TestOAuth2PrivilegeEscalation tests that clients cannot escalate their privileges
(t *testing.T)
| 202 | |
| 203 | // TestOAuth2PrivilegeEscalation tests that clients cannot escalate their privileges |
| 204 | func TestOAuth2PrivilegeEscalation(t *testing.T) { |
| 205 | t.Parallel() |
| 206 | |
| 207 | t.Run("CannotEscalateScopeViaUpdate", func(t *testing.T) { |
| 208 | t.Parallel() |
| 209 | |
| 210 | client := coderdtest.New(t, nil) |
| 211 | _ = coderdtest.CreateFirstUser(t, client) |
| 212 | ctx := t.Context() |
| 213 | |
| 214 | // Register a basic client |
| 215 | clientName := fmt.Sprintf("test-client-%d", time.Now().UnixNano()) |
| 216 | regReq := codersdk.OAuth2ClientRegistrationRequest{ |
| 217 | RedirectURIs: []string{"https://example.com/callback"}, |
| 218 | ClientName: clientName, |
| 219 | Scope: "read", // Limited scope |
| 220 | } |
| 221 | regResp, err := client.PostOAuth2ClientRegistration(ctx, regReq) |
| 222 | require.NoError(t, err) |
| 223 | |
| 224 | // Try to escalate scope through update |
| 225 | updateReq := codersdk.OAuth2ClientRegistrationRequest{ |
| 226 | RedirectURIs: []string{"https://example.com/callback"}, |
| 227 | ClientName: clientName, |
| 228 | Scope: "read write admin", // Trying to escalate to admin |
| 229 | } |
| 230 | |
| 231 | // This should succeed (scope changes are allowed in updates) |
| 232 | // but the system should validate scope permissions appropriately |
| 233 | updatedConfig, err := client.PutOAuth2ClientConfiguration(ctx, regResp.ClientID, regResp.RegistrationAccessToken, updateReq) |
| 234 | if err == nil { |
| 235 | // If update succeeds, verify the scope was set appropriately |
| 236 | // (The actual scope validation would happen during token issuance) |
| 237 | require.Contains(t, updatedConfig.Scope, "read") |
| 238 | } |
| 239 | }) |
| 240 | |
| 241 | t.Run("CustomSchemeRedirectURIs", func(t *testing.T) { |
| 242 | t.Parallel() |
| 243 | |
| 244 | client := coderdtest.New(t, nil) |
| 245 | _ = coderdtest.CreateFirstUser(t, client) |
| 246 | ctx := t.Context() |
| 247 | |
| 248 | // Test valid custom schemes per RFC 7591/8252 |
| 249 | validCustomSchemeRequests := []codersdk.OAuth2ClientRegistrationRequest{ |
| 250 | { |
| 251 | RedirectURIs: []string{"com.example.myapp://callback"}, |
| 252 | ClientName: fmt.Sprintf("native-app-1-%d", time.Now().UnixNano()), |
| 253 | TokenEndpointAuthMethod: "none", // Required for public clients using custom schemes |
| 254 | }, |
| 255 | { |
| 256 | RedirectURIs: []string{"com.example.app://oauth"}, |
| 257 | ClientName: fmt.Sprintf("native-app-2-%d", time.Now().UnixNano()), |
| 258 | TokenEndpointAuthMethod: "none", // Required for public clients using custom schemes |
| 259 | }, |
| 260 | { |
| 261 | RedirectURIs: []string{"urn:ietf:wg:oauth:2.0:oob"}, |
nothing calls this directly
no test coverage detected