mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-23 16:46:46 +00:00
999e81b74b
# Which Problems Are Solved
As part of our efforts to simplify the structure and versions of our
APIs, were moving all existing v2beta endpoints to v2 and deprecate
them. They will be removed in Zitadel V5.
# How the Problems Are Solved
- This PR moves the authorization v2beta service and its endpoints to a
corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The docs are moved to the new GA service and its endpoints. The v2beta
is not displayed anymore.
- The comments and have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with (google.api.field_behavior)
= REQUIRED and validation rules have been added where missing.
- The `organization_id` to create an authorization is now required to be
always passed. There's no implicit fallback to the project's
organization anymore.
- The `user_id` filter has been removed in favor of the recently added
`in_user_ids` filter.
- The returned `Authorization` object has been reworked to return
`project`, `organization` and `roles` as objects like the granted `user`
already was.
- Additionally the `roles` now not only contain the granted `role_keys`,
but also the `display_name` and `group`. To implement this the query has
been updated internally. Existing APIs are unchanged and still return
just the keys.
# Additional Changes
None
# Additional Context
- part of https://github.com/zitadel/zitadel/issues/10772
- closes #10746
- requires backport to v4.x
(cherry picked from commit c9ac1ce344)
743 lines
31 KiB
Go
743 lines
31 KiB
Go
//go:build integration
|
|
|
|
package saml_test
|
|
|
|
import (
|
|
"context"
|
|
"net/url"
|
|
"regexp"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/crewjam/saml"
|
|
"github.com/crewjam/saml/samlsp"
|
|
"github.com/muhlemmer/gu"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
"github.com/zitadel/zitadel/internal/integration"
|
|
filter "github.com/zitadel/zitadel/pkg/grpc/filter/v2beta"
|
|
mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
|
|
"github.com/zitadel/zitadel/pkg/grpc/object/v2"
|
|
project_v2beta "github.com/zitadel/zitadel/pkg/grpc/project/v2beta"
|
|
saml_pb "github.com/zitadel/zitadel/pkg/grpc/saml/v2"
|
|
"github.com/zitadel/zitadel/pkg/grpc/session/v2"
|
|
)
|
|
|
|
func TestServer_GetSAMLRequest(t *testing.T) {
|
|
idpMetadata, err := Instance.GetSAMLIDPMetadata()
|
|
require.NoError(t, err)
|
|
|
|
acsRedirect := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[0]
|
|
acsPost := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[1]
|
|
|
|
_, _, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false)
|
|
_, _, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false)
|
|
|
|
tests := []struct {
|
|
name string
|
|
dep func() (time.Time, string, error)
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "Not found",
|
|
dep: func() (time.Time, string, error) {
|
|
return time.Time{}, "123", nil
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "success, redirect binding",
|
|
dep: func() (time.Time, string, error) {
|
|
return Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
|
},
|
|
},
|
|
{
|
|
name: "success, post binding",
|
|
dep: func() (time.Time, string, error) {
|
|
return Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
creationTime, authRequestID, err := tt.dep()
|
|
require.NoError(t, err)
|
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(LoginCTX, time.Minute)
|
|
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
|
|
got, err := Client.GetSAMLRequest(LoginCTX, &saml_pb.GetSAMLRequestRequest{
|
|
SamlRequestId: authRequestID,
|
|
})
|
|
if tt.wantErr {
|
|
assert.Error(ttt, err)
|
|
return
|
|
}
|
|
assert.NoError(ttt, err)
|
|
authRequest := got.GetSamlRequest()
|
|
assert.NotNil(ttt, authRequest)
|
|
assert.Equal(ttt, authRequestID, authRequest.GetId())
|
|
assert.WithinRange(ttt, authRequest.GetCreationDate().AsTime(), creationTime.Add(-time.Second), creationTime.Add(time.Second))
|
|
}, retryDuration, tick, "timeout waiting for expected saml request result")
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestServer_CreateResponse(t *testing.T) {
|
|
idpMetadata, err := Instance.GetSAMLIDPMetadata()
|
|
require.NoError(t, err)
|
|
acsRedirect := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[0]
|
|
acsPost := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[1]
|
|
|
|
_, rootURLPost, spMiddlewarePost := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPPostBinding, false, false)
|
|
_, rootURLRedirect, spMiddlewareRedirect := createSAMLApplication(CTX, t, idpMetadata, saml.HTTPRedirectBinding, false, false)
|
|
sessionResp := createSession(LoginCTX, t, Instance.Users[integration.UserTypeLogin].ID)
|
|
|
|
tests := []struct {
|
|
name string
|
|
ctx context.Context
|
|
req *saml_pb.CreateResponseRequest
|
|
AuthError string
|
|
want *saml_pb.CreateResponseResponse
|
|
wantURL *url.URL
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "Not found",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: "123",
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: sessionResp.GetSessionId(),
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "session not found",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: "foo",
|
|
SessionToken: "bar",
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "session token invalid",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: sessionResp.GetSessionId(),
|
|
SessionToken: "bar",
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "fail callback, post",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
Error: &saml_pb.AuthorizationError{
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
},
|
|
},
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: regexp.QuoteMeta(`https://` + rootURLPost + `/saml/acs`),
|
|
Binding: &saml_pb.CreateResponseResponse_Post{Post: &saml_pb.PostResponse{
|
|
RelayState: "notempty",
|
|
SamlResponse: "notempty",
|
|
}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "fail callback, post, already failed",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
require.NoError(t, err)
|
|
Instance.FailSAMLAuthRequest(LoginCTX, authRequestID, saml_pb.ErrorReason_ERROR_REASON_AUTH_N_FAILED)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
Error: &saml_pb.AuthorizationError{
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "fail callback, redirect",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
Error: &saml_pb.AuthorizationError{
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
},
|
|
},
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/` + rootURLRedirect + `\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "fail callback, no permission, error",
|
|
ctx: CTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Error{
|
|
Error: &saml_pb.AuthorizationError{
|
|
Error: saml_pb.ErrorReason_ERROR_REASON_REQUEST_DENIED,
|
|
ErrorDescription: gu.Ptr("nope"),
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "callback, redirect",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewareRedirect, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, integration.RelayState(), saml.HTTPRedirectBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: sessionResp.GetSessionId(),
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
},
|
|
},
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/` + rootURLRedirect + `\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "callback, post",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: sessionResp.GetSessionId(),
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
},
|
|
},
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: regexp.QuoteMeta(`https://` + rootURLPost + `/saml/acs`),
|
|
Binding: &saml_pb.CreateResponseResponse_Post{Post: &saml_pb.PostResponse{
|
|
RelayState: "notempty",
|
|
SamlResponse: "notempty",
|
|
}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "callback, post",
|
|
ctx: LoginCTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
require.NoError(t, err)
|
|
Instance.SuccessfulSAMLAuthRequest(LoginCTX, Instance.Users[integration.UserTypeLogin].ID, authRequestID)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: sessionResp.GetSessionId(),
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "callback, no permission, error",
|
|
ctx: CTX,
|
|
req: &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: func() string {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(spMiddlewarePost, Instance.Users[integration.UserTypeLogin].ID, acsPost, integration.RelayState(), saml.HTTPPostBinding)
|
|
require.NoError(t, err)
|
|
return authRequestID
|
|
}(),
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: sessionResp.GetSessionId(),
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
},
|
|
},
|
|
},
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := Client.CreateResponse(tt.ctx, tt.req)
|
|
if tt.wantErr {
|
|
require.Error(t, err)
|
|
return
|
|
}
|
|
require.NoError(t, err)
|
|
integration.AssertDetails(t, tt.want, got)
|
|
if tt.want != nil {
|
|
assert.Regexp(t, regexp.MustCompile(tt.want.Url), got.GetUrl())
|
|
if tt.want.GetPost() != nil {
|
|
assert.NotEmpty(t, got.GetPost().GetRelayState())
|
|
assert.NotEmpty(t, got.GetPost().GetSamlResponse())
|
|
}
|
|
if tt.want.GetRedirect() != nil {
|
|
assert.NotNil(t, got.GetRedirect())
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestServer_CreateResponse_Permission(t *testing.T) {
|
|
idpMetadata, err := Instance.GetSAMLIDPMetadata()
|
|
require.NoError(t, err)
|
|
acsRedirect := idpMetadata.IDPSSODescriptors[0].SingleSignOnServices[0]
|
|
|
|
tests := []struct {
|
|
name string
|
|
dep func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest
|
|
want *saml_pb.CreateResponseResponse
|
|
wantURL *url.URL
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "usergrant to project and different resourceowner with different project grant",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
projectID2, _, _ := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
Instance.CreateProjectGrant(ctx, t, projectID2, orgResp.GetOrganizationId())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "usergrant to project and different resourceowner with project grant",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "usergrant to project grant and different resourceowner with project grant",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
createProjectGrantUserGrant(ctx, t, projectID, orgResp.GetOrganizationId(), user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "no usergrant and different resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "no usergrant and same resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
user := Instance.CreateHumanUser(ctx)
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "usergrant and different resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "usergrant and same resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, true)
|
|
|
|
user := Instance.CreateHumanUser(ctx)
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "projectRoleCheck, usergrant and same resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
|
|
user := Instance.CreateHumanUser(ctx)
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "projectRoleCheck, no usergrant and same resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
user := Instance.CreateHumanUser(ctx)
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "projectRoleCheck, usergrant and different resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
createProjectUserGrant(ctx, t, Instance.DefaultOrg.GetId(), projectID, user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "projectRoleCheck, no usergrant and different resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "projectRoleCheck, usergrant on project grant and different resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
createProjectGrantUserGrant(ctx, t, projectID, orgResp.GetOrganizationId(), user.GetUserId())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "projectRoleCheck, no usergrant on project grant and different resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, true, false)
|
|
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
Instance.CreateProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "hasProjectCheck, same resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
|
|
user := Instance.CreateHumanUser(ctx)
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "hasProjectCheck, different resourceowner",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
_, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "hasProjectCheck, different resourceowner with project grant",
|
|
dep: func(ctx context.Context, t *testing.T) *saml_pb.CreateResponseRequest {
|
|
projectID, _, sp := createSAMLApplication(ctx, t, idpMetadata, saml.HTTPRedirectBinding, false, true)
|
|
orgResp := Instance.CreateOrganization(ctx, integration.OrganizationName(), integration.Email())
|
|
createProjectGrant(ctx, t, projectID, orgResp.GetOrganizationId())
|
|
user := Instance.CreateHumanUserVerified(ctx, orgResp.GetOrganizationId(), integration.Email(), integration.Phone())
|
|
|
|
return createSessionAndSmlRequestForCallback(ctx, t, sp, Instance.Users[integration.UserTypeLogin].ID, acsRedirect, user.GetUserId(), saml.HTTPRedirectBinding)
|
|
},
|
|
want: &saml_pb.CreateResponseResponse{
|
|
Url: `https:\/\/(.*)\/saml\/acs\?RelayState=(.*)&SAMLResponse=(.*)&SigAlg=(.*)&Signature=(.*)`,
|
|
Binding: &saml_pb.CreateResponseResponse_Redirect{Redirect: &saml_pb.RedirectResponse{}},
|
|
Details: &object.Details{
|
|
ChangeDate: timestamppb.Now(),
|
|
ResourceOwner: Instance.ID(),
|
|
},
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
req := tt.dep(IAMCTX, t)
|
|
|
|
got, err := Client.CreateResponse(LoginCTX, req)
|
|
if tt.wantErr {
|
|
require.Error(t, err)
|
|
return
|
|
}
|
|
require.NoError(t, err)
|
|
integration.AssertDetails(t, tt.want, got)
|
|
if tt.want != nil {
|
|
assert.Regexp(t, regexp.MustCompile(tt.want.Url), got.GetUrl())
|
|
if tt.want.GetPost() != nil {
|
|
assert.NotEmpty(t, got.GetPost().GetRelayState())
|
|
assert.NotEmpty(t, got.GetPost().GetSamlResponse())
|
|
}
|
|
if tt.want.GetRedirect() != nil {
|
|
assert.NotNil(t, got.GetRedirect())
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func createSession(ctx context.Context, t *testing.T, userID string) *session.CreateSessionResponse {
|
|
sessionResp, err := Instance.Client.SessionV2.CreateSession(ctx, &session.CreateSessionRequest{
|
|
Checks: &session.Checks{
|
|
User: &session.CheckUser{
|
|
Search: &session.CheckUser_UserId{
|
|
UserId: userID,
|
|
},
|
|
},
|
|
},
|
|
})
|
|
require.NoError(t, err)
|
|
return sessionResp
|
|
}
|
|
|
|
func createSessionAndSmlRequestForCallback(ctx context.Context, t *testing.T, sp *samlsp.Middleware, loginClient string, acsRedirect saml.Endpoint, userID, binding string) *saml_pb.CreateResponseRequest {
|
|
_, authRequestID, err := Instance.CreateSAMLAuthRequest(sp, loginClient, acsRedirect, integration.RelayState(), binding)
|
|
require.NoError(t, err)
|
|
sessionResp := createSession(ctx, t, userID)
|
|
return &saml_pb.CreateResponseRequest{
|
|
SamlRequestId: authRequestID,
|
|
ResponseKind: &saml_pb.CreateResponseRequest_Session{
|
|
Session: &saml_pb.Session{
|
|
SessionId: sessionResp.GetSessionId(),
|
|
SessionToken: sessionResp.GetSessionToken(),
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func createSAMLSP(t *testing.T, idpMetadata *saml.EntityDescriptor, binding string) (string, *samlsp.Middleware) {
|
|
rootURL := "example." + integration.DomainName()
|
|
spMiddleware, err := integration.CreateSAMLSP("https://"+rootURL, idpMetadata, binding)
|
|
require.NoError(t, err)
|
|
return rootURL, spMiddleware
|
|
}
|
|
|
|
func createSAMLApplication(ctx context.Context, t *testing.T, idpMetadata *saml.EntityDescriptor, binding string, projectRoleCheck, hasProjectCheck bool) (string, string, *samlsp.Middleware) {
|
|
project := Instance.CreateProject(ctx, t, "", integration.ProjectName(), projectRoleCheck, hasProjectCheck)
|
|
rootURL, sp := createSAMLSP(t, idpMetadata, binding)
|
|
_, err := Instance.CreateSAMLClient(ctx, project.GetId(), sp)
|
|
require.NoError(t, err)
|
|
return project.GetId(), rootURL, sp
|
|
}
|
|
|
|
func createProjectGrant(ctx context.Context, t *testing.T, projectID, grantedOrgID string) {
|
|
Instance.CreateProjectGrant(ctx, t, projectID, grantedOrgID)
|
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
|
|
require.EventuallyWithT(t, func(collect *assert.CollectT) {
|
|
resp, err := Instance.Client.Projectv2Beta.ListProjectGrants(ctx, &project_v2beta.ListProjectGrantsRequest{
|
|
Filters: []*project_v2beta.ProjectGrantSearchFilter{
|
|
{Filter: &project_v2beta.ProjectGrantSearchFilter_InProjectIdsFilter{InProjectIdsFilter: &filter.InIDsFilter{
|
|
Ids: []string{projectID},
|
|
}}},
|
|
{Filter: &project_v2beta.ProjectGrantSearchFilter_ProjectGrantResourceOwnerFilter{ProjectGrantResourceOwnerFilter: &filter.IDFilter{
|
|
Id: grantedOrgID,
|
|
}}},
|
|
},
|
|
})
|
|
assert.NoError(collect, err)
|
|
assert.Len(collect, resp.GetProjectGrants(), 1)
|
|
}, retryDuration, tick)
|
|
}
|
|
|
|
func createProjectUserGrant(ctx context.Context, t *testing.T, organizationID, projectID, userID string) {
|
|
resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID, organizationID)
|
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
|
|
require.EventuallyWithT(t, func(collect *assert.CollectT) {
|
|
_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, organizationID), &mgmt.GetUserGrantByIDRequest{
|
|
UserId: userID,
|
|
GrantId: resp.GetId(),
|
|
})
|
|
assert.NoError(collect, err)
|
|
}, retryDuration, tick)
|
|
}
|
|
|
|
func createProjectGrantUserGrant(ctx context.Context, t *testing.T, projectID, grantedOrgID, userID string) {
|
|
resp := Instance.CreateAuthorizationProjectGrant(t, ctx, projectID, grantedOrgID, userID)
|
|
|
|
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
|
|
require.EventuallyWithT(t, func(collect *assert.CollectT) {
|
|
_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, grantedOrgID), &mgmt.GetUserGrantByIDRequest{
|
|
UserId: userID,
|
|
GrantId: resp.GetId(),
|
|
})
|
|
assert.NoError(collect, err)
|
|
}, retryDuration, tick)
|
|
}
|