Added test coverage for custom token granter, enhancer, auth registry and tenancy loader.

Author: TimShi

pkg/integrate/httpclient/client_test.go

@@ -34,6 +34,7 @@ import (
 	"go.uber.org/fx"
 	"net/http"
 	"net/url"
+	"path"
 	"testing"
 	"time"
 )
@@ -112,6 +113,7 @@ func TestWithMockedServer(t *testing.T) {
 		test.GomegaSubTest(SubTestWithRetry(&di), "TestWithRetry"),
 		test.GomegaSubTest(SubTestWithTimeout(&di), "TestWithTimeout"),
 		test.GomegaSubTest(SubTestWithURLEncoded(&di), "TestWithURLEncoded"),
+		test.GomegaSubTest(SubTestWithAbsoluteUrl(&di), "TestWithAbsoluteUrl"),
 	)
 }
 
@@ -390,6 +392,44 @@ func SubTestWithURLEncoded(di *TestDI) test.GomegaSubTestFunc {
 	}
 }
 
+func SubTestWithAbsoluteUrl(di *TestDI) test.GomegaSubTestFunc {
+	return func(ctx context.Context, t *testing.T, g *gomega.WithT) {
+		client, e := di.HttpClient.WithNoTargetResolver()
+		g.Expect(e).To(Succeed(), "client without target resolver should be available")
+
+		random := utils.RandomString(20)
+		now := time.Now().Format(time.RFC3339)
+		reqBody := makeEchoRequestBody()
+		opts := append([]httpclient.RequestOptions{
+			httpclient.WithHeader("X-Data", random),
+			httpclient.WithParam("time", now),
+			httpclient.WithParam("data", random),
+			httpclient.WithBody(reqBody),
+		})
+
+		uri, e := url.Parse(fmt.Sprintf(`http://localhost:%d%s`, webtest.CurrentPort(ctx), webtest.CurrentContextPath(ctx)))
+		g.Expect(e).ToNot(HaveOccurred())
+
+		uri.Path = path.Join(uri.Path, TestPath)
+		req := httpclient.NewRequest(uri.String(), http.MethodPost, opts...)
+
+		resp, e := client.Execute(ctx, req, httpclient.JsonBody(&EchoResponse{}))
+		g.Expect(e).To(Succeed(), "execute request shouldn't fail")
+
+		expected := EchoResponse{
+			Headers: map[string]string{
+				"X-Data": random,
+			},
+			Form: map[string]string{
+				"time": now,
+				"data": random,
+			},
+			ReqBody: reqBody,
+		}
+		assertResponse(t, g, resp, http.StatusOK, &expected)
+	}
+}
+
 /*************************
 	Request/Response
  *************************/

pkg/security/config/integration_test.go

@@ -37,6 +37,7 @@ import (
 	"github.com/cisco-open/go-lanai/pkg/security/idp/passwdidp"
 	"github.com/cisco-open/go-lanai/pkg/security/logout"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2"
+	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth/authorize"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth/clientauth"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth/token"
@@ -59,6 +60,7 @@ import (
 	. "github.com/cisco-open/go-lanai/test/utils/gomega"
 	"github.com/cisco-open/go-lanai/test/webtest"
 	"github.com/crewjam/saml"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/uuid"
 	"github.com/onsi/gomega"
 	. "github.com/onsi/gomega"
@@ -157,6 +159,7 @@ type intDI struct {
 	Mocking         sectest.MockingProperties
 	TokenReader     oauth2.TokenStoreReader
 	SessionStore    session.Store
+	AuthReg         auth.AuthorizationRegistry `optional:"true"`
 }
 
 func TestWithMockedServer(t *testing.T) {
@@ -189,6 +192,7 @@ func TestWithMockedServer(t *testing.T) {
 				testdata.NewAuthServerConfigurer, //This configurer will set up mocked client store, mocked tenant store etc.
 				testdata.NewResServerConfigurer,
 				testdata.NewMockedApprovalStore,
+				auth.NewLegacyTokenEnhancer,
 			),
 		),
 		test.GomegaSubTest(SubTestOAuth2AuthorizeWithPasswdIDP(di), "TestOAuth2AuthorizeWithPasswdIDP"),
@@ -234,6 +238,7 @@ func TestWithMockedServerWithoutFinalizer(t *testing.T) {
 				sectest.BindMockingProperties,
 				testdata.NewAuthServerConfigurer,
 				testdata.NewResServerConfigurer,
+				auth.NewLegacyTokenEnhancer,
 			),
 		),
 		// a user has access to two tenants, switch from one to the other
@@ -242,6 +247,39 @@ func TestWithMockedServerWithoutFinalizer(t *testing.T) {
 	)
 }
 
+func TestWithMockedServerWithCustomTokenGranter(t *testing.T) {
+	di := &intDI{}
+	test.RunTest(context.Background(), t,
+		apptest.Bootstrap(),
+		apptest.WithTimeout(2*time.Minute),
+		webtest.WithMockedServer(),
+		sectest.WithMockedMiddleware(sectest.MWEnableSession()),
+		apptest.WithModules(
+			authserver.Module, resserver.Module,
+			passwdidp.Module, extsamlidp.Module, authorize.Module, samlidp.Module,
+			passwd.Module, formlogin.Module, logout.Module,
+			samlctx.Module, samlsp.Module,
+			basicauth.Module, clientauth.Module,
+			token.Module, access.Module, errorhandling.Module,
+			request_cache.Module, csrf.Module, session.Module,
+			redis.Module,
+		),
+		apptest.WithDI(di),
+		apptest.WithFxOptions(
+			fx.Provide(
+				IntegrationTestMocksProvider(),
+				sectest.BindMockingProperties,
+				testdata.NewAuthServerConfigurer,
+				testdata.NewResServerConfigurer,
+				testdata.NewCustomTokenEnhancer,
+				testdata.NewCustomAuthRegistry,
+				testdata.NewCustomTokenGranter,
+			),
+		),
+		test.GomegaSubTest(SubTestCustomTokenGranter(di), "TestCustomTokenGranter"),
+	)
+}
+
 /*************************
 	Sub Tests
  *************************/
@@ -914,6 +952,31 @@ func SubTestOauth2SwitchTenant(
 	}
 }
 
+func SubTestCustomTokenGranter(
+	di *intDI,
+) test.GomegaSubTestFunc {
+	return func(ctx context.Context, t *testing.T, g *gomega.WithT) {
+		req := webtest.NewRequest(ctx, http.MethodPost, "/v2/token", customGrantReqBody(), withClientAuth("custom-grant-client", TestClientSecret), tokenReqOptions())
+		resp := webtest.MustExec(ctx, req)
+		g.Expect(resp).ToNot(BeNil(), "response should not be nil")
+		g.Expect(resp.Response.StatusCode).To(Equal(http.StatusOK), "response should have correct status code")
+
+		body, e := io.ReadAll(resp.Response.Body)
+		g.Expect(e).To(Succeed(), `token response body should be readable`)
+		g.Expect(body).To(HaveJsonPath("$.access_token"), "token response should have access_token")
+
+		accessToken := oauth2.NewDefaultAccessToken("")
+		e = json.Unmarshal(body, accessToken)
+		g.Expect(e).ToNot(HaveOccurred())
+
+		tk, _, e := jwt.NewParser().ParseUnverified(accessToken.Value(), jwt.MapClaims{})
+		g.Expect(e).ToNot(HaveOccurred())
+		g.Expect(tk.Claims.(jwt.MapClaims)["MyClaim"]).To(Equal("my_claim_value"))
+
+		g.Expect(di.AuthReg.(*testdata.CustomAuthRegistry).RegistrationCount).To(Equal(1))
+	}
+}
+
 /*************************
 	Helpers
  *************************/
@@ -1103,6 +1166,12 @@ func passwordGrantReqBody(tenantId string, username string, password string) io.
 	return strings.NewReader(values.Encode())
 }
 
+func customGrantReqBody() io.Reader {
+	values := url.Values{}
+	values.Set(oauth2.ParameterGrantType, "custom_grant")
+	return strings.NewReader(values.Encode())
+}
+
 func tokenReqOptions() webtest.RequestOptions {
 	return func(req *http.Request) {
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

pkg/security/config/testdata/application-test.yml

@@ -93,6 +93,11 @@ mocking:
       redirect-uris: ["localhost:*/**"]
       tenants: ["id-tenant-3"]
       scopes: "scope_a,scope_b"
+    custom-grant-client:
+      id: "custom-grant-client"
+      secret: "test-secret"
+      access-token-validity: 3600s
+      grant-types: "custom_grant"
   accounts:
     system:
       username: "system"

pkg/security/config/testdata/authserver_configurer.go

@@ -49,6 +49,9 @@ type authDI struct {
 	Properties          authserver.AuthServerProperties
 	PasswdIDPProperties passwdidp.PwdAuthProperties
 	SamlIDPProperties   extsamlidp.SamlAuthProperties
+	CustomTokenGranter  auth.TokenGranter          `optional:"true"`
+	CustomTokenEnhancer auth.TokenEnhancer         `optional:"true"`
+	CustomAuthRegistry  auth.AuthorizationRegistry `optional:"true"`
 }
 
 func NewAuthServerConfigurer(di authDI) authserver.AuthorizationServerConfigurer {
@@ -71,7 +74,15 @@ func NewAuthServerConfigurer(di authDI) authserver.AuthorizationServerConfigurer
 		config.ProviderStore = sectest.MockedProviderStore{}
 		config.UserPasswordEncoder = di.PasswordEncoder
 		config.SessionSettingService = StaticSessionSettingService(1)
-		config.CustomTokenEnhancer = []auth.TokenEnhancer{auth.NewLegacyTokenEnhancer()}
+		if di.CustomTokenEnhancer != nil {
+			config.CustomTokenEnhancer = []auth.TokenEnhancer{di.CustomTokenEnhancer}
+		}
+		if di.CustomTokenGranter != nil {
+			config.CustomTokenGranter = []auth.TokenGranter{di.CustomTokenGranter}
+		}
+		if di.CustomAuthRegistry != nil {
+			config.CustomAuthRegistry = di.CustomAuthRegistry
+		}
 	}
 }
 

pkg/security/config/testdata/custom_auth_registry.go

@@ -0,0 +1,56 @@
+package testdata
+
+import (
+	"context"
+	"github.com/cisco-open/go-lanai/pkg/security/oauth2"
+	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth"
+)
+
+type CustomAuthRegistry struct {
+	RegistrationCount int
+}
+
+func NewCustomAuthRegistry() auth.AuthorizationRegistry {
+	return &CustomAuthRegistry{}
+}
+
+func (c *CustomAuthRegistry) RegisterRefreshToken(ctx context.Context, token oauth2.RefreshToken, oauth oauth2.Authentication) error {
+	panic("implement me")
+}
+
+func (c *CustomAuthRegistry) RegisterAccessToken(ctx context.Context, token oauth2.AccessToken, oauth oauth2.Authentication) error {
+	c.RegistrationCount++
+	return nil
+}
+
+func (c *CustomAuthRegistry) ReadStoredAuthorization(ctx context.Context, token oauth2.RefreshToken) (oauth2.Authentication, error) {
+	panic("implement me")
+}
+
+func (c *CustomAuthRegistry) FindSessionId(ctx context.Context, token oauth2.Token) (string, error) {
+	panic("implement me")
+}
+
+func (c *CustomAuthRegistry) RevokeRefreshToken(ctx context.Context, token oauth2.RefreshToken) error {
+	panic("implement me")
+}
+
+func (c *CustomAuthRegistry) RevokeAccessToken(ctx context.Context, token oauth2.AccessToken) error {
+	panic("implement me")
+}
+
+func (c *CustomAuthRegistry) RevokeAllAccessTokens(ctx context.Context, token oauth2.RefreshToken) error {
+	panic("implement me")
+}
+
+func (c *CustomAuthRegistry) RevokeUserAccess(ctx context.Context, username string, revokeRefreshToken bool) error {
+	panic("implement me")
+}
+
+func (c *CustomAuthRegistry) RevokeClientAccess(ctx context.Context, clientId string, revokeRefreshToken bool) error {
+	panic("implement me")
+}
+
+func (c CustomAuthRegistry) RevokeSessionAccess(ctx context.Context, sessionId string, revokeRefreshToken bool) error {
+	panic("implement me")
+}

pkg/security/config/testdata/custom_token_enhancer.go

@@ -0,0 +1,62 @@
+package testdata
+
+import (
+	"context"
+	"github.com/cisco-open/go-lanai/pkg/security/oauth2"
+	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth"
+)
+
+type CustomClaims struct {
+	oauth2.FieldClaimsMapper
+	oauth2.Claims
+	MyClaim string `claim:"MyClaim"`
+}
+
+func (c *CustomClaims) MarshalJSON() ([]byte, error) {
+	return c.FieldClaimsMapper.DoMarshalJSON(c)
+}
+
+func (c *CustomClaims) UnmarshalJSON(bytes []byte) error {
+	return c.FieldClaimsMapper.DoUnmarshalJSON(c, bytes)
+}
+
+func (c *CustomClaims) Get(claim string) interface{} {
+	return c.FieldClaimsMapper.Get(c, claim)
+}
+
+func (c *CustomClaims) Has(claim string) bool {
+	return c.FieldClaimsMapper.Has(c, claim)
+}
+
+func (c *CustomClaims) Set(claim string, value interface{}) {
+	c.FieldClaimsMapper.Set(c, claim, value)
+}
+
+func (c *CustomClaims) Values() map[string]interface{} {
+	return c.FieldClaimsMapper.Values(c)
+}
+
+type CustomTokenEnhancer struct{}
+
+func NewCustomTokenEnhancer() auth.TokenEnhancer {
+	return &CustomTokenEnhancer{}
+}
+
+func (c *CustomTokenEnhancer) Enhance(ctx context.Context, token oauth2.AccessToken, oauth oauth2.Authentication) (oauth2.AccessToken, error) {
+	t, ok := token.(*oauth2.DefaultAccessToken)
+	if !ok {
+		return nil, oauth2.NewInternalError("unsupported token implementation %T", t)
+	}
+
+	if t.Claims() == nil {
+		return nil, oauth2.NewInternalError("need to be placed after BasicClaimsEnhancer")
+	}
+
+	customClaims := &CustomClaims{
+		Claims: t.Claims(),
+	}
+	customClaims.MyClaim = "my_claim_value"
+
+	t.SetClaims(customClaims)
+	return t, nil
+}