MCPcopy Index your code
hub / github.com/coder/coder / TestIDPIssuerMismatch

Function TestIDPIssuerMismatch

coderd/coderdtest/oidctest/idp_test.go:76–150  ·  view source on GitHub ↗

TestIDPIssuerMismatch emulates a situation where the IDP issuer url does not match the one in the well-known config and claims. This can happen in some edge cases and in some azure configurations. This test just makes sure a fake IDP can set up this scenario.

(t *testing.T)

Source from the content-addressed store, hash-verified

74//
75// This test just makes sure a fake IDP can set up this scenario.
76func TestIDPIssuerMismatch(t *testing.T) {
77 t.Parallel()
78
79 const proxyURL = "https://proxy.com"
80 const primaryURL = "https://primary.com"
81
82 fake := oidctest.NewFakeIDP(t,
83 oidctest.WithIssuer(proxyURL),
84 oidctest.WithDefaultIDClaims(jwt.MapClaims{
85 "iss": primaryURL,
86 }),
87 oidctest.WithHookWellKnown(func(r *http.Request, j *oidctest.ProviderJSON) error {
88 // host should be proxy.com, but we return the primaryURL
89 if r.Host != "proxy.com" {
90 return xerrors.Errorf("unexpected host: %s", r.Host)
91 }
92 j.Issuer = primaryURL
93 return nil
94 }),
95 oidctest.WithLogging(t, nil),
96 )
97
98 ctx := testutil.Context(t, testutil.WaitMedium)
99 // Do not use real network requests
100 cli := fake.HTTPClient(nil)
101 ctx = oidc.ClientContext(ctx, cli)
102
103 // Allow the issuer mismatch
104 verifierContext := oidc.InsecureIssuerURLContext(ctx, "this field does not matter")
105 p, err := oidc.NewProvider(verifierContext, "https://proxy.com")
106 require.NoError(t, err, "failed to create OIDC provider")
107
108 oauthConfig := fake.OauthConfig(t, nil)
109 cfg := &coderd.OIDCConfig{
110 OAuth2Config: oauthConfig,
111 Provider: p,
112 Verifier: oidc.NewVerifier(fake.WellknownConfig().Issuer, &oidc.StaticKeySet{
113 PublicKeys: []crypto.PublicKey{fake.PublicKey()},
114 }, &oidc.Config{
115 SkipIssuerCheck: true,
116 ClientID: oauthConfig.ClientID,
117 SupportedSigningAlgs: []string{
118 "RS256",
119 },
120 }),
121 UsernameField: "preferred_username",
122 EmailField: "email",
123 AuthURLParams: map[string]string{"access_type": "offline"},
124 }
125
126 const expectedState = "random-state"
127 var token *oauth2.Token
128
129 fake.SetCoderdCallbackHandler(func(w http.ResponseWriter, r *http.Request) {
130 // Emulate OIDC flow
131 code := r.URL.Query().Get("code")
132 state := r.URL.Query().Get("state")
133 assert.Equal(t, expectedState, state, "state mismatch")

Callers

nothing calls this directly

Calls 15

HTTPClientMethod · 0.95
OauthConfigMethod · 0.95
WellknownConfigMethod · 0.95
PublicKeyMethod · 0.95
OIDCCallbackMethod · 0.95
NewFakeIDPFunction · 0.92
WithIssuerFunction · 0.92
WithDefaultIDClaimsFunction · 0.92
WithHookWellKnownFunction · 0.92
WithLoggingFunction · 0.92
ContextFunction · 0.92

Tested by

no test coverage detected