mirror of https://github.com/ory/hydra
238 lines
9.6 KiB
Go
238 lines
9.6 KiB
Go
// Copyright © 2022 Ory Corp
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package client_test
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"io"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/ory/x/assertx"
|
|
|
|
"github.com/ory/x/ioutilx"
|
|
|
|
"github.com/ory/x/snapshotx"
|
|
|
|
"github.com/ory/x/uuidx"
|
|
|
|
"github.com/mohae/deepcopy"
|
|
|
|
"github.com/ory/hydra/v2/x"
|
|
"github.com/ory/x/contextx"
|
|
"github.com/ory/x/pointerx"
|
|
|
|
"github.com/ory/hydra/v2/driver/config"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/ory/hydra/v2/internal"
|
|
|
|
hydra "github.com/ory/hydra-client-go/v2"
|
|
"github.com/ory/hydra/v2/client"
|
|
)
|
|
|
|
func createTestClient(prefix string) hydra.OAuth2Client {
|
|
return hydra.OAuth2Client{
|
|
ClientName: pointerx.Ptr(prefix + "name"),
|
|
ClientSecret: pointerx.Ptr(prefix + "secret"),
|
|
ClientUri: pointerx.Ptr(prefix + "uri"),
|
|
Contacts: []string{prefix + "peter", prefix + "pan"},
|
|
GrantTypes: []string{prefix + "client_credentials", prefix + "authorize_code"},
|
|
LogoUri: pointerx.Ptr(prefix + "logo"),
|
|
Owner: pointerx.Ptr(prefix + "an-owner"),
|
|
PolicyUri: pointerx.Ptr(prefix + "policy-uri"),
|
|
Scope: pointerx.Ptr(prefix + "foo bar baz"),
|
|
TosUri: pointerx.Ptr(prefix + "tos-uri"),
|
|
ResponseTypes: []string{prefix + "id_token", prefix + "code"},
|
|
RedirectUris: []string{"https://" + prefix + "redirect-url", "https://" + prefix + "redirect-uri"},
|
|
ClientSecretExpiresAt: pointerx.Ptr[int64](0),
|
|
TokenEndpointAuthMethod: pointerx.Ptr("client_secret_basic"),
|
|
UserinfoSignedResponseAlg: pointerx.Ptr("none"),
|
|
SubjectType: pointerx.Ptr("public"),
|
|
Metadata: map[string]interface{}{"foo": "bar"},
|
|
// because these values are not nullable in the SQL schema, we have to set them not nil
|
|
AllowedCorsOrigins: []string{},
|
|
Audience: []string{},
|
|
Jwks: map[string]interface{}{},
|
|
SkipConsent: pointerx.Ptr(false),
|
|
}
|
|
}
|
|
|
|
var defaultIgnoreFields = []string{"client_id", "registration_access_token", "registration_client_uri", "created_at", "updated_at"}
|
|
|
|
func TestClientSDK(t *testing.T) {
|
|
ctx := context.Background()
|
|
conf := internal.NewConfigurationWithDefaults()
|
|
conf.MustSet(ctx, config.KeySubjectTypesSupported, []string{"public"})
|
|
conf.MustSet(ctx, config.KeyDefaultClientScope, []string{"foo", "bar"})
|
|
conf.MustSet(ctx, config.KeyPublicAllowDynamicRegistration, true)
|
|
r := internal.NewRegistryMemory(t, conf, &contextx.Static{C: conf.Source(ctx)})
|
|
|
|
routerAdmin := x.NewRouterAdmin(conf.AdminURL)
|
|
routerPublic := x.NewRouterPublic()
|
|
handler := client.NewHandler(r)
|
|
handler.SetRoutes(routerAdmin, routerPublic)
|
|
server := httptest.NewServer(routerAdmin)
|
|
conf.MustSet(ctx, config.KeyAdminURL, server.URL)
|
|
|
|
c := hydra.NewAPIClient(hydra.NewConfiguration())
|
|
c.GetConfig().Servers = hydra.ServerConfigurations{{URL: server.URL}}
|
|
|
|
t.Run("case=client default scopes are set", func(t *testing.T) {
|
|
result, _, err := c.OAuth2Api.CreateOAuth2Client(ctx).OAuth2Client(hydra.OAuth2Client{}).Execute()
|
|
require.NoError(t, err)
|
|
assert.EqualValues(t, conf.DefaultClientScope(ctx), strings.Split(*result.Scope, " "))
|
|
|
|
_, err = c.OAuth2Api.DeleteOAuth2Client(ctx, *result.ClientId).Execute()
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("case=client is created and updated", func(t *testing.T) {
|
|
createClient := createTestClient("")
|
|
compareClient := createClient
|
|
// This is not yet supported:
|
|
// createClient.SecretExpiresAt = 10
|
|
|
|
// returned client is correct on Create
|
|
result, _, err := c.OAuth2Api.CreateOAuth2Client(ctx).OAuth2Client(createClient).Execute()
|
|
require.NoError(t, err)
|
|
assert.NotEmpty(t, result.UpdatedAt)
|
|
assert.NotEmpty(t, result.CreatedAt)
|
|
assert.NotEmpty(t, result.RegistrationAccessToken)
|
|
assert.NotEmpty(t, result.RegistrationClientUri)
|
|
assert.NotEmpty(t, result.ClientId)
|
|
createClient.ClientId = result.ClientId
|
|
|
|
assertx.EqualAsJSONExcept(t, compareClient, result, defaultIgnoreFields)
|
|
assert.EqualValues(t, "bar", result.Metadata.(map[string]interface{})["foo"])
|
|
|
|
// secret is not returned on GetOAuth2Client
|
|
compareClient.ClientSecret = x.ToPointer("")
|
|
gresult, _, err := c.OAuth2Api.GetOAuth2Client(context.Background(), *createClient.ClientId).Execute()
|
|
require.NoError(t, err)
|
|
assertx.EqualAsJSONExcept(t, compareClient, gresult, append(defaultIgnoreFields, "client_secret"))
|
|
|
|
// get client will return The request could not be authorized
|
|
gresult, _, err = c.OAuth2Api.GetOAuth2Client(context.Background(), "unknown").Execute()
|
|
require.Error(t, err)
|
|
assert.Empty(t, gresult)
|
|
assert.True(t, strings.Contains(err.Error(), "404"), err.Error())
|
|
|
|
// listing clients returns the only added one
|
|
results, _, err := c.OAuth2Api.ListOAuth2Clients(context.Background()).PageSize(100).Execute()
|
|
require.NoError(t, err)
|
|
assert.Len(t, results, 1)
|
|
assertx.EqualAsJSONExcept(t, compareClient, results[0], append(defaultIgnoreFields, "client_secret"))
|
|
|
|
// SecretExpiresAt gets overwritten with 0 on Update
|
|
compareClient.ClientSecret = createClient.ClientSecret
|
|
uresult, _, err := c.OAuth2Api.SetOAuth2Client(context.Background(), *createClient.ClientId).OAuth2Client(createClient).Execute()
|
|
require.NoError(t, err)
|
|
assertx.EqualAsJSONExcept(t, compareClient, uresult, append(defaultIgnoreFields, "client_secret"))
|
|
|
|
// create another client
|
|
updateClient := createTestClient("foo")
|
|
uresult, _, err = c.OAuth2Api.SetOAuth2Client(context.Background(), *createClient.ClientId).OAuth2Client(updateClient).Execute()
|
|
require.NoError(t, err)
|
|
assert.NotEqual(t, updateClient.ClientId, uresult.ClientId)
|
|
updateClient.ClientId = uresult.ClientId
|
|
assertx.EqualAsJSONExcept(t, updateClient, uresult, append(defaultIgnoreFields, "client_secret"))
|
|
|
|
// again, test if secret is not returned on Get
|
|
compareClient = updateClient
|
|
compareClient.ClientSecret = x.ToPointer("")
|
|
gresult, _, err = c.OAuth2Api.GetOAuth2Client(context.Background(), *updateClient.ClientId).Execute()
|
|
require.NoError(t, err)
|
|
assertx.EqualAsJSONExcept(t, compareClient, gresult, append(defaultIgnoreFields, "client_secret"))
|
|
|
|
// client can not be found after being deleted
|
|
_, err = c.OAuth2Api.DeleteOAuth2Client(context.Background(), *updateClient.ClientId).Execute()
|
|
require.NoError(t, err)
|
|
|
|
_, _, err = c.OAuth2Api.GetOAuth2Client(context.Background(), *updateClient.ClientId).Execute()
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("case=public client is transmitted without secret", func(t *testing.T) {
|
|
result, _, err := c.OAuth2Api.CreateOAuth2Client(context.Background()).OAuth2Client(hydra.OAuth2Client{
|
|
TokenEndpointAuthMethod: x.ToPointer("none"),
|
|
}).Execute()
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, "", x.FromPointer[string](result.ClientSecret))
|
|
|
|
result, _, err = c.OAuth2Api.CreateOAuth2Client(context.Background()).OAuth2Client(createTestClient("")).Execute()
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, "secret", x.FromPointer[string](result.ClientSecret))
|
|
})
|
|
|
|
t.Run("case=id can not be set", func(t *testing.T) {
|
|
_, res, err := c.OAuth2Api.CreateOAuth2Client(context.Background()).OAuth2Client(hydra.OAuth2Client{ClientId: x.ToPointer(uuidx.NewV4().String())}).Execute()
|
|
require.Error(t, err)
|
|
body, err := io.ReadAll(res.Body)
|
|
require.NoError(t, err)
|
|
snapshotx.SnapshotT(t, json.RawMessage(body))
|
|
})
|
|
|
|
t.Run("case=patch client legally", func(t *testing.T) {
|
|
op := "add"
|
|
path := "/redirect_uris/-"
|
|
value := "http://foo.bar"
|
|
|
|
client := createTestClient("")
|
|
created, _, err := c.OAuth2Api.CreateOAuth2Client(context.Background()).OAuth2Client(client).Execute()
|
|
require.NoError(t, err)
|
|
client.ClientId = created.ClientId
|
|
|
|
expected := deepcopy.Copy(client).(hydra.OAuth2Client)
|
|
expected.RedirectUris = append(expected.RedirectUris, value)
|
|
|
|
result, _, err := c.OAuth2Api.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
|
|
require.NoError(t, err)
|
|
expected.CreatedAt = result.CreatedAt
|
|
expected.UpdatedAt = result.UpdatedAt
|
|
expected.ClientSecret = result.ClientSecret
|
|
expected.ClientSecretExpiresAt = result.ClientSecretExpiresAt
|
|
assertx.EqualAsJSONExcept(t, expected, result, nil)
|
|
})
|
|
|
|
t.Run("case=patch client illegally", func(t *testing.T) {
|
|
op := "replace"
|
|
path := "/id"
|
|
value := "foo"
|
|
|
|
client := createTestClient("")
|
|
created, res, err := c.OAuth2Api.CreateOAuth2Client(context.Background()).OAuth2Client(client).Execute()
|
|
require.NoError(t, err, "%s", ioutilx.MustReadAll(res.Body))
|
|
client.ClientId = created.ClientId
|
|
|
|
_, _, err = c.OAuth2Api.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("case=patch should not alter secret if not requested", func(t *testing.T) {
|
|
op := "replace"
|
|
path := "/client_uri"
|
|
value := "http://foo.bar"
|
|
|
|
client := createTestClient("")
|
|
created, _, err := c.OAuth2Api.CreateOAuth2Client(context.Background()).OAuth2Client(client).Execute()
|
|
require.NoError(t, err)
|
|
client.ClientId = created.ClientId
|
|
|
|
result1, _, err := c.OAuth2Api.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
|
|
require.NoError(t, err)
|
|
result2, _, err := c.OAuth2Api.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
|
|
require.NoError(t, err)
|
|
|
|
// secret hashes shouldn't change between these PUT calls
|
|
require.Equal(t, result1.ClientSecret, result2.ClientSecret)
|
|
})
|
|
}
|