Fix issue with expirary json

Emyrk · Emyrk · commit 4b31e28eff23 · 2023-08-24T16:06:12.000-05:00
diff --git a/coderd/coderdtest/oidctest/idp.go b/coderd/coderdtest/oidctest/idp.go
@@ -63,6 +63,9 @@ type FakeIDP struct {
 	hookUserInfo  func(email string) jwt.MapClaims
 	fakeCoderd    func(req *http.Request) (*http.Response, error)
 	hookOnRefresh func(email string) error
+	// Custom authentication for the client. This is useful if you want
+	// to test something like PKI auth vs a client_secret.
+	hookAuthenticateClient func(t testing.TB, req *http.Request) (url.Values, error)
 	// Optional if you want to use a real http network request assuming
 	// it is not directed to the IDP.
 	defaultClient *http.Client
@@ -79,6 +82,12 @@ func WithRefreshHook(hook func(email string) error) func(*FakeIDP) {
 	}
 }
 
+func WithCustomClientAuth(hook func(t testing.TB, req *http.Request) (url.Values, error)) func(*FakeIDP) {
+	return func(f *FakeIDP) {
+		f.hookAuthenticateClient = hook
+	}
+}
+
 // WithLogging is optional, but will log some HTTP calls made to the IDP.
 func WithLogging(t testing.TB, options *slogtest.Options) func(*FakeIDP) {
 	return func(f *FakeIDP) {
@@ -109,6 +118,12 @@ func WithServing() func(*FakeIDP) {
 	}
 }
 
+func WithIssuer(issuer string) func(*FakeIDP) {
+	return func(f *FakeIDP) {
+		f.issuer = issuer
+	}
+}
+
 const (
 	authorizePath = "/oauth2/authorize"
 	tokenPath     = "/oauth2/token"
@@ -137,7 +152,6 @@ func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP {
 		hookOnRefresh:        func(_ string) error { return nil },
 		hookUserInfo:         func(email string) jwt.MapClaims { return jwt.MapClaims{} },
 	}
-	idp.handler = idp.httpHandler(t)
 
 	for _, opt := range opts {
 		opt(idp)
@@ -147,6 +161,7 @@ func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP {
 		idp.issuer = "https://coder.com"
 	}
 
+	idp.handler = idp.httpHandler(t)
 	idp.updateIssuerURL(t, idp.issuer)
 	if idp.serve {
 		idp.realServer(t)
@@ -355,6 +370,10 @@ func (f *FakeIDP) authenticateBearerTokenRequest(t testing.TB, req *http.Request
 func (f *FakeIDP) authenticateOIDClientRequest(t testing.TB, req *http.Request) (url.Values, error) {
 	t.Helper()
 
+	if f.hookAuthenticateClient != nil {
+		return f.hookAuthenticateClient(t, req)
+	}
+
 	data, _ := io.ReadAll(req.Body)
 	values, err := url.ParseQuery(string(data))
 	if !assert.NoError(t, err, "parse token request values") {
@@ -541,7 +560,6 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 			"refresh_token": refreshToken,
 			"token_type":    "Bearer",
 			"expires_in":    int64(time.Minute * 5),
-			"expiry":        exp.Unix(),
 			"id_token":      f.encodeClaims(t, claims),
 		}
 		// Store the claims for the next refresh
diff --git a/coderd/oauthpki/oidcpki.go b/coderd/oauthpki/oidcpki.go
@@ -215,7 +215,10 @@ func (src *jwtTokenSource) Token() (*oauth2.Token, error) {
 	}
 
 	var tokenRes struct {
-		oauth2.Token
+		AccessToken  string `json:"access_token"`
+		TokenType    string `json:"token_type,omitempty"`
+		RefreshToken string `json:"refresh_token,omitempty"`
+
 		// Extra fields returned by the refresh that are needed
 		IDToken   string `json:"id_token"`
 		ExpiresIn int64  `json:"expires_in"` // relative seconds from now
diff --git a/coderd/oauthpki/okidcpki_test.go b/coderd/oauthpki/okidcpki_test.go
@@ -12,12 +12,15 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/v2/coderd"
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
 	"github.com/coder/coder/v2/coderd/oauthpki"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -123,6 +126,57 @@ func TestAzureADPKIOIDC(t *testing.T) {
 	require.Error(t, err, "error expected")
 }
 
+// TestAzureAKPKIWithCoderd uses a fake IDP and a real Coderd to test PKI auth.
+func TestAzureAKPKIWithCoderd(t *testing.T) {
+	t.Parallel()
+
+	scopes := []string{"openid", "email", "profile", "offline_access"}
+	fake := oidctest.NewFakeIDP(t,
+		oidctest.WithIssuer("https://login.microsoftonline.com/fake_app"),
+		oidctest.WithCustomClientAuth(func(t testing.TB, req *http.Request) (url.Values, error) {
+			values := assertJWTAuth(t, req)
+			if values == nil {
+				return nil, xerrors.New("authorizatin failed in request")
+			}
+			return values, nil
+		}),
+		oidctest.WithServing(),
+	)
+	cfg := fake.OIDCConfig(t, scopes, func(cfg *coderd.OIDCConfig) {
+		cfg.AllowSignups = true
+	})
+
+	oauthCfg := cfg.OAuth2Config.(*oauth2.Config)
+	// Create the oauthpki config
+	pki, err := oauthpki.NewOauth2PKIConfig(oauthpki.ConfigParams{
+		ClientID:       oauthCfg.ClientID,
+		TokenURL:       oauthCfg.Endpoint.TokenURL,
+		Scopes:         scopes,
+		PemEncodedKey:  []byte(testClientKey),
+		PemEncodedCert: []byte(testClientCert),
+		Config:         oauthCfg,
+	})
+	require.NoError(t, err)
+	cfg.OAuth2Config = pki
+
+	owner, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
+		OIDCConfig: cfg,
+	})
+
+	// Create a user and login
+	const email = "alice@coder.com"
+	claims := jwt.MapClaims{
+		"email": email,
+	}
+	helper := oidctest.NewLoginHelper(owner, fake)
+	user, _ := helper.Login(t, claims)
+
+	// Try refreshing the token more than once.
+	for i := 0; i < 2; i++ {
+		helper.ForceRefresh(t, api.Database, user, claims)
+	}
+}
+
 // TestSavedAzureADPKIOIDC was created by capturing actual responses from an Azure
 // AD instance and saving them to replay, removing some details.
 // The reason this is done is that this is the only way to assert values
@@ -269,7 +323,7 @@ func (f fakeRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 
 // assertJWTAuth will assert the basic JWT auth assertions. It will return the
 // url.Values from the request body for any additional assertions to be made.
-func assertJWTAuth(t *testing.T, r *http.Request) url.Values {
+func assertJWTAuth(t testing.TB, r *http.Request) url.Values {
 	body, err := io.ReadAll(r.Body)
 	if !assert.NoError(t, err) {
 		return nil
