MCPcopy Index your code
hub / github.com/coder/coder / TestOAuth2PrivilegeEscalation

Function TestOAuth2PrivilegeEscalation

coderd/oauth2_security_test.go:204–311  ·  view source on GitHub ↗

TestOAuth2PrivilegeEscalation tests that clients cannot escalate their privileges

(t *testing.T)

Source from the content-addressed store, hash-verified

202
203// TestOAuth2PrivilegeEscalation tests that clients cannot escalate their privileges
204func TestOAuth2PrivilegeEscalation(t *testing.T) {
205 t.Parallel()
206
207 t.Run("CannotEscalateScopeViaUpdate", func(t *testing.T) {
208 t.Parallel()
209
210 client := coderdtest.New(t, nil)
211 _ = coderdtest.CreateFirstUser(t, client)
212 ctx := t.Context()
213
214 // Register a basic client
215 clientName := fmt.Sprintf("test-client-%d", time.Now().UnixNano())
216 regReq := codersdk.OAuth2ClientRegistrationRequest{
217 RedirectURIs: []string{"https://example.com/callback"},
218 ClientName: clientName,
219 Scope: "read", // Limited scope
220 }
221 regResp, err := client.PostOAuth2ClientRegistration(ctx, regReq)
222 require.NoError(t, err)
223
224 // Try to escalate scope through update
225 updateReq := codersdk.OAuth2ClientRegistrationRequest{
226 RedirectURIs: []string{"https://example.com/callback"},
227 ClientName: clientName,
228 Scope: "read write admin", // Trying to escalate to admin
229 }
230
231 // This should succeed (scope changes are allowed in updates)
232 // but the system should validate scope permissions appropriately
233 updatedConfig, err := client.PutOAuth2ClientConfiguration(ctx, regResp.ClientID, regResp.RegistrationAccessToken, updateReq)
234 if err == nil {
235 // If update succeeds, verify the scope was set appropriately
236 // (The actual scope validation would happen during token issuance)
237 require.Contains(t, updatedConfig.Scope, "read")
238 }
239 })
240
241 t.Run("CustomSchemeRedirectURIs", func(t *testing.T) {
242 t.Parallel()
243
244 client := coderdtest.New(t, nil)
245 _ = coderdtest.CreateFirstUser(t, client)
246 ctx := t.Context()
247
248 // Test valid custom schemes per RFC 7591/8252
249 validCustomSchemeRequests := []codersdk.OAuth2ClientRegistrationRequest{
250 {
251 RedirectURIs: []string{"com.example.myapp://callback"},
252 ClientName: fmt.Sprintf("native-app-1-%d", time.Now().UnixNano()),
253 TokenEndpointAuthMethod: "none", // Required for public clients using custom schemes
254 },
255 {
256 RedirectURIs: []string{"com.example.app://oauth"},
257 ClientName: fmt.Sprintf("native-app-2-%d", time.Now().UnixNano()),
258 TokenEndpointAuthMethod: "none", // Required for public clients using custom schemes
259 },
260 {
261 RedirectURIs: []string{"urn:ietf:wg:oauth:2.0:oob"},

Callers

nothing calls this directly

Calls 8

NewFunction · 0.92
CreateFirstUserFunction · 0.92
RunMethod · 0.65
ContextMethod · 0.65
ContainsMethod · 0.45
ErrorMethod · 0.45

Tested by

no test coverage detected