authelia/internal/oidc/store_test.go

package oidc

import (
	"context"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/authelia/authelia/v4/internal/authorization"
	"github.com/authelia/authelia/v4/internal/configuration/schema"
)

func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) {
	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
		IssuerPrivateKey: exampleIssuerPrivateKey,
		Clients: []schema.OpenIDConnectClientConfiguration{
			{
				ID:          "myclient",
				Description: "myclient desc",
				Policy:      "one_factor",
				Scopes:      []string{"openid", "profile"},
				Secret:      "mysecret",
			},
			{
				ID:          "myotherclient",
				Description: "myclient desc",
				Policy:      "two_factor",
				Scopes:      []string{"openid", "profile"},
				Secret:      "mysecret",
			},
		},
	}, nil)

	policyOne := s.GetClientPolicy("myclient")
	assert.Equal(t, authorization.OneFactor, policyOne)

	policyTwo := s.GetClientPolicy("myotherclient")
	assert.Equal(t, authorization.TwoFactor, policyTwo)

	policyInvalid := s.GetClientPolicy("invalidclient")
	assert.Equal(t, authorization.TwoFactor, policyInvalid)
}

func TestOpenIDConnectStore_GetInternalClient(t *testing.T) {
	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
		IssuerPrivateKey: exampleIssuerPrivateKey,
		Clients: []schema.OpenIDConnectClientConfiguration{
			{
				ID:          "myclient",
				Description: "myclient desc",
				Policy:      "one_factor",
				Scopes:      []string{"openid", "profile"},
				Secret:      "mysecret",
			},
		},
	}, nil)

	client, err := s.GetClient(context.Background(), "myinvalidclient")
	assert.EqualError(t, err, "not_found")
	assert.Nil(t, client)

	client, err = s.GetClient(context.Background(), "myclient")
	require.NoError(t, err)
	require.NotNil(t, client)
	assert.Equal(t, "myclient", client.GetID())
}

func TestOpenIDConnectStore_GetInternalClient_ValidClient(t *testing.T) {
	c1 := schema.OpenIDConnectClientConfiguration{
		ID:          "myclient",
		Description: "myclient desc",
		Policy:      "one_factor",
		Scopes:      []string{"openid", "profile"},
		Secret:      "mysecret",
	}

	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
		IssuerPrivateKey: exampleIssuerPrivateKey,
		Clients:          []schema.OpenIDConnectClientConfiguration{c1},
	}, nil)

	client, err := s.GetFullClient(c1.ID)
	require.NoError(t, err)
	require.NotNil(t, client)
	assert.Equal(t, client.ID, c1.ID)
	assert.Equal(t, client.Description, c1.Description)
	assert.Equal(t, client.Scopes, c1.Scopes)
	assert.Equal(t, client.GrantTypes, c1.GrantTypes)
	assert.Equal(t, client.ResponseTypes, c1.ResponseTypes)
	assert.Equal(t, client.RedirectURIs, c1.RedirectURIs)
	assert.Equal(t, client.Policy, authorization.OneFactor)
	assert.Equal(t, client.Secret, []byte(c1.Secret))
}

func TestOpenIDConnectStore_GetInternalClient_InvalidClient(t *testing.T) {
	c1 := schema.OpenIDConnectClientConfiguration{
		ID:          "myclient",
		Description: "myclient desc",
		Policy:      "one_factor",
		Scopes:      []string{"openid", "profile"},
		Secret:      "mysecret",
	}

	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
		IssuerPrivateKey: exampleIssuerPrivateKey,
		Clients:          []schema.OpenIDConnectClientConfiguration{c1},
	}, nil)

	client, err := s.GetFullClient("another-client")
	assert.Nil(t, client)
	assert.EqualError(t, err, "not_found")
}

func TestOpenIDConnectStore_IsValidClientID(t *testing.T) {
	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
		IssuerPrivateKey: exampleIssuerPrivateKey,
		Clients: []schema.OpenIDConnectClientConfiguration{
			{
				ID:          "myclient",
				Description: "myclient desc",
				Policy:      "one_factor",
				Scopes:      []string{"openid", "profile"},
				Secret:      "mysecret",
			},
		},
	}, nil)

	validClient := s.IsValidClientID("myclient")
	invalidClient := s.IsValidClientID("myinvalidclient")

	assert.True(t, validClient)
	assert.False(t, invalidClient)
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package oidc`

test(oidc): fix disabled tests (#3173) 2022-04-12 03:02:12 +00:00			`import (`
			`"context"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

			`"github.com/authelia/authelia/v4/internal/authorization"`
			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
			`)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) {`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`IssuerPrivateKey: exampleIssuerPrivateKey,`
			`Clients: []schema.OpenIDConnectClientConfiguration{`
			`{`
			`ID: "myclient",`
			`Description: "myclient desc",`
			`Policy: "one_factor",`
			`Scopes: []string{"openid", "profile"},`
			`Secret: "mysecret",`
			`},`
			`{`
			`ID: "myotherclient",`
			`Description: "myclient desc",`
			`Policy: "two_factor",`
			`Scopes: []string{"openid", "profile"},`
			`Secret: "mysecret",`
			`},`
			`},`
test(oidc): fix disabled tests (#3173) 2022-04-12 03:02:12 +00:00			`}, nil)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`policyOne := s.GetClientPolicy("myclient")`
			`assert.Equal(t, authorization.OneFactor, policyOne)`

			`policyTwo := s.GetClientPolicy("myotherclient")`
			`assert.Equal(t, authorization.TwoFactor, policyTwo)`

			`policyInvalid := s.GetClientPolicy("invalidclient")`
			`assert.Equal(t, authorization.TwoFactor, policyInvalid)`
			`}`

			`func TestOpenIDConnectStore_GetInternalClient(t *testing.T) {`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`IssuerPrivateKey: exampleIssuerPrivateKey,`
			`Clients: []schema.OpenIDConnectClientConfiguration{`
			`{`
			`ID: "myclient",`
			`Description: "myclient desc",`
			`Policy: "one_factor",`
			`Scopes: []string{"openid", "profile"},`
			`Secret: "mysecret",`
			`},`
			`},`
test(oidc): fix disabled tests (#3173) 2022-04-12 03:02:12 +00:00			`}, nil)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`client, err := s.GetClient(context.Background(), "myinvalidclient")`
			`assert.EqualError(t, err, "not_found")`
			`assert.Nil(t, client)`

			`client, err = s.GetClient(context.Background(), "myclient")`
			`require.NoError(t, err)`
			`require.NotNil(t, client)`
			`assert.Equal(t, "myclient", client.GetID())`
			`}`

			`func TestOpenIDConnectStore_GetInternalClient_ValidClient(t *testing.T) {`
			`c1 := schema.OpenIDConnectClientConfiguration{`
			`ID: "myclient",`
			`Description: "myclient desc",`
			`Policy: "one_factor",`
			`Scopes: []string{"openid", "profile"},`
			`Secret: "mysecret",`
			`}`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00
			`s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`IssuerPrivateKey: exampleIssuerPrivateKey,`
			`Clients: []schema.OpenIDConnectClientConfiguration{c1},`
test(oidc): fix disabled tests (#3173) 2022-04-12 03:02:12 +00:00			`}, nil)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`client, err := s.GetFullClient(c1.ID)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`require.NoError(t, err)`
			`require.NotNil(t, client)`
			`assert.Equal(t, client.ID, c1.ID)`
			`assert.Equal(t, client.Description, c1.Description)`
			`assert.Equal(t, client.Scopes, c1.Scopes)`
			`assert.Equal(t, client.GrantTypes, c1.GrantTypes)`
			`assert.Equal(t, client.ResponseTypes, c1.ResponseTypes)`
			`assert.Equal(t, client.RedirectURIs, c1.RedirectURIs)`
			`assert.Equal(t, client.Policy, authorization.OneFactor)`
			`assert.Equal(t, client.Secret, []byte(c1.Secret))`
			`}`

			`func TestOpenIDConnectStore_GetInternalClient_InvalidClient(t *testing.T) {`
			`c1 := schema.OpenIDConnectClientConfiguration{`
			`ID: "myclient",`
			`Description: "myclient desc",`
			`Policy: "one_factor",`
			`Scopes: []string{"openid", "profile"},`
			`Secret: "mysecret",`
			`}`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00
			`s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`IssuerPrivateKey: exampleIssuerPrivateKey,`
			`Clients: []schema.OpenIDConnectClientConfiguration{c1},`
test(oidc): fix disabled tests (#3173) 2022-04-12 03:02:12 +00:00			`}, nil)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`client, err := s.GetFullClient("another-client")`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`assert.Nil(t, client)`
			`assert.EqualError(t, err, "not_found")`
			`}`

			`func TestOpenIDConnectStore_IsValidClientID(t *testing.T) {`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`IssuerPrivateKey: exampleIssuerPrivateKey,`
			`Clients: []schema.OpenIDConnectClientConfiguration{`
			`{`
			`ID: "myclient",`
			`Description: "myclient desc",`
			`Policy: "one_factor",`
			`Scopes: []string{"openid", "profile"},`
			`Secret: "mysecret",`
			`},`
			`},`
test(oidc): fix disabled tests (#3173) 2022-04-12 03:02:12 +00:00			`}, nil)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`validClient := s.IsValidClientID("myclient")`
			`invalidClient := s.IsValidClientID("myinvalidclient")`

			`assert.True(t, validClient)`
			`assert.False(t, invalidClient)`
test(oidc): fix disabled tests (#3173) 2022-04-12 03:02:12 +00:00			`}`