2021-05-05 05:06:05 +07:00
|
|
|
package handlers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2022-01-18 16:32:06 +07:00
|
|
|
"github.com/stretchr/testify/require"
|
2021-05-05 05:06:05 +07:00
|
|
|
|
2022-01-18 16:32:06 +07:00
|
|
|
"github.com/authelia/authelia/v4/internal/oidc"
|
2021-08-11 08:04:35 +07:00
|
|
|
"github.com/authelia/authelia/v4/internal/session"
|
2021-05-05 05:06:05 +07:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestShouldDetectIfConsentIsMissing(t *testing.T) {
|
|
|
|
var workflow *session.OIDCWorkflowSession
|
|
|
|
|
|
|
|
requestedScopes := []string{"openid", "profile"}
|
|
|
|
requestedAudience := []string{"https://authelia.com"}
|
|
|
|
|
|
|
|
assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))
|
|
|
|
|
|
|
|
workflow = &session.OIDCWorkflowSession{
|
|
|
|
GrantedScopes: []string{"openid", "profile"},
|
|
|
|
GrantedAudience: []string{"https://authelia.com"},
|
|
|
|
}
|
|
|
|
|
|
|
|
assert.False(t, isConsentMissing(workflow, requestedScopes, requestedAudience))
|
|
|
|
|
|
|
|
requestedScopes = []string{"openid", "profile", "group"}
|
|
|
|
|
|
|
|
assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))
|
|
|
|
|
|
|
|
requestedScopes = []string{"openid", "profile"}
|
|
|
|
requestedAudience = []string{"https://not.authelia.com"}
|
|
|
|
assert.True(t, isConsentMissing(workflow, requestedScopes, requestedAudience))
|
|
|
|
}
|
2022-01-18 16:32:06 +07:00
|
|
|
|
|
|
|
func TestShouldGrantAppropriateClaimsForScopeOpenID(t *testing.T) {
|
|
|
|
extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID}, []string{}, &oidcUserSessionJohn)
|
|
|
|
|
|
|
|
assert.Len(t, extraClaims, 1)
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
|
|
|
|
assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestShouldGrantAppropriateClaimsForScopeOpenIDAndGroups(t *testing.T) {
|
|
|
|
extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeGroups}, []string{}, &oidcUserSessionJohn)
|
|
|
|
|
|
|
|
assert.Len(t, extraClaims, 2)
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
|
|
|
|
assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimGroups)
|
|
|
|
assert.Len(t, extraClaims[oidc.ClaimGroups], 2)
|
|
|
|
assert.Contains(t, extraClaims[oidc.ClaimGroups], "admin")
|
|
|
|
assert.Contains(t, extraClaims[oidc.ClaimGroups], "dev")
|
|
|
|
|
|
|
|
extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeGroups}, []string{}, &oidcUserSessionFred)
|
|
|
|
|
|
|
|
assert.Len(t, extraClaims, 2)
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
|
|
|
|
assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimGroups)
|
|
|
|
assert.Len(t, extraClaims[oidc.ClaimGroups], 1)
|
|
|
|
assert.Contains(t, extraClaims[oidc.ClaimGroups], "dev")
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestShouldGrantAppropriateClaimsForScopeOpenIDAndEmail(t *testing.T) {
|
|
|
|
extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeEmail}, []string{}, &oidcUserSessionJohn)
|
|
|
|
|
|
|
|
assert.Len(t, extraClaims, 4)
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
|
|
|
|
assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimEmail)
|
|
|
|
assert.Equal(t, "j.smith@authelia.com", extraClaims[oidc.ClaimEmail])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimAltEmails)
|
|
|
|
assert.Len(t, extraClaims[oidc.ClaimAltEmails], 1)
|
|
|
|
assert.Contains(t, extraClaims[oidc.ClaimAltEmails], "admin@authelia.com")
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimEmailVerified)
|
|
|
|
assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])
|
|
|
|
|
|
|
|
extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeEmail}, []string{}, &oidcUserSessionFred)
|
|
|
|
|
|
|
|
assert.Len(t, extraClaims, 3)
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
|
|
|
|
assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimEmail)
|
|
|
|
assert.Equal(t, "f.smith@authelia.com", extraClaims[oidc.ClaimEmail])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimEmailVerified)
|
|
|
|
assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestShouldGrantAppropriateClaimsForScopeOpenIDAndProfile(t *testing.T) {
|
|
|
|
extraClaims := oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeProfile}, []string{}, &oidcUserSessionJohn)
|
|
|
|
|
|
|
|
assert.Len(t, extraClaims, 2)
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
|
|
|
|
assert.Equal(t, "john", extraClaims[oidc.ClaimPreferredUsername])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimDisplayName)
|
|
|
|
assert.Equal(t, "John Smith", extraClaims[oidc.ClaimDisplayName])
|
|
|
|
|
|
|
|
extraClaims = oidcGrantRequests(nil, []string{oidc.ScopeOpenID, oidc.ScopeProfile}, []string{}, &oidcUserSessionFred)
|
|
|
|
|
|
|
|
assert.Len(t, extraClaims, 2)
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)
|
|
|
|
assert.Equal(t, "fred", extraClaims[oidc.ClaimPreferredUsername])
|
|
|
|
|
|
|
|
require.Contains(t, extraClaims, oidc.ClaimDisplayName)
|
|
|
|
assert.Equal(t, extraClaims[oidc.ClaimDisplayName], "Fred Smith")
|
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
oidcUserSessionJohn = session.UserSession{
|
|
|
|
Username: "john",
|
|
|
|
Groups: []string{"admin", "dev"},
|
|
|
|
DisplayName: "John Smith",
|
|
|
|
Emails: []string{"j.smith@authelia.com", "admin@authelia.com"},
|
|
|
|
}
|
|
|
|
|
|
|
|
oidcUserSessionFred = session.UserSession{
|
|
|
|
Username: "fred",
|
|
|
|
Groups: []string{"dev"},
|
|
|
|
DisplayName: "Fred Smith",
|
|
|
|
Emails: []string{"f.smith@authelia.com"},
|
|
|
|
}
|
|
|
|
)
|