shaba/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-01-11 09:17:42 +03:00
Code Issues Projects Releases Wiki Activity
7e68bc8823
gitea/tests/integration/oauth_test.go

480 lines
20 KiB
Go
Raw Normal View History

Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
// Copyright 2019 The Gitea Authors. All rights reserved.
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2022-11-27 21:20:29 +03:00
// SPDX-License-Identifier: MIT
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
package integration
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
import (
Introduce go chi web framework as frontend of macaron, so that we can move routes from macaron to chi step by step (#7420) * When route cannot be found on chi, go to macaron * Stick chi version to 1.5.0 * Follow router log setting
2020-11-13 15:51:07 +03:00
"bytes"
refactor: move from io/ioutil to io and os package (#17109) The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-09-22 08:38:34 +03:00
"io"
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
"net/http"
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
"testing"
Add an abstract json layout to make it's easier to change json library (#16528) * Add an abstract json layout to make it's easier to change json library * Fix import * Fix import sequence * Fix blank lines * Fix blank lines
2021-07-24 19:03:58 +03:00
"code.gitea.io/gitea/modules/json"
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
"code.gitea.io/gitea/modules/setting"
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
oauth2_provider "code.gitea.io/gitea/services/oauth2_provider"
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
"code.gitea.io/gitea/tests"
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
"github.com/stretchr/testify/assert"
)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
func TestAuthorizeNoClientID(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
req := NewRequest(t, "GET", "/login/oauth/authorize")
ctx := loginUser(t, "user2")
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp := ctx.MakeRequest(t, req, http.StatusBadRequest)
assert.Contains(t, resp.Body.String(), "Client ID not registered")
}
func TestAuthorizeUnregisteredRedirect(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=UNREGISTERED&response_type=code&state=thestate")
ctx := loginUser(t, "user1")
resp := ctx.MakeRequest(t, req, http.StatusBadRequest)
assert.Contains(t, resp.Body.String(), "Unregistered Redirect URI")
}
func TestAuthorizeUnsupportedResponseType(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=UNEXPECTED&state=thestate")
ctx := loginUser(t, "user1")
resp := ctx.MakeRequest(t, req, http.StatusSeeOther)
u, err := resp.Result().Location()
assert.NoError(t, err)
assert.Equal(t, "unsupported_response_type", u.Query().Get("error"))
assert.Equal(t, "Only code response type is supported.", u.Query().Get("error_description"))
}
func TestAuthorizeUnsupportedCodeChallengeMethod(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate&code_challenge_method=UNEXPECTED")
ctx := loginUser(t, "user1")
resp := ctx.MakeRequest(t, req, http.StatusSeeOther)
u, err := resp.Result().Location()
assert.NoError(t, err)
assert.Equal(t, "invalid_request", u.Query().Get("error"))
assert.Equal(t, "unsupported code challenge method", u.Query().Get("error_description"))
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
}
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
func TestAuthorizeLoginRedirect(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
req := NewRequest(t, "GET", "/login/oauth/authorize")
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
assert.Contains(t, MakeRequest(t, req, http.StatusSeeOther).Body.String(), "/user/login")
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
}
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
func TestAuthorizeShow(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate")
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
ctx := loginUser(t, "user4")
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
resp := ctx.MakeRequest(t, req, http.StatusOK)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
htmlDoc := NewHTMLParser(t, resp.Body)
htmlDoc.AssertElement(t, "#authorize-app", true)
htmlDoc.GetCSRF()
}
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
func TestAuthorizeRedirectWithExistingGrant(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=https%3A%2F%2Fexample.com%2Fxyzzy&response_type=code&state=thestate")
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
ctx := loginUser(t, "user1")
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
resp := ctx.MakeRequest(t, req, http.StatusSeeOther)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
u, err := resp.Result().Location()
assert.NoError(t, err)
assert.Equal(t, "thestate", u.Query().Get("state"))
assert.Truef(t, len(u.Query().Get("code")) > 30, "authorization code '%s' should be longer then 30", u.Query().Get("code"))
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
u.RawQuery = ""
assert.Equal(t, "https://example.com/xyzzy", u.String())
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
}
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 10:59:24 +03:00
func TestAuthorizePKCERequiredForPublicClient(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=ce5a1322-42a7-11ed-b878-0242ac120002&redirect_uri=http%3A%2F%2F127.0.0.1&response_type=code&state=thestate")
ctx := loginUser(t, "user1")
resp := ctx.MakeRequest(t, req, http.StatusSeeOther)
u, err := resp.Result().Location()
assert.NoError(t, err)
assert.Equal(t, "invalid_request", u.Query().Get("error"))
assert.Equal(t, "PKCE is required for public clients", u.Query().Get("error_description"))
}
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
func TestAccessTokenExchange(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
})
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
resp := MakeRequest(t, req, http.StatusOK)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
type response struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token"`
}
parsed := new(response)
Migrate to use jsoniter instead of encoding/json (#14841) * Migrate to use jsoniter * fix tests * update gitea.com/go-chi/binding Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
2021-03-02 00:08:10 +03:00
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
Allow for PKCE flow without client secret + add docs (#25033) The PKCE flow according to [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure authorization without the requirement to provide a client secret for the OAuth app. It is implemented in Gitea since #5378 (v1.8.0), however without being able to omit client secret. Since #21316 Gitea supports setting client type at OAuth app registration. As public clients are already forced to use PKCE since #21316, in this PR the client secret check is being skipped if a public client is detected. As Gitea seems to implement PKCE authorization correctly according to the spec, this would allow for PKCE flow without providing a client secret. Also add some docs for it, please check language as I'm not a native English speaker. Closes #17107 Closes #25047
2023-06-03 06:59:28 +03:00
assert.True(t, len(parsed.AccessToken) > 10)
assert.True(t, len(parsed.RefreshToken) > 10)
}
func TestAccessTokenExchangeWithPublicClient(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "ce5a1322-42a7-11ed-b878-0242ac120002",
"redirect_uri": "http://127.0.0.1",
"code": "authcodepublic",
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
})
resp := MakeRequest(t, req, http.StatusOK)
type response struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token"`
}
parsed := new(response)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
assert.True(t, len(parsed.AccessToken) > 10)
assert.True(t, len(parsed.RefreshToken) > 10)
}
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
func TestAccessTokenExchangeJSON(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Add json tags for oauth2 form (#6627)
2019-04-15 18:54:50 +03:00
req := NewRequestWithJSON(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Add json tags for oauth2 form (#6627)
2019-04-15 18:54:50 +03:00
})
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
resp := MakeRequest(t, req, http.StatusOK)
Add json tags for oauth2 form (#6627)
2019-04-15 18:54:50 +03:00
type response struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token"`
}
parsed := new(response)
Migrate to use jsoniter instead of encoding/json (#14841) * Migrate to use jsoniter * fix tests * update gitea.com/go-chi/binding Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
2021-03-02 00:08:10 +03:00
Add json tags for oauth2 form (#6627)
2019-04-15 18:54:50 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
assert.True(t, len(parsed.AccessToken) > 10)
assert.True(t, len(parsed.RefreshToken) > 10)
}
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
func TestAccessTokenExchangeWithoutPKCE(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
})
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp := MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError := new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "failed PKCE code challenge", parsedError.ErrorDescription)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
}
func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
// invalid client id
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "???",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
})
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp := MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError := new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))
assert.Equal(t, "cannot load client with client id: '???'", parsedError.ErrorDescription)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
// invalid client secret
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "???",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
})
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "invalid client secret", parsedError.ErrorDescription)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
// invalid redirect uri
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "???",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
})
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "unexpected redirect URI", parsedError.ErrorDescription)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
// invalid authorization code
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "???",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
})
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "client is not authorized", parsedError.ErrorDescription)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
// invalid grant_type
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "???",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
})
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unsupported_grant_type", string(parsedError.ErrorCode))
assert.Equal(t, "Only refresh_token or authorization_code grant type is supported", parsedError.ErrorDescription)
Integrate OAuth2 Provider (#5378)
2019-03-08 19:42:50 +03:00
}
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
resp := MakeRequest(t, req, http.StatusOK)
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
type response struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token"`
}
parsed := new(response)
Migrate to use jsoniter instead of encoding/json (#14841) * Migrate to use jsoniter * fix tests * update gitea.com/go-chi/binding Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
2021-03-02 00:08:10 +03:00
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
assert.True(t, len(parsed.AccessToken) > 10)
assert.True(t, len(parsed.RefreshToken) > 10)
// use wrong client_secret
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OmJsYWJsYQ==")
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError := new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "invalid client secret", parsedError.ErrorDescription)
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
// missing header
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
})
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))
assert.Equal(t, "cannot load client with client id: ''", parsedError.ErrorDescription)
// client_id inconsistent with Authorization header
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"redirect_uri": "a",
"code": "authcode",
"client_id": "inconsistent",
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))
assert.Equal(t, "client_id in request body inconsistent with Authorization header", parsedError.ErrorDescription)
// client_secret inconsistent with Authorization header
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"redirect_uri": "a",
"code": "authcode",
"client_secret": "inconsistent",
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
})
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
assert.Equal(t, "client_secret in request body inconsistent with Authorization header", parsedError.ErrorDescription)
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-11 05:54:59 +03:00
}
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
func TestRefreshTokenInvalidation(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 22:18:23 +03:00
defer tests.PrepareTestEnv(t)()
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
})
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
2022-03-23 07:54:07 +03:00
resp := MakeRequest(t, req, http.StatusOK)
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
type response struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token"`
}
parsed := new(response)
Migrate to use jsoniter instead of encoding/json (#14841) * Migrate to use jsoniter * fix tests * update gitea.com/go-chi/binding Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
2021-03-02 00:08:10 +03:00
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
// test without invalidation
setting.OAuth2.InvalidateRefreshTokens = false
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "refresh_token",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
// omit secret
"redirect_uri": "a",
"refresh_token": parsed.RefreshToken,
})
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError := new(oauth2_provider.AccessTokenError)
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))
assert.Equal(t, "invalid empty client secret", parsedError.ErrorDescription)
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "refresh_token",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"refresh_token": "UNEXPECTED",
})
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription)
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
"grant_type": "refresh_token",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"refresh_token": parsed.RefreshToken,
})
Update docs and comments to remove macaron (#14491)
2021-01-29 18:35:30 +03:00
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
bs, err := io.ReadAll(req.Body)
Introduce go chi web framework as frontend of macaron, so that we can move routes from macaron to chi step by step (#7420) * When route cannot be found on chi, go to macaron * Stick chi version to 1.5.0 * Follow router log setting
2020-11-13 15:51:07 +03:00
assert.NoError(t, err)
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
req.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, req, http.StatusOK)
Introduce go chi web framework as frontend of macaron, so that we can move routes from macaron to chi step by step (#7420) * When route cannot be found on chi, go to macaron * Stick chi version to 1.5.0 * Follow router log setting
2020-11-13 15:51:07 +03:00
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
req.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, req, http.StatusOK)
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
// test with invalidation
setting.OAuth2.InvalidateRefreshTokens = true
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
req.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, req, http.StatusOK)
Introduce go chi web framework as frontend of macaron, so that we can move routes from macaron to chi step by step (#7420) * When route cannot be found on chi, go to macaron * Stick chi version to 1.5.0 * Follow router log setting
2020-11-13 15:51:07 +03:00
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
// repeat request should fail
Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 08:28:46 +03:00
req.Body = io.NopCloser(bytes.NewReader(bs))
resp = MakeRequest(t, req, http.StatusBadRequest)
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148) Fix #30266 Replace #31533
2024-10-02 03:03:19 +03:00
parsedError = new(oauth2_provider.AccessTokenError)
Improve OAuth integration tests (#21390) In particular, test explicit error responses. No change to behaviour. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 07:22:43 +03:00
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "token was already used", parsedError.ErrorDescription)
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
2019-04-12 10:50:21 +03:00
}
fix OIDC introspection authentication (#31632) See discussion on #31561 for some background. The introspect endpoint was using the OIDC token itself for authentication. This fixes it to use basic authentication with the client ID and secret instead: * Applications with a valid client ID and secret should be able to successfully introspect an invalid token, receiving a 200 response with JSON data that indicates the token is invalid * Requests with an invalid client ID and secret should not be able to introspect, even if the token itself is valid Unlike #31561 (which just future-proofed the current behavior against future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential compatibility break (some introspection requests without valid client IDs that would previously succeed will now fail). Affected deployments must begin sending a valid HTTP basic authentication header with their introspection requests, with the username set to a valid client ID and the password set to the corresponding client secret.
2024-07-23 15:43:03 +03:00
func TestOAuthIntrospection(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
})
resp := MakeRequest(t, req, http.StatusOK)
type response struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token"`
}
parsed := new(response)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
assert.True(t, len(parsed.AccessToken) > 10)
assert.True(t, len(parsed.RefreshToken) > 10)
// successful request with a valid client_id/client_secret and a valid token
req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
"token": parsed.AccessToken,
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
resp = MakeRequest(t, req, http.StatusOK)
type introspectResponse struct {
add `username` to OIDC introspection response (#31688) This field is specified as optional here: https://datatracker.ietf.org/doc/html/rfc7662#section-2.2 It's used by some OIDC integrations, e.g. https://emersion.fr/blog/2022/irc-and-oauth2/ Co-authored-by: Giteabot <teabot@gitea.io>
2024-07-25 15:36:05 +03:00
Active bool `json:"active"`
Scope string `json:"scope,omitempty"`
Username string `json:"username"`
fix OIDC introspection authentication (#31632) See discussion on #31561 for some background. The introspect endpoint was using the OIDC token itself for authentication. This fixes it to use basic authentication with the client ID and secret instead: * Applications with a valid client ID and secret should be able to successfully introspect an invalid token, receiving a 200 response with JSON data that indicates the token is invalid * Requests with an invalid client ID and secret should not be able to introspect, even if the token itself is valid Unlike #31561 (which just future-proofed the current behavior against future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential compatibility break (some introspection requests without valid client IDs that would previously succeed will now fail). Affected deployments must begin sending a valid HTTP basic authentication header with their introspection requests, with the username set to a valid client ID and the password set to the corresponding client secret.
2024-07-23 15:43:03 +03:00
}
introspectParsed := new(introspectResponse)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), introspectParsed))
assert.True(t, introspectParsed.Active)
add `username` to OIDC introspection response (#31688) This field is specified as optional here: https://datatracker.ietf.org/doc/html/rfc7662#section-2.2 It's used by some OIDC integrations, e.g. https://emersion.fr/blog/2022/irc-and-oauth2/ Co-authored-by: Giteabot <teabot@gitea.io>
2024-07-25 15:36:05 +03:00
assert.Equal(t, "user1", introspectParsed.Username)
fix OIDC introspection authentication (#31632) See discussion on #31561 for some background. The introspect endpoint was using the OIDC token itself for authentication. This fixes it to use basic authentication with the client ID and secret instead: * Applications with a valid client ID and secret should be able to successfully introspect an invalid token, receiving a 200 response with JSON data that indicates the token is invalid * Requests with an invalid client ID and secret should not be able to introspect, even if the token itself is valid Unlike #31561 (which just future-proofed the current behavior against future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential compatibility break (some introspection requests without valid client IDs that would previously succeed will now fail). Affected deployments must begin sending a valid HTTP basic authentication header with their introspection requests, with the username set to a valid client ID and the password set to the corresponding client secret.
2024-07-23 15:43:03 +03:00
// successful request with a valid client_id/client_secret, but an invalid token
req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
"token": "xyzzy",
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
resp = MakeRequest(t, req, http.StatusOK)
introspectParsed = new(introspectResponse)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), introspectParsed))
assert.False(t, introspectParsed.Active)
// unsuccessful request with an invalid client_id/client_secret
req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
"token": parsed.AccessToken,
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpK")
resp = MakeRequest(t, req, http.StatusUnauthorized)
assert.Contains(t, resp.Body.String(), "no valid authorization")
}
Reference in New Issue Copy Permalink