVerified: true,
|
||||
Admin: false,
|
||||
CreatedAt: clock.Now().Format(time.RFC3339),
|
||||
},
|
||||
},
|
||||
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
|
||||
req: schema.UserCreateRequest{
|
||||
User: &schema.User{
|
||||
Email: "newuser@example.com",
|
||||
DisplayName: "New User",
|
||||
EmailVerified: true,
|
||||
Admin: false,
|
||||
CreatedAt: clock.Now().Format(time.RFC3339),
|
||||
},
|
||||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
token: badClientToken,
|
||||
|
||||
wantCode: http.StatusForbidden,
|
||||
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
|
||||
// Duplicate email
|
||||
|
@ -488,6 +584,28 @@ func TestCreateUser(t *testing.T) {
|
|||
|
||||
wantCode: http.StatusUnauthorized,
|
||||
},
|
||||
{
|
||||
|
||||
req: schema.UserCreateRequest{
|
||||
User: &schema.User{
|
||||
Email: "newuser@example.com",
|
||||
DisplayName: "New User",
|
||||
EmailVerified: true,
|
||||
Admin: false,
|
||||
CreatedAt: clock.Now().Format(time.RFC3339),
|
||||
},
|
||||
|
||||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
// make sure that the endpoint is protected, but don't exhaustively
|
||||
// try every variation like in TestGetUser
|
||||
token: clientToken,
|
||||
|
||||
wantCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
req: schema.UserCreateRequest{
|
||||
User: &schema.User{
|
||||
|
@ -507,7 +625,7 @@ func TestCreateUser(t *testing.T) {
|
|||
}
|
||||
for i, tt := range tests {
|
||||
func() {
|
||||
f := makeUserAPITestFixtures()
|
||||
f := makeUserAPITestFixtures(tt.clientCredsFlag)
|
||||
defer f.close()
|
||||
f.trans.Token = tt.token
|
||||
f.emailer.cantEmail = tt.cantEmail
|
||||
|
@ -588,7 +706,7 @@ func TestDisableUser(t *testing.T) {
|
|||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
f := makeUserAPITestFixtures()
|
||||
f := makeUserAPITestFixtures(false)
|
||||
|
||||
usr, err := f.client.Users.Get(tt.id).Do()
|
||||
if err != nil {
|
||||
|
@ -625,7 +743,7 @@ func TestRefreshTokenEndpoints(t *testing.T) {
|
|||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
f := makeUserAPITestFixtures()
|
||||
f := makeUserAPITestFixtures(false)
|
||||
list, err := f.client.RefreshClient.List(tt.userID).Do()
|
||||
if err != nil {
|
||||
t.Errorf("case %d: list clients: %v", i, err)
|
||||
|
@ -666,6 +784,8 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
|
||||
wantResponse schema.ResendEmailInvitationResponse
|
||||
wantCode int
|
||||
|
||||
clientCredsFlag bool
|
||||
}{
|
||||
{
|
||||
|
||||
|
@ -687,6 +807,36 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
userID: "ID-3",
|
||||
email: "Email-3@example.com",
|
||||
token: clientToken,
|
||||
|
||||
wantResponse: schema.ResendEmailInvitationResponse{
|
||||
EmailSent: true,
|
||||
},
|
||||
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
|
||||
req: schema.ResendEmailInvitationRequest{
|
||||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
userID: "ID-3",
|
||||
email: "Email-3@example.com",
|
||||
token: badClientToken,
|
||||
|
||||
wantCode: http.StatusForbidden,
|
||||
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
|
||||
req: schema.ResendEmailInvitationRequest{
|
||||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
userID: "ID-3",
|
||||
email: "Email-3@example.com",
|
||||
cantEmail: true,
|
||||
|
@ -747,6 +897,19 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
userID: "ID-3",
|
||||
email: "Email-3@example.com",
|
||||
token: clientToken,
|
||||
|
||||
wantCode: http.StatusUnauthorized,
|
||||
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
req: schema.ResendEmailInvitationRequest{
|
||||
RedirectURL: testRedirectURL.String(),
|
||||
},
|
||||
|
||||
userID: "ID-3",
|
||||
email: "Email-3@example.com",
|
||||
token: userBadTokenExpired,
|
||||
|
@ -778,7 +941,7 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
}
|
||||
for i, tt := range tests {
|
||||
func() {
|
||||
f := makeUserAPITestFixtures()
|
||||
f := makeUserAPITestFixtures(tt.clientCredsFlag)
|
||||
defer f.close()
|
||||
f.trans.Token = tt.token
|
||||
f.emailer.cantEmail = tt.cantEmail
|
||||
|
@ -869,6 +1032,10 @@ func (t *testEmailer) SendInviteEmail(email string, redirectURL url.URL, clientI
|
|||
return retURL, nil
|
||||
}
|
||||
|
||||
func makeClientToken(issuerURL url.URL, clientID string, expires time.Duration, privKey *key.PrivateKey) string {
|
||||
return makeUserToken(issuerURL, clientID, clientID, expires, privKey)
|
||||
}
|
||||
|
||||
func makeUserToken(issuerURL url.URL, userID, clientID string, expires time.Duration, privKey *key.PrivateKey) string {
|
||||
|
||||
signer := key.NewPrivateKeySet([]*key.PrivateKey{testPrivKey},
|
||||
|
|
|
@ -39,6 +39,7 @@ type ServerConfig struct {
|
|||
StateConfig StateConfigurer
|
||||
EnableRegistration bool
|
||||
EnableClientRegistration bool
|
||||
EnableClientCredentialAccess bool
|
||||
RegisterOnFirstLogin bool
|
||||
}
|
||||
|
||||
|
@ -80,6 +81,7 @@ func (cfg *ServerConfig) Server() (*Server, error) {
|
|||
|
||||
EnableRegistration: cfg.EnableRegistration,
|
||||
EnableClientRegistration: cfg.EnableClientRegistration,
|
||||
EnableClientCredentialAccess: cfg.EnableClientCredentialAccess,
|
||||
RegisterOnFirstLogin: cfg.RegisterOnFirstLogin,
|
||||
}
|
||||
|
||||
|
|
|
@ -95,6 +95,7 @@ type Server struct {
|
|||
|
||||
EnableRegistration bool
|
||||
EnableClientRegistration bool
|
||||
EnableClientCredentialAccess bool
|
||||
RegisterOnFirstLogin bool
|
||||
|
||||
dbMap *gorp.DbMap
|
||||
|
@ -300,8 +301,8 @@ func (s *Server) HTTPHandler() http.Handler {
|
|||
apiBasePath := path.Join(httpPathAPI, APIVersion)
|
||||
registerDiscoveryResource(apiBasePath, mux)
|
||||
|
||||
usersAPI := usersapi.NewUsersAPI(s.UserManager, s.ClientManager, s.RefreshTokenRepo, s.UserEmailer, s.localConnectorID)
|
||||
handler := NewUserMgmtServer(usersAPI, s.JWTVerifierFactory(), s.UserManager, s.ClientManager).HTTPHandler()
|
||||
usersAPI := usersapi.NewUsersAPI(s.UserManager, s.ClientManager, s.RefreshTokenRepo, s.UserEmailer, s.localConnectorID, s.EnableClientCredentialAccess)
|
||||
handler := NewUserMgmtServer(usersAPI, s.JWTVerifierFactory(), s.UserManager, s.ClientManager, s.EnableClientCredentialAccess).HTTPHandler()
|
||||
|
||||
handleStripPrefix(apiBasePath+"/", handler)
|
||||
|
||||
|
|
|
@ -39,14 +39,16 @@ type UserMgmtServer struct {
|
|||
jwtvFactory JWTVerifierFactory
|
||||
um *usermanager.UserManager
|
||||
cm *clientmanager.ClientManager
|
||||
allowClientCredsAuth bool
|
||||
}
|
||||
|
||||
func NewUserMgmtServer(userMgmtAPI *api.UsersAPI, jwtvFactory JWTVerifierFactory, um *usermanager.UserManager, cm *clientmanager.ClientManager) *UserMgmtServer {
|
||||
func NewUserMgmtServer(userMgmtAPI *api.UsersAPI, jwtvFactory JWTVerifierFactory, um *usermanager.UserManager, cm *clientmanager.ClientManager, allowClientCredsAuth bool) *UserMgmtServer {
|
||||
return &UserMgmtServer{
|
||||
api: userMgmtAPI,
|
||||
jwtvFactory: jwtvFactory,
|
||||
um: um,
|
||||
cm: cm,
|
||||
allowClientCredsAuth: allowClientCredsAuth,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -92,7 +94,7 @@ func (s *UserMgmtServer) authAPIHandle(handle authedHandle, requiresAdmin bool)
|
|||
s.writeError(w, err)
|
||||
return
|
||||
}
|
||||
if creds.User.Disabled || (requiresAdmin && !creds.User.Admin) {
|
||||
if !s.allowClientCredsAuth && (creds.User.Disabled || (requiresAdmin && !creds.User.Admin)) {
|
||||
s.writeError(w, api.ErrorUnauthorized)
|
||||
return
|
||||
}
|
||||
|
@ -299,6 +301,20 @@ func (s *UserMgmtServer) getCreds(r *http.Request, requiresAdmin bool) (api.Cred
|
|||
return api.Creds{}, api.ErrorUnauthorized
|
||||
}
|
||||
|
||||
if s.allowClientCredsAuth && (len(clientIDs) == 1) && (sub == clientIDs[0]) {
|
||||
isAdmin, err := s.cm.IsDexAdmin(clientIDs[0])
|
||||
if err != nil {
|
||||
log.Errorf("userMgmtServer: GetCreds err: %q", err)
|
||||
return api.Creds{}, err
|
||||
}
|
||||
if requiresAdmin && !isAdmin {
|
||||
return api.Creds{}, api.ErrorForbidden
|
||||
}
|
||||
return api.Creds{
|
||||
ClientIDs: clientIDs,
|
||||
}, nil
|
||||
}
|
||||
|
||||
usr, err := s.um.Get(sub)
|
||||
if err != nil {
|
||||
if err == user.ErrorNotFound {
|
||||
|
|
|
@ -91,6 +91,7 @@ type UsersAPI struct {
|
|||
clientManager *clientmanager.ClientManager
|
||||
refreshRepo refresh.RefreshTokenRepo
|
||||
emailer Emailer
|
||||
allowClientCreds bool
|
||||
}
|
||||
|
||||
type Emailer interface {
|
||||
|
@ -104,19 +105,19 @@ type Creds struct {
|
|||
}
|
||||
|
||||
// TODO(ericchiang): Don't pass a dbMap. See #385.
|
||||
func NewUsersAPI(userManager *usermanager.UserManager, clientManager *clientmanager.ClientManager, refreshRepo refresh.RefreshTokenRepo, emailer Emailer, localConnectorID string) *UsersAPI {
|
||||
func NewUsersAPI(userManager *usermanager.UserManager, clientManager *clientmanager.ClientManager, refreshRepo refresh.RefreshTokenRepo, emailer Emailer, localConnectorID string, allowClientCreds bool) *UsersAPI {
|
||||
return &UsersAPI{
|
||||
userManager: userManager,
|
||||
refreshRepo: refreshRepo,
|
||||
clientManager: clientManager,
|
||||
localConnectorID: localConnectorID,
|
||||
emailer: emailer,
|
||||
allowClientCreds: allowClientCreds,
|
||||
}
|
||||
}
|
||||
|
||||
func (u *UsersAPI) GetUser(creds Creds, id string) (schema.User, error) {
|
||||
log.Infof("userAPI: GetUser")
|
||||
|
||||
if !u.Authorize(creds) {
|
||||
return schema.User{}, ErrorUnauthorized
|
||||
}
|
||||
|
@ -312,6 +313,11 @@ func (u *UsersAPI) RevokeRefreshTokensForClient(creds Creds, userID, clientID st
|
|||
}
|
||||
|
||||
func (u *UsersAPI) Authorize(creds Creds) bool {
|
||||
if u.allowClientCreds {
|
||||
if creds.User.ID == "" {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return creds.User.Admin && !creds.User.Disabled
|
||||
}
|
||||
|
||||
|
|
|
@ -63,6 +63,14 @@ var (
|
|||
ClientIDs: []string{goodClientID},
|
||||
}
|
||||
|
||||
clientCreds = Creds{
|
||||
User: user.User{
|
||||
ID: "",
|
||||
Admin: false,
|
||||
},
|
||||
ClientIDs: []string{goodClientID},
|
||||
}
|
||||
|
||||
badCreds = Creds{
|
||||
User: user.User{
|
||||
ID: "ID-2",
|
||||
|
@ -103,7 +111,7 @@ var (
|
|||
}
|
||||
)
|
||||
|
||||
func makeTestFixtures() (*UsersAPI, *testEmailer) {
|
||||
func makeTestFixtures(clientCredsFlag bool) (*UsersAPI, *testEmailer) {
|
||||
dbMap := db.NewMemDB()
|
||||
ur := func() user.UserRepo {
|
||||
repo, err := db.NewUserRepoFromUsers(dbMap, []user.UserWithRemoteIdentities{
|
||||
|
@ -223,7 +231,7 @@ func makeTestFixtures() (*UsersAPI, *testEmailer) {
|
|||
}
|
||||
|
||||
emailer := &testEmailer{}
|
||||
api := NewUsersAPI(mgr, clientManager, refreshRepo, emailer, "local")
|
||||
api := NewUsersAPI(mgr, clientManager, refreshRepo, emailer, "local", clientCredsFlag)
|
||||
return api, emailer
|
||||
|
||||
}
|
||||
|
@ -233,29 +241,39 @@ func TestGetUser(t *testing.T) {
|
|||
creds Creds
|
||||
id string
|
||||
wantErr error
|
||||
clientCredsFlag bool
|
||||
}{
|
||||
{
|
||||
creds: goodCreds,
|
||||
id: "ID-1",
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: badCreds,
|
||||
id: "ID-1",
|
||||
wantErr: ErrorUnauthorized,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: goodCreds,
|
||||
id: "NO_ID",
|
||||
wantErr: ErrorResourceNotFound,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: credsWithMultipleAudiences,
|
||||
id: "ID-1",
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: clientCreds,
|
||||
id: "ID-1",
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
api, _ := makeTestFixtures()
|
||||
api, _ := makeTestFixtures(tt.clientCredsFlag)
|
||||
usr, err := api.GetUser(tt.creds, tt.id)
|
||||
if tt.wantErr != nil {
|
||||
if err != tt.wantErr {
|
||||
|
@ -309,7 +327,7 @@ func TestListUsers(t *testing.T) {
|
|||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
api, _ := makeTestFixtures()
|
||||
api, _ := makeTestFixtures(false)
|
||||
|
||||
gotIDs := [][]string{}
|
||||
var next string
|
||||
|
@ -346,6 +364,8 @@ func TestCreateUser(t *testing.T) {
|
|||
redirURL url.URL
|
||||
cantEmail bool
|
||||
|
||||
clientCredsFlag bool
|
||||
|
||||
wantResponse schema.UserCreateResponse
|
||||
wantClientID string
|
||||
wantErr error
|
||||
|
@ -371,6 +391,30 @@ func TestCreateUser(t *testing.T) {
|
|||
},
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: clientCreds,
|
||||
usr: schema.User{
|
||||
Email: "newuser01@example.com",
|
||||
DisplayName: "New User",
|
||||
EmailVerified: true,
|
||||
Admin: false,
|
||||
},
|
||||
redirURL: validRedirURL,
|
||||
|
||||
wantResponse: schema.UserCreateResponse{
|
||||
EmailSent: true,
|
||||
User: &schema.User{
|
||||
Email: "newuser01@example.com",
|
||||
DisplayName: "New User",
|
||||
EmailVerified: true,
|
||||
Admin: false,
|
||||
CreatedAt: clock.Now().Format(time.RFC3339),
|
||||
},
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
creds: credsWithMultipleAudiences,
|
||||
|
@ -393,6 +437,7 @@ func TestCreateUser(t *testing.T) {
|
|||
},
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: goodCreds,
|
||||
|
@ -416,6 +461,7 @@ func TestCreateUser(t *testing.T) {
|
|||
ResetPasswordLink: resetPasswordURL.String(),
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: goodCreds,
|
||||
|
@ -440,11 +486,12 @@ func TestCreateUser(t *testing.T) {
|
|||
redirURL: validRedirURL,
|
||||
|
||||
wantErr: ErrorUnauthorized,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
api, emailer := makeTestFixtures()
|
||||
api, emailer := makeTestFixtures(tt.clientCredsFlag)
|
||||
emailer.cantEmail = tt.cantEmail
|
||||
|
||||
response, err := api.CreateUser(tt.creds, tt.usr, tt.redirURL)
|
||||
|
@ -528,7 +575,7 @@ func TestDisableUsers(t *testing.T) {
|
|||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
api, _ := makeTestFixtures()
|
||||
api, _ := makeTestFixtures(false)
|
||||
_, err := api.DisableUser(goodCreds, tt.id, tt.disable)
|
||||
if err != nil {
|
||||
t.Fatalf("case %d: unexpected error: %v", i, err)
|
||||
|
@ -552,6 +599,8 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
redirURL url.URL
|
||||
cantEmail bool
|
||||
|
||||
clientCredsFlag bool
|
||||
|
||||
wantResponse schema.ResendEmailInvitationResponse
|
||||
wantErr error
|
||||
wantClientID string
|
||||
|
@ -566,6 +615,19 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
EmailSent: true,
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: clientCreds,
|
||||
userID: "ID-1",
|
||||
email: "id1@example.com",
|
||||
redirURL: validRedirURL,
|
||||
|
||||
wantResponse: schema.ResendEmailInvitationResponse{
|
||||
EmailSent: true,
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: true,
|
||||
},
|
||||
{
|
||||
creds: goodCreds,
|
||||
|
@ -579,6 +641,7 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
ResetPasswordLink: resetPasswordURL.String(),
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: credsWithMultipleAudiences,
|
||||
|
@ -592,6 +655,7 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
ResetPasswordLink: resetPasswordURL.String(),
|
||||
},
|
||||
wantClientID: goodClientID,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: badCreds,
|
||||
|
@ -600,6 +664,7 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
redirURL: validRedirURL,
|
||||
|
||||
wantErr: ErrorUnauthorized,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: goodCreds,
|
||||
|
@ -608,6 +673,7 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
redirURL: url.URL{Host: "scammers.com"},
|
||||
|
||||
wantErr: ErrorInvalidRedirectURL,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: goodCreds,
|
||||
|
@ -616,6 +682,7 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
redirURL: validRedirURL,
|
||||
|
||||
wantErr: ErrorVerifiedEmail,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
{
|
||||
creds: goodCreds,
|
||||
|
@ -624,11 +691,12 @@ func TestResendEmailInvitation(t *testing.T) {
|
|||
redirURL: validRedirURL,
|
||||
|
||||
wantErr: ErrorResourceNotFound,
|
||||
clientCredsFlag: false,
|
||||
},
|
||||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
api, emailer := makeTestFixtures()
|
||||
api, emailer := makeTestFixtures(tt.clientCredsFlag)
|
||||
emailer.cantEmail = tt.cantEmail
|
||||
|
||||
response, err := api.ResendEmailInvitation(tt.creds, tt.userID, tt.redirURL)
|
||||
|
@ -670,7 +738,7 @@ func TestRevokeRefreshToken(t *testing.T) {
|
|||
{"ID-2", goodClientID, []string{goodClientID}, []string{}},
|
||||
}
|
||||
|
||||
api, _ := makeTestFixtures()
|
||||
api, _ := makeTestFixtures(false)
|
||||
|
||||
listClientsWithRefreshTokens := func(creds Creds, userID string) ([]string, error) {
|
||||
clients, err := api.ListClientsWithRefreshTokens(creds, userID)
|
||||
|
|
Reference in a new issue