nikrozman/element-web
1
0
Fork 0
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Prepare for repo merge

Browse Source 
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
This commit is contained in:
Michael Telatynski
2024-10-15 11:35:21 +01:00
parent 0f670b8dc0
commit b084ff2313
807 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
test/unit-tests/utils/oidc/TokenRefresher-test.ts Normal file
View File

@@ -0,0 +1,88 @@
/*
Copyright 2024 New Vector Ltd.
Copyright 2023 The Matrix.org Foundation C.I.C.
SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only
Please see LICENSE files in the repository root for full details.
*/
import fetchMock from "fetch-mock-jest";
import { mocked } from "jest-mock";
import { TokenRefresher } from "../../../src/utils/oidc/TokenRefresher";
import { persistAccessTokenInStorage, persistRefreshTokenInStorage } from "../../../src/utils/tokens/tokens";
import { mockPlatformPeg } from "../../test-utils";
import { makeDelegatedAuthConfig } from "../../test-utils/oidc";
jest.mock("../../../src/utils/tokens/tokens", () => ({
persistAccessTokenInStorage: jest.fn(),
persistRefreshTokenInStorage: jest.fn(),
}));
describe("TokenRefresher", () => {
const clientId = "test-client-id";
const issuer = "https://auth.com/";
const redirectUri = "https://test.com";
const deviceId = "test-device-id";
const userId = "@alice:server.org";
const accessToken = "test-access-token";
const refreshToken = "test-refresh-token";
const authConfig = makeDelegatedAuthConfig(issuer);
const idTokenClaims = {
aud: "123",
iss: issuer,
sub: "123",
exp: 123,
iat: 456,
};
beforeEach(() => {
fetchMock.get(`${issuer}.well-known/openid-configuration`, authConfig.metadata);
fetchMock.get(`${issuer}jwks`, {
status: 200,
headers: {
"Content-Type": "application/json",
},
keys: [],
});
mocked(persistAccessTokenInStorage).mockResolvedValue(undefined);
mocked(persistRefreshTokenInStorage).mockResolvedValue(undefined);
});
afterEach(() => {
jest.restoreAllMocks();
});
it("should persist tokens with a pickle key", async () => {
const pickleKey = "test-pickle-key";
const getPickleKey = jest.fn().mockResolvedValue(pickleKey);
mockPlatformPeg({ getPickleKey });
const refresher = new TokenRefresher(issuer, clientId, redirectUri, deviceId, idTokenClaims, userId);
await refresher.oidcClientReady;
await refresher.persistTokens({ accessToken, refreshToken });
expect(getPickleKey).toHaveBeenCalledWith(userId, deviceId);
expect(persistAccessTokenInStorage).toHaveBeenCalledWith(accessToken, pickleKey);
expect(persistRefreshTokenInStorage).toHaveBeenCalledWith(refreshToken, pickleKey);
});
it("should persist tokens without a pickle key", async () => {
const getPickleKey = jest.fn().mockResolvedValue(null);
mockPlatformPeg({ getPickleKey });
const refresher = new TokenRefresher(issuer, clientId, redirectUri, deviceId, idTokenClaims, userId);
await refresher.oidcClientReady;
await refresher.persistTokens({ accessToken, refreshToken });
expect(getPickleKey).toHaveBeenCalledWith(userId, deviceId);
expect(persistAccessTokenInStorage).toHaveBeenCalledWith(accessToken, undefined);
expect(persistRefreshTokenInStorage).toHaveBeenCalledWith(refreshToken, undefined);
});
});

164
test/unit-tests/utils/oidc/authorize-test.ts Normal file
View File

@@ -0,0 +1,164 @@
/*
Copyright 2024 New Vector Ltd.
Copyright 2023 The Matrix.org Foundation C.I.C.
SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only
Please see LICENSE files in the repository root for full details.
*/
import fetchMock from "fetch-mock-jest";
import { completeAuthorizationCodeGrant } from "matrix-js-sdk/src/oidc/authorize";
import * as randomStringUtils from "matrix-js-sdk/src/randomstring";
import { BearerTokenResponse } from "matrix-js-sdk/src/oidc/validate";
import { mocked } from "jest-mock";
import { Crypto } from "@peculiar/webcrypto";
import { getRandomValues } from "node:crypto";
import { completeOidcLogin, startOidcLogin } from "../../../src/utils/oidc/authorize";
import { makeDelegatedAuthConfig } from "../../test-utils/oidc";
import { OidcClientError } from "../../../src/utils/oidc/error";
import { mockPlatformPeg } from "../../test-utils";
jest.unmock("matrix-js-sdk/src/randomstring");
jest.mock("matrix-js-sdk/src/oidc/authorize", () => ({
...jest.requireActual("matrix-js-sdk/src/oidc/authorize"),
completeAuthorizationCodeGrant: jest.fn(),
}));
const webCrypto = new Crypto();
describe("OIDC authorization", () => {
const issuer = "https://auth.com/";
const homeserverUrl = "https://matrix.org";
const identityServerUrl = "https://is.org";
const clientId = "xyz789";
const baseUrl = "https://test.com";
const delegatedAuthConfig = makeDelegatedAuthConfig(issuer);
// to restore later
const realWindowLocation = window.location;
beforeEach(() => {
// @ts-ignore allow delete of non-optional prop
delete window.location;
// @ts-ignore ugly mocking
window.location = {
href: baseUrl,
origin: baseUrl,
};
jest.spyOn(randomStringUtils, "randomString").mockRestore();
mockPlatformPeg();
Object.defineProperty(window, "crypto", {
value: {
getRandomValues,
randomUUID: jest.fn().mockReturnValue("not-random-uuid"),
subtle: webCrypto.subtle,
},
});
});
beforeAll(() => {
fetchMock.get(
`${delegatedAuthConfig.metadata.issuer}.well-known/openid-configuration`,
delegatedAuthConfig.metadata,
);
});
afterAll(() => {
window.location = realWindowLocation;
});
describe("startOidcLogin()", () => {
it("navigates to authorization endpoint with correct parameters", async () => {
await startOidcLogin(delegatedAuthConfig, clientId, homeserverUrl);
const expectedScopeWithoutDeviceId = `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:`;
const authUrl = new URL(window.location.href);
expect(authUrl.searchParams.get("response_mode")).toEqual("query");
expect(authUrl.searchParams.get("response_type")).toEqual("code");
expect(authUrl.searchParams.get("client_id")).toEqual(clientId);
expect(authUrl.searchParams.get("code_challenge_method")).toEqual("S256");
// scope ends with a 10char randomstring deviceId
const scope = authUrl.searchParams.get("scope")!;
expect(scope.substring(0, scope.length - 10)).toEqual(expectedScopeWithoutDeviceId);
expect(scope.substring(scope.length - 10)).toBeTruthy();
// random string, just check they are set
expect(authUrl.searchParams.has("state")).toBeTruthy();
expect(authUrl.searchParams.has("nonce")).toBeTruthy();
expect(authUrl.searchParams.has("code_challenge")).toBeTruthy();
});
});
describe("completeOidcLogin()", () => {
const state = "test-state-444";
const code = "test-code-777";
const queryDict = {
code,
state: state,
};
const tokenResponse: BearerTokenResponse = {
access_token: "abc123",
refresh_token: "def456",
id_token: "ghi789",
scope: "test",
token_type: "Bearer",
expires_at: 12345,
};
beforeEach(() => {
mocked(completeAuthorizationCodeGrant)
.mockClear()
.mockResolvedValue({
oidcClientSettings: {
clientId,
issuer,
},
tokenResponse,
homeserverUrl,
identityServerUrl,
idTokenClaims: {
aud: "123",
iss: issuer,
sub: "123",
exp: 123,
iat: 456,
},
});
});
it("should throw when query params do not include state and code", async () => {
await expect(async () => await completeOidcLogin({})).rejects.toThrow(
OidcClientError.InvalidQueryParameters,
);
});
it("should make request complete authorization code grant", async () => {
await completeOidcLogin(queryDict);
expect(completeAuthorizationCodeGrant).toHaveBeenCalledWith(code, state);
});
it("should return accessToken, configured homeserver and identityServer", async () => {
const result = await completeOidcLogin(queryDict);
expect(result).toEqual({
accessToken: tokenResponse.access_token,
refreshToken: tokenResponse.refresh_token,
homeserverUrl,
identityServerUrl,
issuer,
clientId,
idToken: "ghi789",
idTokenClaims: result.idTokenClaims,
});
});
});
});

107
test/unit-tests/utils/oidc/persistOidcSettings-test.ts Normal file
View File

@@ -0,0 +1,107 @@
/*
Copyright 2024 New Vector Ltd.
Copyright 2023 The Matrix.org Foundation C.I.C.
SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only
Please see LICENSE files in the repository root for full details.
*/
import { IdTokenClaims } from "oidc-client-ts";
import { decodeIdToken } from "matrix-js-sdk/src/matrix";
import { mocked } from "jest-mock";
import {
getStoredOidcClientId,
getStoredOidcIdToken,
getStoredOidcIdTokenClaims,
getStoredOidcTokenIssuer,
persistOidcAuthenticatedSettings,
} from "../../../src/utils/oidc/persistOidcSettings";
jest.mock("matrix-js-sdk/src/matrix");
describe("persist OIDC settings", () => {
jest.spyOn(Storage.prototype, "getItem");
jest.spyOn(Storage.prototype, "setItem");
beforeEach(() => {
localStorage.clear();
});
const clientId = "test-client-id";
const issuer = "https://auth.org/";
const idToken = "test-id-token";
const idTokenClaims: IdTokenClaims = {
// audience is this client
aud: "123",
// issuer matches
iss: issuer,
sub: "123",
exp: 123,
iat: 456,
};
describe("persistOidcAuthenticatedSettings", () => {
it("should set clientId and issuer in localStorage", () => {
persistOidcAuthenticatedSettings(clientId, issuer, idToken);
expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_client_id", clientId);
expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_token_issuer", issuer);
expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_id_token", idToken);
});
});
describe("getStoredOidcTokenIssuer()", () => {
it("should return issuer from localStorage", () => {
localStorage.setItem("mx_oidc_token_issuer", issuer);
expect(getStoredOidcTokenIssuer()).toEqual(issuer);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_token_issuer");
});
it("should return undefined when no issuer in localStorage", () => {
expect(getStoredOidcTokenIssuer()).toBeUndefined();
});
});
describe("getStoredOidcClientId()", () => {
it("should return clientId from localStorage", () => {
localStorage.setItem("mx_oidc_client_id", clientId);
expect(getStoredOidcClientId()).toEqual(clientId);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_client_id");
});
it("should throw when no clientId in localStorage", () => {
expect(() => getStoredOidcClientId()).toThrow("Oidc client id not found in storage");
});
});
describe("getStoredOidcIdToken()", () => {
it("should return token from localStorage", () => {
localStorage.setItem("mx_oidc_id_token", idToken);
expect(getStoredOidcIdToken()).toEqual(idToken);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token");
});
it("should return undefined when no token in localStorage", () => {
expect(getStoredOidcIdToken()).toBeUndefined();
});
});
describe("getStoredOidcIdTokenClaims()", () => {
it("should return claims from localStorage", () => {
localStorage.setItem("mx_oidc_id_token_claims", JSON.stringify(idTokenClaims));
expect(getStoredOidcIdTokenClaims()).toEqual(idTokenClaims);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token_claims");
});
it("should return claims extracted from id_token in localStorage", () => {
localStorage.setItem("mx_oidc_id_token", idToken);
mocked(decodeIdToken).mockReturnValue(idTokenClaims);
expect(getStoredOidcIdTokenClaims()).toEqual(idTokenClaims);
expect(decodeIdToken).toHaveBeenCalledWith(idToken);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token_claims");
});
it("should return undefined when no claims in localStorage", () => {
expect(getStoredOidcIdTokenClaims()).toBeUndefined();
});
});
});

128
test/unit-tests/utils/oidc/registerClient-test.ts Normal file
View File

@@ -0,0 +1,128 @@
/*
Copyright 2024 New Vector Ltd.
Copyright 2023 The Matrix.org Foundation C.I.C.
SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only
Please see LICENSE files in the repository root for full details.
*/
import fetchMockJest from "fetch-mock-jest";
import { OidcError } from "matrix-js-sdk/src/oidc/error";
import { OidcClientConfig } from "matrix-js-sdk/src/matrix";
import { getOidcClientId } from "../../../src/utils/oidc/registerClient";
import { mockPlatformPeg } from "../../test-utils";
import PlatformPeg from "../../../src/PlatformPeg";
import { makeDelegatedAuthConfig } from "../../test-utils/oidc";
describe("getOidcClientId()", () => {
const issuer = "https://auth.com/";
const clientName = "Element";
const baseUrl = "https://just.testing";
const dynamicClientId = "xyz789";
const staticOidcClients = {
[issuer]: {
client_id: "abc123",
},
};
const delegatedAuthConfig = makeDelegatedAuthConfig(issuer);
beforeEach(() => {
fetchMockJest.mockClear();
fetchMockJest.resetBehavior();
mockPlatformPeg();
Object.defineProperty(PlatformPeg.get(), "baseUrl", {
get(): string {
return baseUrl;
},
});
Object.defineProperty(PlatformPeg.get(), "defaultOidcClientUri", {
get(): string {
return baseUrl;
},
});
Object.defineProperty(PlatformPeg.get(), "getOidcCallbackUrl", {
value: () => ({
href: baseUrl,
}),
});
});
it("should return static clientId when configured", async () => {
expect(await getOidcClientId(delegatedAuthConfig, staticOidcClients)).toEqual("abc123");
// didn't try to register
expect(fetchMockJest).toHaveFetchedTimes(0);
});
it("should throw when no static clientId is configured and no registration endpoint", async () => {
const authConfigWithoutRegistration: OidcClientConfig = makeDelegatedAuthConfig(
"https://issuerWithoutStaticClientId.org/",
);
authConfigWithoutRegistration.registrationEndpoint = undefined;
await expect(getOidcClientId(authConfigWithoutRegistration, staticOidcClients)).rejects.toThrow(
OidcError.DynamicRegistrationNotSupported,
);
// didn't try to register
expect(fetchMockJest).toHaveFetchedTimes(0);
});
it("should handle when staticOidcClients object is falsy", async () => {
const authConfigWithoutRegistration: OidcClientConfig = {
...delegatedAuthConfig,
registrationEndpoint: undefined,
};
await expect(getOidcClientId(authConfigWithoutRegistration)).rejects.toThrow(
OidcError.DynamicRegistrationNotSupported,
);
// didn't try to register
expect(fetchMockJest).toHaveFetchedTimes(0);
});
it("should make correct request to register client", async () => {
fetchMockJest.post(delegatedAuthConfig.registrationEndpoint!, {
status: 200,
body: JSON.stringify({ client_id: dynamicClientId }),
});
expect(await getOidcClientId(delegatedAuthConfig)).toEqual(dynamicClientId);
// didn't try to register
expect(fetchMockJest).toHaveBeenCalledWith(
delegatedAuthConfig.registrationEndpoint!,
expect.objectContaining({
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
},
method: "POST",
}),
);
expect(JSON.parse(fetchMockJest.mock.calls[0][1]!.body as string)).toEqual(
expect.objectContaining({
client_name: clientName,
client_uri: baseUrl,
response_types: ["code"],
grant_types: ["authorization_code", "refresh_token"],
redirect_uris: [baseUrl],
id_token_signed_response_alg: "RS256",
token_endpoint_auth_method: "none",
application_type: "web",
logo_uri: `${baseUrl}/vector-icons/1024.png`,
}),
);
});
it("should throw when registration request fails", async () => {
fetchMockJest.post(delegatedAuthConfig.registrationEndpoint!, {
status: 500,
});
await expect(getOidcClientId(delegatedAuthConfig)).rejects.toThrow(OidcError.DynamicRegistrationFailed);
});
it("should throw when registration response is invalid", async () => {
fetchMockJest.post(delegatedAuthConfig.registrationEndpoint!, {
status: 200,
// no clientId in response
body: "{}",
});
await expect(getOidcClientId(delegatedAuthConfig)).rejects.toThrow(OidcError.DynamicRegistrationInvalid);
});
});