package oidc import ( "context" "testing" "github.com/ory/fosite" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/authelia/authelia/v4/internal/authorization" "github.com/authelia/authelia/v4/internal/configuration/schema" ) func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) { s := NewStore(&schema.OpenIDConnectConfiguration{ IssuerCertificateChain: schema.X509CertificateChain{}, IssuerPrivateKey: MustParseRSAPrivateKey(exampleIssuerPrivateKey), Clients: []schema.OpenIDConnectClientConfiguration{ { ID: myclient, Description: myclientdesc, Policy: onefactor, Scopes: []string{ScopeOpenID, ScopeProfile}, Secret: MustDecodeSecret("$plaintext$mysecret"), }, { ID: "myotherclient", Description: myclientdesc, Policy: twofactor, Scopes: []string{ScopeOpenID, ScopeProfile}, Secret: MustDecodeSecret("$plaintext$mysecret"), }, }, }, nil) policyOne := s.GetClientPolicy(myclient) assert.Equal(t, authorization.OneFactor, policyOne) policyTwo := s.GetClientPolicy("myotherclient") assert.Equal(t, authorization.TwoFactor, policyTwo) policyInvalid := s.GetClientPolicy("invalidclient") assert.Equal(t, authorization.TwoFactor, policyInvalid) } func TestOpenIDConnectStore_GetInternalClient(t *testing.T) { s := NewStore(&schema.OpenIDConnectConfiguration{ IssuerCertificateChain: schema.X509CertificateChain{}, IssuerPrivateKey: MustParseRSAPrivateKey(exampleIssuerPrivateKey), Clients: []schema.OpenIDConnectClientConfiguration{ { ID: myclient, Description: myclientdesc, Policy: onefactor, Scopes: []string{ScopeOpenID, ScopeProfile}, Secret: MustDecodeSecret("$plaintext$mysecret"), }, }, }, nil) client, err := s.GetClient(context.Background(), "myinvalidclient") assert.EqualError(t, err, "invalid_client") assert.Nil(t, client) client, err = s.GetClient(context.Background(), myclient) require.NoError(t, err) require.NotNil(t, client) assert.Equal(t, myclient, client.GetID()) } func TestOpenIDConnectStore_GetInternalClient_ValidClient(t *testing.T) { id := myclient c1 := schema.OpenIDConnectClientConfiguration{ ID: id, Description: myclientdesc, Policy: onefactor, Scopes: []string{ScopeOpenID, ScopeProfile}, Secret: MustDecodeSecret("$plaintext$mysecret"), } s := NewStore(&schema.OpenIDConnectConfiguration{ IssuerCertificateChain: schema.X509CertificateChain{}, IssuerPrivateKey: MustParseRSAPrivateKey(exampleIssuerPrivateKey), Clients: []schema.OpenIDConnectClientConfiguration{c1}, }, nil) client, err := s.GetFullClient(id) require.NoError(t, err) require.NotNil(t, client) assert.Equal(t, id, client.GetID()) assert.Equal(t, myclientdesc, client.GetDescription()) assert.Equal(t, fosite.Arguments(c1.Scopes), client.GetScopes()) assert.Equal(t, fosite.Arguments([]string{GrantTypeAuthorizationCode}), client.GetGrantTypes()) assert.Equal(t, fosite.Arguments([]string{ResponseTypeAuthorizationCodeFlow}), client.GetResponseTypes()) assert.Equal(t, []string(nil), client.GetRedirectURIs()) assert.Equal(t, authorization.OneFactor, client.GetAuthorizationPolicy()) assert.Equal(t, "$plaintext$mysecret", client.GetSecret().Encode()) } func TestOpenIDConnectStore_GetInternalClient_InvalidClient(t *testing.T) { c1 := schema.OpenIDConnectClientConfiguration{ ID: myclient, Description: myclientdesc, Policy: onefactor, Scopes: []string{ScopeOpenID, ScopeProfile}, Secret: MustDecodeSecret("$plaintext$mysecret"), } s := NewStore(&schema.OpenIDConnectConfiguration{ IssuerCertificateChain: schema.X509CertificateChain{}, IssuerPrivateKey: MustParseRSAPrivateKey(exampleIssuerPrivateKey), Clients: []schema.OpenIDConnectClientConfiguration{c1}, }, nil) client, err := s.GetFullClient("another-client") assert.Nil(t, client) assert.EqualError(t, err, "invalid_client") } func TestOpenIDConnectStore_IsValidClientID(t *testing.T) { s := NewStore(&schema.OpenIDConnectConfiguration{ IssuerCertificateChain: schema.X509CertificateChain{}, IssuerPrivateKey: MustParseRSAPrivateKey(exampleIssuerPrivateKey), Clients: []schema.OpenIDConnectClientConfiguration{ { ID: myclient, Description: myclientdesc, Policy: onefactor, Scopes: []string{ScopeOpenID, ScopeProfile}, Secret: MustDecodeSecret("$plaintext$mysecret"), }, }, }, nil) validClient := s.IsValidClientID(myclient) invalidClient := s.IsValidClientID("myinvalidclient") assert.True(t, validClient) assert.False(t, invalidClient) }