afan
/
gitea
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
gitea源码
1 提交
2 分支
目录树: 61128e8e94
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '61128e8e94'
${ noResults }
gitea/tests/integration/oauth_test.go

oauth_test.go 38KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"bytes"

  8. 	"encoding/base64"

  9. 	"fmt"

  10. 	"io"

  11. 	"net/http"

  12. 	"net/http/httptest"

  13. 	"strings"

  14. 	"testing"

  15. 

  16. 	asymkey_model "code.gitea.io/gitea/models/asymkey"

  17. 	auth_model "code.gitea.io/gitea/models/auth"

  18. 	"code.gitea.io/gitea/models/db"

  19. 	"code.gitea.io/gitea/models/unittest"

  20. 	user_model "code.gitea.io/gitea/models/user"

  21. 	"code.gitea.io/gitea/modules/json"

  22. 	"code.gitea.io/gitea/modules/setting"

  23. 	api "code.gitea.io/gitea/modules/structs"

  24. 	"code.gitea.io/gitea/modules/test"

  25. 	"code.gitea.io/gitea/modules/util"

  26. 	"code.gitea.io/gitea/services/auth/source/oauth2"

  27. 	"code.gitea.io/gitea/services/oauth2_provider"

  28. 	"code.gitea.io/gitea/tests"

  29. 

  30. 	"github.com/markbates/goth"

  31. 	"github.com/markbates/goth/gothic"

  32. 	"github.com/stretchr/testify/assert"

  33. 	"github.com/stretchr/testify/require"

  34. )

  35. 

  36. func TestOAuth2Provider(t *testing.T) {

  37. 	defer tests.PrepareTestEnv(t)()

  38. 

  39. 	t.Run("AuthorizeNoClientID", testAuthorizeNoClientID)

  40. 	t.Run("AuthorizeUnregisteredRedirect", testAuthorizeUnregisteredRedirect)

  41. 	t.Run("AuthorizeUnsupportedResponseType", testAuthorizeUnsupportedResponseType)

  42. 	t.Run("AuthorizeUnsupportedCodeChallengeMethod", testAuthorizeUnsupportedCodeChallengeMethod)

  43. 	t.Run("AuthorizeLoginRedirect", testAuthorizeLoginRedirect)

  44. 

  45. 	t.Run("OAuth2WellKnown", testOAuth2WellKnown)

  46. }

  47. 

  48. func testAuthorizeNoClientID(t *testing.T) {

  49. 	req := NewRequest(t, "GET", "/login/oauth/authorize")

  50. 	ctx := loginUser(t, "user2")

  51. 	resp := ctx.MakeRequest(t, req, http.StatusBadRequest)

  52. 	assert.Contains(t, resp.Body.String(), "Client ID not registered")

  53. }

  54. 

  55. func testAuthorizeUnregisteredRedirect(t *testing.T) {

  56. 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=UNREGISTERED&response_type=code&state=thestate")

  57. 	ctx := loginUser(t, "user1")

  58. 	resp := ctx.MakeRequest(t, req, http.StatusBadRequest)

  59. 	assert.Contains(t, resp.Body.String(), "Unregistered Redirect URI")

  60. }

  61. 

  62. func testAuthorizeUnsupportedResponseType(t *testing.T) {

  63. 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=UNEXPECTED&state=thestate")

  64. 	ctx := loginUser(t, "user1")

  65. 	resp := ctx.MakeRequest(t, req, http.StatusSeeOther)

  66. 	u, err := resp.Result().Location()

  67. 	assert.NoError(t, err)

  68. 	assert.Equal(t, "unsupported_response_type", u.Query().Get("error"))

  69. 	assert.Equal(t, "Only code response type is supported.", u.Query().Get("error_description"))

  70. }

  71. 

  72. func testAuthorizeUnsupportedCodeChallengeMethod(t *testing.T) {

  73. 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate&code_challenge_method=UNEXPECTED")

  74. 	ctx := loginUser(t, "user1")

  75. 	resp := ctx.MakeRequest(t, req, http.StatusSeeOther)

  76. 	u, err := resp.Result().Location()

  77. 	assert.NoError(t, err)

  78. 	assert.Equal(t, "invalid_request", u.Query().Get("error"))

  79. 	assert.Equal(t, "unsupported code challenge method", u.Query().Get("error_description"))

  80. }

  81. 

  82. func testAuthorizeLoginRedirect(t *testing.T) {

  83. 	req := NewRequest(t, "GET", "/login/oauth/authorize")

  84. 	assert.Contains(t, MakeRequest(t, req, http.StatusSeeOther).Body.String(), "/user/login")

  85. }

  86. 

  87. func TestAuthorizeShow(t *testing.T) {

  88. 	defer tests.PrepareTestEnv(t)()

  89. 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate")

  90. 	ctx := loginUser(t, "user4")

  91. 	resp := ctx.MakeRequest(t, req, http.StatusOK)

  92. 

  93. 	htmlDoc := NewHTMLParser(t, resp.Body)

  94. 	AssertHTMLElement(t, htmlDoc, "#authorize-app", true)

  95. 	htmlDoc.GetCSRF()

  96. }

  97. 

  98. func TestAuthorizeRedirectWithExistingGrant(t *testing.T) {

  99. 	defer tests.PrepareTestEnv(t)()

  100. 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=https%3A%2F%2Fexample.com%2Fxyzzy&response_type=code&state=thestate")

  101. 	ctx := loginUser(t, "user1")

  102. 	resp := ctx.MakeRequest(t, req, http.StatusSeeOther)

  103. 	u, err := resp.Result().Location()

  104. 	assert.NoError(t, err)

  105. 	assert.Equal(t, "thestate", u.Query().Get("state"))

  106. 	assert.Greaterf(t, len(u.Query().Get("code")), 30, "authorization code '%s' should be longer then 30", u.Query().Get("code"))

  107. 	u.RawQuery = ""

  108. 	assert.Equal(t, "https://example.com/xyzzy", u.String())

  109. }

  110. 

  111. func TestAuthorizePKCERequiredForPublicClient(t *testing.T) {

  112. 	defer tests.PrepareTestEnv(t)()

  113. 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=ce5a1322-42a7-11ed-b878-0242ac120002&redirect_uri=http%3A%2F%2F127.0.0.1&response_type=code&state=thestate")

  114. 	ctx := loginUser(t, "user1")

  115. 	resp := ctx.MakeRequest(t, req, http.StatusSeeOther)

  116. 	u, err := resp.Result().Location()

  117. 	assert.NoError(t, err)

  118. 	assert.Equal(t, "invalid_request", u.Query().Get("error"))

  119. 	assert.Equal(t, "PKCE is required for public clients", u.Query().Get("error_description"))

  120. }

  121. 

  122. func TestAccessTokenExchange(t *testing.T) {

  123. 	defer tests.PrepareTestEnv(t)()

  124. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  125. 		"grant_type":    "authorization_code",

  126. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  127. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  128. 		"redirect_uri":  "a",

  129. 		"code":          "authcode",

  130. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  131. 	})

  132. 	resp := MakeRequest(t, req, http.StatusOK)

  133. 	type response struct {

  134. 		AccessToken  string `json:"access_token"`

  135. 		TokenType    string `json:"token_type"`

  136. 		ExpiresIn    int64  `json:"expires_in"`

  137. 		RefreshToken string `json:"refresh_token"`

  138. 	}

  139. 	parsed := new(response)

  140. 

  141. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))

  142. 	assert.Greater(t, len(parsed.AccessToken), 10)

  143. 	assert.Greater(t, len(parsed.RefreshToken), 10)

  144. }

  145. 

  146. func TestAccessTokenExchangeWithPublicClient(t *testing.T) {

  147. 	defer tests.PrepareTestEnv(t)()

  148. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  149. 		"grant_type":    "authorization_code",

  150. 		"client_id":     "ce5a1322-42a7-11ed-b878-0242ac120002",

  151. 		"redirect_uri":  "http://127.0.0.1",

  152. 		"code":          "authcodepublic",

  153. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  154. 	})

  155. 	resp := MakeRequest(t, req, http.StatusOK)

  156. 	type response struct {

  157. 		AccessToken  string `json:"access_token"`

  158. 		TokenType    string `json:"token_type"`

  159. 		ExpiresIn    int64  `json:"expires_in"`

  160. 		RefreshToken string `json:"refresh_token"`

  161. 	}

  162. 	parsed := new(response)

  163. 

  164. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))

  165. 	assert.Greater(t, len(parsed.AccessToken), 10)

  166. 	assert.Greater(t, len(parsed.RefreshToken), 10)

  167. }

  168. 

  169. func TestAccessTokenExchangeJSON(t *testing.T) {

  170. 	defer tests.PrepareTestEnv(t)()

  171. 	req := NewRequestWithJSON(t, "POST", "/login/oauth/access_token", map[string]string{

  172. 		"grant_type":    "authorization_code",

  173. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  174. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  175. 		"redirect_uri":  "a",

  176. 		"code":          "authcode",

  177. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  178. 	})

  179. 	resp := MakeRequest(t, req, http.StatusOK)

  180. 	type response struct {

  181. 		AccessToken  string `json:"access_token"`

  182. 		TokenType    string `json:"token_type"`

  183. 		ExpiresIn    int64  `json:"expires_in"`

  184. 		RefreshToken string `json:"refresh_token"`

  185. 	}

  186. 	parsed := new(response)

  187. 

  188. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))

  189. 	assert.Greater(t, len(parsed.AccessToken), 10)

  190. 	assert.Greater(t, len(parsed.RefreshToken), 10)

  191. }

  192. 

  193. func TestAccessTokenExchangeWithoutPKCE(t *testing.T) {

  194. 	defer tests.PrepareTestEnv(t)()

  195. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  196. 		"grant_type":    "authorization_code",

  197. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  198. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  199. 		"redirect_uri":  "a",

  200. 		"code":          "authcode",

  201. 	})

  202. 	resp := MakeRequest(t, req, http.StatusBadRequest)

  203. 	parsedError := new(oauth2_provider.AccessTokenError)

  204. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  205. 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))

  206. 	assert.Equal(t, "failed PKCE code challenge", parsedError.ErrorDescription)

  207. }

  208. 

  209. func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) {

  210. 	defer tests.PrepareTestEnv(t)()

  211. 	// invalid client id

  212. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  213. 		"grant_type":    "authorization_code",

  214. 		"client_id":     "???",

  215. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  216. 		"redirect_uri":  "a",

  217. 		"code":          "authcode",

  218. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  219. 	})

  220. 	resp := MakeRequest(t, req, http.StatusBadRequest)

  221. 	parsedError := new(oauth2_provider.AccessTokenError)

  222. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  223. 	assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))

  224. 	assert.Equal(t, "cannot load client with client id: '???'", parsedError.ErrorDescription)

  225. 

  226. 	// invalid client secret

  227. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  228. 		"grant_type":    "authorization_code",

  229. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  230. 		"client_secret": "???",

  231. 		"redirect_uri":  "a",

  232. 		"code":          "authcode",

  233. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  234. 	})

  235. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  236. 	parsedError = new(oauth2_provider.AccessTokenError)

  237. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  238. 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))

  239. 	assert.Equal(t, "invalid client secret", parsedError.ErrorDescription)

  240. 

  241. 	// invalid redirect uri

  242. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  243. 		"grant_type":    "authorization_code",

  244. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  245. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  246. 		"redirect_uri":  "???",

  247. 		"code":          "authcode",

  248. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  249. 	})

  250. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  251. 	parsedError = new(oauth2_provider.AccessTokenError)

  252. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  253. 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))

  254. 	assert.Equal(t, "unexpected redirect URI", parsedError.ErrorDescription)

  255. 

  256. 	// invalid authorization code

  257. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  258. 		"grant_type":    "authorization_code",

  259. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  260. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  261. 		"redirect_uri":  "a",

  262. 		"code":          "???",

  263. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  264. 	})

  265. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  266. 	parsedError = new(oauth2_provider.AccessTokenError)

  267. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  268. 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))

  269. 	assert.Equal(t, "client is not authorized", parsedError.ErrorDescription)

  270. 

  271. 	// invalid grant_type

  272. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  273. 		"grant_type":    "???",

  274. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  275. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  276. 		"redirect_uri":  "a",

  277. 		"code":          "authcode",

  278. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  279. 	})

  280. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  281. 	parsedError = new(oauth2_provider.AccessTokenError)

  282. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  283. 	assert.Equal(t, "unsupported_grant_type", string(parsedError.ErrorCode))

  284. 	assert.Equal(t, "Only refresh_token or authorization_code grant type is supported", parsedError.ErrorDescription)

  285. }

  286. 

  287. func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {

  288. 	defer tests.PrepareTestEnv(t)()

  289. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  290. 		"grant_type":    "authorization_code",

  291. 		"redirect_uri":  "a",

  292. 		"code":          "authcode",

  293. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  294. 	})

  295. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")

  296. 	resp := MakeRequest(t, req, http.StatusOK)

  297. 	type response struct {

  298. 		AccessToken  string `json:"access_token"`

  299. 		TokenType    string `json:"token_type"`

  300. 		ExpiresIn    int64  `json:"expires_in"`

  301. 		RefreshToken string `json:"refresh_token"`

  302. 	}

  303. 	parsed := new(response)

  304. 

  305. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))

  306. 	assert.Greater(t, len(parsed.AccessToken), 10)

  307. 	assert.Greater(t, len(parsed.RefreshToken), 10)

  308. 

  309. 	// use wrong client_secret

  310. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  311. 		"grant_type":    "authorization_code",

  312. 		"redirect_uri":  "a",

  313. 		"code":          "authcode",

  314. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  315. 	})

  316. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OmJsYWJsYQ==")

  317. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  318. 	parsedError := new(oauth2_provider.AccessTokenError)

  319. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  320. 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))

  321. 	assert.Equal(t, "invalid client secret", parsedError.ErrorDescription)

  322. 

  323. 	// missing header

  324. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  325. 		"grant_type":    "authorization_code",

  326. 		"redirect_uri":  "a",

  327. 		"code":          "authcode",

  328. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  329. 	})

  330. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  331. 	parsedError = new(oauth2_provider.AccessTokenError)

  332. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  333. 	assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))

  334. 	assert.Equal(t, "cannot load client with client id: ''", parsedError.ErrorDescription)

  335. 

  336. 	// client_id inconsistent with Authorization header

  337. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  338. 		"grant_type":   "authorization_code",

  339. 		"redirect_uri": "a",

  340. 		"code":         "authcode",

  341. 		"client_id":    "inconsistent",

  342. 	})

  343. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")

  344. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  345. 	parsedError = new(oauth2_provider.AccessTokenError)

  346. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  347. 	assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))

  348. 	assert.Equal(t, "client_id in request body inconsistent with Authorization header", parsedError.ErrorDescription)

  349. 

  350. 	// client_secret inconsistent with Authorization header

  351. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  352. 		"grant_type":    "authorization_code",

  353. 		"redirect_uri":  "a",

  354. 		"code":          "authcode",

  355. 		"client_secret": "inconsistent",

  356. 	})

  357. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")

  358. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  359. 	parsedError = new(oauth2_provider.AccessTokenError)

  360. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  361. 	assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))

  362. 	assert.Equal(t, "client_secret in request body inconsistent with Authorization header", parsedError.ErrorDescription)

  363. }

  364. 

  365. func TestRefreshTokenInvalidation(t *testing.T) {

  366. 	defer tests.PrepareTestEnv(t)()

  367. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  368. 		"grant_type":    "authorization_code",

  369. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  370. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  371. 		"redirect_uri":  "a",

  372. 		"code":          "authcode",

  373. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  374. 	})

  375. 	resp := MakeRequest(t, req, http.StatusOK)

  376. 	type response struct {

  377. 		AccessToken  string `json:"access_token"`

  378. 		TokenType    string `json:"token_type"`

  379. 		ExpiresIn    int64  `json:"expires_in"`

  380. 		RefreshToken string `json:"refresh_token"`

  381. 	}

  382. 	parsed := new(response)

  383. 

  384. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))

  385. 

  386. 	// test without invalidation

  387. 	setting.OAuth2.InvalidateRefreshTokens = false

  388. 

  389. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  390. 		"grant_type": "refresh_token",

  391. 		"client_id":  "da7da3ba-9a13-4167-856f-3899de0b0138",

  392. 		// omit secret

  393. 		"redirect_uri":  "a",

  394. 		"refresh_token": parsed.RefreshToken,

  395. 	})

  396. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  397. 	parsedError := new(oauth2_provider.AccessTokenError)

  398. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  399. 	assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))

  400. 	assert.Equal(t, "invalid empty client secret", parsedError.ErrorDescription)

  401. 

  402. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  403. 		"grant_type":    "refresh_token",

  404. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  405. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  406. 		"redirect_uri":  "a",

  407. 		"refresh_token": "UNEXPECTED",

  408. 	})

  409. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  410. 	parsedError = new(oauth2_provider.AccessTokenError)

  411. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  412. 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))

  413. 	assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription)

  414. 

  415. 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  416. 		"grant_type":    "refresh_token",

  417. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  418. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  419. 		"redirect_uri":  "a",

  420. 		"refresh_token": parsed.RefreshToken,

  421. 	})

  422. 

  423. 	bs, err := io.ReadAll(req.Body)

  424. 	assert.NoError(t, err)

  425. 

  426. 	req.Body = io.NopCloser(bytes.NewReader(bs))

  427. 	MakeRequest(t, req, http.StatusOK)

  428. 

  429. 	req.Body = io.NopCloser(bytes.NewReader(bs))

  430. 	MakeRequest(t, req, http.StatusOK)

  431. 

  432. 	// test with invalidation

  433. 	setting.OAuth2.InvalidateRefreshTokens = true

  434. 	req.Body = io.NopCloser(bytes.NewReader(bs))

  435. 	MakeRequest(t, req, http.StatusOK)

  436. 

  437. 	// repeat request should fail

  438. 	req.Body = io.NopCloser(bytes.NewReader(bs))

  439. 	resp = MakeRequest(t, req, http.StatusBadRequest)

  440. 	parsedError = new(oauth2_provider.AccessTokenError)

  441. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))

  442. 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))

  443. 	assert.Equal(t, "token was already used", parsedError.ErrorDescription)

  444. }

  445. 

  446. func TestOAuthIntrospection(t *testing.T) {

  447. 	defer tests.PrepareTestEnv(t)()

  448. 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  449. 		"grant_type":    "authorization_code",

  450. 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

  451. 		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",

  452. 		"redirect_uri":  "a",

  453. 		"code":          "authcode",

  454. 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",

  455. 	})

  456. 	resp := MakeRequest(t, req, http.StatusOK)

  457. 	type response struct {

  458. 		AccessToken  string `json:"access_token"`

  459. 		TokenType    string `json:"token_type"`

  460. 		ExpiresIn    int64  `json:"expires_in"`

  461. 		RefreshToken string `json:"refresh_token"`

  462. 	}

  463. 	parsed := new(response)

  464. 

  465. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))

  466. 	assert.Greater(t, len(parsed.AccessToken), 10)

  467. 	assert.Greater(t, len(parsed.RefreshToken), 10)

  468. 

  469. 	// successful request with a valid client_id/client_secret and a valid token

  470. 	req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{

  471. 		"token": parsed.AccessToken,

  472. 	})

  473. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")

  474. 	resp = MakeRequest(t, req, http.StatusOK)

  475. 	type introspectResponse struct {

  476. 		Active   bool   `json:"active"`

  477. 		Scope    string `json:"scope,omitempty"`

  478. 		Username string `json:"username"`

  479. 	}

  480. 	introspectParsed := new(introspectResponse)

  481. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), introspectParsed))

  482. 	assert.True(t, introspectParsed.Active)

  483. 	assert.Equal(t, "user1", introspectParsed.Username)

  484. 

  485. 	// successful request with a valid client_id/client_secret, but an invalid token

  486. 	req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{

  487. 		"token": "xyzzy",

  488. 	})

  489. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")

  490. 	resp = MakeRequest(t, req, http.StatusOK)

  491. 	introspectParsed = new(introspectResponse)

  492. 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), introspectParsed))

  493. 	assert.False(t, introspectParsed.Active)

  494. 

  495. 	// unsuccessful request with an invalid client_id/client_secret

  496. 	req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{

  497. 		"token": parsed.AccessToken,

  498. 	})

  499. 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpK")

  500. 	resp = MakeRequest(t, req, http.StatusUnauthorized)

  501. 	assert.Contains(t, resp.Body.String(), "no valid authorization")

  502. }

  503. 

  504. func TestOAuth_GrantScopesReadUserFailRepos(t *testing.T) {

  505. 	defer tests.PrepareTestEnv(t)()

  506. 

  507. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})

  508. 	appBody := api.CreateOAuth2ApplicationOptions{

  509. 		Name: "oauth-provider-scopes-test",

  510. 		RedirectURIs: []string{

  511. 			"a",

  512. 		},

  513. 		ConfidentialClient: true,

  514. 	}

  515. 

  516. 	req := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody).

  517. 		AddBasicAuth(user.Name)

  518. 	resp := MakeRequest(t, req, http.StatusCreated)

  519. 

  520. 	var app *api.OAuth2Application

  521. 	DecodeJSON(t, resp, &app)

  522. 

  523. 	grant := &auth_model.OAuth2Grant{

  524. 		ApplicationID: app.ID,

  525. 		UserID:        user.ID,

  526. 		Scope:         "openid read:user",

  527. 	}

  528. 

  529. 	err := db.Insert(t.Context(), grant)

  530. 	require.NoError(t, err)

  531. 

  532. 	assert.Contains(t, grant.Scope, "openid read:user")

  533. 

  534. 	ctx := loginUser(t, user.Name)

  535. 

  536. 	authorizeURL := fmt.Sprintf("/login/oauth/authorize?client_id=%s&redirect_uri=a&response_type=code&state=thestate", app.ClientID)

  537. 	authorizeReq := NewRequest(t, "GET", authorizeURL)

  538. 	authorizeResp := ctx.MakeRequest(t, authorizeReq, http.StatusSeeOther)

  539. 

  540. 	authcode := strings.Split(strings.Split(authorizeResp.Body.String(), "?code=")[1], "&amp")[0]

  541. 

  542. 	accessTokenReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  543. 		"grant_type":    "authorization_code",

  544. 		"client_id":     app.ClientID,

  545. 		"client_secret": app.ClientSecret,

  546. 		"redirect_uri":  "a",

  547. 		"code":          authcode,

  548. 	})

  549. 	accessTokenResp := ctx.MakeRequest(t, accessTokenReq, 200)

  550. 	type response struct {

  551. 		AccessToken  string `json:"access_token"`

  552. 		TokenType    string `json:"token_type"`

  553. 		ExpiresIn    int64  `json:"expires_in"`

  554. 		RefreshToken string `json:"refresh_token"`

  555. 	}

  556. 	parsed := new(response)

  557. 

  558. 	require.NoError(t, json.Unmarshal(accessTokenResp.Body.Bytes(), parsed))

  559. 	userReq := NewRequest(t, "GET", "/api/v1/user")

  560. 	userReq.SetHeader("Authorization", "Bearer "+parsed.AccessToken)

  561. 	userResp := MakeRequest(t, userReq, http.StatusOK)

  562. 

  563. 	type userResponse struct {

  564. 		Login string `json:"login"`

  565. 		Email string `json:"email"`

  566. 	}

  567. 

  568. 	userParsed := new(userResponse)

  569. 	require.NoError(t, json.Unmarshal(userResp.Body.Bytes(), userParsed))

  570. 	assert.Contains(t, userParsed.Email, "user2@example.com")

  571. 

  572. 	errorReq := NewRequest(t, "GET", "/api/v1/users/user2/repos")

  573. 	errorReq.SetHeader("Authorization", "Bearer "+parsed.AccessToken)

  574. 	errorResp := MakeRequest(t, errorReq, http.StatusForbidden)

  575. 

  576. 	type errorResponse struct {

  577. 		Message string `json:"message"`

  578. 	}

  579. 

  580. 	errorParsed := new(errorResponse)

  581. 	require.NoError(t, json.Unmarshal(errorResp.Body.Bytes(), errorParsed))

  582. 	assert.Contains(t, errorParsed.Message, "token does not have at least one of required scope(s), required=[read:repository]")

  583. }

  584. 

  585. func TestOAuth_GrantScopesReadRepositoryFailOrganization(t *testing.T) {

  586. 	defer tests.PrepareTestEnv(t)()

  587. 

  588. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})

  589. 	appBody := api.CreateOAuth2ApplicationOptions{

  590. 		Name: "oauth-provider-scopes-test",

  591. 		RedirectURIs: []string{

  592. 			"a",

  593. 		},

  594. 		ConfidentialClient: true,

  595. 	}

  596. 

  597. 	req := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody).

  598. 		AddBasicAuth(user.Name)

  599. 	resp := MakeRequest(t, req, http.StatusCreated)

  600. 

  601. 	var app *api.OAuth2Application

  602. 	DecodeJSON(t, resp, &app)

  603. 

  604. 	grant := &auth_model.OAuth2Grant{

  605. 		ApplicationID: app.ID,

  606. 		UserID:        user.ID,

  607. 		Scope:         "openid read:user read:repository",

  608. 	}

  609. 

  610. 	err := db.Insert(t.Context(), grant)

  611. 	require.NoError(t, err)

  612. 

  613. 	assert.Contains(t, grant.Scope, "openid read:user read:repository")

  614. 

  615. 	ctx := loginUser(t, user.Name)

  616. 

  617. 	authorizeURL := fmt.Sprintf("/login/oauth/authorize?client_id=%s&redirect_uri=a&response_type=code&state=thestate", app.ClientID)

  618. 	authorizeReq := NewRequest(t, "GET", authorizeURL)

  619. 	authorizeResp := ctx.MakeRequest(t, authorizeReq, http.StatusSeeOther)

  620. 

  621. 	authcode := strings.Split(strings.Split(authorizeResp.Body.String(), "?code=")[1], "&amp")[0]

  622. 	accessTokenReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  623. 		"grant_type":    "authorization_code",

  624. 		"client_id":     app.ClientID,

  625. 		"client_secret": app.ClientSecret,

  626. 		"redirect_uri":  "a",

  627. 		"code":          authcode,

  628. 	})

  629. 	accessTokenResp := ctx.MakeRequest(t, accessTokenReq, http.StatusOK)

  630. 	type response struct {

  631. 		AccessToken  string `json:"access_token"`

  632. 		TokenType    string `json:"token_type"`

  633. 		ExpiresIn    int64  `json:"expires_in"`

  634. 		RefreshToken string `json:"refresh_token"`

  635. 	}

  636. 	parsed := new(response)

  637. 

  638. 	require.NoError(t, json.Unmarshal(accessTokenResp.Body.Bytes(), parsed))

  639. 	userReq := NewRequest(t, "GET", "/api/v1/users/user2/repos")

  640. 	userReq.SetHeader("Authorization", "Bearer "+parsed.AccessToken)

  641. 	userResp := MakeRequest(t, userReq, http.StatusOK)

  642. 

  643. 	type repo struct {

  644. 		FullRepoName string `json:"full_name"`

  645. 		Private      bool   `json:"private"`

  646. 	}

  647. 

  648. 	var reposCaptured []repo

  649. 	require.NoError(t, json.Unmarshal(userResp.Body.Bytes(), &reposCaptured))

  650. 

  651. 	reposExpected := []repo{

  652. 		{

  653. 			FullRepoName: "user2/repo1",

  654. 			Private:      false,

  655. 		},

  656. 		{

  657. 			FullRepoName: "user2/repo2",

  658. 			Private:      true,

  659. 		},

  660. 		{

  661. 			FullRepoName: "user2/repo15",

  662. 			Private:      true,

  663. 		},

  664. 		{

  665. 			FullRepoName: "user2/repo16",

  666. 			Private:      true,

  667. 		},

  668. 		{

  669. 			FullRepoName: "user2/repo20",

  670. 			Private:      true,

  671. 		},

  672. 		{

  673. 			FullRepoName: "user2/utf8",

  674. 			Private:      false,

  675. 		},

  676. 		{

  677. 			FullRepoName: "user2/commits_search_test",

  678. 			Private:      false,

  679. 		},

  680. 		{

  681. 			FullRepoName: "user2/git_hooks_test",

  682. 			Private:      false,

  683. 		},

  684. 		{

  685. 			FullRepoName: "user2/glob",

  686. 			Private:      false,

  687. 		},

  688. 		{

  689. 			FullRepoName: "user2/lfs",

  690. 			Private:      true,

  691. 		},

  692. 		{

  693. 			FullRepoName: "user2/scoped_label",

  694. 			Private:      true,

  695. 		},

  696. 		{

  697. 			FullRepoName: "user2/readme-test",

  698. 			Private:      true,

  699. 		},

  700. 		{

  701. 			FullRepoName: "user2/repo-release",

  702. 			Private:      false,

  703. 		},

  704. 		{

  705. 			FullRepoName: "user2/commitsonpr",

  706. 			Private:      false,

  707. 		},

  708. 	}

  709. 	assert.Equal(t, reposExpected, reposCaptured)

  710. 

  711. 	errorReq := NewRequest(t, "GET", "/api/v1/users/user2/orgs")

  712. 	errorReq.SetHeader("Authorization", "Bearer "+parsed.AccessToken)

  713. 	errorResp := MakeRequest(t, errorReq, http.StatusForbidden)

  714. 

  715. 	type errorResponse struct {

  716. 		Message string `json:"message"`

  717. 	}

  718. 

  719. 	errorParsed := new(errorResponse)

  720. 	require.NoError(t, json.Unmarshal(errorResp.Body.Bytes(), errorParsed))

  721. 	assert.Contains(t, errorParsed.Message, "token does not have at least one of required scope(s), required=[read:user read:organization]")

  722. }

  723. 

  724. func TestOAuth_GrantScopesClaimPublicOnlyGroups(t *testing.T) {

  725. 	defer tests.PrepareTestEnv(t)()

  726. 

  727. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})

  728. 

  729. 	appBody := api.CreateOAuth2ApplicationOptions{

  730. 		Name: "oauth-provider-scopes-test",

  731. 		RedirectURIs: []string{

  732. 			"a",

  733. 		},

  734. 		ConfidentialClient: true,

  735. 	}

  736. 

  737. 	appReq := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody).

  738. 		AddBasicAuth(user.Name)

  739. 	appResp := MakeRequest(t, appReq, http.StatusCreated)

  740. 

  741. 	var app *api.OAuth2Application

  742. 	DecodeJSON(t, appResp, &app)

  743. 

  744. 	grant := &auth_model.OAuth2Grant{

  745. 		ApplicationID: app.ID,

  746. 		UserID:        user.ID,

  747. 		Scope:         "openid groups read:user public-only",

  748. 	}

  749. 

  750. 	err := db.Insert(t.Context(), grant)

  751. 	require.NoError(t, err)

  752. 

  753. 	assert.ElementsMatch(t, []string{"openid", "groups", "read:user", "public-only"}, strings.Split(grant.Scope, " "))

  754. 

  755. 	ctx := loginUser(t, user.Name)

  756. 

  757. 	authorizeURL := fmt.Sprintf("/login/oauth/authorize?client_id=%s&redirect_uri=a&response_type=code&state=thestate", app.ClientID)

  758. 	authorizeReq := NewRequest(t, "GET", authorizeURL)

  759. 	authorizeResp := ctx.MakeRequest(t, authorizeReq, http.StatusSeeOther)

  760. 

  761. 	authcode := strings.Split(strings.Split(authorizeResp.Body.String(), "?code=")[1], "&amp")[0]

  762. 

  763. 	accessTokenReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  764. 		"grant_type":    "authorization_code",

  765. 		"client_id":     app.ClientID,

  766. 		"client_secret": app.ClientSecret,

  767. 		"redirect_uri":  "a",

  768. 		"code":          authcode,

  769. 	})

  770. 	accessTokenResp := ctx.MakeRequest(t, accessTokenReq, http.StatusOK)

  771. 	type response struct {

  772. 		AccessToken  string `json:"access_token"`

  773. 		TokenType    string `json:"token_type"`

  774. 		ExpiresIn    int64  `json:"expires_in"`

  775. 		RefreshToken string `json:"refresh_token"`

  776. 		IDToken      string `json:"id_token,omitempty"`

  777. 	}

  778. 	parsed := new(response)

  779. 	require.NoError(t, json.Unmarshal(accessTokenResp.Body.Bytes(), parsed))

  780. 	parts := strings.Split(parsed.IDToken, ".")

  781. 

  782. 	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])

  783. 	type IDTokenClaims struct {

  784. 		Groups []string `json:"groups"`

  785. 	}

  786. 

  787. 	claims := new(IDTokenClaims)

  788. 	require.NoError(t, json.Unmarshal(payload, claims))

  789. 

  790. 	userinfoReq := NewRequest(t, "GET", "/login/oauth/userinfo")

  791. 	userinfoReq.SetHeader("Authorization", "Bearer "+parsed.AccessToken)

  792. 	userinfoResp := MakeRequest(t, userinfoReq, http.StatusOK)

  793. 

  794. 	type userinfoResponse struct {

  795. 		Login  string   `json:"login"`

  796. 		Email  string   `json:"email"`

  797. 		Groups []string `json:"groups"`

  798. 	}

  799. 

  800. 	userinfoParsed := new(userinfoResponse)

  801. 	require.NoError(t, json.Unmarshal(userinfoResp.Body.Bytes(), userinfoParsed))

  802. 	assert.Contains(t, userinfoParsed.Email, "user2@example.com")

  803. 

  804. 	// test both id_token and call to /login/oauth/userinfo

  805. 	for _, publicGroup := range []string{

  806. 		"org17",

  807. 		"org17:test_team",

  808. 		"org3",

  809. 		"org3:owners",

  810. 		"org3:team1",

  811. 		"org3:teamcreaterepo",

  812. 	} {

  813. 		assert.Contains(t, claims.Groups, publicGroup)

  814. 		assert.Contains(t, userinfoParsed.Groups, publicGroup)

  815. 	}

  816. 	for _, privateGroup := range []string{

  817. 		"private_org35",

  818. 		"private_org35_team24",

  819. 	} {

  820. 		assert.NotContains(t, claims.Groups, privateGroup)

  821. 		assert.NotContains(t, userinfoParsed.Groups, privateGroup)

  822. 	}

  823. }

  824. 

  825. func TestOAuth_GrantScopesClaimAllGroups(t *testing.T) {

  826. 	defer tests.PrepareTestEnv(t)()

  827. 

  828. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})

  829. 

  830. 	appBody := api.CreateOAuth2ApplicationOptions{

  831. 		Name: "oauth-provider-scopes-test",

  832. 		RedirectURIs: []string{

  833. 			"a",

  834. 		},

  835. 		ConfidentialClient: true,

  836. 	}

  837. 

  838. 	appReq := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody).

  839. 		AddBasicAuth(user.Name)

  840. 	appResp := MakeRequest(t, appReq, http.StatusCreated)

  841. 

  842. 	var app *api.OAuth2Application

  843. 	DecodeJSON(t, appResp, &app)

  844. 

  845. 	grant := &auth_model.OAuth2Grant{

  846. 		ApplicationID: app.ID,

  847. 		UserID:        user.ID,

  848. 		Scope:         "openid groups",

  849. 	}

  850. 

  851. 	err := db.Insert(t.Context(), grant)

  852. 	require.NoError(t, err)

  853. 

  854. 	assert.ElementsMatch(t, []string{"openid", "groups"}, strings.Split(grant.Scope, " "))

  855. 

  856. 	ctx := loginUser(t, user.Name)

  857. 

  858. 	authorizeURL := fmt.Sprintf("/login/oauth/authorize?client_id=%s&redirect_uri=a&response_type=code&state=thestate", app.ClientID)

  859. 	authorizeReq := NewRequest(t, "GET", authorizeURL)

  860. 	authorizeResp := ctx.MakeRequest(t, authorizeReq, http.StatusSeeOther)

  861. 

  862. 	authcode := strings.Split(strings.Split(authorizeResp.Body.String(), "?code=")[1], "&amp")[0]

  863. 

  864. 	accessTokenReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{

  865. 		"grant_type":    "authorization_code",

  866. 		"client_id":     app.ClientID,

  867. 		"client_secret": app.ClientSecret,

  868. 		"redirect_uri":  "a",

  869. 		"code":          authcode,

  870. 	})

  871. 	accessTokenResp := ctx.MakeRequest(t, accessTokenReq, http.StatusOK)

  872. 	type response struct {

  873. 		AccessToken  string `json:"access_token"`

  874. 		TokenType    string `json:"token_type"`

  875. 		ExpiresIn    int64  `json:"expires_in"`

  876. 		RefreshToken string `json:"refresh_token"`

  877. 		IDToken      string `json:"id_token,omitempty"`

  878. 	}

  879. 	parsed := new(response)

  880. 	require.NoError(t, json.Unmarshal(accessTokenResp.Body.Bytes(), parsed))

  881. 	parts := strings.Split(parsed.IDToken, ".")

  882. 

  883. 	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])

  884. 	type IDTokenClaims struct {

  885. 		Groups []string `json:"groups"`

  886. 	}

  887. 

  888. 	claims := new(IDTokenClaims)

  889. 	require.NoError(t, json.Unmarshal(payload, claims))

  890. 

  891. 	userinfoReq := NewRequest(t, "GET", "/login/oauth/userinfo")

  892. 	userinfoReq.SetHeader("Authorization", "Bearer "+parsed.AccessToken)

  893. 	userinfoResp := MakeRequest(t, userinfoReq, http.StatusOK)

  894. 

  895. 	type userinfoResponse struct {

  896. 		Login  string   `json:"login"`

  897. 		Email  string   `json:"email"`

  898. 		Groups []string `json:"groups"`

  899. 	}

  900. 

  901. 	userinfoParsed := new(userinfoResponse)

  902. 	require.NoError(t, json.Unmarshal(userinfoResp.Body.Bytes(), userinfoParsed))

  903. 	assert.Contains(t, userinfoParsed.Email, "user2@example.com")

  904. 

  905. 	// test both id_token and call to /login/oauth/userinfo

  906. 	for _, group := range []string{

  907. 		"org17",

  908. 		"org17:test_team",

  909. 		"org3",

  910. 		"org3:owners",

  911. 		"org3:team1",

  912. 		"org3:teamcreaterepo",

  913. 		"private_org35",

  914. 		"private_org35:team24",

  915. 	} {

  916. 		assert.Contains(t, claims.Groups, group)

  917. 		assert.Contains(t, userinfoParsed.Groups, group)

  918. 	}

  919. }

  920. 

  921. func testOAuth2WellKnown(t *testing.T) {

  922. 	urlOpenidConfiguration := "/.well-known/openid-configuration"

  923. 

  924. 	defer test.MockVariableValue(&setting.AppURL, "https://try.gitea.io/")()

  925. 	req := NewRequest(t, "GET", urlOpenidConfiguration)

  926. 	resp := MakeRequest(t, req, http.StatusOK)

  927. 	var respMap map[string]any

  928. 	DecodeJSON(t, resp, &respMap)

  929. 	assert.Equal(t, "https://try.gitea.io", respMap["issuer"])

  930. 	assert.Equal(t, "https://try.gitea.io/login/oauth/authorize", respMap["authorization_endpoint"])

  931. 	assert.Equal(t, "https://try.gitea.io/login/oauth/access_token", respMap["token_endpoint"])

  932. 	assert.Equal(t, "https://try.gitea.io/login/oauth/keys", respMap["jwks_uri"])

  933. 	assert.Equal(t, "https://try.gitea.io/login/oauth/userinfo", respMap["userinfo_endpoint"])

  934. 	assert.Equal(t, "https://try.gitea.io/login/oauth/introspect", respMap["introspection_endpoint"])

  935. 	assert.Equal(t, []any{"RS256"}, respMap["id_token_signing_alg_values_supported"])

  936. 

  937. 	defer test.MockVariableValue(&setting.OAuth2.Enabled, false)()

  938. 	MakeRequest(t, NewRequest(t, "GET", urlOpenidConfiguration), http.StatusNotFound)

  939. }

  940. 

  941. func addOAuth2Source(t *testing.T, authName string, cfg oauth2.Source) {

  942. 	cfg.Provider = util.IfZero(cfg.Provider, "gitea")

  943. 	err := auth_model.CreateSource(t.Context(), &auth_model.Source{

  944. 		Type:     auth_model.OAuth2,

  945. 		Name:     authName,

  946. 		IsActive: true,

  947. 		Cfg:      &cfg,

  948. 	})

  949. 	require.NoError(t, err)

  950. }

  951. 

  952. func TestSignInOauthCallbackSyncSSHKeys(t *testing.T) {

  953. 	defer tests.PrepareTestEnv(t)()

  954. 

  955. 	var mockServer *httptest.Server

  956. 	mockServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  957. 		switch r.URL.Path {

  958. 		case "/.well-known/openid-configuration":

  959. 			_, _ = w.Write([]byte(`{

  960. 				"issuer": "` + mockServer.URL + `",

  961. 				"authorization_endpoint": "` + mockServer.URL + `/authorize",

  962. 				"token_endpoint": "` + mockServer.URL + `/token",

  963. 				"userinfo_endpoint": "` + mockServer.URL + `/userinfo"

  964. 			}`))

  965. 		default:

  966. 			http.NotFound(w, r)

  967. 		}

  968. 	}))

  969. 	defer mockServer.Close()

  970. 

  971. 	ctx := t.Context()

  972. 	oauth2Source := oauth2.Source{

  973. 		Provider:                      "openidConnect",

  974. 		ClientID:                      "test-client-id",

  975. 		SSHPublicKeyClaimName:         "sshpubkey",

  976. 		FullNameClaimName:             "name",

  977. 		OpenIDConnectAutoDiscoveryURL: mockServer.URL + "/.well-known/openid-configuration",

  978. 	}

  979. 	addOAuth2Source(t, "test-oidc-source", oauth2Source)

  980. 	authSource, err := auth_model.GetActiveOAuth2SourceByAuthName(ctx, "test-oidc-source")

  981. 	require.NoError(t, err)

  982. 

  983. 	sshKey1 := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf"

  984. 	sshKey2 := "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE7kM1R02+4ertDKGKEDcKG0s+2vyDDcIvceJ0Gqv5f1AAAABHNzaDo="

  985. 	sshKey3 := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHjnNEfE88W1pvBLdV3otv28x760gdmPao3lVD5uAt9"

  986. 	cases := []struct {

  987. 		testName           string

  988. 		mockFullName       string

  989. 		mockRawData        map[string]any

  990. 		expectedSSHPubKeys []string

  991. 	}{

  992. 		{

  993. 			testName:           "Login1",

  994. 			mockFullName:       "FullName1",

  995. 			mockRawData:        map[string]any{"sshpubkey": []any{sshKey1 + " any-comment"}},

  996. 			expectedSSHPubKeys: []string{sshKey1},

  997. 		},

  998. 		{

  999. 			testName:           "Login2",

  1000. 			mockFullName:       "FullName2",

  1001. 			mockRawData:        map[string]any{"sshpubkey": []any{sshKey2 + " any-comment", sshKey3}},

  1002. 			expectedSSHPubKeys: []string{sshKey2, sshKey3},

  1003. 		},

  1004. 		{

  1005. 			testName:           "Login3",

  1006. 			mockFullName:       "FullName3",

  1007. 			mockRawData:        map[string]any{},

  1008. 			expectedSSHPubKeys: []string{},

  1009. 		},

  1010. 	}

  1011. 

  1012. 	session := emptyTestSession(t)

  1013. 	for _, c := range cases {

  1014. 		t.Run(c.testName, func(t *testing.T) {

  1015. 			defer test.MockVariableValue(&setting.OAuth2Client.Username, "")()

  1016. 			defer test.MockVariableValue(&setting.OAuth2Client.EnableAutoRegistration, true)()

  1017. 			defer test.MockVariableValue(&gothic.CompleteUserAuth, func(res http.ResponseWriter, req *http.Request) (goth.User, error) {

  1018. 				return goth.User{

  1019. 					Provider: authSource.Cfg.(*oauth2.Source).Provider,

  1020. 					UserID:   "oidc-userid",

  1021. 					Email:    "oidc-email@example.com",

  1022. 					RawData:  c.mockRawData,

  1023. 					Name:     c.mockFullName,

  1024. 				}, nil

  1025. 			})()

  1026. 			req := NewRequest(t, "GET", "/user/oauth2/test-oidc-source/callback?code=XYZ&state=XYZ")

  1027. 			session.MakeRequest(t, req, http.StatusSeeOther)

  1028. 			user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "oidc-userid"})

  1029. 			keys, _, err := db.FindAndCount[asymkey_model.PublicKey](ctx, asymkey_model.FindPublicKeyOptions{

  1030. 				ListOptions:   db.ListOptionsAll,

  1031. 				OwnerID:       user.ID,

  1032. 				LoginSourceID: authSource.ID,

  1033. 			})

  1034. 			require.NoError(t, err)

  1035. 			var sshPubKeys []string

  1036. 			for _, key := range keys {

  1037. 				sshPubKeys = append(sshPubKeys, key.Content)

  1038. 			}

  1039. 			assert.ElementsMatch(t, c.expectedSSHPubKeys, sshPubKeys)

  1040. 			assert.Equal(t, c.mockFullName, user.FullName)

  1041. 		})

  1042. 	}

  1043. }