auth

Paddy 2015-04-19 Parent:2809016184f6 Child:b7e685839a1b

163:73e12d5a1124 Go to Latest

auth/authcode_test.go

Use postgres arrays for scope associations. Use the new pqarrays library I wrote to store Scope associations for Tokens and AuthorizationCodes, instead of using our hacky and abstraction-breaking many-to-many code. We also created the authStore.deleteAuthorizationCodesByProfileID method, to clear out the AuthorizationCodes that belong to a Profile (used when the Profile is deleted). So we added the implementation for memstore and for our postgres store. Call Context.DeleteAuthorizationCodesByProfileID when deleting a Profile to clean up after it. Rename sortedScopes to Scopes, which we use pqarrays.StringArray's methods on to fulfill the sql.Scanner and driver.Valuer interfaces. This lets us store Scopes in postgres arrays. Create a stringsToScopes helper function that creates Scope objects, with their IDs filled by the strings specified. Update our GrantType.Validate function signature to return Scopes instead of []string. Create a Scopes.Strings() helper method that returns a []string of the IDs of the Scopes. Update our SQL init file to use the new postgres array definition, instead of the many-to-many definition.

Download raw file
View source Diff to previous Annotate
History
1 package auth
2
3 import (
4 "bytes"
5 "io/ioutil"
6 "net/http"
7 "net/http/httptest"
8 "net/url"
9 "os"
10 "strings"
11 "testing"
12 "time"
13
14 "code.secondbit.org/uuid.hg"
15 )
16
17 func init() {
18 if os.Getenv("PG_TEST_DB") != "" {
19 p, err := NewPostgres(os.Getenv("PG_TEST_DB"))
20 if err != nil {
21 panic(err)
22 }
23 authCodeStores = append(authCodeStores, &p)
24 }
25 }
26
27 var authCodeStores = []authorizationCodeStore{NewMemstore()}
28
29 func compareAuthorizationCodes(authCode1, authCode2 AuthorizationCode) (success bool, field string, authCode1val, authCode2val interface{}) {
30 if authCode1.Code != authCode2.Code {
31 return false, "code", authCode1.Code, authCode2.Code
32 }
33 if !authCode1.Created.Equal(authCode2.Created) {
34 return false, "created", authCode1.Created, authCode2.Created
35 }
36 if authCode1.ExpiresIn != authCode2.ExpiresIn {
37 return false, "expires in", authCode1.ExpiresIn, authCode2.ExpiresIn
38 }
39 if !authCode1.ClientID.Equal(authCode2.ClientID) {
40 return false, "client ID", authCode1.ClientID, authCode2.ClientID
41 }
42 if len(authCode1.Scopes) != len(authCode2.Scopes) {
43 return false, "scopes", authCode1.Scopes, authCode2.Scopes
44 }
45 for pos, scope := range authCode1.Scopes {
46 if scope != authCode2.Scopes[pos] {
47 return false, "scopes", authCode1.Scopes, authCode2.Scopes
48 }
49 }
50 if authCode1.RedirectURI != authCode2.RedirectURI {
51 return false, "redirect URI", authCode1.RedirectURI, authCode2.RedirectURI
52 }
53 if authCode1.State != authCode2.State {
54 return false, "state", authCode1.State, authCode2.State
55 }
56 if !authCode1.ProfileID.Equal(authCode2.ProfileID) {
57 return false, "profile ID", authCode1.ProfileID, authCode2.ProfileID
58 }
59 if authCode1.Used != authCode2.Used {
60 return false, "used", authCode1.Used, authCode2.Used
61 }
62 return true, "", nil, nil
63 }
64
65 func TestAuthorizationCodeStore(t *testing.T) {
66 t.Parallel()
67 authCode := AuthorizationCode{
68 Code: "code",
69 Created: time.Now().Round(time.Millisecond),
70 ExpiresIn: 180,
71 ClientID: uuid.NewID(),
72 Scopes: stringsToScopes([]string{"scope"}),
73 RedirectURI: "redirectURI",
74 State: "state",
75 }
76 for _, store := range authCodeStores {
77 context := Context{authCodes: store}
78 err := context.SaveAuthorizationCode(authCode)
79 if err != nil {
80 t.Errorf("Error saving auth code to %T: %s", store, err)
81 }
82 err = context.SaveAuthorizationCode(authCode)
83 if err != ErrAuthorizationCodeAlreadyExists {
84 t.Errorf("Expected ErrAuthorizationCodeAlreadyExists from %T, got %+v", store, err)
85 }
86 retrieved, err := context.GetAuthorizationCode(authCode.Code)
87 if err != nil {
88 t.Errorf("Error retrieving auth code from %T: %s", store, err)
89 }
90 match, field, expectation, result := compareAuthorizationCodes(authCode, retrieved)
91 if !match {
92 t.Errorf("Expected `%v` in the `%s` field of auth code retrieved from %T, got `%v`", expectation, field, store, result)
93 }
94 err = context.UseAuthorizationCode(authCode.Code)
95 if err != nil {
96 t.Errorf("Error retrieving auth code from %T: %s", store, err)
97 }
98 retrieved, err = context.GetAuthorizationCode(authCode.Code)
99 if err != nil {
100 t.Errorf("Error retrieving auth code from %T: %s", store, err)
101 }
102 authCode.Used = true
103 match, field, expectation, result = compareAuthorizationCodes(authCode, retrieved)
104 if !match {
105 t.Errorf("Expected `%v` in the `%s` field of auth code retrieved from %T, got `%v`", expectation, field, store, result)
106 }
107 err = context.DeleteAuthorizationCode(authCode.Code)
108 if err != nil {
109 t.Errorf("Error removing auth code from %T: %s", store, err)
110 }
111 retrieved, err = context.GetAuthorizationCode(authCode.Code)
112 if err != ErrAuthorizationCodeNotFound {
113 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v and %+v", store, retrieved, err)
114 }
115 err = context.DeleteAuthorizationCode(authCode.Code)
116 if err != ErrAuthorizationCodeNotFound {
117 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v", store, err)
118 }
119 err = context.UseAuthorizationCode(authCode.Code)
120 if err != ErrAuthorizationCodeNotFound {
121 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v", store, err)
122 }
123 }
124 }
125
126 func TestAuthCodeGrantValidate(t *testing.T) {
127 t.Parallel()
128 store := NewMemstore()
129 testContext := Context{
130 clients: store,
131 authCodes: store,
132 profiles: store,
133 tokens: store,
134 sessions: store,
135 }
136 client := Client{
137 ID: uuid.NewID(),
138 Secret: "super secret!",
139 OwnerID: uuid.NewID(),
140 Name: "My test client",
141 Logo: "https://secondbit.org/logo.png",
142 Website: "https://secondbit.org/",
143 Type: "public",
144 }
145 endpoint := Endpoint{
146 ID: uuid.NewID(),
147 ClientID: client.ID,
148 URI: "https://test.secondbit.org/redirect",
149 Added: time.Now().Round(time.Millisecond),
150 }
151 err := testContext.SaveClient(client)
152 if err != nil {
153 t.Fatal("Can't store client:", err)
154 }
155 err = testContext.AddEndpoints([]Endpoint{endpoint})
156 if err != nil {
157 t.Fatal("Can't store endpoint:", err)
158 }
159 code := AuthorizationCode{
160 Code: "myauthcode",
161 Created: time.Now().Round(time.Millisecond),
162 ExpiresIn: 180,
163 ClientID: uuid.NewID(),
164 Scopes: stringsToScopes([]string{"scope"}),
165 RedirectURI: "redirectURI",
166 State: "state",
167 }
168 err = testContext.SaveAuthorizationCode(code)
169 if err != nil {
170 t.Fatal("Can't add auth code:", err)
171 }
172 code2 := code
173 code2.Code = "otherauthcode"
174 code2.ClientID = client.ID
175 err = testContext.SaveAuthorizationCode(code2)
176 if err != nil {
177 t.Fatal("Can't add second auth code:", err)
178 }
179 req, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
180 if err != nil {
181 t.Fatal("Can't build request:", err)
182 }
183 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
184 w := httptest.NewRecorder()
185 params := url.Values{}
186 body := bytes.NewBufferString(params.Encode())
187 req.Body = ioutil.NopCloser(body)
188 scope, profileID, valid := authCodeGrantValidate(w, req, testContext)
189 if valid {
190 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
191 }
192 if w.Code != http.StatusBadRequest {
193 t.Errorf("Expected status %d, got %d", http.StatusBadRequest, w.Code)
194 }
195 expectedBody := `{"error":"invalid_request"}`
196 if strings.TrimSpace(w.Body.String()) != expectedBody {
197 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
198 }
199
200 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
201 if err != nil {
202 t.Fatal("Can't build request:", err)
203 }
204 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
205 w = httptest.NewRecorder()
206 params = url.Values{}
207 params.Set("code", "notmycode")
208 body = bytes.NewBufferString(params.Encode())
209 req.Body = ioutil.NopCloser(body)
210 err = req.ParseForm()
211 if err != nil {
212 t.Log(err)
213 }
214 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
215 if valid {
216 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
217 }
218 if w.Code != http.StatusUnauthorized {
219 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
220 }
221 expectedBody = `{"error":"invalid_client"}`
222 if expectedBody != strings.TrimSpace(w.Body.String()) {
223 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
224 }
225
226 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
227 if err != nil {
228 t.Fatal("Can't build request:", err)
229 }
230 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
231 req.SetBasicAuth(client.ID.String(), client.Secret)
232 w = httptest.NewRecorder()
233 params = url.Values{}
234 params.Set("code", "notmycode")
235 body = bytes.NewBufferString(params.Encode())
236 req.Body = ioutil.NopCloser(body)
237 err = req.ParseForm()
238 if err != nil {
239 t.Log(err)
240 }
241 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
242 if valid {
243 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
244 }
245 if w.Code != http.StatusBadRequest {
246 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
247 }
248 expectedBody = `{"error":"invalid_grant"}`
249 if expectedBody != strings.TrimSpace(w.Body.String()) {
250 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
251 }
252
253 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
254 if err != nil {
255 t.Fatal("Can't build request:", err)
256 }
257 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
258 req.SetBasicAuth(client.ID.String(), client.Secret)
259 w = httptest.NewRecorder()
260 params = url.Values{}
261 params.Set("code", code.Code)
262 params.Set("redirect_uri", "not my redirectURI")
263 body = bytes.NewBufferString(params.Encode())
264 req.Body = ioutil.NopCloser(body)
265 err = req.ParseForm()
266 if err != nil {
267 t.Log(err)
268 }
269 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
270 if valid {
271 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
272 }
273 if w.Code != http.StatusBadRequest {
274 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
275 }
276 expectedBody = `{"error":"invalid_grant"}`
277 if expectedBody != strings.TrimSpace(w.Body.String()) {
278 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
279 }
280
281 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
282 if err != nil {
283 t.Fatal("Can't build request:", err)
284 }
285 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
286 req.SetBasicAuth(client.ID.String(), client.Secret)
287 w = httptest.NewRecorder()
288 params = url.Values{}
289 params.Set("code", code.Code)
290 params.Set("redirect_uri", code.RedirectURI)
291 body = bytes.NewBufferString(params.Encode())
292 req.Body = ioutil.NopCloser(body)
293 err = req.ParseForm()
294 if err != nil {
295 t.Log(err)
296 }
297 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
298 if valid {
299 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
300 }
301 if w.Code != http.StatusBadRequest {
302 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
303 }
304 expectedBody = `{"error":"invalid_grant"}`
305 if expectedBody != strings.TrimSpace(w.Body.String()) {
306 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
307 }
308
309 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
310 if err != nil {
311 t.Fatal("Can't build request:", err)
312 }
313 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
314 req.SetBasicAuth(client.ID.String(), client.Secret)
315 w = httptest.NewRecorder()
316 params = url.Values{}
317 params.Set("code", code2.Code)
318 params.Set("redirect_uri", code2.RedirectURI)
319 body = bytes.NewBufferString(params.Encode())
320 req.Body = ioutil.NopCloser(body)
321 err = req.ParseForm()
322 if err != nil {
323 t.Log(err)
324 }
325 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
326 if !valid {
327 t.Fatalf("Expected valid auth code, was not valid.")
328 }
329 }
330
331 func TestAuthCodeGrantInvalidate(t *testing.T) {
332 t.Parallel()
333 store := NewMemstore()
334 testContext := Context{
335 clients: store,
336 authCodes: store,
337 profiles: store,
338 tokens: store,
339 sessions: store,
340 }
341 code := AuthorizationCode{
342 Code: "myauthcode",
343 Created: time.Now().Round(time.Millisecond),
344 ExpiresIn: 180,
345 ClientID: uuid.NewID(),
346 Scopes: stringsToScopes([]string{"scope"}),
347 RedirectURI: "redirectURI",
348 State: "state",
349 }
350 err := testContext.SaveAuthorizationCode(code)
351 if err != nil {
352 t.Fatal("Can't add auth code:", err)
353 }
354 req, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
355 if err != nil {
356 t.Fatal("Can't build request:", err)
357 }
358 err = authCodeGrantInvalidate(req, testContext)
359 if err != ErrAuthorizationCodeNotFound {
360 t.Errorf("Expected `%s`, got `%+v`", ErrAuthorizationCodeNotFound, err)
361 }
362 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
363 if err != nil {
364 t.Fatal("Can't build request:", err)
365 }
366 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
367 params := url.Values{}
368 params.Set("code", "notmycode")
369 body := bytes.NewBufferString(params.Encode())
370 req.Body = ioutil.NopCloser(body)
371 err = authCodeGrantInvalidate(req, testContext)
372 if err != ErrAuthorizationCodeNotFound {
373 t.Errorf("Expected `%s`, got `%+v`", ErrAuthorizationCodeNotFound, err)
374 }
375 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
376 if err != nil {
377 t.Fatal("Can't build request:", err)
378 }
379 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
380 params.Set("code", code.Code)
381 body = bytes.NewBufferString(params.Encode())
382 req.Body = ioutil.NopCloser(body)
383 err = authCodeGrantInvalidate(req, testContext)
384 if err != nil {
385 t.Error("Error invalidating auth code:", err)
386 }
387 authCode, err := testContext.GetAuthorizationCode(code.Code)
388 if err != nil {
389 t.Error("Error retrieving auth code:", err)
390 }
391 if !authCode.Used {
392 t.Error("Expected auth code to be used, was not.")
393 }
394 }