integration tests and benchmarks

chlowell · chlowell · commit f4357102d8e5 · 2023-05-03T13:25:15.000-07:00
diff --git a/extensions/integration_test.go b/extensions/integration_test.go
@@ -0,0 +1,161 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package extensions
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"path/filepath"
+	"strings"
+	"sync"
+	"testing"
+
+	"github.com/AzureAD/microsoft-authentication-extensions-for-go/extensions/accessor/file"
+	"github.com/AzureAD/microsoft-authentication-extensions-for-go/extensions/cache"
+	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
+	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
+	"github.com/stretchr/testify/require"
+)
+
+var ctx = context.Background()
+
+func TestConfidentialClient(t *testing.T) {
+	t.Parallel()
+	p := filepath.Join(t.TempDir(), t.Name())
+	a, err := file.New(p)
+	require.NoError(t, err)
+	c, err := cache.New(a, p+".timestamp")
+	require.NoError(t, err)
+	cred, err := confidential.NewCredFromSecret("*")
+	require.NoError(t, err)
+	client, err := confidential.New(
+		"https://login.microsoftonline.com/tenant", "clientID", cred, confidential.WithCache(c), confidential.WithHTTPClient(&mockSTS{}),
+	)
+	require.NoError(t, err)
+
+	gr := 20
+	wg := sync.WaitGroup{}
+	for i := 0; i < gr; i++ {
+		wg.Add(1)
+		go func(n int) {
+			defer wg.Done()
+			if t.Failed() {
+				return
+			}
+			s := fmt.Sprint(n)
+			ar, err := client.AcquireTokenByCredential(ctx, []string{s})
+			switch {
+			case err != nil:
+				t.Error(err)
+			case ar.AccessToken != s:
+				t.Errorf("possible test bug: expected %q from STS, got %q", s, ar.AccessToken)
+			default:
+				ar, err = client.AcquireTokenSilent(ctx, []string{s})
+				if err != nil {
+					t.Error(err)
+				} else if ar.AccessToken != s {
+					t.Errorf("possible cache corruption: expected %q, got %q", s, ar.AccessToken)
+				}
+			}
+		}(i)
+	}
+	wg.Wait()
+	if t.Failed() {
+		return
+	}
+
+	// cache should have an access token from each goroutine
+	lost := gr
+	for i := 0; i < gr; i++ {
+		s := fmt.Sprint(i)
+		ar, err := client.AcquireTokenSilent(ctx, []string{s})
+		if err == nil {
+			lost--
+			if ar.AccessToken != s {
+				t.Errorf("possible cache corruption: expected %q, got %q", s, ar.AccessToken)
+			}
+		}
+	}
+	require.Equal(t, 0, lost, "lost %d/%d tokens", lost, gr)
+}
+
+func TestPublicClient(t *testing.T) {
+	t.Parallel()
+	p := filepath.Join(t.TempDir(), t.Name())
+	a, err := file.New(p)
+	require.NoError(t, err)
+	c, err := cache.New(a, p+".timestamp")
+	require.NoError(t, err)
+	sts := mockSTS{}
+	client, err := public.New("clientID", public.WithCache(c), public.WithHTTPClient(&sts))
+	require.NoError(t, err)
+
+	gr := 20
+	wg := sync.WaitGroup{}
+	for i := 0; i < gr; i++ {
+		wg.Add(1)
+		go func(n int) {
+			defer wg.Done()
+			if t.Failed() {
+				return
+			}
+			s := fmt.Sprint(n)
+			ar, err := client.AcquireTokenByUsernamePassword(ctx, []string{s}, s, "password")
+			switch {
+			case err != nil:
+				t.Error(err)
+			case ar.AccessToken != s:
+				t.Errorf("possible test bug: expected %q from STS, got %q", s, ar.AccessToken)
+			default:
+				ar, err = client.AcquireTokenSilent(ctx, []string{s}, public.WithSilentAccount(ar.Account))
+				if err != nil {
+					t.Error(err)
+				} else if ar.AccessToken != s {
+					t.Errorf("possible cache corruption: expected %q, got %q", s, ar.AccessToken)
+				}
+			}
+		}(i)
+	}
+	wg.Wait()
+	if t.Failed() {
+		return
+	}
+
+	accounts, err := client.Accounts(ctx)
+	require.NoError(t, err)
+	require.Equal(t, gr, len(accounts), "should have a cached account for each goroutine")
+
+	// Verify no access token cached above was lost due to a race. Silent auth should return a cached
+	// access token given any scope above. A token request during this loop indicates the client
+	// exchanged a refresh token to reacquire the access token it should have found in the cache.
+	lostATs, reqs := 0, 0
+	sts.tokenRequestCallback = func(*http.Request) { reqs++ }
+	for _, a := range accounts {
+		s, _, found := strings.Cut(a.HomeAccountID, ".")
+		require.True(t, found, "unexpected home account ID %q", a.HomeAccountID)
+		ar, err := client.AcquireTokenSilent(ctx, []string{s}, public.WithSilentAccount(a))
+		if err != nil {
+			// the cache has no access token for the expected scope and no refresh token for the account
+			lostATs++
+		} else if ar.AccessToken != s {
+			t.Errorf("possible cache corruption: expected %q, got %q", s, ar.AccessToken)
+		}
+	}
+	require.Equal(t, 0, lostATs+reqs, "lost %d/%d access tokens", reqs, gr)
+
+	// The cache has all the expected access tokens but may have lost refresh tokens, so we try silent
+	// auth again for each account, passing a new scope to force the client to use a refresh token.
+	lostRTs := 0
+	for _, a := range accounts {
+		s := "novelscope"
+		ar, err := client.AcquireTokenSilent(ctx, []string{s}, public.WithSilentAccount(a))
+		if err != nil {
+			lostRTs++
+		} else if ar.AccessToken != s {
+			t.Errorf("possible cache corruption: expected %q, got %q", s, ar.AccessToken)
+		}
+	}
+	require.Equal(t, 0, lostRTs, "lost %d/%d refresh tokens", lostRTs, gr)
+}
diff --git a/extensions/mock_test.go b/extensions/mock_test.go
@@ -0,0 +1,144 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package extensions
+
+import (
+	"bytes"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+)
+
+// mockSTS returns mock Azure AD responses so tests don't have to account for MSAL metadata requests
+type mockSTS struct {
+	tokenRequestCallback func(*http.Request)
+}
+
+func (m *mockSTS) Do(req *http.Request) (*http.Response, error) {
+	res := http.Response{StatusCode: http.StatusOK}
+	switch s := strings.Split(req.URL.Path, "/"); s[len(s)-1] {
+	case "instance":
+		res.Body = io.NopCloser(bytes.NewReader(instanceMetadata("tenant")))
+	case "openid-configuration":
+		res.Body = io.NopCloser(bytes.NewReader(tenantMetadata("tenant")))
+	case "token":
+		if m.tokenRequestCallback != nil {
+			m.tokenRequestCallback(req)
+		}
+		if err := req.ParseForm(); err != nil {
+			return nil, err
+		}
+		scope := strings.Split(req.FormValue("scope"), " ")[0]
+		userinfo := ""
+		if upn := req.FormValue("username"); upn != "" {
+			clientinfo := base64.RawStdEncoding.EncodeToString([]byte(fmt.Sprintf(`{"uid":"%s","utid":"utid"}`, upn)))
+			userinfo = fmt.Sprintf(`, "client_info":"%s", "id_token":"x.e30", "refresh_token": "rt"`, clientinfo)
+		}
+		res.Body = io.NopCloser(bytes.NewReader([]byte(fmt.Sprintf(`{"access_token": %q, "expires_in": 3600%s}`, scope, userinfo))))
+	default:
+		// User realm metadata request paths look like "/common/UserRealm/user@domain".
+		// Matching on the UserRealm segment avoids having to know the UPN.
+		if s[len(s)-2] == "UserRealm" {
+			res.Body = io.NopCloser(
+				strings.NewReader(`{"account_type":"Managed","cloud_audience_urn":"urn","cloud_instance_name":"...","domain_name":"..."}`),
+			)
+		} else {
+			panic("unexpected request " + req.URL.String())
+		}
+	}
+	return &res, nil
+}
+
+func (m *mockSTS) CloseIdleConnections() {}
+
+func instanceMetadata(tenant string) []byte {
+	return []byte(strings.ReplaceAll(`{
+		"tenant_discovery_endpoint": "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration",
+		"api-version": "1.1",
+		"metadata": [
+			{
+				"preferred_network": "login.microsoftonline.com",
+				"preferred_cache": "login.windows.net",
+				"aliases": [
+					"login.microsoftonline.com",
+					"login.windows.net",
+					"login.microsoft.com",
+					"sts.windows.net"
+				]
+			}
+		]
+	}`, "{tenant}", tenant))
+}
+
+func tenantMetadata(tenant string) []byte {
+	return []byte(strings.ReplaceAll(`{
+		"token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
+		"token_endpoint_auth_methods_supported": [
+			"client_secret_post",
+			"private_key_jwt",
+			"client_secret_basic"
+		],
+		"jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
+		"response_modes_supported": [
+			"query",
+			"fragment",
+			"form_post"
+		],
+		"subject_types_supported": [
+			"pairwise"
+		],
+		"id_token_signing_alg_values_supported": [
+			"RS256"
+		],
+		"response_types_supported": [
+			"code",
+			"id_token",
+			"code id_token",
+			"id_token token"
+		],
+		"scopes_supported": [
+			"openid",
+			"profile",
+			"email",
+			"offline_access"
+		],
+		"issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
+		"request_uri_parameter_supported": false,
+		"userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
+		"authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
+		"device_authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode",
+		"http_logout_supported": true,
+		"frontchannel_logout_supported": true,
+		"end_session_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout",
+		"claims_supported": [
+			"sub",
+			"iss",
+			"cloud_instance_name",
+			"cloud_instance_host_name",
+			"cloud_graph_host_name",
+			"msgraph_host",
+			"aud",
+			"exp",
+			"iat",
+			"auth_time",
+			"acr",
+			"nonce",
+			"preferred_username",
+			"name",
+			"tid",
+			"ver",
+			"at_hash",
+			"c_hash",
+			"email"
+		],
+		"kerberos_endpoint": "https://login.microsoftonline.com/{tenant}/kerberos",
+		"tenant_region_scope": "NA",
+		"cloud_instance_name": "microsoftonline.com",
+		"cloud_graph_host_name": "graph.windows.net",
+		"msgraph_host": "graph.microsoft.com",
+		"rbac_url": "https://pas.windows.net"
+	}`, "{tenant}", tenant))
+}
diff --git a/extensions/perf_test.go b/extensions/perf_test.go
