auth

Paddy 2015-12-14 Parent:8ecb60d29b0d

auth/client_test.go

Break out scopes and events. This repo has gotten unwieldy, and there are portions of it that need to be imported by a large number of other packages. For example, scopes will be used in almost every API we write. Rather than importing the entirety of this codebase into every API we write, I've opted to move the scope logic out into a scopes package, with a subpackage for the defined types, which is all most projects actually want to import. We also define some event type constants, and importing those shouldn't require a project to import all our dependencies, either. So I made an events subpackage that just holds those constants. This package has become a little bit of a red-headed stepchild and is do for a refactor, but I'm trying to put that off as long as I can. The refactoring of our scopes stuff has left a bug wherein a token can be granted for scopes that don't exist. I'm going to need to revisit that, and also how to limit scopes to only be granted to the users that should be able to request them. But that's a battle for another day.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "bytes"

5 "encoding/json"

6 "fmt"

7 "github.com/gorilla/mux"

8 "io/ioutil"

9 "net/http"

10 "net/http/httptest"

11 "net/url"

12 "os"

13 "sort"

14 "strings"

15 "testing"

16 "time"

18 "code.secondbit.org/uuid.hg"

19 )

21 const (

22 clientChangeSecret = 1 << iota

23 clientChangeOwnerID

24 clientChangeName

25 clientChangeLogo

26 clientChangeWebsite

27 )

29 func init() {

30 if os.Getenv("PG_TEST_DB") != "" {

31 p, err := NewPostgres(os.Getenv("PG_TEST_DB"))

32 if err != nil {

33 panic(err)

34 }

35 clientStores = append(clientStores, &p)

36 }

37 }

39 var clientStores = []clientStore{NewMemstore()}

41 func compareClients(client1, client2 Client) (success bool, field string, val1, val2 interface{}) {

42 if !client1.ID.Equal(client2.ID) {

43 return false, "ID", client1.ID, client2.ID

44 }

45 if client1.Secret != client2.Secret {

46 return false, "secret", client1.Secret, client2.Secret

47 }

48 if !client1.OwnerID.Equal(client2.OwnerID) {

49 return false, "owner ID", client1.OwnerID, client2.OwnerID

50 }

51 if client1.Name != client2.Name {

52 return false, "name", client1.Name, client2.Name

53 }

54 if client1.Logo != client2.Logo {

55 return false, "logo", client1.Logo, client2.Logo

56 }

57 if client1.Website != client2.Website {

58 return false, "website", client1.Website, client2.Website

59 }

60 if client1.Type != client2.Type {

61 return false, "type", client1.Type, client2.Type

62 }

63 return true, "", nil, nil

64 }

66 func compareEndpoints(endpoint1, endpoint2 Endpoint) (success bool, field string, val1, val2 interface{}) {

67 if !endpoint1.ID.Equal(endpoint2.ID) {

68 return false, "ID", endpoint1.ID, endpoint2.ID

69 }

70 if !endpoint1.ClientID.Equal(endpoint2.ClientID) {

71 return false, "OwnerID", endpoint1.ClientID, endpoint2.ClientID

72 }

73 if !endpoint1.Added.Equal(endpoint2.Added) {

74 return false, "Added", endpoint1.Added, endpoint2.Added

75 }

76 if endpoint1.URI != endpoint2.URI {

77 return false, "URI", endpoint1.URI, endpoint2.URI

78 }

79 return true, "", nil, nil

80 }

82 func TestClientStoreSuccess(t *testing.T) {

83 t.Parallel()

84 client := Client{

85 ID: uuid.NewID(),

86 Secret: "secret",

87 OwnerID: uuid.NewID(),

88 Name: "name",

89 Logo: "logo",

90 Website: "website",

91 }

92 for _, store := range clientStores {

93 context := Context{clients: store}

94 err := context.SaveClient(client)

95 if err != nil {

96 t.Fatalf("Error saving client to %T: %s", store, err)

97 }

98 err = context.SaveClient(client)

99 if err != ErrClientAlreadyExists {

100 t.Fatalf("Expected ErrClientAlreadyExists, got %v from %T", err, store)

101 }

102 retrieved, err := context.GetClient(client.ID)

103 if err != nil {

104 t.Fatalf("Error retrieving client from %T: %s", store, err)

105 }

106 success, field, expectation, result := compareClients(client, retrieved)

107 if !success {

108 t.Fatalf("Expected field %s to be %v, but %T returned %v", field, expectation, store, result)

109 }

110 clients, err := context.ListClientsByOwner(client.OwnerID, 25, 0)

111 if err != nil {

112 t.Fatalf("Error retrieving clients by owner from %T: %s", store, err)

113 }

114 if len(clients) != 1 {

115 t.Fatalf("Expected 1 client in response from %T, got %+v", store, clients)

116 }

117 success, field, expectation, result = compareClients(client, clients[0])

118 if !success {

119 t.Fatalf("Expected field %s to be %v, but %T returned %v", field, expectation, store, result)

120 }

121 deleted := true

122 err = context.UpdateClient(client.ID, ClientChange{Deleted: &deleted})

123 if err != nil {

124 t.Fatalf("Error deleting client from %T: %s", store, err)

125 }

126 retrieved, err = context.GetClient(client.ID)

127 if err != ErrClientNotFound {

128 t.Fatalf("Expected ErrClientNotFound from %T, got %+v and %s", store, retrieved, err)

129 }

130 clients, err = context.ListClientsByOwner(client.OwnerID, 25, 0)

131 if err != nil {

132 t.Fatalf("Error listing clients by owner from %T: %s", store, err)

133 }

134 if len(clients) != 0 {

135 t.Fatalf("Expected 0 clients in response from %T, got %+v", store, clients)

136 }

137 }

138 }

139

140 func TestEndpointStoreSuccess(t *testing.T) {

141 t.Parallel()

142 client := Client{

143 ID: uuid.NewID(),

144 Secret: "secret",

145 OwnerID: uuid.NewID(),

146 Name: "name",

147 Logo: "logo",

148 Website: "website",

149 }

150 endpoint1 := Endpoint{

151 ID: uuid.NewID(),

152 ClientID: client.ID,

153 Added: time.Now().Round(time.Millisecond),

154 URI: "https://www.example.com/",

155 }

156 endpoint2 := Endpoint{

157 ID: uuid.NewID(),

158 ClientID: client.ID,

159 Added: time.Now().Round(time.Millisecond),

160 URI: "https://www.example.com/my/full/path",

161 }

162 for _, store := range clientStores {

163 context := Context{clients: store}

164 err := context.SaveClient(client)

165 if err != nil {

166 t.Fatalf("Error saving client to %T: %s", store, err)

167 }

168 err = context.AddEndpoints([]Endpoint{endpoint1})

169 if err != nil {

170 t.Fatalf("Error adding endpoint to client in %T: %s", store, err)

171 }

172 endpoints, err := context.ListEndpoints(client.ID, 10, 0)

173 if err != nil {

174 t.Fatalf("Error retrieving endpoints from %T: %s", store, err)

175 }

176 if len(endpoints) != 1 {

177 t.Fatalf("Expected %d endpoints, got %+v from %T", 1, endpoints, store)

178 }

179 success, field, expectation, result := compareEndpoints(endpoint1, endpoints[0])

180 if !success {

181 t.Fatalf("Expected field %s to be %v, but %T returned %v", field, expectation, store, result)

182 }

183 err = context.AddEndpoints([]Endpoint{endpoint2})

184 if err != nil {

185 t.Fatalf("Error adding endpoint to client in %T: %s", store, err)

186 }

187 endpoints, err = context.ListEndpoints(client.ID, 10, 0)

188 if err != nil {

189 t.Fatalf("Error retrieving endpoints from %T: %s", store, err)

190 }

191 if len(endpoints) != 2 {

192 t.Fatalf("Expected %d endpoints, got %+v from %T", 2, endpoints, store)

193 }

194 sortedEnd := sortedEndpoints(endpoints)

195 sort.Sort(sortedEnd)

196 endpoints = []Endpoint(sortedEnd)

197 success, field, expectation, result = compareEndpoints(endpoint1, endpoints[0])

198 if !success {

199 t.Fatalf("Expected field %s to be %v, but %T returned %v", field, expectation, store, result)

200 }

201 success, field, expectation, result = compareEndpoints(endpoint2, endpoints[1])

202 if !success {

203 t.Fatalf("Expected field %s to be %v, but %T returned %v", field, expectation, store, result)

204 }

205 err = context.RemoveEndpoint(client.ID, endpoint1.ID)

206 if err != nil {

207 t.Fatalf("Error removing endpoint from client in %T: %s", store, err)

208 }

209 endpoints, err = context.ListEndpoints(client.ID, 10, 0)

210 if err != nil {

211 t.Fatalf("Error listing endpoints in %T: %s", store, err)

212 }

213 if len(endpoints) != 1 {

214 t.Fatalf("Expected %d endpoints, got %+v from %T", 1, endpoints, store)

215 }

216 success, field, expectation, result = compareEndpoints(endpoint2, endpoints[0])

217 if !success {

218 t.Fatalf("Expected field %s to be %v, but %T returned %v", field, expectation, store, result)

219 }

220 err = context.RemoveEndpoint(client.ID, endpoint2.ID)

221 if err != nil {

222 t.Fatalf("Error removing endpoint from client in %T: %s", store, err)

223 }

224 endpoints, err = context.ListEndpoints(client.ID, 10, 0)

225 if err != nil {

226 t.Fatalf("Error listing endpoints in %T: %s", store, err)

227 }

228 if len(endpoints) != 0 {

229 t.Fatalf("Expected %d endpoints, got %+v from %T", 0, endpoints, store)

230 }

231 }

232 }

233

234 func TestClientUpdates(t *testing.T) {

235 t.Parallel()

236 variations := 1 << 5

237 client := Client{

238 ID: uuid.NewID(),

239 Secret: "secret",

240 OwnerID: uuid.NewID(),

241 Name: "name",

242 Logo: "logo",

243 Website: "website",

244 }

245 for i := 0; i < variations; i++ {

246 var secret, name, logo, website string

247 change := ClientChange{}

248 client.ID = uuid.NewID()

249 expectation := client

250 result := client

251 if i&clientChangeSecret != 0 {

252 secret = fmt.Sprintf("secret-%d", i)

253 change.Secret = &secret

254 expectation.Secret = secret

255 }

256 if i&clientChangeOwnerID != 0 {

257 change.OwnerID = uuid.NewID()

258 expectation.OwnerID = change.OwnerID

259 }

260 if i&clientChangeName != 0 {

261 name = fmt.Sprintf("name-%d", i)

262 change.Name = &name

263 expectation.Name = name

264 }

265 if i&clientChangeLogo != 0 {

266 logo = fmt.Sprintf("logo-%d", i)

267 change.Logo = &logo

268 expectation.Logo = logo

269 }

270 if i&clientChangeWebsite != 0 {

271 website = fmt.Sprintf("website-%d", i)

272 change.Website = &website

273 expectation.Website = website

274 }

275 result.ApplyChange(change)

276 match, field, expected, got := compareClients(expectation, result)

277 if !match {

278 t.Fatalf("Expected field `%s` to be `%v`, got `%v`", field, expected, got)

279 }

280 for _, store := range clientStores {

281 context := Context{clients: store}

282 err := context.SaveClient(client)

283 if err != nil {

284 t.Fatalf("Error saving client in %T: %s", store, err)

285 }

286 err = context.UpdateClient(client.ID, change)

287 if err != nil {

288 t.Fatalf("Error updating client in %T: %s", store, err)

289 }

290 retrieved, err := context.GetClient(client.ID)

291 if err != nil {

292 t.Fatalf("Error getting client from %T: %s", store, err)

293 }

294 match, field, expected, got = compareClients(expectation, retrieved)

295 if !match {

296 t.Fatalf("Expected field `%s` to be `%v`, got `%v` from %T", field, expected, got, store)

297 }

298 deleted := true

299 err = context.UpdateClient(client.ID, ClientChange{Deleted: &deleted})

300 if err != nil {

301 t.Fatalf("Error deleting client from %T: %s", store, err)

302 }

303 }

304 }

305 }

306

307 func TestClientEndpointChecks(t *testing.T) {

308 t.Parallel()

309 client := Client{

310 ID: uuid.NewID(),

311 Secret: "secret",

312 OwnerID: uuid.NewID(),

313 Name: "name",

314 Logo: "logo",

315 Website: "website",

316 }

317 endpoint1 := Endpoint{

318 ID: uuid.NewID(),

319 ClientID: client.ID,

320 Added: time.Now().Round(time.Millisecond),

321 URI: "https://www.example.com/first",

322 }

323 endpoint2 := Endpoint{

324 ID: uuid.NewID(),

325 ClientID: client.ID,

326 Added: time.Now().Round(time.Millisecond),

327 URI: "https://www.example.com/my/full/path",

328 }

329 candidates := map[string]bool{

330 "https://www.example.com/": false,

331 "https://www.example.com/first": true,

332 "https://www.example.com/first/extra/path": false,

333 "https://www.example.com/my": false,

334 "https://www.example.com/my/full/path": true,

335 }

336 for _, store := range clientStores {

337 context := Context{clients: store}

338 err := context.SaveClient(client)

339 if err != nil {

340 t.Fatalf("Error saving client in %T: %s", store, err)

341 }

342 err = context.AddEndpoints([]Endpoint{endpoint1})

343 if err != nil {

344 t.Fatalf("Error saving endpoint in %T: %s", store, err)

345 }

346 err = context.AddEndpoints([]Endpoint{endpoint2})

347 if err != nil {

348 t.Fatalf("Error saving endpoint in %T: %s", store, err)

349 }

350 for candidate, expectation := range candidates {

351 result, err := context.CheckEndpoint(client.ID, candidate)

352 if err != nil {

353 t.Fatalf("Error checking endpoint %s in %T: %s", candidate, store, err)

354 }

355 if result != expectation {

356 expectStr := "no"

357 resultStr := "a"

358 if expectation {

359 expectStr = "a"

360 resultStr = "no"

361 }

362 t.Errorf("Expected %s match for %s in %T, got %s match", expectStr, candidate, store, resultStr)

363 }

364 }

365 }

366 }

367

368 func TestClientEndpointChecksStrict(t *testing.T) {

369 t.Parallel()

370 client := Client{

371 ID: uuid.NewID(),

372 Secret: "secret",

373 OwnerID: uuid.NewID(),

374 Name: "name",

375 Logo: "logo",

376 Website: "website",

377 }

378 endpoint1 := Endpoint{

379 ID: uuid.NewID(),

380 ClientID: client.ID,

381 Added: time.Now().Round(time.Millisecond),

382 URI: "https://www.example.com/first",

383 }

384 endpoint2 := Endpoint{

385 ID: uuid.NewID(),

386 ClientID: client.ID,

387 Added: time.Now().Round(time.Millisecond),

388 URI: "https://www.example.com/my/full/path",

389 }

390 candidates := map[string]bool{

391 "https://www.example.com/": false,

392 "https://www.example.com/first": true,

393 "https://www.example.com/first/extra/path": false,

394 "https://www.example.com/my": false,

395 "https://www.example.com/my/full/path": true,

396 }

397 for _, store := range clientStores {

398 context := Context{clients: store}

399 err := context.SaveClient(client)

400 if err != nil {

401 t.Fatalf("Error saving client in %T: %s", store, err)

402 }

403 err = context.AddEndpoints([]Endpoint{endpoint1})

404 if err != nil {

405 t.Fatalf("Error saving endpoint in %T: %s", store, err)

406 }

407 err = context.AddEndpoints([]Endpoint{endpoint2})

408 if err != nil {

409 t.Fatalf("Error saving endpoint in %T: %s", store, err)

410 }

411 for candidate, expectation := range candidates {

412 result, err := context.CheckEndpoint(client.ID, candidate)

413 if err != nil {

414 t.Fatalf("Error checking endpoint %s in %T: %s", candidate, store, err)

415 }

416 if result != expectation {

417 expectStr := "no"

418 resultStr := "a"

419 if expectation {

420 expectStr = "a"

421 resultStr = "no"

422 }

423 t.Errorf("Expected %s match for %s in %T, got %s match", expectStr, candidate, store, resultStr)

424 }

425 }

426 }

427 }

428

429 func TestClientChangeValidation(t *testing.T) {

430 t.Parallel()

431 change := ClientChange{}

432 if err := change.Validate(); err[0] != ErrEmptyChange {

433 t.Errorf("Expected %s to give an error of %s, gave %s", "empty change", ErrEmptyChange, err)

434 }

435 names := map[string][]error{

436 "a": []error{ErrClientNameTooShort},

437 "ab": []error{},

438 "abc": []error{},

439 "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopq": []error{ErrClientNameTooLong},

440 }

441 for name, expectation := range names {

442 change = ClientChange{Name: &name}

443 errs := change.Validate()

444 if len(errs) != len(expectation) {

445 t.Errorf("Expected %s to give %d errors, gave %d", name, len(expectation), len(errs))

446 t.Logf("%+v", errs)

447 }

448 for pos, err := range errs {

449 if err != expectation[pos] {

450 t.Errorf("Expected %s to give an error of %s in position %d, gave %s", name, expectation[pos], pos, err)

451 }

452 }

453 }

454 longPath := ""

455 for i := 0; i < 1025; i++ {

456 longPath = fmt.Sprintf("%s%d", longPath, i)

457 }

458 logos := map[string][]error{

459 "https://www.example.com/" + longPath: []error{ErrClientLogoTooLong},

460 "https://www.example.com/ab": []error{},

461 "www.example.com/ab": []error{ErrClientLogoNotURL},

462 "test": []error{ErrClientLogoNotURL},

463 "": []error{},

464 }

465 for logo, expectation := range logos {

466 change = ClientChange{Logo: &logo}

467 errs := change.Validate()

468 if len(errs) != len(expectation) {

469 t.Errorf("Expected %s to give %d errors, gave %d", logo, len(expectation), len(errs))

470 }

471 for pos, err := range errs {

472 if err != expectation[pos] {

473 t.Errorf("Expected %s to give an error of %s in positiong %d, gave %s", logo, expectation[pos], pos, err)

474 }

475 }

476 }

477 websites := map[string][]error{

478 "https://www.example.com/" + longPath: []error{ErrClientWebsiteTooLong},

479 "https://www.example.com/ab": []error{},

480 "www.example.com/ab": []error{ErrClientWebsiteNotURL},

481 "test": []error{ErrClientWebsiteNotURL},

482 "": []error{},

483 }

484 for website, expectation := range websites {

485 change = ClientChange{Website: &website}

486 errs := change.Validate()

487 if len(errs) != len(expectation) {

488 t.Errorf("Expected %s to give %d errors, gave %d", website, len(expectation), len(errs))

489 }

490 for pos, err := range errs {

491 if err != expectation[pos] {

492 t.Errorf("Expected %s to give an error of %s in position %d, gave %s", website, expectation[pos], pos, err)

493 }

494 }

495 }

496 }

497

498 func TestGetClientAuth(t *testing.T) {

499 t.Parallel()

500 type clientAuthRequest struct {

501 username string

502 pass string

503 clientID string

504 allowPublic bool

505 expectedClientID uuid.ID

506 expectedClientSecret string

507 expectedValid bool

508 expectedCode int

509 expectedBody string

510 expectAuthenticateHeader bool

511 }

512 id := uuid.NewID()

513 tests := []clientAuthRequest{

514 {"", "", "", false, nil, "", false, http.StatusUnauthorized, `{"error":"invalid_client"}`, false},

515 {"", "", "", true, nil, "", false, http.StatusUnauthorized, `{"error":"invalid_client"}`, false},

516 {"", "no clientID set", "", false, nil, "", false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

517 {"", "no clientID set", "", true, nil, "", false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

518 {"not an actual id", "invalid client ID set", "", false, nil, "", false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

519 {"not an actual id", "invalid client ID set", "", true, nil, "", false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

520 {"", "", "not an actual id", true, nil, "", false, http.StatusUnauthorized, `{"error":"invalid_client"}`, false},

521 {id.String(), "secret", "", true, id, "secret", true, http.StatusOK, "", false},

522 {id.String(), "secret", "", false, id, "secret", true, http.StatusOK, "", false},

523 {"", "", id.String(), true, id, "", true, http.StatusOK, "", false},

524 {"", "", id.String(), false, nil, "", false, http.StatusBadRequest, `{"error":"unauthorized_client"}`, false},

525 }

526 for pos, test := range tests {

527 t.Logf("Running test #%d, with request %+v", pos, test)

528 w := httptest.NewRecorder()

529 r, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)

530 if err != nil {

531 t.Fatal("Can't build request:", err)

532 }

533 if test.username != "" || test.pass != "" {

534 r.SetBasicAuth(test.username, test.pass)

535 }

536 r.Header.Set("Content-Type", "application/x-www-form-urlencoded")

537 params := url.Values{}

538 params.Set("client_id", test.clientID)

539 body := bytes.NewBufferString(params.Encode())

540 r.Body = ioutil.NopCloser(body)

541 respID, respSecret, success := getClientAuth(w, r, test.allowPublic)

542 if (respID == nil && test.expectedClientID != nil) || (respID != nil && test.expectedClientID == nil) || !respID.Equal(test.expectedClientID) {

543 t.Errorf("Expected response ID to be %v, got %v", test.expectedClientID, respID)

544 }

545 if test.expectedClientSecret != respSecret {

546 t.Errorf("Expected response secret to be '%s', got '%s'", test.expectedClientSecret, respSecret)

547 }

548 if test.expectedValid != success {

549 t.Errorf("Expected success result to be %v, got %v", test.expectedValid, success)

550 }

551 if test.expectedCode != w.Code {

552 t.Errorf("Expected response code to be %d, got %d", test.expectedCode, w.Code)

553 }

554 if test.expectedBody != strings.TrimSpace(w.Body.String()) {

555 t.Errorf("Expected body to be '%s', got '%s'", test.expectedBody, strings.TrimSpace(w.Body.String()))

556 }

557 if test.expectAuthenticateHeader && w.Header().Get("WWW-Authenticate") != "Basic" {

558 t.Errorf(`Expected header WWW-Authenticate to be set to "Basic", got "%s"`, w.Header().Get("WWW-Authenticate"))

559 }

560 }

561 }

562

563 func TestVerifyClient(t *testing.T) {

564 t.Parallel()

565 type verifyClientRequest struct {

566 username string

567 pass string

568 clientID string

569 allowPublic bool

570 expectedClientID uuid.ID

571 expectedValid bool

572 expectedCode int

573 expectedBody string

574 expectAuthenticateHeader bool

575 }

576 memstore := NewMemstore()

577 context := Context{

578 clients: memstore,

579 }

580 client := Client{

581 ID: uuid.NewID(),

582 Secret: "super secret!",

583 OwnerID: uuid.NewID(),

584 Name: "My test client",

585 Logo: "https://secondbit.org/logo.png",

586 Website: "https://secondbit.org/",

587 Type: "confidential",

588 }

589 err := context.SaveClient(client)

590 if err != nil {

591 t.Fatal("Could not save client:", err)

592 }

593 publicClient := Client{

594 ID: uuid.NewID(),

595 Secret: "",

596 OwnerID: uuid.NewID(),

597 Name: "A public client",

598 Logo: "https://secondbit.org/logo.png",

599 Website: "https://secondbit.org/",

600 Type: "public",

601 }

602 err = context.SaveClient(publicClient)

603 if err != nil {

604 t.Fatal("Could not save client:", err)

605 }

606 id := uuid.NewID()

607 tests := []verifyClientRequest{

608 {"", "", "", false, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, false},

609 {"", "", "", true, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, false},

610 {"", "no clientID set", "", false, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

611 {"", "no clientID set", "", true, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

612 {"not an actual id", "invalid client ID set", "", false, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

613 {"not an actual id", "invalid client ID set", "", true, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

614 {id.String(), "unsaved client ID set", "", false, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

615 {id.String(), "unsaved client ID set", "", true, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

616 {client.ID.String(), "wrong secret", "", false, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

617 {client.ID.String(), "wrong secret", "", true, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, true},

618 {"", "", "not an actual id", true, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, false},

619 {"", "", id.String(), true, nil, false, http.StatusUnauthorized, `{"error":"invalid_client"}`, false},

620 {client.ID.String(), client.Secret, "", true, client.ID, true, http.StatusOK, "", false},

621 {client.ID.String(), client.Secret, "", false, client.ID, true, http.StatusOK, "", false},

622 {"", "", publicClient.ID.String(), true, publicClient.ID, true, http.StatusOK, "", false},

623 {"", "", publicClient.ID.String(), false, nil, false, http.StatusBadRequest, `{"error":"unauthorized_client"}`, false},

624 }

625

626 for pos, test := range tests {

627 t.Logf("Running test #%d, with request %+v", pos, test)

628 w := httptest.NewRecorder()

629 r, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)

630 if err != nil {

631 t.Fatal("Can't build request:", err)

632 }

633 if test.username != "" || test.pass != "" {

634 r.SetBasicAuth(test.username, test.pass)

635 }

636 r.Header.Set("Content-Type", "application/x-www-form-urlencoded")

637 params := url.Values{}

638 params.Set("client_id", test.clientID)

639 body := bytes.NewBufferString(params.Encode())

640 r.Body = ioutil.NopCloser(body)

641 respID, success := verifyClient(w, r, test.allowPublic, context)

642 if (respID == nil && test.expectedClientID != nil) || (respID != nil && test.expectedClientID == nil) || !respID.Equal(test.expectedClientID) {

643 t.Errorf("Expected response ID to be %v, got %v", test.expectedClientID, respID)

644 }

645 if test.expectedValid != success {

646 t.Errorf("Expected success result to be %v, got %v", test.expectedValid, success)

647 }

648 if test.expectedCode != w.Code {

649 t.Errorf("Expected response code to be %d, got %d", test.expectedCode, w.Code)

650 }

651 if test.expectedBody != strings.TrimSpace(w.Body.String()) {

652 t.Errorf("Expected body to be '%s', got '%s'", test.expectedBody, strings.TrimSpace(w.Body.String()))

653 }

654 if test.expectAuthenticateHeader && w.Header().Get("WWW-Authenticate") != "Basic" {

655 t.Errorf(`Expected header WWW-Authenticate to be set to "Basic", got "%s"`, w.Header().Get("WWW-Authenticate"))

656 }

657 }

658 }

659

660 func TestCreateClientHandler(t *testing.T) {

661 t.Parallel()

662 memstore := NewMemstore()

663 c := Context{

664 clients: memstore,

665 profiles: memstore,

666 }

667 w := httptest.NewRecorder()

668 r, err := http.NewRequest("POST", "https://test.auth.secondbit.org/clients", nil)

669 if err != nil {

670 t.Fatal("Can't build request:", err)

671 }

672 r.Header.Set("Content-Type", "application/json")

673 CreateClientHandler(w, r, c)

674 if w.Code != http.StatusUnauthorized {

675 t.Errorf("Expected status of %d, got status %d", http.StatusUnauthorized, w.Code)

676 }

677 expected := `{"errors":[{"error":"access_denied"}]}`

678 result := strings.TrimSpace(w.Body.String())

679 if result != expected {

680 t.Errorf("Expected response to be `%s`, got `%s`", expected, result)

681 }

682 w = httptest.NewRecorder()

683 r.Header.Set("Authorization", "Not basic at all...")

684 CreateClientHandler(w, r, c)

685 if w.Code != http.StatusUnauthorized {

686 t.Errorf("Expected status of %d, got status %d", http.StatusUnauthorized, w.Code)

687 }

688 expected = `{"errors":[{"error":"access_denied"}]}`

689 result = strings.TrimSpace(w.Body.String())

690 if result != expected {

691 t.Errorf("Expected response to be `%s`, got `%s`", expected, result)

692 }

693 w = httptest.NewRecorder()

694 r.Header.Set("Authorization", "Basic TotallyNotBase64Encoded")

695 CreateClientHandler(w, r, c)

696 if w.Code != http.StatusUnauthorized {

697 t.Errorf("Expected status of %d, got status %d", http.StatusUnauthorized, w.Code)

698 }

699 expected = `{"errors":[{"error":"access_denied"}]}`

700 result = strings.TrimSpace(w.Body.String())

701 if result != expected {

702 t.Errorf("Expected response to be `%s`, got `%s`", expected, result)

703 }

704 w = httptest.NewRecorder()

705 r.Header.Set("Authorization", "Basic dGhpc2hhc25vY29sb24=")

706 CreateClientHandler(w, r, c)

707 if w.Code != http.StatusUnauthorized {

708 t.Errorf("Expected status of %d, got status %d", http.StatusUnauthorized, w.Code)

709 }

710 expected = `{"errors":[{"error":"access_denied"}]}`

711 result = strings.TrimSpace(w.Body.String())

712 if result != expected {

713 t.Errorf("Expected response to be `%s`, got `%s`", expected, result)

714 }

715 profile := Profile{

716 ID: uuid.NewID(),

717 Name: "Test User",

718 Passphrase: "f3a4ac4f1d657b2e6e776d24213e39406d50a87a52691a2a78891425af1271d0",

719 Iterations: 1,

720 Salt: "d82d92cfa8bfb5a08270ebbf39a3710d24b352b937fcc8959ebcb40384cc616b",

721 PassphraseScheme: 1,

722 Compromised: false,

723 LockedUntil: time.Time{},

724 PassphraseReset: "",

725 PassphraseResetCreated: time.Time{},

726 Created: time.Now().Round(time.Millisecond),

727 LastSeen: time.Time{},

728 }

729 login := Login{

730 Type: "email",

731 Value: "test@example.com",

732 ProfileID: profile.ID,

733 Created: time.Now().Round(time.Millisecond),

734 LastUsed: time.Time{},

735 }

736 w = httptest.NewRecorder()

737 r.SetBasicAuth("test@example.com", "mysecurepassphrase")

738 CreateClientHandler(w, r, c)

739 if w.Code != http.StatusUnauthorized {

740 t.Errorf("Expected status of %d, got status %d", http.StatusUnauthorized, w.Code)

741 }

742 expected = `{"errors":[{"error":"access_denied"}]}`

743 result = strings.TrimSpace(w.Body.String())

744 if result != expected {

745 t.Errorf("Expected response to be `%s`, got `%s`", expected, result)

746 }

747 err = c.SaveProfile(profile)

748 if err != nil {

749 t.Error("Error saving profile:", err)

750 }

751 err = c.AddLogin(login)

752 if err != nil {

753 t.Error("Error adding login:", err)

754 }

755 r.SetBasicAuth("test@example.com", "mysecurepassphrase")

756 type testStruct struct {

757 request string

758 code int

759 resp Response

760 }

761 tests := []testStruct{

762 {``, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrInvalidFormat, Field: "/"}}}},

763 {`{}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrMissing, Field: "/type"}, {Slug: RequestErrMissing, Field: "/name"}}}},

764 {`{"type":"notarealtype"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrInvalidValue, Field: "/type"}, {Slug: RequestErrMissing, Field: "/name"}}}},

765 {`{"type":"notarealtype","name":"myreallylongnameislongerthatthemaximumnamelength"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrInvalidValue, Field: "/type"}, {Slug: RequestErrOverflow, Field: "/name"}}}},

766 {`{"type":"notarealtype","name":"a"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrInvalidValue, Field: "/type"}, {Slug: RequestErrInsufficient, Field: "/name"}}}},

767 {`{"type":"public"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrMissing, Field: "/name"}}}},

768 {`{"type":"public","name":"myreallylongnameislongerthatthemaximumnamelength"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrOverflow, Field: "/name"}}}},

769 {`{"type":"public","name":"a"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrInsufficient, Field: "/name"}}}},

770 {`{"name":"My Client"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrMissing, Field: "/type"}}}},

771 {`{"type":"notarealtype","name":"My Client"}`, http.StatusBadRequest, Response{Errors: []RequestError{{Slug: RequestErrInvalidValue, Field: "/type"}}}},

772 {`{"type":"public","name":"My Client"}`, http.StatusCreated, Response{Clients: []Client{{Name: "My Client", OwnerID: profile.ID, Type: "public"}}}},

773 {`{"type":"public","name":"My Client", "endpoints": ["https://test.secondbit.org/", "https://paddy.io"]}`, http.StatusCreated, Response{Clients: []Client{{Name: "My Client", OwnerID: profile.ID, Type: "public"}}, Endpoints: []Endpoint{{URI: "https://test.secondbit.org/"}, {URI: "https://paddy.io"}}}},

774 {`{"type":"public","name":"My Client", "endpoints": [":/not a url", "https://paddy.io"]}`, http.StatusCreated, Response{Clients: []Client{{Name: "My Client", OwnerID: profile.ID, Type: "public"}}, Endpoints: []Endpoint{{URI: "https://paddy.io"}}, Errors: []RequestError{{Slug: RequestErrInvalidFormat, Field: "/endpoints/0"}}}},

775 {`{"type":"public","name":"My Client", "endpoints": [":/not a url", "/relative/uri", "https://paddy.io"]}`, http.StatusCreated, Response{Clients: []Client{{Name: "My Client", OwnerID: profile.ID, Type: "public"}}, Endpoints: []Endpoint{{URI: "https://paddy.io"}}, Errors: []RequestError{{Slug: RequestErrInvalidFormat, Field: "/endpoints/0"}, {Slug: RequestErrInvalidValue, Field: "/endpoints/1"}}}},

776 {`{"type":"confidential","name":"Secret Client", "endpoints": ["https://secondbit.org"]}`, http.StatusCreated, Response{Clients: []Client{{Name: "Secret Client", OwnerID: profile.ID, Type: "confidential"}}, Endpoints: []Endpoint{{URI: "https://secondbit.org"}}}},

777 }

778 for pos, test := range tests {

779 t.Logf("Test #%d: `%s`", pos, test.request)

780 w = httptest.NewRecorder()

781 body := bytes.NewBufferString(test.request)

782 r.Body = ioutil.NopCloser(body)

783 CreateClientHandler(w, r, c)

784 if w.Code != test.code {

785 t.Errorf("Expected response code to be %d, got %d", test.code, w.Code)

786 }

787 t.Logf("Response: %s", w.Body.String())

788 var res Response