...

Source file src/github.com/ory/fosite/handler/openid/flow_refresh_token_test.go

Documentation: github.com/ory/fosite/handler/openid 

     1  /*
     2   * Copyright © 2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
     3   *
     4   * Licensed under the Apache License, Version 2.0 (the "License");
     5   * you may not use this file except in compliance with the License.
     6   * You may obtain a copy of the License at
     7   *
     8   *     http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13   * See the License for the specific language governing permissions and
    14   * limitations under the License.
    15   *
    16   * @author		Aeneas Rekkas <aeneas+oss@aeneas.io>
    17   * @copyright 	2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
    18   * @license 	Apache-2.0
    19   *
    20   */
    21  
    22  package openid
    23  
    24  import (
    25  	"testing"
    26  
    27  	"github.com/stretchr/testify/assert"
    28  	"github.com/stretchr/testify/require"
    29  
    30  	"github.com/ory/fosite"
    31  	"github.com/ory/fosite/token/jwt"
    32  )
    33  
    34  func TestOpenIDConnectRefreshHandler_HandleTokenEndpointRequest(t *testing.T) {
    35  	h := &OpenIDConnectRefreshHandler{}
    36  	for _, c := range []struct {
    37  		areq        *fosite.AccessRequest
    38  		expectedErr error
    39  		description string
    40  	}{
    41  		{
    42  			description: "should not pass because grant_type is wrong",
    43  			areq: &fosite.AccessRequest{
    44  				GrantTypes: []string{"foo"},
    45  			},
    46  			expectedErr: fosite.ErrUnknownRequest,
    47  		},
    48  		{
    49  			description: "should not pass because grant_type is right but scope is missing",
    50  			areq: &fosite.AccessRequest{
    51  				GrantTypes: []string{"refresh_token"},
    52  				Request: fosite.Request{
    53  					GrantedScope: []string{"something"},
    54  				},
    55  			},
    56  			expectedErr: fosite.ErrUnknownRequest,
    57  		},
    58  		{
    59  			description: "should not pass because client may not execute this grant type",
    60  			areq: &fosite.AccessRequest{
    61  				GrantTypes: []string{"refresh_token"},
    62  				Request: fosite.Request{
    63  					GrantedScope: []string{"openid"},
    64  					Client:       &fosite.DefaultClient{},
    65  				},
    66  			},
    67  			expectedErr: fosite.ErrUnauthorizedClient,
    68  		},
    69  		{
    70  			description: "should pass",
    71  			areq: &fosite.AccessRequest{
    72  				GrantTypes: []string{"refresh_token"},
    73  				Request: fosite.Request{
    74  					GrantedScope: []string{"openid"},
    75  					Client: &fosite.DefaultClient{
    76  						GrantTypes: []string{"refresh_token"},
    77  						//ResponseTypes: []string{"id_token"},
    78  					},
    79  					Session: &DefaultSession{},
    80  				},
    81  			},
    82  		},
    83  	} {
    84  		t.Run("case="+c.description, func(t *testing.T) {
    85  			err := h.HandleTokenEndpointRequest(nil, c.areq)
    86  			if c.expectedErr != nil {
    87  				require.EqualError(t, err, c.expectedErr.Error(), "%v", err)
    88  			} else {
    89  				require.NoError(t, err)
    90  			}
    91  		})
    92  	}
    93  }
    94  
    95  func TestOpenIDConnectRefreshHandler_PopulateTokenEndpointResponse(t *testing.T) {
    96  	var j = &DefaultStrategy{
    97  		JWTStrategy: &jwt.RS256JWTStrategy{
    98  			PrivateKey: key,
    99  		},
   100  		MinParameterEntropy: fosite.MinParameterEntropy,
   101  	}
   102  
   103  	h := &OpenIDConnectRefreshHandler{
   104  		IDTokenHandleHelper: &IDTokenHandleHelper{
   105  			IDTokenStrategy: j,
   106  		},
   107  	}
   108  	for _, c := range []struct {
   109  		areq        *fosite.AccessRequest
   110  		expectedErr error
   111  		check       func(t *testing.T, aresp *fosite.AccessResponse)
   112  		description string
   113  	}{
   114  		{
   115  			description: "should not pass because grant_type is wrong",
   116  			areq: &fosite.AccessRequest{
   117  				GrantTypes: []string{"foo"},
   118  			},
   119  			expectedErr: fosite.ErrUnknownRequest,
   120  		},
   121  		{
   122  			description: "should not pass because grant_type is right but scope is missing",
   123  			areq: &fosite.AccessRequest{
   124  				GrantTypes: []string{"refresh_token"},
   125  				Request: fosite.Request{
   126  					GrantedScope: []string{"something"},
   127  				},
   128  			},
   129  			expectedErr: fosite.ErrUnknownRequest,
   130  		},
   131  		// Disabled because this is already handled at the authorize_request_handler
   132  		//{
   133  		//	description: "should not pass because client may not ask for id_token",
   134  		//	areq: &fosite.AccessRequest{
   135  		//		GrantTypes: []string{"refresh_token"},
   136  		//		Request: fosite.Request{
   137  		//			GrantedScope: []string{"openid"},
   138  		//			Client: &fosite.DefaultClient{
   139  		//				GrantTypes: []string{"refresh_token"},
   140  		//			},
   141  		//		},
   142  		//	},
   143  		//	expectedErr: fosite.ErrUnknownRequest,
   144  		//},
   145  		{
   146  			description: "should pass",
   147  			areq: &fosite.AccessRequest{
   148  				GrantTypes: []string{"refresh_token"},
   149  				Request: fosite.Request{
   150  					GrantedScope: []string{"openid"},
   151  					Client: &fosite.DefaultClient{
   152  						GrantTypes: []string{"refresh_token"},
   153  						//ResponseTypes: []string{"id_token"},
   154  					},
   155  					Session: &DefaultSession{
   156  						Subject: "foo",
   157  						Claims: &jwt.IDTokenClaims{
   158  							Subject: "foo",
   159  						},
   160  					},
   161  				},
   162  			},
   163  			check: func(t *testing.T, aresp *fosite.AccessResponse) {
   164  				assert.NotEmpty(t, aresp.GetExtra("id_token"))
   165  				idToken, _ := aresp.GetExtra("id_token").(string)
   166  				decodedIdToken, err := jwt.Parse(idToken, func(token *jwt.Token) (interface{}, error) {
   167  					return key.PublicKey, nil
   168  				})
   169  				require.NoError(t, err)
   170  				claims := decodedIdToken.Claims
   171  				assert.NotEmpty(t, claims["at_hash"])
   172  			},
   173  		},
   174  		{
   175  			description: "should fail because missing subject claim",
   176  			areq: &fosite.AccessRequest{
   177  				GrantTypes: []string{"refresh_token"},
   178  				Request: fosite.Request{
   179  					GrantedScope: []string{"openid"},
   180  					Client: &fosite.DefaultClient{
   181  						GrantTypes: []string{"refresh_token"},
   182  						//ResponseTypes: []string{"id_token"},
   183  					},
   184  					Session: &DefaultSession{
   185  						Subject: "foo",
   186  						Claims:  &jwt.IDTokenClaims{},
   187  					},
   188  				},
   189  			},
   190  			expectedErr: fosite.ErrServerError,
   191  		},
   192  		{
   193  			description: "should fail because missing session",
   194  			areq: &fosite.AccessRequest{
   195  				GrantTypes: []string{"refresh_token"},
   196  				Request: fosite.Request{
   197  					GrantedScope: []string{"openid"},
   198  					Client: &fosite.DefaultClient{
   199  						GrantTypes: []string{"refresh_token"},
   200  					},
   201  				},
   202  			},
   203  			expectedErr: fosite.ErrServerError,
   204  		},
   205  	} {
   206  		t.Run("case="+c.description, func(t *testing.T) {
   207  			aresp := fosite.NewAccessResponse()
   208  			err := h.PopulateTokenEndpointResponse(nil, c.areq, aresp)
   209  			if c.expectedErr != nil {
   210  				require.EqualError(t, err, c.expectedErr.Error(), "%v", err)
   211  			} else {
   212  				require.NoError(t, err)
   213  			}
   214  
   215  			if c.check != nil {
   216  				c.check(t, aresp)
   217  			}
   218  		})
   219  	}
   220  }
   221  

View as plain text