oidctest

package
v2.21.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 29, 2025 License: AGPL-3.0 Imports: 44 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func FakeIDPKey added in v2.20.0 

func FakeIDPKey() (*rsa.PrivateKey, error)

func OAuth2GetCode added in v2.9.0 

func OAuth2GetCode(rawAuthURL string, doRequest func(req *http.Request) (*http.Response, error)) (string, error)

OAuth2GetCode emulates a user clicking "allow" on the IDP page. When doing unit tests, it's easier to skip this step sometimes. It does make an actual request to the IDP, so it should be equivalent to doing this "manually" with actual requests.

func StatusError added in v2.1.5 

func StatusError(code int, err error) error

func With429 added in v2.9.0 

func With429(params With429Arguments) func(*FakeIDP)

With429 will emulate a 429 response for the selected paths.

func WithAccessTokenJWTHook added in v2.20.0 

func WithAccessTokenJWTHook(hook func(email string, exp time.Time) jwt.MapClaims) func(*FakeIDP)

func WithAuthorizedRedirectURL 

func WithAuthorizedRedirectURL(hook func(redirectURL string) error) func(*FakeIDP)

func WithCallbackPath added in v2.8.0 

func WithCallbackPath(path string) func(*FakeIDP)

func WithCustomClientAuth 

func WithCustomClientAuth(hook func(t testing.TB, req *http.Request) (url.Values, error)) func(*FakeIDP)

func WithDefaultExpire added in v2.7.0 

func WithDefaultExpire(d time.Duration) func(*FakeIDP)

func WithDefaultIDClaims added in v2.7.0 

func WithDefaultIDClaims(claims jwt.MapClaims) func(*FakeIDP)

func WithDynamicUserInfo 

func WithDynamicUserInfo(userInfoFunc func(email string) (jwt.MapClaims, error)) func(*FakeIDP)

func WithHookWellKnown added in v2.14.0 

func WithHookWellKnown(hook func(r *http.Request, j *ProviderJSON) error) func(*FakeIDP)

func WithIssuer 

func WithIssuer(issuer string) func(*FakeIDP)

func WithLogger added in v2.7.0 

func WithLogger(logger slog.Logger) func(*FakeIDP)

func WithLogging 

func WithLogging(t testing.TB, options *slogtest.Options) func(*FakeIDP)

WithLogging is optional, but will log some HTTP calls made to the IDP.

func WithMiddlewares added in v2.7.0 

func WithMiddlewares(mws ...func(http.Handler) http.Handler) func(*FakeIDP)

func WithMutateToken added in v2.3.0 

func WithMutateToken(mutateToken func(token map[string]interface{})) func(*FakeIDP)

WithExtra returns extra fields that be accessed on the returned Oauth Token. These extra fields can override the default fields (id_token, access_token, etc).

func WithRefresh added in v2.1.5 

func WithRefresh(hook func(email string) error) func(*FakeIDP)

WithRefresh is called when a refresh token is used. The email is the email of the user that is being refreshed assuming the claims are correct.

func WithServing 

func WithServing() func(*FakeIDP)

WithServing makes the IDP run an actual http server.

func WithStaticCredentials added in v2.7.0 

func WithStaticCredentials(id, secret string) func(*FakeIDP)

func WithStaticUserInfo 

func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP)

WithStaticUserInfo is optional, but will return the same user info for every user on the /userinfo endpoint.

Types

type ExternalAuthConfigOptions added in v2.5.0 

type ExternalAuthConfigOptions struct {
	// ValidatePayload is the payload that is used when the user calls the
	// equivalent of "userinfo" for oauth2. This is not standardized, so is
	// different for each provider type.
	//
	// The int,error payload can control the response if set.
	ValidatePayload func(email string) (interface{}, int, error)

	UseDeviceAuth bool
	// contains filtered or unexported fields
}

ExternalAuthConfigOptions exists to provide additional functionality ontop of the standard "validate" url. Some providers like github we actually parse the response from the validate URL to gain additional information.

func (*ExternalAuthConfigOptions) AddRoute added in v2.5.0 

func (o *ExternalAuthConfigOptions) AddRoute(route string, handle func(email string, rw http.ResponseWriter, r *http.Request)) *ExternalAuthConfigOptions

type FakeIDP 

type FakeIDP struct {
	// contains filtered or unexported fields
}

FakeIDP is a functional OIDC provider. It only supports 1 OIDC client.

func NewFakeIDP 

func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP

func (*FakeIDP) AppCredentials added in v2.7.0 

func (f *FakeIDP) AppCredentials() (clientID string, clientSecret string)

func (*FakeIDP) AttemptLogin 

func (f *FakeIDP) AttemptLogin(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, opts ...func(r *http.Request)) (*codersdk.Client, *http.Response)

func (*FakeIDP) CreateAuthCode added in v2.7.0 

func (f *FakeIDP) CreateAuthCode(t testing.TB, state string) string

CreateAuthCode emulates a user clicking "allow" on the IDP page. When doing unit tests, it's easier to skip this step sometimes. It does make an actual request to the IDP, so it should be equivalent to doing this "manually" with actual requests.

func (*FakeIDP) DeviceLogin added in v2.8.0 

func (*FakeIDP) DeviceLogin(t testing.TB, client *codersdk.Client, externalAuthID string)

DeviceLogin does the oauth2 device flow for external auth providers.

func (*FakeIDP) ExternalAuthConfig added in v2.5.0 

func (f *FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom *ExternalAuthConfigOptions, opts ...func(cfg *externalauth.Config)) *externalauth.Config

ExternalAuthConfig is the config for external auth providers.

func (*FakeIDP) ExternalLogin added in v2.5.0 

func (f *FakeIDP) ExternalLogin(t testing.TB, client *codersdk.Client, opts ...func(r *http.Request))

ExternalLogin does the oauth2 flow for external auth providers. This requires an authenticated coder client.

func (*FakeIDP) GenerateAuthenticatedToken added in v2.1.5 

func (f *FakeIDP) GenerateAuthenticatedToken(claims jwt.MapClaims) (*oauth2.Token, error)

GenerateAuthenticatedToken skips all oauth2 flows, and just generates a valid token for some given claims.

func (*FakeIDP) HTTPClient 

func (f *FakeIDP) HTTPClient(rest *http.Client) *http.Client

HTTPClient does nothing if IsServing is used.

If IsServing is not used, then it will return a client that will make requests to the IDP all in memory. If a request is not to the IDP, then the passed in client will be used. If no client is passed in, then any regular network requests will fail.

func (*FakeIDP) IssuerURL added in v2.7.0 

func (f *FakeIDP) IssuerURL() *url.URL

func (*FakeIDP) Login 

func (f *FakeIDP) Login(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, opts ...func(r *http.Request)) (*codersdk.Client, *http.Response)

Login does the full OIDC flow starting at the "LoginButton". The client argument is just to get the URL of the Coder instance.

The client passed in is just to get the url of the Coder instance. The actual client that is used is 100% unauthenticated and fresh.

func (*FakeIDP) LoginWithClient 

func (f *FakeIDP) LoginWithClient(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, opts ...func(r *http.Request)) (*codersdk.Client, *http.Response)

LoginWithClient reuses the context of the passed in client. This means the same cookies will be used. This should be an unauthenticated client in most cases.

This is a niche case, but it is needed for testing ConvertLoginType.

func (*FakeIDP) OIDCCallback 

func (f *FakeIDP) OIDCCallback(t testing.TB, state string, idTokenClaims jwt.MapClaims) *http.Response

OIDCCallback will emulate the IDP redirecting back to the Coder callback. This is helpful if no Coderd exists because the IDP needs to redirect to something. Essentially this is used to fake the Coderd side of the exchange. The flow starts at the user hitting the OIDC login page.

func (*FakeIDP) OIDCConfig 

func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig

func (*FakeIDP) OIDCConfigSkipIssuerChecks added in v2.14.0 

func (f *FakeIDP) OIDCConfigSkipIssuerChecks(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig

func (*FakeIDP) OauthConfig added in v2.14.0 

func (f *FakeIDP) OauthConfig(t testing.TB, scopes []string) *oauth2.Config

func (*FakeIDP) PublicKey added in v2.14.0 

func (f *FakeIDP) PublicKey() crypto.PublicKey

func (*FakeIDP) RefreshUsed 

func (f *FakeIDP) RefreshUsed(refreshToken string) bool

RefreshUsed returns if the refresh token has been used. All refresh tokens can only be used once, then they are deleted.

func (*FakeIDP) SetCoderdCallback 

func (f *FakeIDP) SetCoderdCallback(callback func(req *http.Request) (*http.Response, error))

SetCoderdCallback is optional and only works if not using the IsServing. It will setup a fake "Coderd" for the IDP to call when the IDP redirects back after authenticating.

func (*FakeIDP) SetCoderdCallbackHandler 

func (f *FakeIDP) SetCoderdCallbackHandler(handler http.HandlerFunc)

func (*FakeIDP) SetRedirect 

func (f *FakeIDP) SetRedirect(t testing.TB, u string)

SetRedirect is required for the IDP to know where to redirect and call Coderd.

func (*FakeIDP) UpdateRefreshClaims 

func (f *FakeIDP) UpdateRefreshClaims(refreshToken string, claims jwt.MapClaims)

UpdateRefreshClaims allows the caller to change what claims are returned for a given refresh token. By default, all refreshes use the same claims as the original IDToken issuance.

func (*FakeIDP) WellknownConfig added in v2.1.5 

func (f *FakeIDP) WellknownConfig() ProviderJSON

type FakeIDPOpt 

type FakeIDPOpt func(idp *FakeIDP)

type LoginHelper 

type LoginHelper struct {
	// contains filtered or unexported fields
}

LoginHelper helps with logging in a user and refreshing their oauth tokens. It is mainly because refreshing oauth tokens is a bit tricky and requires some database manipulation.

func NewLoginHelper 

func NewLoginHelper(client *codersdk.Client, fake *FakeIDP) *LoginHelper

func (*LoginHelper) AttemptLogin added in v2.5.0 

func (h *LoginHelper) AttemptLogin(t *testing.T, idTokenClaims jwt.MapClaims) (*codersdk.Client, *http.Response)

AttemptLogin does not assert a successful login.

func (*LoginHelper) ExpireOauthToken 

func (*LoginHelper) ExpireOauthToken(t *testing.T, db database.Store, user *codersdk.Client) database.UserLink

ExpireOauthToken expires the oauth token for the given user.

func (*LoginHelper) ForceRefresh 

func (h *LoginHelper) ForceRefresh(t *testing.T, db database.Store, user *codersdk.Client, idToken jwt.MapClaims)

ForceRefresh forces the client to refresh its oauth token. It does this by expiring the oauth token, then doing an authenticated call. This will force the API Key middleware to refresh the oauth token.

A unit test assertion makes sure the refresh token is used.

func (*LoginHelper) Login 

func (h *LoginHelper) Login(t *testing.T, idTokenClaims jwt.MapClaims) (*codersdk.Client, *http.Response)

Login just helps by making an unauthenticated client and logging in with the given claims. All Logins should be unauthenticated, so this is a convenience method.

type ProviderJSON added in v2.1.5 

type ProviderJSON struct {
	Issuer        string   `json:"issuer"`
	AuthURL       string   `json:"authorization_endpoint"`
	TokenURL      string   `json:"token_endpoint"`
	JWKSURL       string   `json:"jwks_uri"`
	UserInfoURL   string   `json:"userinfo_endpoint"`
	DeviceCodeURL string   `json:"device_authorization_endpoint"`
	Algorithms    []string `json:"id_token_signing_alg_values_supported"`
	// This is custom
	ExternalAuthURL string `json:"external_auth_url"`
}

ProviderJSON is the .well-known/configuration JSON

type With429Arguments added in v2.9.0 

type With429Arguments struct {
	AllPaths      bool
	TokenPath     bool
	AuthorizePath bool
	KeysPath      bool
	UserInfoPath  bool
	DeviceAuth    bool
	DeviceVerify  bool
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.