authelia/internal/handlers/oidc_test.go

package handlers

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/authelia/authelia/v4/internal/oidc"
	"github.com/authelia/authelia/v4/internal/session"
)

func TestShouldDetectIfConsentIsMissing(t *testing.T) {
	var workflow *session.OIDCWorkflowSession

	requestedScopes := []string{"openid", "profile"}
	requestedAudience := []string{"https://authelia.com"}

	assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))

	workflow = &session.OIDCWorkflowSession{
		GrantedScopes:   []string{"openid", "profile"},
		GrantedAudience: []string{"https://authelia.com"},
	}

	assert.False(t, isConsentMissing(workflow, requestedScopes, requestedAudience))

	requestedScopes = []string{"openid", "profile", "group"}

	assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))

	requestedScopes = []string{"openid", "profile"}
	requestedAudience = []string{"https://not.authelia.com"}
	assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))
}

func TestShouldGrantAppropriateClaimsForScopeOpenID(t *testing.T) {
	extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID}, []string{}, &oidcUserSessionJohn)

	assert.Len(t, extraClaims, 1)

	require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
	assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])
}

func TestShouldGrantAppropriateClaimsForScopeOpenIDAndGroups(t *testing.T) {
	extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeGroups}, []string{}, &oidcUserSessionJohn)

	assert.Len(t, extraClaims, 2)

	require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
	assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])

	require.Contains(t, extraClaims, oidc.ClaimGroups)
	assert.Len(t, extraClaims[oidc.ClaimGroups], 2)
	assert.Contains(t, extraClaims[oidc.ClaimGroups], "admin")
	assert.Contains(t, extraClaims[oidc.ClaimGroups], "dev")

	extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeGroups}, []string{}, &oidcUserSessionFred)

	assert.Len(t, extraClaims, 2)

	require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
	assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])

	require.Contains(t, extraClaims, oidc.ClaimGroups)
	assert.Len(t, extraClaims[oidc.ClaimGroups], 1)
	assert.Contains(t, extraClaims[oidc.ClaimGroups], "dev")
}

func TestShouldGrantAppropriateClaimsForScopeOpenIDAndEmail(t *testing.T) {
	extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeEmail}, []string{}, &oidcUserSessionJohn)

	assert.Len(t, extraClaims, 4)

	require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
	assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])

	require.Contains(t, extraClaims, oidc.ClaimEmail)
	assert.Equal(t, "j.smith@authelia.com", extraClaims[oidc.ClaimEmail])

	require.Contains(t, extraClaims, oidc.ClaimAltEmails)
	assert.Len(t, extraClaims[oidc.ClaimAltEmails], 1)
	assert.Contains(t, extraClaims[oidc.ClaimAltEmails], "admin@authelia.com")

	require.Contains(t, extraClaims, oidc.ClaimEmailVerified)
	assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])

	extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeEmail}, []string{}, &oidcUserSessionFred)

	assert.Len(t, extraClaims, 3)

	require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
	assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])

	require.Contains(t, extraClaims, oidc.ClaimEmail)
	assert.Equal(t, "f.smith@authelia.com", extraClaims[oidc.ClaimEmail])

	require.Contains(t, extraClaims, oidc.ClaimEmailVerified)
	assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])
}

func TestShouldGrantAppropriateClaimsForScopeOpenIDAndProfile(t *testing.T) {
	extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeProfile}, []string{}, &oidcUserSessionJohn)

	assert.Len(t, extraClaims, 2)

	require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
	assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])

	require.Contains(t, extraClaims, oidc.ClaimDisplayName)
	assert.Equal(t, "John Smith", extraClaims[oidc.ClaimDisplayName])

	extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeProfile}, []string{}, &oidcUserSessionFred)

	assert.Len(t, extraClaims, 2)

	require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
	assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])

	require.Contains(t, extraClaims, oidc.ClaimDisplayName)
	assert.Equal(t, extraClaims[oidc.ClaimDisplayName], "Fred Smith")
}

var (
	oidcUserSessionJohn = session.UserSession{
		Username:    "john",
		Groups:      []string{"admin", "dev"},
		DisplayName: "John Smith",
		Emails:      []string{"j.smith@authelia.com", "admin@authelia.com"},
	}

	oidcUserSessionFred = session.UserSession{
		Username:    "fred",
		Groups:      []string{"dev"},
		DisplayName: "Fred Smith",
		Emails:      []string{"f.smith@authelia.com"},
	}
)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package handlers`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`"github.com/stretchr/testify/require"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`"github.com/authelia/authelia/v4/internal/oidc"`
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/session"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`)`

			`func TestShouldDetectIfConsentIsMissing(t *testing.T) {`
			`var workflow *session.OIDCWorkflowSession`

			`requestedScopes := []string{"openid", "profile"}`
			`requestedAudience := []string{"https://authelia.com"}`

			`assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))`

			`workflow = &session.OIDCWorkflowSession{`
			`GrantedScopes: []string{"openid", "profile"},`
			`GrantedAudience: []string{"https://authelia.com"},`
			`}`

			`assert.False(t, isConsentMissing(workflow, requestedScopes, requestedAudience))`

			`requestedScopes = []string{"openid", "profile", "group"}`

			`assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))`

			`requestedScopes = []string{"openid", "profile"}`
			`requestedAudience = []string{"https://not.authelia.com"}`
			`assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))`
			`}`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00
			`func TestShouldGrantAppropriateClaimsForScopeOpenID(t *testing.T) {`
			`extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID}, []string{}, &oidcUserSessionJohn)`

			`assert.Len(t, extraClaims, 1)`

			`require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)`
			`assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])`
			`}`

			`func TestShouldGrantAppropriateClaimsForScopeOpenIDAndGroups(t *testing.T) {`
			`extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeGroups}, []string{}, &oidcUserSessionJohn)`

			`assert.Len(t, extraClaims, 2)`

			`require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)`
			`assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])`

			`require.Contains(t, extraClaims, oidc.ClaimGroups)`
			`assert.Len(t, extraClaims[oidc.ClaimGroups], 2)`
			`assert.Contains(t, extraClaims[oidc.ClaimGroups], "admin")`
			`assert.Contains(t, extraClaims[oidc.ClaimGroups], "dev")`

			`extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeGroups}, []string{}, &oidcUserSessionFred)`

			`assert.Len(t, extraClaims, 2)`

			`require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)`
			`assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])`

			`require.Contains(t, extraClaims, oidc.ClaimGroups)`
			`assert.Len(t, extraClaims[oidc.ClaimGroups], 1)`
			`assert.Contains(t, extraClaims[oidc.ClaimGroups], "dev")`
			`}`

			`func TestShouldGrantAppropriateClaimsForScopeOpenIDAndEmail(t *testing.T) {`
			`extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeEmail}, []string{}, &oidcUserSessionJohn)`

			`assert.Len(t, extraClaims, 4)`

			`require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)`
			`assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])`

			`require.Contains(t, extraClaims, oidc.ClaimEmail)`
			`assert.Equal(t, "j.smith@authelia.com", extraClaims[oidc.ClaimEmail])`

			`require.Contains(t, extraClaims, oidc.ClaimAltEmails)`
			`assert.Len(t, extraClaims[oidc.ClaimAltEmails], 1)`
			`assert.Contains(t, extraClaims[oidc.ClaimAltEmails], "admin@authelia.com")`

			`require.Contains(t, extraClaims, oidc.ClaimEmailVerified)`
			`assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])`

			`extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeEmail}, []string{}, &oidcUserSessionFred)`

			`assert.Len(t, extraClaims, 3)`

			`require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)`
			`assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])`

			`require.Contains(t, extraClaims, oidc.ClaimEmail)`
			`assert.Equal(t, "f.smith@authelia.com", extraClaims[oidc.ClaimEmail])`

			`require.Contains(t, extraClaims, oidc.ClaimEmailVerified)`
			`assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])`
			`}`

			`func TestShouldGrantAppropriateClaimsForScopeOpenIDAndProfile(t *testing.T) {`
			`extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeProfile}, []string{}, &oidcUserSessionJohn)`

			`assert.Len(t, extraClaims, 2)`

			`require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)`
			`assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])`

			`require.Contains(t, extraClaims, oidc.ClaimDisplayName)`
			`assert.Equal(t, "John Smith", extraClaims[oidc.ClaimDisplayName])`

			`extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeProfile}, []string{}, &oidcUserSessionFred)`

			`assert.Len(t, extraClaims, 2)`

			`require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)`
			`assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])`

			`require.Contains(t, extraClaims, oidc.ClaimDisplayName)`
			`assert.Equal(t, extraClaims[oidc.ClaimDisplayName], "Fred Smith")`
			`}`

			`var (`
			`oidcUserSessionJohn = session.UserSession{`
			`Username: "john",`
			`Groups: []string{"admin", "dev"},`
			`DisplayName: "John Smith",`
			`Emails: []string{"j.smith@authelia.com", "admin@authelia.com"},`
			`}`

			`oidcUserSessionFred = session.UserSession{`
			`Username: "fred",`
			`Groups: []string{"dev"},`
			`DisplayName: "Fred Smith",`
			`Emails: []string{"f.smith@authelia.com"},`
			`}`
			`)`