seperates test case
liverpool8056 committed Aug 10, 2023
1 parent e27a926 commit 34715ad
Showing 2 changed files with 152 additions and 87 deletions.
2 changes: 1 addition & 1 deletion kong/plugins/oauth2/access.lua
Expand Up @@ -771,7 +771,7 @@ local function issue_token(conf)
if not table_contains(conf.scopes, scope) then
response_params = {
[ERROR] = "invalid_scope",
error_description = "scope mismatch",
error_description = "Scope mismatch",
}
break
end
237 changes: 151 additions & 86 deletions spec/03-plugins/25-oauth2/03-access_spec.lua
Expand Up @@ -265,6 +265,7 @@ describe("Plugin: oauth2 [#" .. strategy .. "]", function()
local service18 = admin_api.services:insert()
local service19 = admin_api.services:insert()
local service20 = admin_api.services:insert()
local service21 = admin_api.services:insert()

local route1 = assert(admin_api.routes:insert({
hosts = { "oauth2.com" },
Expand Down Expand Up @@ -398,6 +399,12 @@ describe("Plugin: oauth2 [#" .. strategy .. "]", function()
service = service20,
}))

local route21 = assert(admin_api.routes:insert({
hosts = { "oauth2_21.com" },
protocols = { "http", "https" },
service = service21,
}))

local service_grpc = assert(admin_api.services:insert {
name = "grpc",
url = helpers.grpcbin_url,
Expand Down Expand Up @@ -597,7 +604,15 @@ describe("Plugin: oauth2 [#" .. strategy .. "]", function()
admin_api.oauth2_plugins:insert({
route = { id = route20.id },
config = {
scopes = { "scope18", "scope20" },
scopes = { "scope20" },
global_credentials = true,
}
})

admin_api.oauth2_plugins:insert({
route = { id = route21.id },
config = {
scopes = { "scope20", "scope21" },
global_credentials = true,
}
})
Expand Down Expand Up @@ -2950,97 +2965,147 @@ describe("Plugin: oauth2 [#" .. strategy .. "]", function()
})
assert.res_status(401, res)
end)
describe("refreshing token", function()
local request_client, token
it("fails when scope is mismatching", function ()
-- provision code
local code, body, res
request_client = helpers.proxy_ssl_client()
body = {
provision_key = "provision123",
client_id = "clientid123",
response_type = "code",
scope = "scope18",
state = "hello",
authenticated_userid = "userid123",
}
res = assert(request_client:send {
method = "POST",
path = "/oauth2/authorize",
body = body,
headers = kong.table.merge({
["Host"] = "oauth2_18.com",
["Content-Type"] = "application/json"
})
})
res = assert(cjson.decode(assert.res_status(200, res)))
if res.redirect_uri then
local iterator, err = ngx.re.gmatch(res.redirect_uri, "^http://google\\.com/kong\\?code=([\\w]{32,32})&state=hello$")
assert.is_nil(err)
local m, err = iterator()
assert.is_nil(err)
code = m[1]
end

-- provision token
body = {
code = code,
it("refreshing token fails when scope is mismatching", function ()
-- provision code
local code, body, res
local request_client = helpers.proxy_ssl_client()
body = {
provision_key = "provision123",
client_id = "clientid123",
client_secret = "secret123",
grant_type = "authorization_code",
redirect_uri = "http://google.com/kong",
}
res = assert(request_client:send {
method = "POST",
path = "/oauth2/token",
body = body,
headers = {
["Host"] = "oauth2_18.com",
["Content-Type"] = "application/json"
}
response_type = "code",
scope = "scope18",
state = "hello",
authenticated_userid = "userid123",
}
res = assert(request_client:send {
method = "POST",
path = "/oauth2/authorize",
body = body,
headers = kong.table.merge({
["Host"] = "oauth2_18.com",
["Content-Type"] = "application/json"
})
token = assert(cjson.decode(assert.res_status(200, res)))
})
res = assert(cjson.decode(assert.res_status(200, res)))
if res.redirect_uri then
local iterator, err = ngx.re.gmatch(res.redirect_uri, "^http://google\\.com/kong\\?code=([\\w]{32,32})&state=hello$")
assert.is_nil(err)
local m, err = iterator()
assert.is_nil(err)
code = m[1]
end

-- refresh token with mismatching scope
res = assert(request_client:send {
method = "POST",
path = "/oauth2/token",
body = {
refresh_token = token.refresh_token,
client_id = "clientid123",
client_secret = "secret123",
grant_type = "refresh_token",
},
headers = {
["Host"] = "oauth2_19.com",
["Content-Type"] = "application/json"
}
})
res = assert(cjson.decode(assert.res_status(400, res)))
assert.same({
error = "invalid_scope",
error_description = "scope mismatch"
}, res)
end)
it("succeeds when scope is a subset", function()
-- refresh token with mismatching scope
local res = assert(request_client:send {
method = "POST",
path = "/oauth2/token",
body = {
refresh_token = token.refresh_token,
client_id = "clientid123",
client_secret = "secret123",
grant_type = "refresh_token",
},
headers = {
["Host"] = "oauth2_20.com",
["Content-Type"] = "application/json"
}
-- provision token
body = {
code = code,
client_id = "clientid123",
client_secret = "secret123",
grant_type = "authorization_code",
redirect_uri = "http://google.com/kong",
}
res = assert(request_client:send {
method = "POST",
path = "/oauth2/token",
body = body,
headers = {
["Host"] = "oauth2_18.com",
["Content-Type"] = "application/json"
}
})
local token = assert(cjson.decode(assert.res_status(200, res)))

-- refresh token with mismatching scope
res = assert(request_client:send {
method = "POST",
path = "/oauth2/token",
body = {
refresh_token = token.refresh_token,
client_id = "clientid123",
client_secret = "secret123",
grant_type = "refresh_token",
},
headers = {
["Host"] = "oauth2_19.com",
["Content-Type"] = "application/json"
}
})
res = assert(cjson.decode(assert.res_status(400, res)))
assert.same({
error = "invalid_scope",
error_description = "Scope mismatch"
}, res)
request_client:close()
end)

it("refreshing token succeeds when scope is a subset", function()
-- provision code
local code, body, res
local request_client = helpers.proxy_ssl_client()
body = {
provision_key = "provision123",
client_id = "clientid123",
response_type = "code",
scope = "scope20",
state = "hello",
authenticated_userid = "userid123",
}
res = assert(request_client:send {
method = "POST",
path = "/oauth2/authorize",
body = body,
headers = kong.table.merge({
["Host"] = "oauth2_20.com",
["Content-Type"] = "application/json"
})
assert(cjson.decode(assert.res_status(200, res)))
end)
})
res = assert(cjson.decode(assert.res_status(200, res)))
if res.redirect_uri then
local iterator, err = ngx.re.gmatch(res.redirect_uri, "^http://google\\.com/kong\\?code=([\\w]{32,32})&state=hello$")
assert.is_nil(err)
local m, err = iterator()
assert.is_nil(err)
code = m[1]
end

-- provision token
body = {
code = code,
client_id = "clientid123",
client_secret = "secret123",
grant_type = "authorization_code",
redirect_uri = "http://google.com/kong",
}
res = assert(request_client:send {
method = "POST",
path = "/oauth2/token",
body = body,
headers = {
["Host"] = "oauth2_20.com",
["Content-Type"] = "application/json"
}
})
local token = assert(cjson.decode(assert.res_status(200, res)))

-- refresh token with mismatching scope
local res = assert(request_client:send {
method = "POST",
path = "/oauth2/token",
body = {
refresh_token = token.refresh_token,
client_id = "clientid123",
client_secret = "secret123",
grant_type = "refresh_token",
},
headers = {
["Host"] = "oauth2_21.com",
["Content-Type"] = "application/json"
}
})
assert(cjson.decode(assert.res_status(200, res)))
request_client:close()
end)

it("fails when a correct access_token is being sent in the wrong header", function()
local token = provision_token("oauth2_11.com",nil,"clientid1011","secret1011")

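Review bot: The comment before the second token request in the "refreshing token succeeds when scope is a subset" test still reads `-- refresh token with mismatching scope`, but that request goes to oauth2_21.com, whose plugin is configured with `scopes = { "scope20", "scope21" }`, a superset of the token's `scope20`, and the test asserts 200; it should read `-- refresh token on a route whose configured scopes are a superset of the token's scope`. The line after it, `local res = assert(request_client:send {`, redeclares the `res` already introduced by `local code, body, res` at the top of that test; dropping the `local` keeps it consistent with the preceding requests and with the sibling "fails when scope is mismatching" test, and avoids the shadowing warning luacheck would raise. In both new tests `request_client:close()` is only reached when every assertion passes, so a failing run leaks the client; registering `finally(function() request_client:close() end)` right after `helpers.proxy_ssl_client()` closes it either way. The `if res.redirect_uri then` guard, carried over from the old test, leaves `code` nil when the authorize call returns no redirect_uri, so the failure would surface later as an opaque token-endpoint error; an `assert.is_not_nil(res.redirect_uri)` before the match would pin the real cause.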
