Unit tests for #2177

2020-04-24 10:59:25 +02:00 · 2020-04-24 10:59:25 +02:00 · 8143c5168b
commit 8143c5168b
parent a3821fc560
3 changed files with 51 additions and 14 deletions
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t
@ -143,12 +143,22 @@ ok( $prms{access_token},  ' access_token found' );
 ok( $prms{state},         ' state found' );
 count(5);

-my $id_token_payload = id_token_payload($prms{id_token});
-is ($id_token_payload->{acr}, "customacr-1", "Check ACR value");
-count(1);
+my $id_token_payload = id_token_payload( $prms{id_token} );
+is( $id_token_payload->{acr}, "customacr-1", "Check ACR value" );
+ok( ( grep { $_ eq "rpid" } @{ $id_token_payload->{aud} } ),
+    'Check that clientid is in audience' );
+ok( (
+        grep { $_ eq "http://my.extra.audience/test" }
+          @{ $id_token_payload->{aud} }
+    ),
+    'Check for additional audiences'
+);
+ok( ( grep { $_ eq "urn:extra2" } @{ $id_token_payload->{aud} } ),
+    'Check for additional audiences' );
+count(4);

 # Check attributes in ID Token
-my $id_token_decoded = id_token_payload($prms{id_token});
+my $id_token_decoded = id_token_payload( $prms{id_token} );
 ok( $id_token_decoded->{sub} eq "dwho", 'Check sub value' );
 ok( !$id_token_decoded->{name},         'Claim name must not be in ID token' );
 count(2);
@ -234,7 +244,9 @@ sub op {
                oidcServiceAllowAuthorizationCodeFlow => 1,
                oidcRPMetaDataOptions                 => {
                    rp => {
-                        oidcRPMetaDataOptionsDisplayName       => "RP",
+                        oidcRPMetaDataOptionsDisplayName => "RP",
+                        oidcRPMetaDataOptionsAdditionalAudiences =>
+                          "http://my.extra.audience/test urn:extra2",
                        oidcRPMetaDataOptionsIDTokenExpiration => 3600,
                        oidcRPMetaDataOptionsClientID          => "rpid",
                        oidcRPMetaDataOptionsIDTokenSignAlg    => "HS512",
@ -248,11 +260,11 @@ sub op {
                oidcOPMetaDataJSON              => {},
                oidcOPMetaDataJWKS              => {},
                oidcServiceMetaDataAuthnContext => {
-                    'loa-4' => 4,
+                    'loa-4'       => 4,
                    'customacr-1' => 1,
-                    'loa-5' => 5,
-                    'loa-2' => 2,
-                    'loa-3' => 3
+                    'loa-5'       => 5,
+                    'loa-2'       => 2,
+                    'loa-3'       => 3
                },
                oidcServicePrivateKeySig => oidc_key_op_private_sig,
                oidcServicePublicKeySig  => oidc_key_op_public_sig,
--- a/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
@ -53,6 +53,9 @@ my $op = LLNG::Manager::Test->new( {
                    oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
                    oidcRPMetaDataOptionsBypassConsent         => 1,
                    oidcRPMetaDataOptionsIDTokenForceClaims    => 1,
+                    oidcRPMetaDataOptionsAdditionalAudiences =>
+                      "http://my.extra.audience/test urn:extra2",
+
                }
            },
            oidcOPMetaDataOptions           => {},
@ -227,7 +230,17 @@ count(3);
 $id_token_payload = id_token_payload($id_token);
 is( $id_token_payload->{name}, 'Frédéric Accents',
    'Found claim in ID token' );
-count(1);
+ok( ( grep { $_ eq "rpid" } @{ $id_token_payload->{aud} } ),
+    'Check that clientid is in audience' );
+ok( (
+        grep { $_ eq "http://my.extra.audience/test" }
+          @{ $id_token_payload->{aud} }
+    ),
+    'Check for additional audiences'
+);
+ok( ( grep { $_ eq "urn:extra2" } @{ $id_token_payload->{aud} } ),
+    'Check for additional audiences' );
+count(4);

 ## Get userinfo again
 ok(
@ -263,12 +276,12 @@ ok(
 count(1);
 $json = expectJSON($res);

-is( $json->{active},    1 );
-is( $json->{client_id}, 'rpid' );
-is( $json->{sub},       'french' );
+is( $json->{active},    1,        'Token is active' );
+is( $json->{client_id}, 'rpid',   'Introspection contains client_id' );
+is( $json->{sub},       'french', 'Introspection contains sub' );

 # #2168
-ok( grep { $_ eq "!weird:scope.name~" } ( split /\s+/, $json->{scope} ),
+ok( ( grep { $_ eq "!weird:scope.name~" } ( split /\s+/, $json->{scope} ) ),
    "Scope contains weird scope name" );
 count(4);

--- a/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
@ -54,6 +54,8 @@ my $op = LLNG::Manager::Test->new( {
                    oidcRPMetaDataOptionsBypassConsent         => 1,
                    oidcRPMetaDataOptionsRefreshToken          => 1,
                    oidcRPMetaDataOptionsIDTokenForceClaims    => 1,
+                    oidcRPMetaDataOptionsAdditionalAudiences =>
+                      "http://my.extra.audience/test urn:extra2",
                }
            },
            oidcOPMetaDataOptions           => {},
@ -119,6 +121,16 @@ ok( $id_token,      "Got ID token" );
 my $id_token_payload = id_token_payload($id_token);
 is( $id_token_payload->{name}, 'Frédéric Accents',
    'Found claim in ID token' );
+ok( ( grep { $_ eq "rpid" } @{ $id_token_payload->{aud} } ),
+    'Check that clientid is in audience' );
+ok( (
+        grep { $_ eq "http://my.extra.audience/test" }
+          @{ $id_token_payload->{aud} }
+    ),
+    'Check for additional audiences'
+);
+ok( ( grep { $_ eq "urn:extra2" } @{ $id_token_payload->{aud} } ),
+    'Check for additional audiences' );

 # Get userinfo
 $res = $op->_post(