Backfill test to show that the IDP chooser page is shown when only one IDP is on the FederationDomain

2025-12-23 06:15:47 +00:00 · 2025-02-11 16:41:52 -06:00
parent 876f626e7d
commit 1d99889418
1 changed files with 40 additions and 2 deletions
--- a/internal/federationdomain/endpoints/auth/auth_handler_test.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package auth
@@ -993,7 +993,45 @@ func TestAuthorizationEndpoint(t *testing.T) { //nolint:gocyclo
 			},
 		},
 		{
-			name: "with multiple IDPs available, request does not choose which IDP to use",
+			name: "with one IDP available, request does not choose which IDP to use, will redirect to the IDP chooser",
+			idps: testidplister.NewUpstreamIDPListerBuilder().
+				WithLDAP(upstreamLDAPIdentityProviderBuilder().Build()),
+			generateCSRF:                           happyCSRFGenerator,
+			generatePKCE:                           happyPKCEGenerator,
+			generateNonce:                          happyNonceGenerator,
+			stateEncoder:                           happyStateEncoder,
+			cookieEncoder:                          happyCookieEncoder,
+			method:                                 http.MethodGet,
+			path:                                   happyGetRequestPath, // does not include pinniped_idp_name param
+			wantStatus:                             http.StatusSeeOther,
+			wantContentType:                        htmlContentType,
+			wantCSRFValueInCookieHeader:            "", // there should not be a CSRF cookie set on the response
+			wantLocationHeader:                     urlWithQuery(downstreamIssuer+"/choose_identity_provider", happyGetRequestQueryMap),
+			wantUpstreamStateParamInLocationHeader: false, // it should copy the params of the original request, not add a new state param
+			wantBodyStringWithLocationInHref:       true,
+			wantAuditLogs: func(_ stateparam.Encoded, sessionID string) []testutil.WantedAuditLog {
+				return []testutil.WantedAuditLog{
+					testutil.WantAuditLog("HTTP Request Parameters", map[string]any{
+						"params": map[string]any{
+							"client_id":             "pinniped-cli",
+							"code_challenge":        "redacted",
+							"code_challenge_method": "S256",
+							"nonce":                 "redacted",
+							"redirect_uri":          "http://127.0.0.1/callback",
+							"response_type":         "code",
+							"scope":                 "openid profile email username groups",
+							"state":                 "redacted",
+						},
+					}),
+					testutil.WantAuditLog("HTTP Request Custom Headers Used", map[string]any{
+						"Pinniped-Username": false,
+						"Pinniped-Password": false,
+					}),
+				}
+			},
+		},
+		{
+			name: "with multiple IDPs available, request does not choose which IDP to use, will redirect to the IDP chooser",
 			idps: testidplister.NewUpstreamIDPListerBuilder().
 				WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()).
 				WithLDAP(upstreamLDAPIdentityProviderBuilder().Build()),