chore: move the go code into a subfolder

2025-08-12 04:17:32 +00:00 · 2025-08-05 15:20:32 -07:00
parent 4ad22ba456
commit cd2921de26
2978 changed files with 373 additions and 300 deletions
--- a/apps/api/internal/query/oidc_client_test.go
+++ b/apps/api/internal/query/oidc_client_test.go
@@ -0,0 +1,281 @@
+package query
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	_ "embed"
+	"net/url"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+var (
+	//go:embed testdata/oidc_client_jwt.json
+	testdataOidcClientJWT string
+	//go:embed testdata/oidc_client_jwt_loginversion.json
+	testdataOidcClientJWTLoginVersion string
+	//go:embed testdata/oidc_client_public.json
+	testdataOidcClientPublic string
+	//go:embed testdata/oidc_client_public_old_id.json
+	testdataOidcClientPublicOldId string
+	//go:embed testdata/oidc_client_secret.json
+	testdataOidcClientSecret string
+	//go:embed testdata/oidc_client_no_settings.json
+	testdataOidcClientNoSettings string
+)
+
+func TestQueries_ActiveOIDCClientByID(t *testing.T) {
+	expQuery := regexp.QuoteMeta(oidcClientQuery)
+	cols := []string{"client"}
+	pubkey := `-----BEGIN RSA PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ufAL1b72bIy1ar+Ws6b
+GohJJQFB7dfRapDqeqM8Ukp6CVdPzq/pOz1viAq50yzWZJryF+2wshFAKGF9A2/B
+2Yf9bJXPZ/KbkFrYT3NTvYDkvlaSTl9mMnzrU29s48F1PTWKfB+C3aMsOEG1BufV
+s63qF4nrEPjSbhljIco9FZq4XppIzhMQ0fDdA/+XygCJqvuaL0LibM1KrlUdnu71
+YekhSJjEPnvOisXIk4IXywoGIOwtjxkDvNItQvaMVldr4/kb6uvbgdWwq5EwBZXq
+low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
+6QIDAQAB
+-----END RSA PUBLIC KEY-----
+`
+
+	tests := []struct {
+		name    string
+		mock    sqlExpectation
+		want    *OIDCClient
+		wantErr error
+	}{
+		{
+			name:    "no rows",
+			mock:    mockQueryErr(expQuery, sql.ErrNoRows, "instanceID", "clientID", true),
+			wantErr: zerrors.ThrowNotFound(sql.ErrNoRows, "QUERY-wu6Ee", "Errors.App.NotFound"),
+		},
+		{
+			name:    "internal error",
+			mock:    mockQueryErr(expQuery, sql.ErrConnDone, "instanceID", "clientID", true),
+			wantErr: zerrors.ThrowInternal(sql.ErrConnDone, "QUERY-ieR7R", "Errors.Internal"),
+		},
+		{
+			name: "jwt client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientJWT}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236647088211886082",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236647088211951618",
+				HashedSecret:             "",
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode, domain.OIDCGrantTypeRefreshToken},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypePrivateKeyJWT,
+				PostLogoutRedirectURIs:   []string{"https://example.com/logout"},
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeJWT,
+				AccessTokenRoleAssertion: true,
+				IDTokenRoleAssertion:     true,
+				IDTokenUserinfoAssertion: true,
+				ClockSkew:                1000000000,
+				AdditionalOrigins:        []string{"https://example.com"},
+				ProjectID:                "236645808328409090",
+				ProjectRoleAssertion:     true,
+				PublicKeys:               map[string][]byte{"236647201860747266": []byte(pubkey)},
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+			},
+		},
+		{
+			name: "jwt client, login version",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientJWTLoginVersion}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236647088211886082",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236647088211951618",
+				HashedSecret:             "",
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode, domain.OIDCGrantTypeRefreshToken},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypePrivateKeyJWT,
+				PostLogoutRedirectURIs:   []string{"https://example.com/logout"},
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeJWT,
+				AccessTokenRoleAssertion: true,
+				IDTokenRoleAssertion:     true,
+				IDTokenUserinfoAssertion: true,
+				ClockSkew:                1000000000,
+				AdditionalOrigins:        []string{"https://example.com"},
+				ProjectID:                "236645808328409090",
+				ProjectRoleAssertion:     true,
+				PublicKeys:               map[string][]byte{"236647201860747266": []byte(pubkey)},
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+				LoginVersion: domain.LoginVersion1,
+				LoginBaseURI: func() *URL {
+					ret, _ := url.Parse("https://test.com/login")
+					retURL := URL(*ret)
+					return &retURL
+				}(),
+			},
+		},
+		{
+			name: "public client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientPublic}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236646457053020162",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236646457053085698",
+				HashedSecret:             "",
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypeNone,
+				PostLogoutRedirectURIs:   nil,
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "236645808328409090",
+				ProjectRoleAssertion:     true,
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+			},
+		},
+		{
+			name: "public client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientPublicOldId}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236646457053020162",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236646457053085698@tests",
+				HashedSecret:             "",
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypeNone,
+				PostLogoutRedirectURIs:   nil,
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "236645808328409090",
+				ProjectRoleAssertion:     true,
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+			},
+		},
+		{
+			name: "secret client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientSecret}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236646858984783874",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236646858984849410",
+				HashedSecret:             "$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq",
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{0},
+				GrantTypes:               []domain.OIDCGrantType{0},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypeBasic,
+				PostLogoutRedirectURIs:   nil,
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "236645808328409090",
+				ProjectRoleAssertion:     false,
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+			},
+		},
+		{
+			name: "no oidc settings",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientNoSettings}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:   "239520764275982338",
+				AppID:        "239520764276441090",
+				State:        domain.AppStateActive,
+				ClientID:     "239520764779364354",
+				HashedSecret: "",
+				RedirectURIs: []string{
+					"http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
+					"http://test.localhost.com:9000/ui/console/auth/callback"},
+				ResponseTypes:   []domain.OIDCResponseType{0},
+				GrantTypes:      []domain.OIDCGrantType{0},
+				ApplicationType: domain.OIDCApplicationTypeUserAgent,
+				AuthMethodType:  domain.OIDCAuthMethodTypeNone,
+				PostLogoutRedirectURIs: []string{
+					"http://test2-qucuh5.localhost:9000/ui/console/signedout",
+					"http://test.localhost.com:9000/ui/console/signedout",
+				},
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "239520764276178946",
+				ProjectRoleAssertion:     false,
+				ProjectRoleKeys:          nil,
+				Settings:                 nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			execMock(t, tt.mock, func(db *sql.DB) {
+				q := &Queries{
+					client: &database.DB{
+						DB: db,
+					},
+				}
+				ctx := authz.NewMockContext("instanceID", "orgID", "loginClient")
+				got, err := q.ActiveOIDCClientByID(ctx, "clientID", true)
+				require.ErrorIs(t, err, tt.wantErr)
+				assert.Equal(t, tt.want, got)
+			})
+		})
+	}
+}