Merge a992efae0e
into 3334d140be
commit
8dce97c4ab
@ -0,0 +1,733 @@
|
||||
import {EnvironmentSnapshot} from "../testUtils";
|
||||
import {OIDCConfig} from "app/server/lib/OIDCConfig";
|
||||
import {SessionObj} from "app/server/lib/BrowserSession";
|
||||
import {Sessions} from "app/server/lib/Sessions";
|
||||
import log from "app/server/lib/log";
|
||||
import {assert} from "chai";
|
||||
import Sinon from "sinon";
|
||||
import {Client, generators} from "openid-client";
|
||||
import express from "express";
|
||||
import _ from "lodash";
|
||||
import {RequestWithLogin} from "app/server/lib/Authorizer";
|
||||
import { SendAppPage } from "app/server/lib/sendAppPage";
|
||||
|
||||
const NOOPED_SEND_APP_PAGE: SendAppPage = () => Promise.resolve();
|
||||
|
||||
class OIDCConfigStubbed extends OIDCConfig {
|
||||
public static async buildWithStub(client: Client = new ClientStub().asClient()) {
|
||||
return this.build(NOOPED_SEND_APP_PAGE, client);
|
||||
}
|
||||
public static async build(sendAppPage: SendAppPage, clientStub?: Client): Promise<OIDCConfigStubbed> {
|
||||
const result = new OIDCConfigStubbed(sendAppPage);
|
||||
if (clientStub) {
|
||||
result._initClient = Sinon.spy(() => {
|
||||
result._client = clientStub!;
|
||||
});
|
||||
}
|
||||
await result.initOIDC();
|
||||
return result;
|
||||
}
|
||||
|
||||
public _initClient: Sinon.SinonSpy;
|
||||
}
|
||||
|
||||
class ClientStub {
|
||||
public static FAKE_REDIRECT_URL = 'FAKE_REDIRECT_URL';
|
||||
public authorizationUrl = Sinon.stub().returns(ClientStub.FAKE_REDIRECT_URL);
|
||||
public callbackParams = Sinon.stub().returns(undefined);
|
||||
public callback = Sinon.stub().returns(undefined);
|
||||
public userinfo = Sinon.stub().returns(undefined);
|
||||
public endSessionUrl = Sinon.stub().returns(undefined);
|
||||
public issuer: {
|
||||
metadata: {
|
||||
end_session_endpoint: string | undefined;
|
||||
}
|
||||
} = {
|
||||
metadata: {
|
||||
end_session_endpoint: 'http://localhost:8484/logout',
|
||||
}
|
||||
};
|
||||
public asClient() {
|
||||
return this as unknown as Client;
|
||||
}
|
||||
public getAuthorizationUrlStub() {
|
||||
return this.authorizationUrl;
|
||||
}
|
||||
}
|
||||
|
||||
describe('OIDCConfig', () => {
|
||||
let oldEnv: EnvironmentSnapshot;
|
||||
let sandbox: Sinon.SinonSandbox;
|
||||
let logInfoStub: Sinon.SinonStub;
|
||||
let logErrorStub: Sinon.SinonStub;
|
||||
let logDebugStub: Sinon.SinonStub;
|
||||
|
||||
before(() => {
|
||||
oldEnv = new EnvironmentSnapshot();
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
sandbox = Sinon.createSandbox();
|
||||
logInfoStub = sandbox.stub(log, 'info');
|
||||
logErrorStub = sandbox.stub(log, 'error');
|
||||
logDebugStub = sandbox.stub(log, 'debug');
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
oldEnv.restore();
|
||||
sandbox.restore();
|
||||
});
|
||||
|
||||
function setEnvVars() {
|
||||
// Prevent any environment variable from leaking into the test:
|
||||
for (const envVar in process.env) {
|
||||
if (envVar.startsWith('GRIST_OIDC_')) {
|
||||
delete process.env[envVar];
|
||||
}
|
||||
}
|
||||
process.env.GRIST_OIDC_SP_HOST = 'http://localhost:8484';
|
||||
process.env.GRIST_OIDC_IDP_CLIENT_ID = 'client id';
|
||||
process.env.GRIST_OIDC_IDP_CLIENT_SECRET = 'secret';
|
||||
process.env.GRIST_OIDC_IDP_ISSUER = 'http://localhost:8000';
|
||||
}
|
||||
|
||||
describe('build', () => {
|
||||
it('should reject when required env variables are not passed', async () => {
|
||||
for (const envVar of [
|
||||
'GRIST_OIDC_SP_HOST',
|
||||
'GRIST_OIDC_IDP_ISSUER',
|
||||
'GRIST_OIDC_IDP_CLIENT_ID',
|
||||
'GRIST_OIDC_IDP_CLIENT_SECRET',
|
||||
]) {
|
||||
setEnvVars();
|
||||
delete process.env[envVar];
|
||||
const promise = OIDCConfig.build(NOOPED_SEND_APP_PAGE);
|
||||
await assert.isRejected(promise, `missing environment variable: ${envVar}`);
|
||||
}
|
||||
});
|
||||
|
||||
it('should reject when the client initialization fails', async () => {
|
||||
setEnvVars();
|
||||
sandbox.stub(OIDCConfigStubbed.prototype, '_initClient').rejects(new Error('client init failed'));
|
||||
const promise = OIDCConfigStubbed.build(NOOPED_SEND_APP_PAGE);
|
||||
await assert.isRejected(promise, 'client init failed');
|
||||
});
|
||||
|
||||
it('should create a client with passed information', async () => {
|
||||
setEnvVars();
|
||||
const config = await OIDCConfigStubbed.buildWithStub();
|
||||
assert.isTrue(config._initClient.calledOnce);
|
||||
assert.deepEqual(config._initClient.firstCall.args, [{
|
||||
clientId: process.env.GRIST_OIDC_IDP_CLIENT_ID,
|
||||
clientSecret: process.env.GRIST_OIDC_IDP_CLIENT_SECRET,
|
||||
issuerUrl: process.env.GRIST_OIDC_IDP_ISSUER,
|
||||
extraMetadata: {},
|
||||
}]);
|
||||
assert.isTrue(logInfoStub.calledOnce);
|
||||
assert.deepEqual(
|
||||
logInfoStub.firstCall.args,
|
||||
[`OIDCConfig: initialized with issuer ${process.env.GRIST_OIDC_IDP_ISSUER}`]
|
||||
);
|
||||
});
|
||||
|
||||
it('should create a client with passed information with extra configuration', async () => {
|
||||
setEnvVars();
|
||||
const extraMetadata = {
|
||||
userinfo_signed_response_alg: 'RS256',
|
||||
};
|
||||
process.env.GRIST_OIDC_IDP_EXTRA_CLIENT_METADATA = JSON.stringify(extraMetadata);
|
||||
const config = await OIDCConfigStubbed.buildWithStub();
|
||||
assert.isTrue(config._initClient.calledOnce);
|
||||
assert.deepEqual(config._initClient.firstCall.args, [{
|
||||
clientId: process.env.GRIST_OIDC_IDP_CLIENT_ID,
|
||||
clientSecret: process.env.GRIST_OIDC_IDP_CLIENT_SECRET,
|
||||
issuerUrl: process.env.GRIST_OIDC_IDP_ISSUER,
|
||||
extraMetadata,
|
||||
}]);
|
||||
});
|
||||
|
||||
describe('End Session Endpoint', () => {
|
||||
[
|
||||
{
|
||||
itMsg: 'should fulfill when the end_session_endpoint is not known ' +
|
||||
'and GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true',
|
||||
end_session_endpoint: undefined,
|
||||
env: {
|
||||
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true'
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should fulfill when the end_session_endpoint is not known ' +
|
||||
'and GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true',
|
||||
end_session_endpoint: undefined,
|
||||
env: {
|
||||
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true'
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should fulfill when the end_session_endpoint is provided with GRIST_OIDC_IDP_END_SESSION_ENDPOINT',
|
||||
end_session_endpoint: undefined,
|
||||
env: {
|
||||
GRIST_OIDC_IDP_END_SESSION_ENDPOINT: 'http://localhost:8484/logout'
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should fulfill when the end_session_endpoint is provided with the issuer',
|
||||
end_session_endpoint: 'http://localhost:8484/logout',
|
||||
},
|
||||
{
|
||||
itMsg: 'should reject when the end_session_endpoint is not known',
|
||||
errorMsg: /If that is expected, please set GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT/,
|
||||
end_session_endpoint: undefined,
|
||||
}
|
||||
].forEach((ctx) => {
|
||||
it(ctx.itMsg, async () => {
|
||||
setEnvVars();
|
||||
Object.assign(process.env, ctx.env);
|
||||
const client = new ClientStub();
|
||||
client.issuer.metadata.end_session_endpoint = ctx.end_session_endpoint;
|
||||
const promise = OIDCConfigStubbed.buildWithStub(client.asClient());
|
||||
if (ctx.errorMsg) {
|
||||
await assert.isRejected(promise, ctx.errorMsg);
|
||||
assert.isFalse(logInfoStub.calledOnce);
|
||||
} else {
|
||||
await assert.isFulfilled(promise);
|
||||
assert.isTrue(logInfoStub.calledOnce);
|
||||
}
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('GRIST_OIDC_IDP_ENABLED_PROTECTIONS', () => {
|
||||
it('should throw when GRIST_OIDC_IDP_ENABLED_PROTECTIONS contains unsupported values', async () => {
|
||||
setEnvVars();
|
||||
process.env.GRIST_OIDC_IDP_ENABLED_PROTECTIONS = 'STATE,NONCE,PKCE,invalid';
|
||||
const promise = OIDCConfig.build(NOOPED_SEND_APP_PAGE);
|
||||
await assert.isRejected(promise, 'OIDC: Invalid protection in GRIST_OIDC_IDP_ENABLED_PROTECTIONS: invalid');
|
||||
});
|
||||
|
||||
it('should successfully change the supported protections', async function () {
|
||||
setEnvVars();
|
||||
process.env.GRIST_OIDC_IDP_ENABLED_PROTECTIONS = 'NONCE';
|
||||
const config = await OIDCConfigStubbed.buildWithStub();
|
||||
assert.isTrue(config.supportsProtection("NONCE"));
|
||||
assert.isFalse(config.supportsProtection("PKCE"));
|
||||
assert.isFalse(config.supportsProtection("STATE"));
|
||||
});
|
||||
|
||||
it('should successfully accept an empty string', async function () {
|
||||
setEnvVars();
|
||||
process.env.GRIST_OIDC_IDP_ENABLED_PROTECTIONS = '';
|
||||
const config = await OIDCConfigStubbed.buildWithStub();
|
||||
assert.isFalse(config.supportsProtection("NONCE"));
|
||||
assert.isFalse(config.supportsProtection("PKCE"));
|
||||
assert.isFalse(config.supportsProtection("STATE"));
|
||||
});
|
||||
|
||||
it('if omitted, should defaults to "STATE,PKCE"', async function () {
|
||||
setEnvVars();
|
||||
const config = await OIDCConfigStubbed.buildWithStub();
|
||||
assert.isFalse(config.supportsProtection("NONCE"));
|
||||
assert.isTrue(config.supportsProtection("PKCE"));
|
||||
assert.isTrue(config.supportsProtection("STATE"));
|
||||
});
|
||||
});
|
||||
|
||||
describe('getLoginRedirectUrl', () => {
|
||||
const FAKE_NONCE = 'fake-nonce';
|
||||
const FAKE_STATE = 'fake-state';
|
||||
const FAKE_CODE_VERIFIER = 'fake-code-verifier';
|
||||
const FAKE_CODE_CHALLENGE = 'fake-code-challenge';
|
||||
const TARGET_URL = 'http://localhost:8484/';
|
||||
|
||||
beforeEach(() => {
|
||||
sandbox.stub(generators, 'nonce').returns(FAKE_NONCE);
|
||||
sandbox.stub(generators, 'state').returns(FAKE_STATE);
|
||||
sandbox.stub(generators, 'codeVerifier').returns(FAKE_CODE_VERIFIER);
|
||||
sandbox.stub(generators, 'codeChallenge').returns(FAKE_CODE_CHALLENGE);
|
||||
});
|
||||
|
||||
[
|
||||
{
|
||||
itMsg: 'should forge the url with default values',
|
||||
expectedCalledWith: [{
|
||||
scope: 'openid email profile',
|
||||
acr_values: undefined,
|
||||
code_challenge: FAKE_CODE_CHALLENGE,
|
||||
code_challenge_method: 'S256',
|
||||
state: FAKE_STATE,
|
||||
}],
|
||||
expectedSession: {
|
||||
oidc: {
|
||||
codeVerifier: FAKE_CODE_VERIFIER,
|
||||
state: FAKE_STATE,
|
||||
targetUrl: TARGET_URL,
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should forge the URL with passed GRIST_OIDC_IDP_SCOPES',
|
||||
env: {
|
||||
GRIST_OIDC_IDP_SCOPES: 'my scopes',
|
||||
},
|
||||
expectedCalledWith: [{
|
||||
scope: 'my scopes',
|
||||
acr_values: undefined,
|
||||
code_challenge: FAKE_CODE_CHALLENGE,
|
||||
code_challenge_method: 'S256',
|
||||
state: FAKE_STATE,
|
||||
}],
|
||||
expectedSession: {
|
||||
oidc: {
|
||||
codeVerifier: FAKE_CODE_VERIFIER,
|
||||
state: FAKE_STATE,
|
||||
targetUrl: TARGET_URL,
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should pass the nonce when GRIST_OIDC_IDP_ENABLED_PROTECTIONS includes NONCE',
|
||||
env: {
|
||||
GRIST_OIDC_IDP_ENABLED_PROTECTIONS: 'STATE,NONCE,PKCE',
|
||||
},
|
||||
expectedCalledWith: [{
|
||||
scope: 'openid email profile',
|
||||
acr_values: undefined,
|
||||
code_challenge: FAKE_CODE_CHALLENGE,
|
||||
code_challenge_method: 'S256',
|
||||
state: FAKE_STATE,
|
||||
nonce: FAKE_NONCE,
|
||||
}],
|
||||
expectedSession: {
|
||||
oidc: {
|
||||
codeVerifier: FAKE_CODE_VERIFIER,
|
||||
nonce: FAKE_NONCE,
|
||||
state: FAKE_STATE,
|
||||
targetUrl: TARGET_URL,
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should not pass the code_challenge when PKCE is omitted in GRIST_OIDC_IDP_ENABLED_PROTECTIONS',
|
||||
env: {
|
||||
GRIST_OIDC_IDP_ENABLED_PROTECTIONS: 'STATE,NONCE',
|
||||
},
|
||||
expectedCalledWith: [{
|
||||
scope: 'openid email profile',
|
||||
acr_values: undefined,
|
||||
state: FAKE_STATE,
|
||||
nonce: FAKE_NONCE,
|
||||
}],
|
||||
expectedSession: {
|
||||
oidc: {
|
||||
nonce: FAKE_NONCE,
|
||||
state: FAKE_STATE,
|
||||
targetUrl: TARGET_URL,
|
||||
}
|
||||
}
|
||||
},
|
||||
].forEach(ctx => {
|
||||
it(ctx.itMsg, async () => {
|
||||
setEnvVars();
|
||||
Object.assign(process.env, ctx.env);
|
||||
const clientStub = new ClientStub();
|
||||
const config = await OIDCConfigStubbed.buildWithStub(clientStub.asClient());
|
||||
const session = {};
|
||||
const req = {
|
||||
session
|
||||
} as unknown as express.Request;
|
||||
const url = await config.getLoginRedirectUrl(req, new URL(TARGET_URL));
|
||||
assert.equal(url, ClientStub.FAKE_REDIRECT_URL);
|
||||
assert.isTrue(clientStub.authorizationUrl.calledOnce);
|
||||
assert.deepEqual(clientStub.authorizationUrl.firstCall.args, ctx.expectedCalledWith);
|
||||
assert.deepEqual(session, ctx.expectedSession);
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('handleCallback', () => {
|
||||
const FAKE_STATE = 'fake-state';
|
||||
const FAKE_NONCE = 'fake-nonce';
|
||||
const FAKE_CODE_VERIFIER = 'fake-code-verifier';
|
||||
const FAKE_USER_INFO = {
|
||||
email: 'fake-email',
|
||||
name: 'fake-name',
|
||||
email_verified: true,
|
||||
};
|
||||
const DEFAULT_SESSION = {
|
||||
oidc: {
|
||||
codeVerifier: FAKE_CODE_VERIFIER,
|
||||
state: FAKE_STATE
|
||||
}
|
||||
} as SessionObj;
|
||||
const DEFAULT_EXPECTED_CALLBACK_CHECKS = {
|
||||
state: FAKE_STATE,
|
||||
code_verifier: FAKE_CODE_VERIFIER
|
||||
};
|
||||
let fakeRes: {
|
||||
status: Sinon.SinonStub;
|
||||
send: Sinon.SinonStub;
|
||||
redirect: Sinon.SinonStub;
|
||||
};
|
||||
let fakeSessions: {
|
||||
getOrCreateSessionFromRequest: Sinon.SinonStub
|
||||
};
|
||||
let fakeScopedSession: {
|
||||
operateOnScopedSession: Sinon.SinonStub
|
||||
};
|
||||
|
||||
beforeEach(() => {
|
||||
fakeRes = {
|
||||
redirect: Sinon.stub(),
|
||||
status: Sinon.stub().returnsThis(),
|
||||
send: Sinon.stub().returnsThis(),
|
||||
};
|
||||
fakeScopedSession = {
|
||||
operateOnScopedSession: Sinon.stub().resolves(),
|
||||
};
|
||||
fakeSessions = {
|
||||
getOrCreateSessionFromRequest: Sinon.stub().returns(fakeScopedSession),
|
||||
};
|
||||
});
|
||||
|
||||
function checkUserProfile(expectedUserProfile: object) {
|
||||
return function ({user}: {user: any}) {
|
||||
assert.deepEqual(user.profile, expectedUserProfile,
|
||||
`user profile should have been populated with ${JSON.stringify(expectedUserProfile)}`);
|
||||
};
|
||||
}
|
||||
|
||||
function checkRedirect(expectedRedirection: string) {
|
||||
return function ({fakeRes}: {fakeRes: any}) {
|
||||
assert.deepEqual(fakeRes.redirect.firstCall.args, [expectedRedirection],
|
||||
`should have redirected to ${expectedRedirection}`);
|
||||
};
|
||||
}
|
||||
|
||||
[
|
||||
{
|
||||
itMsg: 'should resolve when the state and the code challenge are found in the session',
|
||||
session: DEFAULT_SESSION,
|
||||
},
|
||||
{
|
||||
itMsg: 'should reject when the state is not found in the session',
|
||||
session: {},
|
||||
expectedErrorMsg: /Login or logout failed to complete/,
|
||||
},
|
||||
{
|
||||
itMsg: 'should resolve when the state is missing and its check has been disabled',
|
||||
session: DEFAULT_SESSION,
|
||||
env: {
|
||||
GRIST_OIDC_IDP_ENABLED_PROTECTIONS: '',
|
||||
},
|
||||
},
|
||||
{
|
||||
itMsg: 'should reject when the codeVerifier is missing from the session',
|
||||
session: {
|
||||
oidc: {
|
||||
state: FAKE_STATE
|
||||
}
|
||||
},
|
||||
expectedErrorMsg: /Login is stale/,
|
||||
},
|
||||
{
|
||||
itMsg: 'should resolve when the codeVerifier is missing and its check has been disabled',
|
||||
session: {
|
||||
oidc: {
|
||||
state: FAKE_STATE,
|
||||
nonce: FAKE_NONCE
|
||||
}
|
||||
},
|
||||
env: {
|
||||
GRIST_OIDC_IDP_ENABLED_PROTECTIONS: 'STATE,NONCE',
|
||||
},
|
||||
expectedCbChecks: {
|
||||
state: FAKE_STATE,
|
||||
nonce: FAKE_NONCE
|
||||
},
|
||||
},
|
||||
{
|
||||
itMsg: 'should reject when nonce is missing from the session despite its check being enabled',
|
||||
session: DEFAULT_SESSION,
|
||||
env: {
|
||||
GRIST_OIDC_IDP_ENABLED_PROTECTIONS: 'STATE,NONCE,PKCE',
|
||||
},
|
||||
expectedErrorMsg: /Login is stale/,
|
||||
}, {
|
||||
itMsg: 'should resolve when nonce is present in the session and its check is enabled',
|
||||
session: {
|
||||
oidc: {
|
||||
state: FAKE_STATE,
|
||||
nonce: FAKE_NONCE,
|
||||
},
|
||||
},
|
||||
env: {
|
||||
GRIST_OIDC_IDP_ENABLED_PROTECTIONS: 'STATE,NONCE',
|
||||
},
|
||||
expectedCbChecks: {
|
||||
state: FAKE_STATE,
|
||||
nonce: FAKE_NONCE,
|
||||
},
|
||||
},
|
||||
{
|
||||
itMsg: 'should reject when the userinfo mail is not verified',
|
||||
session: DEFAULT_SESSION,
|
||||
userInfo: {
|
||||
...FAKE_USER_INFO,
|
||||
email_verified: false,
|
||||
},
|
||||
expectedErrorMsg: /email not verified for/,
|
||||
extraChecks: function ({ sendAppPageStub }: { sendAppPageStub: Sinon.SinonStub }) {
|
||||
assert.match(sendAppPageStub.firstCall.args[2].config.errMessage, /Your email is not verified/);
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should resolve when the userinfo mail is not verified but its check disabled',
|
||||
session: DEFAULT_SESSION,
|
||||
userInfo: {
|
||||
...FAKE_USER_INFO,
|
||||
email_verified: false,
|
||||
},
|
||||
env: {
|
||||
GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED: 'true',
|
||||
}
|
||||
},
|
||||
{
|
||||
itMsg: 'should resolve when the userinfo mail is not verified but its check disabled',
|
||||
session: DEFAULT_SESSION,
|
||||
userInfo: {
|
||||
...FAKE_USER_INFO,
|
||||
email_verified: false,
|
||||
},
|
||||
env: {
|
||||
GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED: 'true',
|
||||
},
|
||||
},
|
||||
{
|
||||
itMsg: 'should fill user profile with email and name',
|
||||
session: DEFAULT_SESSION,
|
||||
userInfo: FAKE_USER_INFO,
|
||||
extraChecks: checkUserProfile({
|
||||
email: FAKE_USER_INFO.email,
|
||||
name: FAKE_USER_INFO.name,
|
||||
})
|
||||
},
|
||||
{
|
||||
itMsg: 'should fill user profile with name constructed using ' +
|
||||
'given_name and family_name when GRIST_OIDC_SP_PROFILE_NAME_ATTR is not set',
|
||||
session: DEFAULT_SESSION,
|
||||
userInfo: {
|
||||
...FAKE_USER_INFO,
|
||||
given_name: 'given_name',
|
||||
family_name: 'family_name',
|
||||
},
|
||||
extrachecks: checkUserProfile({
|
||||
email: 'fake-email',
|
||||
name: 'given_name family_name',
|
||||
})
|
||||
},
|
||||
{
|
||||
itMsg: 'should fill user profile with email and name when ' +
|
||||
'GRIST_OIDC_SP_PROFILE_NAME_ATTR and GRIST_OIDC_SP_PROFILE_EMAIL_ATTR are set',
|
||||
session: DEFAULT_SESSION,
|
||||
userInfo: {
|
||||
...FAKE_USER_INFO,
|
||||
fooMail: 'fake-email2',
|
||||
fooName: 'fake-name2',
|
||||
},
|
||||
env: {
|
||||
GRIST_OIDC_SP_PROFILE_NAME_ATTR: 'fooName',
|
||||
GRIST_OIDC_SP_PROFILE_EMAIL_ATTR: 'fooMail',
|
||||
},
|
||||
extraChecks: checkUserProfile({
|
||||
email: 'fake-email2',
|
||||
name: 'fake-name2',
|
||||
}),
|
||||
},
|
||||
{
|
||||
itMsg: 'should redirect by default to the root page',
|
||||
session: DEFAULT_SESSION,
|
||||
extraChecks: checkRedirect('/'),
|
||||
},
|
||||
{
|
||||
itMsg: 'should redirect to the targetUrl when it is present in the session',
|
||||
session: {
|
||||
oidc: {
|
||||
...DEFAULT_SESSION.oidc,
|
||||
targetUrl: 'http://localhost:8484/some/path'
|
||||
}
|
||||
},
|
||||
extraChecks: checkRedirect('http://localhost:8484/some/path'),
|
||||
},
|
||||
{
|
||||
itMsg: "should redact confidential information in the tokenSet in the logs",
|
||||
session: DEFAULT_SESSION,
|
||||
tokenSet: {
|
||||
id_token: 'fake-id-token',
|
||||
access_token: 'fake-access',
|
||||
whatever: 'fake-whatever',
|
||||
token_type: 'fake-token-type',
|
||||
expires_at: 1234567890,
|
||||
expires_in: 987654321,
|
||||
scope: 'fake-scope',
|
||||
},
|
||||
extraChecks: function () {
|
||||
assert.isTrue(logDebugStub.called);
|
||||
assert.deepEqual(logDebugStub.firstCall.args, [
|
||||
'Got tokenSet: %o', {
|
||||
id_token: 'REDACTED',
|
||||
access_token: 'REDACTED',
|
||||
whatever: 'REDACTED',
|
||||
token_type: this.tokenSet.token_type,
|
||||
expires_at: this.tokenSet.expires_at,
|
||||
expires_in: this.tokenSet.expires_in,
|
||||
scope: this.tokenSet.scope,
|
||||
}
|
||||
]);
|
||||
}
|
||||
},
|
||||
].forEach(ctx => {
|
||||
it(ctx.itMsg, async () => {
|
||||
setEnvVars();
|
||||
Object.assign(process.env, ctx.env);
|
||||
const clientStub = new ClientStub();
|
||||
const sendAppPageStub = Sinon.stub().resolves();
|
||||
const fakeParams = {
|
||||
state: FAKE_STATE,
|
||||
};
|
||||
const config = await OIDCConfigStubbed.build(sendAppPageStub as SendAppPage, clientStub.asClient());
|
||||
const session = _.clone(ctx.session); // session is modified, so clone it
|
||||
const req = {
|
||||
session,
|
||||
query: {
|
||||
state: FAKE_STATE,
|
||||
codeVerifier: FAKE_CODE_VERIFIER,
|
||||
}
|
||||
} as unknown as express.Request;
|
||||
clientStub.callbackParams.returns(fakeParams);
|
||||
const tokenSet = { id_token: 'id_token', ...ctx.tokenSet };
|
||||
clientStub.callback.resolves(tokenSet);
|
||||
clientStub.userinfo.returns(_.clone(ctx.userInfo ?? FAKE_USER_INFO));
|
||||
const user: { profile?: object } = {};
|
||||
fakeScopedSession.operateOnScopedSession.yields(user);
|
||||
|
||||
await config.handleCallback(
|
||||
fakeSessions as unknown as Sessions,
|
||||
req,
|
||||
fakeRes as unknown as express.Response
|
||||
);
|
||||
|
||||
if (ctx.expectedErrorMsg) {
|
||||
assert.isTrue(logErrorStub.calledOnce);
|
||||
assert.match(logErrorStub.firstCall.args[0], ctx.expectedErrorMsg);
|
||||
assert.isTrue(sendAppPageStub.calledOnceWith(req, fakeRes));
|
||||
assert.include(sendAppPageStub.firstCall.args[2], {
|
||||
path: 'error.html',
|
||||
status: 500,
|
||||
});
|
||||
} else {
|
||||
assert.isFalse(logErrorStub.called, 'no error should be logged. Got: ' + logErrorStub.firstCall?.args[0]);
|
||||
assert.isTrue(fakeRes.redirect.calledOnce, 'should redirect');
|
||||
assert.isTrue(clientStub.callback.calledOnce);
|
||||
assert.deepEqual(clientStub.callback.firstCall.args, [
|
||||
'http://localhost:8484/oauth2/callback',
|
||||
fakeParams,
|
||||
ctx.expectedCbChecks ?? DEFAULT_EXPECTED_CALLBACK_CHECKS
|
||||
]);
|
||||
assert.deepEqual(session, {
|
||||
oidc: {
|
||||
state: FAKE_STATE,
|
||||
idToken: tokenSet.id_token,
|
||||
}
|
||||
}, 'oidc info should only keep state and id_token in the session and for the logout');
|
||||
}
|
||||
ctx.extraChecks?.({ fakeRes, user, sendAppPageStub });
|
||||
});
|
||||
});
|
||||
|
||||
it('should log err.response when userinfo fails to parse response body', async () => {
|
||||
// See https://github.com/panva/node-openid-client/blob/47a549cb4e36ffe2ebfe2dc9d6b69a02643cc0a9/lib/client.js#L1293
|
||||
setEnvVars();
|
||||
const clientStub = new ClientStub();
|
||||
const sendAppPageStub = Sinon.stub().resolves();
|
||||
const config = await OIDCConfigStubbed.build(sendAppPageStub, clientStub.asClient());
|
||||
const req = {
|
||||
session: DEFAULT_SESSION,
|
||||
query: {
|
||||
state: FAKE_STATE,
|
||||
codeVerifier: FAKE_CODE_VERIFIER,
|
||||
}
|
||||
} as unknown as express.Request;
|
||||
clientStub.callbackParams.returns({state: FAKE_STATE});
|
||||
|
||||
const err: Error & {response?: {body: string }} = new Error('userinfo failed');
|
||||
err.response = { body: 'response here' };
|
||||
clientStub.userinfo.rejects(err);
|
||||
|
||||
await config.handleCallback(
|
||||
fakeSessions as unknown as Sessions,
|
||||
req,
|
||||
fakeRes as unknown as express.Response
|
||||
);
|
||||
|
||||
assert.isTrue(logErrorStub.calledTwice);
|
||||
assert.include(logErrorStub.firstCall.args[0], err.message);
|
||||
assert.include(logErrorStub.secondCall.args[0], err.response.body);
|
||||
assert.isTrue(sendAppPageStub.calledOnce, "An error should have been sent");
|
||||
});
|
||||
});
|
||||
|
||||
describe('getLogoutRedirectUrl', () => {
|
||||
const REDIRECT_URL = new URL('http://localhost:8484/docs/signed-out');
|
||||
const URL_RETURNED_BY_CLIENT = 'http://localhost:8484/logout_url_from_issuer';
|
||||
const ENV_VALUE_GRIST_OIDC_IDP_END_SESSION_ENDPOINT = 'http://localhost:8484/logout';
|
||||
const FAKE_SESSION = {
|
||||
oidc: {
|
||||
idToken: 'id_token',
|
||||
state: 'state',
|
||||
}
|
||||
} as SessionObj;
|
||||
|
||||
[
|
||||
{
|
||||
itMsg: 'should skip the end session endpoint when GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true',
|
||||
env: {
|
||||
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true',
|
||||
},
|
||||
expectedUrl: REDIRECT_URL.href,
|
||||
}, {
|
||||
itMsg: 'should use the GRIST_OIDC_IDP_END_SESSION_ENDPOINT when it is set',
|
||||
env: {
|
||||
GRIST_OIDC_IDP_END_SESSION_ENDPOINT: ENV_VALUE_GRIST_OIDC_IDP_END_SESSION_ENDPOINT
|
||||
},
|
||||
expectedUrl: ENV_VALUE_GRIST_OIDC_IDP_END_SESSION_ENDPOINT
|
||||
}, {
|
||||
itMsg: 'should call the end session endpoint with the expected parameters',
|
||||
expectedUrl: URL_RETURNED_BY_CLIENT,
|
||||
expectedLogoutParams: {
|
||||
post_logout_redirect_uri: REDIRECT_URL.href,
|
||||
id_token_hint: FAKE_SESSION.oidc!.idToken,
|
||||
state: FAKE_SESSION.oidc!.state,
|
||||
}
|
||||
}
|
||||
].forEach(ctx => {
|
||||
it(ctx.itMsg, async () => {
|
||||
setEnvVars();
|
||||
Object.assign(process.env, ctx.env);
|
||||
const clientStub = new ClientStub();
|
||||
clientStub.endSessionUrl.returns(URL_RETURNED_BY_CLIENT);
|
||||
const config = await OIDCConfigStubbed.buildWithStub(clientStub.asClient());
|
||||
const req = {
|
||||
session: FAKE_SESSION
|
||||
} as unknown as RequestWithLogin;
|
||||
const url = await config.getLogoutRedirectUrl(req, REDIRECT_URL);
|
||||
assert.equal(url, ctx.expectedUrl);
|
||||
if (ctx.expectedLogoutParams) {
|
||||
assert.isTrue(clientStub.endSessionUrl.calledOnce);
|
||||
assert.deepEqual(clientStub.endSessionUrl.firstCall.args, [ctx.expectedLogoutParams]);
|
||||
}
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
Loading…
Reference in new issue