package http import ( "context" stdhttp "net/http" "net/http/cookiejar" "net/http/httptest" "net/url" "path/filepath" "strings" "testing" "time" "gitea.dcglab.co.uk/steve/restic-manager/internal/crypto" "gitea.dcglab.co.uk/steve/restic-manager/internal/server/config" "gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc" "gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc/oidctest" "gitea.dcglab.co.uk/steve/restic-manager/internal/store" ) // newTestServerWithOIDC returns a Server wired to a stub IdP. // Returned ts is the httptest.Server fronting the actual server; // stub is the IdP for minting codes / configuring claims. func newTestServerWithOIDC(t *testing.T) (*Server, *httptest.Server, *oidctest.StubIdP) { t.Helper() dir := t.TempDir() st, err := store.Open(context.Background(), filepath.Join(dir, "rm.db")) if err != nil { t.Fatalf("store: %v", err) } t.Cleanup(func() { _ = st.Close() }) keyPath := filepath.Join(dir, "secret.key") if err := crypto.GenerateKeyFile(keyPath); err != nil { t.Fatalf("genkey: %v", err) } key, _ := crypto.LoadKeyFromFile(keyPath) aead, _ := crypto.NewAEAD(key) stub := oidctest.New(t) cfg := &config.OIDCConfig{ Issuer: stub.URL(), ClientID: "test-client", ClientSecret: "x", Scopes: []string{"openid"}, RoleClaim: "groups", RoleMapping: map[string]string{ "rm-admins": "admin", "rm-operators": "operator", "rm-viewers": "viewer", }, } ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) defer cancel() oidcClient, err := oidc.New(ctx, cfg, "http://test") if err != nil { t.Fatalf("oidc client: %v", err) } deps := Deps{ Cfg: config.Config{Listen: ":0", DataDir: dir, SecretKeyFile: keyPath, BaseURL: "http://test"}, Store: st, AEAD: aead, OIDC: oidcClient, } s := New(deps) ts := httptest.NewServer(s.srv.Handler) t.Cleanup(ts.Close) return s, ts, stub } func TestOIDCLoginRedirectsToIdP(t *testing.T) { t.Parallel() srv, ts, _ := newTestServerWithOIDC(t) c := &stdhttp.Client{CheckRedirect: func(*stdhttp.Request, []*stdhttp.Request) error { return stdhttp.ErrUseLastResponse }} res, err := c.Get(ts.URL + "/auth/oidc/login") if err != nil { t.Fatalf("get: %v", err) } defer res.Body.Close() if res.StatusCode != stdhttp.StatusSeeOther { t.Errorf("status: got %d want 303", res.StatusCode) } loc := res.Header.Get("Location") if !strings.Contains(loc, "code_challenge=") || !strings.Contains(loc, "state=") { t.Errorf("location: %q", loc) } _ = srv } // runCallback drives the auth code flow against the stub: kicks off // /auth/oidc/login (capturing the state), mints a code at the stub // with the given claims, then GETs /auth/oidc/callback. Returns the // final response. func runCallback(t *testing.T, ts *httptest.Server, stub *oidctest.StubIdP, claims map[string]any) *stdhttp.Response { t.Helper() jar, _ := cookiejar.New(nil) c := &stdhttp.Client{Jar: jar, CheckRedirect: func(*stdhttp.Request, []*stdhttp.Request) error { return stdhttp.ErrUseLastResponse }} res, err := c.Get(ts.URL + "/auth/oidc/login") if err != nil { t.Fatalf("login: %v", err) } res.Body.Close() authURL, _ := url.Parse(res.Header.Get("Location")) state := authURL.Query().Get("state") code := stub.MintCode(claims) res, err = c.Get(ts.URL + "/auth/oidc/callback?code=" + code + "&state=" + state) if err != nil { t.Fatalf("callback: %v", err) } return res } func TestOIDCCallbackHappyPathAdmin(t *testing.T) { t.Parallel() srv, ts, stub := newTestServerWithOIDC(t) res := runCallback(t, ts, stub, map[string]any{ "sub": "admin-sub", "preferred_username": "alice", "email": "alice@example.com", "groups": []string{"rm-admins"}, "aud": "test-client", }) defer res.Body.Close() if res.StatusCode != stdhttp.StatusSeeOther || res.Header.Get("Location") != "/" { t.Errorf("status: %d Location: %q", res.StatusCode, res.Header.Get("Location")) } u, err := srv.deps.Store.GetUserByOIDCSubject(t.Context(), "admin-sub") if err != nil || u.AuthSource != "oidc" || u.Role != "admin" || u.Username != "alice" { t.Errorf("user: %+v err: %v", u, err) } } func TestOIDCCallbackNoRoleMatchDeny(t *testing.T) { t.Parallel() _, ts, stub := newTestServerWithOIDC(t) res := runCallback(t, ts, stub, map[string]any{ "sub": "other-sub", "preferred_username": "bob", "groups": []string{"something-else"}, "aud": "test-client", }) defer res.Body.Close() if res.StatusCode != stdhttp.StatusSeeOther { t.Errorf("status: got %d want 303", res.StatusCode) } loc := res.Header.Get("Location") if !strings.Contains(loc, "oidc_error=no_role_match") { t.Errorf("location: %q", loc) } } func TestOIDCCallbackUsernameCollision(t *testing.T) { t.Parallel() srv, ts, stub := newTestServerWithOIDC(t) if err := srv.deps.Store.CreateUser(t.Context(), store.User{ ID: "local-alice", Username: "alice", PasswordHash: "x", Role: store.RoleViewer, CreatedAt: time.Now().UTC(), }); err != nil { t.Fatalf("seed: %v", err) } res := runCallback(t, ts, stub, map[string]any{ "sub": "remote-sub", "preferred_username": "alice", "groups": []string{"rm-admins"}, "aud": "test-client", }) defer res.Body.Close() loc := res.Header.Get("Location") if !strings.Contains(loc, "oidc_error=username_taken") { t.Errorf("location: %q", loc) } if _, err := srv.deps.Store.GetUserByOIDCSubject(t.Context(), "remote-sub"); err == nil { t.Error("collision should not have provisioned a user") } } func TestOIDCCallbackReturningUserRefreshesRole(t *testing.T) { t.Parallel() srv, ts, stub := newTestServerWithOIDC(t) res := runCallback(t, ts, stub, map[string]any{ "sub": "carol-sub", "preferred_username": "carol", "groups": []string{"rm-operators"}, "aud": "test-client", }) res.Body.Close() res = runCallback(t, ts, stub, map[string]any{ "sub": "carol-sub", "preferred_username": "carol", "groups": []string{"rm-admins"}, "aud": "test-client", }) res.Body.Close() u, _ := srv.deps.Store.GetUserByOIDCSubject(t.Context(), "carol-sub") if u.Role != "admin" { t.Errorf("role refresh: got %q want admin", u.Role) } }