handlers: add a test for OIDC discovery

2025-07-29 22:01:14 +03:00 · 2023-02-22 14:59:15 +01:00
parent 1e9ce8d6d6
commit 03583d2936
4 changed files with 75 additions and 14 deletions
--- a/crates/handlers/src/oauth2/discovery.rs
+++ b/crates/handlers/src/oauth2/discovery.rs
@ -153,3 +153,27 @@ pub(crate) async fn get(

    Json(metadata)
 }
+
+#[cfg(test)]
+mod tests {
+    use hyper::{Request, StatusCode};
+    use oauth2_types::oidc::ProviderMetadata;
+    use sqlx::PgPool;
+
+    use crate::test_utils::{init_tracing, RequestBuilderExt, ResponseExt, TestState};
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_valid_discovery_metadata(pool: PgPool) {
+        init_tracing();
+        let state = TestState::from_pool(pool).await.unwrap();
+
+        let request = Request::get("/.well-known/openid-configuration").empty();
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::OK);
+
+        let metadata: ProviderMetadata = response.json();
+        metadata
+            .validate(state.url_builder.oidc_issuer().as_str())
+            .expect("Invalid metadata");
+    }
+}
--- a/crates/handlers/src/oauth2/registration.rs
+++ b/crates/handlers/src/oauth2/registration.rs
@ -234,7 +234,7 @@ mod tests {

        let response = state.request(request).await;
        response.assert_status(StatusCode::BAD_REQUEST);
-        let response: ClientError = serde_json::from_str(response.body()).unwrap();
+        let response: ClientError = response.json();
        assert_eq!(response.error, ClientErrorCode::InvalidRequest);

        // Invalid client metadata
@ -245,7 +245,7 @@ mod tests {

        let response = state.request(request).await;
        response.assert_status(StatusCode::BAD_REQUEST);
-        let response: ClientError = serde_json::from_str(response.body()).unwrap();
+        let response: ClientError = response.json();
        assert_eq!(response.error, ClientErrorCode::InvalidClientMetadata);

        // Invalid redirect URI
@ -259,7 +259,7 @@ mod tests {

        let response = state.request(request).await;
        response.assert_status(StatusCode::BAD_REQUEST);
-        let response: ClientError = serde_json::from_str(response.body()).unwrap();
+        let response: ClientError = response.json();
        assert_eq!(response.error, ClientErrorCode::InvalidRedirectUri);

        // Incoherent response types
@ -274,7 +274,7 @@ mod tests {

        let response = state.request(request).await;
        response.assert_status(StatusCode::BAD_REQUEST);
-        let response: ClientError = serde_json::from_str(response.body()).unwrap();
+        let response: ClientError = response.json();
        assert_eq!(response.error, ClientErrorCode::InvalidClientMetadata);
    }

@ -297,7 +297,7 @@ mod tests {

        let response = state.request(request).await;
        response.assert_status(StatusCode::CREATED);
-        let response: ClientRegistrationResponse = serde_json::from_str(response.body()).unwrap();
+        let response: ClientRegistrationResponse = response.json();
        assert!(response.client_secret.is_none());

        // A successful registration with client_secret based authentication should
@ -314,7 +314,7 @@ mod tests {

        let response = state.request(request).await;
        response.assert_status(StatusCode::CREATED);
-        let response: ClientRegistrationResponse = serde_json::from_str(response.body()).unwrap();
+        let response: ClientRegistrationResponse = response.json();
        assert!(response.client_secret.is_some());
    }
 }
--- a/crates/handlers/src/oauth2/revoke.rs
+++ b/crates/handlers/src/oauth2/revoke.rs
@ -233,8 +233,7 @@ mod tests {
        let response = state.request(request).await;
        response.assert_status(StatusCode::CREATED);

-        let client_registration: ClientRegistrationResponse =
-            serde_json::from_str(response.body()).unwrap();
+        let client_registration: ClientRegistrationResponse = response.json();

        let client_id = client_registration.client_id;
        let client_secret = client_registration.client_secret.unwrap();
@ -313,7 +312,7 @@ mod tests {
        let response = state.request(request).await;
        response.assert_status(StatusCode::OK);

-        let token: AccessTokenResponse = serde_json::from_str(response.body()).unwrap();
+        let token: AccessTokenResponse = response.json();

        // Check that the token is valid
        assert!(state.is_access_token_valid(&token.access_token).await);
@ -395,7 +394,7 @@ mod tests {
        let response = state.request(request).await;
        response.assert_status(StatusCode::OK);

-        let token: AccessTokenResponse = serde_json::from_str(response.body()).unwrap();
+        let token: AccessTokenResponse = response.json();

        // Use the refresh token to get a new access token.
        let request =
@ -410,7 +409,7 @@ mod tests {
        response.assert_status(StatusCode::OK);

        let old_token = token;
-        let token: AccessTokenResponse = serde_json::from_str(response.body()).unwrap();
+        let token: AccessTokenResponse = response.json();
        assert!(state.is_access_token_valid(&token.access_token).await);
        assert!(!state.is_access_token_valid(&old_token.access_token).await);

--- a/crates/handlers/src/test_utils.rs
+++ b/crates/handlers/src/test_utils.rs
@ -19,8 +19,8 @@ use axum::{
    body::HttpBody,
    extract::{FromRef, FromRequestParts},
 };
-use headers::{Authorization, ContentType, HeaderMapExt};
-use hyper::{Request, Response, StatusCode};
+use headers::{Authorization, ContentType, HeaderMapExt, HeaderName, HeaderValue};
+use hyper::{header::CONTENT_TYPE, Request, Response, StatusCode};
 use mas_axum_utils::http_client_factory::HttpClientFactory;
 use mas_email::{MailTransport, Mailer};
 use mas_keystore::{Encrypter, JsonWebKey, JsonWebKeySet, Keystore, PrivateKey};
@ -31,7 +31,7 @@ use mas_storage_pg::PgRepository;
 use mas_templates::Templates;
 use rand::SeedableRng;
 use rand_chacha::ChaChaRng;
-use serde::Serialize;
+use serde::{de::DeserializeOwned, Serialize};
 use sqlx::PgPool;
 use tokio::sync::Mutex;
 use tower::{Service, ServiceExt};
@ -366,6 +366,22 @@ pub(crate) trait ResponseExt {
    ///
    /// Panics if the response has a different status code.
    fn assert_status(&self, status: StatusCode);
+
+    /// Asserts that the response has the given header value.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the response does not have the given header or if the header
+    /// value does not match.
+    fn assert_header_value(&self, header: HeaderName, value: &str);
+
+    /// Get the response body as JSON.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the response is missing the `Content-Type: application/json`,
+    /// or if the body is not valid JSON.
+    fn json<T: DeserializeOwned>(&self) -> T;
 }

 impl ResponseExt for Response<String> {
@ -380,4 +396,26 @@ impl ResponseExt for Response<String> {
            self.body()
        );
    }
+
+    #[track_caller]
+    fn assert_header_value(&self, header: HeaderName, value: &str) {
+        let actual_value = self
+            .headers()
+            .get(&header)
+            .unwrap_or_else(|| panic!("Missing header {header}"));
+
+        assert_eq!(
+            actual_value,
+            value,
+            "Header mismatch: got {:?}, expected {:?}",
+            self.headers().get(header),
+            value
+        );
+    }
+
+    #[track_caller]
+    fn json<T: DeserializeOwned>(&self) -> T {
+        self.assert_header_value(CONTENT_TYPE, "application/json");
+        serde_json::from_str(self.body()).expect("JSON deserialization failed")
+    }
 }