github.com/Axway/agent-sdk@v1.1.101/pkg/authz/oauth/clientmetadatabuilder_test.go

github.com/Axway/agent-sdk@v1.1.101/pkg/authz/oauth/clientmetadatabuilder_test.go (about)

     1  package oauth
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/Axway/agent-sdk/pkg/config"
     7  	"github.com/Axway/agent-sdk/pkg/util"
     8  	"github.com/stretchr/testify/assert"
     9  )
    10  
    11  func TestClientBuilder(t *testing.T) {
    12  	publicKey, err := util.ReadPublicKeyBytes("testdata/publickey")
    13  	assert.Nil(t, err)
    14  
    15  	certificate, err := util.ReadPublicKeyBytes("testdata/client_cert.pem")
    16  	assert.Nil(t, err)
    17  
    18  	cases := []struct {
    19  		name                  string
    20  		grantTypes            []string
    21  		tokenAuthMethod       string
    22  		responseType          []string
    23  		redirectURIs          []string
    24  		scopes                []string
    25  		logoURI               string
    26  		publicKey             []byte
    27  		certificate           []byte
    28  		certificateMetadata   string
    29  		tlsClientAuthSanDNS   string
    30  		tlsClientAuthSanEmail string
    31  		tlsClientAuthSanIP    string
    32  		tlsClientAuthSanURI   string
    33  		expectErr             bool
    34  	}{
    35  		{
    36  			name:       "test_build_with_authorization_code_no_redirect",
    37  			grantTypes: []string{GrantTypeAuthorizationCode},
    38  			expectErr:  true,
    39  		},
    40  		{
    41  			name:         "test_build_with_authorization_code_response_type_code",
    42  			grantTypes:   []string{GrantTypeAuthorizationCode},
    43  			responseType: []string{AuthResponseCode},
    44  			redirectURIs: []string{"http://localhost"},
    45  		},
    46  		{
    47  			name:         "test_build_with_implicit_response_type_token",
    48  			grantTypes:   []string{GrantTypeImplicit},
    49  			responseType: []string{AuthResponseToken},
    50  			redirectURIs: []string{"http://localhost"},
    51  		},
    52  		{
    53  			name:            "test_build_client_secret",
    54  			grantTypes:      []string{GrantTypeClientCredentials},
    55  			tokenAuthMethod: config.ClientSecretPost,
    56  			responseType:    []string{},
    57  			redirectURIs:    []string{"http://localhost"},
    58  			scopes:          []string{"scope1", "scope2"},
    59  			logoURI:         "http://localhost",
    60  		},
    61  		{
    62  			name:            "test_build_with_private_key_jwt_no_jwks",
    63  			grantTypes:      []string{GrantTypeClientCredentials},
    64  			tokenAuthMethod: config.PrivateKeyJWT,
    65  			responseType:    []string{},
    66  			expectErr:       true,
    67  		},
    68  		{
    69  			name:            "test_build_with_private_key_jwt_invalid_jwks",
    70  			grantTypes:      []string{GrantTypeClientCredentials},
    71  			tokenAuthMethod: config.PrivateKeyJWT,
    72  			responseType:    []string{},
    73  			publicKey:       []byte("invalid-public-key"),
    74  			expectErr:       true,
    75  		},
    76  		{
    77  			name:            "test_build_with_private_key_jwt_valid_jwks",
    78  			grantTypes:      []string{GrantTypeClientCredentials},
    79  			tokenAuthMethod: config.PrivateKeyJWT,
    80  			responseType:    []string{},
    81  			publicKey:       publicKey,
    82  		},
    83  		{
    84  			name:            "test_build_with_tls_client_auth_no_jwks",
    85  			grantTypes:      []string{GrantTypeClientCredentials},
    86  			tokenAuthMethod: config.TLSClientAuth,
    87  			responseType:    []string{},
    88  			expectErr:       true,
    89  		},
    90  		{
    91  			name:            "test_build_with_tls_client_auth_invalid_jwks",
    92  			grantTypes:      []string{GrantTypeClientCredentials},
    93  			tokenAuthMethod: config.TLSClientAuth,
    94  			responseType:    []string{},
    95  			certificate:     []byte("invalid-client-cert"),
    96  			expectErr:       true,
    97  		},
    98  		{
    99  			name:                  "test_build_with_tls_client_auth_valid_jwks_with_subject_dn",
   100  			grantTypes:            []string{GrantTypeClientCredentials},
   101  			tokenAuthMethod:       config.TLSClientAuth,
   102  			responseType:          []string{},
   103  			certificate:           certificate,
   104  			tlsClientAuthSanDNS:   "san-dns",
   105  			tlsClientAuthSanEmail: "san-email",
   106  			tlsClientAuthSanIP:    "san-ip",
   107  			tlsClientAuthSanURI:   "san-uri",
   108  		},
   109  		{
   110  			name:                  "test_build_with_tls_client_auth_valid_jwks_with_san_dns",
   111  			grantTypes:            []string{GrantTypeClientCredentials},
   112  			tokenAuthMethod:       config.TLSClientAuth,
   113  			responseType:          []string{},
   114  			certificate:           certificate,
   115  			certificateMetadata:   TLSClientAuthSanDNS,
   116  			tlsClientAuthSanDNS:   "san-dns",
   117  			tlsClientAuthSanEmail: "san-email",
   118  			tlsClientAuthSanIP:    "san-ip",
   119  			tlsClientAuthSanURI:   "san-uri",
   120  		},
   121  		{
   122  			name:                  "test_build_with_tls_client_auth_valid_jwks_with_san_email",
   123  			grantTypes:            []string{GrantTypeClientCredentials},
   124  			tokenAuthMethod:       config.TLSClientAuth,
   125  			responseType:          []string{},
   126  			certificate:           certificate,
   127  			certificateMetadata:   TLSClientAuthSanEmail,
   128  			tlsClientAuthSanDNS:   "san-dns",
   129  			tlsClientAuthSanEmail: "san-email",
   130  			tlsClientAuthSanIP:    "san-ip",
   131  			tlsClientAuthSanURI:   "san-uri",
   132  		},
   133  		{
   134  			name:                  "test_build_with_tls_client_auth_valid_jwks_with_san_ip",
   135  			grantTypes:            []string{GrantTypeClientCredentials},
   136  			tokenAuthMethod:       config.TLSClientAuth,
   137  			responseType:          []string{},
   138  			certificate:           certificate,
   139  			certificateMetadata:   TLSClientAuthSanIP,
   140  			tlsClientAuthSanDNS:   "san-dns",
   141  			tlsClientAuthSanEmail: "san-email",
   142  			tlsClientAuthSanIP:    "san-ip",
   143  			tlsClientAuthSanURI:   "san-uri",
   144  		},
   145  		{
   146  			name:                  "test_build_with_tls_client_auth_valid_jwks_with_san_uri",
   147  			grantTypes:            []string{GrantTypeClientCredentials},
   148  			tokenAuthMethod:       config.TLSClientAuth,
   149  			responseType:          []string{},
   150  			certificate:           certificate,
   151  			certificateMetadata:   TLSClientAuthSanURI,
   152  			tlsClientAuthSanDNS:   "san-dns",
   153  			tlsClientAuthSanEmail: "san-email",
   154  			tlsClientAuthSanIP:    "san-ip",
   155  			tlsClientAuthSanURI:   "san-uri",
   156  		},
   157  		{
   158  			name:                "test_build_with_tls_client_auth_valid_jwks_with_no_san_dns",
   159  			grantTypes:          []string{GrantTypeClientCredentials},
   160  			tokenAuthMethod:     config.TLSClientAuth,
   161  			responseType:        []string{},
   162  			certificate:         certificate,
   163  			certificateMetadata: TLSClientAuthSanDNS,
   164  			expectErr:           true,
   165  		},
   166  		{
   167  			name:                "test_build_with_tls_client_auth_valid_jwks_with_no_san_email",
   168  			grantTypes:          []string{GrantTypeClientCredentials},
   169  			tokenAuthMethod:     config.TLSClientAuth,
   170  			responseType:        []string{},
   171  			certificate:         certificate,
   172  			certificateMetadata: TLSClientAuthSanEmail,
   173  			expectErr:           true,
   174  		},
   175  		{
   176  			name:                "test_build_with_tls_client_auth_valid_jwks_with_no_san_ip",
   177  			grantTypes:          []string{GrantTypeClientCredentials},
   178  			tokenAuthMethod:     config.TLSClientAuth,
   179  			responseType:        []string{},
   180  			certificate:         certificate,
   181  			certificateMetadata: TLSClientAuthSanIP,
   182  			expectErr:           true,
   183  		},
   184  		{
   185  			name:                "test_build_with_tls_client_auth_valid_jwks_with_no_san_uri",
   186  			grantTypes:          []string{GrantTypeClientCredentials},
   187  			tokenAuthMethod:     config.TLSClientAuth,
   188  			responseType:        []string{},
   189  			certificate:         certificate,
   190  			certificateMetadata: TLSClientAuthSanURI,
   191  			expectErr:           true,
   192  		},
   193  	}
   194  	for _, tc := range cases {
   195  		builder := NewClientMetadataBuilder().
   196  			SetClientName(tc.name).
   197  			SetGrantTypes(tc.grantTypes).
   198  			SetTokenEndpointAuthMethod(tc.tokenAuthMethod).
   199  			SetResponseType(tc.responseType).
   200  			SetRedirectURIs(tc.redirectURIs).
   201  			SetScopes(tc.scopes).
   202  			SetLogoURI(tc.logoURI)
   203  		if tc.publicKey != nil {
   204  			builder.SetJWKS(tc.publicKey)
   205  		}
   206  		if tc.certificate != nil {
   207  			builder.SetJWKS(tc.certificate).
   208  				SetCertificateMetadata(tc.certificateMetadata).
   209  				SetTLSClientAuthSanDNS(tc.tlsClientAuthSanDNS).
   210  				SetTLSClientAuthSanEmail(tc.tlsClientAuthSanEmail).
   211  				SetTLSClientAuthSanIP(tc.tlsClientAuthSanIP).
   212  				SetTLSClientAuthSanURI(tc.tlsClientAuthSanURI)
   213  		}
   214  
   215  		client, err := builder.Build()
   216  		if tc.expectErr {
   217  			assert.NotNil(t, err)
   218  		} else {
   219  			assert.Nil(t, err)
   220  			assert.NotNil(t, client)
   221  			assert.Equal(t, tc.name, client.GetClientName())
   222  			assert.Equal(t, tc.grantTypes, client.GetGrantTypes())
   223  			assert.Equal(t, tc.tokenAuthMethod, client.GetTokenEndpointAuthMethod())
   224  			assert.Equal(t, tc.responseType, client.GetResponseTypes())
   225  			assert.Equal(t, tc.redirectURIs, client.GetRedirectURIs())
   226  			assert.Equal(t, tc.scopes, client.GetScopes())
   227  			assert.Equal(t, tc.logoURI, client.GetLogoURI())
   228  
   229  			// assert client metadata
   230  			if tc.publicKey != nil {
   231  				assert.NotEmpty(t, client.GetJwks())
   232  			}
   233  			if tc.certificate != nil {
   234  				assert.NotEmpty(t, client.GetJwks())
   235  				switch tc.certificateMetadata {
   236  				case TLSClientAuthSanDNS:
   237  					assert.Equal(t, tc.tlsClientAuthSanDNS, client.GetTLSClientAuthSanDNS())
   238  					assert.Equal(t, "", client.GetTLSClientAuthSanEmail())
   239  					assert.Equal(t, "", client.GetTLSClientAuthSanIP())
   240  					assert.Equal(t, "", client.GetTLSClientAuthSanURI())
   241  				case TLSClientAuthSanEmail:
   242  					assert.Equal(t, tc.tlsClientAuthSanEmail, client.GetTLSClientAuthSanEmail())
   243  					assert.Equal(t, "", client.GetTLSClientAuthSanDNS())
   244  					assert.Equal(t, "", client.GetTLSClientAuthSanIP())
   245  					assert.Equal(t, "", client.GetTLSClientAuthSanURI())
   246  				case TLSClientAuthSanIP:
   247  					assert.Equal(t, tc.tlsClientAuthSanIP, client.GetTLSClientAuthSanIP())
   248  					assert.Equal(t, "", client.GetTLSClientAuthSanDNS())
   249  					assert.Equal(t, "", client.GetTLSClientAuthSanEmail())
   250  					assert.Equal(t, "", client.GetTLSClientAuthSanURI())
   251  				case TLSClientAuthSanURI:
   252  					assert.Equal(t, tc.tlsClientAuthSanURI, client.GetTLSClientAuthSanURI())
   253  					assert.Equal(t, "", client.GetTLSClientAuthSanDNS())
   254  					assert.Equal(t, "", client.GetTLSClientAuthSanEmail())
   255  					assert.Equal(t, "", client.GetTLSClientAuthSanIP())
   256  				}
   257  			}
   258  		}
   259  	}
   260  }