RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/oidc/config_test.go

230 lines
7.7 KiB
Go
Raw Normal View History

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-05-15 00:32:10 +00:00
package oidc_test
import (
"context"
"fmt"
"net/url"
"testing"
"time"
"github.com/ory/fosite/token/jwt"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/authelia/authelia/v4/internal/oidc"
"github.com/authelia/authelia/v4/internal/templates"
)
func TestConfig_GetAllowedPrompts(t *testing.T) {
ctx := context.Background()
config := &oidc.Config{}
assert.Equal(t, []string(nil), config.AllowedPrompts)
assert.Equal(t, []string{oidc.PromptNone, oidc.PromptLogin, oidc.PromptConsent}, config.GetAllowedPrompts(ctx))
assert.Equal(t, []string{oidc.PromptNone, oidc.PromptLogin, oidc.PromptConsent}, config.AllowedPrompts)
config.AllowedPrompts = []string{oidc.PromptNone}
assert.Equal(t, []string{oidc.PromptNone}, config.AllowedPrompts)
}
func TestConfig_PKCE(t *testing.T) {
ctx := context.Background()
config := &oidc.Config{}
assert.False(t, config.GetEnforcePKCE(ctx))
assert.False(t, config.GetEnforcePKCEForPublicClients(ctx))
config.ProofKeyCodeExchange.Enforce = true
assert.True(t, config.GetEnforcePKCE(ctx))
assert.True(t, config.GetEnforcePKCEForPublicClients(ctx))
config.ProofKeyCodeExchange.Enforce = false
assert.False(t, config.GetEnforcePKCEForPublicClients(ctx))
config.ProofKeyCodeExchange.EnforcePublicClients = true
assert.True(t, config.GetEnforcePKCEForPublicClients(ctx))
assert.False(t, config.GetEnablePKCEPlainChallengeMethod(ctx))
config.ProofKeyCodeExchange.AllowPlainChallengeMethod = true
assert.True(t, config.GetEnablePKCEPlainChallengeMethod(ctx))
}
func TestConfig_GrantTypeJWTBearer(t *testing.T) {
ctx := context.Background()
config := &oidc.Config{}
assert.False(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
assert.False(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
assert.False(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))
config.GrantTypeJWTBearer.OptionalJTIClaim = true
assert.True(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
assert.False(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
assert.False(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))
config.GrantTypeJWTBearer.OptionalClientAuth = true
assert.True(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
assert.True(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
assert.False(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))
config.GrantTypeJWTBearer.OptionalIssuedDate = true
assert.True(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
assert.True(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
assert.True(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))
}
func TestConfig_Durations(t *testing.T) {
ctx := context.Background()
config := &oidc.Config{}
assert.Equal(t, time.Duration(0), config.JWTMaxDuration)
assert.Equal(t, time.Hour*24, config.GetJWTMaxDuration(ctx))
assert.Equal(t, time.Hour*24, config.JWTMaxDuration)
assert.Equal(t, time.Duration(0), config.Lifespans.IDToken)
assert.Equal(t, time.Hour, config.GetIDTokenLifespan(ctx))
assert.Equal(t, time.Hour, config.Lifespans.IDToken)
assert.Equal(t, time.Duration(0), config.Lifespans.AccessToken)
assert.Equal(t, time.Hour, config.GetAccessTokenLifespan(ctx))
assert.Equal(t, time.Hour, config.Lifespans.AccessToken)
assert.Equal(t, time.Duration(0), config.Lifespans.RefreshToken)
assert.Equal(t, time.Hour*24*30, config.GetRefreshTokenLifespan(ctx))
assert.Equal(t, time.Hour*24*30, config.Lifespans.RefreshToken)
assert.Equal(t, time.Duration(0), config.Lifespans.AuthorizeCode)
assert.Equal(t, time.Minute*15, config.GetAuthorizeCodeLifespan(ctx))
assert.Equal(t, time.Minute*15, config.Lifespans.AuthorizeCode)
}
func TestConfig_GetTokenEntropy(t *testing.T) {
ctx := context.Background()
config := &oidc.Config{}
assert.Equal(t, 0, config.TokenEntropy)
assert.Equal(t, 32, config.GetTokenEntropy(ctx))
assert.Equal(t, 32, config.TokenEntropy)
}
func TestConfig_Misc(t *testing.T) {
ctx := context.Background()
config := &oidc.Config{}
assert.False(t, config.DisableRefreshTokenValidation)
assert.False(t, config.GetDisableRefreshTokenValidation(ctx))
assert.Equal(t, "", config.Issuers.AccessToken)
assert.Equal(t, "", config.GetAccessTokenIssuer(ctx))
assert.Equal(t, "", config.Issuers.IDToken)
assert.Equal(t, "", config.GetIDTokenIssuer(ctx))
assert.Equal(t, jwt.JWTScopeFieldUnset, config.JWTScopeField)
assert.Equal(t, jwt.JWTScopeFieldList, config.GetJWTScopeField(ctx))
assert.Equal(t, jwt.JWTScopeFieldList, config.JWTScopeField)
assert.Equal(t, []string(nil), config.SanitationWhiteList)
assert.Equal(t, []string(nil), config.GetSanitationWhiteList(ctx))
assert.Equal(t, []string(nil), config.SanitationWhiteList)
assert.False(t, config.OmitRedirectScopeParameter)
assert.False(t, config.GetOmitRedirectScopeParam(ctx))
assert.NotNil(t, config.GetRedirectSecureChecker(ctx))
assert.NotNil(t, config.GetHTTPClient(ctx))
assert.Nil(t, config.Strategy.Scope)
assert.NotNil(t, config.GetScopeStrategy(ctx))
assert.NotNil(t, config.Strategy.Scope)
assert.Nil(t, config.Strategy.Audience)
assert.NotNil(t, config.GetAudienceStrategy(ctx))
assert.NotNil(t, config.Strategy.Audience)
assert.Equal(t, []string(nil), config.RefreshTokenScopes)
assert.Equal(t, []string{oidc.ScopeOffline, oidc.ScopeOfflineAccess}, config.GetRefreshTokenScopes(ctx))
assert.Equal(t, []string{oidc.ScopeOffline, oidc.ScopeOfflineAccess}, config.RefreshTokenScopes)
assert.Equal(t, 0, config.MinParameterEntropy)
assert.Equal(t, 8, config.GetMinParameterEntropy(ctx))
assert.Equal(t, 8, config.MinParameterEntropy)
assert.False(t, config.SendDebugMessagesToClients)
assert.False(t, config.GetSendDebugMessagesToClients(ctx))
config.SendDebugMessagesToClients = true
assert.True(t, config.GetSendDebugMessagesToClients(ctx))
assert.Nil(t, config.Strategy.JWKSFetcher)
assert.NotNil(t, config.GetJWKSFetcherStrategy(ctx))
assert.NotNil(t, config.Strategy.JWKSFetcher)
assert.Nil(t, config.Strategy.ClientAuthentication)
assert.Nil(t, config.GetClientAuthenticationStrategy(ctx))
assert.Nil(t, config.MessageCatalog)
assert.Nil(t, config.GetMessageCatalog(ctx))
assert.Nil(t, config.Templates)
assert.Nil(t, config.GetFormPostHTMLTemplate(ctx))
var err error
config.Templates, err = templates.New(templates.Config{})
require.NoError(t, err)
assert.NotNil(t, config.GetFormPostHTMLTemplate(ctx))
assert.NotNil(t, config.Templates)
assert.False(t, config.GetUseLegacyErrorFormat(ctx))
assert.Nil(t, config.GetAuthorizeEndpointHandlers(ctx))
assert.Nil(t, config.GetTokenEndpointHandlers(ctx))
assert.Nil(t, config.GetTokenIntrospectionHandlers(ctx))
assert.Nil(t, config.GetRevocationHandlers(ctx))
assert.Nil(t, config.GetPushedAuthorizeEndpointHandlers(ctx))
assert.Nil(t, config.GetResponseModeHandlerExtension(ctx))
assert.Equal(t, "", config.GetTokenURL(ctx))
octx := &MockOpenIDConnectContext{
Context: ctx,
IssuerURLFunc: func() (issuerURL *url.URL, err error) {
return nil, fmt.Errorf("test error")
},
}
assert.Equal(t, "", config.GetTokenURL(octx))
}
func TestConfig_PAR(t *testing.T) {
ctx := context.Background()
config := &oidc.Config{}
assert.Equal(t, "", config.PAR.URIPrefix)
assert.Equal(t, "urn:ietf:params:oauth:request_uri:", config.GetPushedAuthorizeRequestURIPrefix(ctx))
assert.Equal(t, "urn:ietf:params:oauth:request_uri:", config.PAR.URIPrefix)
assert.False(t, config.PAR.Enforced)
assert.False(t, config.EnforcePushedAuthorize(ctx))
assert.False(t, config.PAR.Enforced)
config.PAR.Enforced = true
assert.True(t, config.EnforcePushedAuthorize(ctx))
assert.Equal(t, time.Duration(0), config.PAR.ContextLifespan)
assert.Equal(t, time.Minute*5, config.GetPushedAuthorizeContextLifespan(ctx))
assert.Equal(t, time.Minute*5, config.PAR.ContextLifespan)
}