authelia/internal/oidc/discovery_test.go

package oidc

import (
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
)

func TestNewOpenIDConnectWellKnownConfiguration(t *testing.T) {
	testCases := []struct {
		desc               string
		pkcePlainChallenge bool
		enforcePAR         bool
		clients            map[string]*Client

		expectCodeChallengeMethodsSupported, expectSubjectTypesSupported []string
	}{
		{
			desc:                                "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublic",
			pkcePlainChallenge:                  false,
			clients:                             map[string]*Client{"a": {}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
			expectSubjectTypesSupported:         []string{SubjectTypePublic},
		},
		{
			desc:                                "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublic",
			pkcePlainChallenge:                  true,
			clients:                             map[string]*Client{"a": {}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic},
		},
		{
			desc:                                "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublicPairwise",
			pkcePlainChallenge:                  false,
			clients:                             map[string]*Client{"a": {SectorIdentifier: "yes"}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
		},
		{
			desc:                                "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublicPairwise",
			pkcePlainChallenge:                  true,
			clients:                             map[string]*Client{"a": {SectorIdentifier: "yes"}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
		},
		{
			desc:                                "ShouldHaveTokenAuthMethodsNone",
			pkcePlainChallenge:                  true,
			clients:                             map[string]*Client{"a": {SectorIdentifier: "yes"}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
		},
		{
			desc:               "ShouldHaveTokenAuthMethodsNone",
			pkcePlainChallenge: true,
			clients: map[string]*Client{
				"a": {SectorIdentifier: "yes"},
				"b": {SectorIdentifier: "yes"},
			},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
		},
	}

	for _, tc := range testCases {
		t.Run(tc.desc, func(t *testing.T) {
			c := schema.OpenIDConnectConfiguration{
				EnablePKCEPlainChallenge: tc.pkcePlainChallenge,
				PAR: schema.OpenIDConnectPARConfiguration{
					Enforce: tc.enforcePAR,
				},
			}

			actual := NewOpenIDConnectWellKnownConfiguration(&c, tc.clients)
			for _, codeChallengeMethod := range tc.expectCodeChallengeMethodsSupported {
				assert.Contains(t, actual.CodeChallengeMethodsSupported, codeChallengeMethod)
			}

			for _, subjectType := range tc.expectSubjectTypesSupported {
				assert.Contains(t, actual.SubjectTypesSupported, subjectType)
			}

			for _, codeChallengeMethod := range actual.CodeChallengeMethodsSupported {
				assert.Contains(t, tc.expectCodeChallengeMethodsSupported, codeChallengeMethod)
			}

			for _, subjectType := range actual.SubjectTypesSupported {
				assert.Contains(t, tc.expectSubjectTypesSupported, subjectType)
			}
		})
	}
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`package oidc`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00
			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`)`

			`func TestNewOpenIDConnectWellKnownConfiguration(t *testing.T) {`
			`testCases := []struct {`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`desc string`
			`pkcePlainChallenge bool`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`enforcePAR bool`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`clients map[string]*Client`

feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`expectCodeChallengeMethodsSupported, expectSubjectTypesSupported []string`
			`}{`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublic",`
			`pkcePlainChallenge: false,`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`clients: map[string]*Client{"a": {}},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublic",`
			`pkcePlainChallenge: true,`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`clients: map[string]*Client{"a": {}},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublicPairwise",`
			`pkcePlainChallenge: false,`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`clients: map[string]*Client{"a": {SectorIdentifier: "yes"}},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublicPairwise",`
			`pkcePlainChallenge: true,`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`clients: map[string]*Client{"a": {SectorIdentifier: "yes"}},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
			`},`
			`{`
			`desc: "ShouldHaveTokenAuthMethodsNone",`
			`pkcePlainChallenge: true,`
			`clients: map[string]*Client{"a": {SectorIdentifier: "yes"}},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
			`},`
			`{`
			`desc: "ShouldHaveTokenAuthMethodsNone",`
			`pkcePlainChallenge: true,`
			`clients: map[string]*Client{`
			`"a": {SectorIdentifier: "yes"},`
			`"b": {SectorIdentifier: "yes"},`
			`},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.desc, func(t *testing.T) {`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`c := schema.OpenIDConnectConfiguration{`
			`EnablePKCEPlainChallenge: tc.pkcePlainChallenge,`
			`PAR: schema.OpenIDConnectPARConfiguration{`
			`Enforce: tc.enforcePAR,`
			`},`
			`}`

			`actual := NewOpenIDConnectWellKnownConfiguration(&c, tc.clients)`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`for _, codeChallengeMethod := range tc.expectCodeChallengeMethodsSupported {`
			`assert.Contains(t, actual.CodeChallengeMethodsSupported, codeChallengeMethod)`
			`}`

			`for _, subjectType := range tc.expectSubjectTypesSupported {`
			`assert.Contains(t, actual.SubjectTypesSupported, subjectType)`
			`}`

			`for _, codeChallengeMethod := range actual.CodeChallengeMethodsSupported {`
			`assert.Contains(t, tc.expectCodeChallengeMethodsSupported, codeChallengeMethod)`
			`}`

			`for _, subjectType := range actual.SubjectTypesSupported {`
			`assert.Contains(t, tc.expectSubjectTypesSupported, subjectType)`
			`}`
			`})`
			`}`
			`}`