From 874f938fc7ca25f7adcbe5bdb9f500663ed3e4b1 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Wed, 12 May 2021 13:55:54 -0700 Subject: [PATCH] unit test for garbage collection time for refresh and access tokens --- internal/oidc/token/token_handler_test.go | 30 +++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go index 3f47e9871..0521bbfa8 100644 --- a/internal/oidc/token/token_handler_test.go +++ b/internal/oidc/token/token_handler_test.go @@ -9,8 +9,10 @@ import ( "crypto/elliptic" "crypto/rand" "crypto/sha256" + "encoding/base32" "encoding/base64" "encoding/json" + "fmt" "io" "io/ioutil" "net/http" @@ -1201,7 +1203,7 @@ func requireTokenEndpointBehavior( wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token") requireInvalidAuthCodeStorage(t, authCode, oauthStore) - requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes) + requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets) requireInvalidPKCEStorage(t, authCode, oauthStore) requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes) @@ -1215,7 +1217,7 @@ func requireTokenEndpointBehavior( requireValidIDToken(t, parsedResponseBody, jwtSigningKey, wantAtHashClaimInIDToken, wantNonceValueInIDToken, parsedResponseBody["access_token"].(string)) } if wantRefreshToken { - requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes) + requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantRequestedScopes, test.wantGrantedScopes, secrets) } testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1) @@ -1450,6 +1452,7 @@ func requireValidRefreshTokenStorage( storage oauth2.CoreStorage, wantRequestedScopes []string, wantGrantedScopes []string, + secrets v1.SecretInterface, ) { t.Helper() @@ -1471,6 +1474,8 @@ func requireValidRefreshTokenStorage( wantGrantedScopes, true, ) + + requireGarbageCollectTimeInDelta(t, refreshTokenString, "refresh-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute) } func requireValidAccessTokenStorage( @@ -1479,6 +1484,7 @@ func requireValidAccessTokenStorage( storage oauth2.CoreStorage, wantRequestedScopes []string, wantGrantedScopes []string, + secrets v1.SecretInterface, ) { t.Helper() @@ -1519,6 +1525,8 @@ func requireValidAccessTokenStorage( wantGrantedScopes, true, ) + + requireGarbageCollectTimeInDelta(t, accessTokenString, "access-token", secrets, time.Now().Add(9*time.Hour).Add(2*time.Minute), 1*time.Minute) } func requireInvalidAccessTokenStorage( @@ -1681,6 +1689,24 @@ func requireValidStoredRequest( require.Empty(t, session.Subject) } +func requireGarbageCollectTimeInDelta(t *testing.T, tokenString string, typeLabel string, secrets v1.SecretInterface, wantExpirationTime time.Time, deltaTime time.Duration) { + t.Helper() + signature := getFositeDataSignature(t, tokenString) + signatureBytes, err := base64.RawURLEncoding.DecodeString(signature) + require.NoError(t, err) + // lower case base32 encoding insures that our secret name is valid per ValidateSecretName in k/k + var b32 = base32.StdEncoding.WithPadding(base32.NoPadding) + signatureAsValidName := strings.ToLower(b32.EncodeToString(signatureBytes)) + secretName := fmt.Sprintf("pinniped-storage-%s-%s", typeLabel, signatureAsValidName) + secret, err := secrets.Get(context.Background(), secretName, metav1.GetOptions{}) + require.NoError(t, err) + refreshTokenGCTimeString := secret.Annotations["storage.pinniped.dev/garbage-collect-after"] + refreshTokenGCTime, err := time.Parse(crud.SecretLifetimeAnnotationDateFormat, refreshTokenGCTimeString) + require.NoError(t, err) + + testutil.RequireTimeInDelta(t, refreshTokenGCTime, wantExpirationTime, deltaTime) +} + func requireValidIDToken( t *testing.T, body map[string]interface{},