mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 03:57:32 +00:00
Merge commit from fork
* fix: require permission to create and update session * fix: require permission to fail auth requests * merge main and fix integration tests * fix merge * fix integration tests * fix integration tests * fix saml permission check
This commit is contained in:
Livio Spring
@@ -39,22 +39,22 @@ func TestServer_GetAuthRequest(t *testing.T) {
|
||||
dep: func() (time.Time, string, error) {
|
||||
return time.Now(), "123", nil
|
||||
},
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "success",
|
||||
dep: func() (time.Time, string, error) {
|
||||
return Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
|
||||
return Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
|
||||
},
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
},
|
||||
{
|
||||
name: "without login client, no permission",
|
||||
dep: func() (time.Time, string, error) {
|
||||
client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
|
||||
require.NoError(t, err)
|
||||
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "")
|
||||
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "")
|
||||
},
|
||||
ctx: CTX,
|
||||
wantErr: true,
|
||||
@@ -64,7 +64,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
|
||||
dep: func() (time.Time, string, error) {
|
||||
client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
|
||||
require.NoError(t, err)
|
||||
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "")
|
||||
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "")
|
||||
|
||||
},
|
||||
ctx: CTXLoginClient,
|
||||
@@ -75,7 +75,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
|
||||
now, authRequestID, err := tt.dep()
|
||||
require.NoError(t, err)
|
||||
|
||||
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
|
||||
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute)
|
||||
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
|
||||
got, err := Client.GetAuthRequest(tt.ctx, &oidc_pb.GetAuthRequestRequest{
|
||||
AuthRequestId: authRequestID,
|
||||
@@ -101,7 +101,7 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
|
||||
require.NoError(t, err)
|
||||
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID)
|
||||
sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
@@ -114,7 +114,7 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
}{
|
||||
{
|
||||
name: "Not found",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: "123",
|
||||
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
||||
@@ -128,10 +128,10 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "session not found",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -146,10 +146,10 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "session token invalid",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -164,10 +164,10 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "fail callback",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -193,7 +193,7 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -215,11 +215,30 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "code callback",
|
||||
name: "fail callback, no permission, error",
|
||||
ctx: CTX,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
|
||||
Error: &oidc_pb.AuthorizationError{
|
||||
Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
|
||||
ErrorDescription: gu.Ptr("nope"),
|
||||
ErrorUri: gu.Ptr("https://example.com/docs"),
|
||||
},
|
||||
},
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "code callback",
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -244,7 +263,7 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
ctx: CTX,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -262,7 +281,7 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
|
||||
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -284,12 +303,12 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "implicit",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
req: &oidc_pb.CreateCallbackRequest{
|
||||
AuthRequestId: func() string {
|
||||
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, nil)
|
||||
require.NoError(t, err)
|
||||
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit)
|
||||
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit)
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -316,7 +335,7 @@ func TestServer_CreateCallback(t *testing.T) {
|
||||
AuthRequestId: func() string {
|
||||
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, t, redirectURIImplicit, loginV2)
|
||||
require.NoError(t, err)
|
||||
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit)
|
||||
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit)
|
||||
require.NoError(t, err)
|
||||
return authRequestID
|
||||
}(),
|
||||
@@ -364,7 +383,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
}{
|
||||
{
|
||||
name: "usergrant to project and different resourceowner with different project grant",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, true)
|
||||
projectID2, _ := createOIDCApplication(ctx, t, true, true)
|
||||
@@ -374,13 +393,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "usergrant to project and different resourceowner with project grant",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, true)
|
||||
|
||||
@@ -389,7 +408,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
@@ -401,7 +420,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "usergrant to project grant and different resourceowner with project grant",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, true)
|
||||
|
||||
@@ -410,7 +429,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
@@ -422,31 +441,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "no usergrant and different resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
_, clientID := createOIDCApplication(ctx, t, true, true)
|
||||
|
||||
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "no usergrant and same resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
_, clientID := createOIDCApplication(ctx, t, true, true)
|
||||
user := Instance.CreateHumanUser(ctx)
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "usergrant and different resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, true)
|
||||
|
||||
@@ -454,19 +473,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "usergrant and same resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, true)
|
||||
user := Instance.CreateHumanUser(ctx)
|
||||
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
@@ -478,13 +497,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "projectRoleCheck, usergrant and same resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, false)
|
||||
user := Instance.CreateHumanUser(ctx)
|
||||
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
@@ -496,25 +515,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "projectRoleCheck, no usergrant and same resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
_, clientID := createOIDCApplication(ctx, t, true, false)
|
||||
user := Instance.CreateHumanUser(ctx)
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "projectRoleCheck, usergrant and different resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, false)
|
||||
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
@@ -526,19 +545,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "projectRoleCheck, no usergrant and different resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
_, clientID := createOIDCApplication(ctx, t, true, false)
|
||||
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "projectRoleCheck, usergrant on project grant and different resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, false)
|
||||
|
||||
@@ -546,7 +565,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, orgResp.GetOrganizationId(), user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
@@ -558,25 +577,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "projectRoleCheck, no usergrant on project grant and different resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, true, false)
|
||||
|
||||
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
|
||||
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "hasProjectCheck, same resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
user := Instance.CreateHumanUser(ctx)
|
||||
_, clientID := createOIDCApplication(ctx, t, false, true)
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
@@ -588,19 +607,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "hasProjectCheck, different resourceowner",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
_, clientID := createOIDCApplication(ctx, t, false, true)
|
||||
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "hasProjectCheck, different resourceowner with project grant",
|
||||
ctx: CTX,
|
||||
ctx: CTXLoginClient,
|
||||
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
|
||||
projectID, clientID := createOIDCApplication(ctx, t, false, true)
|
||||
|
||||
@@ -608,7 +627,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
|
||||
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
||||
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
|
||||
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId())
|
||||
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
|
||||
},
|
||||
want: &oidc_pb.CreateCallbackResponse{
|
||||
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
|
||||
|
||||
Reference in New Issue
Block a user