TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 14:37:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
* fix: require permission to create and update session

* fix: require permission to fail auth requests

* merge main and fix integration tests

* fix merge

* fix integration tests

* fix integration tests

* fix saml permission check
This commit is contained in:
Livio Spring
2025-07-15 07:38:00 -04:00
committed by GitHub
parent 91487a0b23
commit 4c942f3477
33 changed files with 681 additions and 334 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
internal/api/grpc/oidc/v2/integration_test/oidc_test.go
View File

@@ -102,7 +102,7 @@ func TestServer_CreateCallback(t *testing.T) {
require.NoError(t, err)
clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err)
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID)
sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct {
name string
@@ -113,7 +113,7 @@ func TestServer_CreateCallback(t *testing.T) {
}{
{
name: "Not found",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: "123",
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
@@ -127,10 +127,10 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "session not found",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -145,10 +145,10 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "session token invalid",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -163,10 +163,10 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "fail callback",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -192,7 +192,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
@@ -214,11 +214,30 @@ func TestServer_CreateCallback(t *testing.T) {
wantErr: false,
},
{
name: "code callback",
name: "fail callback, no permission, error",
ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
Error: &oidc_pb.AuthorizationError{
Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
ErrorDescription: gu.Ptr("nope"),
ErrorUri: gu.Ptr("https://example.com/docs"),
},
},
},
wantErr: true,
},
{
name: "code callback",
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -243,7 +262,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
@@ -261,7 +280,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
@@ -283,12 +302,12 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "implicit",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit)
require.NoError(t, err)
return authRequestID
}(),
@@ -315,7 +334,7 @@ func TestServer_CreateCallback(t *testing.T) {
AuthRequestId: func() string {
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit)
require.NoError(t, err)
return authRequestID
}(),
@@ -363,7 +382,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}{
{
name: "usergrant to project and different resourceowner with different project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
projectID2, _ := createOIDCApplication(ctx, t, true, true)
@@ -373,13 +392,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "usergrant to project and different resourceowner with project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -388,7 +407,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -400,7 +419,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "usergrant to project grant and different resourceowner with project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -409,7 +428,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -421,31 +440,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "no usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "no usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -453,19 +472,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -477,13 +496,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -495,25 +514,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, no usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "projectRoleCheck, usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -525,19 +544,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, no usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "projectRoleCheck, usergrant on project grant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
@@ -545,7 +564,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -557,25 +576,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, no usergrant on project grant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "hasProjectCheck, same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
user := Instance.CreateHumanUser(ctx)
_, clientID := createOIDCApplication(ctx, t, false, true)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -587,19 +606,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "hasProjectCheck, different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, false, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "hasProjectCheck, different resourceowner with project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, false, true)
@@ -607,7 +626,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -655,15 +674,15 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) {
UserCode: "notFound",
}, nil
},
ctx: CTX,
ctx: CTXLoginClient,
wantErr: true,
},
{
name: "success",
dep: func() (*oidc.DeviceAuthorizationResponse, error) {
return Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
return Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
},
ctx: CTX,
ctx: CTXLoginClient,
},
}
for _, tt := range tests {
@@ -671,7 +690,7 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) {
deviceAuth, err := tt.dep()
require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
got, err := Client.GetDeviceAuthorizationRequest(tt.ctx, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: deviceAuth.UserCode,
@@ -697,7 +716,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
project := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)
client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE)
require.NoError(t, err)
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID)
sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct {
name string
@@ -710,7 +729,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
}{
{
name: "Not found",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: "123",
Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{
@@ -724,14 +743,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
},
{
name: "session not found",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err)
var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode,
})
assert.NoError(t, err)
@@ -750,14 +769,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
},
{
name: "session token invalid",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err)
var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode,
})
assert.NoError(collectT, err)
@@ -776,14 +795,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
},
{
name: "deny device authorization",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err)
var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode,
})
assert.NoError(collectT, err)
@@ -796,16 +815,38 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{},
wantErr: false,
},
{
name: "deny device authorization, no permission, error",
ctx: CTX,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err)
var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode,
})
assert.NoError(collectT, err)
id = resp.GetDeviceAuthorizationRequest().GetId()
}, 5*time.Second, 100*time.Millisecond)
return id
}(),
Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny{},
},
want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{},
wantErr: true,
},
{
name: "authorize, no permission, error",
ctx: CTX,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err)
var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode,
})
assert.NoError(collectT, err)
@@ -827,11 +868,11 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err)
var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode,
})
assert.NoError(collectT, err)

127
internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go
View File

@@ -39,22 +39,22 @@ func TestServer_GetAuthRequest(t *testing.T) {
dep: func() (time.Time, string, error) {
return time.Now(), "123", nil
},
ctx: CTX,
ctx: CTXLoginClient,
wantErr: true,
},
{
name: "success",
dep: func() (time.Time, string, error) {
return Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
return Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
},
ctx: CTX,
ctx: CTXLoginClient,
},
{
name: "without login client, no permission",
dep: func() (time.Time, string, error) {
client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err)
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "")
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "")
},
ctx: CTX,
wantErr: true,
@@ -64,7 +64,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
dep: func() (time.Time, string, error) {
client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err)
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "")
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "")
},
ctx: CTXLoginClient,
@@ -75,7 +75,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
now, authRequestID, err := tt.dep()
require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
got, err := Client.GetAuthRequest(tt.ctx, &oidc_pb.GetAuthRequestRequest{
AuthRequestId: authRequestID,
@@ -101,7 +101,7 @@ func TestServer_CreateCallback(t *testing.T) {
require.NoError(t, err)
clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err)
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID)
sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct {
name string
@@ -114,7 +114,7 @@ func TestServer_CreateCallback(t *testing.T) {
}{
{
name: "Not found",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: "123",
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
@@ -128,10 +128,10 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "session not found",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -146,10 +146,10 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "session token invalid",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -164,10 +164,10 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "fail callback",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -193,7 +193,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
@@ -215,11 +215,30 @@ func TestServer_CreateCallback(t *testing.T) {
wantErr: false,
},
{
name: "code callback",
name: "fail callback, no permission, error",
ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
Error: &oidc_pb.AuthorizationError{
Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
ErrorDescription: gu.Ptr("nope"),
ErrorUri: gu.Ptr("https://example.com/docs"),
},
},
},
wantErr: true,
},
{
name: "code callback",
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
@@ -244,7 +263,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
@@ -262,7 +281,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
@@ -284,12 +303,12 @@ func TestServer_CreateCallback(t *testing.T) {
},
{
name: "implicit",
ctx: CTX,
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit)
require.NoError(t, err)
return authRequestID
}(),
@@ -316,7 +335,7 @@ func TestServer_CreateCallback(t *testing.T) {
AuthRequestId: func() string {
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2)
require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit)
require.NoError(t, err)
return authRequestID
}(),
@@ -364,7 +383,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}{
{
name: "usergrant to project and different resourceowner with different project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
projectID2, _ := createOIDCApplication(ctx, t, true, true)
@@ -374,13 +393,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "usergrant to project and different resourceowner with project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -389,7 +408,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -401,7 +420,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "usergrant to project grant and different resourceowner with project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -410,7 +429,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -422,31 +441,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "no usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "no usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -454,19 +473,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -478,13 +497,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -496,25 +515,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, no usergrant and same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "projectRoleCheck, usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -526,19 +545,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, no usergrant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "projectRoleCheck, usergrant on project grant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
@@ -546,7 +565,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -558,25 +577,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "projectRoleCheck, no usergrant on project grant and different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "hasProjectCheck, same resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
user := Instance.CreateHumanUser(ctx)
_, clientID := createOIDCApplication(ctx, t, false, true)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -588,19 +607,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
},
{
name: "hasProjectCheck, different resourceowner",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, false, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
wantErr: true,
},
{
name: "hasProjectCheck, different resourceowner with project grant",
ctx: CTX,
ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, false, true)
@@ -608,7 +627,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
},
want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,

114
internal/api/grpc/saml/v2/integration_test/saml_test.go
View File

@@ -48,13 +48,13 @@ func TestServer_GetSAMLRequest(t *testing.T) {
{
name: "success, redirect binding",
dep: func() (time.Time, string, error) {
return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
},
},
{
name: "success, post binding",
dep: func() (time.Time, string, error) {
return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
},
},
}
@@ -63,9 +63,9 @@ func TestServer_GetSAMLRequest(t *testing.T) {
creationTime, authRequestID, err := tt.dep()
require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(LoginCTX, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
got, err := Client.GetSAMLRequest(CTX, &saml_pb.GetSAMLRequestRequest{
got, err := Client.GetSAMLRequest(LoginCTX, &saml_pb.GetSAMLRequestRequest{
SamlRequestId: authRequestID,
})
if tt.wantErr {
@@ -90,10 +90,11 @@ func TestServer_CreateResponse(t *testing.T) {
_, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false)
_, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false)
sessionResp := createSession(CTX, t, Instance.Users[integration.UserTypeOrgOwner].ID)
sessionResp := createSession(LoginCTX, t, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct {
name string
ctx context.Context
req *saml_pb.CreateResponseRequest
AuthError string
want *saml_pb.CreateResponseResponse
@@ -102,6 +103,7 @@ func TestServer_CreateResponse(t *testing.T) {
}{
{
name: "Not found",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: "123",
ResponseKind: &saml_pb.CreateResponseRequest_Session{
@@ -115,9 +117,10 @@ func TestServer_CreateResponse(t *testing.T) {
},
{
name: "session not found",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
require.NoError(t, err)
return authRequestID
}(),
@@ -132,9 +135,10 @@ func TestServer_CreateResponse(t *testing.T) {
},
{
name: "session token invalid",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
require.NoError(t, err)
return authRequestID
}(),
@@ -149,9 +153,10 @@ func TestServer_CreateResponse(t *testing.T) {
},
{
name: "fail callback, post",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
return authRequestID
}(),
@@ -177,11 +182,12 @@ func TestServer_CreateResponse(t *testing.T) {
},
{
name: "fail callback, post, already failed",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
Instance.FailSAMLAuthRequest(CTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED)
Instance.FailSAMLAuthRequest(LoginCTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED)
return authRequestID
}(),
ResponseKind: &saml_pb.CreateResponseRequest_Error{
@@ -195,9 +201,10 @@ func TestServer_CreateResponse(t *testing.T) {
},
{
name: "fail callback, redirect",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
return authRequestID
}(),
@@ -219,10 +226,29 @@ func TestServer_CreateResponse(t *testing.T) {
wantErr: false,
},
{
name: "callback, redirect",
name: "fail callback, no permission, error",
ctx: CTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
return authRequestID
}(),
ResponseKind: &saml_pb.CreateResponseRequest_Error{
Error: &saml_pb.AuthorizationError{
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
ErrorDescription: gu.Ptr("nope"),
},
},
},
wantErr: true,
},
{
name: "callback, redirect",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
require.NoError(t, err)
return authRequestID
}(),
@@ -245,9 +271,10 @@ func TestServer_CreateResponse(t *testing.T) {
},
{
name: "callback, post",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
return authRequestID
}(),
@@ -273,11 +300,30 @@ func TestServer_CreateResponse(t *testing.T) {
},
{
name: "callback, post",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
Instance.SuccessfulSAMLAuthRequest(LoginCTX, Instance.Users[integration.UserTypeLogin].ID, authRequestID)
return authRequestID
}(),
ResponseKind: &saml_pb.CreateResponseRequest_Session{
Session: &saml_pb.Session{
SessionId: sessionResp.GetSessionId(),
SessionToken: sessionResp.GetSessionToken(),
},
},
},
wantErr: true,
},
{
name: "callback, no permission, error",
ctx: CTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
Instance.SuccessfulSAMLAuthRequest(CTX, Instance.Users[integration.UserTypeOrgOwner].ID, authRequestID)
return authRequestID
}(),
ResponseKind: &saml_pb.CreateResponseRequest_Session{
@@ -292,7 +338,7 @@ func TestServer_CreateResponse(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.CreateResponse(CTX, tt.req)
got, err := Client.CreateResponse(tt.ctx, tt.req)
if tt.wantErr {
require.Error(t, err)
return
@@ -336,7 +382,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -350,7 +396,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -372,7 +418,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -391,7 +437,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -401,7 +447,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
user := Instance.CreateHumanUser(ctx)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -414,7 +460,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -426,7 +472,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -445,7 +491,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -462,7 +508,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
user := Instance.CreateHumanUser(ctx)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -474,7 +520,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -492,7 +538,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -506,7 +552,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -526,7 +572,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -536,7 +582,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
user := Instance.CreateHumanUser(ctx)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -554,7 +600,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
wantErr: true,
},
@@ -566,7 +612,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
},
want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -582,7 +628,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
req := tt.dep(IAMCTX, t)
got, err := Client.CreateResponse(CTX, req)
got, err := Client.CreateResponse(LoginCTX, req)
if tt.wantErr {
require.Error(t, err)
return

2
internal/api/grpc/saml/v2/integration_test/server_test.go
View File

@@ -15,6 +15,7 @@ import (
var (
CTX context.Context
IAMCTX context.Context
LoginCTX context.Context
Instance *integration.Instance
Client saml_pb.SAMLServiceClient
)
@@ -29,6 +30,7 @@ func TestMain(m *testing.M) {
IAMCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
return m.Run()
}())
}

12
internal/api/grpc/session/v2/integration_test/query_test.go
View File

@@ -72,7 +72,7 @@ func TestServer_GetSession(t *testing.T) {
{
name: "get session, permission, ok",
args: args{
CTX,
IAMOwnerCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(ctx, &session.CreateSessionRequest{})
@@ -213,7 +213,7 @@ func TestServer_GetSession(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
var sequence uint64
if tt.args.dep != nil {
sequence = tt.args.dep(CTX, t, tt.args.req)
sequence = tt.args.dep(LoginCTX, t, tt.args.req)
}
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
@@ -360,7 +360,7 @@ func TestServer_ListSessions(t *testing.T) {
{
name: "list sessions, permission, ok",
args: args{
CTX,
IAMOwnerCTX,
&session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
info := createSession(ctx, t, "", "", nil, nil)
@@ -501,7 +501,7 @@ func TestServer_ListSessions(t *testing.T) {
{
name: "list sessions, own creator, ok",
args: args{
CTX,
LoginCTX,
&session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -542,7 +542,7 @@ func TestServer_ListSessions(t *testing.T) {
info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
request.Queries = append(request.Queries,
&session.SearchQuery{Query: &session.SearchQuery_IdsQuery{IdsQuery: &session.IDsQuery{Ids: []string{info.ID}}}},
&session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeOrgOwner).ID)}}})
&session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeLogin).ID)}}})
return []*sessionAttr{info}
},
},
@@ -682,7 +682,7 @@ func TestServer_ListSessions(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
infos := tt.args.dep(CTX, t, tt.args.req)
infos := tt.args.dep(LoginCTX, t, tt.args.req)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) {

78
internal/api/grpc/session/v2/integration_test/session_test.go
View File

@@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.CreateSession(CTX, tt.req)
got, err := Client.CreateSession(LoginCTX, tt.req)
if tt.wantErr {
require.Error(t, err)
return
@@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
require.NoError(t, err)
for i := 0; i <= maxAttempts; i++ {
_, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
_, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
func TestServer_CreateSession_webauthn(t *testing.T) {
// create new session with user and request the webauthn challenge
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
require.NoError(t, err)
// update the session with webauthn assertion data
updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
require.NoError(t, err)
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -402,7 +402,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
// session with intent check must now succeed
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -422,7 +422,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -435,7 +435,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
intent := Instance.CreateIntent(CTX, idpID)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{
_, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
IdpIntent: &session.CheckIDPIntent{
@@ -556,13 +556,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
userExisting := createFullUser(CTX)
// create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
User: &session.CheckUser{
@@ -578,7 +578,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
})
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -594,7 +594,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -616,7 +616,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
Totp: &session.CheckTOTP{
@@ -630,13 +630,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
})
userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret)
createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
sessionTokenImport := createRespImport.GetSessionToken()
verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{
User: &session.CheckUser{
@@ -653,7 +653,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{
Totp: &session.CheckTOTP{
@@ -669,13 +669,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
func TestServer_SetSession_flow(t *testing.T) {
// create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
User: &session.CheckUser{
@@ -691,7 +691,7 @@ func TestServer_SetSession_flow(t *testing.T) {
})
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -707,7 +707,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -733,7 +733,7 @@ func TestServer_SetSession_flow(t *testing.T) {
session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
} {
t.Run(userVerificationRequirement.String(), func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -749,7 +749,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false)
require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -767,7 +767,7 @@ func TestServer_SetSession_flow(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
Totp: &session.CheckTOTP{
@@ -781,7 +781,7 @@ func TestServer_SetSession_flow(t *testing.T) {
})
t.Run("check OTP SMS", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true},
@@ -794,7 +794,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpSms()
require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
OtpSms: &session.CheckOTP{
@@ -808,7 +808,7 @@ func TestServer_SetSession_flow(t *testing.T) {
})
t.Run("check OTP Email", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
OtpEmail: &session.RequestChallenges_OTPEmail{
@@ -823,7 +823,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpEmail()
require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
OtpEmail: &session.CheckOTP{
@@ -838,13 +838,13 @@ func TestServer_SetSession_flow(t *testing.T) {
}
func TestServer_SetSession_expired(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Lifetime: durationpb.New(20 * time.Second),
})
require.NoError(t, err)
// test session token works
_, err = Instance.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{
_, err = Instance.Client.SessionV2.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second),
})
@@ -852,7 +852,7 @@ func TestServer_SetSession_expired(t *testing.T) {
// ensure session expires and does not work anymore
time.Sleep(20 * time.Second)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{
_, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second),
})
@@ -860,7 +860,7 @@ func TestServer_SetSession_expired(t *testing.T) {
}
func TestServer_DeleteSession_token(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
_, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
@@ -880,14 +880,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
// create two users for the test and a session each to get tokens for authorization
user1 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false)
_, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword)
_, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword)
user2 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false)
_, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword)
_, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword)
// create a new session for the first user
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -912,7 +912,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
}
func TestServer_DeleteSession_with_permission(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -932,7 +932,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) {
func Test_ZITADEL_API_missing_authentication(t *testing.T) {
// create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
@@ -947,7 +947,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
}
func Test_ZITADEL_API_success(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
ctx := integration.WithAuthorizationToken(context.Background(), token)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -963,7 +963,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
}
func Test_ZITADEL_API_session_not_found(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
// test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token)
@@ -994,7 +994,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) {
}
func Test_ZITADEL_API_session_expired(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second)
id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second)
// test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token)

2
internal/api/grpc/session/v2/session.go
View File

@@ -51,7 +51,7 @@ func (s *Server) SetSession(ctx context.Context, req *connect.Request[session.Se
return nil, err
}
set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), req.Msg.GetSessionToken(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
if err != nil {
return nil, err
}

30
internal/api/grpc/session/v2beta/integration_test/query_test.go
View File

@@ -61,7 +61,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
request.SessionId = resp.SessionId
return resp.GetDetails().GetSequence()
@@ -72,10 +72,10 @@ func TestServer_GetSession(t *testing.T) {
{
name: "get session, permission, ok",
args: args{
CTX,
IAMOwnerCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
request.SessionId = resp.SessionId
return resp.GetDetails().GetSequence()
@@ -91,7 +91,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
request.SessionId = resp.SessionId
request.SessionToken = gu.Ptr(resp.SessionToken)
@@ -108,7 +108,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
UserAgent: &session.UserAgent{
FingerprintId: gu.Ptr("fingerPrintID"),
Ip: gu.Ptr("1.2.3.4"),
@@ -144,7 +144,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Lifetime: durationpb.New(5 * time.Minute),
},
)
@@ -165,7 +165,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Metadata: map[string][]byte{"foo": []byte("bar")},
},
)
@@ -187,7 +187,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX,
&session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -337,7 +337,7 @@ func TestServer_ListSessions(t *testing.T) {
},
},
{
name: "list sessions, wrong creator",
name: "list sessions, no permission",
args: args{
UserCTX,
&session.ListSessionsRequest{},
@@ -349,7 +349,7 @@ func TestServer_ListSessions(t *testing.T) {
},
want: &session.ListSessionsResponse{
Details: &object.ListDetails{
TotalResult: 0,
TotalResult: 1,
Timestamp: timestamppb.Now(),
},
Sessions: []*session.Session{},
@@ -358,7 +358,7 @@ func TestServer_ListSessions(t *testing.T) {
{
name: "list sessions, full, ok",
args: args{
CTX,
IAMOwnerCTX,
&session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -391,7 +391,7 @@ func TestServer_ListSessions(t *testing.T) {
{
name: "list sessions, multiple, ok",
args: args{
CTX,
IAMOwnerCTX,
&session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
infos := createSessions(ctx, t, 3, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -446,7 +446,7 @@ func TestServer_ListSessions(t *testing.T) {
{
name: "list sessions, userid, ok",
args: args{
CTX,
IAMOwnerCTX,
&session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
createdUser := createFullUser(ctx)
@@ -480,7 +480,7 @@ func TestServer_ListSessions(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
infos := tt.args.dep(CTX, t, tt.args.req)
infos := tt.args.dep(LoginCTX, t, tt.args.req)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
@@ -499,7 +499,7 @@ func TestServer_ListSessions(t *testing.T) {
}
// expected count of sessions is not equal to received sessions
if !assert.Equal(ttt, got.Details.TotalResult, tt.want.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) {
if !assert.Equal(ttt, tt.want.Details.TotalResult, got.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) {
return
}

2
internal/api/grpc/session/v2beta/integration_test/server_test.go
View File

@@ -18,6 +18,7 @@ import (
var (
CTX context.Context
IAMOwnerCTX context.Context
LoginCTX context.Context
UserCTX context.Context
Instance *integration.Instance
Client session.SessionServiceClient
@@ -36,6 +37,7 @@ func TestMain(m *testing.M) {
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
User = createFullUser(CTX)
DeactivatedUser = createDeactivatedUser(CTX)

82
internal/api/grpc/session/v2beta/integration_test/session_test.go
View File

@@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := Client.CreateSession(CTX, tt.req)
got, err := Client.CreateSession(LoginCTX, tt.req)
if tt.wantErr {
require.Error(t, err)
return
@@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
require.NoError(t, err)
for i := 0; i <= maxAttempts; i++ {
_, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
_, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
func TestServer_CreateSession_webauthn(t *testing.T) {
// create new session with user and request the webauthn challenge
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
require.NoError(t, err)
// update the session with webauthn assertion data
updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -342,7 +342,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
func TestServer_CreateSession_successfulIntent(t *testing.T) {
idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -356,7 +356,7 @@ func TestServer_CreateSession_successfulIntent(t *testing.T) {
intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
require.NoError(t, err)
updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
IdpIntent: &session.CheckIDPIntent{
@@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
require.NoError(t, err)
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -403,7 +403,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
// session with intent check must now succeed
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -423,7 +423,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -436,7 +436,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
intent := Instance.CreateIntent(CTX, idpID)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{
_, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
IdpIntent: &session.CheckIDPIntent{
@@ -557,13 +557,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
userExisting := createFullUser(CTX)
// create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
User: &session.CheckUser{
@@ -579,7 +579,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
})
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -595,7 +595,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -617,7 +617,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
Totp: &session.CheckTOTP{
@@ -631,13 +631,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
})
userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret)
createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
sessionTokenImport := createRespImport.GetSessionToken()
verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{
User: &session.CheckUser{
@@ -654,7 +654,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{
Totp: &session.CheckTOTP{
@@ -670,13 +670,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
func TestServer_SetSession_flow(t *testing.T) {
// create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
User: &session.CheckUser{
@@ -692,7 +692,7 @@ func TestServer_SetSession_flow(t *testing.T) {
})
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -708,7 +708,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -734,7 +734,7 @@ func TestServer_SetSession_flow(t *testing.T) {
session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
} {
t.Run(userVerificationRequirement.String(), func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -750,7 +750,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false)
require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{
@@ -768,7 +768,7 @@ func TestServer_SetSession_flow(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
Totp: &session.CheckTOTP{
@@ -782,7 +782,7 @@ func TestServer_SetSession_flow(t *testing.T) {
})
t.Run("check OTP SMS", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true},
@@ -795,7 +795,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpSms()
require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
OtpSms: &session.CheckOTP{
@@ -809,7 +809,7 @@ func TestServer_SetSession_flow(t *testing.T) {
})
t.Run("check OTP Email", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{
OtpEmail: &session.RequestChallenges_OTPEmail{
@@ -824,7 +824,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpEmail()
require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Checks: &session.Checks{
OtpEmail: &session.CheckOTP{
@@ -839,13 +839,13 @@ func TestServer_SetSession_flow(t *testing.T) {
}
func TestServer_SetSession_expired(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Lifetime: durationpb.New(20 * time.Second),
})
require.NoError(t, err)
// test session token works
_, err = Client.SetSession(CTX, &session.SetSessionRequest{
_, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second),
})
@@ -853,7 +853,7 @@ func TestServer_SetSession_expired(t *testing.T) {
// ensure session expires and does not work anymore
time.Sleep(20 * time.Second)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{
_, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second),
})
@@ -861,7 +861,7 @@ func TestServer_SetSession_expired(t *testing.T) {
}
func TestServer_DeleteSession_token(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
_, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
@@ -881,14 +881,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
// create two users for the test and a session each to get tokens for authorization
user1 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false)
_, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword)
_, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword)
user2 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false)
_, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword)
_, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword)
// create a new session for the first user
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -913,7 +913,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
}
func TestServer_DeleteSession_with_permission(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{
@@ -933,7 +933,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) {
func Test_ZITADEL_API_missing_authentication(t *testing.T) {
// create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
@@ -948,7 +948,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
}
func Test_ZITADEL_API_success(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
ctx := integration.WithAuthorizationToken(context.Background(), token)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -964,7 +964,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
}
func Test_ZITADEL_API_session_not_found(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
// test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token)
@@ -995,7 +995,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) {
}
func Test_ZITADEL_API_session_expired(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second)
id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second)
// test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token)

10
internal/api/grpc/session/v2beta/session.go
View File

@@ -12,7 +12,6 @@ import (
"google.golang.org/protobuf/types/known/structpb"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/authz"
object "github.com/zitadel/zitadel/internal/api/grpc/object/v2beta"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
@@ -90,7 +89,7 @@ func (s *Server) SetSession(ctx context.Context, req *connect.Request[session.Se
return nil, err
}
set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
set, err := s.command.UpdateSession(ctx, req.Msg.GetSessionId(), req.Msg.GetSessionToken(), cmds, req.Msg.GetMetadata(), req.Msg.GetLifetime().AsDuration())
if err != nil {
return nil, err
}
@@ -256,18 +255,13 @@ func listSessionsRequestToQuery(ctx context.Context, req *session.ListSessionsRe
}
func sessionQueriesToQuery(ctx context.Context, queries []*session.SearchQuery) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries)+1)
q := make([]query.SearchQuery, len(queries))
for i, v := range queries {
q[i], err = sessionQueryToQuery(v)
if err != nil {
return nil, err
}
}
creatorQuery, err := query.NewSessionCreatorSearchQuery(authz.GetCtxData(ctx).UserID)
if err != nil {
return nil, err
}
q[len(queries)] = creatorQuery
return q, nil
}

20
internal/api/grpc/user/v2/integration_test/otp_test.go
View File

@@ -17,11 +17,11 @@ import (
func TestServer_AddOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX)
_, err := Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
})
require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
func TestServer_RemoveOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
userSelf := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
_, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
UserId: userSelf.GetUserId(),
@@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
func TestServer_AddOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX)
_, err := Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
})
require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
func TestServer_RemoveOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -335,7 +335,7 @@ func TestServer_RemoveOTPEmail(t *testing.T) {
userSelf := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
_, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
UserId: userSelf.GetUserId(),

2
internal/api/grpc/user/v2/integration_test/passkey_test.go
View File

@@ -28,7 +28,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
// We also need a user session
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
type args struct {
ctx context.Context

2
internal/api/grpc/user/v2/integration_test/phone_test.go
View File

@@ -256,7 +256,7 @@ func TestServer_Deprecated_RemovePhone(t *testing.T) {
doubleRemoveUser := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
tests := []struct {
name string

12
internal/api/grpc/user/v2/integration_test/totp_test.go
View File

@@ -20,12 +20,12 @@ import (
func TestServer_RegisterTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
type args struct {
@@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) {
func TestServer_VerifyTOTPRegistration(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
reg, err := Client.RegisterTOTP(ctx, &user.RegisterTOTPRequest{
@@ -118,7 +118,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
@@ -209,11 +209,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
func TestServer_RemoveTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
_, err := Instance.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
UserId: userVerified.GetUserId(),

6
internal/api/grpc/user/v2/integration_test/u2f_test.go
View File

@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) {
// We also need a user session
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
type args struct {
ctx context.Context
@@ -183,7 +183,7 @@ func TestServer_VerifyU2FRegistration(t *testing.T) {
func ctxFromNewUserWithRegisteredU2F(t *testing.T) (context.Context, string, *user.RegisterU2FResponse) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{

6
internal/api/grpc/user/v2/integration_test/user_test.go
View File

@@ -34,6 +34,7 @@ import (
var (
CTX context.Context
IamCTX context.Context
LoginCTX context.Context
UserCTX context.Context
SystemCTX context.Context
SystemUserWithNoPermissionsCTX context.Context
@@ -51,6 +52,7 @@ func TestMain(m *testing.M) {
SystemUserWithNoPermissionsCTX = integration.WithSystemUserWithNoPermissionsAuthorization(ctx)
UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
SystemCTX = integration.WithSystemAuthorization(ctx)
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
Client = Instance.Client.UserV2
@@ -1853,7 +1855,7 @@ func TestServer_DeleteUser(t *testing.T) {
require.NoError(t, err)
request.UserId = removeUser.Id
Instance.RegisterUserPasskey(CTX, removeUser.Id)
_, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, removeUser.Id)
_, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, removeUser.Id)
return integration.WithAuthorizationToken(UserCTX, token)
},
},
@@ -2745,7 +2747,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
func ctxFromNewUserWithRegisteredPasswordlessLegacy(t *testing.T) (context.Context, string, *auth.AddMyPasswordlessResponse) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
pkr, err := Instance.Client.Auth.AddMyPasswordless(ctx, &auth.AddMyPasswordlessRequest{})

18
internal/api/grpc/user/v2beta/integration_test/otp_test.go
View File

@@ -17,11 +17,11 @@ import (
func TestServer_AddOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX)
_, err := Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
})
require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
func TestServer_RemoveOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
userSelf := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
_, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{
UserId: userSelf.GetUserId(),
@@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
func TestServer_AddOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX)
_, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
})
require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
func TestServer_RemoveOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())

2
internal/api/grpc/user/v2beta/integration_test/passkey_test.go
View File

@@ -27,7 +27,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
// We also need a user session
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
type args struct {
ctx context.Context

2
internal/api/grpc/user/v2beta/integration_test/phone_test.go
View File

@@ -258,7 +258,7 @@ func TestServer_RemovePhone(t *testing.T) {
doubleRemoveUser := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
tests := []struct {
name string

12
internal/api/grpc/user/v2beta/integration_test/totp_test.go
View File

@@ -20,12 +20,12 @@ import (
func TestServer_RegisterTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
type args struct {
@@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) {
func TestServer_VerifyTOTPRegistration(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
var reg *user.RegisterTOTPResponse
@@ -123,7 +123,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
@@ -214,11 +214,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
func TestServer_RemoveTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
_, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
UserId: userVerified.GetUserId(),

6
internal/api/grpc/user/v2beta/integration_test/u2f_test.go
View File

@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) {
// We also need a user session
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
type args struct {
ctx context.Context
@@ -108,7 +108,7 @@ func TestServer_RegisterU2F(t *testing.T) {
func TestServer_VerifyU2FRegistration(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken)
pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{

2
internal/api/grpc/user/v2beta/integration_test/user_test.go
View File

@@ -31,6 +31,7 @@ import (
var (
CTX context.Context
IamCTX context.Context
LoginCTX context.Context
UserCTX context.Context
SystemCTX context.Context
Instance *integration.Instance
@@ -46,6 +47,7 @@ func TestMain(m *testing.M) {
UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
SystemCTX = integration.WithSystemAuthorization(ctx)
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
Client = Instance.Client.UserV2beta

2
internal/api/oidc/integration_test/oidc_test.go
View File

@@ -90,7 +90,7 @@ func Test_ZITADEL_API_missing_audience_scope(t *testing.T) {
func Test_ZITADEL_API_missing_authentication(t *testing.T) {
clientID, _ := createClient(t, Instance)
authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
createResp, err := Instance.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{
createResp, err := Instance.Client.SessionV2.CreateSession(CTXLOGIN, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
Search: &session.CheckUser_UserId{UserId: User.GetUserId()},

5
internal/command/auth_request.go
View File

@@ -137,6 +137,11 @@ func (c *Commands) FailAuthRequest(ctx context.Context, id string, reason domain
if writeModel.AuthRequestState != domain.AuthRequestStateAdded {
return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled")
}
if authz.GetCtxData(ctx).UserID != writeModel.LoginClient {
if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil {
return nil, nil, err
}
}
err = c.pushAppendAndReduce(ctx, writeModel, authrequest.NewFailedEvent(
ctx,
&authrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,

46
internal/command/auth_request_test.go
View File

@@ -911,7 +911,8 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
func TestCommands_FailAuthRequest(t *testing.T) {
mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient")
type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore
eventstore func(*testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
@@ -945,6 +946,45 @@ func TestCommands_FailAuthRequest(t *testing.T) {
wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled"),
},
},
{
"missing permission",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
authrequest.NewAddedEvent(mockCtx, &authrequest.NewAggregate("V2_id", "instanceID").Aggregate,
"login",
"clientID",
"redirectURI",
"state",
"nonce",
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
nil,
nil,
nil,
true,
"issuer",
),
),
),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: mockCtx,
id: "V2_id",
reason: domain.OIDCErrorReasonLoginRequired,
},
res{
wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{
"failed",
fields{
@@ -977,6 +1017,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
domain.OIDCErrorReasonLoginRequired),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: mockCtx,
@@ -1006,7 +1047,8 @@ func TestCommands_FailAuthRequest(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
details, got, err := c.FailAuthRequest(tt.args.ctx, tt.args.id, tt.args.reason)
require.ErrorIs(t, err, tt.res.wantErr)

3
internal/command/device_auth.go
View File

@@ -136,6 +136,9 @@ func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domai
if !model.State.Exists() {
return nil, zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound")
}
if err := c.checkPermission(ctx, domain.PermissionSessionLink, model.ResourceOwner, ""); err != nil {
return nil, err
}
pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, model.aggregate, reason))
if err != nil {
return nil, err

29
internal/command/device_auth_test.go
View File

@@ -578,7 +578,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
pushErr := errors.New("pushErr")
type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore
eventstore func(*testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
@@ -602,6 +603,26 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantErr: zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound"),
},
{
name: "missing permission, error",
fields: fields{
eventstore: expectEventstore(
expectFilter(eventFromEventPusherWithInstanceID(
"instance1",
deviceauth.NewAddedEvent(
ctx,
deviceauth.NewAggregate("123", "instance1"),
"client_id", "123", "456", now,
[]string{"a", "b", "c"},
[]string{"projectID", "clientID"}, true,
),
)),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
{
name: "push error",
fields: fields{
@@ -623,6 +644,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantErr: pushErr,
@@ -648,6 +670,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantDetails: &domain.ObjectDetails{
@@ -675,6 +698,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{ctx, "123", domain.DeviceAuthCanceledExpired},
wantDetails: &domain.ObjectDetails{
@@ -685,7 +709,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason)
require.ErrorIs(t, err, tt.wantErr)

3
internal/command/saml_request.go
View File

@@ -119,6 +119,9 @@ func (c *Commands) FailSAMLRequest(ctx context.Context, id string, reason domain
if writeModel.SAMLRequestState != domain.SAMLRequestStateAdded {
return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled")
}
if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil {
return nil, nil, err
}
err = c.pushAppendAndReduce(ctx, writeModel, samlrequest.NewFailedEvent(
ctx,
&samlrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,

43
internal/command/saml_request_test.go
View File

@@ -786,7 +786,8 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
func TestCommands_FailSAMLRequest(t *testing.T) {
mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient")
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
eventstore func(t *testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
@@ -820,7 +821,40 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
res{
wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled"),
},
}, {
},
{
"missing permission",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
samlrequest.NewAddedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate,
"login",
"application",
"acs",
"relaystate",
"request",
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: mockCtx,
id: "V2_id",
reason: domain.SAMLErrorReasonAuthNFailed,
description: "desc",
},
res{
wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{
"already failed",
fields{
eventstore: expectEventstore(
@@ -843,6 +877,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: mockCtx,
@@ -879,6 +914,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: mockCtx,
@@ -908,7 +944,8 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
details, got, err := c.FailSAMLRequest(tt.args.ctx, tt.args.id, tt.args.reason)
require.ErrorIs(t, err, tt.res.wantErr)

37
internal/command/session.go
View File

@@ -285,7 +285,13 @@ func (s *SessionCommands) commands(ctx context.Context) (string, []eventstore.Co
return token, s.eventCommands, nil
}
func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, metadata map[string][]byte, userAgent *domain.UserAgent, lifetime time.Duration) (set *SessionChanged, err error) {
func (c *Commands) CreateSession(
ctx context.Context,
cmds []SessionCommand,
metadata map[string][]byte,
userAgent *domain.UserAgent,
lifetime time.Duration,
) (set *SessionChanged, err error) {
sessionID, err := c.idGenerator.Next()
if err != nil {
return nil, err
@@ -295,17 +301,29 @@ func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, met
if err != nil {
return nil, err
}
if err = c.checkSessionWritePermission(ctx, sessionWriteModel, ""); err != nil {
return nil, err
}
cmd := c.NewSessionCommands(cmds, sessionWriteModel)
cmd.Start(ctx, userAgent)
return c.updateSession(ctx, cmd, metadata, lifetime)
}
func (c *Commands) UpdateSession(ctx context.Context, sessionID string, cmds []SessionCommand, metadata map[string][]byte, lifetime time.Duration) (set *SessionChanged, err error) {
func (c *Commands) UpdateSession(
ctx context.Context,
sessionID, sessionToken string,
cmds []SessionCommand,
metadata map[string][]byte,
lifetime time.Duration,
) (set *SessionChanged, err error) {
sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID())
err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
if err != nil {
return nil, err
}
if err = c.checkSessionWritePermission(ctx, sessionWriteModel, sessionToken); err != nil {
return nil, err
}
cmd := c.NewSessionCommands(cmds, sessionWriteModel)
return c.updateSession(ctx, cmd, metadata, lifetime)
}
@@ -380,6 +398,21 @@ func (c *Commands) updateSession(ctx context.Context, checks *SessionCommands, m
return changed, nil
}
// checkSessionWritePermission will check that the provided sessionToken is correct or
// if empty, check that the caller is granted the "session.write" permission on the resource owner of the authenticated user.
// In case the user is not set and the userResourceOwner is not set (also the case for the session creation),
// it will check permission on the instance.
func (c *Commands) checkSessionWritePermission(ctx context.Context, model *SessionWriteModel, sessionToken string) error {
if sessionToken != "" {
return c.sessionTokenVerifier(ctx, sessionToken, model.AggregateID, model.TokenID)
}
userResourceOwner, err := c.sessionUserResourceOwner(ctx, model)
if err != nil {
return err
}
return c.checkPermission(ctx, domain.PermissionSessionWrite, userResourceOwner, model.UserID)
}
// checkSessionTerminationPermission will check that the provided sessionToken is correct or
// if empty, check that the caller is either terminating the own session or
// is granted the "session.delete" permission on the resource owner of the authenticated user.

109
internal/command/session_test.go
View File

@@ -145,8 +145,9 @@ func TestSessionCommands_getHumanWriteModel(t *testing.T) {
func TestCommands_CreateSession(t *testing.T) {
type fields struct {
idGenerator id.Generator
tokenCreator func(sessionID string) (string, string, error)
idGenerator id.Generator
tokenCreator func(sessionID string) (string, string, error)
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
@@ -194,6 +195,22 @@ func TestCommands_CreateSession(t *testing.T) {
err: zerrors.ThrowInternal(nil, "id", "filter failed"),
},
},
{
"missing permission",
fields{
idGenerator: mock.NewIDGeneratorExpectIDs(t, "sessionID"),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: context.Background(),
},
[]expect{
expectFilter(),
},
res{
err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{
"negative lifetime",
fields{
@@ -203,6 +220,7 @@ func TestCommands_CreateSession(t *testing.T) {
"token",
nil
},
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instance1", "", ""),
@@ -230,6 +248,7 @@ func TestCommands_CreateSession(t *testing.T) {
"token",
nil
},
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instance1", "", ""),
@@ -275,6 +294,7 @@ func TestCommands_CreateSession(t *testing.T) {
eventstore: expectEventstore(tt.expect...)(t),
idGenerator: tt.fields.idGenerator,
sessionTokenCreator: tt.fields.tokenCreator,
checkPermission: tt.fields.checkPermission,
}
got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata, tt.args.userAgent, tt.args.lifetime)
require.ErrorIs(t, err, tt.res.err)
@@ -285,15 +305,17 @@ func TestCommands_CreateSession(t *testing.T) {
func TestCommands_UpdateSession(t *testing.T) {
type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore
tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
eventstore func(*testing.T) *eventstore.Eventstore
tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
sessionID string
checks []SessionCommand
metadata map[string][]byte
lifetime time.Duration
ctx context.Context
sessionID string
sessionToken string
checks []SessionCommand
metadata map[string][]byte
lifetime time.Duration
}
type res struct {
want *SessionChanged
@@ -319,6 +341,67 @@ func TestCommands_UpdateSession(t *testing.T) {
err: zerrors.ThrowInternal(nil, "id", "filter failed"),
},
},
{
"invalid session token",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
session.NewAddedEvent(context.Background(),
&session.NewAggregate("sessionID", "instance1").Aggregate,
&domain.UserAgent{
FingerprintID: gu.Ptr("fp1"),
IP: net.ParseIP("1.2.3.4"),
Description: gu.Ptr("firefox"),
Header: http.Header{"foo": []string{"bar"}},
},
)),
eventFromEventPusher(
session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
"tokenID")),
),
),
tokenVerifier: newMockTokenVerifierInvalid(),
},
args{
ctx: context.Background(),
sessionID: "sessionID",
sessionToken: "invalid",
},
res{
err: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"),
},
},
{
"no token, no permission",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
session.NewAddedEvent(context.Background(),
&session.NewAggregate("sessionID", "instance1").Aggregate,
&domain.UserAgent{
FingerprintID: gu.Ptr("fp1"),
IP: net.ParseIP("1.2.3.4"),
Description: gu.Ptr("firefox"),
Header: http.Header{"foo": []string{"bar"}},
},
)),
eventFromEventPusher(
session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
"tokenID")),
),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: context.Background(),
sessionID: "sessionID",
},
res{
err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{
"no change",
fields{
@@ -344,8 +427,9 @@ func TestCommands_UpdateSession(t *testing.T) {
},
},
args{
ctx: context.Background(),
sessionID: "sessionID",
ctx: context.Background(),
sessionID: "sessionID",
sessionToken: "token",
},
res{
want: &SessionChanged{
@@ -364,8 +448,9 @@ func TestCommands_UpdateSession(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
sessionTokenVerifier: tt.fields.tokenVerifier,
checkPermission: tt.fields.checkPermission,
}
got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.checks, tt.args.metadata, tt.args.lifetime)
got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata, tt.args.lifetime)
require.ErrorIs(t, err, tt.res.err)
assert.Equal(t, tt.res.want, got)
})