|
|
@ -7,6 +7,7 @@ package integrations |
|
|
|
import ( |
|
|
|
import ( |
|
|
|
"bytes" |
|
|
|
"bytes" |
|
|
|
"io" |
|
|
|
"io" |
|
|
|
|
|
|
|
"net/http" |
|
|
|
"testing" |
|
|
|
"testing" |
|
|
|
|
|
|
|
|
|
|
|
"code.gitea.io/gitea/modules/json" |
|
|
|
"code.gitea.io/gitea/modules/json" |
|
|
@ -21,20 +22,20 @@ func TestNoClientID(t *testing.T) { |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
req := NewRequest(t, "GET", "/login/oauth/authorize") |
|
|
|
req := NewRequest(t, "GET", "/login/oauth/authorize") |
|
|
|
ctx := loginUser(t, "user2") |
|
|
|
ctx := loginUser(t, "user2") |
|
|
|
ctx.MakeRequest(t, req, 400) |
|
|
|
ctx.MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func TestLoginRedirect(t *testing.T) { |
|
|
|
func TestLoginRedirect(t *testing.T) { |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
req := NewRequest(t, "GET", "/login/oauth/authorize") |
|
|
|
req := NewRequest(t, "GET", "/login/oauth/authorize") |
|
|
|
assert.Contains(t, MakeRequest(t, req, 302).Body.String(), "/user/login") |
|
|
|
assert.Contains(t, MakeRequest(t, req, http.StatusSeeOther).Body.String(), "/user/login") |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func TestShowAuthorize(t *testing.T) { |
|
|
|
func TestShowAuthorize(t *testing.T) { |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
req := NewRequest(t, "GET", defaultAuthorize) |
|
|
|
req := NewRequest(t, "GET", defaultAuthorize) |
|
|
|
ctx := loginUser(t, "user4") |
|
|
|
ctx := loginUser(t, "user4") |
|
|
|
resp := ctx.MakeRequest(t, req, 200) |
|
|
|
resp := ctx.MakeRequest(t, req, http.StatusOK) |
|
|
|
|
|
|
|
|
|
|
|
htmlDoc := NewHTMLParser(t, resp.Body) |
|
|
|
htmlDoc := NewHTMLParser(t, resp.Body) |
|
|
|
htmlDoc.AssertElement(t, "#authorize-app", true) |
|
|
|
htmlDoc.AssertElement(t, "#authorize-app", true) |
|
|
@ -45,7 +46,7 @@ func TestRedirectWithExistingGrant(t *testing.T) { |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
defer prepareTestEnv(t)() |
|
|
|
req := NewRequest(t, "GET", defaultAuthorize) |
|
|
|
req := NewRequest(t, "GET", defaultAuthorize) |
|
|
|
ctx := loginUser(t, "user1") |
|
|
|
ctx := loginUser(t, "user1") |
|
|
|
resp := ctx.MakeRequest(t, req, 302) |
|
|
|
resp := ctx.MakeRequest(t, req, http.StatusSeeOther) |
|
|
|
u, err := resp.Result().Location() |
|
|
|
u, err := resp.Result().Location() |
|
|
|
assert.NoError(t, err) |
|
|
|
assert.NoError(t, err) |
|
|
|
assert.Equal(t, "thestate", u.Query().Get("state")) |
|
|
|
assert.Equal(t, "thestate", u.Query().Get("state")) |
|
|
@ -62,7 +63,7 @@ func TestAccessTokenExchange(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
resp := MakeRequest(t, req, 200) |
|
|
|
resp := MakeRequest(t, req, http.StatusOK) |
|
|
|
type response struct { |
|
|
|
type response struct { |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
@ -86,7 +87,7 @@ func TestAccessTokenExchangeWithoutPKCE(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
resp := MakeRequest(t, req, 200) |
|
|
|
resp := MakeRequest(t, req, http.StatusOK) |
|
|
|
type response struct { |
|
|
|
type response struct { |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
@ -109,7 +110,7 @@ func TestAccessTokenExchangeJSON(t *testing.T) { |
|
|
|
"redirect_uri": "a", |
|
|
|
"redirect_uri": "a", |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
}) |
|
|
|
}) |
|
|
|
MakeRequest(t, req, 400) |
|
|
|
MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { |
|
|
|
func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { |
|
|
@ -123,7 +124,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
MakeRequest(t, req, 400) |
|
|
|
MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
// invalid client secret
|
|
|
|
// invalid client secret
|
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
"grant_type": "authorization_code", |
|
|
|
"grant_type": "authorization_code", |
|
|
@ -133,7 +134,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
MakeRequest(t, req, 400) |
|
|
|
MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
// invalid redirect uri
|
|
|
|
// invalid redirect uri
|
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
"grant_type": "authorization_code", |
|
|
|
"grant_type": "authorization_code", |
|
|
@ -143,7 +144,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
MakeRequest(t, req, 400) |
|
|
|
MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
// invalid authorization code
|
|
|
|
// invalid authorization code
|
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
"grant_type": "authorization_code", |
|
|
|
"grant_type": "authorization_code", |
|
|
@ -153,7 +154,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { |
|
|
|
"code": "???", |
|
|
|
"code": "???", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
MakeRequest(t, req, 400) |
|
|
|
MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
// invalid grant_type
|
|
|
|
// invalid grant_type
|
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
"grant_type": "???", |
|
|
|
"grant_type": "???", |
|
|
@ -163,7 +164,7 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
MakeRequest(t, req, 400) |
|
|
|
MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { |
|
|
|
func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { |
|
|
@ -175,7 +176,7 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9") |
|
|
|
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9") |
|
|
|
resp := MakeRequest(t, req, 200) |
|
|
|
resp := MakeRequest(t, req, http.StatusOK) |
|
|
|
type response struct { |
|
|
|
type response struct { |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
@ -196,7 +197,7 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OmJsYWJsYQ==") |
|
|
|
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OmJsYWJsYQ==") |
|
|
|
resp = MakeRequest(t, req, 400) |
|
|
|
resp = MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
|
|
|
|
|
|
|
|
// missing header
|
|
|
|
// missing header
|
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ |
|
|
@ -205,7 +206,7 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
resp = MakeRequest(t, req, 400) |
|
|
|
resp = MakeRequest(t, req, http.StatusBadRequest) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func TestRefreshTokenInvalidation(t *testing.T) { |
|
|
|
func TestRefreshTokenInvalidation(t *testing.T) { |
|
|
@ -218,7 +219,7 @@ func TestRefreshTokenInvalidation(t *testing.T) { |
|
|
|
"code": "authcode", |
|
|
|
"code": "authcode", |
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
|
|
|
|
}) |
|
|
|
}) |
|
|
|
resp := MakeRequest(t, req, 200) |
|
|
|
resp := MakeRequest(t, req, http.StatusOK) |
|
|
|
type response struct { |
|
|
|
type response struct { |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
AccessToken string `json:"access_token"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
|
TokenType string `json:"token_type"` |
|
|
@ -244,16 +245,16 @@ func TestRefreshTokenInvalidation(t *testing.T) { |
|
|
|
assert.NoError(t, err) |
|
|
|
assert.NoError(t, err) |
|
|
|
|
|
|
|
|
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
MakeRequest(t, refreshReq, 200) |
|
|
|
MakeRequest(t, refreshReq, http.StatusOK) |
|
|
|
|
|
|
|
|
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
MakeRequest(t, refreshReq, 200) |
|
|
|
MakeRequest(t, refreshReq, http.StatusOK) |
|
|
|
|
|
|
|
|
|
|
|
// test with invalidation
|
|
|
|
// test with invalidation
|
|
|
|
setting.OAuth2.InvalidateRefreshTokens = true |
|
|
|
setting.OAuth2.InvalidateRefreshTokens = true |
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
MakeRequest(t, refreshReq, 200) |
|
|
|
MakeRequest(t, refreshReq, http.StatusOK) |
|
|
|
|
|
|
|
|
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) |
|
|
|
MakeRequest(t, refreshReq, 400) |
|
|
|
MakeRequest(t, refreshReq, http.StatusBadRequest) |
|
|
|
} |
|
|
|
} |
|
|
|