authelia/internal/oidc/const_test.go

package oidc_test

import (
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"net/url"
	"os"
	"strings"

	"github.com/ory/fosite"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/utils"
)

const (
	pathCrypto     = "../configuration/test_resources/crypto/%s.%s"
	myclient       = "myclient"
	myclientdesc   = "My Client"
	onefactor      = "one_factor"
	twofactor      = "two_factor"
	examplecom     = "https://example.com"
	examplecomsid  = "example.com"
	badhmac        = "asbdhaaskmdlkamdklasmdlkams"
	badTokenString = "badTokenString"
)

const (
	rs256 = "rs256"
)

func MustDecodeSecret(value string) *schema.PasswordDigest {
	if secret, err := schema.DecodePasswordDigest(value); err != nil {
		panic(err)
	} else {
		return secret
	}
}

func MustParseRequestURI(input string) *url.URL {
	if requestURI, err := url.ParseRequestURI(input); err != nil {
		panic(err)
	} else {
		return requestURI
	}
}

func MustLoadCrypto(alg, mod, ext string, extra ...string) any {
	fparts := []string{alg, mod}
	if len(extra) != 0 {
		fparts = append(fparts, extra...)
	}

	var (
		data    []byte
		decoded any
		err     error
	)

	if data, err = os.ReadFile(fmt.Sprintf(pathCrypto, strings.Join(fparts, "_"), ext)); err != nil {
		panic(err)
	}

	if decoded, err = utils.ParseX509FromPEMRecursive(data); err != nil {
		panic(err)
	}

	return decoded
}

func MustLoadCertificateChain(alg, op string) schema.X509CertificateChain {
	decoded := MustLoadCrypto(alg, op, "crt")

	switch cert := decoded.(type) {
	case *x509.Certificate:
		return schema.NewX509CertificateChainFromCerts([]*x509.Certificate{cert})
	case []*x509.Certificate:
		return schema.NewX509CertificateChainFromCerts(cert)
	default:
		panic(fmt.Errorf("the key was not a *x509.Certificate or []*x509.Certificate, it's a %T", cert))
	}
}

func MustLoadECDSAPrivateKey(curve string, extra ...string) *ecdsa.PrivateKey {
	decoded := MustLoadCrypto("ECDSA", curve, "pem", extra...)

	key, ok := decoded.(*ecdsa.PrivateKey)
	if !ok {
		panic(fmt.Errorf("the key was not a *ecdsa.PrivateKey, it's a %T", key))
	}

	return key
}

func MustLoadRSAPublicKey(bits string, extra ...string) *rsa.PublicKey {
	decoded := MustLoadCrypto("RSA", bits, "pem", extra...)

	key, ok := decoded.(*rsa.PublicKey)
	if !ok {
		panic(fmt.Errorf("the key was not a *rsa.PublicKey, it's a %T", key))
	}

	return key
}

func MustLoadRSAPrivateKey(bits string, extra ...string) *rsa.PrivateKey {
	decoded := MustLoadCrypto("RSA", bits, "pem", extra...)

	key, ok := decoded.(*rsa.PrivateKey)
	if !ok {
		panic(fmt.Errorf("the key was not a *rsa.PrivateKey, it's a %T", key))
	}

	return key
}

type RFC6749ErrorTest struct {
	*fosite.RFC6749Error
}

func (err *RFC6749ErrorTest) Error() string {
	return err.WithExposeDebug(true).GetDescription()
}

func ErrorToRFC6749ErrorTest(err error) (rfc error) {
	if err == nil {
		return nil
	}

	ferr := fosite.ErrorToRFC6749Error(err)

	return &RFC6749ErrorTest{ferr}
}

var (
	tOpenIDConnectPBKDF2ClientSecret, tOpenIDConnectPlainTextClientSecret *schema.PasswordDigest

	// Standard RSA key / certificate pairs.
	keyRSA1024, keyRSA2048, keyRSA4096    *rsa.PrivateKey
	certRSA1024, certRSA2048, certRSA4096 schema.X509CertificateChain

	// Standard ECDSA key / certificate pairs.
	keyECDSAP224, keyECDSAP256, keyECDSAP384, keyECDSAP521     *ecdsa.PrivateKey
	certECDSAP224, certECDSAP256, certECDSAP384, certECDSAP521 schema.X509CertificateChain
)

func init() {
	tOpenIDConnectPBKDF2ClientSecret = MustDecodeSecret("$pbkdf2-sha512$100000$cfNEo93VkIUIvaXHqetFoQ$O6qFLAlwCMz6.hv9XqUEPnMtrFxODw70T7bmnfTzfNPi3iXbgUEmGiyA6msybOfmj7m3QJS6lLy4DglgJifkKw")
	tOpenIDConnectPlainTextClientSecret = MustDecodeSecret("$plaintext$client-secret")

	keyRSA1024 = MustLoadRSAPrivateKey("1024")
	keyRSA2048 = MustLoadRSAPrivateKey("2048")
	keyRSA4096 = MustLoadRSAPrivateKey("4096")
	keyECDSAP224 = MustLoadECDSAPrivateKey("P224")
	keyECDSAP256 = MustLoadECDSAPrivateKey("P256")
	keyECDSAP384 = MustLoadECDSAPrivateKey("P384")
	keyECDSAP521 = MustLoadECDSAPrivateKey("P521")

	certRSA1024 = MustLoadCertificateChain("RSA", "1024")
	certRSA2048 = MustLoadCertificateChain("RSA", "2048")
	certRSA4096 = MustLoadCertificateChain("RSA", "4096")
	certECDSAP224 = MustLoadCertificateChain("ECDSA", "P224")
	certECDSAP256 = MustLoadCertificateChain("ECDSA", "P256")
	certECDSAP384 = MustLoadCertificateChain("ECDSA", "P384")
	certECDSAP521 = MustLoadCertificateChain("ECDSA", "P521")
}
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`package oidc_test`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`import (`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`"crypto/ecdsa"`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`"crypto/rsa"`
			`"crypto/x509"`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`"fmt"`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`"net/url"`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`"os"`
			`"strings"`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`"github.com/ory/fosite"`

feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`"github.com/authelia/authelia/v4/internal/utils"`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`)`

feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`const (`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`pathCrypto = "../configuration/test_resources/crypto/%s.%s"`
			`myclient = "myclient"`
			`myclientdesc = "My Client"`
			`onefactor = "one_factor"`
			`twofactor = "two_factor"`
			`examplecom = "https://example.com"`
			`examplecomsid = "example.com"`
			`badhmac = "asbdhaaskmdlkamdklasmdlkams"`
			`badTokenString = "badTokenString"`
			`)`

			`const (`
			`rs256 = "rs256"`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`)`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00
			`func MustDecodeSecret(value string) *schema.PasswordDigest {`
			`if secret, err := schema.DecodePasswordDigest(value); err != nil {`
			`panic(err)`
			`} else {`
			`return secret`
			`}`
			`}`

			`func MustParseRequestURI(input string) *url.URL {`
			`if requestURI, err := url.ParseRequestURI(input); err != nil {`
			`panic(err)`
			`} else {`
			`return requestURI`
			`}`
			`}`

feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`func MustLoadCrypto(alg, mod, ext string, extra ...string) any {`
			`fparts := []string{alg, mod}`
			`if len(extra) != 0 {`
			`fparts = append(fparts, extra...)`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`}`

feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`var (`
			`data []byte`
			`decoded any`
			`err error`
			`)`

			`if data, err = os.ReadFile(fmt.Sprintf(pathCrypto, strings.Join(fparts, "_"), ext)); err != nil {`
			`panic(err)`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`}`

feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`if decoded, err = utils.ParseX509FromPEMRecursive(data); err != nil {`
feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`panic(err)`
			`}`

feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`return decoded`
			`}`

			`func MustLoadCertificateChain(alg, op string) schema.X509CertificateChain {`
			`decoded := MustLoadCrypto(alg, op, "crt")`

			`switch cert := decoded.(type) {`
			`case *x509.Certificate:`
			`return schema.NewX509CertificateChainFromCerts([]*x509.Certificate{cert})`
			`case []*x509.Certificate:`
			`return schema.NewX509CertificateChainFromCerts(cert)`
			`default:`
			`panic(fmt.Errorf("the key was not a x509.Certificate or []x509.Certificate, it's a %T", cert))`
			`}`
			`}`

			`func MustLoadECDSAPrivateKey(curve string, extra ...string) *ecdsa.PrivateKey {`
			`decoded := MustLoadCrypto("ECDSA", curve, "pem", extra...)`

			`key, ok := decoded.(*ecdsa.PrivateKey)`
			`if !ok {`
			`panic(fmt.Errorf("the key was not a *ecdsa.PrivateKey, it's a %T", key))`
			`}`

feat(oidc): client_secret_jwt client auth (#5253) This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-14 23:51:59 +00:00			`return key`
			`}`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00
			`func MustLoadRSAPublicKey(bits string, extra ...string) *rsa.PublicKey {`
			`decoded := MustLoadCrypto("RSA", bits, "pem", extra...)`

			`key, ok := decoded.(*rsa.PublicKey)`
			`if !ok {`
			`panic(fmt.Errorf("the key was not a *rsa.PublicKey, it's a %T", key))`
			`}`

			`return key`
			`}`

			`func MustLoadRSAPrivateKey(bits string, extra ...string) *rsa.PrivateKey {`
			`decoded := MustLoadCrypto("RSA", bits, "pem", extra...)`

			`key, ok := decoded.(*rsa.PrivateKey)`
			`if !ok {`
			`panic(fmt.Errorf("the key was not a *rsa.PrivateKey, it's a %T", key))`
			`}`

			`return key`
			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`type RFC6749ErrorTest struct {`
			`*fosite.RFC6749Error`
			`}`

			`func (err *RFC6749ErrorTest) Error() string {`
			`return err.WithExposeDebug(true).GetDescription()`
			`}`

			`func ErrorToRFC6749ErrorTest(err error) (rfc error) {`
			`if err == nil {`
			`return nil`
			`}`

			`ferr := fosite.ErrorToRFC6749Error(err)`

			`return &RFC6749ErrorTest{ferr}`
			`}`

feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`var (`
			`tOpenIDConnectPBKDF2ClientSecret, tOpenIDConnectPlainTextClientSecret *schema.PasswordDigest`

			`// Standard RSA key / certificate pairs.`
			`keyRSA1024, keyRSA2048, keyRSA4096 *rsa.PrivateKey`
			`certRSA1024, certRSA2048, certRSA4096 schema.X509CertificateChain`

			`// Standard ECDSA key / certificate pairs.`
			`keyECDSAP224, keyECDSAP256, keyECDSAP384, keyECDSAP521 *ecdsa.PrivateKey`
			`certECDSAP224, certECDSAP256, certECDSAP384, certECDSAP521 schema.X509CertificateChain`
			`)`

			`func init() {`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`tOpenIDConnectPBKDF2ClientSecret = MustDecodeSecret("$pbkdf2-sha512$100000$cfNEo93VkIUIvaXHqetFoQ$O6qFLAlwCMz6.hv9XqUEPnMtrFxODw70T7bmnfTzfNPi3iXbgUEmGiyA6msybOfmj7m3QJS6lLy4DglgJifkKw")`
			`tOpenIDConnectPlainTextClientSecret = MustDecodeSecret("$plaintext$client-secret")`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00
			`keyRSA1024 = MustLoadRSAPrivateKey("1024")`
			`keyRSA2048 = MustLoadRSAPrivateKey("2048")`
			`keyRSA4096 = MustLoadRSAPrivateKey("4096")`
			`keyECDSAP224 = MustLoadECDSAPrivateKey("P224")`
			`keyECDSAP256 = MustLoadECDSAPrivateKey("P256")`
			`keyECDSAP384 = MustLoadECDSAPrivateKey("P384")`
			`keyECDSAP521 = MustLoadECDSAPrivateKey("P521")`

			`certRSA1024 = MustLoadCertificateChain("RSA", "1024")`
			`certRSA2048 = MustLoadCertificateChain("RSA", "2048")`
			`certRSA4096 = MustLoadCertificateChain("RSA", "4096")`
			`certECDSAP224 = MustLoadCertificateChain("ECDSA", "P224")`
			`certECDSAP256 = MustLoadCertificateChain("ECDSA", "P256")`
			`certECDSAP384 = MustLoadCertificateChain("ECDSA", "P384")`
			`certECDSAP521 = MustLoadCertificateChain("ECDSA", "P521")`
			`}`