zitadel/internal/api/oidc/server_integration_test.go

//go:build integration

package oidc_test

import (
	"io"
	"net/http"
	"net/url"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"github.com/zitadel/oidc/v3/pkg/client"
	"github.com/zitadel/oidc/v3/pkg/client/rp"
	"github.com/zitadel/oidc/v3/pkg/oidc"
	"github.com/zitadel/schema"
)

func TestServer_RefreshToken_Status(t *testing.T) {
	clientID, _ := createClient(t)
	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
	require.NoError(t, err)

	tests := []struct {
		name         string
		refreshToken string
	}{
		{
			name:         "invalid base64",
			refreshToken: "~!~@#$%",
		},
		{
			name:         "invalid after decrypt",
			refreshToken: "DEADBEEFDEADBEEF",
		},
		{
			name:         "short input",
			refreshToken: "DEAD",
		},
		{
			name:         "empty input",
			refreshToken: "",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			request := rp.RefreshTokenRequest{
				RefreshToken: tt.refreshToken,
				ClientID:     clientID,
				GrantType:    oidc.GrantTypeRefreshToken,
			}
			client.CallTokenEndpoint(CTX, request, tokenEndpointCaller{RelyingParty: provider})

			values := make(url.Values)
			err := schema.NewEncoder().Encode(request, values)
			require.NoError(t, err)

			resp, err := http.Post(provider.OAuthConfig().Endpoint.TokenURL, "application/x-www-form-urlencoded", strings.NewReader(values.Encode()))
			require.NoError(t, err)
			defer resp.Body.Close()
			assert.Less(t, resp.StatusCode, 500)
			body, err := io.ReadAll(resp.Body)
			require.NoError(t, err)
			t.Log(string(body))
		})
	}
}

type tokenEndpointCaller struct {
	rp.RelyingParty
}

func (t tokenEndpointCaller) TokenEndpoint() string {
	return t.OAuthConfig().Endpoint.TokenURL
}
chore(oidc): add refresh token error integration test (#7766) We are trying to reproduce a few 500 responses we observe on zitadel cloud's token endpoint. As in the past these were caused by wrongly encoded or encrypted refresh tokens, I created a integration test which tries to reproduce 500 errors by sending invalid refresh tokens. The added test does not reproduce 500s, all returned errors are in the 400 range as they should. However, as the test is already written, we might as well include them. Related to #7765 Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-04-17 08:38:03 +00:00			`//go:build integration`

			`package oidc_test`

			`import (`
			`"io"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`"github.com/zitadel/oidc/v3/pkg/client"`
			`"github.com/zitadel/oidc/v3/pkg/client/rp"`
			`"github.com/zitadel/oidc/v3/pkg/oidc"`
			`"github.com/zitadel/schema"`
			`)`

			`func TestServer_RefreshToken_Status(t *testing.T) {`
			`clientID, _ := createClient(t)`
			`provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)`
			`require.NoError(t, err)`

			`tests := []struct {`
			`name string`
			`refreshToken string`
			`}{`
			`{`
			`name: "invalid base64",`
			`refreshToken: "~!~@#$%",`
			`},`
			`{`
			`name: "invalid after decrypt",`
			`refreshToken: "DEADBEEFDEADBEEF",`
			`},`
			`{`
			`name: "short input",`
			`refreshToken: "DEAD",`
			`},`
			`{`
			`name: "empty input",`
			`refreshToken: "",`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`request := rp.RefreshTokenRequest{`
			`RefreshToken: tt.refreshToken,`
			`ClientID: clientID,`
			`GrantType: oidc.GrantTypeRefreshToken,`
			`}`
			`client.CallTokenEndpoint(CTX, request, tokenEndpointCaller{RelyingParty: provider})`

			`values := make(url.Values)`
			`err := schema.NewEncoder().Encode(request, values)`
			`require.NoError(t, err)`

			`resp, err := http.Post(provider.OAuthConfig().Endpoint.TokenURL, "application/x-www-form-urlencoded", strings.NewReader(values.Encode()))`
			`require.NoError(t, err)`
			`defer resp.Body.Close()`
			`assert.Less(t, resp.StatusCode, 500)`
			`body, err := io.ReadAll(resp.Body)`
			`require.NoError(t, err)`
			`t.Log(string(body))`
			`})`
			`}`
			`}`

			`type tokenEndpointCaller struct {`
			`rp.RelyingParty`
			`}`

			`func (t tokenEndpointCaller) TokenEndpoint() string {`
			`return t.OAuthConfig().Endpoint.TokenURL`
			`}`