(t *testing.T)
| 92 | } |
| 93 | |
| 94 | func TestOIDCMCPTokenSource(t *testing.T) { |
| 95 | t.Parallel() |
| 96 | |
| 97 | logger := testutil.Logger(t) |
| 98 | |
| 99 | t.Run("NilConfig", func(t *testing.T) { |
| 100 | t.Parallel() |
| 101 | db, _ := dbtestutil.NewDB(t) |
| 102 | require.Nil(t, newOIDCMCPTokenSource(db, nil, logger)) |
| 103 | }) |
| 104 | |
| 105 | t.Run("NoLink", func(t *testing.T) { |
| 106 | // When the user has no OIDC link the source returns ("", nil) |
| 107 | // rather than an error so the caller can fall through to |
| 108 | // "no Authorization header". |
| 109 | t.Parallel() |
| 110 | db, _ := dbtestutil.NewDB(t) |
| 111 | store := dbauthzTestStore(t, db) |
| 112 | user := dbgen.User(t, db, database.User{LoginType: database.LoginTypeOIDC}) |
| 113 | |
| 114 | src := newOIDCMCPTokenSource(store, &testutil.OAuth2Config{}, logger) |
| 115 | ctx := dbauthz.AsChatd(context.Background()) |
| 116 | |
| 117 | tok, err := src.OIDCAccessToken(ctx, user.ID) |
| 118 | require.NoError(t, err) |
| 119 | require.Empty(t, tok) |
| 120 | }) |
| 121 | |
| 122 | t.Run("FreshToken", func(t *testing.T) { |
| 123 | // A non-expired token is returned as-is; no refresh is performed. |
| 124 | t.Parallel() |
| 125 | db, _ := dbtestutil.NewDB(t) |
| 126 | store := dbauthzTestStore(t, db) |
| 127 | user := dbgen.User(t, db, database.User{}) |
| 128 | dbgen.UserLink(t, db, database.UserLink{ |
| 129 | UserID: user.ID, |
| 130 | LoginType: database.LoginTypeOIDC, |
| 131 | OAuthAccessToken: "fresh", |
| 132 | OAuthRefreshToken: "refresh", |
| 133 | OAuthExpiry: dbtime.Now().Add(time.Hour), |
| 134 | }) |
| 135 | |
| 136 | src := newOIDCMCPTokenSource(store, &testutil.OAuth2Config{ |
| 137 | Token: &oauth2.Token{AccessToken: "should-not-be-used"}, |
| 138 | }, logger) |
| 139 | ctx := dbauthz.AsChatd(context.Background()) |
| 140 | |
| 141 | tok, err := src.OIDCAccessToken(ctx, user.ID) |
| 142 | require.NoError(t, err) |
| 143 | require.Equal(t, "fresh", tok) |
| 144 | }) |
| 145 | |
| 146 | t.Run("RefreshExpired", func(t *testing.T) { |
| 147 | // An expired token triggers a refresh; the new token is |
| 148 | // persisted via UpdateUserLink. This exercises the dbauthz |
| 149 | // elevation: chatd lacks ResourceSystem.Read and |
| 150 | // ResourceUser.UpdatePersonal so a non-elevated context |
| 151 | // would fail both reads and writes. |