From 4f95e6a372db1b43f991fdb8564a0332a06cab77 Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Wed, 4 Nov 2020 10:30:53 -0500
Subject: [PATCH] auth_handler.go: add test for invalid downstream redirect uri
Signed-off-by: Andrew Keesler
---
 internal/oidc/auth/auth_handler_test.go | 27 +++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go
index 72acbe090..09bb192b8 100644
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/oidc/auth/auth_handler_test.go
@@ -39,6 +39,16 @@ func TestAuthorizationEndpoint(t *testing.T) {
 "status_code": 401
 }
 `)
+
+ fositeInvalidRedirectURIErrorBody = here.Doc(`
+ {
+ "error": "invalid_request",
+ "error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
+ "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe \"redirect_uri\" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.",
+ "error_hint": "The \"redirect_uri\" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.",
+ "status_code": 400
+ }
+ `)
 )

 upstreamAuthURL, err := url.Parse("https://some-upstream-idp:8443/auth")
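Review bot: The new fixture `fositeInvalidRedirectURIErrorBody` pins fosite's full error text verbatim (`error_verbose`, `error_description` and `error_hint`), so a dependency upgrade that only rewords the hint would fail this test with no change in handler behaviour. That matches the neighbouring fixture whose tail is visible in the context lines, so keeping the pattern is reasonable, but the intent deserves a comment above the declaration, for example `// fosite's response when redirect_uri is not registered for the client: a JSON 400 written to the caller, not a redirect`. The enclosing declaration block begins outside the hunk.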
@@ -194,6 +204,23 @@ func TestAuthorizationEndpoint(t *testing.T) {
 wantContentType: "application/json; charset=utf-8",
 wantBodyJSON: fositeInvalidClientErrorBody,
 },
+ {
+ name: "downstream redirect uri does not match what is configured for client",
+ issuer: issuer,
+ idpListGetter: newIDPListGetter(upstreamOIDCIdentityProvider),
+ generateState: happyStateGenerator,
+ generatePKCE: happyPKCEGenerator,
+ generateNonce: happyNonceGenerator,
+ method: http.MethodGet,
+ path: fmt.Sprintf(
+ "/some/path?response_type=code&scope=%s&client_id=pinniped-cli&state=some-state-value&redirect_uri=%s",
+ url.QueryEscape("openid profile email"),
+ url.QueryEscape("http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client"),
+ ),
+ wantStatus: http.StatusBadRequest,
+ wantContentType: "application/json; charset=utf-8",
+ wantBodyJSON: fositeInvalidRedirectURIErrorBody,
+ },
 {
 name: "error while generating state",
 issuer: issuer,
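Review bot: The new table entry asserts `wantStatus`, `wantContentType` and `wantBodyJSON`, but nothing visible in it checks that the 400 response carries no `Location` header. For an unregistered `redirect_uri`, the property worth pinning is that the handler never redirects to the supplied URI. The query also omits `code_challenge` and `nonce`, so the expected error depends on redirect validation running before those checks; reusing the full happy-path query with only `redirect_uri` changed would isolate the cause. A comment on the entry would record the intent, e.g. `// unregistered redirect_uri: error must be rendered to the caller, never sent to the supplied URI`. The table struct and the assertion loop are outside this hunk, so a header check may already exist there.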