headscale/hscontrol/oidc_test.go

package hscontrol

import (
	"testing"

	"github.com/juanfont/headscale/hscontrol/types"
)

func TestDoOIDCAuthorization(t *testing.T) {
	testCases := []struct {
		name    string
		cfg     *types.OIDCConfig
		claims  *types.OIDCClaims
		wantErr bool
	}{
		{
			name:    "verified email domain",
			wantErr: false,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{"test.com"},
				AllowedUsers:          []string{},
				AllowedGroups:         []string{},
			},
			claims: &types.OIDCClaims{
				Email:         "user@test.com",
				EmailVerified: true,
			},
		},
		{
			name:    "verified email user",
			wantErr: false,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{},
				AllowedUsers:          []string{"user@test.com"},
				AllowedGroups:         []string{},
			},
			claims: &types.OIDCClaims{
				Email:         "user@test.com",
				EmailVerified: true,
			},
		},
		{
			name:    "unverified email domain",
			wantErr: true,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{"test.com"},
				AllowedUsers:          []string{},
				AllowedGroups:         []string{},
			},
			claims: &types.OIDCClaims{
				Email:         "user@test.com",
				EmailVerified: false,
			},
		},
		{
			name:    "group member",
			wantErr: false,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{},
				AllowedUsers:          []string{},
				AllowedGroups:         []string{"test"},
			},
			claims: &types.OIDCClaims{Groups: []string{"test"}},
		},
		{
			name:    "non group member",
			wantErr: true,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{},
				AllowedUsers:          []string{},
				AllowedGroups:         []string{"nope"},
			},
			claims: &types.OIDCClaims{Groups: []string{"testo"}},
		},
		{
			name:    "group member but bad domain",
			wantErr: true,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{"user@good.com"},
				AllowedUsers:          []string{},
				AllowedGroups:         []string{"test group"},
			},
			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "bad@bad.com", EmailVerified: true},
		},
		{
			name:    "all checks pass",
			wantErr: false,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{"test.com"},
				AllowedUsers:          []string{"user@test.com"},
				AllowedGroups:         []string{"test group"},
			},
			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: true},
		},
		{
			name:    "all checks pass with unverified email",
			wantErr: false,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: false,
				AllowedDomains:        []string{"test.com"},
				AllowedUsers:          []string{"user@test.com"},
				AllowedGroups:         []string{"test group"},
			},
			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false},
		},
		{
			name:    "fail on unverified email",
			wantErr: true,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{"test.com"},
				AllowedUsers:          []string{"user@test.com"},
				AllowedGroups:         []string{"test group"},
			},
			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false},
		},
		{
			name:    "unverified email user only",
			wantErr: true,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{},
				AllowedUsers:          []string{"user@test.com"},
				AllowedGroups:         []string{},
			},
			claims: &types.OIDCClaims{
				Email:         "user@test.com",
				EmailVerified: false,
			},
		},
		{
			name:    "no filters configured",
			wantErr: false,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{},
				AllowedUsers:          []string{},
				AllowedGroups:         []string{},
			},
			claims: &types.OIDCClaims{
				Email:         "anyone@anywhere.com",
				EmailVerified: false,
			},
		},
		{
			name:    "multiple allowed groups second matches",
			wantErr: false,
			cfg: &types.OIDCConfig{
				EmailVerifiedRequired: true,
				AllowedDomains:        []string{},
				AllowedUsers:          []string{},
				AllowedGroups:         []string{"group1", "group2", "group3"},
			},
			claims: &types.OIDCClaims{Groups: []string{"group2"}},
		},
	}

	for _, tC := range testCases {
		t.Run(tC.name, func(t *testing.T) {
			err := doOIDCAuthorization(tC.cfg, tC.claims)
			if ((err != nil) && !tC.wantErr) || ((err == nil) && tC.wantErr) {
				t.Errorf("bad authorization: %s > want=%v | got=%v", tC.name, tC.wantErr, err)
			}
		})
	}
}
oidc: make email verification configurable Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com> 2025-12-18 06:42:32 -05:00			`package hscontrol`

			`import (`
			`"testing"`

			`"github.com/juanfont/headscale/hscontrol/types"`
			`)`

			`func TestDoOIDCAuthorization(t *testing.T) {`
			`testCases := []struct {`
			`name string`
			`cfg *types.OIDCConfig`
			`claims *types.OIDCClaims`
			`wantErr bool`
			`}{`
			`{`
			`name: "verified email domain",`
			`wantErr: false,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{"test.com"},`
			`AllowedUsers: []string{},`
			`AllowedGroups: []string{},`
			`},`
			`claims: &types.OIDCClaims{`
			`Email: "user@test.com",`
			`EmailVerified: true,`
			`},`
			`},`
			`{`
			`name: "verified email user",`
			`wantErr: false,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{},`
			`AllowedUsers: []string{"user@test.com"},`
			`AllowedGroups: []string{},`
			`},`
			`claims: &types.OIDCClaims{`
			`Email: "user@test.com",`
			`EmailVerified: true,`
			`},`
			`},`
			`{`
			`name: "unverified email domain",`
			`wantErr: true,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{"test.com"},`
			`AllowedUsers: []string{},`
			`AllowedGroups: []string{},`
			`},`
			`claims: &types.OIDCClaims{`
			`Email: "user@test.com",`
			`EmailVerified: false,`
			`},`
			`},`
			`{`
			`name: "group member",`
			`wantErr: false,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{},`
			`AllowedUsers: []string{},`
			`AllowedGroups: []string{"test"},`
			`},`
			`claims: &types.OIDCClaims{Groups: []string{"test"}},`
			`},`
			`{`
			`name: "non group member",`
			`wantErr: true,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{},`
			`AllowedUsers: []string{},`
			`AllowedGroups: []string{"nope"},`
			`},`
			`claims: &types.OIDCClaims{Groups: []string{"testo"}},`
			`},`
			`{`
			`name: "group member but bad domain",`
			`wantErr: true,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{"user@good.com"},`
			`AllowedUsers: []string{},`
			`AllowedGroups: []string{"test group"},`
			`},`
			`claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "bad@bad.com", EmailVerified: true},`
			`},`
			`{`
			`name: "all checks pass",`
			`wantErr: false,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{"test.com"},`
			`AllowedUsers: []string{"user@test.com"},`
			`AllowedGroups: []string{"test group"},`
			`},`
			`claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: true},`
			`},`
			`{`
			`name: "all checks pass with unverified email",`
			`wantErr: false,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: false,`
			`AllowedDomains: []string{"test.com"},`
			`AllowedUsers: []string{"user@test.com"},`
			`AllowedGroups: []string{"test group"},`
			`},`
			`claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false},`
			`},`
			`{`
			`name: "fail on unverified email",`
			`wantErr: true,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{"test.com"},`
			`AllowedUsers: []string{"user@test.com"},`
			`AllowedGroups: []string{"test group"},`
			`},`
			`claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false},`
			`},`
			`{`
			`name: "unverified email user only",`
			`wantErr: true,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{},`
			`AllowedUsers: []string{"user@test.com"},`
			`AllowedGroups: []string{},`
			`},`
			`claims: &types.OIDCClaims{`
			`Email: "user@test.com",`
			`EmailVerified: false,`
			`},`
			`},`
			`{`
			`name: "no filters configured",`
			`wantErr: false,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{},`
			`AllowedUsers: []string{},`
			`AllowedGroups: []string{},`
			`},`
			`claims: &types.OIDCClaims{`
			`Email: "anyone@anywhere.com",`
			`EmailVerified: false,`
			`},`
			`},`
			`{`
			`name: "multiple allowed groups second matches",`
			`wantErr: false,`
			`cfg: &types.OIDCConfig{`
			`EmailVerifiedRequired: true,`
			`AllowedDomains: []string{},`
			`AllowedUsers: []string{},`
			`AllowedGroups: []string{"group1", "group2", "group3"},`
			`},`
			`claims: &types.OIDCClaims{Groups: []string{"group2"}},`
			`},`
			`}`

			`for _, tC := range testCases {`
			`t.Run(tC.name, func(t *testing.T) {`
			`err := doOIDCAuthorization(tC.cfg, tC.claims)`
			`if ((err != nil) && !tC.wantErr) \|\| ((err == nil) && tC.wantErr) {`
			`t.Errorf("bad authorization: %s > want=%v \| got=%v", tC.name, tC.wantErr, err)`
			`}`
			`})`
			`}`
			`}`