test: add test/test_proto.c and migrate proto tests from test.c

zandbelt · zandbelt · commit b2864d286a73 · 2025-11-14T05:57:36.000+01:00
Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+11/14/2025
+- test: add test/test_proto.c and migrate proto tests from test.c
+
 11/12/2025
 - test: add test/test_cache.c coverage tests
 
diff --git a/test/.gitignore b/test/.gitignore
@@ -20,3 +20,4 @@
 /test_cfg
 /test_http
 /test_cache
+/test_proto
diff --git a/test/Makefile.am b/test/Makefile.am
@@ -58,7 +58,8 @@ TESTS += \
 	test_util \
 	test_jose \
 	test_http \
-	test_cache
+	test_cache \
+	test_proto
 
 endif
 
diff --git a/test/test.c b/test/test.c
@@ -964,234 +964,6 @@ static char *test_jwt_decrypt_gcm(apr_pool_t *pool) {
 
 #endif
 
-static char *test_proto_validate_access_token(request_rec *r) {
-
-	// from http://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample
-	// A.3  Example using response_type=id_token token
-	const char *s = "eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ.ewogIml"
-			"zcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ"
-			"4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiA"
-			"ibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDE"
-			"zMTEyODA5NzAsCiAiYXRfaGFzaCI6ICI3N1FtVVB0alBmeld0RjJBbnBLOVJ"
-			"RIgp9.F9gRev0Dt2tKcrBkHy72cmRqnLdzw9FLCCSebV7mWs7o_sv2O5s6zM"
-			"ky2kmhHTVx9HmdvNnx9GaZ8XMYRFeYk8L5NZ7aYlA5W56nsG1iWOou_-gji0"
-			"ibWIuuf4Owaho3YSoi7EvsTuLFz6tq-dLyz0dKABMDsiCmJ5wqkPUDTE3QTX"
-			"jzbUmOzUDli-gCh5QPuZAq0cNW3pf_2n4zpvTYtbmj12cVcxGIMZby7TMWES"
-			"RjQ9_o3jvhVNcCGcE0KAQXejhA1ocJhNEvQNqMFGlBb6_0RxxKjDZ-Oa329e"
-			"GDidOvvp0h5hoES4a8IuGKS7NOcpp-aFwp0qVMDLI-Xnm-Pg";
-
-	oidc_jose_error_t err;
-	oidc_jwt_t *jwt = NULL;
-	TST_ASSERT_ERR("oidc_jwt_parse", oidc_jwt_parse(r->pool, s, &jwt, NULL, FALSE, &err), r->pool, err);
-
-	const char *access_token = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y";
-	TST_ASSERT("oidc_proto_validate_access_token",
-		   oidc_proto_idtoken_validate_access_token(r, NULL, jwt, "id_token token", access_token));
-
-	oidc_jwt_destroy(jwt);
-
-	return 0;
-}
-
-static char *test_proto_validate_code(request_rec *r) {
-
-	// from http://openid.net/specs/openid-connect-core-1_0.html#code-id_tokenExample
-	// A.4 Example using response_type=code id_token
-	const char *s = "eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ.ewogIml"
-			"zcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ"
-			"4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiA"
-			"ibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDE"
-			"zMTEyODA5NzAsCiAiY19oYXNoIjogIkxEa3RLZG9RYWszUGswY25YeENsdEE"
-			"iCn0.XW6uhdrkBgcGx6zVIrCiROpWURs-4goO1sKA4m9jhJIImiGg5muPUcN"
-			"egx6sSv43c5DSn37sxCRrDZZm4ZPBKKgtYASMcE20SDgvYJdJS0cyuFw7Ijp"
-			"_7WnIjcrl6B5cmoM6ylCvsLMwkoQAxVublMwH10oAxjzD6NEFsu9nipkszWh"
-			"sPePf_rM4eMpkmCbTzume-fzZIi5VjdWGGEmzTg32h3jiex-r5WTHbj-u5HL"
-			"7u_KP3rmbdYNzlzd1xWRYTUs4E8nOTgzAUwvwXkIQhOh5TPcSMBYy6X3E7-_"
-			"gr9Ue6n4ND7hTFhtjYs3cjNKIA08qm5cpVYFMFMG6PkhzLQ";
-
-	oidc_jose_error_t err;
-	oidc_jwt_t *jwt = NULL;
-	TST_ASSERT_ERR("oidc_jwt_parse", oidc_jwt_parse(r->pool, s, &jwt, NULL, FALSE, &err), r->pool, err);
-
-	const char *code = "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk";
-	TST_ASSERT("oidc_proto_validate_code", oidc_proto_idtoken_validate_code(r, NULL, jwt, "code id_token", code));
-
-	oidc_jwt_destroy(jwt);
-
-	return 0;
-}
-
-static char *test_proto_authorization_request(request_rec *r) {
-
-	oidc_provider_t *provider = oidc_cfg_provider_create(r->pool);
-
-	oidc_cfg_provider_issuer_set(r->pool, provider, "https://idp.example.com");
-	oidc_cfg_provider_authorization_endpoint_url_set(r->pool, provider, "https://idp.example.com/authorize");
-	oidc_cfg_provider_client_id_set(r->pool, provider, "client_id");
-	oidc_cfg_provider_auth_request_params_set(r->pool, provider, "jan=piet&foo=#");
-
-	const char *redirect_uri = "https://www.example.com/protected/";
-	const char *state = "12345";
-
-	oidc_proto_state_t *proto_state = oidc_proto_state_new();
-	oidc_proto_state_set_nonce(proto_state, "anonce");
-	oidc_proto_state_set_original_url(proto_state, "https://localhost/protected/index.php");
-	oidc_proto_state_set_original_method(proto_state, OIDC_METHOD_GET);
-	oidc_proto_state_set_issuer(proto_state, oidc_cfg_provider_issuer_get(provider));
-	oidc_proto_state_set_response_type(proto_state, oidc_cfg_provider_response_type_get(provider));
-	oidc_proto_state_set_timestamp_now(proto_state);
-
-	TST_ASSERT("oidc_proto_request_auth (1)",
-		   oidc_proto_request_auth(r, provider, NULL, redirect_uri, state, proto_state, NULL, NULL, NULL,
-					   NULL) == HTTP_MOVED_TEMPORARILY);
-
-	TST_ASSERT_STR("oidc_proto_request_auth (2)", apr_table_get(r->headers_out, "Location"),
-		       "https://idp.example.com/"
-		       "authorize?response_type=code&scope=openid&client_id=client_id&state=12345&redirect_uri=https%"
-		       "3A%2F%2Fwww.example.com%2Fprotected%2F&nonce=anonce&jan=piet&foo=bar");
-
-	return 0;
-}
-
-static char *test_logout_request(request_rec *r) {
-
-	oidc_cfg_t *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);
-	oidc_session_t *session = NULL;
-
-	oidc_session_load(r, &session);
-	oidc_session_set_issuer(r, session, oidc_cfg_provider_issuer_get(oidc_cfg_provider_get(c)));
-
-	oidc_cfg_provider_end_session_endpoint_set(r->pool, oidc_cfg_provider_get(c),
-						   "https://idp.example.com/endsession");
-	oidc_cfg_provider_logout_request_params_set(r->pool, oidc_cfg_provider_get(c), "client_id=myclient&foo=bar");
-
-	r->args = "logout=https%3A%2F%2Fwww.example.com%2Floggedout";
-
-	TST_ASSERT("oidc_handle_logout (1)", oidc_logout(r, c, session) == HTTP_MOVED_TEMPORARILY);
-	TST_ASSERT_STR(
-	    "oidc_handle_logout (2)", apr_table_get(r->headers_out, "Location"),
-	    "https://idp.example.com/"
-	    "endsession?post_logout_redirect_uri=https%3A%2F%2Fwww.example.com%2Floggedout&client_id=myclient&foo=bar");
-
-	oidc_session_free(r, session);
-
-	return 0;
-}
-
-static char *test_proto_validate_nonce(request_rec *r) {
-
-	oidc_cfg_t *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);
-	const char *nonce = "avSk7S69G4kEE8Km4bPiOjrfChHt6nO4Z397Lp_bQnc,";
-
-	/*
-	 * {
-	 *   "typ": "JWT",
-	 *   "alg": "RS256",
-	 *   "x5t": "Z1NCjojeiHAib-Gm8vFE6ya6lPM"
-	 * }
-	 * {
-	 *   "nonce": "avSk7S69G4kEE8Km4bPiOjrfChHt6nO4Z397Lp_bQnc,",
-	 *   "iat": 1411580876,
-	 *   "at_hash": "yTqsoONZbuWbN6TbgevuDQ",
-	 *   "sub": "6343a29c-5399-44a7-9b35-4990f4377c96",
-	 *   "amr": "password",
-	 *   "auth_time": 1411577267,
-	 *   "idp": "idsrv",
-	 *   "name": "ksonaty",
-	 *   "iss": "https://agsync.com",
-	 *   "aud": "agsync_implicit",
-	 *   "exp": 1411584475,
-	 *   "nbf": 1411580875
-	 * }
-	 */
-	char *s_jwt = apr_pstrdup(
-	    r->pool,
-	    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IloxTkNqb2plaUhBaWItR204dkZFNnlhNmxQTSJ9."
-	    "eyJub25jZSI6ImF2U2s3UzY5RzRrRUU4S200YlBpT2pyZkNoSHQ2bk80WjM5N0xwX2JRbmMsIiwiaWF0IjoxNDExNTgwODc2LCJhdF9oYX"
-	    "NoIjoieVRxc29PTlpidVdiTjZUYmdldnVEUSIsInN1YiI6IjYzNDNhMjljLTUzOTktNDRhNy05YjM1LTQ5OTBmNDM3N2M5NiIsImFtciI6"
-	    "InBhc3N3b3JkIiwiYXV0aF90aW1lIjoxNDExNTc3MjY3LCJpZHAiOiJpZHNydiIsIm5hbWUiOiJrc29uYXR5IiwiaXNzIjoiaHR0cHM6Ly"
-	    "9hZ3N5bmMuY29tIiwiYXVkIjoiYWdzeW5jX2ltcGxpY2l0IiwiZXhwIjoxNDExNTg0NDc1LCJuYmYiOjE0MTE1ODA4NzV9.lEG-"
-	    "DgHHa0JuOEuOTBvCqyexjRVcKXBnJJm289o2HyTgclpH80DsOMED9RlXCFfuDY7nw9i2cxUmIMAV42AdTxkMPomK3chytcajvpAZJirlk6"
-	    "53bo9GTDXJSKZr5fwyEu--qahsoT5t9qvoWyFdYkvmMHFw1-"
-	    "mAHDGgVe23voc9jPuFFIhRRqIn4e8ikzN4VQeEV1UXJD02kYYFn2TRWURgiFyVeTr2r0MTn-auCEsFS_AfR1Bl_"
-	    "kmpMfqwrsicf5MTBvfPJeuSMt3t3d3LOGBkg36_z21X-ZRN7wy1KTjagr7iQ_y5csIpmtqs_QM55TTB9dW1HIosJPhiuMEJEA");
-	oidc_jwt_t *jwt = NULL;
-	oidc_jose_error_t err;
-	TST_ASSERT_ERR("oidc_jwt_parse", oidc_jwt_parse(r->pool, s_jwt, &jwt, NULL, FALSE, &err), r->pool, err);
-
-	TST_ASSERT("oidc_proto_idtoken_validate_nonce (1)",
-		   oidc_proto_idtoken_validate_nonce(r, c, oidc_cfg_provider_get(c), nonce, jwt));
-	TST_ASSERT("oidc_proto_idtoken_validate_nonce (2)",
-		   oidc_proto_idtoken_validate_nonce(r, c, oidc_cfg_provider_get(c), nonce, jwt) == FALSE);
-
-	oidc_jwt_destroy(jwt);
-
-	return 0;
-}
-
-static char *test_proto_validate_jwt(request_rec *r) {
-
-	oidc_jwt_t *jwt = NULL;
-	oidc_jose_error_t err;
-
-	const char *s_secret = "secret";
-	const char *s_issuer = "https://localhost";
-	apr_time_t now = apr_time_sec(apr_time_now());
-
-	const char *s_jwt_header = "{"
-				   "\"alg\": \"HS256\""
-				   "}";
-
-	const char *s_jwt_payload = "{"
-				    "\"nonce\": \"543210,\","
-				    "\"iat\": %" APR_TIME_T_FMT ","
-				    "\"sub\": \"alice\","
-				    "\"iss\": \"%s\","
-				    "\"aud\": \"bob\","
-				    "\"exp\": %" APR_TIME_T_FMT "}";
-	s_jwt_payload = apr_psprintf(r->pool, s_jwt_payload, now, s_issuer, now + 600);
-
-	char *s_jwt_header_encoded = NULL;
-	oidc_util_base64url_encode(r, &s_jwt_header_encoded, s_jwt_header, _oidc_strlen(s_jwt_header), 1);
-
-	char *s_jwt_payload_encoded = NULL;
-	oidc_util_base64url_encode(r, &s_jwt_payload_encoded, s_jwt_payload, _oidc_strlen(s_jwt_payload), 1);
-
-	char *s_jwt_message = apr_psprintf(r->pool, "%s.%s", s_jwt_header_encoded, s_jwt_payload_encoded);
-
-	unsigned int md_len = 0;
-	unsigned char md[EVP_MAX_MD_SIZE];
-	const EVP_MD *digest = EVP_get_digestbyname("sha256");
-
-	TST_ASSERT("HMAC", HMAC(digest, (const unsigned char *)s_secret, _oidc_strlen(s_secret),
-				(const unsigned char *)s_jwt_message, _oidc_strlen(s_jwt_message), md, &md_len) != 0);
-
-	char *s_jwt_signature_encoded = NULL;
-	oidc_util_base64url_encode(r, &s_jwt_signature_encoded, (const char *)md, md_len, 1);
-
-	char *s_jwt =
-	    apr_psprintf(r->pool, "%s.%s.%s", s_jwt_header_encoded, s_jwt_payload_encoded, s_jwt_signature_encoded);
-
-	TST_ASSERT_ERR("oidc_jwt_parse", oidc_jwt_parse(r->pool, s_jwt, &jwt, NULL, FALSE, &err), r->pool, err);
-
-	oidc_jwk_t *jwk = NULL;
-	TST_ASSERT_ERR("oidc_util_create_symmetric_key",
-		       oidc_util_key_symmetric_create(r, s_secret, 0, NULL, TRUE, &jwk) == TRUE, r->pool, err);
-	TST_ASSERT_ERR("oidc_util_create_symmetric_key (jwk)", jwk != NULL, r->pool, err);
-
-	TST_ASSERT_ERR("oidc_jwt_verify",
-		       oidc_jwt_verify(r->pool, jwt, oidc_util_key_symmetric_merge(r->pool, NULL, jwk), &err), r->pool,
-		       err);
-
-	TST_ASSERT_ERR("oidc_proto_validate_jwt", oidc_proto_jwt_validate(r, jwt, s_issuer, TRUE, TRUE, 10), r->pool,
-		       err);
-
-	oidc_jwk_destroy(jwk);
-	oidc_jwt_destroy(jwt);
-
-	return 0;
-}
-
 #if HAVE_APACHE_24
 
 static char *test_authz_worker(request_rec *r) {
@@ -1638,13 +1410,6 @@ static char *all_tests(apr_pool_t *pool, request_rec *r) {
 	TST_RUN(test_jwt_verify_rsa, pool);
 	TST_RUN(test_jwt_sign_verify, pool);
 
-	TST_RUN(test_proto_validate_access_token, r);
-	TST_RUN(test_proto_validate_code, r);
-
-	TST_RUN(test_proto_authorization_request, r);
-	TST_RUN(test_proto_validate_nonce, r);
-	TST_RUN(test_proto_validate_jwt, r);
-
 	TST_RUN(test_decode_json_object, r);
 
 	TST_RUN(test_remote_user, r);
@@ -1655,7 +1420,6 @@ static char *all_tests(apr_pool_t *pool, request_rec *r) {
 	TST_RUN(test_authz_worker, r);
 #endif
 
-	TST_RUN(test_logout_request, r);
 	TST_RUN(test_check_cookie_domain, r);
 
 	return 0;
diff --git a/test/test_proto.c b/test/test_proto.c
