Check username claim is unchanged for oidc.

Also add integration tests for claims changing.
2026-01-06 13:36:54 +00:00 · 2021-12-14 11:59:52 -08:00
parent b098435290
commit 0cd086cf9c
5 changed files with 145 additions and 15 deletions
--- a/internal/upstreamoidc/upstreamoidc.go
+++ b/internal/upstreamoidc/upstreamoidc.go
@@ -242,7 +242,7 @@ func ExtractUpstreamSubjectFromDownstream(downstreamSubject string) (string, err
 	if !strings.Contains(downstreamSubject, "?sub=") {
 		return "", errors.New("downstream subject did not contain original upstream subject")
 	}
-	return strings.SplitN(downstreamSubject, "?sub=", 2)[1], nil // TODO test for ?sub= occurring twice (imagine if you ran the supervisor with another supervisor as the upstream idp...)
+	return strings.SplitN(downstreamSubject, "?sub=", 2)[1], nil
 }

 // ValidateToken will validate the ID token. It will also merge the claims from the userinfo endpoint response,
--- a/internal/upstreamoidc/upstreamoidc_test.go
+++ b/internal/upstreamoidc/upstreamoidc_test.go
@@ -910,6 +910,45 @@ func TestProviderConfig(t *testing.T) {
 		}
 	})

+	t.Run("ExtractUpstreamSubjectFromDownstream", func(t *testing.T) {
+		tests := []struct {
+			name                string
+			downstreamSubject   string
+			wantUpstreamSubject string
+			wantErr             string
+		}{
+			{
+				name:                "happy path",
+				downstreamSubject:   "https://some-issuer?sub=some-subject",
+				wantUpstreamSubject: "some-subject",
+			},
+			{
+				name:                "subject in a subject",
+				downstreamSubject:   "https://some-other-issuer?sub=https://some-issuer?sub=some-subject",
+				wantUpstreamSubject: "https://some-issuer?sub=some-subject",
+			},
+			{
+				name:              "doesn't contain sub=",
+				downstreamSubject: "something-invalid",
+				wantErr:           "downstream subject did not contain original upstream subject",
+			},
+		}
+		for _, tt := range tests {
+			tt := tt
+			t.Run(tt.name, func(t *testing.T) {
+				actualUpstreamSubject, err := ExtractUpstreamSubjectFromDownstream(tt.downstreamSubject)
+				if tt.wantErr != "" {
+					require.Error(t, err)
+					require.Equal(t, tt.wantErr, err.Error())
+				} else {
+					require.NoError(t, err)
+					require.Equal(t, tt.wantUpstreamSubject, actualUpstreamSubject)
+				}
+			})
+		}
+
+	})
+
 	t.Run("ExchangeAuthcodeAndValidateTokens", func(t *testing.T) {
 		tests := []struct {
 			name        string