2024-12-19 12:11:40 +01:00
|
|
|
//go:build integration
|
|
|
|
|
|
|
|
|
|
package saml_test
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"net/url"
|
|
|
|
|
"regexp"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/crewjam/saml"
|
2025-02-11 19:45:09 +01:00
|
|
|
"github.com/crewjam/saml/samlsp"
|
2024-12-19 12:11:40 +01:00
|
|
|
"github.com/muhlemmer/gu"
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
|
|
|
|
|
|
"github.com/zitadel/zitadel/internal/integration"
|
2025-10-14 18:24:09 +02:00
|
|
|
filter "github.com/zitadel/zitadel/pkg/grpc/filter/v2beta"
|
2025-09-10 08:00:31 +02:00
|
|
|
mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
|
2024-12-19 12:11:40 +01:00
|
|
|
"github.com/zitadel/zitadel/pkg/grpc/object/v2"
|
2025-10-14 18:24:09 +02:00
|
|
|
project_v2beta "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
|
2024-12-19 12:11:40 +01:00
|
|
|
saml_pb "github.com/zitadel/zitadel/pkg/grpc/saml/v2"
|
|
|
|
|
"github.com/zitadel/zitadel/pkg/grpc/session/v2"
|
|
|
|
|
)
|
|
|
|
|
|
2025-02-11 19:45:09 +01:00
|
|
|
func TestServer_GetSAMLRequest(t *testing.T) {
|
2024-12-19 12:11:40 +01:00
|
|
|
idpMetadata, err := Instance.GetSAMLIDPMetadata()
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
acsRedirect := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[0]
|
|
|
|
|
acsPost := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[1]
|
|
|
|
|
|
2025-02-11 19:45:09 +01:00
|
|
|
_, _, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false)
|
|
|
|
|
_, _, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false)
|
2024-12-19 12:11:40 +01:00
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
2025-02-11 19:45:09 +01:00
|
|
|
dep func() (time.Time, string, error)
|
2024-12-19 12:11:40 +01:00
|
|
|
wantErr bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "Not found",
|
2025-02-11 19:45:09 +01:00
|
|
|
dep: func() (time.Time, string, error) {
|
|
|
|
|
return time.Time{}, "123", nil
|
2024-12-19 12:11:40 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "success, redirect binding",
|
2025-02-11 19:45:09 +01:00
|
|
|
dep: func() (time.Time, string, error) {
|
2025-09-10 08:00:31 +02:00
|
|
|
return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "success, post binding",
|
2025-02-11 19:45:09 +01:00
|
|
|
dep: func() (time.Time, string, error) {
|
2025-09-10 08:00:31 +02:00
|
|
|
return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2025-02-11 19:45:09 +01:00
|
|
|
creationTime, authRequestID, err := tt.dep()
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(LoginCTX, time.Minute)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
|
2025-07-15 07:38:00 -04:00
|
|
|
got, err := Client.GetSAMLRequest(LoginCTX, &saml_pb.GetSAMLRequestRequest{
|
2024-12-19 12:11:40 +01:00
|
|
|
SamlRequestId: authRequestID,
|
|
|
|
|
})
|
|
|
|
|
if tt.wantErr {
|
|
|
|
|
assert.Error(ttt, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
assert.NoError(ttt, err)
|
|
|
|
|
authRequest := got.GetSamlRequest()
|
|
|
|
|
assert.NotNil(ttt, authRequest)
|
|
|
|
|
assert.Equal(ttt, authRequestID, authRequest.GetId())
|
2025-02-11 19:45:09 +01:00
|
|
|
assert.WithinRange(ttt, authRequest.GetCreationDate().AsTime(), creationTime.Add(-time.Second), creationTime.Add(time.Second))
|
2024-12-19 12:11:40 +01:00
|
|
|
}, retryDuration, tick, "timeout waiting for expected saml request result")
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestServer_CreateResponse(t *testing.T) {
|
|
|
|
|
idpMetadata, err := Instance.GetSAMLIDPMetadata()
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
acsRedirect := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[0]
|
|
|
|
|
acsPost := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[1]
|
|
|
|
|
|
2025-02-11 19:45:09 +01:00
|
|
|
_, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false)
|
|
|
|
|
_, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false)
|
2025-07-15 07:38:00 -04:00
|
|
|
sessionResp := createSession(LoginCTX, t, Instance.Users[integration.UserTypeLogin].ID)
|
2024-12-19 12:11:40 +01:00
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx context.Context
|
2024-12-19 12:11:40 +01:00
|
|
|
req *saml_pb.CreateResponseRequest
|
|
|
|
|
AuthError string
|
|
|
|
|
want *saml_pb.CreateResponseResponse
|
|
|
|
|
wantURL *url.URL
|
|
|
|
|
wantErr bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "Not found",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: "123",
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: sessionResp.GetSessionId(),
|
|
|
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "session not found",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: "foo",
|
|
|
|
|
SessionToken: "bar",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "session token invalid",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: sessionResp.GetSessionId(),
|
|
|
|
|
SessionToken: "bar",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "fail callback, post",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
|
|
|
Error: &saml_pb.AuthorizationError{
|
|
|
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
|
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: regexp.QuoteMeta(`https://` + rootURLPost + `/saml/acs`),
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Post{Post: &saml_pb.PostResponse{
|
|
|
|
|
RelayState: "notempty",
|
|
|
|
|
SamlResponse: "notempty",
|
|
|
|
|
}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "fail callback, post, already failed",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
2025-07-15 07:38:00 -04:00
|
|
|
Instance.FailSAMLAuthRequest(LoginCTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED)
|
2024-12-19 12:11:40 +01:00
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
|
|
|
Error: &saml_pb.AuthorizationError{
|
|
|
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
|
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "fail callback, redirect",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
|
|
|
Error: &saml_pb.AuthorizationError{
|
|
|
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
|
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/` + rootURLRedirect + `\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: false,
|
|
|
|
|
},
|
2025-07-15 07:38:00 -04:00
|
|
|
{
|
|
|
|
|
name: "fail callback, no permission, error",
|
|
|
|
|
ctx: CTX,
|
|
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2025-07-15 07:38:00 -04:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
|
|
|
Error: &saml_pb.AuthorizationError{
|
|
|
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
|
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
2024-12-19 12:11:40 +01:00
|
|
|
{
|
|
|
|
|
name: "callback, redirect",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: sessionResp.GetSessionId(),
|
|
|
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/` + rootURLRedirect + `\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "callback, post",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: sessionResp.GetSessionId(),
|
|
|
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: regexp.QuoteMeta(`https://` + rootURLPost + `/saml/acs`),
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Post{Post: &saml_pb.PostResponse{
|
|
|
|
|
RelayState: "notempty",
|
|
|
|
|
SamlResponse: "notempty",
|
|
|
|
|
}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "callback, post",
|
2025-07-15 07:38:00 -04:00
|
|
|
ctx: LoginCTX,
|
|
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2025-07-15 07:38:00 -04:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
Instance.SuccessfulSAMLAuthRequest(LoginCTX, Instance.Users[integration.UserTypeLogin].ID, authRequestID)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: sessionResp.GetSessionId(),
|
|
|
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "callback, no permission, error",
|
|
|
|
|
ctx: CTX,
|
2024-12-19 12:11:40 +01:00
|
|
|
req: &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: func() string {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
2024-12-19 12:11:40 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return authRequestID
|
|
|
|
|
}(),
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: sessionResp.GetSessionId(),
|
|
|
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2025-07-15 07:38:00 -04:00
|
|
|
got, err := Client.CreateResponse(tt.ctx, tt.req)
|
2024-12-19 12:11:40 +01:00
|
|
|
if tt.wantErr {
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
integration.AssertDetails(t, tt.want, got)
|
|
|
|
|
if tt.want != nil {
|
|
|
|
|
assert.Regexp(t, regexp.MustCompile(tt.want.Url), got.GetUrl())
|
|
|
|
|
if tt.want.GetPost() != nil {
|
|
|
|
|
assert.NotEmpty(t, got.GetPost().GetRelayState())
|
|
|
|
|
assert.NotEmpty(t, got.GetPost().GetSamlResponse())
|
|
|
|
|
}
|
|
|
|
|
if tt.want.GetRedirect() != nil {
|
|
|
|
|
assert.NotNil(t, got.GetRedirect())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-02-11 19:45:09 +01:00
|
|
|
|
|
|
|
|
func TestServer_CreateResponse_Permission(t *testing.T) {
|
|
|
|
|
idpMetadata, err := Instance.GetSAMLIDPMetadata()
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
acsRedirect := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[0]
|
|
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
dep func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest
|
|
|
|
|
want *saml_pb.CreateResponseResponse
|
|
|
|
|
wantURL *url.URL
|
|
|
|
|
wantErr bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "usergrant to project and different resourceowner with different project grant",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
projectID2, _, _ := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
2025-05-21 14:40:47 +02:00
|
|
|
Instance.CreateProjectGrant(ctx, t, projectID2, orgResp.GetOrganizationId())
|
2025-09-10 08:00:31 +02:00
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "usergrant to project and different resourceowner with project grant",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
2025-05-21 14:40:47 +02:00
|
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
2025-09-10 08:00:31 +02:00
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "usergrant to project grant and different resourceowner with project grant",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
2025-05-21 14:40:47 +02:00
|
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
2025-09-10 08:00:31 +02:00
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
2025-09-21 16:04:25 +02:00
|
|
|
createProjectGrantUserGrant(ctx, t, projectID, orgResp.GetOrganizationId(), user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "no usergrant and different resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "no usergrant and same resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
user := Instance.CreateHumanUser(ctx)
|
|
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "usergrant and different resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "usergrant and same resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
|
|
|
|
|
|
user := Instance.CreateHumanUser(ctx)
|
2025-09-10 08:00:31 +02:00
|
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "projectRoleCheck, usergrant and same resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
|
|
|
|
|
|
|
|
user := Instance.CreateHumanUser(ctx)
|
2025-09-10 08:00:31 +02:00
|
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "projectRoleCheck, no usergrant and same resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
|
|
|
user := Instance.CreateHumanUser(ctx)
|
|
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "projectRoleCheck, usergrant and different resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "projectRoleCheck, no usergrant and different resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "projectRoleCheck, usergrant on project grant and different resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
|
|
|
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
2025-05-21 14:40:47 +02:00
|
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
2025-09-10 08:00:31 +02:00
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
2025-09-21 16:04:25 +02:00
|
|
|
createProjectGrantUserGrant(ctx, t, projectID, orgResp.GetOrganizationId(), user.GetUserId())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "projectRoleCheck, no usergrant on project grant and different resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
|
|
|
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
2025-05-21 14:40:47 +02:00
|
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
2025-09-10 08:00:31 +02:00
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "hasProjectCheck, same resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
|
|
|
|
|
user := Instance.CreateHumanUser(ctx)
|
|
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "hasProjectCheck, different resourceowner",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "hasProjectCheck, different resourceowner with project grant",
|
|
|
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
|
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
|
2025-09-10 08:00:31 +02:00
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
2025-10-14 18:24:09 +02:00
|
|
|
createProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
2025-09-10 08:00:31 +02:00
|
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
2025-02-11 19:45:09 +01:00
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
2025-02-11 19:45:09 +01:00
|
|
|
},
|
|
|
|
|
want: &saml_pb.CreateResponseResponse{
|
|
|
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
|
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
|
|
|
Details: &object.Details{
|
|
|
|
|
ChangeDate: timestamppb.Now(),
|
|
|
|
|
ResourceOwner: Instance.ID(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
req := tt.dep(IAMCTX, t)
|
|
|
|
|
|
2025-07-15 07:38:00 -04:00
|
|
|
got, err := Client.CreateResponse(LoginCTX, req)
|
2025-02-11 19:45:09 +01:00
|
|
|
if tt.wantErr {
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
integration.AssertDetails(t, tt.want, got)
|
|
|
|
|
if tt.want != nil {
|
|
|
|
|
assert.Regexp(t, regexp.MustCompile(tt.want.Url), got.GetUrl())
|
|
|
|
|
if tt.want.GetPost() != nil {
|
|
|
|
|
assert.NotEmpty(t, got.GetPost().GetRelayState())
|
|
|
|
|
assert.NotEmpty(t, got.GetPost().GetSamlResponse())
|
|
|
|
|
}
|
|
|
|
|
if tt.want.GetRedirect() != nil {
|
|
|
|
|
assert.NotNil(t, got.GetRedirect())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createSession(ctx context.Context, t *testing.T, userID string) *session.CreateSessionResponse {
|
|
|
|
|
sessionResp, err := Instance.Client.SessionV2.CreateSession(ctx, &session.CreateSessionRequest{
|
|
|
|
|
Checks: &session.Checks{
|
|
|
|
|
User: &session.CheckUser{
|
|
|
|
|
Search: &session.CheckUser_UserId{
|
|
|
|
|
UserId: userID,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
return sessionResp
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createSessionAndSmlRequestForCallback(ctx context.Context, t *testing.T, sp *samlsp.Middleware, loginClient string, acsRedirect saml.Endpoint, userID, binding string) *saml_pb.CreateResponseRequest {
|
2025-09-10 08:00:31 +02:00
|
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(sp, loginClient, acsRedirect, integration.RelayState(), binding)
|
2025-02-11 19:45:09 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
sessionResp := createSession(ctx, t, userID)
|
|
|
|
|
return &saml_pb.CreateResponseRequest{
|
|
|
|
|
SamlRequestId: authRequestID,
|
|
|
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
|
|
|
Session: &saml_pb.Session{
|
|
|
|
|
SessionId: sessionResp.GetSessionId(),
|
|
|
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createSAMLSP(t *testing.T, idpMetadata *saml.EntityDescriptor, binding string) (string, *samlsp.Middleware) {
|
2025-09-10 08:00:31 +02:00
|
|
|
rootURL := "example." + integration.DomainName()
|
2025-02-11 19:45:09 +01:00
|
|
|
spMiddleware, err := integration.CreateSAMLSP("https://"+rootURL, idpMetadata, binding)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
return rootURL, spMiddleware
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createSAMLApplication(ctx context.Context, t *testing.T, idpMetadata *saml.EntityDescriptor, binding string, projectRoleCheck, hasProjectCheck bool) (string, string, *samlsp.Middleware) {
|
2025-08-07 15:27:01 +02:00
|
|
|
project := Instance.CreateProject(ctx, t, "", integration.ProjectName(), projectRoleCheck, hasProjectCheck)
|
2025-02-11 19:45:09 +01:00
|
|
|
rootURL, sp := createSAMLSP(t, idpMetadata, binding)
|
2025-05-21 14:40:47 +02:00
|
|
|
_, err := Instance.CreateSAMLClient(ctx, project.GetId(), sp)
|
2025-02-11 19:45:09 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return project.GetId(), rootURL, sp
|
|
|
|
|
}
|
2025-09-10 08:00:31 +02:00
|
|
|
|
2025-10-14 18:24:09 +02:00
|
|
|
func createProjectGrant(ctx context.Context, t *testing.T, projectID, grantedOrgID string) {
|
|
|
|
|
Instance.CreateProjectGrant(ctx, t, projectID, grantedOrgID)
|
|
|
|
|
|
|
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
|
|
|
|
|
require.EventuallyWithT(t, func(collect *assert.CollectT) {
|
|
|
|
|
resp, err := Instance.Client.Projectv2Beta.ListProjectGrants(ctx, &project_v2beta.ListProjectGrantsRequest{
|
|
|
|
|
Filters: []*project_v2beta.ProjectGrantSearchFilter{
|
|
|
|
|
{Filter: &project_v2beta.ProjectGrantSearchFilter_InProjectIdsFilter{InProjectIdsFilter: &filter.InIDsFilter{
|
|
|
|
|
Ids: []string{projectID},
|
|
|
|
|
}}},
|
|
|
|
|
{Filter: &project_v2beta.ProjectGrantSearchFilter_ProjectGrantResourceOwnerFilter{ProjectGrantResourceOwnerFilter: &filter.IDFilter{
|
|
|
|
|
Id: grantedOrgID,
|
|
|
|
|
}}},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
assert.NoError(collect, err)
|
|
|
|
|
assert.Len(collect, resp.GetProjectGrants(), 1)
|
|
|
|
|
}, retryDuration, tick)
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-28 13:11:12 +01:00
|
|
|
func createProjectUserGrant(ctx context.Context, t *testing.T, organizationID, projectID, userID string) {
|
|
|
|
|
resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID, organizationID)
|
2025-09-10 08:00:31 +02:00
|
|
|
|
|
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
|
|
|
|
|
require.EventuallyWithT(t, func(collect *assert.CollectT) {
|
2025-10-28 13:11:12 +01:00
|
|
|
_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, organizationID), &mgmt.GetUserGrantByIDRequest{
|
2025-09-10 08:00:31 +02:00
|
|
|
UserId: userID,
|
2025-09-21 16:04:25 +02:00
|
|
|
GrantId: resp.GetId(),
|
2025-09-10 08:00:31 +02:00
|
|
|
})
|
|
|
|
|
assert.NoError(collect, err)
|
|
|
|
|
}, retryDuration, tick)
|
|
|
|
|
}
|
|
|
|
|
|
2025-09-21 16:04:25 +02:00
|
|
|
func createProjectGrantUserGrant(ctx context.Context, t *testing.T, projectID, grantedOrgID, userID string) {
|
|
|
|
|
resp := Instance.CreateAuthorizationProjectGrant(t, ctx, projectID, grantedOrgID, userID)
|
2025-09-10 08:00:31 +02:00
|
|
|
|
|
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
|
|
|
|
|
require.EventuallyWithT(t, func(collect *assert.CollectT) {
|
2025-09-21 16:04:25 +02:00
|
|
|
_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, grantedOrgID), &mgmt.GetUserGrantByIDRequest{
|
2025-09-10 08:00:31 +02:00
|
|
|
UserId: userID,
|
2025-09-21 16:04:25 +02:00
|
|
|
GrantId: resp.GetId(),
|
2025-09-10 08:00:31 +02:00
|
|
|
})
|
|
|
|
|
assert.NoError(collect, err)
|
|
|
|
|
}, retryDuration, tick)
|
|
|
|
|
}
|
