BookStack Code Mirror - bookstack/blobdiff

index d10582d8c7da8951fb5b3683fbcf2376bf56d4c7..345d1dc780b8a1e218b8c57a83340bc97cb7b9ca 100644 (file)

--- a/tests/Auth/OidcTest.php

+++ b/tests/Auth/OidcTest.php

@@ -44,7 +44,7 @@ class OidcTest extends TestCase

'oidc.groups_claim' => 'group',

'oidc.remove_from_groups' => false,

'oidc.external_id_claim' => 'sub',

- 'oidc.end_session_endpoint' => null,

+ 'oidc.end_session_endpoint' => false,

]);

}

@@ -486,8 +486,9 @@ class OidcTest extends TestCase

$resp = $this->get('/');

$this->withHtml($resp)->assertElementExists('header form[action$="/oidc/logout"] button');

}

- public function test_logout_with_autodiscovery()

+ public function test_logout_with_autodiscovery_with_oidc_logout_enabled()

{

+ config()->set(['oidc.end_session_endpoint' => true]);

$this->withAutodiscovery();

$transactions = $this->mockHttpClient([

@@ -499,9 +500,10 @@ class OidcTest extends TestCase

$resp->assertRedirect('https://auth.example.com/oidc/logout?post_logout_redirect_uri=' . urlencode(url('/')));

$this->assertEquals(2, $transactions->requestCount());

+ $this->assertFalse(auth()->check());

}

- public function test_logout_with_autodiscovery_but_oidc_logout_disabled()

+ public function test_logout_with_autodiscovery_with_oidc_logout_disabled()

{

$this->withAutodiscovery();

config()->set(['oidc.end_session_endpoint' => false]);

@@ -513,6 +515,7 @@ class OidcTest extends TestCase

$resp = $this->asEditor()->post('/oidc/logout');

$resp->assertRedirect('/');

+ $this->assertFalse(auth()->check());

}

public function test_logout_without_autodiscovery_but_with_endpoint_configured()

@@ -521,6 +524,16 @@ class OidcTest extends TestCase

$resp = $this->asEditor()->post('/oidc/logout');

$resp->assertRedirect('https://example.com/logout?post_logout_redirect_uri=' . urlencode(url('/')));

+ $this->assertFalse(auth()->check());

+ }

+ public function test_logout_without_autodiscovery_with_configured_endpoint_adds_to_query_if_existing()

+ {

+ config()->set(['oidc.end_session_endpoint' => 'https://example.com/logout?a=b']);

+ $resp = $this->asEditor()->post('/oidc/logout');

+ $resp->assertRedirect('https://example.com/logout?a=b&post_logout_redirect_uri=' . urlencode(url('/')));

+ $this->assertFalse(auth()->check());

}

public function test_logout_with_autodiscovery_and_auto_initiate_returns_to_auto_prevented_login()

@@ -530,6 +543,7 @@ class OidcTest extends TestCase

'auth.auto_initiate' => true,

'services.google.client_id' => false,

'services.github.client_id' => false,

+ 'oidc.end_session_endpoint' => true,

]);

$this->mockHttpClient([

@@ -541,6 +555,39 @@ class OidcTest extends TestCase

$redirectUrl = url('/login?prevent_auto_init=true');

$resp->assertRedirect('https://auth.example.com/oidc/logout?post_logout_redirect_uri=' . urlencode($redirectUrl));

+ $this->assertFalse(auth()->check());

+ }

+ public function test_logout_endpoint_url_overrides_autodiscovery_endpoint()

+ {

+ config()->set(['oidc.end_session_endpoint' => 'https://a.example.com']);

+ $this->withAutodiscovery();

+ $transactions = $this->mockHttpClient([

+ $this->getAutoDiscoveryResponse(),

+ $this->getJwksResponse(),

+ ]);

+ $resp = $this->asEditor()->post('/oidc/logout');

+ $resp->assertRedirect('https://a.example.com?post_logout_redirect_uri=' . urlencode(url('/')));

+ $this->assertEquals(2, $transactions->requestCount());

+ $this->assertFalse(auth()->check());

+ }

+ public function test_logout_with_autodiscovery_does_not_use_rp_logout_if_no_url_via_autodiscovery()

+ {

+ config()->set(['oidc.end_session_endpoint' => true]);

+ $this->withAutodiscovery();

+ $this->mockHttpClient([

+ $this->getAutoDiscoveryResponse(['end_session_endpoint' => null]),

+ $this->getJwksResponse(),

+ ]);

+ $resp = $this->asEditor()->post('/oidc/logout');

+ $resp->assertRedirect('/');

+ $this->assertFalse(auth()->check());

}

public function test_logout_redirect_contains_id_token_hint_if_existing()

@@ -608,6 +655,34 @@ class OidcTest extends TestCase

]);

}

+ public function test_pkce_used_on_authorize_and_access()

+ {

+ // Start auth

+ $resp = $this->post('/oidc/login');

+ $state = session()->get('oidc_state');

+ $pkceCode = session()->get('oidc_pkce_code');

+ $this->assertGreaterThan(30, strlen($pkceCode));

+ $expectedCodeChallenge = trim(strtr(base64_encode(hash('sha256', $pkceCode, true)), '+/', '-_'), '=');

+ $redirect = $resp->headers->get('Location');

+ $redirectParams = [];

+ parse_str(parse_url($redirect, PHP_URL_QUERY), $redirectParams);

+ $this->assertEquals($expectedCodeChallenge, $redirectParams['code_challenge']);

+ $this->assertEquals('S256', $redirectParams['code_challenge_method']);

+ $transactions = $this->mockHttpClient([$this->getMockAuthorizationResponse([

+ 'email' => '[email protected]',

+ 'sub' => 'benny1010101',

+ ])]);

+ $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);

+ $tokenRequest = $transactions->latestRequest();

+ $bodyParams = [];

+ parse_str($tokenRequest->getBody(), $bodyParams);

+ $this->assertEquals($pkceCode, $bodyParams['code_verifier']);

+ }

protected function withAutodiscovery()

{

config()->set([