package auth_test
import (
"context"
"testing"
"time"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/stretchr/testify/require"
"github.com/fatedier/frp/pkg/auth"
v1 "github.com/fatedier/frp/pkg/config/v1"
"github.com/fatedier/frp/pkg/msg"
)
// mockTokenVerifier is a test double for the token verifier handed to
// auth.NewOidcAuthVerifier. It performs no signature, issuer, audience or
// expiry validation of any kind, so it must stay confined to test code.
type mockTokenVerifier struct{}

// Verify accepts any input string and returns an ID token whose Subject is
// that string, together with a nil error; ctx is ignored.
//
// NOTE(review): presumably the PrivilegeKey of a Login/Ping message is what
// reaches this method, which would let each test pick the resolved subject by
// picking the key it sends — confirm against pkg/auth.
func (v *mockTokenVerifier) Verify(ctx context.Context, subject string) (*oidc.IDToken, error) {
	token := &oidc.IDToken{Subject: subject}
	return token, nil
}
// TestPingWithEmptySubjectFromLoginFails checks that VerifyPing returns the
// subject-mismatch error when VerifyLogin was never called on the verifier.
// A heartbeat must not be accepted on the strength of its own token alone.
func TestPingWithEmptySubjectFromLoginFails(t *testing.T) {
	verifier := auth.NewOidcAuthVerifier(
		[]v1.AuthScope{v1.AuthScopeHeartBeats},
		&mockTokenVerifier{},
	)

	ping := &msg.Ping{
		PrivilegeKey: "ping-without-login",
		Timestamp:    time.Now().UnixMilli(),
	}
	err := verifier.VerifyPing(ping)

	// require aborts the test on the first failed assertion, so err is known
	// to be non-nil before err.Error() is evaluated.
	require.Error(t, err)
	require.Contains(t, err.Error(), "received different OIDC subject in login and ping")
}
// TestPingAfterLoginWithNewSubjectSucceeds checks the accepted path: a login
// and a subsequent ping that carry the same PrivilegeKey both verify without
// error on a freshly created verifier.
func TestPingAfterLoginWithNewSubjectSucceeds(t *testing.T) {
	const key = "ping-after-login"

	verifier := auth.NewOidcAuthVerifier(
		[]v1.AuthScope{v1.AuthScopeHeartBeats},
		&mockTokenVerifier{},
	)

	// The login must succeed first; the ping below is sent with the same key.
	login := &msg.Login{PrivilegeKey: key}
	require.NoError(t, verifier.VerifyLogin(login))

	ping := &msg.Ping{
		PrivilegeKey: key,
		Timestamp:    time.Now().UnixMilli(),
	}
	require.NoError(t, verifier.VerifyPing(ping))
}
// TestPingAfterLoginWithDifferentSubjectFails checks that a ping is rejected
// with the subject-mismatch error when its PrivilegeKey differs from the one
// used in the preceding successful login. This pins the binding between the
// identity that logged in and the identity sending heartbeats.
func TestPingAfterLoginWithDifferentSubjectFails(t *testing.T) {
	verifier := auth.NewOidcAuthVerifier(
		[]v1.AuthScope{v1.AuthScopeHeartBeats},
		&mockTokenVerifier{},
	)

	login := &msg.Login{PrivilegeKey: "login-with-first-subject"}
	require.NoError(t, verifier.VerifyLogin(login))

	ping := &msg.Ping{
		PrivilegeKey: "ping-with-different-subject",
		Timestamp:    time.Now().UnixMilli(),
	}
	err := verifier.VerifyPing(ping)

	// require aborts the test on the first failed assertion, so err is known
	// to be non-nil before err.Error() is evaluated.
	require.Error(t, err)
	require.Contains(t, err.Error(), "received different OIDC subject in login and ping")
}