fix: permission checks on session API

# Which Problems Are Solved

The session API allowed any authenticated user to update sessions by their ID without any further check.
This was unintentionally introduced with version 2.53.0 when the requirement of providing the latest session token on every session update was removed and no other permission check (e.g. session.write) was ensured.

# How the Problems Are Solved

- Granted `session.write` to `IAM_OWNER` and `IAM_LOGIN_CLIENT` in the defaults.yaml
- Granted `session.read` to `IAM_ORG_MANAGER`, `IAM_USER_MANAGER` and `ORG_OWNER` in the defaults.yaml
- Pass the session token to the UpdateSession command.
- Check for `session.write` permission on session creation and update.
  - Alternatively, the (latest) sessionToken can be used to update the session.
- Setting an auth request to failed on the OIDC Service `CreateCallback` endpoint now ensures it's either the same user as used to create the auth request (for backwards compatibility) or requires `session.link` permission.
- Setting a device auth request to failed on the OIDC Service `AuthorizeOrDenyDeviceAuthorization` endpoint now requires `session.link` permission.
- Setting an auth request to failed on the SAML Service `CreateResponse` endpoint now requires `session.link` permission.

# Additional Changes

none

# Additional Context

none

(cherry picked from commit 4c942f3477)
Livio Spring
2025-07-15 13:38:00 +02:00
parent c787cdf7b4
commit b76d8d37cb
34 changed files with 683 additions and 344 deletions


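--- a/defaults.yaml
+++ b/defaults.yaml
@@ -1307,6 +1307,7 @@ InternalAuthZ:
 - "events.read"
 - "milestones.read"
 - "session.read"
+- "session.write"
 - "session.delete"
 - "action.target.read"
 - "action.target.write"
@@ -1316,8 +1317,6 @@ InternalAuthZ:
 - "userschema.read"
 - "userschema.write"
 - "userschema.delete"
-- "session.read"
-- "session.delete"
 - Role: "IAM_OWNER_VIEWER"
 Permissions:
 - "iam.read"
@@ -1411,6 +1410,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+- "session.read"
 - "session.delete"
 - Role: "IAM_USER_MANAGER"
 Permissions:
@@ -1438,6 +1438,7 @@ InternalAuthZ:
 - "project.grant.write"
 - "project.grant.delete"
 - "project.grant.member.read"
+- "session.read"
 - "session.delete"
 - Role: "IAM_ADMIN_IMPERSONATOR"
 Permissions:
@@ -1501,6 +1502,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+- "session.read"
 - "session.delete"
 - Role: "IAM_LOGIN_CLIENT"
 Permissions:
@@ -1536,6 +1538,7 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "session.read"
+- "session.write"
 - "session.link"
 - "session.delete"
 - "userschema.read"
@@ -1556,6 +1559,7 @@ InternalAuthZ:
 - "policy.read"
 - "project.read"
 - "project.role.read"
+- "session.read"
 - "session.delete"
 - Role: "ORG_OWNER_VIEWER"
 Permissions:
@@ -1863,6 +1867,7 @@ SystemAuthZ:
 - "events.read"
 - "milestones.read"
 - "session.read"
+- "session.write"
 - "session.delete"
 - "action.target.read"
 - "action.target.write"
@@ -1872,8 +1877,6 @@ SystemAuthZ:
 - "userschema.read"
 - "userschema.write"
 - "userschema.delete"
-- "session.read"
-- "session.delete"
 - Role: "IAM_OWNER_VIEWER"
 Permissions:
 - "iam.read"
@@ -1967,6 +1970,7 @@ SystemAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+- "session.read"
 - "session.delete"
 - Role: "IAM_USER_MANAGER"
 Permissions:
@@ -1994,6 +1998,7 @@ SystemAuthZ:
 - "project.grant.write"
 - "project.grant.delete"
 - "project.grant.member.read"
+- "session.read"
 - "session.delete"
 - Role: "IAM_ADMIN_IMPERSONATOR"
 Permissions:
@@ -2036,6 +2041,7 @@ SystemAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "session.read"
+- "session.write"
 - "session.link"
 - "session.delete"
 - "userschema.read"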


@@ -104,7 +104,7 @@ func TestServer_CreateCallback(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err) require.NoError(t, err)
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct { tests := []struct {
name string name string
@@ -115,7 +115,7 @@ func TestServer_CreateCallback(t *testing.T) {
}{ }{
{ {
name: "Not found", name: "Not found",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: "123", AuthRequestId: "123",
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
@@ -129,10 +129,10 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "session not found", name: "session not found",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -147,10 +147,10 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "session token invalid", name: "session token invalid",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -165,10 +165,10 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "fail callback", name: "fail callback",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -194,7 +194,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -216,11 +216,30 @@ func TestServer_CreateCallback(t *testing.T) {
wantErr: false, wantErr: false,
}, },
{ {
name: "code callback", name: "fail callback, no permission, error",
ctx: CTX, ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err)
return authRequestID
}(),
CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
Error: &oidc_pb.AuthorizationError{
Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
ErrorDescription: gu.Ptr("nope"),
ErrorUri: gu.Ptr("https://example.com/docs"),
},
},
},
wantErr: true,
},
{
name: "code callback",
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -245,7 +264,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTX, ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -263,7 +282,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -285,12 +304,12 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "implicit", name: "implicit",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil) client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil)
require.NoError(t, err) require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -317,7 +336,7 @@ func TestServer_CreateCallback(t *testing.T) {
AuthRequestId: func() string { AuthRequestId: func() string {
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2) clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2)
require.NoError(t, err) require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -365,7 +384,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}{ }{
{ {
name: "usergrant to project and different resourceowner with different project grant", name: "usergrant to project and different resourceowner with different project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
projectID2, _ := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true)
@@ -375,13 +394,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "usergrant to project and different resourceowner with project grant", name: "usergrant to project and different resourceowner with project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -390,7 +409,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -402,7 +421,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "usergrant to project grant and different resourceowner with project grant", name: "usergrant to project grant and different resourceowner with project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -411,7 +430,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -423,31 +442,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "no usergrant and different resourceowner", name: "no usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true) _, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "no usergrant and same resourceowner", name: "no usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true) _, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "usergrant and different resourceowner", name: "usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -455,19 +474,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "usergrant and same resourceowner", name: "usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -479,13 +498,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, usergrant and same resourceowner", name: "projectRoleCheck, usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -497,25 +516,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, no usergrant and same resourceowner", name: "projectRoleCheck, no usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false) _, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "projectRoleCheck, usergrant and different resourceowner", name: "projectRoleCheck, usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -527,19 +546,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, no usergrant and different resourceowner", name: "projectRoleCheck, no usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false) _, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "projectRoleCheck, usergrant on project grant and different resourceowner", name: "projectRoleCheck, usergrant on project grant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
@@ -547,7 +566,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -559,25 +578,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, no usergrant on project grant and different resourceowner", name: "projectRoleCheck, no usergrant on project grant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "hasProjectCheck, same resourceowner", name: "hasProjectCheck, same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
_, clientID := createOIDCApplication(ctx, t, false, true) _, clientID := createOIDCApplication(ctx, t, false, true)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -589,19 +608,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "hasProjectCheck, different resourceowner", name: "hasProjectCheck, different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, false, true) _, clientID := createOIDCApplication(ctx, t, false, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "hasProjectCheck, different resourceowner with project grant", name: "hasProjectCheck, different resourceowner with project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, false, true) projectID, clientID := createOIDCApplication(ctx, t, false, true)
@@ -609,7 +628,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -658,15 +677,15 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) {
UserCode: "notFound", UserCode: "notFound",
}, nil }, nil
}, },
ctx: CTX, ctx: CTXLoginClient,
wantErr: true, wantErr: true,
}, },
{ {
name: "success", name: "success",
dep: func() (*oidc.DeviceAuthorizationResponse, error) { dep: func() (*oidc.DeviceAuthorizationResponse, error) {
return Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") return Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
}, },
ctx: CTX, ctx: CTXLoginClient,
}, },
} }
for _, tt := range tests { for _, tt := range tests {
@@ -674,7 +693,7 @@ func TestServer_GetDeviceAuthorizationRequest(t *testing.T) {
deviceAuth, err := tt.dep() deviceAuth, err := tt.dep()
require.NoError(t, err) require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) { require.EventuallyWithT(t, func(ttt *assert.CollectT) {
got, err := Client.GetDeviceAuthorizationRequest(tt.ctx, &oidc_pb.GetDeviceAuthorizationRequestRequest{ got, err := Client.GetDeviceAuthorizationRequest(tt.ctx, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: deviceAuth.UserCode, UserCode: deviceAuth.UserCode,
@@ -701,7 +720,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE) client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE)
require.NoError(t, err) require.NoError(t, err)
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct { tests := []struct {
name string name string
@@ -714,7 +733,7 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
}{ }{
{ {
name: "Not found", name: "Not found",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: "123", DeviceAuthorizationId: "123",
Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{ Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{
@@ -728,14 +747,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
}, },
{ {
name: "session not found", name: "session not found",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string { DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err) require.NoError(t, err)
var id string var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) { assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode, UserCode: req.UserCode,
}) })
assert.NoError(t, err) assert.NoError(t, err)
@@ -754,14 +773,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
}, },
{ {
name: "session token invalid", name: "session token invalid",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string { DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err) require.NoError(t, err)
var id string var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) { assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode, UserCode: req.UserCode,
}) })
assert.NoError(collectT, err) assert.NoError(collectT, err)
@@ -780,14 +799,14 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
}, },
{ {
name: "deny device authorization", name: "deny device authorization",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string { DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err) require.NoError(t, err)
var id string var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) { assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode, UserCode: req.UserCode,
}) })
assert.NoError(collectT, err) assert.NoError(collectT, err)
@@ -800,16 +819,38 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{},
wantErr: false, wantErr: false,
}, },
{
name: "deny device authorization, no permission, error",
ctx: CTX,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err)
var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode,
})
assert.NoError(collectT, err)
id = resp.GetDeviceAuthorizationRequest().GetId()
}, 5*time.Second, 100*time.Millisecond)
return id
}(),
Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny{},
},
want: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{},
wantErr: true,
},
{ {
name: "authorize, no permission, error", name: "authorize, no permission, error",
ctx: CTX, ctx: CTX,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string { DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err) require.NoError(t, err)
var id string var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) { assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode, UserCode: req.UserCode,
}) })
assert.NoError(collectT, err) assert.NoError(collectT, err)
@@ -831,11 +872,11 @@ func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
ctx: CTXLoginClient, ctx: CTXLoginClient,
req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{ req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
DeviceAuthorizationId: func() string { DeviceAuthorizationId: func() string {
req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid") req, err := Instance.CreateDeviceAuthorizationRequest(CTXLoginClient, client.GetClientId(), "openid")
require.NoError(t, err) require.NoError(t, err)
var id string var id string
assert.EventuallyWithT(t, func(collectT *assert.CollectT) { assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{ resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTXLoginClient, &oidc_pb.GetDeviceAuthorizationRequestRequest{
UserCode: req.UserCode, UserCode: req.UserCode,
}) })
assert.NoError(collectT, err) assert.NoError(collectT, err)


@@ -40,22 +40,22 @@ func TestServer_GetAuthRequest(t *testing.T) {
dep: func() (time.Time, string, error) { dep: func() (time.Time, string, error) {
return time.Now(), "123", nil return time.Now(), "123", nil
}, },
ctx: CTX, ctx: CTXLoginClient,
wantErr: true, wantErr: true,
}, },
{ {
name: "success", name: "success",
dep: func() (time.Time, string, error) { dep: func() (time.Time, string, error) {
return Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) return Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
}, },
ctx: CTX, ctx: CTXLoginClient,
}, },
{ {
name: "without login client, no permission", name: "without login client, no permission",
dep: func() (time.Time, string, error) { dep: func() (time.Time, string, error) {
client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err) require.NoError(t, err)
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "")
}, },
ctx: CTX, ctx: CTX,
wantErr: true, wantErr: true,
@@ -65,7 +65,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
dep: func() (time.Time, string, error) { dep: func() (time.Time, string, error) {
client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err) require.NoError(t, err)
return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "") return Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, client.GetClientId(), redirectURI, "")
}, },
ctx: CTXLoginClient, ctx: CTXLoginClient,
@@ -76,7 +76,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
now, authRequestID, err := tt.dep() now, authRequestID, err := tt.dep()
require.NoError(t, err) require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTXLoginClient, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) { require.EventuallyWithT(t, func(ttt *assert.CollectT) {
got, err := Client.GetAuthRequest(tt.ctx, &oidc_pb.GetAuthRequestRequest{ got, err := Client.GetAuthRequest(tt.ctx, &oidc_pb.GetAuthRequestRequest{
AuthRequestId: authRequestID, AuthRequestId: authRequestID,
@@ -103,7 +103,7 @@ func TestServer_CreateCallback(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2) clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
require.NoError(t, err) require.NoError(t, err)
sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID) sessionResp := createSession(t, CTXLoginClient, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct { tests := []struct {
name string name string
@@ -116,7 +116,7 @@ func TestServer_CreateCallback(t *testing.T) {
}{ }{
{ {
name: "Not found", name: "Not found",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: "123", AuthRequestId: "123",
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{ CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
@@ -130,10 +130,10 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "session not found", name: "session not found",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users[integration.UserTypeLogin].ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -148,10 +148,10 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "session token invalid", name: "session token invalid",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -166,10 +166,10 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "fail callback", name: "fail callback",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -195,7 +195,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -217,11 +217,30 @@ func TestServer_CreateCallback(t *testing.T) {
wantErr: false, wantErr: false,
}, },
{ {
name: "code callback", name: "fail callback, no permission, error",
ctx: CTX, ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI) _, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err)
return authRequestID
}(),
CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
Error: &oidc_pb.AuthorizationError{
Error: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
ErrorDescription: gu.Ptr("nope"),
ErrorUri: gu.Ptr("https://example.com/docs"),
},
},
},
wantErr: true,
},
{
name: "code callback",
ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequest(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -246,7 +265,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTX, ctx: CTX,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -264,7 +283,7 @@ func TestServer_CreateCallback(t *testing.T) {
ctx: CTXLoginClient, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
_, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "") _, authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURI, "")
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -286,12 +305,12 @@ func TestServer_CreateCallback(t *testing.T) {
}, },
{ {
name: "implicit", name: "implicit",
ctx: CTX, ctx: CTXLoginClient,
req: &oidc_pb.CreateCallbackRequest{ req: &oidc_pb.CreateCallbackRequest{
AuthRequestId: func() string { AuthRequestId: func() string {
client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil) client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil)
require.NoError(t, err) require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit) authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTXLoginClient, client.GetClientId(), Instance.Users.Get(integration.UserTypeLogin).ID, redirectURIImplicit)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -318,7 +337,7 @@ func TestServer_CreateCallback(t *testing.T) {
AuthRequestId: func() string { AuthRequestId: func() string {
clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2) clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2)
require.NoError(t, err) require.NoError(t, err)
authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit) authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTXLoginClient, clientV2.GetClientId(), redirectURIImplicit)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -366,7 +385,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}{ }{
{ {
name: "usergrant to project and different resourceowner with different project grant", name: "usergrant to project and different resourceowner with different project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
projectID2, _ := createOIDCApplication(ctx, t, true, true) projectID2, _ := createOIDCApplication(ctx, t, true, true)
@@ -376,13 +395,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "usergrant to project and different resourceowner with project grant", name: "usergrant to project and different resourceowner with project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -391,7 +410,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -403,7 +422,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "usergrant to project grant and different resourceowner with project grant", name: "usergrant to project grant and different resourceowner with project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -412,7 +431,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -424,31 +443,31 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "no usergrant and different resourceowner", name: "no usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true) _, clientID := createOIDCApplication(ctx, t, true, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "no usergrant and same resourceowner", name: "no usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, true) _, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "usergrant and different resourceowner", name: "usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
@@ -456,19 +475,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "usergrant and same resourceowner", name: "usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, true) projectID, clientID := createOIDCApplication(ctx, t, true, true)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -480,13 +499,13 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, usergrant and same resourceowner", name: "projectRoleCheck, usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -498,25 +517,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, no usergrant and same resourceowner", name: "projectRoleCheck, no usergrant and same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false) _, clientID := createOIDCApplication(ctx, t, true, false)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "projectRoleCheck, usergrant and different resourceowner", name: "projectRoleCheck, usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -528,19 +547,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, no usergrant and different resourceowner", name: "projectRoleCheck, no usergrant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, true, false) _, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "projectRoleCheck, usergrant on project grant and different resourceowner", name: "projectRoleCheck, usergrant on project grant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
@@ -548,7 +567,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) projectGrantResp := Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -560,25 +579,25 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "projectRoleCheck, no usergrant on project grant and different resourceowner", name: "projectRoleCheck, no usergrant on project grant and different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, true, false) projectID, clientID := createOIDCApplication(ctx, t, true, false)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "hasProjectCheck, same resourceowner", name: "hasProjectCheck, same resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
_, clientID := createOIDCApplication(ctx, t, false, true) _, clientID := createOIDCApplication(ctx, t, false, true)
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
@@ -590,19 +609,19 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
}, },
{ {
name: "hasProjectCheck, different resourceowner", name: "hasProjectCheck, different resourceowner",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
_, clientID := createOIDCApplication(ctx, t, false, true) _, clientID := createOIDCApplication(ctx, t, false, true)
orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "oidc-permission-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
wantErr: true, wantErr: true,
}, },
{ {
name: "hasProjectCheck, different resourceowner with project grant", name: "hasProjectCheck, different resourceowner with project grant",
ctx: CTX, ctx: CTXLoginClient,
dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest { dep: func(ctx context.Context, t *testing.T) *oidc_pb.CreateCallbackRequest {
projectID, clientID := createOIDCApplication(ctx, t, false, true) projectID, clientID := createOIDCApplication(ctx, t, false, true)
@@ -610,7 +629,7 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeOrgOwner).ID, user.GetUserId()) return createSessionAndAuthRequestForCallback(ctx, t, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, user.GetUserId())
}, },
want: &oidc_pb.CreateCallbackResponse{ want: &oidc_pb.CreateCallbackResponse{
CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`, CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,


@@ -48,13 +48,13 @@ func TestServer_GetSAMLRequest(t *testing.T) {
{ {
name: "success, redirect binding", name: "success, redirect binding",
dep: func() (time.Time, string, error) { dep: func() (time.Time, string, error) {
return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
}, },
}, },
{ {
name: "success, post binding", name: "success, post binding",
dep: func() (time.Time, string, error) { dep: func() (time.Time, string, error) {
return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
}, },
}, },
} }
@@ -63,9 +63,9 @@ func TestServer_GetSAMLRequest(t *testing.T) {
creationTime, authRequestID, err := tt.dep() creationTime, authRequestID, err := tt.dep()
require.NoError(t, err) require.NoError(t, err)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(LoginCTX, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) { require.EventuallyWithT(t, func(ttt *assert.CollectT) {
got, err := Client.GetSAMLRequest(CTX, &saml_pb.GetSAMLRequestRequest{ got, err := Client.GetSAMLRequest(LoginCTX, &saml_pb.GetSAMLRequestRequest{
SamlRequestId: authRequestID, SamlRequestId: authRequestID,
}) })
if tt.wantErr { if tt.wantErr {
@@ -90,10 +90,11 @@ func TestServer_CreateResponse(t *testing.T) {
_, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false) _, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false)
_, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false) _, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false)
sessionResp := createSession(CTX, t, Instance.Users[integration.UserTypeOrgOwner].ID) sessionResp := createSession(LoginCTX, t, Instance.Users[integration.UserTypeLogin].ID)
tests := []struct { tests := []struct {
name string name string
ctx context.Context
req *saml_pb.CreateResponseRequest req *saml_pb.CreateResponseRequest
AuthError string AuthError string
want *saml_pb.CreateResponseResponse want *saml_pb.CreateResponseResponse
@@ -102,6 +103,7 @@ func TestServer_CreateResponse(t *testing.T) {
}{ }{
{ {
name: "Not found", name: "Not found",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: "123", SamlRequestId: "123",
ResponseKind: &saml_pb.CreateResponseRequest_Session{ ResponseKind: &saml_pb.CreateResponseRequest_Session{
@@ -115,9 +117,10 @@ func TestServer_CreateResponse(t *testing.T) {
}, },
{ {
name: "session not found", name: "session not found",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -132,9 +135,10 @@ func TestServer_CreateResponse(t *testing.T) {
}, },
{ {
name: "session token invalid", name: "session token invalid",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -149,9 +153,10 @@ func TestServer_CreateResponse(t *testing.T) {
}, },
{ {
name: "fail callback, post", name: "fail callback, post",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -177,11 +182,12 @@ func TestServer_CreateResponse(t *testing.T) {
}, },
{ {
name: "fail callback, post, already failed", name: "fail callback, post, already failed",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err) require.NoError(t, err)
Instance.FailSAMLAuthRequest(CTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED) Instance.FailSAMLAuthRequest(LoginCTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED)
return authRequestID return authRequestID
}(), }(),
ResponseKind: &saml_pb.CreateResponseRequest_Error{ ResponseKind: &saml_pb.CreateResponseRequest_Error{
@@ -195,9 +201,10 @@ func TestServer_CreateResponse(t *testing.T) {
}, },
{ {
name: "fail callback, redirect", name: "fail callback, redirect",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -219,10 +226,29 @@ func TestServer_CreateResponse(t *testing.T) {
wantErr: false, wantErr: false,
}, },
{ {
name: "callback, redirect", name: "fail callback, no permission, error",
ctx: CTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
return authRequestID
}(),
ResponseKind: &saml_pb.CreateResponseRequest_Error{
Error: &saml_pb.AuthorizationError{
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
ErrorDescription: gu.Ptr("nope"),
},
},
},
wantErr: true,
},
{
name: "callback, redirect",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, gofakeit.BitcoinAddress(), saml.HTTPRedirectBinding)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -245,9 +271,10 @@ func TestServer_CreateResponse(t *testing.T) {
}, },
{ {
name: "callback, post", name: "callback, post",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err) require.NoError(t, err)
return authRequestID return authRequestID
}(), }(),
@@ -273,11 +300,30 @@ func TestServer_CreateResponse(t *testing.T) {
}, },
{ {
name: "callback, post", name: "callback, post",
ctx: LoginCTX,
req: &saml_pb.CreateResponseRequest{ req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string { SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeOrgOwner].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding) _, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err)
Instance.SuccessfulSAMLAuthRequest(LoginCTX, Instance.Users[integration.UserTypeLogin].ID, authRequestID)
return authRequestID
}(),
ResponseKind: &saml_pb.CreateResponseRequest_Session{
Session: &saml_pb.Session{
SessionId: sessionResp.GetSessionId(),
SessionToken: sessionResp.GetSessionToken(),
},
},
},
wantErr: true,
},
{
name: "callback, no permission, error",
ctx: CTX,
req: &saml_pb.CreateResponseRequest{
SamlRequestId: func() string {
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, gofakeit.BitcoinAddress(), saml.HTTPPostBinding)
require.NoError(t, err) require.NoError(t, err)
Instance.SuccessfulSAMLAuthRequest(CTX, Instance.Users[integration.UserTypeOrgOwner].ID, authRequestID)
return authRequestID return authRequestID
}(), }(),
ResponseKind: &saml_pb.CreateResponseRequest_Session{ ResponseKind: &saml_pb.CreateResponseRequest_Session{
@@ -292,7 +338,7 @@ func TestServer_CreateResponse(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got, err := Client.CreateResponse(CTX, tt.req) got, err := Client.CreateResponse(tt.ctx, tt.req)
if tt.wantErr { if tt.wantErr {
require.Error(t, err) require.Error(t, err)
return return
@@ -336,7 +382,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -350,7 +396,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -372,7 +418,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -391,7 +437,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -401,7 +447,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true) _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -414,7 +460,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -426,7 +472,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -445,7 +491,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -462,7 +508,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false) _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -474,7 +520,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId()) Instance.CreateProjectUserGrant(t, ctx, projectID, user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -492,7 +538,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -506,7 +552,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId()) Instance.CreateProjectGrantUserGrant(ctx, orgResp.GetOrganizationId(), projectID, projectGrantResp.GetGrantId(), user.GetUserId())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -526,7 +572,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -536,7 +582,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true) _, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
user := Instance.CreateHumanUser(ctx) user := Instance.CreateHumanUser(ctx)
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -554,7 +600,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email()) orgResp := Instance.CreateOrganization(ctx, "saml-permisison-"+gofakeit.AppName(), gofakeit.Email())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
wantErr: true, wantErr: true,
}, },
@@ -566,7 +612,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId()) Instance.CreateProjectGrant(ctx, projectID, orgResp.GetOrganizationId())
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone()) user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), gofakeit.Email(), gofakeit.Phone())
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeOrgOwner].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding) return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
}, },
want: &saml_pb.CreateResponseResponse{ want: &saml_pb.CreateResponseResponse{
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`, Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
@@ -582,7 +628,7 @@ func TestServer_CreateResponse_Permission(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
req := tt.dep(IAMCTX, t) req := tt.dep(IAMCTX, t)
got, err := Client.CreateResponse(CTX, req) got, err := Client.CreateResponse(LoginCTX, req)
if tt.wantErr { if tt.wantErr {
require.Error(t, err) require.Error(t, err)
return return


@@ -15,6 +15,7 @@ import (
var ( var (
CTX context.Context CTX context.Context
IAMCTX context.Context IAMCTX context.Context
LoginCTX context.Context
Instance *integration.Instance Instance *integration.Instance
Client saml_pb.SAMLServiceClient Client saml_pb.SAMLServiceClient
) )
@@ -29,6 +30,7 @@ func TestMain(m *testing.M) {
IAMCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) IAMCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
return m.Run() return m.Run()
}()) }())
} }


@@ -72,7 +72,7 @@ func TestServer_GetSession(t *testing.T) {
{ {
name: "get session, permission, ok", name: "get session, permission, ok",
args: args{ args: args{
CTX, IAMOwnerCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(ctx, &session.CreateSessionRequest{}) resp, err := Client.CreateSession(ctx, &session.CreateSessionRequest{})
@@ -213,7 +213,7 @@ func TestServer_GetSession(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
var sequence uint64 var sequence uint64
if tt.args.dep != nil { if tt.args.dep != nil {
sequence = tt.args.dep(CTX, t, tt.args.req) sequence = tt.args.dep(LoginCTX, t, tt.args.req)
} }
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
@@ -360,7 +360,7 @@ func TestServer_ListSessions(t *testing.T) {
{ {
name: "list sessions, permission, ok", name: "list sessions, permission, ok",
args: args{ args: args{
CTX, IAMOwnerCTX,
&session.ListSessionsRequest{}, &session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
info := createSession(ctx, t, "", "", nil, nil) info := createSession(ctx, t, "", "", nil, nil)
@@ -501,7 +501,7 @@ func TestServer_ListSessions(t *testing.T) {
{ {
name: "list sessions, own creator, ok", name: "list sessions, own creator, ok",
args: args{ args: args{
CTX, LoginCTX,
&session.ListSessionsRequest{}, &session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -542,7 +542,7 @@ func TestServer_ListSessions(t *testing.T) {
info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
request.Queries = append(request.Queries, request.Queries = append(request.Queries,
&session.SearchQuery{Query: &session.SearchQuery_IdsQuery{IdsQuery: &session.IDsQuery{Ids: []string{info.ID}}}}, &session.SearchQuery{Query: &session.SearchQuery_IdsQuery{IdsQuery: &session.IDsQuery{Ids: []string{info.ID}}}},
&session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeOrgOwner).ID)}}}) &session.SearchQuery{Query: &session.SearchQuery_CreatorQuery{CreatorQuery: &session.CreatorQuery{Id: gu.Ptr(Instance.Users.Get(integration.UserTypeLogin).ID)}}})
return []*sessionAttr{info} return []*sessionAttr{info}
}, },
}, },
@@ -682,7 +682,7 @@ func TestServer_ListSessions(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
infos := tt.args.dep(CTX, t, tt.args.req) infos := tt.args.dep(LoginCTX, t, tt.args.req)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) { require.EventuallyWithT(t, func(ttt *assert.CollectT) {
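Review bot: The "get session, permission, ok" case (first hunk of this section) and "list sessions, permission, ok" (hunk at -360) now read with IAMOwnerCTX instead of CTX, so the `session.read` grant this commit adds for ORG_OWNER (which CTX carries) is no longer exercised by either table as far as the visible hunks show. Since the dependency setup now creates the session under LoginCTX, keeping CTX as the reading context in one of these cases (or adding a sibling case, e.g. `name: "get session, org owner permission, ok"` with `CTX` as ctx) would pin the new default grant rather than only the IAM_OWNER path. The visible hunks also contain no case asserting that a context without `session.read` is denied a session it did not create; if one exists elsewhere in the table it is outside this section. Both test tables start and end outside the shown hunks.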


@@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got, err := Client.CreateSession(CTX, tt.req) got, err := Client.CreateSession(LoginCTX, tt.req)
if tt.wantErr { if tt.wantErr {
require.Error(t, err) require.Error(t, err)
return return
@@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
for i := 0; i <= maxAttempts; i++ { for i := 0; i <= maxAttempts; i++ {
_, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
func TestServer_CreateSession_webauthn(t *testing.T) { func TestServer_CreateSession_webauthn(t *testing.T) {
// create new session with user and request the webauthn challenge // create new session with user and request the webauthn challenge
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
// update the session with webauthn assertion data // update the session with webauthn assertion data
updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
require.NoError(t, err) require.NoError(t, err)
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -402,7 +402,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId()) Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
// session with intent check must now succeed // session with intent check must now succeed
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -422,7 +422,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -435,7 +435,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
intent := Instance.CreateIntent(CTX, idpID) intent := Instance.CreateIntent(CTX, idpID)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
IdpIntent: &session.CheckIDPIntent{ IdpIntent: &session.CheckIDPIntent{
@@ -556,13 +556,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
userExisting := createFullUser(CTX) userExisting := createFullUser(CTX)
// create new, empty session // create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
sessionToken := createResp.GetSessionToken() sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) { t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
@@ -578,7 +578,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
}) })
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{ WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -594,7 +594,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err) require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -616,7 +616,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) { t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now()) code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err) require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
Totp: &session.CheckTOTP{ Totp: &session.CheckTOTP{
@@ -630,13 +630,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
}) })
userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret) userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret)
createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
sessionTokenImport := createRespImport.GetSessionToken() sessionTokenImport := createRespImport.GetSessionToken()
verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) { t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(), SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
@@ -653,7 +653,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) { t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now()) code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err) require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(), SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
Totp: &session.CheckTOTP{ Totp: &session.CheckTOTP{
@@ -669,13 +669,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
func TestServer_SetSession_flow(t *testing.T) { func TestServer_SetSession_flow(t *testing.T) {
// create new, empty session // create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
sessionToken := createResp.GetSessionToken() sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
t.Run("check user", func(t *testing.T) { t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
@@ -691,7 +691,7 @@ func TestServer_SetSession_flow(t *testing.T) {
}) })
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{ WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -707,7 +707,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err) require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -733,7 +733,7 @@ func TestServer_SetSession_flow(t *testing.T) {
session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED, session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
} { } {
t.Run(userVerificationRequirement.String(), func(t *testing.T) { t.Run(userVerificationRequirement.String(), func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{ WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -749,7 +749,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false) assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false)
require.NoError(t, err) require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -767,7 +767,7 @@ func TestServer_SetSession_flow(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) { t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now()) code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err) require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
Totp: &session.CheckTOTP{ Totp: &session.CheckTOTP{
@@ -781,7 +781,7 @@ func TestServer_SetSession_flow(t *testing.T) {
}) })
t.Run("check OTP SMS", func(t *testing.T) { t.Run("check OTP SMS", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true}, OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true},
@@ -794,7 +794,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpSms() otp := resp.GetChallenges().GetOtpSms()
require.NotEmpty(t, otp) require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
OtpSms: &session.CheckOTP{ OtpSms: &session.CheckOTP{
@@ -808,7 +808,7 @@ func TestServer_SetSession_flow(t *testing.T) {
}) })
t.Run("check OTP Email", func(t *testing.T) { t.Run("check OTP Email", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
OtpEmail: &session.RequestChallenges_OTPEmail{ OtpEmail: &session.RequestChallenges_OTPEmail{
@@ -823,7 +823,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpEmail() otp := resp.GetChallenges().GetOtpEmail()
require.NotEmpty(t, otp) require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
OtpEmail: &session.CheckOTP{ OtpEmail: &session.CheckOTP{
@@ -838,13 +838,13 @@ func TestServer_SetSession_flow(t *testing.T) {
} }
func TestServer_SetSession_expired(t *testing.T) { func TestServer_SetSession_expired(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Lifetime: durationpb.New(20 * time.Second), Lifetime: durationpb.New(20 * time.Second),
}) })
require.NoError(t, err) require.NoError(t, err)
// test session token works // test session token works
_, err = Instance.Client.SessionV2.SetSession(CTX, &session.SetSessionRequest{ _, err = Instance.Client.SessionV2.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second), Lifetime: durationpb.New(20 * time.Second),
}) })
@@ -852,7 +852,7 @@ func TestServer_SetSession_expired(t *testing.T) {
// ensure session expires and does not work anymore // ensure session expires and does not work anymore
time.Sleep(20 * time.Second) time.Sleep(20 * time.Second)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second), Lifetime: durationpb.New(20 * time.Second),
}) })
@@ -860,7 +860,7 @@ func TestServer_SetSession_expired(t *testing.T) {
} }
func TestServer_DeleteSession_token(t *testing.T) { func TestServer_DeleteSession_token(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
_, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{ _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
@@ -880,14 +880,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
// create two users for the test and a session each to get tokens for authorization // create two users for the test and a session each to get tokens for authorization
user1 := Instance.CreateHumanUser(CTX) user1 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false) Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false)
_, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword) _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword)
user2 := Instance.CreateHumanUser(CTX) user2 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false) Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false)
_, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword) _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword)
// create a new session for the first user // create a new session for the first user
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -912,7 +912,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
} }
func TestServer_DeleteSession_with_permission(t *testing.T) { func TestServer_DeleteSession_with_permission(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -932,7 +932,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) {
func Test_ZITADEL_API_missing_authentication(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) {
// create new, empty session // create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken())) ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
@@ -947,7 +947,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
} }
func Test_ZITADEL_API_success(t *testing.T) { func Test_ZITADEL_API_success(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
ctx := integration.WithAuthorizationToken(context.Background(), token) ctx := integration.WithAuthorizationToken(context.Background(), token)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -963,7 +963,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
} }
func Test_ZITADEL_API_session_not_found(t *testing.T) { func Test_ZITADEL_API_session_not_found(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
// test session token works // test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token) ctx := integration.WithAuthorizationToken(context.Background(), token)
@@ -994,7 +994,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) {
} }
func Test_ZITADEL_API_session_expired(t *testing.T) { func Test_ZITADEL_API_session_expired(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second) id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second)
// test session token works // test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token) ctx := integration.WithAuthorizationToken(context.Background(), token)

@@ -50,7 +50,7 @@ func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest)
return nil, err return nil, err
} }
set, err := s.command.UpdateSession(ctx, req.GetSessionId(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration()) set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration())
if err != nil { if err != nil {
return nil, err return nil, err
} }
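Review bot: The call site now forwards `req.GetSessionToken()` into `UpdateSession`, but nothing at this line explains why a token travels alongside the authenticated context, and the permission-or-token decision itself is not visible in this hunk; a one-line comment would help the next reader, e.g. `// The session token is an alternative to the session.write permission; the command rejects the update when neither is valid.` Because the command presumably falls back to the token when the caller lacks the permission, it is worth confirming there that an empty token is treated as absent rather than compared against the stored token, and that the comparison is constant-time — neither can be verified from this hunk. SetSession's body starts before and ends after the hunk.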

@@ -61,7 +61,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX, UserCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
request.SessionId = resp.SessionId request.SessionId = resp.SessionId
return resp.GetDetails().GetSequence() return resp.GetDetails().GetSequence()
@@ -72,10 +72,10 @@ func TestServer_GetSession(t *testing.T) {
{ {
name: "get session, permission, ok", name: "get session, permission, ok",
args: args{ args: args{
CTX, IAMOwnerCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
request.SessionId = resp.SessionId request.SessionId = resp.SessionId
return resp.GetDetails().GetSequence() return resp.GetDetails().GetSequence()
@@ -91,7 +91,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX, UserCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
request.SessionId = resp.SessionId request.SessionId = resp.SessionId
request.SessionToken = gu.Ptr(resp.SessionToken) request.SessionToken = gu.Ptr(resp.SessionToken)
@@ -108,7 +108,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX, UserCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
UserAgent: &session.UserAgent{ UserAgent: &session.UserAgent{
FingerprintId: gu.Ptr("fingerPrintID"), FingerprintId: gu.Ptr("fingerPrintID"),
Ip: gu.Ptr("1.2.3.4"), Ip: gu.Ptr("1.2.3.4"),
@@ -144,7 +144,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX, UserCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Lifetime: durationpb.New(5 * time.Minute), Lifetime: durationpb.New(5 * time.Minute),
}, },
) )
@@ -165,7 +165,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX, UserCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Metadata: map[string][]byte{"foo": []byte("bar")}, Metadata: map[string][]byte{"foo": []byte("bar")},
}, },
) )
@@ -187,7 +187,7 @@ func TestServer_GetSession(t *testing.T) {
UserCTX, UserCTX,
&session.GetSessionRequest{}, &session.GetSessionRequest{},
func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 { func(ctx context.Context, t *testing.T, request *session.GetSessionRequest) uint64 {
resp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ resp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -337,7 +337,7 @@ func TestServer_ListSessions(t *testing.T) {
}, },
}, },
{ {
name: "list sessions, wrong creator", name: "list sessions, no permission",
args: args{ args: args{
UserCTX, UserCTX,
&session.ListSessionsRequest{}, &session.ListSessionsRequest{},
@@ -349,7 +349,7 @@ func TestServer_ListSessions(t *testing.T) {
}, },
want: &session.ListSessionsResponse{ want: &session.ListSessionsResponse{
Details: &object.ListDetails{ Details: &object.ListDetails{
TotalResult: 0, TotalResult: 1,
Timestamp: timestamppb.Now(), Timestamp: timestamppb.Now(),
}, },
Sessions: []*session.Session{}, Sessions: []*session.Session{},
@@ -358,7 +358,7 @@ func TestServer_ListSessions(t *testing.T) {
{ {
name: "list sessions, full, ok", name: "list sessions, full, ok",
args: args{ args: args{
CTX, IAMOwnerCTX,
&session.ListSessionsRequest{}, &session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) info := createSession(ctx, t, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -391,7 +391,7 @@ func TestServer_ListSessions(t *testing.T) {
{ {
name: "list sessions, multiple, ok", name: "list sessions, multiple, ok",
args: args{ args: args{
CTX, IAMOwnerCTX,
&session.ListSessionsRequest{}, &session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
infos := createSessions(ctx, t, 3, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")}) infos := createSessions(ctx, t, 3, User.GetUserId(), "agent", durationpb.New(time.Minute*5), map[string][]byte{"key": []byte("value")})
@@ -446,7 +446,7 @@ func TestServer_ListSessions(t *testing.T) {
{ {
name: "list sessions, userid, ok", name: "list sessions, userid, ok",
args: args{ args: args{
CTX, IAMOwnerCTX,
&session.ListSessionsRequest{}, &session.ListSessionsRequest{},
func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr { func(ctx context.Context, t *testing.T, request *session.ListSessionsRequest) []*sessionAttr {
createdUser := createFullUser(ctx) createdUser := createFullUser(ctx)
@@ -480,7 +480,7 @@ func TestServer_ListSessions(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
infos := tt.args.dep(CTX, t, tt.args.req) infos := tt.args.dep(LoginCTX, t, tt.args.req)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) { require.EventuallyWithT(t, func(ttt *assert.CollectT) {
@@ -499,7 +499,7 @@ func TestServer_ListSessions(t *testing.T) {
} }
// expected count of sessions is not equal to received sessions // expected count of sessions is not equal to received sessions
if !assert.Equal(ttt, got.Details.TotalResult, tt.want.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) { if !assert.Equal(ttt, tt.want.Details.TotalResult, got.Details.TotalResult) || !assert.Len(ttt, got.Sessions, len(tt.want.Sessions)) {
return return
} }
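Review bot: In the `list sessions, no permission` case the expected `TotalResult` moves from 0 to 1 while `Sessions` stays `[]*session.Session{}`, so a caller without `session.read` is told that one session matched even though it receives none. If the total is computed before the permission filter is applied, that is a small existence/count disclosure; the count should come from the filtered result set, in which case the expectation should stay `TotalResult: 0` and the query be fixed instead. If the unfiltered total is intentional, say so above the case, e.g. `// total counts all matching sessions; entries the caller may not read are omitted from the list`. The other hunks in this section only switch the calling context to LoginCTX/IAMOwnerCTX and correct the expected/actual order in `assert.Equal`.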

@@ -18,6 +18,7 @@ import (
var ( var (
CTX context.Context CTX context.Context
IAMOwnerCTX context.Context IAMOwnerCTX context.Context
LoginCTX context.Context
UserCTX context.Context UserCTX context.Context
Instance *integration.Instance Instance *integration.Instance
Client session.SessionServiceClient Client session.SessionServiceClient
@@ -36,6 +37,7 @@ func TestMain(m *testing.M) {
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
User = createFullUser(CTX) User = createFullUser(CTX)
DeactivatedUser = createDeactivatedUser(CTX) DeactivatedUser = createDeactivatedUser(CTX)

@@ -251,7 +251,7 @@ func TestServer_CreateSession(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got, err := Client.CreateSession(CTX, tt.req) got, err := Client.CreateSession(LoginCTX, tt.req)
if tt.wantErr { if tt.wantErr {
require.Error(t, err) require.Error(t, err)
return return
@@ -280,7 +280,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
for i := 0; i <= maxAttempts; i++ { for i := 0; i <= maxAttempts; i++ {
_, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ _, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -306,7 +306,7 @@ func TestServer_CreateSession_lock_user(t *testing.T) {
func TestServer_CreateSession_webauthn(t *testing.T) { func TestServer_CreateSession_webauthn(t *testing.T) {
// create new session with user and request the webauthn challenge // create new session with user and request the webauthn challenge
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -328,7 +328,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
// update the session with webauthn assertion data // update the session with webauthn assertion data
updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -342,7 +342,7 @@ func TestServer_CreateSession_webauthn(t *testing.T) {
func TestServer_CreateSession_successfulIntent(t *testing.T) { func TestServer_CreateSession_successfulIntent(t *testing.T) {
idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -356,7 +356,7 @@ func TestServer_CreateSession_successfulIntent(t *testing.T) {
intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
require.NoError(t, err) require.NoError(t, err)
updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{ updateResp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
IdpIntent: &session.CheckIDPIntent{ IdpIntent: &session.CheckIDPIntent{
@@ -374,7 +374,7 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour)) intentID, token, _, _, err := sink.SuccessfulOAuthIntent(Instance.ID(), idpID, "id", User.GetUserId(), time.Now().Add(time.Hour))
require.NoError(t, err) require.NoError(t, err)
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -403,7 +403,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId()) Instance.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
// session with intent check must now succeed // session with intent check must now succeed
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -423,7 +423,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) { func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId() idpID := Instance.AddGenericOAuthProvider(IAMOwnerCTX, gofakeit.AppName()).GetId()
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -436,7 +436,7 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
intent := Instance.CreateIntent(CTX, idpID) intent := Instance.CreateIntent(CTX, idpID)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
IdpIntent: &session.CheckIDPIntent{ IdpIntent: &session.CheckIDPIntent{
@@ -557,13 +557,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
userExisting := createFullUser(CTX) userExisting := createFullUser(CTX)
// create new, empty session // create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
sessionToken := createResp.GetSessionToken() sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) { t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
@@ -579,7 +579,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
}) })
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{ WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -595,7 +595,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err) require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -617,7 +617,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) { t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now()) code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err) require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
Totp: &session.CheckTOTP{ Totp: &session.CheckTOTP{
@@ -631,13 +631,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
}) })
userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret) userImport := Instance.CreateHumanUserWithTOTP(CTX, totpSecret)
createRespImport, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createRespImport, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
sessionTokenImport := createRespImport.GetSessionToken() sessionTokenImport := createRespImport.GetSessionToken()
verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "") verifyCurrentSession(t, createRespImport.GetSessionId(), sessionTokenImport, createRespImport.GetDetails().GetSequence(), time.Minute, nil, nil, 0, "")
t.Run("check user", func(t *testing.T) { t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(), SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
@@ -654,7 +654,7 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) { t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now()) code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err) require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createRespImport.GetSessionId(), SessionId: createRespImport.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
Totp: &session.CheckTOTP{ Totp: &session.CheckTOTP{
@@ -670,13 +670,13 @@ func TestServer_SetSession_flow_totp(t *testing.T) {
func TestServer_SetSession_flow(t *testing.T) { func TestServer_SetSession_flow(t *testing.T) {
// create new, empty session // create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
sessionToken := createResp.GetSessionToken() sessionToken := createResp.GetSessionToken()
verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId()) verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
t.Run("check user", func(t *testing.T) { t.Run("check user", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
@@ -692,7 +692,7 @@ func TestServer_SetSession_flow(t *testing.T) {
}) })
t.Run("check webauthn, user verified (passkey)", func(t *testing.T) { t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{ WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -708,7 +708,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true) assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
require.NoError(t, err) require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -734,7 +734,7 @@ func TestServer_SetSession_flow(t *testing.T) {
session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED, session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
} { } {
t.Run(userVerificationRequirement.String(), func(t *testing.T) { t.Run(userVerificationRequirement.String(), func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
WebAuthN: &session.RequestChallenges_WebAuthN{ WebAuthN: &session.RequestChallenges_WebAuthN{
@@ -750,7 +750,7 @@ func TestServer_SetSession_flow(t *testing.T) {
assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false) assertionData, err := Instance.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false)
require.NoError(t, err) require.NoError(t, err)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
WebAuthN: &session.CheckWebAuthN{ WebAuthN: &session.CheckWebAuthN{
@@ -768,7 +768,7 @@ func TestServer_SetSession_flow(t *testing.T) {
t.Run("check TOTP", func(t *testing.T) { t.Run("check TOTP", func(t *testing.T) {
code, err := totp.GenerateCode(totpSecret, time.Now()) code, err := totp.GenerateCode(totpSecret, time.Now())
require.NoError(t, err) require.NoError(t, err)
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
Totp: &session.CheckTOTP{ Totp: &session.CheckTOTP{
@@ -782,7 +782,7 @@ func TestServer_SetSession_flow(t *testing.T) {
}) })
t.Run("check OTP SMS", func(t *testing.T) { t.Run("check OTP SMS", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true}, OtpSms: &session.RequestChallenges_OTPSMS{ReturnCode: true},
@@ -795,7 +795,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpSms() otp := resp.GetChallenges().GetOtpSms()
require.NotEmpty(t, otp) require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
OtpSms: &session.CheckOTP{ OtpSms: &session.CheckOTP{
@@ -809,7 +809,7 @@ func TestServer_SetSession_flow(t *testing.T) {
}) })
t.Run("check OTP Email", func(t *testing.T) { t.Run("check OTP Email", func(t *testing.T) {
resp, err := Client.SetSession(CTX, &session.SetSessionRequest{ resp, err := Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Challenges: &session.RequestChallenges{ Challenges: &session.RequestChallenges{
OtpEmail: &session.RequestChallenges_OTPEmail{ OtpEmail: &session.RequestChallenges_OTPEmail{
@@ -824,7 +824,7 @@ func TestServer_SetSession_flow(t *testing.T) {
otp := resp.GetChallenges().GetOtpEmail() otp := resp.GetChallenges().GetOtpEmail()
require.NotEmpty(t, otp) require.NotEmpty(t, otp)
resp, err = Client.SetSession(CTX, &session.SetSessionRequest{ resp, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Checks: &session.Checks{ Checks: &session.Checks{
OtpEmail: &session.CheckOTP{ OtpEmail: &session.CheckOTP{
@@ -839,13 +839,13 @@ func TestServer_SetSession_flow(t *testing.T) {
} }
func TestServer_SetSession_expired(t *testing.T) { func TestServer_SetSession_expired(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Lifetime: durationpb.New(20 * time.Second), Lifetime: durationpb.New(20 * time.Second),
}) })
require.NoError(t, err) require.NoError(t, err)
// test session token works // test session token works
_, err = Client.SetSession(CTX, &session.SetSessionRequest{ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second), Lifetime: durationpb.New(20 * time.Second),
}) })
@@ -853,7 +853,7 @@ func TestServer_SetSession_expired(t *testing.T) {
// ensure session expires and does not work anymore // ensure session expires and does not work anymore
time.Sleep(20 * time.Second) time.Sleep(20 * time.Second)
_, err = Client.SetSession(CTX, &session.SetSessionRequest{ _, err = Client.SetSession(LoginCTX, &session.SetSessionRequest{
SessionId: createResp.GetSessionId(), SessionId: createResp.GetSessionId(),
Lifetime: durationpb.New(20 * time.Second), Lifetime: durationpb.New(20 * time.Second),
}) })
@@ -861,7 +861,7 @@ func TestServer_SetSession_expired(t *testing.T) {
} }
func TestServer_DeleteSession_token(t *testing.T) { func TestServer_DeleteSession_token(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
_, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{ _, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
@@ -881,14 +881,14 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
// create two users for the test and a session each to get tokens for authorization // create two users for the test and a session each to get tokens for authorization
user1 := Instance.CreateHumanUser(CTX) user1 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false) Instance.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword, false)
_, token1, _, _ := Instance.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword) _, token1, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user1.GetUserId(), integration.UserPassword)
user2 := Instance.CreateHumanUser(CTX) user2 := Instance.CreateHumanUser(CTX)
Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false) Instance.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword, false)
_, token2, _, _ := Instance.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword) _, token2, _, _ := Instance.CreatePasswordSession(t, LoginCTX, user2.GetUserId(), integration.UserPassword)
// create a new session for the first user // create a new session for the first user
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -913,7 +913,7 @@ func TestServer_DeleteSession_own_session(t *testing.T) {
} }
func TestServer_DeleteSession_with_permission(t *testing.T) { func TestServer_DeleteSession_with_permission(t *testing.T) {
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{ Search: &session.CheckUser_UserId{
@@ -933,7 +933,7 @@ func TestServer_DeleteSession_with_permission(t *testing.T) {
func Test_ZITADEL_API_missing_authentication(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) {
// create new, empty session // create new, empty session
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{}) createResp, err := Client.CreateSession(LoginCTX, &session.CreateSessionRequest{})
require.NoError(t, err) require.NoError(t, err)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken())) ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
@@ -948,7 +948,7 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
} }
func Test_ZITADEL_API_success(t *testing.T) { func Test_ZITADEL_API_success(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
ctx := integration.WithAuthorizationToken(context.Background(), token) ctx := integration.WithAuthorizationToken(context.Background(), token)
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute) retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -964,7 +964,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
} }
func Test_ZITADEL_API_session_not_found(t *testing.T) { func Test_ZITADEL_API_session_not_found(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId()) id, token, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, User.GetUserId())
// test session token works // test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token) ctx := integration.WithAuthorizationToken(context.Background(), token)
@@ -995,7 +995,7 @@ func Test_ZITADEL_API_session_not_found(t *testing.T) {
} }
func Test_ZITADEL_API_session_expired(t *testing.T) { func Test_ZITADEL_API_session_expired(t *testing.T) {
id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, CTX, User.GetUserId(), 20*time.Second) id, token, _, _ := Instance.CreateVerifiedWebAuthNSessionWithLifetime(t, LoginCTX, User.GetUserId(), 20*time.Second)
// test session token works // test session token works
ctx := integration.WithAuthorizationToken(context.Background(), token) ctx := integration.WithAuthorizationToken(context.Background(), token)


@@ -11,7 +11,6 @@ import (
"google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/structpb"
"google.golang.org/protobuf/types/known/timestamppb" "google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/authz"
object "github.com/zitadel/zitadel/internal/api/grpc/object/v2beta" object "github.com/zitadel/zitadel/internal/api/grpc/object/v2beta"
"github.com/zitadel/zitadel/internal/command" "github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/domain"
@@ -89,7 +88,7 @@ func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest)
return nil, err return nil, err
} }
set, err := s.command.UpdateSession(ctx, req.GetSessionId(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration()) set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), cmds, req.GetMetadata(), req.GetLifetime().AsDuration())
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -255,18 +254,13 @@ func listSessionsRequestToQuery(ctx context.Context, req *session.ListSessionsRe
} }
func sessionQueriesToQuery(ctx context.Context, queries []*session.SearchQuery) (_ []query.SearchQuery, err error) { func sessionQueriesToQuery(ctx context.Context, queries []*session.SearchQuery) (_ []query.SearchQuery, err error) {
q := make([]query.SearchQuery, len(queries)+1) q := make([]query.SearchQuery, len(queries))
for i, v := range queries { for i, v := range queries {
q[i], err = sessionQueryToQuery(v) q[i], err = sessionQueryToQuery(v)
if err != nil { if err != nil {
return nil, err return nil, err
} }
} }
creatorQuery, err := query.NewSessionCreatorSearchQuery(authz.GetCtxData(ctx).UserID)
if err != nil {
return nil, err
}
q[len(queries)] = creatorQuery
return q, nil return q, nil
} }
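Review bot: With the creator filter dropped from sessionQueriesToQuery, a ListSessions call is no longer scoped to the caller's own sessions, so the result now rests entirely on an authorization check that is not visible in this hunk (presumably a `session.read` check in the query layer, matching the roles granted in the description); that should be confirmed, and a comment such as `// no creator filter: read access is enforced by the session.read permission check` at the `q := make([]query.SearchQuery, len(queries))` line would tell the next reader why the scoping disappeared. The `ctx` parameter of sessionQueriesToQuery is now unused; either remove it (its caller listSessionsRequestToQuery lies partly outside this hunk) or name it `_ context.Context` so the dead parameter is deliberate. In SetSession the token is now forwarded via `req.GetSessionToken()`; per the description the `session.write` fallback for an empty token lives in UpdateSession, which is outside this section.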


@@ -339,9 +339,7 @@ func Test_listSessionsRequestToQuery(t *testing.T) {
Limit: 0, Limit: 0,
Asc: false, Asc: false,
}, },
Queries: []query.SearchQuery{ Queries: []query.SearchQuery{},
mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
},
}, },
}, },
{ {
@@ -359,9 +357,7 @@ func Test_listSessionsRequestToQuery(t *testing.T) {
SortingColumn: query.SessionColumnCreationDate, SortingColumn: query.SessionColumnCreationDate,
Asc: false, Asc: false,
}, },
Queries: []query.SearchQuery{ Queries: []query.SearchQuery{},
mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
},
}, },
}, },
{ {
@@ -410,7 +406,6 @@ func Test_listSessionsRequestToQuery(t *testing.T) {
mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn), mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn),
mustNewTextQuery(t, query.SessionColumnUserID, "10", query.TextEquals), mustNewTextQuery(t, query.SessionColumnUserID, "10", query.TextEquals),
mustNewTimestampQuery(t, query.SessionColumnCreationDate, creationDate, query.TimestampGreater), mustNewTimestampQuery(t, query.SessionColumnCreationDate, creationDate, query.TimestampGreater),
mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
}, },
}, },
}, },
@@ -462,9 +457,7 @@ func Test_sessionQueriesToQuery(t *testing.T) {
args: args{ args: args{
ctx: authz.NewMockContext("123", "456", "789"), ctx: authz.NewMockContext("123", "456", "789"),
}, },
want: []query.SearchQuery{ want: []query.SearchQuery{},
mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
},
}, },
{ {
name: "invalid argument", name: "invalid argument",
@@ -496,7 +489,6 @@ func Test_sessionQueriesToQuery(t *testing.T) {
want: []query.SearchQuery{ want: []query.SearchQuery{
mustNewListQuery(t, query.SessionColumnID, []interface{}{"1", "2", "3"}, query.ListIn), mustNewListQuery(t, query.SessionColumnID, []interface{}{"1", "2", "3"}, query.ListIn),
mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn), mustNewListQuery(t, query.SessionColumnID, []interface{}{"4", "5", "6"}, query.ListIn),
mustNewTextQuery(t, query.SessionColumnCreator, "789", query.TextEquals),
}, },
}, },
} }
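Review bot: The Test_sessionQueriesToQuery case that now expects `want: []query.SearchQuery{}` still builds `ctx: authz.NewMockContext("123", "456", "789")`, although the function under test no longer reads the caller identity from the context, so the mock user `789` has become inert fixture data; either drop the ctx argument from the table or add a case passing a bare context (e.g. `context.Background()`) to document that the result is caller-independent. Removing the creator expectations also removes the only assertions in this file that listing was scoped to the caller, so coverage of the replacement access control now has to live in the integration tests.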


@@ -17,11 +17,11 @@ import (
func TestServer_AddOTPSMS(t *testing.T) { func TestServer_AddOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
_, err := Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ _, err := Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX) userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
func TestServer_RemoveOTPSMS(t *testing.T) { func TestServer_RemoveOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
userSelf := Instance.CreateHumanUser(CTX) userSelf := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
_, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{ _, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
UserId: userSelf.GetUserId(), UserId: userSelf.GetUserId(),
@@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
func TestServer_AddOTPEmail(t *testing.T) { func TestServer_AddOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
_, err := Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ _, err := Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX) userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
func TestServer_RemoveOTPEmail(t *testing.T) { func TestServer_RemoveOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -335,7 +335,7 @@ func TestServer_RemoveOTPEmail(t *testing.T) {
userSelf := Instance.CreateHumanUser(CTX) userSelf := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
_, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{ _, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
UserId: userSelf.GetUserId(), UserId: userSelf.GetUserId(),


@@ -28,7 +28,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
// We also need a user session // We also need a user session
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
type args struct { type args struct {
ctx context.Context ctx context.Context


@@ -256,7 +256,7 @@ func TestServer_RemovePhone(t *testing.T) {
doubleRemoveUser := Instance.CreateHumanUser(CTX) doubleRemoveUser := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
tests := []struct { tests := []struct {
name string name string


@@ -20,12 +20,12 @@ import (
func TestServer_RegisterTOTP(t *testing.T) { func TestServer_RegisterTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken) ctx := integration.WithAuthorizationToken(CTX, sessionToken)
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
type args struct { type args struct {
@@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) {
func TestServer_VerifyTOTPRegistration(t *testing.T) { func TestServer_VerifyTOTPRegistration(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken) ctx := integration.WithAuthorizationToken(CTX, sessionToken)
reg, err := Client.RegisterTOTP(ctx, &user.RegisterTOTPRequest{ reg, err := Client.RegisterTOTP(ctx, &user.RegisterTOTPRequest{
@@ -118,7 +118,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{ regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
@@ -209,11 +209,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
func TestServer_RemoveTOTP(t *testing.T) { func TestServer_RemoveTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified) userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
_, err := Instance.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{ _, err := Instance.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
UserId: userVerified.GetUserId(), UserId: userVerified.GetUserId(),


@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) {
// We also need a user session // We also need a user session
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
type args struct { type args struct {
ctx context.Context ctx context.Context
@@ -183,7 +183,7 @@ func TestServer_VerifyU2FRegistration(t *testing.T) {
func ctxFromNewUserWithRegisteredU2F(t *testing.T) (context.Context, string, *user.RegisterU2FResponse) { func ctxFromNewUserWithRegisteredU2F(t *testing.T) (context.Context, string, *user.RegisterU2FResponse) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken) ctx := integration.WithAuthorizationToken(CTX, sessionToken)
pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{ pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{


@@ -33,6 +33,7 @@ import (
var ( var (
CTX context.Context CTX context.Context
IamCTX context.Context IamCTX context.Context
LoginCTX context.Context
UserCTX context.Context UserCTX context.Context
SystemCTX context.Context SystemCTX context.Context
SystemUserWithNoPermissionsCTX context.Context SystemUserWithNoPermissionsCTX context.Context
@@ -50,6 +51,7 @@ func TestMain(m *testing.M) {
SystemUserWithNoPermissionsCTX = integration.WithSystemUserWithNoPermissionsAuthorization(ctx) SystemUserWithNoPermissionsCTX = integration.WithSystemUserWithNoPermissionsAuthorization(ctx)
UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
SystemCTX = integration.WithSystemAuthorization(ctx) SystemCTX = integration.WithSystemAuthorization(ctx)
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
Client = Instance.Client.UserV2 Client = Instance.Client.UserV2
@@ -2705,7 +2707,7 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
func ctxFromNewUserWithRegisteredPasswordlessLegacy(t *testing.T) (context.Context, string, *auth.AddMyPasswordlessResponse) { func ctxFromNewUserWithRegisteredPasswordlessLegacy(t *testing.T) (context.Context, string, *auth.AddMyPasswordlessResponse) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken) ctx := integration.WithAuthorizationToken(CTX, sessionToken)
pkr, err := Instance.Client.Auth.AddMyPasswordless(ctx, &auth.AddMyPasswordlessRequest{}) pkr, err := Instance.Client.Auth.AddMyPasswordless(ctx, &auth.AddMyPasswordlessRequest{})
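Review bot: The new `LoginCTX` in the var block and its initialization `LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)` carry no comment explaining why session creation in the tests moved from `CTX` to it; a note such as `// LoginCTX authorizes as the login client, which (per defaults.yaml) holds session.write; the org owner CTX may no longer create or update sessions` would record the intent behind the many CTX→LoginCTX swaps in this file and the other test files of this commit. UserTypeLogin presumably maps to the IAM_LOGIN_CLIENT role named in the description; if not, the comment should name the actual role. In ctxFromNewUserWithRegisteredPasswordlessLegacy the session is created with LoginCTX but its token is then attached to `CTX` via `integration.WithAuthorizationToken(CTX, sessionToken)`; that line is unchanged, but it is worth confirming the org-owner base context does not carry permissions beyond the session token into the passwordless test.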


@@ -17,11 +17,11 @@ import (
func TestServer_AddOTPSMS(t *testing.T) { func TestServer_AddOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
_, err := Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ _, err := Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -30,7 +30,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX) userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{ _, err = Client.VerifyPhone(CTX, &user.VerifyPhoneRequest{
@@ -123,7 +123,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
func TestServer_RemoveOTPSMS(t *testing.T) { func TestServer_RemoveOTPSMS(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
@@ -137,7 +137,7 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
userSelf := Instance.CreateHumanUser(CTX) userSelf := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userSelf.GetUserId()) Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId()) _, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userSelf.GetUserId())
userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf) userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
_, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{ _, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{
UserId: userSelf.GetUserId(), UserId: userSelf.GetUserId(),
@@ -213,11 +213,11 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
func TestServer_AddOTPEmail(t *testing.T) { func TestServer_AddOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
_, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ _, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -226,7 +226,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerified2 := Instance.CreateHumanUser(CTX) userVerified2 := Instance.CreateHumanUser(CTX)
_, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{ _, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
@@ -321,7 +321,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
func TestServer_RemoveOTPEmail(t *testing.T) { func TestServer_RemoveOTPEmail(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())


@@ -27,7 +27,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
// We also need a user session // We also need a user session
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
type args struct { type args struct {
ctx context.Context ctx context.Context


@@ -258,7 +258,7 @@ func TestServer_RemovePhone(t *testing.T) {
doubleRemoveUser := Instance.CreateHumanUser(CTX) doubleRemoveUser := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
tests := []struct { tests := []struct {
name string name string


@@ -20,12 +20,12 @@ import (
func TestServer_RegisterTOTP(t *testing.T) { func TestServer_RegisterTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken) ctx := integration.WithAuthorizationToken(CTX, sessionToken)
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
type args struct { type args struct {
@@ -106,7 +106,7 @@ func TestServer_RegisterTOTP(t *testing.T) {
func TestServer_VerifyTOTPRegistration(t *testing.T) { func TestServer_VerifyTOTPRegistration(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken) ctx := integration.WithAuthorizationToken(CTX, sessionToken)
var reg *user.RegisterTOTPResponse var reg *user.RegisterTOTPResponse
@@ -123,7 +123,7 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
otherUser := Instance.CreateHumanUser(CTX).GetUserId() otherUser := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser) ctxOtherUser := integration.WithAuthorizationToken(CTX, sessionTokenOtherUser)
regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{ regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
@@ -214,11 +214,11 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
func TestServer_RemoveTOTP(t *testing.T) { func TestServer_RemoveTOTP(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
userVerified := Instance.CreateHumanUser(CTX) userVerified := Instance.CreateHumanUser(CTX)
Instance.RegisterUserPasskey(CTX, userVerified.GetUserId()) Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId()) _, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userVerified.GetUserId())
userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified) userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
_, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{ _, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
UserId: userVerified.GetUserId(), UserId: userVerified.GetUserId(),


@@ -22,9 +22,9 @@ func TestServer_RegisterU2F(t *testing.T) {
// We also need a user session // We also need a user session
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
Instance.RegisterUserPasskey(CTX, otherUser) Instance.RegisterUserPasskey(CTX, otherUser)
_, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, otherUser) _, sessionTokenOtherUser, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, otherUser)
type args struct { type args struct {
ctx context.Context ctx context.Context
@@ -108,7 +108,7 @@ func TestServer_RegisterU2F(t *testing.T) {
func TestServer_VerifyU2FRegistration(t *testing.T) { func TestServer_VerifyU2FRegistration(t *testing.T) {
userID := Instance.CreateHumanUser(CTX).GetUserId() userID := Instance.CreateHumanUser(CTX).GetUserId()
Instance.RegisterUserPasskey(CTX, userID) Instance.RegisterUserPasskey(CTX, userID)
_, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userID) _, sessionToken, _, _ := Instance.CreateVerifiedWebAuthNSession(t, LoginCTX, userID)
ctx := integration.WithAuthorizationToken(CTX, sessionToken) ctx := integration.WithAuthorizationToken(CTX, sessionToken)
pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{ pkr, err := Client.RegisterU2F(ctx, &user.RegisterU2FRequest{


@@ -31,6 +31,7 @@ import (
var ( var (
CTX context.Context CTX context.Context
IamCTX context.Context IamCTX context.Context
LoginCTX context.Context
UserCTX context.Context UserCTX context.Context
SystemCTX context.Context SystemCTX context.Context
Instance *integration.Instance Instance *integration.Instance
@@ -46,6 +47,7 @@ func TestMain(m *testing.M) {
UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission) UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner) IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
LoginCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
SystemCTX = integration.WithSystemAuthorization(ctx) SystemCTX = integration.WithSystemAuthorization(ctx)
CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner) CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
Client = Instance.Client.UserV2beta Client = Instance.Client.UserV2beta
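Review bot: The new login-client context is named `LoginCTX` here, while the OIDC integration test in this same commit passes `CTXLOGIN` to `CreateSession` for what looks like the same thing, and the sibling variables in this file follow the `IamCTX`/`UserCTX` pattern. If the other package's name is also new in this commit, settle on one spelling (`LoginCTX` fits this file) before it spreads to more test packages. The rest of `TestMain`'s setup lies outside the visible hunk.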


@@ -90,7 +90,7 @@ func Test_ZITADEL_API_missing_audience_scope(t *testing.T) {
func Test_ZITADEL_API_missing_authentication(t *testing.T) { func Test_ZITADEL_API_missing_authentication(t *testing.T) {
clientID, _ := createClient(t, Instance) clientID, _ := createClient(t, Instance)
authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope) authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
createResp, err := Instance.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{ createResp, err := Instance.Client.SessionV2.CreateSession(CTXLOGIN, &session.CreateSessionRequest{
Checks: &session.Checks{ Checks: &session.Checks{
User: &session.CheckUser{ User: &session.CheckUser{
Search: &session.CheckUser_UserId{UserId: User.GetUserId()}, Search: &session.CheckUser_UserId{UserId: User.GetUserId()},


@@ -137,6 +137,11 @@ func (c *Commands) FailAuthRequest(ctx context.Context, id string, reason domain
if writeModel.AuthRequestState != domain.AuthRequestStateAdded { if writeModel.AuthRequestState != domain.AuthRequestStateAdded {
return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled") return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled")
} }
if authz.GetCtxData(ctx).UserID != writeModel.LoginClient {
if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil {
return nil, nil, err
}
}
err = c.pushAppendAndReduce(ctx, writeModel, authrequest.NewFailedEvent( err = c.pushAppendAndReduce(ctx, writeModel, authrequest.NewFailedEvent(
ctx, ctx,
&authrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate, &authrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,
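Review bot: The same-user exemption in the new `if` compares `authz.GetCtxData(ctx).UserID` with `writeModel.LoginClient` without guarding the empty string, so if an auth request can ever be stored with an empty login client and the caller's user ID is also empty (a non-user context), the `session.link` check is skipped. Tightening it to `if writeModel.LoginClient == "" || authz.GetCtxData(ctx).UserID != writeModel.LoginClient {` makes only a non-empty, matching login client bypass the check. A one-line comment on the exemption would also help the next reader: `// The login client that created the request may still fail it without session.link (backward compatibility); everyone else needs the permission.` FailAuthRequest's signature and the rest of its body are outside the hunk.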


@@ -911,7 +911,8 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
func TestCommands_FailAuthRequest(t *testing.T) { func TestCommands_FailAuthRequest(t *testing.T) {
mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient")
type fields struct { type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore eventstore func(*testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
} }
type args struct { type args struct {
ctx context.Context ctx context.Context
@@ -945,6 +946,45 @@ func TestCommands_FailAuthRequest(t *testing.T) {
wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled"), wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sx202nt", "Errors.AuthRequest.AlreadyHandled"),
}, },
}, },
{
"missing permission",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
authrequest.NewAddedEvent(mockCtx, &authrequest.NewAggregate("V2_id", "instanceID").Aggregate,
"login",
"clientID",
"redirectURI",
"state",
"nonce",
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
nil,
nil,
nil,
true,
"issuer",
),
),
),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: mockCtx,
id: "V2_id",
reason: domain.OIDCErrorReasonLoginRequired,
},
res{
wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{ {
"failed", "failed",
fields{ fields{
@@ -977,6 +1017,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
domain.OIDCErrorReasonLoginRequired), domain.OIDCErrorReasonLoginRequired),
), ),
), ),
checkPermission: newMockPermissionCheckAllowed(),
}, },
args{ args{
ctx: mockCtx, ctx: mockCtx,
@@ -1006,7 +1047,8 @@ func TestCommands_FailAuthRequest(t *testing.T) {
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
c := &Commands{ c := &Commands{
eventstore: tt.fields.eventstore(t), eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
} }
details, got, err := c.FailAuthRequest(tt.args.ctx, tt.args.id, tt.args.reason) details, got, err := c.FailAuthRequest(tt.args.ctx, tt.args.id, tt.args.reason)
require.ErrorIs(t, err, tt.res.wantErr) require.ErrorIs(t, err, tt.res.wantErr)
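Review bot: The new "missing permission" case only exercises the mismatch path, because `mockCtx` carries user ID "loginClient" while the added event's login client is "login", so nothing in the table proves that the creating login client can still fail its own request without `session.link`. Add a case whose added event uses "loginClient" as login client, sets `checkPermission: newMockPermissionCheckNotAllowed()`, and expects the failed event to be pushed; without it a regression that drops the same-user exemption passes these tests unnoticed. The remaining table rows run outside the visible hunks.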


@@ -136,6 +136,9 @@ func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domai
if !model.State.Exists() { if !model.State.Exists() {
return nil, zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound") return nil, zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound")
} }
if err := c.checkPermission(ctx, domain.PermissionSessionLink, model.ResourceOwner, ""); err != nil {
return nil, err
}
pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, model.aggregate, reason)) pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewCanceledEvent(ctx, model.aggregate, reason))
if err != nil { if err != nil {
return nil, err return nil, err
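Review bot: The new `session.link` check runs for every cancellation reason, including `DeviceAuthCanceledExpired`, which the command tests still exercise; if expiry cancellation is triggered from a path without a login-client context (a timeout in the device flow or a background job), that caller is now rejected, so it is worth confirming who calls CancelDeviceAuth with that reason. Unlike FailAuthRequest in this commit there is no creator exemption here; if that is deliberate, say so above the check: `// Cancelling a device auth request always requires session.link; there is no creator exemption as in FailAuthRequest.` CancelDeviceAuth's signature and the remainder of its body are outside the hunk.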


@@ -578,7 +578,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
pushErr := errors.New("pushErr") pushErr := errors.New("pushErr")
type fields struct { type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore eventstore func(*testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
} }
type args struct { type args struct {
ctx context.Context ctx context.Context
@@ -602,6 +603,26 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantErr: zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound"), wantErr: zerrors.ThrowNotFound(nil, "COMMAND-gee5A", "Errors.DeviceAuth.NotFound"),
}, },
{
name: "missing permission, error",
fields: fields{
eventstore: expectEventstore(
expectFilter(eventFromEventPusherWithInstanceID(
"instance1",
deviceauth.NewAddedEvent(
ctx,
deviceauth.NewAggregate("123", "instance1"),
"client_id", "123", "456", now,
[]string{"a", "b", "c"},
[]string{"projectID", "clientID"}, true,
),
)),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
{ {
name: "push error", name: "push error",
fields: fields{ fields: fields{
@@ -623,6 +644,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
), ),
), ),
), ),
checkPermission: newMockPermissionCheckAllowed(),
}, },
args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantErr: pushErr, wantErr: pushErr,
@@ -648,6 +670,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
), ),
), ),
), ),
checkPermission: newMockPermissionCheckAllowed(),
}, },
args: args{ctx, "123", domain.DeviceAuthCanceledDenied}, args: args{ctx, "123", domain.DeviceAuthCanceledDenied},
wantDetails: &domain.ObjectDetails{ wantDetails: &domain.ObjectDetails{
@@ -675,6 +698,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
), ),
), ),
), ),
checkPermission: newMockPermissionCheckAllowed(),
}, },
args: args{ctx, "123", domain.DeviceAuthCanceledExpired}, args: args{ctx, "123", domain.DeviceAuthCanceledExpired},
wantDetails: &domain.ObjectDetails{ wantDetails: &domain.ObjectDetails{
@@ -685,7 +709,8 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
c := &Commands{ c := &Commands{
eventstore: tt.fields.eventstore(t), eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
} }
gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason) gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason)
require.ErrorIs(t, err, tt.wantErr) require.ErrorIs(t, err, tt.wantErr)


@@ -119,6 +119,9 @@ func (c *Commands) FailSAMLRequest(ctx context.Context, id string, reason domain
if writeModel.SAMLRequestState != domain.SAMLRequestStateAdded { if writeModel.SAMLRequestState != domain.SAMLRequestStateAdded {
return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled") return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled")
} }
if err := c.checkPermission(ctx, domain.PermissionSessionLink, writeModel.ResourceOwner, ""); err != nil {
return nil, nil, err
}
err = c.pushAppendAndReduce(ctx, writeModel, samlrequest.NewFailedEvent( err = c.pushAppendAndReduce(ctx, writeModel, samlrequest.NewFailedEvent(
ctx, ctx,
&samlrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate, &samlrequest.NewAggregate(id, authz.GetInstance(ctx).InstanceID()).Aggregate,
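Review bot: This check is unconditional, whereas FailAuthRequest in the same commit keeps a same-login-client exemption for backward compatibility, so a login client that could previously fail its own SAML request without `session.link` is now rejected. If the asymmetry is intentional, document it on the new lines: `// No creator exemption for SAML requests: failing a request always requires session.link.` Otherwise mirror the OIDC branch with `if authz.GetCtxData(ctx).UserID != writeModel.LoginClient { ... }`, assuming the SAML write model exposes the login client that the added event's first argument ("login" in the tests) suggests it stores. FailSAMLRequest's signature and the rest of its body are outside the hunk.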


@@ -786,7 +786,8 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
func TestCommands_FailSAMLRequest(t *testing.T) { func TestCommands_FailSAMLRequest(t *testing.T) {
mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient") mockCtx := authz.NewMockContext("instanceID", "orgID", "loginClient")
type fields struct { type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore eventstore func(t *testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
} }
type args struct { type args struct {
ctx context.Context ctx context.Context
@@ -820,7 +821,40 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
res{ res{
wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled"), wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-32lGj1Fhjt", "Errors.SAMLRequest.AlreadyHandled"),
}, },
}, { },
{
"missing permission",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
samlrequest.NewAddedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate,
"login",
"application",
"acs",
"relaystate",
"request",
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: mockCtx,
id: "V2_id",
reason: domain.SAMLErrorReasonAuthNFailed,
description: "desc",
},
res{
wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{
"already failed", "already failed",
fields{ fields{
eventstore: expectEventstore( eventstore: expectEventstore(
@@ -843,6 +877,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
), ),
), ),
), ),
checkPermission: newMockPermissionCheckAllowed(),
}, },
args{ args{
ctx: mockCtx, ctx: mockCtx,
@@ -879,6 +914,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
), ),
), ),
), ),
checkPermission: newMockPermissionCheckAllowed(),
}, },
args{ args{
ctx: mockCtx, ctx: mockCtx,
@@ -908,7 +944,8 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
c := &Commands{ c := &Commands{
eventstore: tt.fields.eventstore(t), eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
} }
details, got, err := c.FailSAMLRequest(tt.args.ctx, tt.args.id, tt.args.reason) details, got, err := c.FailSAMLRequest(tt.args.ctx, tt.args.id, tt.args.reason)
require.ErrorIs(t, err, tt.res.wantErr) require.ErrorIs(t, err, tt.res.wantErr)


@@ -285,7 +285,13 @@ func (s *SessionCommands) commands(ctx context.Context) (string, []eventstore.Co
return token, s.eventCommands, nil return token, s.eventCommands, nil
} }
func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, metadata map[string][]byte, userAgent *domain.UserAgent, lifetime time.Duration) (set *SessionChanged, err error) { func (c *Commands) CreateSession(
ctx context.Context,
cmds []SessionCommand,
metadata map[string][]byte,
userAgent *domain.UserAgent,
lifetime time.Duration,
) (set *SessionChanged, err error) {
sessionID, err := c.idGenerator.Next() sessionID, err := c.idGenerator.Next()
if err != nil { if err != nil {
return nil, err return nil, err
@@ -295,17 +301,29 @@ func (c *Commands) CreateSession(ctx context.Context, cmds []SessionCommand, met
if err != nil { if err != nil {
return nil, err return nil, err
} }
if err = c.checkSessionWritePermission(ctx, sessionWriteModel, ""); err != nil {
return nil, err
}
cmd := c.NewSessionCommands(cmds, sessionWriteModel) cmd := c.NewSessionCommands(cmds, sessionWriteModel)
cmd.Start(ctx, userAgent) cmd.Start(ctx, userAgent)
return c.updateSession(ctx, cmd, metadata, lifetime) return c.updateSession(ctx, cmd, metadata, lifetime)
} }
func (c *Commands) UpdateSession(ctx context.Context, sessionID string, cmds []SessionCommand, metadata map[string][]byte, lifetime time.Duration) (set *SessionChanged, err error) { func (c *Commands) UpdateSession(
ctx context.Context,
sessionID, sessionToken string,
cmds []SessionCommand,
metadata map[string][]byte,
lifetime time.Duration,
) (set *SessionChanged, err error) {
sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID()) sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID())
err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel) err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if err = c.checkSessionWritePermission(ctx, sessionWriteModel, sessionToken); err != nil {
return nil, err
}
cmd := c.NewSessionCommands(cmds, sessionWriteModel) cmd := c.NewSessionCommands(cmds, sessionWriteModel)
return c.updateSession(ctx, cmd, metadata, lifetime) return c.updateSession(ctx, cmd, metadata, lifetime)
} }
@@ -380,6 +398,21 @@ func (c *Commands) updateSession(ctx context.Context, checks *SessionCommands, m
return changed, nil return changed, nil
} }
// checkSessionWritePermission will check that the provided sessionToken is correct or
// if empty, check that the caller is granted the "session.write" permission on the resource owner of the authenticated user.
// In case the user is not set and the userResourceOwner is not set (also the case for the session creation),
// it will check permission on the instance.
func (c *Commands) checkSessionWritePermission(ctx context.Context, model *SessionWriteModel, sessionToken string) error {
if sessionToken != "" {
return c.sessionTokenVerifier(ctx, sessionToken, model.AggregateID, model.TokenID)
}
userResourceOwner, err := c.sessionUserResourceOwner(ctx, model)
if err != nil {
return err
}
return c.checkPermission(ctx, domain.PermissionSessionWrite, userResourceOwner, model.UserID)
}
// checkSessionTerminationPermission will check that the provided sessionToken is correct or // checkSessionTerminationPermission will check that the provided sessionToken is correct or
// if empty, check that the caller is either terminating the own session or // if empty, check that the caller is either terminating the own session or
// is granted the "session.delete" permission on the resource owner of the authenticated user. // is granted the "session.delete" permission on the resource owner of the authenticated user.
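Review bot: In CreateSession the new `checkSessionWritePermission(ctx, sessionWriteModel, "")` runs on a freshly filtered, empty write model before `cmd.Start` and the session commands populate the user, so `model.UserID` is empty and, per the helper's own doc comment, the check is always made at instance level; an org-scoped `session.write` grant can therefore never create a session even for its own org's users, while a later UpdateSession on that session is checked against the user's resource owner. If that is the intended model (the defaults grant `session.write` only to instance-level roles), state it where it is easy to miss, on the line before the check in CreateSession: `// Checked at instance level: the user is unknown until the session commands run, so org-scoped session.write grants cannot create sessions.` The helper's token branch returns the verifier's error directly, so an invalid or stale token does not fall through to the permission check; one sentence in its doc comment (`// An invalid or stale token fails the call; it does not fall back to the permission check.`) keeps callers from expecting otherwise. `updateSession` and `sessionUserResourceOwner` are outside the hunk.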


@@ -145,8 +145,9 @@ func TestSessionCommands_getHumanWriteModel(t *testing.T) {
func TestCommands_CreateSession(t *testing.T) { func TestCommands_CreateSession(t *testing.T) {
type fields struct { type fields struct {
idGenerator id.Generator idGenerator id.Generator
tokenCreator func(sessionID string) (string, string, error) tokenCreator func(sessionID string) (string, string, error)
checkPermission domain.PermissionCheck
} }
type args struct { type args struct {
ctx context.Context ctx context.Context
@@ -194,6 +195,22 @@ func TestCommands_CreateSession(t *testing.T) {
err: zerrors.ThrowInternal(nil, "id", "filter failed"), err: zerrors.ThrowInternal(nil, "id", "filter failed"),
}, },
}, },
{
"missing permission",
fields{
idGenerator: mock.NewIDGeneratorExpectIDs(t, "sessionID"),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: context.Background(),
},
[]expect{
expectFilter(),
},
res{
err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{ {
"negative lifetime", "negative lifetime",
fields{ fields{
@@ -203,6 +220,7 @@ func TestCommands_CreateSession(t *testing.T) {
"token", "token",
nil nil
}, },
checkPermission: newMockPermissionCheckAllowed(),
}, },
args{ args{
ctx: authz.NewMockContext("instance1", "", ""), ctx: authz.NewMockContext("instance1", "", ""),
@@ -230,6 +248,7 @@ func TestCommands_CreateSession(t *testing.T) {
"token", "token",
nil nil
}, },
checkPermission: newMockPermissionCheckAllowed(),
}, },
args{ args{
ctx: authz.NewMockContext("instance1", "", ""), ctx: authz.NewMockContext("instance1", "", ""),
@@ -275,6 +294,7 @@ func TestCommands_CreateSession(t *testing.T) {
eventstore: expectEventstore(tt.expect...)(t), eventstore: expectEventstore(tt.expect...)(t),
idGenerator: tt.fields.idGenerator, idGenerator: tt.fields.idGenerator,
sessionTokenCreator: tt.fields.tokenCreator, sessionTokenCreator: tt.fields.tokenCreator,
checkPermission: tt.fields.checkPermission,
} }
got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata, tt.args.userAgent, tt.args.lifetime) got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata, tt.args.userAgent, tt.args.lifetime)
require.ErrorIs(t, err, tt.res.err) require.ErrorIs(t, err, tt.res.err)
@@ -285,15 +305,17 @@ func TestCommands_CreateSession(t *testing.T) {
func TestCommands_UpdateSession(t *testing.T) { func TestCommands_UpdateSession(t *testing.T) {
type fields struct { type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore eventstore func(*testing.T) *eventstore.Eventstore
tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
checkPermission domain.PermissionCheck
} }
type args struct { type args struct {
ctx context.Context ctx context.Context
sessionID string sessionID string
checks []SessionCommand sessionToken string
metadata map[string][]byte checks []SessionCommand
lifetime time.Duration metadata map[string][]byte
lifetime time.Duration
} }
type res struct { type res struct {
want *SessionChanged want *SessionChanged
@@ -319,6 +341,67 @@ func TestCommands_UpdateSession(t *testing.T) {
err: zerrors.ThrowInternal(nil, "id", "filter failed"), err: zerrors.ThrowInternal(nil, "id", "filter failed"),
}, },
}, },
{
"invalid session token",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
session.NewAddedEvent(context.Background(),
&session.NewAggregate("sessionID", "instance1").Aggregate,
&domain.UserAgent{
FingerprintID: gu.Ptr("fp1"),
IP: net.ParseIP("1.2.3.4"),
Description: gu.Ptr("firefox"),
Header: http.Header{"foo": []string{"bar"}},
},
)),
eventFromEventPusher(
session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
"tokenID")),
),
),
tokenVerifier: newMockTokenVerifierInvalid(),
},
args{
ctx: context.Background(),
sessionID: "sessionID",
sessionToken: "invalid",
},
res{
err: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"),
},
},
{
"no token, no permission",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
session.NewAddedEvent(context.Background(),
&session.NewAggregate("sessionID", "instance1").Aggregate,
&domain.UserAgent{
FingerprintID: gu.Ptr("fp1"),
IP: net.ParseIP("1.2.3.4"),
Description: gu.Ptr("firefox"),
Header: http.Header{"foo": []string{"bar"}},
},
)),
eventFromEventPusher(
session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "instance1").Aggregate,
"tokenID")),
),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: context.Background(),
sessionID: "sessionID",
},
res{
err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
},
},
{ {
"no change", "no change",
fields{ fields{
@@ -344,8 +427,9 @@ func TestCommands_UpdateSession(t *testing.T) {
}, },
}, },
args{ args{
ctx: context.Background(), ctx: context.Background(),
sessionID: "sessionID", sessionID: "sessionID",
sessionToken: "token",
}, },
res{ res{
want: &SessionChanged{ want: &SessionChanged{
@@ -364,8 +448,9 @@ func TestCommands_UpdateSession(t *testing.T) {
c := &Commands{ c := &Commands{
eventstore: tt.fields.eventstore(t), eventstore: tt.fields.eventstore(t),
sessionTokenVerifier: tt.fields.tokenVerifier, sessionTokenVerifier: tt.fields.tokenVerifier,
checkPermission: tt.fields.checkPermission,
} }
got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.checks, tt.args.metadata, tt.args.lifetime) got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata, tt.args.lifetime)
require.ErrorIs(t, err, tt.res.err) require.ErrorIs(t, err, tt.res.err)
assert.Equal(t, tt.res.want, got) assert.Equal(t, tt.res.want, got)
}) })
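Review bot: The two new cases cover an invalid token and no token without permission, but nothing in the table pins the alternative path this commit introduces: a valid token with `checkPermission: newMockPermissionCheckNotAllowed()` should succeed, and an invalid token with `checkPermission: newMockPermissionCheckAllowed()` should still fail with `COMMAND-sGr42`, because checkSessionWritePermission returns the verifier error without falling back. Unless the "no change" case (whose fields start outside the visible hunk) already leaves `checkPermission` unset while passing `sessionToken: "token"`, add those two rows so a regression that ignores the token, or that falls through to the permission check on a bad token, is caught.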