auth

Paddy 2014-12-06 Parent:dfb10e19de87 Child:0a6e3f14b054

auth/oauth2_test.go

Update TODOs with error messages and test obtaining a token. Update the TODOs about returning errors when obtaining a token with the actual error code that should be returned. Write a unit test that covers obtaining a token from a grant code, but doesn't cover any of the error conditions or states.

Download raw file

View source Diff to previous Annotate

paddy@52	1 package auth
paddy@52	2
paddy@52	3 import (
paddy@66	4 "bytes"
paddy@81	5 "encoding/json"
paddy@52	6 "html/template"
paddy@66	7 "io/ioutil"
paddy@52	8 "net/http"
paddy@52	9 "net/http/httptest"
paddy@53	10 "net/url"
paddy@52	11 "testing"
paddy@56	12 "time"
paddy@56	13
paddy@56	14 "code.secondbit.org/uuid"
paddy@52	15 )
paddy@52	16
paddy@53	17 const (
paddy@53	18 scopeSet = 1 << iota
paddy@53	19 stateSet
paddy@53	20 uriSet
paddy@53	21 )
paddy@53	22
paddy@65	23 func stripParam(param string, u *url.URL) {
paddy@65	24 q := u.Query()
paddy@65	25 q.Del(param)
paddy@65	26 u.RawQuery = q.Encode()
paddy@65	27 }
paddy@65	28
paddy@52	29 func TestGetGrantCodeSuccess(t *testing.T) {
paddy@52	30 t.Parallel()
paddy@52	31 store := NewMemstore()
paddy@52	32 testContext := Context{
paddy@52	33 template: template.Must(template.New(getGrantTemplateName).Parse("Get auth grant")),
paddy@52	34 clients: store,
paddy@52	35 grants: store,
paddy@52	36 profiles: store,
paddy@52	37 tokens: store,
paddy@77	38 sessions: store,
paddy@52	39 }
paddy@56	40 client := Client{
paddy@56	41 ID: uuid.NewID(),
paddy@56	42 Secret: "super secret!",
paddy@56	43 OwnerID: uuid.NewID(),
paddy@56	44 Name: "My test client",
paddy@56	45 Logo: "https://secondbit.org/logo.png",
paddy@56	46 Website: "https://secondbit.org",
paddy@56	47 Type: "public",
paddy@56	48 }
paddy@56	49 uri, err := url.Parse("https://test.secondbit.org/redirect")
paddy@56	50 if err != nil {
paddy@56	51 t.Fatal("Can't parse URL:", err)
paddy@56	52 }
paddy@56	53 endpoint := Endpoint{
paddy@56	54 ID: uuid.NewID(),
paddy@56	55 ClientID: client.ID,
paddy@56	56 URI: *uri,
paddy@56	57 Added: time.Now(),
paddy@56	58 }
paddy@56	59 err = testContext.SaveClient(client)
paddy@56	60 if err != nil {
paddy@56	61 t.Fatal("Can't store client:", err)
paddy@56	62 }
paddy@56	63 err = testContext.AddEndpoint(client.ID, endpoint)
paddy@56	64 if err != nil {
paddy@56	65 t.Fatal("Can't store endpoint:", err)
paddy@56	66 }
paddy@77	67 session := Session{
paddy@77	68 ID: "testsession",
paddy@77	69 Active: true,
paddy@77	70 }
paddy@77	71 err = testContext.CreateSession(session)
paddy@77	72 if err != nil {
paddy@77	73 t.Fatal("Can't store session:", err)
paddy@77	74 }
paddy@52	75 req, err := http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@52	76 if err != nil {
paddy@52	77 t.Fatal("Can't build request:", err)
paddy@52	78 }
paddy@77	79 cookie := &http.Cookie{
paddy@77	80 Name: authCookieName,
paddy@77	81 Value: session.ID,
paddy@77	82 }
paddy@77	83 req.AddCookie(cookie)
paddy@58	84 for i := 0; i < 1<<3; i++ {
paddy@53	85 w := httptest.NewRecorder()
paddy@53	86 params := url.Values{}
paddy@53	87 // see OAuth 2.0 spec, section 4.1.1
paddy@53	88 params.Set("response_type", "code")
paddy@56	89 params.Set("client_id", client.ID.String())
paddy@53	90 if i&uriSet != 0 {
paddy@58	91 params.Set("redirect_uri", endpoint.URI.String())
paddy@53	92 }
paddy@53	93 if i&scopeSet != 0 {
paddy@53	94 params.Set("scope", "testscope")
paddy@53	95 }
paddy@53	96 if i&stateSet != 0 {
paddy@53	97 params.Set("state", "my super secure state string")
paddy@53	98 }
paddy@53	99 req.URL.RawQuery = params.Encode()
paddy@66	100 req.Method = "GET"
paddy@66	101 req.Body = nil
paddy@66	102 req.Header.Del("Content-Type")
paddy@53	103 GetGrantHandler(w, req, testContext)
paddy@53	104 if w.Code != http.StatusOK {
paddy@53	105 t.Errorf("Expected status code to be %d, got %d for %s", http.StatusOK, w.Code, req.URL.String())
paddy@53	106 }
paddy@53	107 if w.Body.String() != "Get auth grant" {
paddy@53	108 t.Errorf("Expected body to be `%s`, got `%s` for %s", "Get auth grant", w.Body.String(), req.URL.String())
paddy@53	109 }
paddy@66	110 req.Method = "POST"
paddy@66	111 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@66	112 w = httptest.NewRecorder()
paddy@66	113 data := url.Values{}
paddy@66	114 data.Set("grant", "approved")
paddy@66	115 body := bytes.NewBufferString(data.Encode())
paddy@66	116 req.Body = ioutil.NopCloser(body)
paddy@66	117 GetGrantHandler(w, req, testContext)
paddy@66	118 if w.Code != http.StatusFound {
paddy@66	119 t.Errorf("Expected status code to be %d, got %d for %s", http.StatusFound, w.Code, req.URL.String())
paddy@66	120 }
paddy@66	121 redirectedTo := w.Header().Get("Location")
paddy@66	122 red, err := url.Parse(redirectedTo)
paddy@66	123 if err != nil {
paddy@66	124 t.Fatalf(`Being redirected to a non-URL "%s" threw error "%s" for "%s"\n`, redirectedTo, err, req.URL.String())
paddy@66	125 }
paddy@66	126 t.Log("Redirected to", redirectedTo)
paddy@66	127 if red.Query().Get("code") == "" {
paddy@66	128 t.Fatalf(`Expected code param in redirect URL to be set, but it wasn't for %s`, req.URL.String())
paddy@66	129 }
paddy@67	130 if _, err := testContext.GetGrant(red.Query().Get("code")); err != nil {
paddy@67	131 t.Fatalf(`Unexpected error "%s: retrieving the grant "%s" supplied in the redirect URL for %s`, err, red.Query().Get("code"), req.URL.String())
paddy@66	132 }
paddy@66	133 err = testContext.DeleteGrant(red.Query().Get("code"))
paddy@66	134 if err != nil {
paddy@66	135 t.Log(`Unexpected error "%s" deleting grant "%s" for %s`, err, red.Query().Get("code"), req.URL.String())
paddy@66	136 }
paddy@66	137 stripParam("code", red)
paddy@66	138 if red.Query().Get("state") != params.Get("state") {
paddy@66	139 t.Errorf(`Expected state param in redirect URL to be "%s", got "%s" for %s`, params.Get("state"), red.Query().Get("state"), req.URL.String())
paddy@66	140 }
paddy@66	141 stripParam("state", red)
paddy@66	142 if red.String() != endpoint.URI.String() {
paddy@66	143 t.Errorf(`Expected redirect URL to be "%s", got "%s"`, endpoint.URI.String(), red.String())
paddy@66	144 }
paddy@52	145 }
paddy@52	146 }
paddy@56	147
paddy@62	148 func TestGetGrantCodeInvalidClient(t *testing.T) {
paddy@62	149 t.Parallel()
paddy@62	150 store := NewMemstore()
paddy@62	151 testContext := Context{
paddy@62	152 template: template.Must(template.New(getGrantTemplateName).Parse("{{ .error }}")),
paddy@62	153 clients: store,
paddy@62	154 grants: store,
paddy@62	155 profiles: store,
paddy@62	156 tokens: store,
paddy@77	157 sessions: store,
paddy@62	158 }
paddy@62	159 client := Client{
paddy@62	160 ID: uuid.NewID(),
paddy@62	161 Secret: "super secret!",
paddy@62	162 OwnerID: uuid.NewID(),
paddy@62	163 Name: "My test client",
paddy@62	164 Type: "public",
paddy@62	165 }
paddy@62	166 err := testContext.SaveClient(client)
paddy@62	167 if err != nil {
paddy@62	168 t.Fatal("Can't store client:", err)
paddy@62	169 }
paddy@77	170 session := Session{
paddy@77	171 ID: "testsession",
paddy@77	172 Active: true,
paddy@77	173 }
paddy@77	174 err = testContext.CreateSession(session)
paddy@77	175 if err != nil {
paddy@77	176 t.Fatal("Can't store session:", err)
paddy@77	177 }
paddy@62	178 req, err := http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@62	179 if err != nil {
paddy@62	180 t.Fatal("Can't build request:", err)
paddy@62	181 }
paddy@62	182 w := httptest.NewRecorder()
paddy@62	183 params := url.Values{}
paddy@62	184 params.Set("response_type", "code")
paddy@62	185 params.Set("redirect_uri", "https://test.secondbit.org/")
paddy@62	186 req.URL.RawQuery = params.Encode()
paddy@77	187 cookie := &http.Cookie{
paddy@77	188 Name: authCookieName,
paddy@77	189 Value: session.ID,
paddy@77	190 }
paddy@77	191 req.AddCookie(cookie)
paddy@62	192 GetGrantHandler(w, req, testContext)
paddy@62	193 if w.Code != http.StatusBadRequest {
paddy@62	194 t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
paddy@62	195 }
paddy@62	196 if w.Body.String() != "Client ID must be specified in the request." {
paddy@62	197 t.Errorf(`Expected output to be "%s", got "%s" instead.`, "Client ID must be specified in the request.", w.Body.String())
paddy@62	198 }
paddy@62	199 w = httptest.NewRecorder()
paddy@62	200 params.Set("client_id", "Not an ID")
paddy@62	201 req.URL.RawQuery = params.Encode()
paddy@62	202 GetGrantHandler(w, req, testContext)
paddy@62	203 if w.Code != http.StatusBadRequest {
paddy@62	204 t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
paddy@62	205 }
paddy@62	206 if w.Body.String() != "client_id is not a valid Client ID." {
paddy@62	207 t.Errorf(`Expected output to be "%s", got "%s" instead.`, "client_id is not a valid Client ID.", w.Body.String())
paddy@62	208 }
paddy@62	209 w = httptest.NewRecorder()
paddy@62	210 params.Set("client_id", uuid.NewID().String())
paddy@62	211 req.URL.RawQuery = params.Encode()
paddy@62	212 GetGrantHandler(w, req, testContext)
paddy@62	213 if w.Code != http.StatusBadRequest {
paddy@62	214 t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
paddy@62	215 }
paddy@62	216 if w.Body.String() != "The specified Client couldn’t be found." {
paddy@62	217 t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The specified Client couldn’t be found.", w.Body.String())
paddy@62	218 }
paddy@62	219 }
paddy@62	220
paddy@56	221 func TestGetGrantCodeInvalidURI(t *testing.T) {
paddy@56	222 t.Parallel()
paddy@56	223 store := NewMemstore()
paddy@56	224 testContext := Context{
paddy@56	225 template: template.Must(template.New(getGrantTemplateName).Parse("{{ .error }}")),
paddy@56	226 clients: store,
paddy@56	227 grants: store,
paddy@56	228 profiles: store,
paddy@56	229 tokens: store,
paddy@77	230 sessions: store,
paddy@56	231 }
paddy@56	232 client := Client{
paddy@56	233 ID: uuid.NewID(),
paddy@56	234 Secret: "super secret!",
paddy@56	235 OwnerID: uuid.NewID(),
paddy@56	236 Name: "My test client",
paddy@56	237 Type: "public",
paddy@56	238 }
paddy@56	239 uri, err := url.Parse("https://test.secondbit.org/redirect")
paddy@56	240 if err != nil {
paddy@56	241 t.Fatal("Can't parse URL:", err)
paddy@56	242 }
paddy@56	243 err = testContext.SaveClient(client)
paddy@56	244 if err != nil {
paddy@56	245 t.Fatal("Can't store client:", err)
paddy@56	246 }
paddy@77	247 session := Session{
paddy@77	248 ID: "testsession",
paddy@77	249 Active: true,
paddy@77	250 }
paddy@77	251 err = testContext.CreateSession(session)
paddy@77	252 if err != nil {
paddy@77	253 t.Fatal("Can't store session:", err)
paddy@77	254 }
paddy@56	255 req, err := http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@56	256 if err != nil {
paddy@56	257 t.Fatal("Can't build request:", err)
paddy@56	258 }
paddy@77	259 cookie := &http.Cookie{
paddy@77	260 Name: authCookieName,
paddy@77	261 Value: session.ID,
paddy@77	262 }
paddy@77	263 req.AddCookie(cookie)
paddy@56	264 w := httptest.NewRecorder()
paddy@56	265 params := url.Values{}
paddy@56	266 params.Set("response_type", "code")
paddy@56	267 params.Set("client_id", client.ID.String())
paddy@64	268 req.URL.RawQuery = params.Encode()
paddy@64	269 GetGrantHandler(w, req, testContext)
paddy@64	270 if w.Code != http.StatusBadRequest {
paddy@64	271 t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
paddy@64	272 }
paddy@64	273 if w.Body.String() != "The redirect_uri specified is not valid." {
paddy@64	274 t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The redirect_uri specified is not valid.", w.Body.String())
paddy@64	275 }
paddy@64	276 endpoint := Endpoint{
paddy@64	277 ID: uuid.NewID(),
paddy@64	278 ClientID: client.ID,
paddy@64	279 URI: *uri,
paddy@64	280 Added: time.Now(),
paddy@64	281 }
paddy@64	282 err = testContext.AddEndpoint(client.ID, endpoint)
paddy@64	283 if err != nil {
paddy@64	284 t.Fatal("Can't store endpoint:", err)
paddy@64	285 }
paddy@64	286 w = httptest.NewRecorder()
paddy@56	287 params.Set("redirect_uri", "https://test.secondbit.org/wrong")
paddy@56	288 req.URL.RawQuery = params.Encode()
paddy@56	289 GetGrantHandler(w, req, testContext)
paddy@56	290 if w.Code != http.StatusBadRequest {
paddy@56	291 t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
paddy@56	292 }
paddy@56	293 if w.Body.String() != "The redirect_uri specified is not valid." {
paddy@56	294 t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The redirect_uri specified is not valid.", w.Body.String())
paddy@56	295 }
paddy@64	296 endpoint2 := Endpoint{
paddy@64	297 ID: uuid.NewID(),
paddy@64	298 ClientID: client.ID,
paddy@64	299 URI: *uri,
paddy@64	300 Added: time.Now(),
paddy@64	301 }
paddy@64	302 err = testContext.AddEndpoint(client.ID, endpoint2)
paddy@60	303 if err != nil {
paddy@64	304 t.Fatal("Can't store endpoint:", err)
paddy@60	305 }
paddy@60	306 w = httptest.NewRecorder()
paddy@64	307 params.Set("redirect_uri", "")
paddy@64	308 req.URL.RawQuery = params.Encode()
paddy@64	309 GetGrantHandler(w, req, testContext)
paddy@64	310 if w.Code != http.StatusBadRequest {
paddy@64	311 t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
paddy@64	312 }
paddy@64	313 if w.Body.String() != "The redirect_uri specified is not valid." {
paddy@64	314 t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The redirect_uri specified is not valid.", w.Body.String())
paddy@64	315 }
paddy@64	316 w = httptest.NewRecorder()
paddy@64	317 params.Set("redirect_uri", "://not a URL")
paddy@60	318 req.URL.RawQuery = params.Encode()
paddy@60	319 GetGrantHandler(w, req, testContext)
paddy@60	320 if w.Code != http.StatusBadRequest {
paddy@60	321 t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
paddy@60	322 }
paddy@60	323 if w.Body.String() != "The redirect_uri specified is not valid." {
paddy@60	324 t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The redirect_uri specified is not valid.", w.Body.String())
paddy@60	325 }
paddy@56	326 }
paddy@65	327
paddy@65	328 func TestGetGrantCodeInvalidResponseType(t *testing.T) {
paddy@65	329 t.Parallel()
paddy@65	330 store := NewMemstore()
paddy@65	331 testContext := Context{
paddy@65	332 template: template.Must(template.New(getGrantTemplateName).Parse("{{ .error }}")),
paddy@65	333 clients: store,
paddy@65	334 grants: store,
paddy@65	335 profiles: store,
paddy@65	336 tokens: store,
paddy@77	337 sessions: store,
paddy@65	338 }
paddy@65	339 client := Client{
paddy@65	340 ID: uuid.NewID(),
paddy@65	341 Secret: "super secret!",
paddy@65	342 OwnerID: uuid.NewID(),
paddy@65	343 Name: "My test client",
paddy@65	344 Logo: "https://secondbit.org/logo.png",
paddy@65	345 Website: "https://secondbit.org",
paddy@65	346 Type: "public",
paddy@65	347 }
paddy@65	348 uri, err := url.Parse("https://test.secondbit.org/redirect")
paddy@65	349 if err != nil {
paddy@65	350 t.Fatal("Can't parse URL:", err)
paddy@65	351 }
paddy@65	352 endpoint := Endpoint{
paddy@65	353 ID: uuid.NewID(),
paddy@65	354 ClientID: client.ID,
paddy@65	355 URI: *uri,
paddy@65	356 Added: time.Now(),
paddy@65	357 }
paddy@65	358 err = testContext.SaveClient(client)
paddy@65	359 if err != nil {
paddy@65	360 t.Fatal("Can't store client:", err)
paddy@65	361 }
paddy@65	362 err = testContext.AddEndpoint(client.ID, endpoint)
paddy@65	363 if err != nil {
paddy@65	364 t.Fatal("Can't store endpoint:", err)
paddy@65	365 }
paddy@77	366 session := Session{
paddy@77	367 ID: "testsession",
paddy@77	368 Active: true,
paddy@77	369 }
paddy@77	370 err = testContext.CreateSession(session)
paddy@77	371 if err != nil {
paddy@77	372 t.Fatal("Can't store session:", err)
paddy@77	373 }
paddy@65	374 req, err := http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@65	375 if err != nil {
paddy@65	376 t.Fatal("Can't build request:", err)
paddy@65	377 }
paddy@77	378 cookie := &http.Cookie{
paddy@77	379 Name: authCookieName,
paddy@77	380 Value: session.ID,
paddy@77	381 }
paddy@77	382 req.AddCookie(cookie)
paddy@65	383 params := url.Values{}
paddy@65	384 params.Set("response_type", "totally not code")
paddy@65	385 params.Set("client_id", client.ID.String())
paddy@65	386 params.Set("redirect_uri", endpoint.URI.String())
paddy@65	387 params.Set("scope", "testscope")
paddy@65	388 params.Set("state", "my super secure state string")
paddy@65	389 req.URL.RawQuery = params.Encode()
paddy@65	390 w := httptest.NewRecorder()
paddy@65	391 GetGrantHandler(w, req, testContext)
paddy@65	392 if w.Code != http.StatusFound {
paddy@65	393 t.Errorf("Expected status code to be %d, got %d", http.StatusFound, w.Code)
paddy@65	394 }
paddy@65	395 redirectedTo := w.Header().Get("Location")
paddy@65	396 red, err := url.Parse(redirectedTo)
paddy@65	397 if err != nil {
paddy@65	398 t.Fatalf("Being redirected to a non-URL (%s) threw error: %s\n", redirectedTo, err)
paddy@65	399 }
paddy@65	400 if red.Query().Get("error") != "invalid_request" {
paddy@65	401 t.Errorf(`Expected error param in redirect URL to be "%s", got "%s"`, "invalid_request", red.Query().Get("error"))
paddy@65	402 }
paddy@65	403 stripParam("error", red)
paddy@65	404 if red.Query().Get("state") != params.Get("state") {
paddy@65	405 t.Errorf(`Expected state param in redirect URL to be "%s", got "%s"`, params.Get("state"), red.Query().Get("state"))
paddy@65	406 }
paddy@65	407 stripParam("state", red)
paddy@65	408 if red.String() != endpoint.URI.String() {
paddy@65	409 t.Errorf(`Expected redirect URL to be "%s", got "%s"`, endpoint.URI.String(), red.String())
paddy@65	410 }
paddy@65	411 stripParam("response_type", req.URL)
paddy@65	412 w = httptest.NewRecorder()
paddy@65	413 GetGrantHandler(w, req, testContext)
paddy@65	414 if w.Code != http.StatusFound {
paddy@65	415 t.Errorf("Expected status code to be %d, got %d", http.StatusFound, w.Code)
paddy@65	416 }
paddy@65	417 redirectedTo = w.Header().Get("Location")
paddy@65	418 red, err = url.Parse(redirectedTo)
paddy@65	419 if err != nil {
paddy@65	420 t.Fatalf("Being redirected to a non-URL (%s) threw error: %s\n", redirectedTo, err)
paddy@65	421 }
paddy@65	422 if red.Query().Get("error") != "invalid_request" {
paddy@65	423 t.Errorf(`Expected error param in redirect URL to be "%s", got "%s"`, "invalid_request", red.Query().Get("error"))
paddy@65	424 }
paddy@65	425 stripParam("error", red)
paddy@65	426 if red.Query().Get("state") != params.Get("state") {
paddy@65	427 t.Errorf(`Expected state param in redirect URL to be "%s", got "%s"`, params.Get("state"), red.Query().Get("state"))
paddy@65	428 }
paddy@65	429 stripParam("state", red)
paddy@65	430 if red.String() != endpoint.URI.String() {
paddy@65	431 t.Errorf(`Expected redirect URL to be "%s", got "%s"`, endpoint.URI.String(), red.String())
paddy@65	432 }
paddy@65	433 }
paddy@66	434
paddy@66	435 func TestGetGrantCodeDenied(t *testing.T) {
paddy@66	436 t.Parallel()
paddy@66	437 store := NewMemstore()
paddy@66	438 testContext := Context{
paddy@66	439 template: template.Must(template.New(getGrantTemplateName).Parse("{{ .error }}")),
paddy@66	440 clients: store,
paddy@66	441 grants: store,
paddy@66	442 profiles: store,
paddy@66	443 tokens: store,
paddy@77	444 sessions: store,
paddy@66	445 }
paddy@66	446 client := Client{
paddy@66	447 ID: uuid.NewID(),
paddy@66	448 Secret: "super secret!",
paddy@66	449 OwnerID: uuid.NewID(),
paddy@66	450 Name: "My test client",
paddy@66	451 Logo: "https://secondbit.org/logo.png",
paddy@66	452 Website: "https://secondbit.org",
paddy@66	453 Type: "public",
paddy@66	454 }
paddy@66	455 uri, err := url.Parse("https://test.secondbit.org/redirect")
paddy@66	456 if err != nil {
paddy@66	457 t.Fatal("Can't parse URL:", err)
paddy@66	458 }
paddy@66	459 endpoint := Endpoint{
paddy@66	460 ID: uuid.NewID(),
paddy@66	461 ClientID: client.ID,
paddy@66	462 URI: *uri,
paddy@66	463 Added: time.Now(),
paddy@66	464 }
paddy@66	465 err = testContext.SaveClient(client)
paddy@66	466 if err != nil {
paddy@66	467 t.Fatal("Can't store client:", err)
paddy@66	468 }
paddy@66	469 err = testContext.AddEndpoint(client.ID, endpoint)
paddy@66	470 if err != nil {
paddy@66	471 t.Fatal("Can't store endpoint:", err)
paddy@66	472 }
paddy@77	473 session := Session{
paddy@77	474 ID: "testsession",
paddy@77	475 Active: true,
paddy@77	476 }
paddy@77	477 err = testContext.CreateSession(session)
paddy@77	478 if err != nil {
paddy@77	479 t.Fatal("Can't store session:", err)
paddy@77	480 }
paddy@66	481 req, err := http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@66	482 if err != nil {
paddy@66	483 t.Fatal("Can't build request:", err)
paddy@66	484 }
paddy@77	485 cookie := &http.Cookie{
paddy@77	486 Name: authCookieName,
paddy@77	487 Value: session.ID,
paddy@77	488 }
paddy@77	489 req.AddCookie(cookie)
paddy@66	490 params := url.Values{}
paddy@66	491 params.Set("response_type", "code")
paddy@66	492 params.Set("client_id", client.ID.String())
paddy@66	493 params.Set("redirect_uri", endpoint.URI.String())
paddy@66	494 params.Set("scope", "testscope")
paddy@66	495 params.Set("state", "my super secure state string")
paddy@66	496 data := url.Values{}
paddy@66	497 data.Set("grant", "denied")
paddy@66	498 req.URL.RawQuery = params.Encode()
paddy@66	499 req.Body = ioutil.NopCloser(bytes.NewBufferString(data.Encode()))
paddy@66	500 req.Method = "POST"
paddy@66	501 w := httptest.NewRecorder()
paddy@66	502 GetGrantHandler(w, req, testContext)
paddy@66	503 if w.Code != http.StatusFound {
paddy@66	504 t.Errorf("Expected status code to be %d, got %d", http.StatusFound, w.Code)
paddy@66	505 }
paddy@66	506 redirectedTo := w.Header().Get("Location")
paddy@66	507 red, err := url.Parse(redirectedTo)
paddy@66	508 if err != nil {
paddy@66	509 t.Fatalf("Being redirected to a non-URL (%s) threw error: %s\n", redirectedTo, err)
paddy@66	510 }
paddy@66	511 if red.Query().Get("error") != "access_denied" {
paddy@66	512 t.Errorf(`Expected error param in redirect URL to be "%s", got "%s"`, "access_denied", red.Query().Get("error"))
paddy@66	513 }
paddy@66	514 stripParam("error", red)
paddy@66	515 if red.Query().Get("state") != params.Get("state") {
paddy@66	516 t.Errorf(`Expected state param in redirect URL to be "%s", got "%s"`, params.Get("state"), red.Query().Get("state"))
paddy@66	517 }
paddy@66	518 stripParam("state", red)
paddy@66	519 if red.String() != endpoint.URI.String() {
paddy@66	520 t.Errorf(`Expected redirect URL to be "%s", got "%s"`, endpoint.URI.String(), red.String())
paddy@66	521 }
paddy@66	522 }
paddy@77	523
paddy@80	524 func TestGetGrantCodeLoginRedirect(t *testing.T) {
paddy@80	525 t.Parallel()
paddy@80	526 req, err := http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@80	527 if err != nil {
paddy@80	528 t.Fatal("Can't build request:", err)
paddy@80	529 }
paddy@80	530 w := httptest.NewRecorder()
paddy@80	531 GetGrantHandler(w, req, Context{template: template.Must(template.New(getGrantTemplateName).Parse("{{ .internal_error }}"))})
paddy@80	532 if w.Code != http.StatusInternalServerError {
paddy@80	533 t.Errorf("Expected status code to be %d, got %d", http.StatusInternalServerError, w.Code)
paddy@80	534 }
paddy@80	535 expectation := "Missing login URL."
paddy@80	536 if w.Body.String() != expectation {
paddy@80	537 t.Errorf(`Expected body to be "%s", got "%s"`, expectation, w.Body.String())
paddy@80	538 }
paddy@80	539 uri, err := url.Parse("https://client.secondbit.org/")
paddy@80	540 if err != nil {
paddy@80	541 t.Errorf("Unexpected error", err)
paddy@80	542 }
paddy@80	543 testContext := Context{
paddy@80	544 loginURI: uri,
paddy@80	545 }
paddy@80	546 w = httptest.NewRecorder()
paddy@80	547 GetGrantHandler(w, req, testContext)
paddy@80	548 if w.Code != http.StatusFound {
paddy@80	549 t.Errorf("Expected status code to be %d, got %d", http.StatusFound, w.Code)
paddy@80	550 }
paddy@80	551 redirectedTo := w.Header().Get("Location")
paddy@80	552 expectation = "https://client.secondbit.org/?from=https%3A%2F%2Ftest.auth.secondbit.org%2Foauth2%2Fgrant"
paddy@80	553 if redirectedTo != expectation {
paddy@80	554 t.Errorf("Expected to be redirected to '%s', was redirected to '%s'", expectation, redirectedTo)
paddy@80	555 }
paddy@80	556 }
paddy@80	557
paddy@77	558 func TestGetBasicAuth(t *testing.T) {
paddy@77	559 tests := map[string]struct {
paddy@77	560 un string
paddy@77	561 pass string
paddy@77	562 err error
paddy@77	563 }{
paddy@77	564 "Basic dGVzdHVzZXI6cGFzc3dvcmQx": {"testuser", "password1", nil},
paddy@77	565 "": {"", "", ErrNoAuth},
paddy@77	566 "dGVzdHVzZXI6cGFzc3dvcmQx": {"", "", ErrInvalidAuthFormat},
paddy@77	567 "Basic _*&^##$@#$@&!!@": {"", "", ErrInvalidAuthFormat},
paddy@77	568 "Basic abcdefgh": {"", "", ErrInvalidAuthFormat},
paddy@77	569 "Basic dXNlcjo=": {"user", "", nil},
paddy@77	570 }
paddy@77	571
paddy@77	572 for header, test := range tests {
paddy@77	573 req, err := http.NewRequest("GET", "https://auth.secondbit.org", nil)
paddy@77	574 if err != nil {
paddy@77	575 t.Error("Unexpected error creating base request:", err)
paddy@77	576 }
paddy@77	577 req.Header.Set("Authorization", header)
paddy@77	578 un, pass, err := getBasicAuth(req)
paddy@77	579 if un != test.un {
paddy@77	580 t.Errorf(`Expected header "%s" to return username "%s", got "%s"`, header, test.un, un)
paddy@77	581 }
paddy@77	582 if pass != test.pass {
paddy@77	583 t.Errorf(`Expected header "%s" to return password "%s", got "%s"`, header, test.pass, pass)
paddy@77	584 }
paddy@77	585 if err != test.err {
paddy@77	586 t.Errorf(`Expected header "%s" to return error "%s", got "%s"`, header, test.err, err)
paddy@77	587 }
paddy@77	588 }
paddy@77	589 }
paddy@78	590
paddy@78	591 func TestCheckCookie(t *testing.T) {
paddy@78	592 t.Parallel()
paddy@78	593 req, err := http.NewRequest("GET", "https://auth.secondbit.org", nil)
paddy@78	594 if err != nil {
paddy@78	595 t.Error("Unexpected error creating base request:", err)
paddy@78	596 }
paddy@78	597 store := NewMemstore()
paddy@78	598 testContext := Context{
paddy@78	599 sessions: store,
paddy@78	600 }
paddy@78	601 session, err := checkCookie(req, testContext)
paddy@78	602 if err != ErrNoSession {
paddy@78	603 t.Errorf("Expected ErrNoSession, got %s", err)
paddy@78	604 }
paddy@78	605 session = Session{
paddy@78	606 ID: "testsession",
paddy@78	607 Active: true,
paddy@78	608 }
paddy@78	609 err = testContext.CreateSession(session)
paddy@78	610 if err != nil {
paddy@78	611 t.Error("Unexpected error persisting session:", err)
paddy@78	612 }
paddy@78	613 invalidSession := Session{
paddy@78	614 ID: "testsession2",
paddy@78	615 Active: false,
paddy@78	616 }
paddy@78	617 err = testContext.CreateSession(invalidSession)
paddy@78	618 if err != nil {
paddy@78	619 t.Error("Unexpected error persisting session:", err)
paddy@78	620 }
paddy@78	621 result, err := checkCookie(req, testContext)
paddy@78	622 if err != ErrNoSession {
paddy@78	623 t.Errorf("Expected ErrNoSession, got %s", err)
paddy@78	624 }
paddy@78	625 req.AddCookie(&http.Cookie{
paddy@78	626 Name: "wrongcookie",
paddy@78	627 Value: "wrong value",
paddy@78	628 })
paddy@78	629 result, err = checkCookie(req, testContext)
paddy@78	630 if err != ErrNoSession {
paddy@78	631 t.Error("Expected ErrNoSession, got", err)
paddy@78	632 }
paddy@78	633 req, err = http.NewRequest("GET", "https://auth.secondbit.org", nil)
paddy@78	634 if err != nil {
paddy@78	635 t.Error("Unexpected error creating base request:", err)
paddy@78	636 }
paddy@78	637 req.AddCookie(&http.Cookie{
paddy@78	638 Name: "Stillwrongcookie",
paddy@78	639 Value: session.ID,
paddy@78	640 })
paddy@78	641 result, err = checkCookie(req, testContext)
paddy@78	642 if err != ErrNoSession {
paddy@78	643 t.Error("Expected ErrNoSession, got", err)
paddy@78	644 }
paddy@78	645 req, err = http.NewRequest("GET", "https://auth.secondbit.org", nil)
paddy@78	646 if err != nil {
paddy@78	647 t.Error("Unexpected error creating base request:", err)
paddy@78	648 }
paddy@78	649 req.AddCookie(&http.Cookie{
paddy@78	650 Name: authCookieName,
paddy@78	651 Value: "wrong value",
paddy@78	652 })
paddy@78	653 result, err = checkCookie(req, testContext)
paddy@78	654 if err != ErrInvalidSession {
paddy@78	655 t.Error("Expected ErrInvalidSession, got", err)
paddy@78	656 }
paddy@78	657 req, err = http.NewRequest("GET", "https://auth.secondbit.org", nil)
paddy@78	658 if err != nil {
paddy@78	659 t.Error("Unexpected error creating base request:", err)
paddy@78	660 }
paddy@78	661 req.AddCookie(&http.Cookie{
paddy@78	662 Name: authCookieName,
paddy@78	663 Value: invalidSession.ID,
paddy@78	664 })
paddy@78	665 result, err = checkCookie(req, testContext)
paddy@78	666 if err != ErrInvalidSession {
paddy@78	667 t.Error("Expected ErrInvalidSession, got", err)
paddy@78	668 }
paddy@78	669 req, err = http.NewRequest("GET", "https://auth.secondbit.org", nil)
paddy@78	670 if err != nil {
paddy@78	671 t.Error("Unexpected error creating base request:", err)
paddy@78	672 }
paddy@78	673 req.AddCookie(&http.Cookie{
paddy@78	674 Name: authCookieName,
paddy@78	675 Value: session.ID,
paddy@78	676 })
paddy@78	677 result, err = checkCookie(req, testContext)
paddy@78	678 if err != nil {
paddy@78	679 t.Error("Unexpected error:", err)
paddy@78	680 }
paddy@78	681 success, field, expectation, outcome := compareSessions(session, result)
paddy@78	682 if !success {
paddy@78	683 t.Errorf(`Expected field %s to be %v, but got %v`, field, expectation, outcome)
paddy@78	684 }
paddy@78	685 }
paddy@78	686
paddy@78	687 func TestBuildLoginRedirect(t *testing.T) {
paddy@78	688 t.Parallel()
paddy@78	689 req, err := http.NewRequest("GET", "https://client.secondbit.org/my/awesome/path?has=query&params=to&screw=this&all=up", nil)
paddy@78	690 if err != nil {
paddy@78	691 t.Error("Unexpected error creating base request:", err)
paddy@78	692 }
paddy@78	693 result := buildLoginRedirect(req, Context{})
paddy@78	694 if result != "" {
paddy@78	695 t.Error("Expected empty string as the result, got", result)
paddy@78	696 }
paddy@78	697 uri, err := url.Parse("https://auth.secondbit.org/login?query=string&other=param")
paddy@78	698 if err != nil {
paddy@78	699 t.Error("Unexpected error parsing URL:", err)
paddy@78	700 }
paddy@78	701 c := Context{loginURI: uri}
paddy@78	702 result = buildLoginRedirect(req, c)
paddy@78	703 expectation := "https://auth.secondbit.org/login?from=https%3A%2F%2Fclient.secondbit.org%2Fmy%2Fawesome%2Fpath%3Fhas%3Dquery%26params%3Dto%26screw%3Dthis%26all%3Dup&other=param&query=string"
paddy@78	704 if result != expectation {
paddy@78	705 t.Errorf(`Expected result string to be "%s", was "%s"`, expectation, result)
paddy@78	706 }
paddy@78	707 }
paddy@79	708
paddy@79	709 func TestAuthenticateHelper(t *testing.T) {
paddy@79	710 t.Parallel()
paddy@79	711 store := NewMemstore()
paddy@79	712 context := Context{
paddy@79	713 profiles: store,
paddy@79	714 }
paddy@79	715 profile := Profile{
paddy@79	716 ID: uuid.NewID(),
paddy@79	717 Name: "Test User",
paddy@79	718 Passphrase: "55d87acb9adff90a0d8e4c9b77f239c2d6e3a1945dbd09b0270467411198db25",
paddy@79	719 Iterations: 4096,
paddy@79	720 Salt: "this is a super secure random salt",
paddy@79	721 PassphraseScheme: 1,
paddy@79	722 Compromised: false,
paddy@79	723 LockedUntil: time.Time{},
paddy@79	724 PassphraseReset: "",
paddy@79	725 PassphraseResetCreated: time.Time{},
paddy@79	726 Created: time.Now(),
paddy@79	727 LastSeen: time.Time{},
paddy@79	728 }
paddy@79	729 login := Login{
paddy@79	730 Type: "email",
paddy@79	731 Value: "test@example.com",
paddy@79	732 ProfileID: profile.ID,
paddy@79	733 Created: time.Now(),
paddy@79	734 LastUsed: time.Time{},
paddy@79	735 }
paddy@79	736 err := context.SaveProfile(profile)
paddy@79	737 if err != nil {
paddy@79	738 t.Error("Error saving profile:", err)
paddy@79	739 }
paddy@79	740 err = context.AddLogin(login)
paddy@79	741 if err != nil {
paddy@79	742 t.Error("Error adding login:", err)
paddy@79	743 }
paddy@79	744 response, err := authenticate("test@example.com", "a really secure password", context)
paddy@79	745 if err != nil {
paddy@79	746 t.Error("Unexpected error:", err)
paddy@79	747 }
paddy@79	748 success, field, expectation, result := compareProfiles(profile, response)
paddy@79	749 if !success {
paddy@79	750 t.Errorf(`Expected field %s to be "%v", got "%v"`, field, expectation, result)
paddy@79	751 }
paddy@79	752 response, err = authenticate("test2@example.com", "a really secure password", context)
paddy@79	753 if err != ErrIncorrectAuth {
paddy@79	754 t.Error("Expected ErrIncorrectAuth, got", err)
paddy@79	755 }
paddy@79	756 response, err = authenticate("test@example.com", "not the right password", context)
paddy@79	757 if err != ErrIncorrectAuth {
paddy@79	758 t.Error("Expected ErrIncorrectAuth, got", err)
paddy@79	759 }
paddy@79	760 scheme := 1000
paddy@79	761 phrase := "doesn't really matter, the scheme doesn't exist"
paddy@79	762 change := ProfileChange{
paddy@79	763 PassphraseScheme: &scheme,
paddy@79	764 Passphrase: &phrase,
paddy@79	765 }
paddy@79	766 err = context.UpdateProfile(profile.ID, change)
paddy@79	767 if err != nil {
paddy@79	768 t.Error("Unexpected error:", err)
paddy@79	769 }
paddy@79	770 response, err = authenticate("test@example.com", "not the right password", context)
paddy@79	771 if err != ErrInvalidPassphraseScheme {
paddy@79	772 t.Error("Expected ErrIncorrectAuth, got", err)
paddy@79	773 }
paddy@79	774 }
paddy@81	775
paddy@81	776 func TestGetTokenHandler(t *testing.T) {
paddy@81	777 t.Parallel()
paddy@81	778 store := NewMemstore()
paddy@81	779 context := Context{
paddy@81	780 clients: store,
paddy@81	781 grants: store,
paddy@81	782 tokens: store,
paddy@81	783 }
paddy@81	784 client := Client{
paddy@81	785 ID: uuid.NewID(),
paddy@81	786 Secret: "sometimes I feel like I don't know what I'm doing",
paddy@81	787 OwnerID: uuid.NewID(),
paddy@81	788 Name: "A Super Awesome Client!",
paddy@81	789 Logo: "https://logos.secondbit.org/client.png",
paddy@81	790 Website: "https://client.secondbit.org/",
paddy@81	791 Type: "confidential",
paddy@81	792 }
paddy@81	793 grant := Grant{
paddy@81	794 Code: "testcode",
paddy@81	795 Created: time.Now(),
paddy@81	796 ExpiresIn: 600,
paddy@81	797 ClientID: client.ID,
paddy@81	798 Scope: "testscope",
paddy@81	799 RedirectURI: "https://client.secondbit.org/",
paddy@81	800 State: "teststate",
paddy@81	801 ProfileID: uuid.NewID(),
paddy@81	802 }
paddy@81	803 err := context.SaveGrant(grant)
paddy@81	804 if err != nil {
paddy@81	805 t.Error("Error saving grant:", err)
paddy@81	806 }
paddy@81	807 err = context.SaveClient(client)
paddy@81	808 if err != nil {
paddy@81	809 t.Error("Error saving client:", err)
paddy@81	810 }
paddy@81	811 data := url.Values{}
paddy@81	812 data.Set("grant_type", "authorization_code")
paddy@81	813 data.Set("code", grant.Code)
paddy@81	814 data.Set("redirect_uri", grant.RedirectURI)
paddy@81	815 body := bytes.NewBufferString(data.Encode())
paddy@81	816 req, err := http.NewRequest("POST", "https://auth.secondbit.org/", ioutil.NopCloser(body))
paddy@81	817 if err != nil {
paddy@81	818 t.Error("Error constructing request:", err)
paddy@81	819 }
paddy@81	820 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@81	821 req.SetBasicAuth(client.ID.String(), client.Secret)
paddy@81	822 w := httptest.NewRecorder()
paddy@81	823 GetTokenHandler(w, req, context)
paddy@81	824 resp := tokenResponse{}
paddy@81	825 err = json.Unmarshal(w.Body.Bytes(), &resp)
paddy@81	826 if err != nil {
paddy@81	827 t.Error("Error unmarshalling response:", err)
paddy@81	828 }
paddy@81	829 if resp.AccessToken == "" {
paddy@81	830 t.Error("Got blank access token back")
paddy@81	831 }
paddy@81	832 if resp.RefreshToken == "" {
paddy@81	833 t.Error("Got blank refresh token back")
paddy@81	834 }
paddy@81	835 if resp.TokenType == "" {
paddy@81	836 t.Error("Got blank token type back")
paddy@81	837 }
paddy@81	838 if resp.ExpiresIn == 0 {
paddy@81	839 t.Error("Got blank expires in back")
paddy@81	840 }
paddy@81	841 tokens, err := context.GetTokensByProfileID(grant.ProfileID, 1, 0)
paddy@81	842 if err != nil {
paddy@81	843 t.Error("Error retrieving token:", err)
paddy@81	844 }
paddy@81	845 if len(tokens) != 1 {
paddy@81	846 t.Errorf("Expected %d tokens, got %d", 1, len(tokens))
paddy@81	847 }
paddy@81	848 if tokens[0].AccessToken != resp.AccessToken {
paddy@81	849 t.Errorf(`Expected access token to be "%s", got "%s"`, tokens[0].AccessToken, resp.AccessToken)
paddy@81	850 }
paddy@81	851 if tokens[0].RefreshToken != resp.RefreshToken {
paddy@81	852 t.Errorf(`Expected refresh token to be "%s", got "%s"`, tokens[0].RefreshToken, resp.RefreshToken)
paddy@81	853 }
paddy@81	854 if tokens[0].ExpiresIn != resp.ExpiresIn {
paddy@81	855 t.Errorf(`Expected expires in to be %d, got %d`, tokens[0].ExpiresIn, resp.ExpiresIn)
paddy@81	856 }
paddy@81	857 if tokens[0].TokenType != resp.TokenType {
paddy@81	858 t.Errorf(`Expected token type to be %s, got %s`, tokens[0].TokenType, resp.TokenType)
paddy@81	859 }
paddy@81	860 }