package hscontrol import ( "testing" "github.com/juanfont/headscale/hscontrol/types" ) func TestDoOIDCAuthorization(t *testing.T) { testCases := []struct { name string cfg *types.OIDCConfig claims *types.OIDCClaims wantErr bool }{ { name: "verified email domain", wantErr: false, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{"test.com"}, AllowedUsers: []string{}, AllowedGroups: []string{}, }, claims: &types.OIDCClaims{ Email: "user@test.com", EmailVerified: true, }, }, { name: "verified email user", wantErr: false, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{}, AllowedUsers: []string{"user@test.com"}, AllowedGroups: []string{}, }, claims: &types.OIDCClaims{ Email: "user@test.com", EmailVerified: true, }, }, { name: "unverified email domain", wantErr: true, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{"test.com"}, AllowedUsers: []string{}, AllowedGroups: []string{}, }, claims: &types.OIDCClaims{ Email: "user@test.com", EmailVerified: false, }, }, { name: "group member", wantErr: false, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{}, AllowedUsers: []string{}, AllowedGroups: []string{"test"}, }, claims: &types.OIDCClaims{Groups: []string{"test"}}, }, { name: "non group member", wantErr: true, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{}, AllowedUsers: []string{}, AllowedGroups: []string{"nope"}, }, claims: &types.OIDCClaims{Groups: []string{"testo"}}, }, { name: "group member but bad domain", wantErr: true, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{"user@good.com"}, AllowedUsers: []string{}, AllowedGroups: []string{"test group"}, }, claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "bad@bad.com", EmailVerified: true}, }, { name: "all checks pass", wantErr: false, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{"test.com"}, AllowedUsers: []string{"user@test.com"}, AllowedGroups: []string{"test group"}, }, claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: true}, }, { name: "all checks pass with unverified email", wantErr: false, cfg: &types.OIDCConfig{ EmailVerifiedRequired: false, AllowedDomains: []string{"test.com"}, AllowedUsers: []string{"user@test.com"}, AllowedGroups: []string{"test group"}, }, claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false}, }, { name: "fail on unverified email", wantErr: true, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{"test.com"}, AllowedUsers: []string{"user@test.com"}, AllowedGroups: []string{"test group"}, }, claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false}, }, { name: "unverified email user only", wantErr: true, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{}, AllowedUsers: []string{"user@test.com"}, AllowedGroups: []string{}, }, claims: &types.OIDCClaims{ Email: "user@test.com", EmailVerified: false, }, }, { name: "no filters configured", wantErr: false, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{}, AllowedUsers: []string{}, AllowedGroups: []string{}, }, claims: &types.OIDCClaims{ Email: "anyone@anywhere.com", EmailVerified: false, }, }, { name: "multiple allowed groups second matches", wantErr: false, cfg: &types.OIDCConfig{ EmailVerifiedRequired: true, AllowedDomains: []string{}, AllowedUsers: []string{}, AllowedGroups: []string{"group1", "group2", "group3"}, }, claims: &types.OIDCClaims{Groups: []string{"group2"}}, }, } for _, tC := range testCases { t.Run(tC.name, func(t *testing.T) { err := doOIDCAuthorization(tC.cfg, tC.claims) if ((err != nil) && !tC.wantErr) || ((err == nil) && tC.wantErr) { t.Errorf("bad authorization: %s > want=%v | got=%v", tC.name, tC.wantErr, err) } }) } }