TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 01:47:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: token revocation and OP certification (#2594)

Browse Source 
* fix: try using only user session if no user is set (id_token_hint) on prompt none

* fix caos errors As implementation

* implement request mode

* return explicit error on invalid refresh token use

* begin token revocation

* token revocation

* tests

* tests

* cleanup

* set op config

* add revocation endpoint to config

* add revocation endpoint to config

* migration version

* error handling in token revocation

* migration version

* update oidc lib to 1.0.0
This commit is contained in:
Livio Amstutz
2021-11-03 08:35:24 +01:00
committed by GitHub
parent 8df5614e4d
commit fc6154cffc
25 changed files with 638 additions and 236 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
internal/command/user.go
View File

@@ -223,7 +223,7 @@ func (c *Commands) AddUserToken(ctx context.Context, orgID, agentID, clientID, u
return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Dbge4", "Errors.IDMissing")
}
userWriteModel := NewUserWriteModel(userID, orgID)
event, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, audience, scopes, lifetime)
event, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, "", audience, scopes, lifetime)
if err != nil {
return nil, err
}
@@ -234,7 +234,23 @@ func (c *Commands) AddUserToken(ctx context.Context, orgID, agentID, clientID, u
return accessToken, nil
}
func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteModel, agentID, clientID string, audience, scopes []string, lifetime time.Duration) (*user.UserTokenAddedEvent, *domain.Token, error) {
func (c *Commands) RevokeAccessToken(ctx context.Context, userID, orgID, tokenID string) (*domain.ObjectDetails, error) {
removeEvent, accessTokenWriteModel, err := c.removeAccessToken(ctx, userID, orgID, tokenID)
if err != nil {
return nil, err
}
events, err := c.eventstore.PushEvents(ctx, removeEvent)
if err != nil {
return nil, err
}
err = AppendAndReduce(accessTokenWriteModel, events...)
if err != nil {
return nil, err
}
return writeModelToObjectDetails(&accessTokenWriteModel.WriteModel), nil
}
func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteModel, agentID, clientID, refreshTokenID string, audience, scopes []string, lifetime time.Duration) (*user.UserTokenAddedEvent, *domain.Token, error) {
err := c.eventstore.FilterToQueryReducer(ctx, userWriteModel)
if err != nil {
return nil, nil, err
@@ -257,7 +273,7 @@ func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteMo
}
userAgg := UserAggregateFromWriteModel(&userWriteModel.WriteModel)
return user.NewUserTokenAddedEvent(ctx, userAgg, tokenID, clientID, agentID, preferredLanguage, audience, scopes, expiration),
return user.NewUserTokenAddedEvent(ctx, userAgg, tokenID, clientID, agentID, preferredLanguage, refreshTokenID, audience, scopes, expiration),
&domain.Token{
ObjectRoot: models.ObjectRoot{
AggregateID: userWriteModel.AggregateID,
@@ -265,6 +281,7 @@ func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteMo
TokenID: tokenID,
UserAgentID: agentID,
ApplicationID: clientID,
RefreshTokenID: refreshTokenID,
Audience: audience,
Scopes: scopes,
Expiration: expiration,
@@ -272,6 +289,22 @@ func (c *Commands) addUserToken(ctx context.Context, userWriteModel *UserWriteMo
}, nil
}
func (c *Commands) removeAccessToken(ctx context.Context, userID, orgID, tokenID string) (*user.UserTokenRemovedEvent, *UserAccessTokenWriteModel, error) {
if userID == "" || orgID == "" || tokenID == "" {
return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Dng42", "Errors.IDMissing")
}
refreshTokenWriteModel := NewUserAccessTokenWriteModel(userID, orgID, tokenID)
err := c.eventstore.FilterToQueryReducer(ctx, refreshTokenWriteModel)
if err != nil {
return nil, nil, err
}
if refreshTokenWriteModel.UserState != domain.UserStateActive {
return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-BF4hd", "Errors.User.AccessToken.NotFound")
}
userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel)
return user.NewUserTokenRemovedEvent(ctx, userAgg, tokenID), refreshTokenWriteModel, nil
}
func (c *Commands) userDomainClaimed(ctx context.Context, userID string) (events []eventstore.EventPusher, _ *UserWriteModel, err error) {
existingUser, err := c.userWriteModelByID(ctx, userID, "")
if err != nil {

106
internal/command/user_human_access_token_model.go Normal file
View File

@@ -0,0 +1,106 @@
package command
import (
"time"
"github.com/caos/zitadel/internal/eventstore"
"github.com/caos/zitadel/internal/domain"
"github.com/caos/zitadel/internal/repository/user"
)
type UserAccessTokenWriteModel struct {
eventstore.WriteModel
TokenID string
ApplicationID string
UserAgentID string
Audience []string
Scopes []string
Expiration time.Time
PreferredLanguage string
UserState domain.UserState
}
func NewUserAccessTokenWriteModel(userID, resourceOwner, tokenID string) *UserAccessTokenWriteModel {
return &UserAccessTokenWriteModel{
WriteModel: eventstore.WriteModel{
AggregateID: userID,
ResourceOwner: resourceOwner,
},
TokenID: tokenID,
}
}
func (wm *UserAccessTokenWriteModel) AppendEvents(events ...eventstore.EventReader) {
for _, event := range events {
switch e := event.(type) {
case *user.UserTokenAddedEvent:
if wm.TokenID != e.TokenID {
continue
}
wm.WriteModel.AppendEvents(e)
case *user.UserTokenRemovedEvent:
if wm.TokenID != e.TokenID {
continue
}
wm.WriteModel.AppendEvents(e)
case *user.HumanSignedOutEvent:
if wm.UserAgentID != e.UserAgentID {
continue
}
wm.WriteModel.AppendEvents(e)
case *user.UserLockedEvent,
*user.UserDeactivatedEvent,
*user.UserRemovedEvent:
wm.WriteModel.AppendEvents(e)
}
}
}
func (wm *UserAccessTokenWriteModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *user.UserTokenAddedEvent:
wm.TokenID = e.TokenID
wm.ApplicationID = e.ApplicationID
wm.UserAgentID = e.UserAgentID
wm.Audience = e.Audience
wm.Scopes = e.Scopes
wm.Expiration = e.Expiration
wm.PreferredLanguage = e.PreferredLanguage
wm.UserState = domain.UserStateActive
if e.Expiration.Before(time.Now()) {
wm.UserState = domain.UserStateDeleted
}
case *user.UserTokenRemovedEvent,
*user.HumanSignedOutEvent,
*user.UserLockedEvent,
*user.UserDeactivatedEvent,
*user.UserRemovedEvent:
wm.UserState = domain.UserStateDeleted
}
}
return wm.WriteModel.Reduce()
}
func (wm *UserAccessTokenWriteModel) Query() *eventstore.SearchQueryBuilder {
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
AddQuery().
AggregateTypes(user.AggregateType).
AggregateIDs(wm.AggregateID).
EventTypes(
user.UserTokenAddedType,
user.UserTokenRemovedType,
user.HumanSignedOutType,
user.UserLockedType,
user.UserDeactivatedType,
user.UserRemovedType).
Builder()
if wm.ResourceOwner != "" {
query.ResourceOwner(wm.ResourceOwner)
}
return query
}

166
internal/command/user_human_refresh_token.go
View File

@@ -10,22 +10,54 @@ import (
"github.com/caos/zitadel/internal/repository/user"
)
func (c *Commands) AddAccessAndRefreshToken(ctx context.Context, orgID, agentID, clientID, userID, refreshToken string, audience, scopes, authMethodsReferences []string, accessLifetime, refreshIdleExpiration, refreshExpiration time.Duration, authTime time.Time) (*domain.Token, string, error) {
func (c *Commands) AddAccessAndRefreshToken(
ctx context.Context,
orgID,
agentID,
clientID,
userID,
refreshToken string,
audience,
scopes,
authMethodsReferences []string,
accessLifetime,
refreshIdleExpiration,
refreshExpiration time.Duration,
authTime time.Time,
) (accessToken *domain.Token, newRefreshToken string, err error) {
if refreshToken == "" {
return c.AddNewRefreshTokenAndAccessToken(ctx, userID, orgID, agentID, clientID, audience, scopes, authMethodsReferences, refreshExpiration, accessLifetime, refreshIdleExpiration, authTime)
}
return c.RenewRefreshTokenAndAccessToken(ctx, userID, orgID, refreshToken, agentID, clientID, audience, scopes, refreshIdleExpiration, accessLifetime)
}
func (c *Commands) AddNewRefreshTokenAndAccessToken(
ctx context.Context,
userID,
orgID,
agentID,
clientID string,
audience,
scopes,
authMethodsReferences []string,
refreshExpiration,
accessLifetime,
refreshIdleExpiration time.Duration,
authTime time.Time,
) (accessToken *domain.Token, newRefreshToken string, err error) {
if userID == "" || agentID == "" || clientID == "" {
return nil, "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-adg4r", "Errors.IDMissing")
}
userWriteModel := NewUserWriteModel(userID, orgID)
accessTokenEvent, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, audience, scopes, accessLifetime)
refreshTokenID, err := c.idGenerator.Next()
if err != nil {
return nil, "", err
}
creator := func() (eventstore.EventPusher, string, error) {
return c.addRefreshToken(ctx, accessToken, authMethodsReferences, authTime, refreshIdleExpiration, refreshExpiration)
accessTokenEvent, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, refreshTokenID, audience, scopes, accessLifetime)
if err != nil {
return nil, "", err
}
if refreshToken != "" {
creator = func() (eventstore.EventPusher, string, error) {
return c.renewRefreshToken(ctx, userID, orgID, refreshToken, refreshIdleExpiration)
}
}
refreshTokenEvent, token, err := creator()
refreshTokenEvent, newRefreshToken, err := c.addRefreshToken(ctx, accessToken, authMethodsReferences, authTime, refreshIdleExpiration, refreshExpiration)
if err != nil {
return nil, "", err
}
@@ -33,61 +65,35 @@ func (c *Commands) AddAccessAndRefreshToken(ctx context.Context, orgID, agentID,
if err != nil {
return nil, "", err
}
return accessToken, token, nil
return accessToken, newRefreshToken, nil
}
func (c *Commands) addRefreshToken(ctx context.Context, accessToken *domain.Token, authMethodsReferences []string, authTime time.Time, idleExpiration, expiration time.Duration) (*user.HumanRefreshTokenAddedEvent, string, error) {
tokenID, err := c.idGenerator.Next()
func (c *Commands) RenewRefreshTokenAndAccessToken(
ctx context.Context,
userID,
orgID,
refreshToken,
agentID,
clientID string,
audience,
scopes []string,
idleExpiration,
accessLifetime time.Duration,
) (accessToken *domain.Token, newRefreshToken string, err error) {
refreshTokenEvent, refreshTokenID, newRefreshToken, err := c.renewRefreshToken(ctx, userID, orgID, refreshToken, idleExpiration)
if err != nil {
return nil, "", err
}
refreshToken, err := domain.NewRefreshToken(accessToken.AggregateID, tokenID, c.keyAlgorithm)
userWriteModel := NewUserWriteModel(userID, orgID)
accessTokenEvent, accessToken, err := c.addUserToken(ctx, userWriteModel, agentID, clientID, refreshTokenID, audience, scopes, accessLifetime)
if err != nil {
return nil, "", err
}
refreshTokenWriteModel := NewHumanRefreshTokenWriteModel(accessToken.AggregateID, accessToken.ResourceOwner, tokenID)
userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel)
return user.NewHumanRefreshTokenAddedEvent(ctx, userAgg, tokenID, accessToken.ApplicationID, accessToken.UserAgentID,
accessToken.PreferredLanguage, accessToken.Audience, accessToken.Scopes, authMethodsReferences, authTime, idleExpiration, expiration),
refreshToken, nil
}
func (c *Commands) renewRefreshToken(ctx context.Context, userID, orgID, refreshToken string, idleExpiration time.Duration) (event *user.HumanRefreshTokenRenewedEvent, newRefreshToken string, err error) {
if refreshToken == "" {
return nil, "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-DHrr3", "Errors.IDMissing")
}
tokenUserID, tokenID, token, err := domain.FromRefreshToken(refreshToken, c.keyAlgorithm)
if err != nil {
return nil, "", caos_errs.ThrowInvalidArgument(err, "COMMAND-Dbfe4", "Errors.User.RefreshToken.Invalid")
}
if tokenUserID != userID {
return nil, "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-Ht2g2", "Errors.User.RefreshToken.Invalid")
}
refreshTokenWriteModel := NewHumanRefreshTokenWriteModel(userID, orgID, tokenID)
err = c.eventstore.FilterToQueryReducer(ctx, refreshTokenWriteModel)
_, err = c.eventstore.PushEvents(ctx, accessTokenEvent, refreshTokenEvent)
if err != nil {
return nil, "", err
}
if refreshTokenWriteModel.UserState != domain.UserStateActive {
return nil, "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-BHnhs", "Errors.User.RefreshToken.Invalid")
}
if refreshTokenWriteModel.RefreshToken != token ||
refreshTokenWriteModel.IdleExpiration.Before(time.Now()) ||
refreshTokenWriteModel.Expiration.Before(time.Now()) {
return nil, "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-Vr43e", "Errors.User.RefreshToken.Invalid")
}
newToken, err := c.idGenerator.Next()
if err != nil {
return nil, "", err
}
newRefreshToken, err = domain.RefreshToken(userID, tokenID, newToken, c.keyAlgorithm)
if err != nil {
return nil, "", err
}
userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel)
return user.NewHumanRefreshTokenRenewedEvent(ctx, userAgg, tokenID, newToken, idleExpiration), newRefreshToken, nil
return accessToken, newRefreshToken, nil
}
func (c *Commands) RevokeRefreshToken(ctx context.Context, userID, orgID, tokenID string) (*domain.ObjectDetails, error) {
@@ -122,6 +128,56 @@ func (c *Commands) RevokeRefreshTokens(ctx context.Context, userID, orgID string
return err
}
func (c *Commands) addRefreshToken(ctx context.Context, accessToken *domain.Token, authMethodsReferences []string, authTime time.Time, idleExpiration, expiration time.Duration) (*user.HumanRefreshTokenAddedEvent, string, error) {
refreshToken, err := domain.NewRefreshToken(accessToken.AggregateID, accessToken.RefreshTokenID, c.keyAlgorithm)
if err != nil {
return nil, "", err
}
refreshTokenWriteModel := NewHumanRefreshTokenWriteModel(accessToken.AggregateID, accessToken.ResourceOwner, accessToken.RefreshTokenID)
userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel)
return user.NewHumanRefreshTokenAddedEvent(ctx, userAgg, accessToken.RefreshTokenID, accessToken.ApplicationID, accessToken.UserAgentID,
accessToken.PreferredLanguage, accessToken.Audience, accessToken.Scopes, authMethodsReferences, authTime, idleExpiration, expiration),
refreshToken, nil
}
func (c *Commands) renewRefreshToken(ctx context.Context, userID, orgID, refreshToken string, idleExpiration time.Duration) (event *user.HumanRefreshTokenRenewedEvent, refreshTokenID, newRefreshToken string, err error) {
if refreshToken == "" {
return nil, "", "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-DHrr3", "Errors.IDMissing")
}
tokenUserID, tokenID, token, err := domain.FromRefreshToken(refreshToken, c.keyAlgorithm)
if err != nil {
return nil, "", "", caos_errs.ThrowInvalidArgument(err, "COMMAND-Dbfe4", "Errors.User.RefreshToken.Invalid")
}
if tokenUserID != userID {
return nil, "", "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-Ht2g2", "Errors.User.RefreshToken.Invalid")
}
refreshTokenWriteModel := NewHumanRefreshTokenWriteModel(userID, orgID, tokenID)
err = c.eventstore.FilterToQueryReducer(ctx, refreshTokenWriteModel)
if err != nil {
return nil, "", "", err
}
if refreshTokenWriteModel.UserState != domain.UserStateActive {
return nil, "", "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-BHnhs", "Errors.User.RefreshToken.Invalid")
}
if refreshTokenWriteModel.RefreshToken != token ||
refreshTokenWriteModel.IdleExpiration.Before(time.Now()) ||
refreshTokenWriteModel.Expiration.Before(time.Now()) {
return nil, "", "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-Vr43e", "Errors.User.RefreshToken.Invalid")
}
newToken, err := c.idGenerator.Next()
if err != nil {
return nil, "", "", err
}
newRefreshToken, err = domain.RefreshToken(userID, tokenID, newToken, c.keyAlgorithm)
if err != nil {
return nil, "", "", err
}
userAgg := UserAggregateFromWriteModel(&refreshTokenWriteModel.WriteModel)
return user.NewHumanRefreshTokenRenewedEvent(ctx, userAgg, tokenID, newToken, idleExpiration), tokenID, newRefreshToken, nil
}
func (c *Commands) removeRefreshToken(ctx context.Context, userID, orgID, tokenID string) (*user.HumanRefreshTokenRemovedEvent, *HumanRefreshTokenWriteModel, error) {
if userID == "" || orgID == "" || tokenID == "" {
return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-GVDgf", "Errors.IDMissing")

9
internal/command/user_human_refresh_token_model.go
View File

@@ -67,7 +67,11 @@ func (wm *HumanRefreshTokenWriteModel) Reduce() error {
}
wm.RefreshToken = e.RefreshToken
wm.IdleExpiration = e.CreationDate().Add(e.IdleExpiration)
case *user.HumanRefreshTokenRemovedEvent:
case *user.HumanRefreshTokenRemovedEvent,
*user.HumanSignedOutEvent,
*user.UserLockedEvent,
*user.UserDeactivatedEvent,
*user.UserRemovedEvent:
wm.UserState = domain.UserStateDeleted
}
}
@@ -83,6 +87,9 @@ func (wm *HumanRefreshTokenWriteModel) Query() *eventstore.SearchQueryBuilder {
user.HumanRefreshTokenAddedType,
user.HumanRefreshTokenRenewedType,
user.HumanRefreshTokenRemovedType,
user.HumanSignedOutType,
user.UserLockedType,
user.UserDeactivatedType,
user.UserRemovedType).
Builder()

157
internal/command/user_human_refresh_token_test.go
View File

@@ -9,7 +9,6 @@ import (
"github.com/caos/oidc/pkg/oidc"
"github.com/golang/mock/gomock"
"github.com/stretchr/testify/assert"
"golang.org/x/text/language"
"github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/domain"
@@ -56,15 +55,13 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
res res
}{
{
name: "error access token, error",
name: "missing ID, error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(),
),
eventstore: eventstoreExpect(t),
},
args: args{},
res: res{
err: caos_errs.IsNotFound,
err: caos_errs.IsErrorInvalidArgument,
},
},
{
@@ -73,8 +70,15 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
eventstore: eventstoreExpect(t,
expectFilter(),
),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "refreshTokenID1"),
},
args: args{
ctx: context.Background(),
orgID: "orgID",
agentID: "agentID",
userID: "userID",
clientID: "clientID",
},
args: args{},
res: res{
err: caos_errs.IsNotFound,
},
@@ -82,39 +86,7 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
{
name: "renew refresh token, invalid token, error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "accessTokenID1"),
eventstore: eventstoreExpect(t),
keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)),
},
args: args{
@@ -128,39 +100,7 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
{
name: "renew refresh token, invalid token (invalid userID), error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "accessTokenID1"),
eventstore: eventstoreExpect(t),
keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)),
},
args: args{
@@ -177,36 +117,6 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
name: "renew refresh token, token inactive, error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
expectFilter(
eventFromEventPusher(user.NewHumanRefreshTokenAddedEvent(
context.Background(),
@@ -229,7 +139,6 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
)),
),
),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "accessTokenID1"),
keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)),
},
args: args{
@@ -246,36 +155,6 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
name: "renew refresh token, token expired, error",
fields: fields{
eventstore: eventstoreExpect(t,
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
expectFilter(
eventFromEventPusher(user.NewHumanAddedEvent(
context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email",
true,
)),
),
expectFilter(
eventFromEventPusher(user.NewHumanRefreshTokenAddedEvent(
context.Background(),
@@ -293,7 +172,6 @@ func TestCommands_AddAccessAndRefreshToken(t *testing.T) {
)),
),
),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "accessTokenID1"),
keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)),
},
args: args{
@@ -809,7 +687,6 @@ func TestCommands_addRefreshToken(t *testing.T) {
authTime := time.Now().Add(-1 * time.Hour)
type fields struct {
eventstore *eventstore.Eventstore
idGenerator id.Generator
keyAlgorithm crypto.EncryptionAlgorithm
}
type args struct {
@@ -836,7 +713,6 @@ func TestCommands_addRefreshToken(t *testing.T) {
name: "add refresh Token",
fields: fields{
eventstore: eventstoreExpect(t),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "refreshTokenID"),
keyAlgorithm: refreshTokenEncryptionAlgorithm(gomock.NewController(t)),
},
args: args{
@@ -849,6 +725,7 @@ func TestCommands_addRefreshToken(t *testing.T) {
TokenID: "accessTokenID1",
ApplicationID: "clientID",
UserAgentID: "agentID",
RefreshTokenID: "refreshTokenID",
Audience: []string{"clientID1"},
Expiration: time.Now().Add(5 * time.Minute),
Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess},
@@ -882,7 +759,6 @@ func TestCommands_addRefreshToken(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore,
idGenerator: tt.fields.idGenerator,
keyAlgorithm: tt.fields.keyAlgorithm,
}
gotEvent, gotRefreshToken, err := c.addRefreshToken(tt.args.ctx, tt.args.accessToken, tt.args.authMethodsReferences, tt.args.authTime, tt.args.idleExpiration, tt.args.expiration)
@@ -915,6 +791,7 @@ func TestCommands_renewRefreshToken(t *testing.T) {
}
type res struct {
event *user.HumanRefreshTokenRenewedEvent
refreshTokenID string
newRefreshToken string
err func(error) bool
}
@@ -1076,6 +953,7 @@ func TestCommands_renewRefreshToken(t *testing.T) {
"refreshToken1",
1*time.Hour,
),
refreshTokenID: "tokenID",
newRefreshToken: base64.RawURLEncoding.EncodeToString([]byte("userID:tokenID:refreshToken1")),
},
},
@@ -1087,7 +965,7 @@ func TestCommands_renewRefreshToken(t *testing.T) {
idGenerator: tt.fields.idGenerator,
keyAlgorithm: tt.fields.keyAlgorithm,
}
gotEvent, gotNewRefreshToken, err := c.renewRefreshToken(tt.args.ctx, tt.args.userID, tt.args.orgID, tt.args.refreshToken, tt.args.idleExpiration)
gotEvent, gotRefreshTokenID, gotNewRefreshToken, err := c.renewRefreshToken(tt.args.ctx, tt.args.userID, tt.args.orgID, tt.args.refreshToken, tt.args.idleExpiration)
if tt.res.err == nil {
assert.NoError(t, err)
}
@@ -1096,6 +974,7 @@ func TestCommands_renewRefreshToken(t *testing.T) {
}
if tt.res.err == nil {
assert.Equal(t, tt.res.event, gotEvent)
assert.Equal(t, tt.res.refreshTokenID, gotRefreshTokenID)
assert.Equal(t, tt.res.newRefreshToken, gotNewRefreshToken)
}
})

130
internal/command/user_test.go
View File

@@ -1335,6 +1335,136 @@ func TestCommandSide_AddUserToken(t *testing.T) {
}
}
func TestCommands_RevokeAccessToken(t *testing.T) {
type fields struct {
eventstore *eventstore.Eventstore
}
type args struct {
ctx context.Context
userID string
orgID string
tokenID string
}
type res struct {
want *domain.ObjectDetails
err func(error) bool
}
tests := []struct {
name string
fields fields
args args
res res
}{
{
"id missing error",
fields{
eventstoreExpect(t),
},
args{
context.Background(),
"userID",
"orgID",
"",
},
res{
nil,
caos_errs.IsErrorInvalidArgument,
},
},
{
"not active error",
fields{
eventstoreExpect(t,
expectFilter(
eventFromEventPusher(
user.NewUserTokenAddedEvent(context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"tokenID",
"clientID",
"agentID",
"de",
"refreshTokenID",
[]string{"clientID"},
[]string{"openid"},
time.Now(),
),
),
),
),
},
args{
context.Background(),
"userID",
"orgID",
"tokenID",
},
res{
nil,
caos_errs.IsNotFound,
},
},
{
"active ok",
fields{
eventstoreExpect(t,
expectFilter(
eventFromEventPusher(
user.NewUserTokenAddedEvent(context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"tokenID",
"clientID",
"agentID",
"de",
"refreshTokenID",
[]string{"clientID"},
[]string{"openid"},
time.Now().Add(5*time.Hour),
),
),
),
expectPush(
eventPusherToEvents(
user.NewUserTokenRemovedEvent(context.Background(),
&user.NewAggregate("userID", "orgID").Aggregate,
"tokenID",
),
),
),
),
},
args{
context.Background(),
"userID",
"orgID",
"tokenID",
},
res{
&domain.ObjectDetails{
ResourceOwner: "orgID",
},
nil,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore,
}
got, err := c.RevokeAccessToken(tt.args.ctx, tt.args.userID, tt.args.orgID, tt.args.tokenID)
if tt.res.err == nil {
assert.NoError(t, err)
}
if tt.res.err != nil && !tt.res.err(err) {
t.Errorf("got wrong err: %v ", err)
}
if tt.res.err == nil {
assert.Equal(t, tt.res.want, got)
}
})
}
}
func TestCommandSide_UserDomainClaimedSent(t *testing.T) {
type fields struct {
eventstore *eventstore.Eventstore