2023-05-24 20:29:58 +02:00
|
|
|
package command
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"net/url"
|
|
|
|
|
"testing"
|
2025-05-02 13:44:24 +02:00
|
|
|
"time"
|
2023-05-24 20:29:58 +02:00
|
|
|
|
2025-05-02 13:44:24 +02:00
|
|
|
crewjam_saml "github.com/crewjam/saml"
|
|
|
|
|
goldap "github.com/go-ldap/ldap/v3"
|
2024-05-23 07:04:07 +02:00
|
|
|
"github.com/muhlemmer/gu"
|
2023-05-24 20:29:58 +02:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2023-10-19 12:34:00 +02:00
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
2023-11-22 12:56:43 +02:00
|
|
|
"go.uber.org/mock/gomock"
|
2023-05-24 20:29:58 +02:00
|
|
|
"golang.org/x/oauth2"
|
2023-08-16 13:29:57 +02:00
|
|
|
"golang.org/x/text/language"
|
2023-05-24 20:29:58 +02:00
|
|
|
|
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/id"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/id/mock"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/idp"
|
2023-08-08 11:28:47 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/idp/providers/azuread"
|
2023-05-24 20:29:58 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/idp/providers/jwt"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/idp/providers/ldap"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/idp/providers/oauth"
|
|
|
|
|
openid "github.com/zitadel/zitadel/internal/idp/providers/oidc"
|
2025-05-02 13:44:24 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/idp/providers/saml"
|
2023-05-24 20:29:58 +02:00
|
|
|
rep_idp "github.com/zitadel/zitadel/internal/repository/idp"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/idpintent"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/instance"
|
2024-05-07 08:11:20 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/org"
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2023-05-24 20:29:58 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestCommands_CreateIntent(t *testing.T) {
|
|
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-05-24 20:29:58 +02:00
|
|
|
idGenerator id.Generator
|
|
|
|
|
}
|
|
|
|
|
type args struct {
|
2025-02-26 13:20:47 +01:00
|
|
|
ctx context.Context
|
|
|
|
|
intentID string
|
|
|
|
|
idpID string
|
|
|
|
|
successURL string
|
|
|
|
|
failureURL string
|
|
|
|
|
instanceID string
|
|
|
|
|
idpArguments map[string]any
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
intentID string
|
|
|
|
|
details *domain.ObjectDetails
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"error no id generator",
|
|
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-12-08 16:30:55 +02:00
|
|
|
idGenerator: mock.NewIDGeneratorExpectError(t, zerrors.ThrowInternal(nil, "", "error id")),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
args{
|
2024-05-07 08:11:20 +02:00
|
|
|
ctx: context.Background(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpID: "",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInternal(nil, "", "error id"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"error no idpID",
|
|
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
2024-05-07 08:11:20 +02:00
|
|
|
ctx: context.Background(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpID: "",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInvalidArgument(nil, "COMMAND-x8j2bk", "Errors.Intent.IDPMissing"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"error no successURL",
|
|
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
2024-05-07 08:11:20 +02:00
|
|
|
ctx: context.Background(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpID: "idp",
|
|
|
|
|
successURL: ":",
|
|
|
|
|
failureURL: "https://failure.url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInvalidArgument(nil, "COMMAND-x8j3bk", "Errors.Intent.SuccessURLMissing"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"error no failureURL",
|
|
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
2024-05-07 08:11:20 +02:00
|
|
|
ctx: context.Background(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpID: "idp",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: ":",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInvalidArgument(nil, "COMMAND-x8j4bk", "Errors.Intent.FailureURLMissing"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
2024-05-07 08:11:20 +02:00
|
|
|
"error idp not existing org",
|
2023-05-24 20:29:58 +02:00
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectFilter(),
|
|
|
|
|
expectFilter(),
|
2024-05-07 08:11:20 +02:00
|
|
|
),
|
|
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
instanceID: "instance",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-39n221fs", "Errors.IDPConfig.NotExisting"),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"error idp not existing instance",
|
|
|
|
|
fields{
|
|
|
|
|
eventstore: expectEventstore(
|
|
|
|
|
expectFilter(),
|
2023-05-24 20:29:58 +02:00
|
|
|
expectFilter(),
|
|
|
|
|
),
|
|
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
2024-05-07 08:11:20 +02:00
|
|
|
ctx: context.Background(),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpID: "idp",
|
2024-05-07 08:11:20 +02:00
|
|
|
instanceID: "instance",
|
2023-05-24 20:29:58 +02:00
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-39n221fs", "Errors.IDPConfig.NotExisting"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
2024-05-07 08:11:20 +02:00
|
|
|
"push, org",
|
2023-05-24 20:29:58 +02:00
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectFilter(),
|
2024-05-07 08:11:20 +02:00
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusher(
|
|
|
|
|
org.NewOAuthIDPAddedEvent(context.Background(), &org.NewAggregate("org").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
"auth",
|
|
|
|
|
"token",
|
|
|
|
|
"user",
|
|
|
|
|
"idAttribute",
|
|
|
|
|
nil,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2024-05-07 08:11:20 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectPush(
|
|
|
|
|
func() eventstore.Command {
|
|
|
|
|
success, _ := url.Parse("https://success.url")
|
|
|
|
|
failure, _ := url.Parse("https://failure.url")
|
|
|
|
|
return idpintent.NewStartedEvent(
|
|
|
|
|
context.Background(),
|
|
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
|
|
|
|
success,
|
|
|
|
|
failure,
|
|
|
|
|
"idp",
|
2025-02-26 13:20:47 +01:00
|
|
|
nil,
|
2024-05-07 08:11:20 +02:00
|
|
|
)
|
|
|
|
|
}(),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
|
|
|
|
instanceID: "instance",
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
intentID: "id",
|
|
|
|
|
details: &domain.ObjectDetails{ResourceOwner: "instance"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"push, instance",
|
|
|
|
|
fields{
|
|
|
|
|
eventstore: expectEventstore(
|
|
|
|
|
expectFilter(),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusher(
|
|
|
|
|
instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
"auth",
|
|
|
|
|
"token",
|
|
|
|
|
"user",
|
|
|
|
|
"idAttribute",
|
|
|
|
|
nil,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2024-05-07 08:11:20 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectPush(
|
|
|
|
|
func() eventstore.Command {
|
|
|
|
|
success, _ := url.Parse("https://success.url")
|
|
|
|
|
failure, _ := url.Parse("https://failure.url")
|
|
|
|
|
return idpintent.NewStartedEvent(
|
|
|
|
|
context.Background(),
|
|
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
|
|
|
|
success,
|
|
|
|
|
failure,
|
|
|
|
|
"idp",
|
2025-02-26 13:20:47 +01:00
|
|
|
map[string]interface{}{
|
|
|
|
|
"verifier": "pkceOAuthVerifier",
|
|
|
|
|
},
|
2024-05-07 08:11:20 +02:00
|
|
|
)
|
|
|
|
|
}(),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
|
|
|
|
instanceID: "instance",
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
2025-02-26 13:20:47 +01:00
|
|
|
idpArguments: map[string]interface{}{
|
|
|
|
|
"verifier": "pkceOAuthVerifier",
|
|
|
|
|
},
|
2024-05-07 08:11:20 +02:00
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
intentID: "id",
|
|
|
|
|
details: &domain.ObjectDetails{ResourceOwner: "instance"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"push, instance without org",
|
|
|
|
|
fields{
|
|
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectFilter(),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusher(
|
2024-05-07 08:11:20 +02:00
|
|
|
instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
2023-05-24 20:29:58 +02:00
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
"auth",
|
|
|
|
|
"token",
|
|
|
|
|
"user",
|
|
|
|
|
"idAttribute",
|
|
|
|
|
nil,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2023-05-24 20:29:58 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
func() eventstore.Command {
|
|
|
|
|
success, _ := url.Parse("https://success.url")
|
|
|
|
|
failure, _ := url.Parse("https://failure.url")
|
|
|
|
|
return idpintent.NewStartedEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-10-19 12:19:10 +02:00
|
|
|
success,
|
|
|
|
|
failure,
|
|
|
|
|
"idp",
|
2025-02-26 13:20:47 +01:00
|
|
|
map[string]interface{}{
|
|
|
|
|
"verifier": "pkceOAuthVerifier",
|
|
|
|
|
},
|
2023-10-19 12:19:10 +02:00
|
|
|
)
|
|
|
|
|
}(),
|
2023-05-24 20:29:58 +02:00
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
2024-05-07 08:11:20 +02:00
|
|
|
ctx: context.Background(),
|
|
|
|
|
instanceID: "instance",
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
2025-02-26 13:20:47 +01:00
|
|
|
idpArguments: map[string]interface{}{
|
|
|
|
|
"verifier": "pkceOAuthVerifier",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
intentID: "id",
|
|
|
|
|
details: &domain.ObjectDetails{ResourceOwner: "instance"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"push, with id",
|
|
|
|
|
fields{
|
|
|
|
|
eventstore: expectEventstore(
|
|
|
|
|
expectFilter(),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusher(
|
|
|
|
|
instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
"auth",
|
|
|
|
|
"token",
|
|
|
|
|
"user",
|
|
|
|
|
"idAttribute",
|
|
|
|
|
nil,
|
|
|
|
|
true,
|
|
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectPush(
|
|
|
|
|
func() eventstore.Command {
|
|
|
|
|
success, _ := url.Parse("https://success.url")
|
|
|
|
|
failure, _ := url.Parse("https://failure.url")
|
|
|
|
|
return idpintent.NewStartedEvent(
|
|
|
|
|
context.Background(),
|
|
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
|
|
|
|
success,
|
|
|
|
|
failure,
|
|
|
|
|
"idp",
|
|
|
|
|
map[string]interface{}{
|
|
|
|
|
"verifier": "pkceOAuthVerifier",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
}(),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
|
|
|
|
instanceID: "instance",
|
|
|
|
|
intentID: "id",
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
successURL: "https://success.url",
|
|
|
|
|
failureURL: "https://failure.url",
|
|
|
|
|
idpArguments: map[string]interface{}{
|
|
|
|
|
"verifier": "pkceOAuthVerifier",
|
|
|
|
|
},
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
intentID: "id",
|
2024-05-07 08:11:20 +02:00
|
|
|
details: &domain.ObjectDetails{ResourceOwner: "instance"},
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-05-24 20:29:58 +02:00
|
|
|
idGenerator: tt.fields.idGenerator,
|
|
|
|
|
}
|
2025-02-26 13:20:47 +01:00
|
|
|
intentWriteModel, details, err := c.CreateIntent(tt.args.ctx, tt.args.intentID, tt.args.idpID, tt.args.successURL, tt.args.failureURL, tt.args.instanceID, tt.args.idpArguments)
|
2023-05-24 20:29:58 +02:00
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
2023-08-16 13:29:57 +02:00
|
|
|
if intentWriteModel != nil {
|
|
|
|
|
assert.Equal(t, tt.res.intentID, intentWriteModel.AggregateID)
|
|
|
|
|
} else {
|
|
|
|
|
assert.Equal(t, tt.res.intentID, "")
|
|
|
|
|
}
|
2024-08-12 22:32:01 +02:00
|
|
|
assertObjectDetails(t, tt.res.details, details)
|
2023-05-24 20:29:58 +02:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-29 11:26:14 +02:00
|
|
|
func TestCommands_AuthFromProvider(t *testing.T) {
|
2023-05-24 20:29:58 +02:00
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-05-24 20:29:58 +02:00
|
|
|
secretCrypto crypto.EncryptionAlgorithm
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator id.Generator
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
type args struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
idpID string
|
|
|
|
|
callbackURL string
|
2023-09-29 11:26:14 +02:00
|
|
|
samlRootURL string
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
type res struct {
|
2025-06-30 11:07:33 -04:00
|
|
|
auth idp.Auth
|
|
|
|
|
err error
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
2025-02-26 13:20:47 +01:00
|
|
|
{
|
|
|
|
|
"error no id generator",
|
|
|
|
|
fields{
|
|
|
|
|
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
|
|
|
|
eventstore: expectEventstore(),
|
|
|
|
|
idGenerator: mock.NewIDGeneratorExpectError(t, zerrors.ThrowInternal(nil, "", "error id")),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
callbackURL: "url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
err: zerrors.ThrowInternal(nil, "", "error id"),
|
|
|
|
|
},
|
|
|
|
|
},
|
2023-05-24 20:29:58 +02:00
|
|
|
{
|
|
|
|
|
"idp not existing",
|
|
|
|
|
fields{
|
|
|
|
|
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectFilter(),
|
|
|
|
|
),
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
callbackURL: "url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowPreconditionFailed(nil, "", ""),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"idp removed",
|
|
|
|
|
fields{
|
|
|
|
|
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
"auth",
|
|
|
|
|
"token",
|
|
|
|
|
"user",
|
|
|
|
|
"idAttribute",
|
|
|
|
|
nil,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2023-05-24 20:29:58 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewIDPRemovedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
),
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
callbackURL: "url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInternal(nil, "COMMAND-xw921211", "Errors.IDPConfig.NotExisting"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
2023-09-29 11:26:14 +02:00
|
|
|
"oauth auth redirect",
|
2023-05-24 20:29:58 +02:00
|
|
|
fields{
|
|
|
|
|
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
"auth",
|
|
|
|
|
"token",
|
|
|
|
|
"user",
|
|
|
|
|
"idAttribute",
|
|
|
|
|
nil,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2023-05-24 20:29:58 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
"auth",
|
|
|
|
|
"token",
|
|
|
|
|
"user",
|
|
|
|
|
"idAttribute",
|
|
|
|
|
nil,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2023-05-24 20:29:58 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
),
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
callbackURL: "url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2025-06-30 11:07:33 -04:00
|
|
|
auth: &idp.RedirectAuth{RedirectURL: "auth?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&state=id"},
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
2023-08-04 11:35:36 +02:00
|
|
|
{
|
|
|
|
|
"migrated and push",
|
|
|
|
|
fields{
|
|
|
|
|
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-08-04 11:35:36 +02:00
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"issuer",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
[]string{"openid", "profile", "User.Read"},
|
|
|
|
|
false,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2023-08-04 11:35:36 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewOIDCIDPMigratedAzureADEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
[]string{"openid", "profile", "User.Read"},
|
|
|
|
|
"tenant",
|
|
|
|
|
true,
|
|
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewOIDCIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"issuer",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
[]string{"openid", "profile", "User.Read"},
|
|
|
|
|
false,
|
2025-02-26 13:20:47 +01:00
|
|
|
true,
|
2023-08-04 11:35:36 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewOIDCIDPMigratedAzureADEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
"clientID",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("clientSecret"),
|
|
|
|
|
},
|
|
|
|
|
[]string{"openid", "profile", "User.Read"},
|
|
|
|
|
"tenant",
|
|
|
|
|
true,
|
|
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
),
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
2023-08-04 11:35:36 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
callbackURL: "url",
|
|
|
|
|
},
|
|
|
|
|
res{
|
2025-06-30 11:07:33 -04:00
|
|
|
auth: &idp.RedirectAuth{RedirectURL: "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&scope=openid+profile+User.Read&state=id"},
|
2023-08-04 11:35:36 +02:00
|
|
|
},
|
|
|
|
|
},
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpConfigEncryption: tt.fields.secretCrypto,
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator: tt.fields.idGenerator,
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
2025-02-26 13:20:47 +01:00
|
|
|
_, session, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.callbackURL, tt.args.samlRootURL)
|
2023-05-24 20:29:58 +02:00
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
2025-02-26 13:20:47 +01:00
|
|
|
|
2025-06-30 11:07:33 -04:00
|
|
|
var got idp.Auth
|
2025-02-26 13:20:47 +01:00
|
|
|
if err == nil {
|
2025-06-30 11:07:33 -04:00
|
|
|
got, err = session.GetAuth(tt.args.ctx)
|
|
|
|
|
assert.Equal(t, tt.res.auth, got)
|
|
|
|
|
assert.NoError(t, err)
|
2025-02-26 13:20:47 +01:00
|
|
|
}
|
2023-09-29 11:26:14 +02:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestCommands_AuthFromProvider_SAML(t *testing.T) {
|
|
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-09-29 11:26:14 +02:00
|
|
|
secretCrypto crypto.EncryptionAlgorithm
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator id.Generator
|
2023-09-29 11:26:14 +02:00
|
|
|
}
|
|
|
|
|
type args struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
idpID string
|
|
|
|
|
callbackURL string
|
|
|
|
|
samlRootURL string
|
|
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
url string
|
|
|
|
|
values map[string]string
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"saml auth default redirect",
|
|
|
|
|
fields{
|
|
|
|
|
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-09-29 11:26:14 +02:00
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
[]byte("<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2023-08-27T12:40:58.803Z\" cacheDuration=\"PT48H\" entityID=\"http://localhost:8000/metadata\">\n <IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <KeyDescriptor use=\"signing\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n </KeyDescriptor>\n <KeyDescriptor use=\"encryption\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n </KeyDescriptor>\n <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n </IDPSSODescriptor>\n</EntityDescriptor>"),
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("key"),
|
|
|
|
|
},
|
|
|
|
|
[]byte("certificate"),
|
|
|
|
|
"",
|
|
|
|
|
false,
|
2024-05-23 07:04:07 +02:00
|
|
|
gu.Ptr(domain.SAMLNameIDFormatUnspecified),
|
|
|
|
|
"",
|
feat: federated logout for SAML IdPs (#9931)
# Which Problems Are Solved
Currently if a user signs in using an IdP, once they sign out of
Zitadel, the corresponding IdP session is not terminated. This can be
the desired behavior. In some cases, e.g. when using a shared computer
it results in a potential security risk, since a follower user might be
able to sign in as the previous using the still open IdP session.
# How the Problems Are Solved
- Admins can enabled a federated logout option on SAML IdPs through the
Admin and Management APIs.
- During the termination of a login V1 session using OIDC end_session
endpoint, Zitadel will check if an IdP was used to authenticate that
session.
- In case there was a SAML IdP used with Federated Logout enabled, it
will intercept the logout process, store the information into the shared
cache and redirect to the federated logout endpoint in the V1 login.
- The V1 login federated logout endpoint checks every request on an
existing cache entry. On success it will create a SAML logout request
for the used IdP and either redirect or POST to the configured SLO
endpoint. The cache entry is updated with a `redirected` state.
- A SLO endpoint is added to the `/idp` handlers, which will handle the
SAML logout responses. At the moment it will check again for an existing
federated logout entry (with state `redirected`) in the cache. On
success, the user is redirected to the initially provided
`post_logout_redirect_uri` from the end_session request.
# Additional Changes
None
# Additional Context
- This PR merges the https://github.com/zitadel/zitadel/pull/9841 and
https://github.com/zitadel/zitadel/pull/9854 to main, additionally
updating the docs on Entra ID SAML.
- closes #9228
- backport to 3.x
---------
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
|
|
|
false,
|
2023-09-29 11:26:14 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
[]byte("<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2023-08-27T12:40:58.803Z\" cacheDuration=\"PT48H\" entityID=\"http://localhost:8000/metadata\">\n <IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <KeyDescriptor use=\"signing\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n </KeyDescriptor>\n <KeyDescriptor use=\"encryption\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n </KeyDescriptor>\n <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n </IDPSSODescriptor>\n</EntityDescriptor>"),
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAxHd087RoEm9ywVWZ/H+tDWxQsmVvhfRz4jAq/RfU+OWXNH4J\njMMSHdFs0Q+WP98nNXRyc7fgbMb8NdmlB2yD4qLYapN5SDaBc5dh/3EnyFt53oSs\njTlKnQUPAeJr2qh/NY046CfyUyQMM4JR5OiQFo4TssfWnqdcgamGt0AEnk2lvbMZ\nKQdAqNS9lDzYbjMGavEQPTZE35mFXFQXjaooZXq+TIa7hbaq7/idH7cHNbLcPLgj\nfPQA8q+DYvnvhXlmq0LPQZH3Oiixf+SF2vRwrBzT2mqGD2OiOkUmhuPwyqEiiBHt\nfxklRtRU6WfLa1Gcb1PsV0uoBGpV3KybIl/GlwIDAQABAoIBAEQjDduLgOCL6Gem\n0X3hpdnW6/HC/jed/Sa//9jBECq2LYeWAqff64ON40hqOHi0YvvGA/+gEOSI6mWe\nsv5tIxxRz+6+cLybsq+tG96kluCE4TJMHy/nY7orS/YiWbd+4odnEApr+D3fbZ/b\nnZ1fDsHTyn8hkYx6jLmnWsJpIHDp7zxD76y7k2Bbg6DZrCGiVxngiLJk23dvz79W\np03lHLM7XE92aFwXQmhfxHGxrbuoB/9eY4ai5IHp36H4fw0vL6NXdNQAo/bhe0p9\nAYB7y0ZumF8Hg0Z/BmMeEzLy6HrYB+VE8cO93pNjhSyH+p2yDB/BlUyTiRLQAoM0\nVTmOZXECgYEA7NGlzpKNhyQEJihVqt0MW0LhKIO/xbBn+XgYfX6GpqPa/ucnMx5/\nVezpl3gK8IU4wPUhAyXXAHJiqNBcEeyxrw0MXLujDVMJgYaLysCLJdvMVgoY08mS\nK5IQivpbozpf4+0y3mOnA+Sy1kbfxv2X8xiWLODRQW3f3q/xoklwOR8CgYEA1GEe\nfaibOFTQAYcIVj77KXtBfYZsX3EGAyfAN9O7cKHq5oaxVstwnF47WxpuVtoKZxCZ\nbNm9D5WvQ9b+Ztpioe42tzwE7Bff/Osj868GcDdRPK7nFlh9N2yVn/D514dOYVwR\n4MBr1KrJzgRWt4QqS4H+to1GzudDTSNlG7gnK4kCgYBUi6AbOHzoYzZL/RhgcJwp\ntJ23nhmH1Su5h2OO4e3mbhcP66w19sxU+8iFN+kH5zfUw26utgKk+TE5vXExQQRK\nT2k7bg2PAzcgk80ybD0BHhA8I0yrx4m0nmfjhe/TPVLgh10iwgbtP+eM0i6v1vc5\nZWyvxu9N4ZEL6lpkqr0y1wKBgG/NAIQd8jhhTW7Aav8cAJQBsqQl038avJOEpYe+\nCnpsgoAAf/K0/f8TDCQVceh+t+MxtdK7fO9rWOxZjWsPo8Si5mLnUaAHoX4/OpnZ\nlYYVWMqdOEFnK+O1Yb7k2GFBdV2DXlX2dc1qavntBsls5ecB89id3pyk2aUN8Pf6\npYQhAoGAMGtrHFely9wyaxI0RTCyfmJbWZHGVGkv6ELK8wneJjdjl82XOBUGCg5q\naRCrTZ3dPitKwrUa6ibJCIFCIziiriBmjDvTHzkMvoJEap2TVxYNDR6IfINVsQ57\nlOsiC4A2uGq4Lbfld+gjoplJ5GX6qXtTgZ6m7eo0y7U6zm2tkN0=\n-----END RSA PRIVATE KEY-----\n"),
|
|
|
|
|
}, []byte("-----BEGIN CERTIFICATE-----\nMIIC2zCCAcOgAwIBAgIIAy/jm1gAAdEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE\nChMHWklUQURFTDAeFw0yMzA4MzAwNzExMTVaFw0yNDA4MjkwNzExMTVaMBIxEDAO\nBgNVBAoTB1pJVEFERUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE\nd3TztGgSb3LBVZn8f60NbFCyZW+F9HPiMCr9F9T45Zc0fgmMwxId0WzRD5Y/3yc1\ndHJzt+Bsxvw12aUHbIPiothqk3lINoFzl2H/cSfIW3nehKyNOUqdBQ8B4mvaqH81\njTjoJ/JTJAwzglHk6JAWjhOyx9aep1yBqYa3QASeTaW9sxkpB0Co1L2UPNhuMwZq\n8RA9NkTfmYVcVBeNqihler5MhruFtqrv+J0ftwc1stw8uCN89ADyr4Ni+e+FeWar\nQs9Bkfc6KLF/5IXa9HCsHNPaaoYPY6I6RSaG4/DKoSKIEe1/GSVG1FTpZ8trUZxv\nU+xXS6gEalXcrJsiX8aXAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE\nDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCx\n/dRNIj0N/16zJhZR/ahkc2AkvDXYxyr4JRT5wK9GQDNl/oaX3debRuSi/tfaXFIX\naJA6PxM4J49ZaiEpLrKfxMz5kAhjKchCBEMcH3mGt+iNZH7EOyTvHjpGrP2OZrsh\nO17yrvN3HuQxIU6roJlqtZz2iAADsoPtwOO4D7hupm9XTMkSnAmlMWOo/q46Jz89\n1sMxB+dXmH/zV0wgwh0omZfLV0u89mvdq269VhcjNBpBYSnN1ccqYWd5iwziob3I\nvaavGHGfkbvRUn/tKftYuTK30q03R+e9YbmlWZ0v695owh2e/apCzowQsCKfSVC8\nOxVyt5XkHq1tWwVyBmFp\n-----END CERTIFICATE-----\n"),
|
|
|
|
|
"",
|
|
|
|
|
false,
|
2024-05-23 07:04:07 +02:00
|
|
|
gu.Ptr(domain.SAMLNameIDFormatUnspecified),
|
|
|
|
|
"",
|
feat: federated logout for SAML IdPs (#9931)
# Which Problems Are Solved
Currently if a user signs in using an IdP, once they sign out of
Zitadel, the corresponding IdP session is not terminated. This can be
the desired behavior. In some cases, e.g. when using a shared computer
it results in a potential security risk, since a follower user might be
able to sign in as the previous using the still open IdP session.
# How the Problems Are Solved
- Admins can enabled a federated logout option on SAML IdPs through the
Admin and Management APIs.
- During the termination of a login V1 session using OIDC end_session
endpoint, Zitadel will check if an IdP was used to authenticate that
session.
- In case there was a SAML IdP used with Federated Logout enabled, it
will intercept the logout process, store the information into the shared
cache and redirect to the federated logout endpoint in the V1 login.
- The V1 login federated logout endpoint checks every request on an
existing cache entry. On success it will create a SAML logout request
for the used IdP and either redirect or POST to the configured SLO
endpoint. The cache entry is updated with a `redirected` state.
- A SLO endpoint is added to the `/idp` handlers, which will handle the
SAML logout responses. At the moment it will check again for an existing
federated logout entry (with state `redirected`) in the cache. On
success, the user is redirected to the initially provided
`post_logout_redirect_uri` from the end_session request.
# Additional Changes
None
# Additional Context
- This PR merges the https://github.com/zitadel/zitadel/pull/9841 and
https://github.com/zitadel/zitadel/pull/9854 to main, additionally
updating the docs on Entra ID SAML.
- closes #9228
- backport to 3.x
---------
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
|
|
|
false,
|
2023-09-29 11:26:14 +02:00
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
func() eventstore.Command {
|
|
|
|
|
success, _ := url.Parse("https://success.url")
|
|
|
|
|
failure, _ := url.Parse("https://failure.url")
|
|
|
|
|
return idpintent.NewStartedEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-09-29 11:26:14 +02:00
|
|
|
success,
|
|
|
|
|
failure,
|
|
|
|
|
"idp",
|
2025-02-26 13:20:47 +01:00
|
|
|
nil,
|
2023-09-29 11:26:14 +02:00
|
|
|
)
|
|
|
|
|
}(),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
expectRandomPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
[]eventstore.Command{
|
2023-09-29 11:26:14 +02:00
|
|
|
idpintent.NewSAMLRequestEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-09-29 11:26:14 +02:00
|
|
|
"request",
|
|
|
|
|
),
|
2023-10-19 12:19:10 +02:00
|
|
|
},
|
2023-09-29 11:26:14 +02:00
|
|
|
),
|
|
|
|
|
),
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
2023-09-29 11:26:14 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
callbackURL: "url",
|
|
|
|
|
samlRootURL: "samlurl",
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
url: "http://localhost:8000/sso",
|
|
|
|
|
values: map[string]string{
|
|
|
|
|
"SAMLRequest": "", // generated IDs so not assertable
|
|
|
|
|
"RelayState": "id",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
2025-06-30 11:07:33 -04:00
|
|
|
{
|
|
|
|
|
"saml post auth",
|
|
|
|
|
fields{
|
|
|
|
|
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
|
|
|
|
eventstore: expectEventstore(
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
[]byte("<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2023-08-27T12:40:58.803Z\" cacheDuration=\"PT48H\" entityID=\"http://localhost:8000/metadata\">\n <IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <KeyDescriptor use=\"signing\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n </KeyDescriptor>\n <KeyDescriptor use=\"encryption\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n </KeyDescriptor>\n <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n </IDPSSODescriptor>\n</EntityDescriptor>"),
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("key"),
|
|
|
|
|
},
|
|
|
|
|
[]byte("certificate"),
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
gu.Ptr(domain.SAMLNameIDFormatUnspecified),
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
instance.NewSAMLIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
|
|
|
|
|
"idp",
|
|
|
|
|
"name",
|
|
|
|
|
[]byte("<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2023-08-27T12:40:58.803Z\" cacheDuration=\"PT48H\" entityID=\"http://localhost:8000/metadata\">\n <IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <KeyDescriptor use=\"signing\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n </KeyDescriptor>\n <KeyDescriptor use=\"encryption\">\n <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n </X509Data>\n </KeyInfo>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n </KeyDescriptor>\n <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n </IDPSSODescriptor>\n</EntityDescriptor>"),
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAxHd087RoEm9ywVWZ/H+tDWxQsmVvhfRz4jAq/RfU+OWXNH4J\njMMSHdFs0Q+WP98nNXRyc7fgbMb8NdmlB2yD4qLYapN5SDaBc5dh/3EnyFt53oSs\njTlKnQUPAeJr2qh/NY046CfyUyQMM4JR5OiQFo4TssfWnqdcgamGt0AEnk2lvbMZ\nKQdAqNS9lDzYbjMGavEQPTZE35mFXFQXjaooZXq+TIa7hbaq7/idH7cHNbLcPLgj\nfPQA8q+DYvnvhXlmq0LPQZH3Oiixf+SF2vRwrBzT2mqGD2OiOkUmhuPwyqEiiBHt\nfxklRtRU6WfLa1Gcb1PsV0uoBGpV3KybIl/GlwIDAQABAoIBAEQjDduLgOCL6Gem\n0X3hpdnW6/HC/jed/Sa//9jBECq2LYeWAqff64ON40hqOHi0YvvGA/+gEOSI6mWe\nsv5tIxxRz+6+cLybsq+tG96kluCE4TJMHy/nY7orS/YiWbd+4odnEApr+D3fbZ/b\nnZ1fDsHTyn8hkYx6jLmnWsJpIHDp7zxD76y7k2Bbg6DZrCGiVxngiLJk23dvz79W\np03lHLM7XE92aFwXQmhfxHGxrbuoB/9eY4ai5IHp36H4fw0vL6NXdNQAo/bhe0p9\nAYB7y0ZumF8Hg0Z/BmMeEzLy6HrYB+VE8cO93pNjhSyH+p2yDB/BlUyTiRLQAoM0\nVTmOZXECgYEA7NGlzpKNhyQEJihVqt0MW0LhKIO/xbBn+XgYfX6GpqPa/ucnMx5/\nVezpl3gK8IU4wPUhAyXXAHJiqNBcEeyxrw0MXLujDVMJgYaLysCLJdvMVgoY08mS\nK5IQivpbozpf4+0y3mOnA+Sy1kbfxv2X8xiWLODRQW3f3q/xoklwOR8CgYEA1GEe\nfaibOFTQAYcIVj77KXtBfYZsX3EGAyfAN9O7cKHq5oaxVstwnF47WxpuVtoKZxCZ\nbNm9D5WvQ9b+Ztpioe42tzwE7Bff/Osj868GcDdRPK7nFlh9N2yVn/D514dOYVwR\n4MBr1KrJzgRWt4QqS4H+to1GzudDTSNlG7gnK4kCgYBUi6AbOHzoYzZL/RhgcJwp\ntJ23nhmH1Su5h2OO4e3mbhcP66w19sxU+8iFN+kH5zfUw26utgKk+TE5vXExQQRK\nT2k7bg2PAzcgk80ybD0BHhA8I0yrx4m0nmfjhe/TPVLgh10iwgbtP+eM0i6v1vc5\nZWyvxu9N4ZEL6lpkqr0y1wKBgG/NAIQd8jhhTW7Aav8cAJQBsqQl038avJOEpYe+\nCnpsgoAAf/K0/f8TDCQVceh+t+MxtdK7fO9rWOxZjWsPo8Si5mLnUaAHoX4/OpnZ\nlYYVWMqdOEFnK+O1Yb7k2GFBdV2DXlX2dc1qavntBsls5ecB89id3pyk2aUN8Pf6\npYQhAoGAMGtrHFely9wyaxI0RTCyfmJbWZHGVGkv6ELK8wneJjdjl82XOBUGCg5q\naRCrTZ3dPitKwrUa6ibJCIFCIziiriBmjDvTHzkMvoJEap2TVxYNDR6IfINVsQ57\nlOsiC4A2uGq4Lbfld+gjoplJ5GX6qXtTgZ6m7eo0y7U6zm2tkN0=\n-----END RSA PRIVATE KEY-----\n"),
|
|
|
|
|
}, []byte("-----BEGIN CERTIFICATE-----\nMIIC2zCCAcOgAwIBAgIIAy/jm1gAAdEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE\nChMHWklUQURFTDAeFw0yMzA4MzAwNzExMTVaFw0yNDA4MjkwNzExMTVaMBIxEDAO\nBgNVBAoTB1pJVEFERUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE\nd3TztGgSb3LBVZn8f60NbFCyZW+F9HPiMCr9F9T45Zc0fgmMwxId0WzRD5Y/3yc1\ndHJzt+Bsxvw12aUHbIPiothqk3lINoFzl2H/cSfIW3nehKyNOUqdBQ8B4mvaqH81\njTjoJ/JTJAwzglHk6JAWjhOyx9aep1yBqYa3QASeTaW9sxkpB0Co1L2UPNhuMwZq\n8RA9NkTfmYVcVBeNqihler5MhruFtqrv+J0ftwc1stw8uCN89ADyr4Ni+e+FeWar\nQs9Bkfc6KLF/5IXa9HCsHNPaaoYPY6I6RSaG4/DKoSKIEe1/GSVG1FTpZ8trUZxv\nU+xXS6gEalXcrJsiX8aXAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE\nDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCx\n/dRNIj0N/16zJhZR/ahkc2AkvDXYxyr4JRT5wK9GQDNl/oaX3debRuSi/tfaXFIX\naJA6PxM4J49ZaiEpLrKfxMz5kAhjKchCBEMcH3mGt+iNZH7EOyTvHjpGrP2OZrsh\nO17yrvN3HuQxIU6roJlqtZz2iAADsoPtwOO4D7hupm9XTMkSnAmlMWOo/q46Jz89\n1sMxB+dXmH/zV0wgwh0omZfLV0u89mvdq269VhcjNBpBYSnN1ccqYWd5iwziob3I\nvaavGHGfkbvRUn/tKftYuTK30q03R+e9YbmlWZ0v695owh2e/apCzowQsCKfSVC8\nOxVyt5XkHq1tWwVyBmFp\n-----END CERTIFICATE-----\n"),
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
gu.Ptr(domain.SAMLNameIDFormatUnspecified),
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
rep_idp.Options{},
|
|
|
|
|
)),
|
|
|
|
|
),
|
|
|
|
|
expectFilter(
|
|
|
|
|
eventFromEventPusherWithInstanceID(
|
|
|
|
|
"instance",
|
|
|
|
|
func() eventstore.Command {
|
|
|
|
|
success, _ := url.Parse("https://success.url")
|
|
|
|
|
failure, _ := url.Parse("https://failure.url")
|
|
|
|
|
return idpintent.NewStartedEvent(
|
|
|
|
|
context.Background(),
|
|
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
|
|
|
|
success,
|
|
|
|
|
failure,
|
|
|
|
|
"idp",
|
|
|
|
|
nil,
|
|
|
|
|
)
|
|
|
|
|
}(),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
expectRandomPush(
|
|
|
|
|
[]eventstore.Command{
|
|
|
|
|
idpintent.NewSAMLRequestEvent(
|
|
|
|
|
context.Background(),
|
|
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
|
|
|
|
"request",
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
idGenerator: mock.ExpectID(t, "id"),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
|
|
|
|
|
idpID: "idp",
|
|
|
|
|
callbackURL: "url",
|
|
|
|
|
samlRootURL: "samlurl",
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
url: "http://localhost:8000/sso",
|
|
|
|
|
values: map[string]string{
|
|
|
|
|
"SAMLRequest": "", // generated IDs so not assertable
|
|
|
|
|
"RelayState": "id",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
2023-09-29 11:26:14 +02:00
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-09-29 11:26:14 +02:00
|
|
|
idpConfigEncryption: tt.fields.secretCrypto,
|
2025-02-26 13:20:47 +01:00
|
|
|
idGenerator: tt.fields.idGenerator,
|
2023-09-29 11:26:14 +02:00
|
|
|
}
|
2025-02-26 13:20:47 +01:00
|
|
|
_, session, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.callbackURL, tt.args.samlRootURL)
|
2023-09-29 11:26:14 +02:00
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
|
|
|
|
|
2025-06-30 11:07:33 -04:00
|
|
|
auth, err := session.GetAuth(tt.args.ctx)
|
2023-09-29 11:26:14 +02:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
2025-06-30 11:07:33 -04:00
|
|
|
var authURL *url.URL
|
|
|
|
|
authFields := make(map[string]string)
|
|
|
|
|
|
|
|
|
|
switch a := auth.(type) {
|
|
|
|
|
case *idp.RedirectAuth:
|
|
|
|
|
authURL, err = url.Parse(a.RedirectURL)
|
|
|
|
|
for key, values := range authURL.Query() {
|
|
|
|
|
authFields[key] = values[0]
|
|
|
|
|
}
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
case *idp.FormAuth:
|
|
|
|
|
authURL, err = url.Parse(a.URL)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
authFields = a.Fields
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-29 11:26:14 +02:00
|
|
|
assert.Equal(t, tt.res.url, authURL.Scheme+"://"+authURL.Host+authURL.Path)
|
|
|
|
|
for k, v := range tt.res.values {
|
2025-06-30 11:07:33 -04:00
|
|
|
assert.Contains(t, authFields, k)
|
2023-09-29 11:26:14 +02:00
|
|
|
if v != "" {
|
2025-06-30 11:07:33 -04:00
|
|
|
assert.Equal(t, v, authFields[k])
|
2023-09-29 11:26:14 +02:00
|
|
|
}
|
|
|
|
|
}
|
2023-05-24 20:29:58 +02:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestCommands_SucceedIDPIntent(t *testing.T) {
|
|
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-05-24 20:29:58 +02:00
|
|
|
idpConfigEncryption crypto.EncryptionAlgorithm
|
|
|
|
|
}
|
|
|
|
|
type args struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
writeModel *IDPIntentWriteModel
|
|
|
|
|
idpUser idp.User
|
|
|
|
|
idpSession idp.Session
|
|
|
|
|
userID string
|
|
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
token string
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"encryption fails",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: func() crypto.EncryptionAlgorithm {
|
|
|
|
|
m := crypto.NewMockEncryptionAlgorithm(gomock.NewController(t))
|
2023-12-08 16:30:55 +02:00
|
|
|
m.EXPECT().Encrypt(gomock.Any()).Return(nil, zerrors.ThrowInternal(nil, "id", "encryption failed"))
|
2023-05-24 20:29:58 +02:00
|
|
|
return m
|
|
|
|
|
}(),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "ro", 0),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"token encryption fails",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: func() crypto.EncryptionAlgorithm {
|
|
|
|
|
m := crypto.NewMockEncryptionAlgorithm(gomock.NewController(t))
|
|
|
|
|
m.EXPECT().Encrypt(gomock.Any()).DoAndReturn(func(value []byte) ([]byte, error) {
|
|
|
|
|
return value, nil
|
|
|
|
|
})
|
2023-12-08 16:30:55 +02:00
|
|
|
m.EXPECT().Encrypt(gomock.Any()).Return(nil, zerrors.ThrowInternal(nil, "id", "encryption failed"))
|
2023-05-24 20:29:58 +02:00
|
|
|
return m
|
|
|
|
|
}(),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "ro", 0),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpSession: &oauth.Session{
|
|
|
|
|
Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
|
|
|
|
|
Token: &oauth2.Token{
|
|
|
|
|
AccessToken: "accessToken",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"push",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
func() eventstore.Command {
|
|
|
|
|
event := idpintent.NewSucceededEvent(
|
2023-06-21 16:06:18 +02:00
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-06-21 16:06:18 +02:00
|
|
|
[]byte(`{"sub":"id","preferred_username":"username"}`),
|
|
|
|
|
"id",
|
|
|
|
|
"username",
|
|
|
|
|
"",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("accessToken"),
|
|
|
|
|
},
|
|
|
|
|
"idToken",
|
2025-05-02 13:44:24 +02:00
|
|
|
time.Time{},
|
2023-10-19 12:19:10 +02:00
|
|
|
)
|
|
|
|
|
return event
|
|
|
|
|
}(),
|
2023-05-24 20:29:58 +02:00
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "instance", 0),
|
2023-06-20 14:39:50 +02:00
|
|
|
idpSession: &openid.Session{
|
2023-05-24 20:29:58 +02:00
|
|
|
Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
|
|
|
|
|
Token: &oauth2.Token{
|
|
|
|
|
AccessToken: "accessToken",
|
|
|
|
|
},
|
2023-06-20 14:39:50 +02:00
|
|
|
IDToken: "idToken",
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
2023-06-20 14:39:50 +02:00
|
|
|
idpUser: openid.NewUser(&oidc.UserInfo{
|
|
|
|
|
Subject: "id",
|
|
|
|
|
UserInfoProfile: oidc.UserInfoProfile{
|
|
|
|
|
PreferredUsername: "username",
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
2023-06-20 14:39:50 +02:00
|
|
|
}),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
token: "aWQ",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-05-24 20:29:58 +02:00
|
|
|
idpConfigEncryption: tt.fields.idpConfigEncryption,
|
|
|
|
|
}
|
|
|
|
|
got, err := c.SucceedIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.idpUser, tt.args.idpSession, tt.args.userID)
|
|
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
|
|
|
|
assert.Equal(t, tt.res.token, got)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-29 11:26:14 +02:00
|
|
|
func TestCommands_SucceedSAMLIDPIntent(t *testing.T) {
|
|
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-09-29 11:26:14 +02:00
|
|
|
idpConfigEncryption crypto.EncryptionAlgorithm
|
|
|
|
|
}
|
|
|
|
|
type args struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
writeModel *IDPIntentWriteModel
|
|
|
|
|
idpUser idp.User
|
2025-05-02 13:44:24 +02:00
|
|
|
session *saml.Session
|
2023-09-29 11:26:14 +02:00
|
|
|
userID string
|
|
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
token string
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"encryption fails",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: func() crypto.EncryptionAlgorithm {
|
|
|
|
|
m := crypto.NewMockEncryptionAlgorithm(gomock.NewController(t))
|
2023-12-08 16:30:55 +02:00
|
|
|
m.EXPECT().Encrypt(gomock.Any()).Return(nil, zerrors.ThrowInternal(nil, "id", "encryption failed"))
|
2023-09-29 11:26:14 +02:00
|
|
|
return m
|
|
|
|
|
}(),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-09-29 11:26:14 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "ro", 0),
|
2023-09-29 11:26:14 +02:00
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
|
2023-09-29 11:26:14 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"push",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-09-29 11:26:14 +02:00
|
|
|
expectPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
idpintent.NewSAMLSucceededEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-10-19 12:19:10 +02:00
|
|
|
[]byte(`{"sub":"id","preferred_username":"username"}`),
|
|
|
|
|
"id",
|
|
|
|
|
"username",
|
|
|
|
|
"",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"id\" IssueInstant=\"0001-01-01T00:00:00Z\" Version=\"\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"\" SPNameQualifier=\"\" Format=\"\" SPProvidedID=\"\"></Issuer></Assertion>"),
|
|
|
|
|
},
|
2025-05-02 13:44:24 +02:00
|
|
|
time.Time{},
|
2023-09-29 11:26:14 +02:00
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "instance", 0),
|
|
|
|
|
session: &saml.Session{
|
|
|
|
|
Assertion: &crewjam_saml.Assertion{ID: "id"},
|
|
|
|
|
},
|
2023-09-29 11:26:14 +02:00
|
|
|
idpUser: openid.NewUser(&oidc.UserInfo{
|
|
|
|
|
Subject: "id",
|
|
|
|
|
UserInfoProfile: oidc.UserInfoProfile{
|
|
|
|
|
PreferredUsername: "username",
|
|
|
|
|
},
|
|
|
|
|
}),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
token: "aWQ",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"push with userID",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-09-29 11:26:14 +02:00
|
|
|
expectPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
idpintent.NewSAMLSucceededEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-10-19 12:19:10 +02:00
|
|
|
[]byte(`{"sub":"id","preferred_username":"username"}`),
|
|
|
|
|
"id",
|
|
|
|
|
"username",
|
|
|
|
|
"user",
|
|
|
|
|
&crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"id\" IssueInstant=\"0001-01-01T00:00:00Z\" Version=\"\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"\" SPNameQualifier=\"\" Format=\"\" SPProvidedID=\"\"></Issuer></Assertion>"),
|
|
|
|
|
},
|
2025-05-02 13:44:24 +02:00
|
|
|
time.Time{},
|
2023-09-29 11:26:14 +02:00
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "instance", 0),
|
|
|
|
|
session: &saml.Session{
|
|
|
|
|
Assertion: &crewjam_saml.Assertion{ID: "id"},
|
|
|
|
|
},
|
2023-09-29 11:26:14 +02:00
|
|
|
idpUser: openid.NewUser(&oidc.UserInfo{
|
|
|
|
|
Subject: "id",
|
|
|
|
|
UserInfoProfile: oidc.UserInfoProfile{
|
|
|
|
|
PreferredUsername: "username",
|
|
|
|
|
},
|
|
|
|
|
}),
|
|
|
|
|
userID: "user",
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
token: "aWQ",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-09-29 11:26:14 +02:00
|
|
|
idpConfigEncryption: tt.fields.idpConfigEncryption,
|
|
|
|
|
}
|
2025-05-02 13:44:24 +02:00
|
|
|
got, err := c.SucceedSAMLIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.idpUser, tt.args.userID, tt.args.session)
|
2023-09-29 11:26:14 +02:00
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
|
|
|
|
assert.Equal(t, tt.res.token, got)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestCommands_RequestSAMLIDPIntent(t *testing.T) {
|
|
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-09-29 11:26:14 +02:00
|
|
|
}
|
|
|
|
|
type args struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
writeModel *IDPIntentWriteModel
|
|
|
|
|
request string
|
|
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"push",
|
|
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-09-29 11:26:14 +02:00
|
|
|
expectPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
idpintent.NewSAMLRequestEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-10-19 12:19:10 +02:00
|
|
|
"request",
|
2023-09-29 11:26:14 +02:00
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "instance", 0),
|
2023-09-29 11:26:14 +02:00
|
|
|
request: "request",
|
|
|
|
|
},
|
|
|
|
|
res{},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-09-29 11:26:14 +02:00
|
|
|
}
|
|
|
|
|
err := c.RequestSAMLIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.request)
|
|
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
|
|
|
|
require.Equal(t, tt.args.writeModel.RequestID, tt.args.request)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-16 13:29:57 +02:00
|
|
|
func TestCommands_SucceedLDAPIDPIntent(t *testing.T) {
|
|
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-08-16 13:29:57 +02:00
|
|
|
idpConfigEncryption crypto.EncryptionAlgorithm
|
|
|
|
|
}
|
|
|
|
|
type args struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
writeModel *IDPIntentWriteModel
|
|
|
|
|
idpUser idp.User
|
|
|
|
|
userID string
|
2025-05-02 13:44:24 +02:00
|
|
|
session *ldap.Session
|
2023-08-16 13:29:57 +02:00
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
token string
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"encryption fails",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: func() crypto.EncryptionAlgorithm {
|
|
|
|
|
m := crypto.NewMockEncryptionAlgorithm(gomock.NewController(t))
|
2023-12-08 16:30:55 +02:00
|
|
|
m.EXPECT().Encrypt(gomock.Any()).Return(nil, zerrors.ThrowInternal(nil, "id", "encryption failed"))
|
2023-08-16 13:29:57 +02:00
|
|
|
return m
|
|
|
|
|
}(),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(),
|
2023-08-16 13:29:57 +02:00
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "instance", 0),
|
2023-08-16 13:29:57 +02:00
|
|
|
},
|
|
|
|
|
res{
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
|
2023-08-16 13:29:57 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"push",
|
|
|
|
|
fields{
|
|
|
|
|
idpConfigEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-08-16 13:29:57 +02:00
|
|
|
expectPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
idpintent.NewLDAPSucceededEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-10-19 12:19:10 +02:00
|
|
|
[]byte(`{"id":"id","preferredUsername":"username","preferredLanguage":"und"}`),
|
|
|
|
|
"id",
|
|
|
|
|
"username",
|
|
|
|
|
"",
|
|
|
|
|
map[string][]string{"id": {"id"}},
|
2025-05-02 13:44:24 +02:00
|
|
|
time.Time{},
|
2023-08-16 13:29:57 +02:00
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "instance", 0),
|
|
|
|
|
session: &ldap.Session{
|
|
|
|
|
Entry: &goldap.Entry{
|
|
|
|
|
Attributes: []*goldap.EntryAttribute{
|
|
|
|
|
{
|
|
|
|
|
Name: "id",
|
|
|
|
|
Values: []string{"id"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
2023-08-16 13:29:57 +02:00
|
|
|
idpUser: ldap.NewUser(
|
|
|
|
|
"id",
|
|
|
|
|
"",
|
|
|
|
|
"",
|
|
|
|
|
"",
|
|
|
|
|
"",
|
|
|
|
|
"username",
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
language.Tag{},
|
|
|
|
|
"",
|
|
|
|
|
"",
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
token: "aWQ",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-08-16 13:29:57 +02:00
|
|
|
idpConfigEncryption: tt.fields.idpConfigEncryption,
|
|
|
|
|
}
|
2025-05-02 13:44:24 +02:00
|
|
|
got, err := c.SucceedLDAPIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.idpUser, tt.args.userID, tt.args.session)
|
2023-08-16 13:29:57 +02:00
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
|
|
|
|
assert.Equal(t, tt.res.token, got)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-24 20:29:58 +02:00
|
|
|
func TestCommands_FailIDPIntent(t *testing.T) {
|
|
|
|
|
type fields struct {
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore func(t *testing.T) *eventstore.Eventstore
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
type args struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
writeModel *IDPIntentWriteModel
|
|
|
|
|
reason string
|
|
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
fields fields
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"push",
|
|
|
|
|
fields{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: expectEventstore(
|
2023-05-24 20:29:58 +02:00
|
|
|
expectPush(
|
2023-10-19 12:19:10 +02:00
|
|
|
idpintent.NewFailedEvent(
|
|
|
|
|
context.Background(),
|
2024-05-07 08:11:20 +02:00
|
|
|
&idpintent.NewAggregate("id", "instance").Aggregate,
|
2023-10-19 12:19:10 +02:00
|
|
|
"reason",
|
2023-05-24 20:29:58 +02:00
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
args{
|
|
|
|
|
ctx: context.Background(),
|
2025-05-02 13:44:24 +02:00
|
|
|
writeModel: NewIDPIntentWriteModel("id", "instance", 0),
|
2023-05-24 20:29:58 +02:00
|
|
|
reason: "reason",
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
err: nil,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &Commands{
|
2024-05-07 08:11:20 +02:00
|
|
|
eventstore: tt.fields.eventstore(t),
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
err := c.FailIDPIntent(tt.args.ctx, tt.args.writeModel, tt.args.reason)
|
|
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_tokensForSucceededIDPIntent(t *testing.T) {
|
|
|
|
|
type args struct {
|
|
|
|
|
session idp.Session
|
|
|
|
|
encryptionAlg crypto.EncryptionAlgorithm
|
|
|
|
|
}
|
|
|
|
|
type res struct {
|
|
|
|
|
accessToken *crypto.CryptoValue
|
|
|
|
|
idToken string
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
args args
|
|
|
|
|
res res
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
"no tokens",
|
|
|
|
|
args{
|
|
|
|
|
&ldap.Session{},
|
|
|
|
|
crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
accessToken: nil,
|
|
|
|
|
idToken: "",
|
|
|
|
|
err: nil,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"token encryption fails",
|
|
|
|
|
args{
|
|
|
|
|
&oauth.Session{
|
|
|
|
|
Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
|
|
|
|
|
Token: &oauth2.Token{
|
|
|
|
|
AccessToken: "accessToken",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
func() crypto.EncryptionAlgorithm {
|
|
|
|
|
m := crypto.NewMockEncryptionAlgorithm(gomock.NewController(t))
|
2023-12-08 16:30:55 +02:00
|
|
|
m.EXPECT().Encrypt(gomock.Any()).Return(nil, zerrors.ThrowInternal(nil, "id", "encryption failed"))
|
2023-05-24 20:29:58 +02:00
|
|
|
return m
|
|
|
|
|
}(),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
accessToken: nil,
|
|
|
|
|
idToken: "",
|
2023-12-08 16:30:55 +02:00
|
|
|
err: zerrors.ThrowInternal(nil, "id", "encryption failed"),
|
2023-05-24 20:29:58 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"oauth tokens",
|
|
|
|
|
args{
|
|
|
|
|
&oauth.Session{
|
|
|
|
|
Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
|
|
|
|
|
Token: &oauth2.Token{
|
|
|
|
|
AccessToken: "accessToken",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
accessToken: &crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("accessToken"),
|
|
|
|
|
},
|
|
|
|
|
idToken: "",
|
|
|
|
|
err: nil,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"oidc tokens",
|
|
|
|
|
args{
|
|
|
|
|
&openid.Session{
|
|
|
|
|
Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
|
|
|
|
|
Token: &oauth2.Token{
|
|
|
|
|
AccessToken: "accessToken",
|
|
|
|
|
},
|
|
|
|
|
IDToken: "idToken",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
accessToken: &crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("accessToken"),
|
|
|
|
|
},
|
|
|
|
|
idToken: "idToken",
|
|
|
|
|
err: nil,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"jwt tokens",
|
|
|
|
|
args{
|
|
|
|
|
&jwt.Session{
|
|
|
|
|
Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
|
|
|
|
|
IDToken: "idToken",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
accessToken: nil,
|
|
|
|
|
idToken: "idToken",
|
|
|
|
|
err: nil,
|
|
|
|
|
},
|
|
|
|
|
},
|
2023-08-08 11:28:47 +02:00
|
|
|
{
|
|
|
|
|
"azure tokens",
|
|
|
|
|
args{
|
|
|
|
|
&azuread.Session{
|
2024-01-10 16:02:17 +01:00
|
|
|
OAuthSession: &oauth.Session{
|
2023-08-08 11:28:47 +02:00
|
|
|
Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
|
|
|
|
|
Token: &oauth2.Token{
|
|
|
|
|
AccessToken: "accessToken",
|
|
|
|
|
},
|
2024-01-10 16:02:17 +01:00
|
|
|
IDToken: "idToken",
|
2023-08-08 11:28:47 +02:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
|
|
|
|
|
},
|
|
|
|
|
res{
|
|
|
|
|
accessToken: &crypto.CryptoValue{
|
|
|
|
|
CryptoType: crypto.TypeEncryption,
|
|
|
|
|
Algorithm: "enc",
|
|
|
|
|
KeyID: "id",
|
|
|
|
|
Crypted: []byte("accessToken"),
|
|
|
|
|
},
|
2024-01-10 16:02:17 +01:00
|
|
|
idToken: "idToken",
|
2023-08-08 11:28:47 +02:00
|
|
|
err: nil,
|
|
|
|
|
},
|
|
|
|
|
},
|
2023-05-24 20:29:58 +02:00
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
gotAccessToken, gotIDToken, err := tokensForSucceededIDPIntent(tt.args.session, tt.args.encryptionAlg)
|
|
|
|
|
require.ErrorIs(t, err, tt.res.err)
|
|
|
|
|
assert.Equal(t, tt.res.accessToken, gotAccessToken)
|
|
|
|
|
assert.Equal(t, tt.res.idToken, gotIDToken)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|