fix: prevent intent token reuse and add expiry

(cherry picked from commit b1e60e7398)
2025-08-12 14:37:32 +00:00 · 2025-04-24 08:33:08 +02:00
parent 9f312b907d
commit 18d14959c9
47 changed files with 1058 additions and 146 deletions
--- a/internal/integration/client.go
+++ b/internal/integration/client.go
@@ -472,6 +472,26 @@ func (i *Instance) AddOrgGenericOAuthProvider(ctx context.Context, name string)
 	return resp
 }

+func (i *Instance) AddGenericOIDCProvider(ctx context.Context, name string) *admin.AddGenericOIDCProviderResponse {
+	resp, err := i.Client.Admin.AddGenericOIDCProvider(ctx, &admin.AddGenericOIDCProviderRequest{
+		Name:         name,
+		Issuer:       "https://example.com",
+		ClientId:     "clientID",
+		ClientSecret: "clientSecret",
+		Scopes:       []string{"openid", "profile", "email"},
+		ProviderOptions: &idp.Options{
+			IsLinkingAllowed:  true,
+			IsCreationAllowed: true,
+			IsAutoCreation:    true,
+			IsAutoUpdate:      true,
+			AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+		},
+		IsIdTokenMapping: false,
+	})
+	logging.OnError(err).Panic("create generic oidc idp")
+	return resp
+}
+
 func (i *Instance) AddSAMLProvider(ctx context.Context) string {
 	resp, err := i.Client.Admin.AddSAMLProvider(ctx, &admin.AddSAMLProviderRequest{
 		Name: "saml-idp",
@@ -526,6 +546,32 @@ func (i *Instance) AddSAMLPostProvider(ctx context.Context) string {
 	return resp.GetId()
 }

+func (i *Instance) AddLDAPProvider(ctx context.Context) string {
+	resp, err := i.Client.Admin.AddLDAPProvider(ctx, &admin.AddLDAPProviderRequest{
+		Name:              "ldap-idp-post",
+		Servers:           []string{"https://localhost:8000"},
+		StartTls:          false,
+		BaseDn:            "baseDn",
+		BindDn:            "admin",
+		BindPassword:      "admin",
+		UserBase:          "dn",
+		UserObjectClasses: []string{"user"},
+		UserFilters:       []string{"(objectclass=*)"},
+		Timeout:           durationpb.New(10 * time.Second),
+		Attributes: &idp.LDAPAttributes{
+			IdAttribute: "id",
+		},
+		ProviderOptions: &idp.Options{
+			IsLinkingAllowed:  true,
+			IsCreationAllowed: true,
+			IsAutoCreation:    true,
+			IsAutoUpdate:      true,
+		},
+	})
+	logging.OnError(err).Panic("create ldap idp")
+	return resp.GetId()
+}
+
 func (i *Instance) CreateIntent(ctx context.Context, idpID string) *user_v2.StartIdentityProviderIntentResponse {
 	resp, err := i.Client.UserV2.StartIdentityProviderIntent(ctx, &user_v2.StartIdentityProviderIntentRequest{
 		IdpId: idpID,
@@ -597,6 +643,23 @@ func (i *Instance) CreatePasswordSession(t *testing.T, ctx context.Context, user
 		createResp.GetDetails().GetChangeDate().AsTime(), createResp.GetDetails().GetChangeDate().AsTime()
 }

+func (i *Instance) CreateIntentSession(t *testing.T, ctx context.Context, userID, intentID, intentToken string) (id, token string, start, change time.Time) {
+	createResp, err := i.Client.SessionV2.CreateSession(ctx, &session.CreateSessionRequest{
+		Checks: &session.Checks{
+			User: &session.CheckUser{
+				Search: &session.CheckUser_UserId{UserId: userID},
+			},
+			IdpIntent: &session.CheckIDPIntent{
+				IdpIntentId:    intentID,
+				IdpIntentToken: intentToken,
+			},
+		},
+	})
+	require.NoError(t, err)
+	return createResp.GetSessionId(), createResp.GetSessionToken(),
+		createResp.GetDetails().GetChangeDate().AsTime(), createResp.GetDetails().GetChangeDate().AsTime()
+}
+
 func (i *Instance) CreateProjectGrant(ctx context.Context, projectID, grantedOrgID string) *mgmt.AddProjectGrantResponse {
 	resp, err := i.Client.Mgmt.AddProjectGrant(ctx, &mgmt.AddProjectGrantRequest{
 		GrantedOrgId: grantedOrgID,