use Test::More;
use strict;
use IO::String;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_FIRSTACCESS
);
BEGIN {
require 't/test-lib.pm';
require 't/oidc-lib.pm';
}
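# Log level handed to the portal fixture (see portal()).
my $debug = "error";

# Portal instance shared by every helper below.
my $portal = portal();

# Every RP in portal() has the client-credentials and password grants
# switched on at the option level; the only thing that narrows each RP to a
# single grant type is its oidcRPMetaDataOptionsRule on $_oidc_grant_type.
# These checks therefore exercise the rule, not the per-grant allow flags.
#
# Rejections at the token endpoint are plain OAuth2 400 responses; rejections
# at the authorization endpoint surface as portal error 84 (expected to be the
# "OIDC service not allowed" portal error — confirm against Constants).

# RP1, should only allow Auth code grant
expectReject( try_access_token_client( $portal, 'rpcode' ), 400 );
expectReject( try_access_token_password( $portal, 'rpcode' ), 400 );
expectRedirection( try_access_token_code( $portal, 'rpcode' ),
    qr#http://.*code=([^\&]*)# );

# RP2, should only allow Client Credentials grant
expectJSON( try_access_token_client( $portal, 'rpclient' ) );
expectReject( try_access_token_password( $portal, 'rpclient' ), 400 );
expectPortalError( try_access_token_code( $portal, 'rpclient' ), 84 );

# RP3, should only allow Password grant
expectReject( try_access_token_client( $portal, 'rppassword' ), 400 );
expectJSON( try_access_token_password( $portal, 'rppassword' ) );
expectPortalError( try_access_token_code( $portal, 'rppassword' ), 84 );

clean_sessions();

done_testing( count() );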
# POST a client_credentials grant to the token endpoint on behalf of RP $rp
# and return the raw response for the caller to inspect.
#
# The fixture RPs use their client ID as their client secret, so both
# parameters are derived from $rp (test-only shortcut, never a real setup).
sub try_access_token_client {
    my ( $portal, $rp ) = @_;

    my %form = (
        client_id     => $rp,
        client_secret => $rp,
        grant_type    => 'client_credentials',
        scope         => 'profile',
    );
    my $body = buildForm( \%form );

    ## Get Access Token with Client Credentials
    return $portal->_post(
        "/oauth2/token",
        IO::String->new($body),
        accept => 'application/json',
        length => length($body),
    );
}
# POST a resource-owner password grant to the token endpoint on behalf of
# RP $rp, authenticating the demo user 'dwho', and return the raw response.
#
# As in the other helpers, the client secret equals the client ID because
# that is how the fixture RPs are declared in portal().
sub try_access_token_password {
    my ( $portal, $rp ) = @_;

    ## Get Access Token with Password Grant
    my %form = (
        client_id     => $rp,
        client_secret => $rp,
        grant_type    => 'password',
        username      => 'dwho',
        password      => 'dwho',
        scope         => 'profile',
    );
    my $body = buildForm( \%form );

    return $portal->_post(
        "/oauth2/token",
        IO::String->new($body),
        accept => 'application/json',
        length => length($body),
    );
}
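# Start an authorization-code flow at /oauth2/authorize for RP $rp using a
# fresh portal session of the demo user 'dwho', and return the raw response.
#
# The caller decides what to expect: a redirect to redirect_uri carrying a
# code when the RP rule allows this grant, or a portal error when it does not.
sub try_access_token_code {
    my ( $portal, $rp ) = @_;

    # Authenticate first so the authorization endpoint sees a valid session.
    my $id = login( $portal, 'dwho' );

    my $params = {
        response_type => "code",

        # NOTE(review): an earlier comment here spoke of a "weird scope name"
        # (#2168), but only standard scopes are requested; the portal is
        # configured with oidcServiceAllowOnlyDeclaredScopes, so anything
        # undeclared would be rejected rather than exercised.
        scope        => "openid profile",
        client_id    => $rp,
        state        => "af0ifjsldkj",

        # Must match oidcRPMetaDataOptionsRedirectUris of the RP in portal().
        redirect_uri => "http://test"
    };
    my $query = buildForm($params);
    my $res   = $portal->_get(
        "/oauth2/authorize",
        query  => $query,
        accept => 'text/html',
        cookie => "lemonldap=$id",
    );
    return $res;
}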
# Build the test portal: a local OIDC provider (issuer activated) exposing
# three RPs that are identical except for their credentials and access rule.
#
# Every RP has both the client-credentials and the password grant allowed,
# so the *only* restriction to a single grant type is the
# oidcRPMetaDataOptionsRule expression on $_oidc_grant_type. That rule is
# what the checks at the top of this file exercise.
#
# Fixture shortcuts (acceptable in a test, never in a deployment): client
# secrets equal client IDs, ID tokens are HS512-signed (an HMAC, i.e. a
# shared-key signature — presumably keyed with the client secret; confirm),
# user consent is bypassed, and the redirect URI is plain http.
sub portal {
    my %rp_options;
    for my $spec (
        [ rpcode     => 'authorizationcode' ],
        [ rppassword => 'password' ],
        [ rpclient   => 'clientcredentials' ],
      )
    {
        my ( $client_id, $grant ) = @$spec;
        $rp_options{$client_id} = {
            oidcRPMetaDataOptionsDisplayName                 => "RP",
            oidcRPMetaDataOptionsIDTokenExpiration           => 3600,
            oidcRPMetaDataOptionsClientID                    => $client_id,
            oidcRPMetaDataOptionsIDTokenSignAlg              => "HS512",
            oidcRPMetaDataOptionsClientSecret                => $client_id,
            oidcRPMetaDataOptionsUserIDAttr                  => "",
            oidcRPMetaDataOptionsAccessTokenExpiration       => 3600,
            oidcRPMetaDataOptionsBypassConsent               => 1,
            oidcRPMetaDataOptionsAllowClientCredentialsGrant => 1,
            oidcRPMetaDataOptionsAllowPasswordGrant          => 1,
            oidcRPMetaDataOptionsRedirectUris                => "http://test",

            # Single-quoted format on purpose: $_oidc_grant_type is evaluated
            # by the portal at request time, not by this test.
            oidcRPMetaDataOptionsRule =>
              sprintf( '$_oidc_grant_type eq "%s"', $grant ),
        };
    }

    return LLNG::Manager::Test->new( {
            ini => {
                logLevel                           => $debug,
                domain                             => 'op.com',
                portal                             => 'http://auth.op.com',
                authentication                     => 'Demo',
                userDB                             => 'Same',
                issuerDBOpenIDConnectActivation    => 1,
                oidcServiceAllowOnlyDeclaredScopes => 1,
                oidcRPMetaDataOptions              => \%rp_options,
                oidcServicePrivateKeySig           => oidc_key_op_private_sig,
                oidcServicePublicKeySig            => oidc_key_op_public_sig,
            }
        }
    );
}