master

分支 (34)

标签 (130)

管理

管理

master

contributing-05-12-20-10-00-36

contributing-04-16-20-19-31-31

fix-storage

fix-err

contributing-04-13-20-09-21-56

contributing-04-12-20-10-41-32

contributing-04-04-20-15-45-22

contributing-04-05-20-09-45-31

contributing-04-04-20-12-02-41

contributing-03-18-20-19-08-24

fix-386

contributing-02-02-20-22-55-43

contributing-01-20-20-10-24-59

contributing-01-20-20-10-13-24

contributing-08-19-19-19-01-07

contributing-08-11-19-13-19-43

contributing-08-10-19-00-52-57

contributing-08-10-19-00-48-22

contributing-08-05-19-18-31-41

v0.32.1

v0.32.0

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.8

v0.29.7

v0.29.6

v0.29.4

v0.29.5

v0.29.3

v0.29.2

fosite
/
authorize_helper_test.go

/*
 * Copyright © 2015-2018 Aeneas Rekkas <[email protected]>
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * @author		Aeneas Rekkas <[email protected]>
 * @copyright 	2015-2018 Aeneas Rekkas <[email protected]>
 * @license 	Apache-2.0
 *
 */

package fosite

import (
	"net/url"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestIsLocalhost(t *testing.T) {
	for k, c := range []struct {
		expect bool
		rawurl string
	}{
		{expect: false, rawurl: "https://foo.bar"},
		{expect: true, rawurl: "https://localhost"},
		{expect: true, rawurl: "https://localhost:1234"},
		{expect: true, rawurl: "https://127.0.0.1:1234"},
		{expect: true, rawurl: "https://127.0.0.1"},
		{expect: true, rawurl: "https://test.localhost:1234"},
		{expect: true, rawurl: "https://test.localhost"},
	} {
		u, _ := url.Parse(c.rawurl)
		assert.Equal(t, c.expect, IsLocalhost(u), "case %d", k)
	}
}

// Test for
// * https://tools.ietf.org/html/rfc6749#section-3.1.2
//   The endpoint URI MAY include an
//   "application/x-www-form-urlencoded" formatted (per Appendix B) query
//   component ([RFC3986] Section 3.4), which MUST be retained when adding
//   additional query parameters.
func TestGetRedirectURI(t *testing.T) {
	for k, c := range []struct {
		in       string
		isError  bool
		expected string
	}{
		{in: "", isError: false, expected: ""},
		{in: "https://google.com/", isError: false, expected: "https://google.com/"},
		{in: "https://google.com/?foo=bar%20foo+baz", isError: false, expected: "https://google.com/?foo=bar foo baz"},
	} {
		values := url.Values{}
		values.Set("redirect_uri", c.in)
		res, err := GetRedirectURIFromRequestValues(values)
		assert.Equal(t, c.isError, err != nil, "%s", err)
		if err == nil {
			assert.Equal(t, c.expected, res)
		}
		t.Logf("Passed test case %d", k)
	}
}

// rfc6749 10.6.
// Authorization Code Redirection URI Manipulation
// The authorization server	MUST require public clients and SHOULD require confidential clients
// to register their redirection URIs.  If a redirection URI is provided
// in the request, the authorization server MUST validate it against the
// registered value.
//
// rfc6819 4.4.1.7.
// Threat: Authorization "code" Leakage through Counterfeit Client
// The authorization server may also enforce the usage and validation
// of pre-registered redirect URIs (see Section 5.2.3.5).
func TestDoesClientWhiteListRedirect(t *testing.T) {
	for k, c := range []struct {
		client   Client
		url      string
		isError  bool
		expected string
	}{
		{
			client:  &DefaultClient{RedirectURIs: []string{""}},
			url:     "https://foo.com/cb",
			isError: true,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"wta://auth"}},
			url:      "wta://auth",
			expected: "wta://auth",
			isError:  false,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"wta:///auth"}},
			url:      "wta:///auth",
			expected: "wta:///auth",
			isError:  false,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"wta://foo/auth"}},
			url:      "wta://foo/auth",
			expected: "wta://foo/auth",
			isError:  false,
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{"https://bar.com/cb"}},
			url:     "https://foo.com/cb",
			isError: true,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"https://bar.com/cb"}},
			url:      "",
			isError:  false,
			expected: "https://bar.com/cb",
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{""}},
			url:     "",
			isError: true,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"https://bar.com/cb"}},
			url:      "https://bar.com/cb",
			isError:  false,
			expected: "https://bar.com/cb",
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"https://bar.Com/cb"}},
			url:      "https://bar.com/cb",
			isError:  false,
			expected: "https://bar.com/cb",
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"https://bar.com/cb"}},
			url:      "https://bar.Com/cb",
			isError:  false,
			expected: "https://bar.Com/cb",
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{"https://bar.com/cb"}},
			url:     "https://bar.com/cb123",
			isError: true,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"http://[::1]"}},
			url:      "http://[::1]:1024",
			isError:  false,
			expected: "http://[::1]:1024",
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{"http://[::1]"}},
			url:     "http://[::1]:1024/cb",
			isError: true,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"http://[::1]/cb"}},
			url:      "http://[::1]:1024/cb",
			isError:  false,
			expected: "http://[::1]:1024/cb",
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{"http://[::1]"}},
			url:     "http://foo.bar/bar",
			isError: true,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"http://127.0.0.1"}},
			url:      "http://127.0.0.1:1024",
			isError:  false,
			expected: "http://127.0.0.1:1024",
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"http://127.0.0.1/cb"}},
			url:      "http://127.0.0.1:64000/cb",
			isError:  false,
			expected: "http://127.0.0.1:64000/cb",
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{"http://127.0.0.1"}},
			url:     "http://127.0.0.1:64000/cb",
			isError: true,
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"http://127.0.0.1"}},
			url:      "http://127.0.0.1",
			isError:  false,
			expected: "http://127.0.0.1",
		},
		{
			client:   &DefaultClient{RedirectURIs: []string{"http://127.0.0.1/Cb"}},
			url:      "http://127.0.0.1:8080/Cb",
			isError:  false,
			expected: "http://127.0.0.1:8080/Cb",
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{"http://127.0.0.1"}},
			url:     "http://foo.bar/bar",
			isError: true,
		},
		{
			client:  &DefaultClient{RedirectURIs: []string{"http://127.0.0.1"}},
			url:     ":/invalid.uri)bar",
			isError: true,
		},
	} {
		redir, err := MatchRedirectURIWithClientRedirectURIs(c.url, c.client)
		assert.Equal(t, c.isError, err != nil, "%d: %s", k, err)
		if err == nil {
			require.NotNil(t, redir, "%d", k)
			assert.Equal(t, c.expected, redir.String(), "%d", k)
		}
		t.Logf("Passed test case %d", k)
	}
}

func TestIsRedirectURISecure(t *testing.T) {
	for d, c := range []struct {
		u   string
		err bool
	}{
		{u: "http://google.com", err: true},
		{u: "https://google.com", err: false},
		{u: "http://localhost", err: false},
		{u: "http://test.localhost", err: false},
		{u: "http://127.0.0.1/", err: false},
		{u: "http://testlocalhost", err: true},
		{u: "wta://auth", err: false},
	} {
		uu, err := url.Parse(c.u)
		require.NoError(t, err)
		assert.Equal(t, !c.err, IsRedirectURISecure(uu), "case %d", d)
	}
}