From fefc81d5fa1cbb461d27627d9f44e35c5e902f1c Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Thu, 17 Mar 2022 17:47:21 +0100
Subject: [PATCH] Unit tests for OIDC auth hooks (#2730)

---
 ...-Auth-and-issuer-OIDC-authorization_code.t | 18 ++++++-
 lemonldap-ng-portal/t/OidcHookPlugin.pm | 51 +++++++++++++++----
 2 files changed, 58 insertions(+), 11 deletions(-)

diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
index 99a199ec9..acafdc9e8 100644
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
@@ -38,6 +38,11 @@ LWP::Protocol::PSGI->register(
 }
 if ( $req->method =~ /^post$/i ) {
 my $s = $req->content;
+ if ( $req->uri eq '/token/oauth2' ) {
+ is( $req->param("my_param"),
+ "my value", "oidcGenerateTokenRequest called" );
+ count(1);
+ }
 ok(
 $res = $client->_post(
 $url, IO::String->new($s),
@@ -198,6 +203,10 @@ ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
 or explain( $res, 'cn => Frédéric Accents' );
 count(2);
+is( $res->{userinfo_hook}, "op/french", "oidcGotUserInfo called" );
+is( $res->{id_token_hook}, "op/french", "oidcGotIDToken called" );
+count(2);
+
 my $id_token_decoded = id_token_payload( $res->{_oidc_id_token} );
 is( $id_token_decoded->{acr}, 'customacr-1', "Correct custom ACR" );
 count(1);
@@ -289,6 +298,10 @@ count(1);
 ( $url, $query ) = expectRedirection( $res,
 qr#^http://auth.op.com(/oauth2/authorize)\?(.*)$# );
+like( $query, qr/my_param=my\+value/,
+ "oidcGenerateAuthenticationRequest called" );
+count(1);
+
 # Test if consent was saved
 # -------------------------
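Review bot: In the first hunk the new `is()` and its `count(1)` only execute when `$req->uri eq '/token/oauth2'` is true, so if that comparison never matches the hook assertion is silently skipped and the test still passes — a guard around an assertion needs to fail loudly when the branch is never taken. A mismatch looks plausible for two reasons: if `$req->uri` is an absolute URI (scheme and host included) a bare path will never be `eq` to it, and the only OP endpoint spelled out in this patch is `/oauth2/authorize` (third hunk), which suggests `/token/oauth2` may not be the token endpoint's path; confirm the path against the OP's token endpoint and compare the path component rather than the whole URI. To make the skipped case visible, set a flag inside the branch (e.g. `$token_request_seen = 1;`) and assert it once after the token exchange has completed, instead of counting only when the branch is entered. The `LWP::Protocol::PSGI->register` callback that encloses this hunk starts before it and ends after it.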
@@ -349,7 +362,7 @@ sub op {
 oidcRPMetaDataOptionsBypassConsent => 0,
 oidcRPMetaDataOptionsClientSecret => "rpsecret",
 oidcRPMetaDataOptionsUserIDAttr => "",
- oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
 oidcRPMetaDataOptionsPostLogoutRedirectUris =>
 "http://auth.rp.com/?logout=1",
 oidcRPMetaDataOptionsRule => '$uid eq "french"',
@@ -410,7 +423,8 @@ sub rp {
 },
 oidcOPMetaDataJSON => {
 op => $metadata,
- }
+ },
+ customPlugins => 't::OidcHookPlugin',
 }
 }
 );
diff --git a/lemonldap-ng-portal/t/OidcHookPlugin.pm b/lemonldap-ng-portal/t/OidcHookPlugin.pm
index 4828949a0..944fe48b7 100644
--- a/lemonldap-ng-portal/t/OidcHookPlugin.pm
+++ b/lemonldap-ng-portal/t/OidcHookPlugin.pm
@@ -8,13 +8,17 @@ use Data::Dumper;
 use Test::More;
 use constant hook => {
- oidcGenerateCode => 'modifyRedirectUri',
- oidcGenerateIDToken => 'addClaimToIDToken',
- oidcGenerateUserInfoResponse => 'addClaimToUserInfo',
- oidcGotRequest => 'addScopeToRequest',
- oidcResolveScope => 'addHardcodedScope',
- oidcGenerateAccessToken => 'addClaimToAccessToken',
- oidcGotClientCredentialsGrant => 'oidcGotClientCredentialsGrant',
+ oidcGenerateCode => 'modifyRedirectUri',
+ oidcGenerateIDToken => 'addClaimToIDToken',
+ oidcGenerateUserInfoResponse => 'addClaimToUserInfo',
+ oidcGotRequest => 'addScopeToRequest',
+ oidcResolveScope => 'addHardcodedScope',
+ oidcGenerateAccessToken => 'addClaimToAccessToken',
+ oidcGotClientCredentialsGrant => 'oidcGotClientCredentialsGrant',
+ oidcGenerateAuthenticationRequest => 'genAuthRequest',
+ oidcGenerateTokenRequest => 'genTokenRequest',
+ oidcGotUserInfo => 'modifyUserInfo',
+ oidcGotIDToken => 'modifyIDToken',
 };
 sub addClaimToIDToken {
@@ -26,7 +30,7 @@ sub addClaimToIDToken {
 sub addClaimToUserInfo {
 my ( $self, $req, $userinfo, $rp, $session_data ) = @_;
 $userinfo->{"userinfo_hook"} = 1;
- $userinfo->{"_auth"} = $session_data->{_auth};
+ $userinfo->{"_auth"} = $session_data->{_auth};
 return PE_OK;
 }
@@ -63,5 +67,34 @@ sub oidcGotClientCredentialsGrant {
 return PE_OK;
 }
-1;
+sub genTokenRequest {
+ my ( $self, $req, $op, $authorize_request_params ) = @_;
+ $authorize_request_params->{my_param} = "my value";
+ return PE_OK;
+}
+
+sub genAuthRequest {
+ my ( $self, $req, $op, $token_request_params ) = @_;
+
+ $token_request_params->{my_param} = "my value";
+ return PE_OK;
+}
+
+sub modifyIDToken {
+ my ( $self, $req, $op, $id_token_payload_hash ) = @_;
+
+ # do some post-processing on the `sub` claim
+ $req->sessionInfo->{id_token_hook} = "$op/" . $id_token_payload_hash->{sub};
+ return PE_OK;
+}
+
+sub modifyUserInfo {
+ my ( $self, $req, $op, $userinfo_content ) = @_;
+
+ # Custom attribute processing
+ $req->sessionInfo->{userinfo_hook} = "$op/" . $userinfo_content->{sub};
+ return PE_OK;
+}
+
+1;
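Review bot: The hash parameter names in the two new request hooks are swapped relative to the hook table in this file: `genTokenRequest` (registered for `oidcGenerateTokenRequest`) unpacks its argument as `$authorize_request_params`, while `genAuthRequest` (registered for `oidcGenerateAuthenticationRequest`) calls its argument `$token_request_params`. Both only set `my_param`, so behaviour is unaffected, but the names will mislead anyone using this fixture as a template; rename to `my ( $self, $req, $op, $token_request_params ) = @_;` in `genTokenRequest` and `my ( $self, $req, $op, $authorize_request_params ) = @_;` in `genAuthRequest`, adjusting the assignment line under each. The comment "do some post-processing on the `sub` claim" in `modifyIDToken` does not describe the code beneath it, which copies the claim into the session rather than altering it, so replace it with `# record "<op>/<sub>" in the session so the test can check this hook ran` and do the same for the "Custom attribute processing" comment in `modifyUserInfo`. Note that these hooks persist whatever `sub` the ID token or userinfo document carries into the session unvalidated, which is acceptable for a test fixture but not a pattern a production plugin should copy. The `oidcGotClientCredentialsGrant` sub whose tail opens the second hunk starts outside it.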