551229a986
feat: Add refresh token expiration and rotation settings
1649 lines
48 KiB
Go
1649 lines
48 KiB
Go
package server
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"reflect"
|
|
"sort"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
gosundheit "github.com/AppsFlyer/go-sundheit"
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
"github.com/kylelemons/godebug/pretty"
|
|
"github.com/prometheus/client_golang/prometheus"
|
|
"github.com/sirupsen/logrus"
|
|
"github.com/stretchr/testify/require"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"golang.org/x/oauth2"
|
|
jose "gopkg.in/square/go-jose.v2"
|
|
|
|
"github.com/dexidp/dex/connector"
|
|
"github.com/dexidp/dex/connector/mock"
|
|
"github.com/dexidp/dex/storage"
|
|
"github.com/dexidp/dex/storage/memory"
|
|
)
|
|
|
|
func mustLoad(s string) *rsa.PrivateKey {
|
|
block, _ := pem.Decode([]byte(s))
|
|
if block == nil {
|
|
panic("no pem data found")
|
|
}
|
|
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return key
|
|
}
|
|
|
|
var testKey = mustLoad(`-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEogIBAAKCAQEArmoiX5G36MKPiVGS1sicruEaGRrbhPbIKOf97aGGQRjXVngo
|
|
Knwd2L4T9CRyABgQm3tLHHcT5crODoy46wX2g9onTZWViWWuhJ5wxXNmUbCAPWHb
|
|
j9SunW53WuLYZ/IJLNZt5XYCAFPjAakWp8uMuuDwWo5EyFaw85X3FSMhVmmaYDd0
|
|
cn+1H4+NS/52wX7tWmyvGUNJ8lzjFAnnOtBJByvkyIC7HDphkLQV4j//sMNY1mPX
|
|
HbsYgFv2J/LIJtkjdYO2UoDhZG3Gvj16fMy2JE2owA8IX4/s+XAmA2PiTfd0J5b4
|
|
drAKEcdDl83G6L3depEkTkfvp0ZLsh9xupAvIwIDAQABAoIBABKGgWonPyKA7+AF
|
|
AxS/MC0/CZebC6/+ylnV8lm4K1tkuRKdJp8EmeL4pYPsDxPFepYZLWwzlbB1rxdK
|
|
iSWld36fwEb0WXLDkxrQ/Wdrj3Wjyqs6ZqjLTVS5dAH6UEQSKDlT+U5DD4lbX6RA
|
|
goCGFUeQNtdXfyTMWHU2+4yKM7NKzUpczFky+0d10Mg0ANj3/4IILdr3hqkmMSI9
|
|
1TB9ksWBXJxt3nGxAjzSFihQFUlc231cey/HhYbvAX5fN0xhLxOk88adDcdXE7br
|
|
3Ser1q6XaaFQSMj4oi1+h3RAT9MUjJ6johEqjw0PbEZtOqXvA1x5vfFdei6SqgKn
|
|
Am3BspkCgYEA2lIiKEkT/Je6ZH4Omhv9atbGoBdETAstL3FnNQjkyVau9f6bxQkl
|
|
4/sz985JpaiasORQBiTGY8JDT/hXjROkut91agi2Vafhr29L/mto7KZglfDsT4b2
|
|
9z/EZH8wHw7eYhvdoBbMbqNDSI8RrGa4mpLpuN+E0wsFTzSZEL+QMQUCgYEAzIQh
|
|
xnreQvDAhNradMqLmxRpayn1ORaPReD4/off+mi7hZRLKtP0iNgEVEWHJ6HEqqi1
|
|
r38XAc8ap/lfOVMar2MLyCFOhYspdHZ+TGLZfr8gg/Fzeq9IRGKYadmIKVwjMeyH
|
|
REPqg1tyrvMOE0HI5oqkko8JTDJ0OyVC0Vc6+AcCgYAqCzkywugLc/jcU35iZVOH
|
|
WLdFq1Vmw5w/D7rNdtoAgCYPj6nV5y4Z2o2mgl6ifXbU7BMRK9Hc8lNeOjg6HfdS
|
|
WahV9DmRA1SuIWPkKjE5qczd81i+9AHpmakrpWbSBF4FTNKAewOBpwVVGuBPcDTK
|
|
59IE3V7J+cxa9YkotYuCNQKBgCwGla7AbHBEm2z+H+DcaUktD7R+B8gOTzFfyLoi
|
|
Tdj+CsAquDO0BQQgXG43uWySql+CifoJhc5h4v8d853HggsXa0XdxaWB256yk2Wm
|
|
MePTCRDePVm/ufLetqiyp1kf+IOaw1Oyux0j5oA62mDS3Iikd+EE4Z+BjPvefY/L
|
|
E2qpAoGAZo5Wwwk7q8b1n9n/ACh4LpE+QgbFdlJxlfFLJCKstl37atzS8UewOSZj
|
|
FDWV28nTP9sqbtsmU8Tem2jzMvZ7C/Q0AuDoKELFUpux8shm8wfIhyaPnXUGZoAZ
|
|
Np4vUwMSYV5mopESLWOg3loBxKyLGFtgGKVCjGiQvy6zISQ4fQo=
|
|
-----END RSA PRIVATE KEY-----`)
|
|
|
|
var logger = &logrus.Logger{
|
|
Out: os.Stderr,
|
|
Formatter: &logrus.TextFormatter{DisableColors: true},
|
|
Level: logrus.DebugLevel,
|
|
}
|
|
|
|
func newTestServer(ctx context.Context, t *testing.T, updateConfig func(c *Config)) (*httptest.Server, *Server) {
|
|
var server *Server
|
|
s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
server.ServeHTTP(w, r)
|
|
}))
|
|
|
|
config := Config{
|
|
Issuer: s.URL,
|
|
Storage: memory.New(logger),
|
|
Web: WebConfig{
|
|
Dir: "../web",
|
|
},
|
|
Logger: logger,
|
|
PrometheusRegistry: prometheus.NewRegistry(),
|
|
HealthChecker: gosundheit.New(),
|
|
}
|
|
if updateConfig != nil {
|
|
updateConfig(&config)
|
|
}
|
|
s.URL = config.Issuer
|
|
|
|
connector := storage.Connector{
|
|
ID: "mock",
|
|
Type: "mockCallback",
|
|
Name: "Mock",
|
|
ResourceVersion: "1",
|
|
}
|
|
if err := config.Storage.CreateConnector(connector); err != nil {
|
|
t.Fatalf("create connector: %v", err)
|
|
}
|
|
|
|
var err error
|
|
if server, err = newServer(ctx, config, staticRotationStrategy(testKey)); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
server.skipApproval = true // Don't prompt for approval, just immediately redirect with code.
|
|
|
|
// Default rotation policy
|
|
if server.refreshTokenPolicy == nil {
|
|
server.refreshTokenPolicy, err = NewRefreshTokenPolicy(logger, false, "", "", "")
|
|
if err != nil {
|
|
t.Fatalf("failed to prepare rotation policy: %v", err)
|
|
}
|
|
server.refreshTokenPolicy.now = config.Now
|
|
}
|
|
|
|
return s, server
|
|
}
|
|
|
|
func newTestServerMultipleConnectors(ctx context.Context, t *testing.T, updateConfig func(c *Config)) (*httptest.Server, *Server) {
|
|
var server *Server
|
|
s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
server.ServeHTTP(w, r)
|
|
}))
|
|
|
|
config := Config{
|
|
Issuer: s.URL,
|
|
Storage: memory.New(logger),
|
|
Web: WebConfig{
|
|
Dir: "../web",
|
|
},
|
|
Logger: logger,
|
|
PrometheusRegistry: prometheus.NewRegistry(),
|
|
}
|
|
if updateConfig != nil {
|
|
updateConfig(&config)
|
|
}
|
|
s.URL = config.Issuer
|
|
|
|
connector := storage.Connector{
|
|
ID: "mock",
|
|
Type: "mockCallback",
|
|
Name: "Mock",
|
|
ResourceVersion: "1",
|
|
}
|
|
connector2 := storage.Connector{
|
|
ID: "mock2",
|
|
Type: "mockCallback",
|
|
Name: "Mock",
|
|
ResourceVersion: "1",
|
|
}
|
|
if err := config.Storage.CreateConnector(connector); err != nil {
|
|
t.Fatalf("create connector: %v", err)
|
|
}
|
|
if err := config.Storage.CreateConnector(connector2); err != nil {
|
|
t.Fatalf("create connector: %v", err)
|
|
}
|
|
|
|
var err error
|
|
if server, err = newServer(ctx, config, staticRotationStrategy(testKey)); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
server.skipApproval = true // Don't prompt for approval, just immediately redirect with code.
|
|
return s, server
|
|
}
|
|
|
|
func TestNewTestServer(t *testing.T) {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
newTestServer(ctx, t, nil)
|
|
}
|
|
|
|
func TestDiscovery(t *testing.T) {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
httpServer, _ := newTestServer(ctx, t, func(c *Config) {
|
|
c.Issuer += "/non-root-path"
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
p, err := oidc.NewProvider(ctx, httpServer.URL)
|
|
if err != nil {
|
|
t.Fatalf("failed to get provider: %v", err)
|
|
}
|
|
|
|
var got map[string]*json.RawMessage
|
|
if err := p.Claims(&got); err != nil {
|
|
t.Fatalf("failed to decode claims: %v", err)
|
|
}
|
|
|
|
required := []string{
|
|
"issuer",
|
|
"authorization_endpoint",
|
|
"token_endpoint",
|
|
"jwks_uri",
|
|
"userinfo_endpoint",
|
|
}
|
|
for _, field := range required {
|
|
if _, ok := got[field]; !ok {
|
|
t.Errorf("server discovery is missing required field %q", field)
|
|
}
|
|
}
|
|
}
|
|
|
|
type oauth2Tests struct {
|
|
clientID string
|
|
tests []test
|
|
}
|
|
|
|
type test struct {
|
|
name string
|
|
// If specified these set of scopes will be used during the test case.
|
|
scopes []string
|
|
// handleToken provides the OAuth2 token response for the integration test.
|
|
handleToken func(context.Context, *oidc.Provider, *oauth2.Config, *oauth2.Token, *mock.Callback) error
|
|
|
|
// extra parameters to pass when requesting auth_code
|
|
authCodeOptions []oauth2.AuthCodeOption
|
|
|
|
// extra parameters to pass when retrieving id token
|
|
retrieveTokenOptions []oauth2.AuthCodeOption
|
|
|
|
// define an error response, when the test expects an error on the auth endpoint
|
|
authError *OAuth2ErrorResponse
|
|
|
|
// define an error response, when the test expects an error on the token endpoint
|
|
tokenError ErrorResponse
|
|
}
|
|
|
|
// Defines an expected error by HTTP Status Code and
|
|
// the OAuth2 error int the response json
|
|
type ErrorResponse struct {
|
|
Error string
|
|
StatusCode int
|
|
}
|
|
|
|
// https://tools.ietf.org/html/rfc6749#section-5.2
|
|
type OAuth2ErrorResponse struct {
|
|
Error string `json:"error"`
|
|
ErrorDescription string `json:"error_description"`
|
|
ErrorURI string `json:"error_uri"`
|
|
}
|
|
|
|
func makeOAuth2Tests(clientID string, clientSecret string, now func() time.Time) oauth2Tests {
|
|
requestedScopes := []string{oidc.ScopeOpenID, "email", "profile", "groups", "offline_access"}
|
|
|
|
// Used later when configuring test servers to set how long id_tokens will be valid for.
|
|
//
|
|
// The actual value of 30s is completely arbitrary. We just need to set a value
|
|
// so tests can compute the expected "expires_in" field.
|
|
idTokensValidFor := time.Second * 30
|
|
|
|
oidcConfig := &oidc.Config{SkipClientIDCheck: true}
|
|
|
|
basicIDTokenVerify := func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
idToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
return fmt.Errorf("no id token found")
|
|
}
|
|
if _, err := p.Verifier(oidcConfig).Verify(ctx, idToken); err != nil {
|
|
return fmt.Errorf("failed to verify id token: %v", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
return oauth2Tests{
|
|
clientID: clientID,
|
|
tests: []test{
|
|
{
|
|
name: "verify ID Token",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
idToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
return fmt.Errorf("no id token found")
|
|
}
|
|
if _, err := p.Verifier(oidcConfig).Verify(ctx, idToken); err != nil {
|
|
return fmt.Errorf("failed to verify id token: %v", err)
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
name: "fetch userinfo",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
ui, err := p.UserInfo(ctx, config.TokenSource(ctx, token))
|
|
if err != nil {
|
|
return fmt.Errorf("failed to fetch userinfo: %v", err)
|
|
}
|
|
if conn.Identity.Email != ui.Email {
|
|
return fmt.Errorf("expected email to be %v, got %v", conn.Identity.Email, ui.Email)
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
name: "verify id token and oauth2 token expiry",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
expectedExpiry := now().Add(idTokensValidFor)
|
|
|
|
timeEq := func(t1, t2 time.Time, within time.Duration) bool {
|
|
return t1.Sub(t2) < within
|
|
}
|
|
|
|
if !timeEq(token.Expiry, expectedExpiry, time.Second) {
|
|
return fmt.Errorf("expected expired_in to be %s, got %s", expectedExpiry, token.Expiry)
|
|
}
|
|
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
return fmt.Errorf("no id token found")
|
|
}
|
|
idToken, err := p.Verifier(oidcConfig).Verify(ctx, rawIDToken)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to verify id token: %v", err)
|
|
}
|
|
if !timeEq(idToken.Expiry, expectedExpiry, time.Second) {
|
|
return fmt.Errorf("expected id token expiry to be %s, got %s", expectedExpiry, token.Expiry)
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
name: "verify at_hash",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
return fmt.Errorf("no id token found")
|
|
}
|
|
idToken, err := p.Verifier(oidcConfig).Verify(ctx, rawIDToken)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to verify id token: %v", err)
|
|
}
|
|
|
|
var claims struct {
|
|
AtHash string `json:"at_hash"`
|
|
}
|
|
if err := idToken.Claims(&claims); err != nil {
|
|
return fmt.Errorf("failed to decode raw claims: %v", err)
|
|
}
|
|
if claims.AtHash == "" {
|
|
return errors.New("no at_hash value in id_token")
|
|
}
|
|
wantAtHash, err := accessTokenHash(jose.RS256, token.AccessToken)
|
|
if err != nil {
|
|
return fmt.Errorf("computed expected at hash: %v", err)
|
|
}
|
|
if wantAtHash != claims.AtHash {
|
|
return fmt.Errorf("expected at_hash=%q got=%q", wantAtHash, claims.AtHash)
|
|
}
|
|
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
name: "refresh token",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
// have to use time.Now because the OAuth2 package uses it.
|
|
token.Expiry = time.Now().Add(time.Second * -10)
|
|
if token.Valid() {
|
|
return errors.New("token shouldn't be valid")
|
|
}
|
|
|
|
newToken, err := config.TokenSource(ctx, token).Token()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to refresh token: %v", err)
|
|
}
|
|
if token.RefreshToken == newToken.RefreshToken {
|
|
return fmt.Errorf("old refresh token was the same as the new token %q", token.RefreshToken)
|
|
}
|
|
|
|
if _, err := config.TokenSource(ctx, token).Token(); err == nil {
|
|
return errors.New("was able to redeem the same refresh token twice")
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
name: "refresh with explicit scopes",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
v := url.Values{}
|
|
v.Add("client_id", clientID)
|
|
v.Add("client_secret", clientSecret)
|
|
v.Add("grant_type", "refresh_token")
|
|
v.Add("refresh_token", token.RefreshToken)
|
|
v.Add("scope", strings.Join(requestedScopes, " "))
|
|
resp, err := http.PostForm(p.Endpoint().TokenURL, v)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
dump, err := httputil.DumpResponse(resp, true)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return fmt.Errorf("unexpected response: %s", dump)
|
|
}
|
|
if resp.Header.Get("Cache-Control") != "no-store" {
|
|
return fmt.Errorf("cache-control header doesn't included in token response")
|
|
}
|
|
if resp.Header.Get("Pragma") != "no-cache" {
|
|
return fmt.Errorf("pragma header doesn't included in token response")
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
name: "refresh with extra spaces",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
v := url.Values{}
|
|
v.Add("client_id", clientID)
|
|
v.Add("client_secret", clientSecret)
|
|
v.Add("grant_type", "refresh_token")
|
|
v.Add("refresh_token", token.RefreshToken)
|
|
|
|
// go-oidc adds an additional space before scopes when refreshing.
|
|
// Since we support that client we choose to be more relaxed about
|
|
// scope parsing, disregarding extra whitespace.
|
|
v.Add("scope", " "+strings.Join(requestedScopes, " "))
|
|
resp, err := http.PostForm(p.Endpoint().TokenURL, v)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
dump, err := httputil.DumpResponse(resp, true)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return fmt.Errorf("unexpected response: %s", dump)
|
|
}
|
|
if resp.Header.Get("Cache-Control") != "no-store" {
|
|
return fmt.Errorf("cache-control header doesn't included in token response")
|
|
}
|
|
if resp.Header.Get("Pragma") != "no-cache" {
|
|
return fmt.Errorf("pragma header doesn't included in token response")
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
name: "refresh with unauthorized scopes",
|
|
scopes: []string{"openid", "email"},
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
v := url.Values{}
|
|
v.Add("client_id", clientID)
|
|
v.Add("client_secret", clientSecret)
|
|
v.Add("grant_type", "refresh_token")
|
|
v.Add("refresh_token", token.RefreshToken)
|
|
// Request a scope that wasn't requested initially.
|
|
v.Add("scope", "oidc email profile")
|
|
resp, err := http.PostForm(p.Endpoint().TokenURL, v)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode == http.StatusOK {
|
|
dump, err := httputil.DumpResponse(resp, true)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return fmt.Errorf("unexpected response: %s", dump)
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
// This test ensures that the connector.RefreshConnector interface is being
|
|
// used when clients request a refresh token.
|
|
name: "refresh with identity changes",
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
// have to use time.Now because the OAuth2 package uses it.
|
|
token.Expiry = time.Now().Add(time.Second * -10)
|
|
if token.Valid() {
|
|
return errors.New("token shouldn't be valid")
|
|
}
|
|
|
|
ident := connector.Identity{
|
|
UserID: "fooid",
|
|
Username: "foo",
|
|
Email: "foo@bar.com",
|
|
EmailVerified: true,
|
|
Groups: []string{"foo", "bar"},
|
|
}
|
|
conn.Identity = ident
|
|
|
|
type claims struct {
|
|
Username string `json:"name"`
|
|
Email string `json:"email"`
|
|
EmailVerified bool `json:"email_verified"`
|
|
Groups []string `json:"groups"`
|
|
}
|
|
want := claims{ident.Username, ident.Email, ident.EmailVerified, ident.Groups}
|
|
|
|
newToken, err := config.TokenSource(ctx, token).Token()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to refresh token: %v", err)
|
|
}
|
|
rawIDToken, ok := newToken.Extra("id_token").(string)
|
|
if !ok {
|
|
return fmt.Errorf("no id_token in refreshed token")
|
|
}
|
|
idToken, err := p.Verifier(oidcConfig).Verify(ctx, rawIDToken)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to verify id token: %v", err)
|
|
}
|
|
var got claims
|
|
if err := idToken.Claims(&got); err != nil {
|
|
return fmt.Errorf("failed to unmarshal claims: %v", err)
|
|
}
|
|
|
|
if diff := pretty.Compare(want, got); diff != "" {
|
|
return fmt.Errorf("got identity != want identity: %s", diff)
|
|
}
|
|
return nil
|
|
},
|
|
},
|
|
{
|
|
// This test ensures that PKCE work in "plain" mode (no code_challenge_method specified)
|
|
name: "PKCE with plain",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_challenge", "challenge123"),
|
|
},
|
|
retrieveTokenOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_verifier", "challenge123"),
|
|
},
|
|
handleToken: basicIDTokenVerify,
|
|
},
|
|
{
|
|
// This test ensures that PKCE works in "S256" mode
|
|
name: "PKCE with S256",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_challenge", "lyyl-X4a69qrqgEfUL8wodWic3Be9ZZ5eovBgIKKi-w"),
|
|
oauth2.SetAuthURLParam("code_challenge_method", "S256"),
|
|
},
|
|
retrieveTokenOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_verifier", "challenge123"),
|
|
},
|
|
handleToken: basicIDTokenVerify,
|
|
},
|
|
{
|
|
// This test ensures that PKCE does fail with wrong code_verifier in "plain" mode
|
|
name: "PKCE with plain and wrong code_verifier",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_challenge", "challenge123"),
|
|
},
|
|
retrieveTokenOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_verifier", "challenge124"),
|
|
},
|
|
handleToken: basicIDTokenVerify,
|
|
tokenError: ErrorResponse{
|
|
Error: errInvalidGrant,
|
|
StatusCode: http.StatusBadRequest,
|
|
},
|
|
},
|
|
{
|
|
// This test ensures that PKCE fail with wrong code_verifier in "S256" mode
|
|
name: "PKCE with S256 and wrong code_verifier",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_challenge", "lyyl-X4a69qrqgEfUL8wodWic3Be9ZZ5eovBgIKKi-w"),
|
|
oauth2.SetAuthURLParam("code_challenge_method", "S256"),
|
|
},
|
|
retrieveTokenOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_verifier", "challenge124"),
|
|
},
|
|
handleToken: basicIDTokenVerify,
|
|
tokenError: ErrorResponse{
|
|
Error: errInvalidGrant,
|
|
StatusCode: http.StatusBadRequest,
|
|
},
|
|
},
|
|
{
|
|
// Ensure that, when PKCE flow started on /auth
|
|
// we stay in PKCE flow on /token
|
|
name: "PKCE flow expected on /token",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_challenge", "lyyl-X4a69qrqgEfUL8wodWic3Be9ZZ5eovBgIKKi-w"),
|
|
oauth2.SetAuthURLParam("code_challenge_method", "S256"),
|
|
},
|
|
retrieveTokenOptions: []oauth2.AuthCodeOption{
|
|
// No PKCE call on /token
|
|
},
|
|
handleToken: basicIDTokenVerify,
|
|
tokenError: ErrorResponse{
|
|
Error: errInvalidGrant,
|
|
StatusCode: http.StatusBadRequest,
|
|
},
|
|
},
|
|
{
|
|
// Ensure that when no PKCE flow was started on /auth
|
|
// we cannot switch to PKCE on /token
|
|
name: "No PKCE flow started on /auth",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
// No PKCE call on /auth
|
|
},
|
|
retrieveTokenOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_verifier", "challenge123"),
|
|
},
|
|
handleToken: basicIDTokenVerify,
|
|
tokenError: ErrorResponse{
|
|
Error: errInvalidRequest,
|
|
StatusCode: http.StatusBadRequest,
|
|
},
|
|
},
|
|
{
|
|
// Make sure that, when we start with "S256" on /auth, we cannot downgrade to "plain" on /token
|
|
name: "PKCE with S256 and try to downgrade to plain",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_challenge", "lyyl-X4a69qrqgEfUL8wodWic3Be9ZZ5eovBgIKKi-w"),
|
|
oauth2.SetAuthURLParam("code_challenge_method", "S256"),
|
|
},
|
|
retrieveTokenOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("code_verifier", "lyyl-X4a69qrqgEfUL8wodWic3Be9ZZ5eovBgIKKi-w"),
|
|
oauth2.SetAuthURLParam("code_challenge_method", "plain"),
|
|
},
|
|
handleToken: basicIDTokenVerify,
|
|
tokenError: ErrorResponse{
|
|
Error: errInvalidGrant,
|
|
StatusCode: http.StatusBadRequest,
|
|
},
|
|
},
|
|
{
|
|
name: "Request parameter in authorization query",
|
|
authCodeOptions: []oauth2.AuthCodeOption{
|
|
oauth2.SetAuthURLParam("request", "anything"),
|
|
},
|
|
authError: &OAuth2ErrorResponse{
|
|
Error: errRequestNotSupported,
|
|
ErrorDescription: "Server does not support request parameter.",
|
|
},
|
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token, conn *mock.Callback) error {
|
|
return nil
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
// TestOAuth2CodeFlow runs integration tests against a test server. The tests stand up a server
|
|
// which requires no interaction to login, logs in through a test client, then passes the client
|
|
// and returned token to the test.
|
|
func TestOAuth2CodeFlow(t *testing.T) {
|
|
clientID := "testclient"
|
|
clientSecret := "testclientsecret"
|
|
requestedScopes := []string{oidc.ScopeOpenID, "email", "profile", "groups", "offline_access"}
|
|
|
|
t0 := time.Now()
|
|
|
|
// Always have the time function used by the server return the same time so
|
|
// we can predict expected values of "expires_in" fields exactly.
|
|
now := func() time.Time { return t0 }
|
|
|
|
// Used later when configuring test servers to set how long id_tokens will be valid for.
|
|
//
|
|
// The actual value of 30s is completely arbitrary. We just need to set a value
|
|
// so tests can compute the expected "expires_in" field.
|
|
idTokensValidFor := time.Second * 30
|
|
|
|
// Connector used by the tests.
|
|
var conn *mock.Callback
|
|
|
|
tests := makeOAuth2Tests(clientID, clientSecret, now)
|
|
for _, tc := range tests.tests {
|
|
func() {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
// Setup a dex server.
|
|
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
|
c.Issuer += "/non-root-path"
|
|
c.Now = now
|
|
c.IDTokensValidFor = idTokensValidFor
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
mockConn := s.connectors["mock"]
|
|
conn = mockConn.Connector.(*mock.Callback)
|
|
|
|
// Query server's provider metadata.
|
|
p, err := oidc.NewProvider(ctx, httpServer.URL)
|
|
if err != nil {
|
|
t.Fatalf("failed to get provider: %v", err)
|
|
}
|
|
|
|
var (
|
|
// If the OAuth2 client didn't get a response, we need
|
|
// to print the requests the user saw.
|
|
gotCode bool
|
|
reqDump, respDump []byte // Auth step, not token.
|
|
state = "a_state"
|
|
)
|
|
defer func() {
|
|
if !gotCode && tc.authError == nil {
|
|
t.Errorf("never got a code in callback\n%s\n%s", reqDump, respDump)
|
|
}
|
|
}()
|
|
|
|
// Setup OAuth2 client.
|
|
var oauth2Config *oauth2.Config
|
|
oauth2Client := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path != "/callback" {
|
|
// User is visiting app first time. Redirect to dex.
|
|
http.Redirect(w, r, oauth2Config.AuthCodeURL(state, tc.authCodeOptions...), http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// User is at '/callback' so they were just redirected _from_ dex.
|
|
q := r.URL.Query()
|
|
|
|
// Did dex return an error?
|
|
if errType := q.Get("error"); errType != "" {
|
|
description := q.Get("error_description")
|
|
|
|
if tc.authError == nil {
|
|
if description != "" {
|
|
t.Errorf("got error from server %s: %s", errType, description)
|
|
} else {
|
|
t.Errorf("got error from server %s", errType)
|
|
}
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
require.Equal(t, *tc.authError, OAuth2ErrorResponse{Error: errType, ErrorDescription: description})
|
|
return
|
|
}
|
|
|
|
// Grab code, exchange for token.
|
|
if code := q.Get("code"); code != "" {
|
|
gotCode = true
|
|
token, err := oauth2Config.Exchange(ctx, code, tc.retrieveTokenOptions...)
|
|
if tc.tokenError.StatusCode != 0 {
|
|
checkErrorResponse(err, t, tc)
|
|
return
|
|
}
|
|
|
|
if err != nil {
|
|
t.Errorf("failed to exchange code for token: %v", err)
|
|
return
|
|
}
|
|
err = tc.handleToken(ctx, p, oauth2Config, token, conn)
|
|
if err != nil {
|
|
t.Errorf("%s: %v", tc.name, err)
|
|
}
|
|
return
|
|
}
|
|
|
|
// Ensure state matches.
|
|
if gotState := q.Get("state"); gotState != state {
|
|
t.Errorf("state did not match, want=%q got=%q", state, gotState)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
defer oauth2Client.Close()
|
|
|
|
// Register the client above with dex.
|
|
redirectURL := oauth2Client.URL + "/callback"
|
|
client := storage.Client{
|
|
ID: clientID,
|
|
Secret: clientSecret,
|
|
RedirectURIs: []string{redirectURL},
|
|
}
|
|
if err := s.storage.CreateClient(client); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
// Create the OAuth2 config.
|
|
oauth2Config = &oauth2.Config{
|
|
ClientID: client.ID,
|
|
ClientSecret: client.Secret,
|
|
Endpoint: p.Endpoint(),
|
|
Scopes: requestedScopes,
|
|
RedirectURL: redirectURL,
|
|
}
|
|
if len(tc.scopes) != 0 {
|
|
oauth2Config.Scopes = tc.scopes
|
|
}
|
|
|
|
// Login!
|
|
//
|
|
// 1. First request to client, redirects to dex.
|
|
// 2. Dex "logs in" the user, redirects to client with "code".
|
|
// 3. Client exchanges "code" for "token" (id_token, refresh_token, etc.).
|
|
// 4. Test is run with OAuth2 token response.
|
|
//
|
|
resp, err := http.Get(oauth2Client.URL + "/login")
|
|
if err != nil {
|
|
t.Fatalf("get failed: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if reqDump, err = httputil.DumpRequest(resp.Request, false); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if respDump, err = httputil.DumpResponse(resp, true); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}()
|
|
}
|
|
}
|
|
|
|
func TestOAuth2ImplicitFlow(t *testing.T) {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
|
// Enable support for the implicit flow.
|
|
c.SupportedResponseTypes = []string{"code", "token", "id_token"}
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
p, err := oidc.NewProvider(ctx, httpServer.URL)
|
|
if err != nil {
|
|
t.Fatalf("failed to get provider: %v", err)
|
|
}
|
|
|
|
var (
|
|
reqDump, respDump []byte
|
|
gotIDToken bool
|
|
state = "a_state"
|
|
nonce = "a_nonce"
|
|
)
|
|
defer func() {
|
|
if !gotIDToken {
|
|
t.Errorf("never got a id token in fragment\n%s\n%s", reqDump, respDump)
|
|
}
|
|
}()
|
|
|
|
var oauth2Config *oauth2.Config
|
|
oauth2Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/callback" {
|
|
q := r.URL.Query()
|
|
if errType := q.Get("error"); errType != "" {
|
|
if desc := q.Get("error_description"); desc != "" {
|
|
t.Errorf("got error from server %s: %s", errType, desc)
|
|
} else {
|
|
t.Errorf("got error from server %s", errType)
|
|
}
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
// Fragment is checked by the client since net/http servers don't preserve URL fragments.
|
|
// E.g.
|
|
//
|
|
// r.URL.Fragment
|
|
//
|
|
// Will always be empty.
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
u := oauth2Config.AuthCodeURL(state, oauth2.SetAuthURLParam("response_type", "id_token token"), oidc.Nonce(nonce))
|
|
http.Redirect(w, r, u, http.StatusSeeOther)
|
|
}))
|
|
|
|
defer oauth2Server.Close()
|
|
|
|
redirectURL := oauth2Server.URL + "/callback"
|
|
client := storage.Client{
|
|
ID: "testclient",
|
|
Secret: "testclientsecret",
|
|
RedirectURIs: []string{redirectURL},
|
|
}
|
|
if err := s.storage.CreateClient(client); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
idTokenVerifier := p.Verifier(&oidc.Config{
|
|
ClientID: client.ID,
|
|
})
|
|
|
|
oauth2Config = &oauth2.Config{
|
|
ClientID: client.ID,
|
|
ClientSecret: client.Secret,
|
|
Endpoint: p.Endpoint(),
|
|
Scopes: []string{oidc.ScopeOpenID, "profile", "email", "offline_access"},
|
|
RedirectURL: redirectURL,
|
|
}
|
|
|
|
checkIDToken := func(u *url.URL) error {
|
|
if u.Fragment == "" {
|
|
return fmt.Errorf("url has no fragment: %s", u)
|
|
}
|
|
v, err := url.ParseQuery(u.Fragment)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to parse fragment: %v", err)
|
|
}
|
|
rawIDToken := v.Get("id_token")
|
|
if rawIDToken == "" {
|
|
return errors.New("no id_token in fragment")
|
|
}
|
|
idToken, err := idTokenVerifier.Verify(ctx, rawIDToken)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to verify id_token: %v", err)
|
|
}
|
|
if idToken.Nonce != nonce {
|
|
return fmt.Errorf("failed to verify id_token: nonce was %v, but want %v", idToken.Nonce, nonce)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
httpClient := &http.Client{
|
|
// net/http servers don't preserve URL fragments when passing the request to
|
|
// handlers. The only way to get at that values is to check the redirect on
|
|
// the client side.
|
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
|
if len(via) > 10 {
|
|
return errors.New("too many redirects")
|
|
}
|
|
|
|
// If we're being redirected back to the client server, inspect the URL fragment
|
|
// for an ID Token.
|
|
u := req.URL.String()
|
|
if strings.HasPrefix(u, oauth2Server.URL) {
|
|
if err := checkIDToken(req.URL); err == nil {
|
|
gotIDToken = true
|
|
} else {
|
|
t.Error(err)
|
|
}
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
|
|
resp, err := httpClient.Get(oauth2Server.URL + "/login")
|
|
if err != nil {
|
|
t.Fatalf("get failed: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if reqDump, err = httputil.DumpRequest(resp.Request, false); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if respDump, err = httputil.DumpResponse(resp, true); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func TestCrossClientScopes(t *testing.T) {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
|
c.Issuer += "/non-root-path"
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
p, err := oidc.NewProvider(ctx, httpServer.URL)
|
|
if err != nil {
|
|
t.Fatalf("failed to get provider: %v", err)
|
|
}
|
|
|
|
var (
|
|
reqDump, respDump []byte
|
|
gotCode bool
|
|
state = "a_state"
|
|
)
|
|
defer func() {
|
|
if !gotCode {
|
|
t.Errorf("never got a code in callback\n%s\n%s", reqDump, respDump)
|
|
}
|
|
}()
|
|
|
|
testClientID := "testclient"
|
|
peerID := "peer"
|
|
|
|
var oauth2Config *oauth2.Config
|
|
oauth2Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/callback" {
|
|
q := r.URL.Query()
|
|
if errType := q.Get("error"); errType != "" {
|
|
if desc := q.Get("error_description"); desc != "" {
|
|
t.Errorf("got error from server %s: %s", errType, desc)
|
|
} else {
|
|
t.Errorf("got error from server %s", errType)
|
|
}
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if code := q.Get("code"); code != "" {
|
|
gotCode = true
|
|
token, err := oauth2Config.Exchange(ctx, code)
|
|
if err != nil {
|
|
t.Errorf("failed to exchange code for token: %v", err)
|
|
return
|
|
}
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
t.Errorf("no id token found: %v", err)
|
|
return
|
|
}
|
|
idToken, err := p.Verifier(&oidc.Config{ClientID: testClientID}).Verify(ctx, rawIDToken)
|
|
if err != nil {
|
|
t.Errorf("failed to parse ID Token: %v", err)
|
|
return
|
|
}
|
|
|
|
sort.Strings(idToken.Audience)
|
|
expAudience := []string{peerID, testClientID}
|
|
if !reflect.DeepEqual(idToken.Audience, expAudience) {
|
|
t.Errorf("expected audience %q, got %q", expAudience, idToken.Audience)
|
|
}
|
|
}
|
|
if gotState := q.Get("state"); gotState != state {
|
|
t.Errorf("state did not match, want=%q got=%q", state, gotState)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusSeeOther)
|
|
}))
|
|
|
|
defer oauth2Server.Close()
|
|
|
|
redirectURL := oauth2Server.URL + "/callback"
|
|
client := storage.Client{
|
|
ID: testClientID,
|
|
Secret: "testclientsecret",
|
|
RedirectURIs: []string{redirectURL},
|
|
}
|
|
if err := s.storage.CreateClient(client); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
peer := storage.Client{
|
|
ID: peerID,
|
|
Secret: "foobar",
|
|
TrustedPeers: []string{"testclient"},
|
|
}
|
|
|
|
if err := s.storage.CreateClient(peer); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
oauth2Config = &oauth2.Config{
|
|
ClientID: client.ID,
|
|
ClientSecret: client.Secret,
|
|
Endpoint: p.Endpoint(),
|
|
Scopes: []string{
|
|
oidc.ScopeOpenID, "profile", "email",
|
|
"audience:server:client_id:" + client.ID,
|
|
"audience:server:client_id:" + peer.ID,
|
|
},
|
|
RedirectURL: redirectURL,
|
|
}
|
|
|
|
resp, err := http.Get(oauth2Server.URL + "/login")
|
|
if err != nil {
|
|
t.Fatalf("get failed: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if reqDump, err = httputil.DumpRequest(resp.Request, false); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if respDump, err = httputil.DumpResponse(resp, true); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func TestCrossClientScopesWithAzpInAudienceByDefault(t *testing.T) {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
|
c.Issuer += "/non-root-path"
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
p, err := oidc.NewProvider(ctx, httpServer.URL)
|
|
if err != nil {
|
|
t.Fatalf("failed to get provider: %v", err)
|
|
}
|
|
|
|
var (
|
|
reqDump, respDump []byte
|
|
gotCode bool
|
|
state = "a_state"
|
|
)
|
|
defer func() {
|
|
if !gotCode {
|
|
t.Errorf("never got a code in callback\n%s\n%s", reqDump, respDump)
|
|
}
|
|
}()
|
|
|
|
testClientID := "testclient"
|
|
peerID := "peer"
|
|
|
|
var oauth2Config *oauth2.Config
|
|
oauth2Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/callback" {
|
|
q := r.URL.Query()
|
|
if errType := q.Get("error"); errType != "" {
|
|
if desc := q.Get("error_description"); desc != "" {
|
|
t.Errorf("got error from server %s: %s", errType, desc)
|
|
} else {
|
|
t.Errorf("got error from server %s", errType)
|
|
}
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if code := q.Get("code"); code != "" {
|
|
gotCode = true
|
|
token, err := oauth2Config.Exchange(ctx, code)
|
|
if err != nil {
|
|
t.Errorf("failed to exchange code for token: %v", err)
|
|
return
|
|
}
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
t.Errorf("no id token found: %v", err)
|
|
return
|
|
}
|
|
idToken, err := p.Verifier(&oidc.Config{ClientID: testClientID}).Verify(ctx, rawIDToken)
|
|
if err != nil {
|
|
t.Errorf("failed to parse ID Token: %v", err)
|
|
return
|
|
}
|
|
|
|
sort.Strings(idToken.Audience)
|
|
expAudience := []string{peerID, testClientID}
|
|
if !reflect.DeepEqual(idToken.Audience, expAudience) {
|
|
t.Errorf("expected audience %q, got %q", expAudience, idToken.Audience)
|
|
}
|
|
}
|
|
if gotState := q.Get("state"); gotState != state {
|
|
t.Errorf("state did not match, want=%q got=%q", state, gotState)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusSeeOther)
|
|
}))
|
|
|
|
defer oauth2Server.Close()
|
|
|
|
redirectURL := oauth2Server.URL + "/callback"
|
|
client := storage.Client{
|
|
ID: testClientID,
|
|
Secret: "testclientsecret",
|
|
RedirectURIs: []string{redirectURL},
|
|
}
|
|
if err := s.storage.CreateClient(client); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
peer := storage.Client{
|
|
ID: peerID,
|
|
Secret: "foobar",
|
|
TrustedPeers: []string{"testclient"},
|
|
}
|
|
|
|
if err := s.storage.CreateClient(peer); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
oauth2Config = &oauth2.Config{
|
|
ClientID: client.ID,
|
|
ClientSecret: client.Secret,
|
|
Endpoint: p.Endpoint(),
|
|
Scopes: []string{
|
|
oidc.ScopeOpenID, "profile", "email",
|
|
"audience:server:client_id:" + peer.ID,
|
|
},
|
|
RedirectURL: redirectURL,
|
|
}
|
|
|
|
resp, err := http.Get(oauth2Server.URL + "/login")
|
|
if err != nil {
|
|
t.Fatalf("get failed: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if reqDump, err = httputil.DumpRequest(resp.Request, false); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if respDump, err = httputil.DumpResponse(resp, true); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func TestPasswordDB(t *testing.T) {
|
|
s := memory.New(logger)
|
|
conn := newPasswordDB(s)
|
|
|
|
pw := "hi"
|
|
|
|
h, err := bcrypt.GenerateFromPassword([]byte(pw), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
s.CreatePassword(storage.Password{
|
|
Email: "jane@example.com",
|
|
Username: "jane",
|
|
UserID: "foobar",
|
|
Hash: h,
|
|
})
|
|
|
|
tests := []struct {
|
|
name string
|
|
username string
|
|
password string
|
|
wantIdentity connector.Identity
|
|
wantInvalid bool
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "valid password",
|
|
username: "jane@example.com",
|
|
password: pw,
|
|
wantIdentity: connector.Identity{
|
|
Email: "jane@example.com",
|
|
Username: "jane",
|
|
UserID: "foobar",
|
|
EmailVerified: true,
|
|
},
|
|
},
|
|
{
|
|
name: "unknown user",
|
|
username: "john@example.com",
|
|
password: pw,
|
|
wantInvalid: true,
|
|
},
|
|
{
|
|
name: "invalid password",
|
|
username: "jane@example.com",
|
|
password: "not the correct password",
|
|
wantInvalid: true,
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
ident, valid, err := conn.Login(context.Background(), connector.Scopes{}, tc.username, tc.password)
|
|
if err != nil {
|
|
if !tc.wantErr {
|
|
t.Errorf("%s: %v", tc.name, err)
|
|
}
|
|
continue
|
|
}
|
|
|
|
if tc.wantErr {
|
|
t.Errorf("%s: expected error", tc.name)
|
|
continue
|
|
}
|
|
|
|
if !valid {
|
|
if !tc.wantInvalid {
|
|
t.Errorf("%s: expected valid password", tc.name)
|
|
}
|
|
continue
|
|
}
|
|
|
|
if tc.wantInvalid {
|
|
t.Errorf("%s: expected invalid password", tc.name)
|
|
continue
|
|
}
|
|
|
|
if diff := pretty.Compare(tc.wantIdentity, ident); diff != "" {
|
|
t.Errorf("%s: %s", tc.name, diff)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPasswordDBUsernamePrompt(t *testing.T) {
|
|
s := memory.New(logger)
|
|
conn := newPasswordDB(s)
|
|
|
|
expected := "Email Address"
|
|
if actual := conn.Prompt(); actual != expected {
|
|
t.Errorf("expected %v, got %v", expected, actual)
|
|
}
|
|
}
|
|
|
|
type storageWithKeysTrigger struct {
|
|
storage.Storage
|
|
f func()
|
|
}
|
|
|
|
func (s storageWithKeysTrigger) GetKeys() (storage.Keys, error) {
|
|
s.f()
|
|
return s.Storage.GetKeys()
|
|
}
|
|
|
|
func TestKeyCacher(t *testing.T) {
|
|
tNow := time.Now()
|
|
now := func() time.Time { return tNow }
|
|
|
|
s := memory.New(logger)
|
|
|
|
tests := []struct {
|
|
before func()
|
|
wantCallToStorage bool
|
|
}{
|
|
{
|
|
before: func() {},
|
|
wantCallToStorage: true,
|
|
},
|
|
{
|
|
before: func() {
|
|
s.UpdateKeys(func(old storage.Keys) (storage.Keys, error) {
|
|
old.NextRotation = tNow.Add(time.Minute)
|
|
return old, nil
|
|
})
|
|
},
|
|
wantCallToStorage: true,
|
|
},
|
|
{
|
|
before: func() {},
|
|
wantCallToStorage: false,
|
|
},
|
|
{
|
|
before: func() {
|
|
tNow = tNow.Add(time.Hour)
|
|
},
|
|
wantCallToStorage: true,
|
|
},
|
|
{
|
|
before: func() {
|
|
tNow = tNow.Add(time.Hour)
|
|
s.UpdateKeys(func(old storage.Keys) (storage.Keys, error) {
|
|
old.NextRotation = tNow.Add(time.Minute)
|
|
return old, nil
|
|
})
|
|
},
|
|
wantCallToStorage: true,
|
|
},
|
|
{
|
|
before: func() {},
|
|
wantCallToStorage: false,
|
|
},
|
|
}
|
|
|
|
gotCall := false
|
|
s = newKeyCacher(storageWithKeysTrigger{s, func() { gotCall = true }}, now)
|
|
for i, tc := range tests {
|
|
gotCall = false
|
|
tc.before()
|
|
s.GetKeys()
|
|
if gotCall != tc.wantCallToStorage {
|
|
t.Errorf("case %d: expected call to storage=%t got call to storage=%t", i, tc.wantCallToStorage, gotCall)
|
|
}
|
|
}
|
|
}
|
|
|
|
func checkErrorResponse(err error, t *testing.T, tc test) {
|
|
if err == nil {
|
|
t.Errorf("%s: DANGEROUS! got a token when we should not get one!", tc.name)
|
|
return
|
|
}
|
|
if rErr, ok := err.(*oauth2.RetrieveError); ok {
|
|
if rErr.Response.StatusCode != tc.tokenError.StatusCode {
|
|
t.Errorf("%s: got wrong StatusCode from server %d. expected %d",
|
|
tc.name, rErr.Response.StatusCode, tc.tokenError.StatusCode)
|
|
}
|
|
details := new(OAuth2ErrorResponse)
|
|
if err := json.Unmarshal(rErr.Body, details); err != nil {
|
|
t.Errorf("%s: could not parse return json: %s", tc.name, err)
|
|
return
|
|
}
|
|
if tc.tokenError.Error != "" && details.Error != tc.tokenError.Error {
|
|
t.Errorf("%s: got wrong Error in response: %s (%s). expected %s",
|
|
tc.name, details.Error, details.ErrorDescription, tc.tokenError.Error)
|
|
}
|
|
} else {
|
|
t.Errorf("%s: unexpected error type: %s. expected *oauth2.RetrieveError", tc.name, reflect.TypeOf(err))
|
|
}
|
|
}
|
|
|
|
type oauth2Client struct {
|
|
config *oauth2.Config
|
|
token *oauth2.Token
|
|
server *httptest.Server
|
|
}
|
|
|
|
// TestRefreshTokenFlow tests the refresh token code flow for oauth2. The test verifies
|
|
// that only valid refresh tokens can be used to refresh an expired token.
|
|
func TestRefreshTokenFlow(t *testing.T) {
|
|
state := "state"
|
|
now := time.Now
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
|
c.Now = now
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
p, err := oidc.NewProvider(ctx, httpServer.URL)
|
|
if err != nil {
|
|
t.Fatalf("failed to get provider: %v", err)
|
|
}
|
|
|
|
var oauth2Client oauth2Client
|
|
|
|
oauth2Client.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path != "/callback" {
|
|
// User is visiting app first time. Redirect to dex.
|
|
http.Redirect(w, r, oauth2Client.config.AuthCodeURL(state), http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// User is at '/callback' so they were just redirected _from_ dex.
|
|
q := r.URL.Query()
|
|
|
|
if errType := q.Get("error"); errType != "" {
|
|
if desc := q.Get("error_description"); desc != "" {
|
|
t.Errorf("got error from server %s: %s", errType, desc)
|
|
} else {
|
|
t.Errorf("got error from server %s", errType)
|
|
}
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Grab code, exchange for token.
|
|
if code := q.Get("code"); code != "" {
|
|
token, err := oauth2Client.config.Exchange(ctx, code)
|
|
if err != nil {
|
|
t.Errorf("failed to exchange code for token: %v", err)
|
|
return
|
|
}
|
|
oauth2Client.token = token
|
|
}
|
|
|
|
// Ensure state matches.
|
|
if gotState := q.Get("state"); gotState != state {
|
|
t.Errorf("state did not match, want=%q got=%q", state, gotState)
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer oauth2Client.server.Close()
|
|
|
|
// Register the client above with dex.
|
|
redirectURL := oauth2Client.server.URL + "/callback"
|
|
client := storage.Client{
|
|
ID: "testclient",
|
|
Secret: "testclientsecret",
|
|
RedirectURIs: []string{redirectURL},
|
|
}
|
|
if err := s.storage.CreateClient(client); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
oauth2Client.config = &oauth2.Config{
|
|
ClientID: client.ID,
|
|
ClientSecret: client.Secret,
|
|
Endpoint: p.Endpoint(),
|
|
Scopes: []string{oidc.ScopeOpenID, "email", "offline_access"},
|
|
RedirectURL: redirectURL,
|
|
}
|
|
|
|
resp, err := http.Get(oauth2Client.server.URL + "/login")
|
|
if err != nil {
|
|
t.Fatalf("get failed: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
tok := &oauth2.Token{
|
|
RefreshToken: oauth2Client.token.RefreshToken,
|
|
Expiry: time.Now().Add(-time.Hour),
|
|
}
|
|
|
|
// Login in again to receive a new token.
|
|
resp, err = http.Get(oauth2Client.server.URL + "/login")
|
|
if err != nil {
|
|
t.Fatalf("get failed: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
// try to refresh expired token with old refresh token.
|
|
if _, err := oauth2Client.config.TokenSource(ctx, tok).Token(); err == nil {
|
|
t.Errorf("Token refreshed with invalid refresh token, error expected.")
|
|
}
|
|
}
|
|
|
|
// TestOAuth2DeviceFlow runs device flow integration tests against a test server
|
|
func TestOAuth2DeviceFlow(t *testing.T) {
|
|
clientID := "testclient"
|
|
clientSecret := ""
|
|
requestedScopes := []string{oidc.ScopeOpenID, "email", "profile", "groups", "offline_access"}
|
|
|
|
t0 := time.Now()
|
|
|
|
// Always have the time function used by the server return the same time so
|
|
// we can predict expected values of "expires_in" fields exactly.
|
|
now := func() time.Time { return t0 }
|
|
|
|
// Connector used by the tests.
|
|
var conn *mock.Callback
|
|
idTokensValidFor := time.Second * 30
|
|
|
|
for _, tc := range makeOAuth2Tests(clientID, clientSecret, now).tests {
|
|
func() {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
// Setup a dex server.
|
|
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
|
c.Issuer += "/non-root-path"
|
|
c.Now = now
|
|
c.IDTokensValidFor = idTokensValidFor
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
mockConn := s.connectors["mock"]
|
|
conn = mockConn.Connector.(*mock.Callback)
|
|
|
|
p, err := oidc.NewProvider(ctx, httpServer.URL)
|
|
if err != nil {
|
|
t.Fatalf("failed to get provider: %v", err)
|
|
}
|
|
|
|
// Add the Clients to the test server
|
|
client := storage.Client{
|
|
ID: clientID,
|
|
RedirectURIs: []string{deviceCallbackURI},
|
|
Public: true,
|
|
}
|
|
if err := s.storage.CreateClient(client); err != nil {
|
|
t.Fatalf("failed to create client: %v", err)
|
|
}
|
|
|
|
// Grab the issuer that we'll reuse for the different endpoints to hit
|
|
issuer, err := url.Parse(s.issuerURL.String())
|
|
if err != nil {
|
|
t.Errorf("Could not parse issuer URL %v", err)
|
|
}
|
|
|
|
// Send a new Device Request
|
|
codeURL, _ := url.Parse(issuer.String())
|
|
codeURL.Path = path.Join(codeURL.Path, "device/code")
|
|
|
|
data := url.Values{}
|
|
data.Set("client_id", clientID)
|
|
data.Add("scope", strings.Join(requestedScopes, " "))
|
|
resp, err := http.PostForm(codeURL.String(), data)
|
|
if err != nil {
|
|
t.Errorf("Could not request device code: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
responseBody, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
t.Errorf("Could read device code response %v", err)
|
|
}
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Errorf("%v - Unexpected Response Type. Expected 200 got %v. Response: %v", tc.name, resp.StatusCode, string(responseBody))
|
|
}
|
|
if resp.Header.Get("Cache-Control") != "no-store" {
|
|
t.Errorf("Cache-Control header doesn't exist in Device Code Response")
|
|
}
|
|
|
|
// Parse the code response
|
|
var deviceCode deviceCodeResponse
|
|
if err := json.Unmarshal(responseBody, &deviceCode); err != nil {
|
|
t.Errorf("Unexpected Device Code Response Format %v", string(responseBody))
|
|
}
|
|
|
|
// Mock the user hitting the verification URI and posting the form
|
|
verifyURL, _ := url.Parse(issuer.String())
|
|
verifyURL.Path = path.Join(verifyURL.Path, "/device/auth/verify_code")
|
|
urlData := url.Values{}
|
|
urlData.Set("user_code", deviceCode.UserCode)
|
|
resp, err = http.PostForm(verifyURL.String(), urlData)
|
|
if err != nil {
|
|
t.Errorf("Error Posting Form: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
responseBody, err = ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
t.Errorf("Could read verification response %v", err)
|
|
}
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Errorf("%v - Unexpected Response Type. Expected 200 got %v. Response: %v", tc.name, resp.StatusCode, string(responseBody))
|
|
}
|
|
|
|
// Hit the Token Endpoint, and try and get an access token
|
|
tokenURL, _ := url.Parse(issuer.String())
|
|
tokenURL.Path = path.Join(tokenURL.Path, "/device/token")
|
|
v := url.Values{}
|
|
v.Add("grant_type", grantTypeDeviceCode)
|
|
v.Add("device_code", deviceCode.DeviceCode)
|
|
resp, err = http.PostForm(tokenURL.String(), v)
|
|
if err != nil {
|
|
t.Errorf("Could not request device token: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
responseBody, err = ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
t.Errorf("Could read device token response %v", err)
|
|
}
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Errorf("%v - Unexpected Token Response Type. Expected 200 got %v. Response: %v", tc.name, resp.StatusCode, string(responseBody))
|
|
}
|
|
|
|
// Parse the response
|
|
var tokenRes accessTokenResponse
|
|
if err := json.Unmarshal(responseBody, &tokenRes); err != nil {
|
|
t.Errorf("Unexpected Device Access Token Response Format %v", string(responseBody))
|
|
}
|
|
|
|
token := &oauth2.Token{
|
|
AccessToken: tokenRes.AccessToken,
|
|
TokenType: tokenRes.TokenType,
|
|
RefreshToken: tokenRes.RefreshToken,
|
|
}
|
|
raw := make(map[string]interface{})
|
|
json.Unmarshal(responseBody, &raw) // no error checks for optional fields
|
|
token = token.WithExtra(raw)
|
|
if secs := tokenRes.ExpiresIn; secs > 0 {
|
|
token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)
|
|
}
|
|
|
|
// Run token tests to validate info is correct
|
|
// Create the OAuth2 config.
|
|
oauth2Config := &oauth2.Config{
|
|
ClientID: client.ID,
|
|
ClientSecret: client.Secret,
|
|
Endpoint: p.Endpoint(),
|
|
Scopes: requestedScopes,
|
|
RedirectURL: deviceCallbackURI,
|
|
}
|
|
if len(tc.scopes) != 0 {
|
|
oauth2Config.Scopes = tc.scopes
|
|
}
|
|
err = tc.handleToken(ctx, p, oauth2Config, token, conn)
|
|
if err != nil {
|
|
t.Errorf("%s: %v", tc.name, err)
|
|
}
|
|
}()
|
|
}
|
|
}
|