MirrorHub/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2024-11-01 03:39:28 +01:00
Code Issues Releases Wiki Activity
gitea/tests/integration/api_oauth2_apps_test.go

175 lines
5.7 KiB
Go
Raw Normal View History

adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.package models
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
package integration
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
import (
"fmt"
"net/http"
"testing"
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
"code.gitea.io/gitea/models/auth"
Decouple unit test, remove intermediate `unittestbridge` package (#17662) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-11-16 09:53:21 +01:00
"code.gitea.io/gitea/models/unittest"
Move user related model into models/user (#17781) * Move user related model into models/user * Fix lint for windows * Fix windows lint * Fix windows lint * Move some tests in models * Merge
2021-11-24 10:49:20 +01:00
user_model "code.gitea.io/gitea/models/user"
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
api "code.gitea.io/gitea/modules/structs"
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
"code.gitea.io/gitea/tests"
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
"github.com/stretchr/testify/assert"
)
func TestOAuth2Application(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
testAPICreateOAuth2Application(t)
testAPIListOAuth2Applications(t)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
testAPIGetOAuth2Application(t)
testAPIUpdateOAuth2Application(t)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
testAPIDeleteOAuth2Application(t)
}
func testAPICreateOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
appBody := api.CreateOAuth2ApplicationOptions{
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
ConfidentialClient: true,
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
}
req := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody)
req = AddBasicAuthHeader(req, user.Name)
resp := MakeRequest(t, req, http.StatusCreated)
var createdApp *api.OAuth2Application
DecodeJSON(t, resp, &createdApp)
assert.EqualValues(t, appBody.Name, createdApp.Name)
Use `CryptoRandomBytes` instead of `CryptoRandomString` (#18439) - Switch to use `CryptoRandomBytes` instead of `CryptoRandomString`, OAuth's secrets are copied pasted and don't need to avoid dubious characters etc. - `CryptoRandomBytes` gives ![2^256 = 1.15 * 10^77](https://render.githubusercontent.com/render/math?math=2^256%20=%201.15%20\cdot%2010^77) `CryptoRandomString` gives ![62^44 = 7.33 * 10^78](https://render.githubusercontent.com/render/math?math=62^44%20=%207.33%20\cdot%2010^78) possible states. - Add a prefix, such that code scanners can easily grep these in source code. - 32 Bytes + prefix
2022-02-04 18:03:15 +01:00
assert.Len(t, createdApp.ClientSecret, 56)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
assert.Len(t, createdApp.ClientID, 36)
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
assert.True(t, createdApp.ConfidentialClient)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
assert.NotEmpty(t, createdApp.Created)
assert.EqualValues(t, appBody.RedirectURIs[0], createdApp.RedirectURIs[0])
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{UID: user.ID, Name: createdApp.Name})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
}
func testAPIListOAuth2Applications(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
ConfidentialClient: true,
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2?token=%s", token)
req := NewRequest(t, "GET", urlStr)
resp := session.MakeRequest(t, req, http.StatusOK)
var appList api.OAuth2ApplicationList
DecodeJSON(t, resp, &appList)
expectedApp := appList[0]
assert.EqualValues(t, existApp.Name, expectedApp.Name)
assert.EqualValues(t, existApp.ClientID, expectedApp.ClientID)
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
assert.Equal(t, existApp.ConfidentialClient, expectedApp.ConfidentialClient)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
assert.Len(t, expectedApp.ClientID, 36)
assert.Empty(t, expectedApp.ClientSecret)
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0])
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
}
func testAPIDeleteOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
oldApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
UID: user.ID,
Name: "test-app-1",
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", oldApp.ID, token)
req := NewRequest(t, "DELETE", urlStr)
session.MakeRequest(t, req, http.StatusNoContent)
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
unittest.AssertNotExistsBean(t, &auth.OAuth2Application{UID: oldApp.UID, Name: oldApp.Name})
Fix delete nonexist oauth application 500 and prevent deadlock (#15384) * Fix delete nonexist oauth application 500 * Fix test * Close the session Signed-off-by: Andrew Thornton <art27@cantab.net> * Update integrations/api_oauth2_apps_test.go * Fix more missed sess.Close * Remove unnecessary blank line Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
2021-04-10 22:49:10 +02:00
// Delete again will return not found
req = NewRequest(t, "DELETE", urlStr)
session.MakeRequest(t, req, http.StatusNotFound)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
2020-02-29 07:19:32 +01:00
}
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
func testAPIGetOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
ConfidentialClient: true,
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", existApp.ID, token)
req := NewRequest(t, "GET", urlStr)
resp := session.MakeRequest(t, req, http.StatusOK)
var app api.OAuth2Application
DecodeJSON(t, resp, &app)
expectedApp := app
assert.EqualValues(t, existApp.Name, expectedApp.Name)
assert.EqualValues(t, existApp.ClientID, expectedApp.ClientID)
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
assert.Equal(t, existApp.ConfidentialClient, expectedApp.ConfidentialClient)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
assert.Len(t, expectedApp.ClientID, 36)
assert.Empty(t, expectedApp.ClientSecret)
Fixed assert statements. (#16089)
2021-06-07 07:27:09 +02:00
assert.Len(t, expectedApp.RedirectURIs, 1)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0])
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
}
func testAPIUpdateOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
appBody := api.CreateOAuth2ApplicationOptions{
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com/",
"http://www.github.com/",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
ConfidentialClient: true,
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
}
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d", existApp.ID)
req := NewRequestWithJSON(t, "PATCH", urlStr, &appBody)
req = AddBasicAuthHeader(req, user.Name)
resp := MakeRequest(t, req, http.StatusOK)
var app api.OAuth2Application
DecodeJSON(t, resp, &app)
expectedApp := app
Fixed assert statements. (#16089)
2021-06-07 07:27:09 +02:00
assert.Len(t, expectedApp.RedirectURIs, 2)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
assert.EqualValues(t, expectedApp.RedirectURIs[0], appBody.RedirectURIs[0])
assert.EqualValues(t, expectedApp.RedirectURIs[1], appBody.RedirectURIs[1])
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 09:59:24 +02:00
assert.Equal(t, expectedApp.ConfidentialClient, appBody.ConfidentialClient)
Refactor auth package (#17962)
2022-01-02 14:12:35 +01:00
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-04-10 02:37:31 +02:00
}
Reference in a new issue Copy permalink