2019-04-24 21:52:08 +00:00
|
|
|
package session
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
"time"
|
2019-04-24 21:52:08 +00:00
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/valyala/fasthttp"
|
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/authentication"
|
|
|
|
"github.com/authelia/authelia/v4/internal/authorization"
|
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
2022-04-01 11:18:58 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/oidc"
|
2019-04-24 21:52:08 +00:00
|
|
|
)
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
func newTestSession() (*Session, error) {
|
|
|
|
config := schema.SessionConfiguration{}
|
|
|
|
config.Cookies = []schema.SessionCookieConfiguration{
|
|
|
|
{
|
|
|
|
SessionCookieCommonConfiguration: schema.SessionCookieCommonConfiguration{
|
|
|
|
Name: testName,
|
|
|
|
Domain: testDomain,
|
|
|
|
Expiration: testExpiration,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
provider := NewProvider(config, nil)
|
|
|
|
|
|
|
|
return provider.Get(testDomain)
|
|
|
|
}
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
func TestShouldInitializerSession(t *testing.T) {
|
|
|
|
ctx := &fasthttp.RequestCtx{}
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
provider, err := newTestSession()
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
2020-01-17 22:48:48 +00:00
|
|
|
session, err := provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2023-01-25 09:36:40 +00:00
|
|
|
assert.Equal(t, provider.NewDefaultUserSession(), session)
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestShouldUpdateSession(t *testing.T) {
|
|
|
|
ctx := &fasthttp.RequestCtx{}
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
provider, err := newTestSession()
|
|
|
|
assert.NoError(t, err)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
|
|
|
session, _ := provider.GetSession(ctx)
|
|
|
|
|
2020-05-02 16:20:40 +00:00
|
|
|
session.Username = testUsername
|
2019-04-24 21:52:08 +00:00
|
|
|
session.AuthenticationLevel = authentication.TwoFactor
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
err = provider.SaveSession(ctx, session)
|
|
|
|
assert.NoError(t, err)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2020-01-17 22:48:48 +00:00
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
|
|
|
assert.Equal(t, UserSession{
|
2023-01-25 09:36:40 +00:00
|
|
|
CookieDomain: testDomain,
|
2020-05-02 16:20:40 +00:00
|
|
|
Username: testUsername,
|
2019-04-24 21:52:08 +00:00
|
|
|
AuthenticationLevel: authentication.TwoFactor,
|
|
|
|
}, session)
|
|
|
|
}
|
2020-01-17 22:48:48 +00:00
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
func TestShouldSetSessionAuthenticationLevels(t *testing.T) {
|
|
|
|
ctx := &fasthttp.RequestCtx{}
|
|
|
|
|
|
|
|
timeOneFactor := time.Unix(1625048140, 0)
|
|
|
|
timeTwoFactor := time.Unix(1625048150, 0)
|
|
|
|
timeZeroFactor := time.Unix(0, 0)
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
provider, err := newTestSession()
|
|
|
|
assert.NoError(t, err)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
|
|
|
session, _ := provider.GetSession(ctx)
|
|
|
|
|
|
|
|
session.SetOneFactor(timeOneFactor, &authentication.UserDetails{Username: testUsername}, false)
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
err = provider.SaveSession(ctx, session)
|
|
|
|
assert.NoError(t, err)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
|
|
|
authAt, err := session.AuthenticatedTime(authorization.OneFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeOneFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.TwoFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeZeroFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.Denied)
|
|
|
|
assert.EqualError(t, err, "invalid authorization level")
|
|
|
|
assert.Equal(t, timeZeroFactor, authAt)
|
|
|
|
|
|
|
|
assert.Equal(t, UserSession{
|
2023-01-25 09:36:40 +00:00
|
|
|
CookieDomain: testDomain,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
Username: testUsername,
|
|
|
|
AuthenticationLevel: authentication.OneFactor,
|
|
|
|
LastActivity: timeOneFactor.Unix(),
|
|
|
|
FirstFactorAuthnTimestamp: timeOneFactor.Unix(),
|
2022-04-01 11:18:58 +00:00
|
|
|
AuthenticationMethodRefs: oidc.AuthenticationMethodsReferences{UsernameAndPassword: true},
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
}, session)
|
|
|
|
|
2022-04-01 11:18:58 +00:00
|
|
|
session.SetTwoFactorDuo(timeTwoFactor)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
|
|
|
assert.Equal(t, UserSession{
|
2023-01-25 09:36:40 +00:00
|
|
|
CookieDomain: testDomain,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
Username: testUsername,
|
|
|
|
AuthenticationLevel: authentication.TwoFactor,
|
|
|
|
LastActivity: timeTwoFactor.Unix(),
|
|
|
|
FirstFactorAuthnTimestamp: timeOneFactor.Unix(),
|
|
|
|
SecondFactorAuthnTimestamp: timeTwoFactor.Unix(),
|
2022-04-01 11:18:58 +00:00
|
|
|
AuthenticationMethodRefs: oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, Duo: true},
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
}, session)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.OneFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeOneFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.TwoFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeTwoFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.Denied)
|
|
|
|
assert.EqualError(t, err, "invalid authorization level")
|
|
|
|
assert.Equal(t, timeZeroFactor, authAt)
|
|
|
|
}
|
|
|
|
|
2022-04-01 11:18:58 +00:00
|
|
|
func TestShouldSetSessionAuthenticationLevelsAMR(t *testing.T) {
|
|
|
|
ctx := &fasthttp.RequestCtx{}
|
|
|
|
|
|
|
|
timeOneFactor := time.Unix(1625048140, 0)
|
|
|
|
timeTwoFactor := time.Unix(1625048150, 0)
|
|
|
|
timeZeroFactor := time.Unix(0, 0)
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
provider, err := newTestSession()
|
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, _ := provider.GetSession(ctx)
|
|
|
|
|
|
|
|
session.SetOneFactor(timeOneFactor, &authentication.UserDetails{Username: testUsername}, false)
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
err = provider.SaveSession(ctx, session)
|
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
authAt, err := session.AuthenticatedTime(authorization.OneFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeOneFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.TwoFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeZeroFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.Denied)
|
|
|
|
assert.EqualError(t, err, "invalid authorization level")
|
|
|
|
assert.Equal(t, timeZeroFactor, authAt)
|
|
|
|
|
|
|
|
assert.Equal(t, UserSession{
|
2023-01-25 09:36:40 +00:00
|
|
|
CookieDomain: testDomain,
|
2022-04-01 11:18:58 +00:00
|
|
|
Username: testUsername,
|
|
|
|
AuthenticationLevel: authentication.OneFactor,
|
|
|
|
LastActivity: timeOneFactor.Unix(),
|
|
|
|
FirstFactorAuthnTimestamp: timeOneFactor.Unix(),
|
|
|
|
AuthenticationMethodRefs: oidc.AuthenticationMethodsReferences{UsernameAndPassword: true},
|
|
|
|
}, session)
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
session.SetTwoFactorWebAuthn(timeTwoFactor, false, false)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
assert.Equal(t, oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, WebAuthn: true}, session.AuthenticationMethodRefs)
|
2022-04-01 11:18:58 +00:00
|
|
|
assert.True(t, session.AuthenticationMethodRefs.MultiFactorAuthentication())
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.OneFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeOneFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.TwoFactor)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, timeTwoFactor, authAt)
|
|
|
|
|
|
|
|
authAt, err = session.AuthenticatedTime(authorization.Denied)
|
|
|
|
assert.EqualError(t, err, "invalid authorization level")
|
|
|
|
assert.Equal(t, timeZeroFactor, authAt)
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
session.SetTwoFactorWebAuthn(timeTwoFactor, false, false)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, WebAuthn: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
session.SetTwoFactorWebAuthn(timeTwoFactor, false, false)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, WebAuthn: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
session.SetTwoFactorWebAuthn(timeTwoFactor, true, false)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, WebAuthn: true, WebAuthnUserPresence: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
session.SetTwoFactorWebAuthn(timeTwoFactor, true, false)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, WebAuthn: true, WebAuthnUserPresence: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
session.SetTwoFactorWebAuthn(timeTwoFactor, false, true)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, WebAuthn: true, WebAuthnUserVerified: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
session.SetTwoFactorWebAuthn(timeTwoFactor, false, true)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, WebAuthn: true, WebAuthnUserVerified: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
|
|
|
|
session.SetTwoFactorTOTP(timeTwoFactor)
|
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, TOTP: true, WebAuthn: true, WebAuthnUserVerified: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
|
|
|
|
session.SetTwoFactorTOTP(timeTwoFactor)
|
|
|
|
|
|
|
|
err = provider.SaveSession(ctx, session)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
session, err = provider.GetSession(ctx)
|
2023-01-12 10:57:44 +00:00
|
|
|
assert.NoError(t, err)
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
assert.Equal(t,
|
2023-04-11 04:40:09 +00:00
|
|
|
oidc.AuthenticationMethodsReferences{UsernameAndPassword: true, TOTP: true, WebAuthn: true, WebAuthnUserVerified: true},
|
2022-04-01 11:18:58 +00:00
|
|
|
session.AuthenticationMethodRefs)
|
|
|
|
}
|
|
|
|
|
2020-01-17 22:48:48 +00:00
|
|
|
func TestShouldDestroySessionAndWipeSessionData(t *testing.T) {
|
|
|
|
ctx := &fasthttp.RequestCtx{}
|
2023-01-12 10:57:44 +00:00
|
|
|
domainSession, err := newTestSession()
|
|
|
|
assert.NoError(t, err)
|
2020-01-17 22:48:48 +00:00
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
session, err := domainSession.GetSession(ctx)
|
|
|
|
assert.NoError(t, err)
|
2020-01-17 22:48:48 +00:00
|
|
|
|
2020-05-02 16:20:40 +00:00
|
|
|
session.Username = testUsername
|
2020-01-17 22:48:48 +00:00
|
|
|
session.AuthenticationLevel = authentication.TwoFactor
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
err = domainSession.SaveSession(ctx, session)
|
|
|
|
assert.NoError(t, err)
|
2020-01-17 22:48:48 +00:00
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
newUserSession, err := domainSession.GetSession(ctx)
|
|
|
|
assert.NoError(t, err)
|
2020-05-02 16:20:40 +00:00
|
|
|
assert.Equal(t, testUsername, newUserSession.Username)
|
2020-01-17 22:48:48 +00:00
|
|
|
assert.Equal(t, authentication.TwoFactor, newUserSession.AuthenticationLevel)
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
err = domainSession.DestroySession(ctx)
|
|
|
|
assert.NoError(t, err)
|
2020-01-17 22:48:48 +00:00
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
newUserSession, err = domainSession.GetSession(ctx)
|
|
|
|
assert.NoError(t, err)
|
2020-01-17 22:48:48 +00:00
|
|
|
assert.Equal(t, "", newUserSession.Username)
|
|
|
|
assert.Equal(t, authentication.NotAuthenticated, newUserSession.AuthenticationLevel)
|
|
|
|
}
|