closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8573 Commits
2 Branches
178 MiB
Tree: 601b0cf4c1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '601b0cf4c1'
${ noResults }
gitea/integrations/oauth_test.go

243 lines
9.0 KiB
Raw Normal View History

Integrate OAuth2 Provider (#5378)
5 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Add json tags for oauth2 form (#6627)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Add json tags for oauth2 form (#6627)
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
5 years ago
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go
5 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
5 years ago
 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package integrations
  6. 

  7. import (
  8. 	"encoding/json"
  9. 	"testing"
  10. 

  11. 	"code.gitea.io/gitea/modules/setting"
  12. 

  13. 	"github.com/stretchr/testify/assert"
  14. )
  15. 

  16. const defaultAuthorize = "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate"
  17. 

  18. func TestNoClientID(t *testing.T) {
  19. 	defer prepareTestEnv(t)()
  20. 	req := NewRequest(t, "GET", "/login/oauth/authorize")
  21. 	ctx := loginUser(t, "user2")
  22. 	ctx.MakeRequest(t, req, 400)
  23. }
  24. 

  25. func TestLoginRedirect(t *testing.T) {
  26. 	defer prepareTestEnv(t)()
  27. 	req := NewRequest(t, "GET", "/login/oauth/authorize")
  28. 	assert.Contains(t, MakeRequest(t, req, 302).Body.String(), "/user/login")
  29. }
  30. 

  31. func TestShowAuthorize(t *testing.T) {
  32. 	defer prepareTestEnv(t)()
  33. 	req := NewRequest(t, "GET", defaultAuthorize)
  34. 	ctx := loginUser(t, "user4")
  35. 	resp := ctx.MakeRequest(t, req, 200)
  36. 

  37. 	htmlDoc := NewHTMLParser(t, resp.Body)
  38. 	htmlDoc.AssertElement(t, "#authorize-app", true)
  39. 	htmlDoc.GetCSRF()
  40. }
  41. 

  42. func TestRedirectWithExistingGrant(t *testing.T) {
  43. 	defer prepareTestEnv(t)()
  44. 	req := NewRequest(t, "GET", defaultAuthorize)
  45. 	ctx := loginUser(t, "user1")
  46. 	resp := ctx.MakeRequest(t, req, 302)
  47. 	u, err := resp.Result().Location()
  48. 	assert.NoError(t, err)
  49. 	assert.Equal(t, "thestate", u.Query().Get("state"))
  50. 	assert.Truef(t, len(u.Query().Get("code")) > 30, "authorization code '%s' should be longer then 30", u.Query().Get("code"))
  51. }
  52. 

  53. func TestAccessTokenExchange(t *testing.T) {
  54. 	defer prepareTestEnv(t)()
  55. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  56. 		"grant_type":    "authorization_code",
  57. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  58. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  59. 		"redirect_uri":  "a",
  60. 		"code":          "authcode",
  61. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  62. 	})
  63. 	resp := MakeRequest(t, req, 200)
  64. 	type response struct {
  65. 		AccessToken  string `json:"access_token"`
  66. 		TokenType    string `json:"token_type"`
  67. 		ExpiresIn    int64  `json:"expires_in"`
  68. 		RefreshToken string `json:"refresh_token"`
  69. 	}
  70. 	parsed := new(response)
  71. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
  72. 	assert.True(t, len(parsed.AccessToken) > 10)
  73. 	assert.True(t, len(parsed.RefreshToken) > 10)
  74. }
  75. 

  76. func TestAccessTokenExchangeWithoutPKCE(t *testing.T) {
  77. 	defer prepareTestEnv(t)()
  78. 	req := NewRequestWithJSON(t, "POST", "/login/oauth/access_token", map[string]string{
  79. 		"grant_type":    "authorization_code",
  80. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  81. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  82. 		"redirect_uri":  "a",
  83. 		"code":          "authcode",
  84. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  85. 	})
  86. 	resp := MakeRequest(t, req, 200)
  87. 	type response struct {
  88. 		AccessToken  string `json:"access_token"`
  89. 		TokenType    string `json:"token_type"`
  90. 		ExpiresIn    int64  `json:"expires_in"`
  91. 		RefreshToken string `json:"refresh_token"`
  92. 	}
  93. 	parsed := new(response)
  94. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
  95. 	assert.True(t, len(parsed.AccessToken) > 10)
  96. 	assert.True(t, len(parsed.RefreshToken) > 10)
  97. }
  98. 

  99. func TestAccessTokenExchangeJSON(t *testing.T) {
  100. 	defer prepareTestEnv(t)()
  101. 	req := NewRequestWithJSON(t, "POST", "/login/oauth/access_token", map[string]string{
  102. 		"grant_type":    "authorization_code",
  103. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  104. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  105. 		"redirect_uri":  "a",
  106. 		"code":          "authcode",
  107. 	})
  108. 	MakeRequest(t, req, 400)
  109. }
  110. 

  111. func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) {
  112. 	defer prepareTestEnv(t)()
  113. 	// invalid client id

  114. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  115. 		"grant_type":    "authorization_code",
  116. 		"client_id":     "???",
  117. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  118. 		"redirect_uri":  "a",
  119. 		"code":          "authcode",
  120. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  121. 	})
  122. 	MakeRequest(t, req, 400)
  123. 	// invalid client secret

  124. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  125. 		"grant_type":    "authorization_code",
  126. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  127. 		"client_secret": "???",
  128. 		"redirect_uri":  "a",
  129. 		"code":          "authcode",
  130. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  131. 	})
  132. 	MakeRequest(t, req, 400)
  133. 	// invalid redirect uri

  134. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  135. 		"grant_type":    "authorization_code",
  136. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  137. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  138. 		"redirect_uri":  "???",
  139. 		"code":          "authcode",
  140. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  141. 	})
  142. 	MakeRequest(t, req, 400)
  143. 	// invalid authorization code

  144. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  145. 		"grant_type":    "authorization_code",
  146. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  147. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  148. 		"redirect_uri":  "a",
  149. 		"code":          "???",
  150. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  151. 	})
  152. 	MakeRequest(t, req, 400)
  153. 	// invalid grant_type

  154. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  155. 		"grant_type":    "???",
  156. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  157. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  158. 		"redirect_uri":  "a",
  159. 		"code":          "authcode",
  160. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  161. 	})
  162. 	MakeRequest(t, req, 400)
  163. }
  164. 

  165. func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {
  166. 	defer prepareTestEnv(t)()
  167. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  168. 		"grant_type":    "authorization_code",
  169. 		"redirect_uri":  "a",
  170. 		"code":          "authcode",
  171. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  172. 	})
  173. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
  174. 	resp := MakeRequest(t, req, 200)
  175. 	type response struct {
  176. 		AccessToken  string `json:"access_token"`
  177. 		TokenType    string `json:"token_type"`
  178. 		ExpiresIn    int64  `json:"expires_in"`
  179. 		RefreshToken string `json:"refresh_token"`
  180. 	}
  181. 	parsed := new(response)
  182. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
  183. 	assert.True(t, len(parsed.AccessToken) > 10)
  184. 	assert.True(t, len(parsed.RefreshToken) > 10)
  185. 

  186. 	// use wrong client_secret

  187. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  188. 		"grant_type":    "authorization_code",
  189. 		"redirect_uri":  "a",
  190. 		"code":          "authcode",
  191. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  192. 	})
  193. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OmJsYWJsYQ==")
  194. 	resp = MakeRequest(t, req, 400)
  195. 

  196. 	// missing header

  197. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  198. 		"grant_type":    "authorization_code",
  199. 		"redirect_uri":  "a",
  200. 		"code":          "authcode",
  201. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  202. 	})
  203. 	resp = MakeRequest(t, req, 400)
  204. }
  205. 

  206. func TestRefreshTokenInvalidation(t *testing.T) {
  207. 	defer prepareTestEnv(t)()
  208. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  209. 		"grant_type":    "authorization_code",
  210. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  211. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  212. 		"redirect_uri":  "a",
  213. 		"code":          "authcode",
  214. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally

  215. 	})
  216. 	resp := MakeRequest(t, req, 200)
  217. 	type response struct {
  218. 		AccessToken  string `json:"access_token"`
  219. 		TokenType    string `json:"token_type"`
  220. 		ExpiresIn    int64  `json:"expires_in"`
  221. 		RefreshToken string `json:"refresh_token"`
  222. 	}
  223. 	parsed := new(response)
  224. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
  225. 

  226. 	// test without invalidation

  227. 	setting.OAuth2.InvalidateRefreshTokens = false
  228. 

  229. 	refreshReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  230. 		"grant_type":    "refresh_token",
  231. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
  232. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  233. 		"redirect_uri":  "a",
  234. 		"refresh_token": parsed.RefreshToken,
  235. 	})
  236. 	MakeRequest(t, refreshReq, 200)
  237. 	MakeRequest(t, refreshReq, 200)
  238. 

  239. 	// test with invalidation

  240. 	setting.OAuth2.InvalidateRefreshTokens = true
  241. 	MakeRequest(t, refreshReq, 200)
  242. 	MakeRequest(t, refreshReq, 400)
  243. }