mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-07 09:07:43 +00:00
435 lines
11 KiB
Go
435 lines
11 KiB
Go
|
package oidc
|
||
|
|
||
|
import (
|
||
|
"context"
|
||
|
"encoding/base64"
|
||
|
"fmt"
|
||
|
"testing"
|
||
|
"time"
|
||
|
|
||
|
"github.com/stretchr/testify/assert"
|
||
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
||
|
"golang.org/x/text/language"
|
||
|
|
||
|
"github.com/zitadel/zitadel/internal/domain"
|
||
|
"github.com/zitadel/zitadel/internal/query"
|
||
|
)
|
||
|
|
||
|
func Test_prepareRoles(t *testing.T) {
|
||
|
type args struct {
|
||
|
projectID string
|
||
|
scope []string
|
||
|
roleAudience []string
|
||
|
}
|
||
|
tests := []struct {
|
||
|
name string
|
||
|
args args
|
||
|
wantRa []string
|
||
|
wantRequestedRoles []string
|
||
|
}{
|
||
|
{
|
||
|
name: "empty scope and roleAudience",
|
||
|
args: args{
|
||
|
projectID: "projID",
|
||
|
scope: nil,
|
||
|
roleAudience: nil,
|
||
|
},
|
||
|
wantRa: nil,
|
||
|
wantRequestedRoles: nil,
|
||
|
},
|
||
|
{
|
||
|
name: "some scope and roleAudience",
|
||
|
args: args{
|
||
|
projectID: "projID",
|
||
|
scope: []string{"openid", "profile"},
|
||
|
roleAudience: []string{"project2"},
|
||
|
},
|
||
|
wantRa: []string{"project2", "projID"},
|
||
|
wantRequestedRoles: []string{},
|
||
|
},
|
||
|
{
|
||
|
name: "scope projects roles",
|
||
|
args: args{
|
||
|
projectID: "projID",
|
||
|
scope: []string{ScopeProjectsRoles, domain.ProjectIDScope + "project2" + domain.AudSuffix},
|
||
|
roleAudience: nil,
|
||
|
},
|
||
|
wantRa: []string{"project2", "projID"},
|
||
|
wantRequestedRoles: []string{},
|
||
|
},
|
||
|
{
|
||
|
name: "scope project role prefix",
|
||
|
args: args{
|
||
|
projectID: "projID",
|
||
|
scope: []string{"openid", "profile", ScopeProjectRolePrefix + "foo", ScopeProjectRolePrefix + "bar"},
|
||
|
roleAudience: nil,
|
||
|
},
|
||
|
wantRa: []string{"projID"},
|
||
|
wantRequestedRoles: []string{"foo", "bar"},
|
||
|
},
|
||
|
}
|
||
|
for _, tt := range tests {
|
||
|
t.Run(tt.name, func(t *testing.T) {
|
||
|
gotRa, gotRequestedRoles := prepareRoles(context.Background(), tt.args.projectID, tt.args.scope, tt.args.roleAudience)
|
||
|
assert.Equal(t, tt.wantRa, gotRa, "roleAudience")
|
||
|
assert.Equal(t, tt.wantRequestedRoles, gotRequestedRoles, "requestedRoles")
|
||
|
})
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func Test_userInfoToOIDC(t *testing.T) {
|
||
|
metadata := []query.UserMetadata{
|
||
|
{
|
||
|
Key: "key1",
|
||
|
Value: []byte{1, 2, 3},
|
||
|
},
|
||
|
{
|
||
|
Key: "key2",
|
||
|
Value: []byte{4, 5, 6},
|
||
|
},
|
||
|
}
|
||
|
organization := &query.UserInfoOrg{
|
||
|
ID: "orgID",
|
||
|
Name: "orgName",
|
||
|
PrimaryDomain: "orgDomain",
|
||
|
}
|
||
|
humanUserInfo := &query.OIDCUserInfo{
|
||
|
User: &query.User{
|
||
|
ID: "human1",
|
||
|
CreationDate: time.Unix(123, 456),
|
||
|
ChangeDate: time.Unix(567, 890),
|
||
|
ResourceOwner: "orgID",
|
||
|
Sequence: 22,
|
||
|
State: domain.UserStateActive,
|
||
|
Type: domain.UserTypeHuman,
|
||
|
Username: "username",
|
||
|
LoginNames: []string{"foo", "bar"},
|
||
|
PreferredLoginName: "foo",
|
||
|
Human: &query.Human{
|
||
|
FirstName: "user",
|
||
|
LastName: "name",
|
||
|
NickName: "foobar",
|
||
|
DisplayName: "xxx",
|
||
|
AvatarKey: "picture.png",
|
||
|
PreferredLanguage: language.Dutch,
|
||
|
Gender: domain.GenderDiverse,
|
||
|
Email: "foo@bar.com",
|
||
|
IsEmailVerified: true,
|
||
|
Phone: "+31123456789",
|
||
|
IsPhoneVerified: true,
|
||
|
},
|
||
|
},
|
||
|
Metadata: metadata,
|
||
|
Org: organization,
|
||
|
UserGrants: []query.UserGrant{
|
||
|
{
|
||
|
ID: "ug1",
|
||
|
CreationDate: time.Unix(444, 444),
|
||
|
ChangeDate: time.Unix(555, 555),
|
||
|
Sequence: 55,
|
||
|
Roles: []string{"role1", "role2"},
|
||
|
GrantID: "grantID",
|
||
|
State: domain.UserGrantStateActive,
|
||
|
UserID: "human1",
|
||
|
Username: "username",
|
||
|
ResourceOwner: "orgID",
|
||
|
ProjectID: "project1",
|
||
|
OrgName: "orgName",
|
||
|
OrgPrimaryDomain: "orgDomain",
|
||
|
ProjectName: "projectName",
|
||
|
UserResourceOwner: "org1",
|
||
|
},
|
||
|
},
|
||
|
}
|
||
|
machineUserInfo := &query.OIDCUserInfo{
|
||
|
User: &query.User{
|
||
|
ID: "machine1",
|
||
|
CreationDate: time.Unix(123, 456),
|
||
|
ChangeDate: time.Unix(567, 890),
|
||
|
ResourceOwner: "orgID",
|
||
|
Sequence: 23,
|
||
|
State: domain.UserStateActive,
|
||
|
Type: domain.UserTypeMachine,
|
||
|
Username: "machine",
|
||
|
PreferredLoginName: "meanMachine",
|
||
|
Machine: &query.Machine{
|
||
|
Name: "machine",
|
||
|
Description: "I'm a robot",
|
||
|
},
|
||
|
},
|
||
|
Org: organization,
|
||
|
UserGrants: []query.UserGrant{
|
||
|
{
|
||
|
ID: "ug1",
|
||
|
CreationDate: time.Unix(444, 444),
|
||
|
ChangeDate: time.Unix(555, 555),
|
||
|
Sequence: 55,
|
||
|
Roles: []string{"role1", "role2"},
|
||
|
GrantID: "grantID",
|
||
|
State: domain.UserGrantStateActive,
|
||
|
UserID: "human1",
|
||
|
Username: "username",
|
||
|
ResourceOwner: "orgID",
|
||
|
ProjectID: "project1",
|
||
|
OrgName: "orgName",
|
||
|
OrgPrimaryDomain: "orgDomain",
|
||
|
ProjectName: "projectName",
|
||
|
UserResourceOwner: "org1",
|
||
|
},
|
||
|
},
|
||
|
}
|
||
|
|
||
|
type args struct {
|
||
|
projectID string
|
||
|
user *query.OIDCUserInfo
|
||
|
scope []string
|
||
|
roleAudience []string
|
||
|
requestedRoles []string
|
||
|
}
|
||
|
tests := []struct {
|
||
|
name string
|
||
|
args args
|
||
|
want *oidc.UserInfo
|
||
|
}{
|
||
|
{
|
||
|
name: "human, empty",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
},
|
||
|
want: &oidc.UserInfo{},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, empty",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
},
|
||
|
want: &oidc.UserInfo{},
|
||
|
},
|
||
|
{
|
||
|
name: "human, scope openid",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
scope: []string{oidc.ScopeOpenID},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Subject: "human1",
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, scope openid",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
scope: []string{oidc.ScopeOpenID},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Subject: "machine1",
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "human, scope email",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
scope: []string{oidc.ScopeEmail},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
UserInfoEmail: oidc.UserInfoEmail{
|
||
|
Email: "foo@bar.com",
|
||
|
EmailVerified: true,
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, scope email",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
scope: []string{oidc.ScopeEmail},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
UserInfoEmail: oidc.UserInfoEmail{},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "human, scope profile",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
scope: []string{oidc.ScopeProfile},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
UserInfoProfile: oidc.UserInfoProfile{
|
||
|
Name: "xxx",
|
||
|
GivenName: "user",
|
||
|
FamilyName: "name",
|
||
|
Nickname: "foobar",
|
||
|
Picture: "https://foo.com/assets/orgID/picture.png",
|
||
|
Gender: "diverse",
|
||
|
Locale: oidc.NewLocale(language.Dutch),
|
||
|
UpdatedAt: oidc.FromTime(time.Unix(567, 890)),
|
||
|
PreferredUsername: "foo",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, scope profile",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
scope: []string{oidc.ScopeProfile},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
UserInfoProfile: oidc.UserInfoProfile{
|
||
|
Name: "machine",
|
||
|
UpdatedAt: oidc.FromTime(time.Unix(567, 890)),
|
||
|
PreferredUsername: "meanMachine",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "human, scope phone",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
scope: []string{oidc.ScopePhone},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
UserInfoPhone: oidc.UserInfoPhone{
|
||
|
PhoneNumber: "+31123456789",
|
||
|
PhoneNumberVerified: true,
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, scope phone",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
scope: []string{oidc.ScopePhone},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
UserInfoPhone: oidc.UserInfoPhone{},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "human, scope metadata",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
scope: []string{ScopeUserMetaData},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Claims: map[string]any{
|
||
|
ClaimUserMetaData: map[string]string{
|
||
|
"key1": base64.RawURLEncoding.EncodeToString([]byte{1, 2, 3}),
|
||
|
"key2": base64.RawURLEncoding.EncodeToString([]byte{4, 5, 6}),
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, scope metadata, none found",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
scope: []string{ScopeUserMetaData},
|
||
|
},
|
||
|
want: &oidc.UserInfo{},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, scope resource owner",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
scope: []string{ScopeResourceOwner},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Claims: map[string]any{
|
||
|
ClaimResourceOwner + "id": "orgID",
|
||
|
ClaimResourceOwner + "name": "orgName",
|
||
|
ClaimResourceOwner + "primary_domain": "orgDomain",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "human, scope org primary domain prefix",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
scope: []string{domain.OrgDomainPrimaryScope + "foo.com"},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Claims: map[string]any{
|
||
|
domain.OrgDomainPrimaryClaim: "foo.com",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "machine, scope org id",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: machineUserInfo,
|
||
|
scope: []string{domain.OrgIDScope + "orgID"},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Claims: map[string]any{
|
||
|
domain.OrgIDClaim: "orgID",
|
||
|
ClaimResourceOwner + "id": "orgID",
|
||
|
ClaimResourceOwner + "name": "orgName",
|
||
|
ClaimResourceOwner + "primary_domain": "orgDomain",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "human, roleAudience",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
roleAudience: []string{"project1"},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Claims: map[string]any{
|
||
|
ClaimProjectRoles: projectRoles{
|
||
|
"role1": {"orgID": "orgDomain"},
|
||
|
"role2": {"orgID": "orgDomain"},
|
||
|
},
|
||
|
fmt.Sprintf(ClaimProjectRolesFormat, "project1"): projectRoles{
|
||
|
"role1": {"orgID": "orgDomain"},
|
||
|
"role2": {"orgID": "orgDomain"},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "human, requested roles",
|
||
|
args: args{
|
||
|
projectID: "project1",
|
||
|
user: humanUserInfo,
|
||
|
roleAudience: []string{"project1"},
|
||
|
requestedRoles: []string{"role2"},
|
||
|
},
|
||
|
want: &oidc.UserInfo{
|
||
|
Claims: map[string]any{
|
||
|
ClaimProjectRoles: projectRoles{
|
||
|
"role2": {"orgID": "orgDomain"},
|
||
|
},
|
||
|
fmt.Sprintf(ClaimProjectRolesFormat, "project1"): projectRoles{
|
||
|
"role2": {"orgID": "orgDomain"},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
}
|
||
|
for _, tt := range tests {
|
||
|
t.Run(tt.name, func(t *testing.T) {
|
||
|
assetPrefix := "https://foo.com/assets"
|
||
|
got := userInfoToOIDC(tt.args.projectID, tt.args.user, tt.args.scope, tt.args.roleAudience, tt.args.requestedRoles, assetPrefix)
|
||
|
assert.Equal(t, tt.want, got)
|
||
|
})
|
||
|
}
|
||
|
}
|