authorVivien Kraus <vivien@planete-kraus.eu>2020-11-30 23:13:17 +0100
committerVivien Kraus <vivien@planete-kraus.eu>2021-06-19 15:44:36 +0200
commit197da00a94a2fecee59c5d7a090316e9dd82fe90 (patch)
tree1487ba9452b79703773e3855933ace5194e94bce /tests
parent37c019d143a70bc6261eb8addcb24550b829e9bb (diff)
Fetch a client manifest on the web
Diffstat (limited to 'tests')
-rw-r--r--tests/Makefile.am5
-rw-r--r--tests/client-manifest-fraudulent.scm66
-rw-r--r--tests/client-manifest-public.scm33
-rw-r--r--tests/client-manifest.scm85
4 files changed, 188 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 37a4a82..8ccfa68 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -23,7 +23,10 @@ TESTS = %reldir%/load-library.scm \
%reldir%/dpop-proof-iat-in-future.scm \
%reldir%/dpop-proof-iat-too-late.scm \
%reldir%/dpop-proof-wrong-key.scm \
- %reldir%/dpop-proof-replay.scm
+ %reldir%/dpop-proof-replay.scm \
+ %reldir%/client-manifest-public.scm \
+ %reldir%/client-manifest.scm \
+ %reldir%/client-manifest-fraudulent.scm
EXTRA_DIST += $(TESTS)
diff --git a/tests/client-manifest-fraudulent.scm b/tests/client-manifest-fraudulent.scm
new file mode 100644
index 0000000..c12643e
--- /dev/null
+++ b/tests/client-manifest-fraudulent.scm
@@ -0,0 +1,66 @@
+(use-modules (webid-oidc client-manifest)
+ (webid-oidc cache)
+ (webid-oidc testing)
+ (webid-oidc errors)
+ (web uri)
+ (srfi srfi-19)
+ (web response)
+ (ice-9 optargs)
+ (ice-9 receive))
+
+;; In this example, the client_id of the oidcRegistration does not
+;; match the base URI.
+
+(with-test-environment
+ "client-manifest-fraudulent"
+ (lambda ()
+ (define the-current-time 0)
+ (define (current-time)
+ (make-time time-utc 0 the-current-time))
+ (define what-to-respond
+ (build-response #:headers '((content-type text/turtle))))
+ (define what-to-respond-body
+ "@prefix solid: <http://www.w3.org/ns/solid/terms#> .
+
+<#app> solid:oidcRegistration \"\"\"{
+ \"client_id\" : \"https://app.example.com/id#app\",
+ \"redirect_uris\" : [\"https://app.example.com/callback\"],
+ \"client_name\" : \"Solid Application Name\",
+ \"client_uri\" : \"https://app.example.com/\",
+ \"logo_uri\" : \"https://app.example.com/logo.png\",
+ \"tos_uri\" : \"https://app.example.com/tos.html\",
+ \"scope\" : \"openid profile offline_access\",
+ \"grant_types\" : [\"refresh_token\",\"authorization_code\"],
+ \"response_types\" : [\"code\"],
+ \"default_max_age\" : 60000,
+ \"require_auth_time\" : true
+ }\"\"\" .
+")
+ (define headers-to-expect
+ '((accept (text/turtle))))
+ (define uri-to-expect
+ (string->uri "https://fraudulent-app.example.com/id#app"))
+ (define* (respond uri #:key (headers '()))
+ (when (string? uri)
+ (set! uri (string->uri uri)))
+ (unless (equal? uri uri-to-expect)
+ (exit 1))
+ (unless (equal? headers headers-to-expect)
+ (exit 2))
+ (values what-to-respond what-to-respond-body))
+ (define cache-http-get
+ (with-cache
+ #:current-time current-time
+ #:http-get respond))
+ (with-exception-handler
+ (lambda (error)
+ (unless ((record-predicate &inconsistent-client-manifest-id)
+ ((record-accessor &cannot-fetch-client-manifest 'cause) error))
+ (exit 3)))
+ (lambda ()
+ (get-client-manifest
+ (string->uri "https://fraudulent-app.example.com/id#app")
+ #:http-get cache-http-get)
+ (exit 4))
+ #:unwind? #t
+ #:unwind-for-type &cannot-fetch-client-manifest)))
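Review bot: The only mismatch exercised here is a different host: the manifest is fetched from `fraudulent-app.example.com` while its `client_id` names `app.example.com`. An identity check that compared less than the full URI (for example the host alone) would still pass this test. A second case, where the fetched URI and the declared `client_id` share scheme and host but differ only in path or fragment, would pin that `&inconsistent-client-manifest-id` is raised on any difference; a constructed example is fetching `https://app.example.com/id#other` against the same body. A comment above `uri-to-expect` saying which component is meant to differ would also help, e.g. `;; Fetched from a different host than the client_id declared in the body.` The `(ice-9 receive)` import looks unused in this file.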
diff --git a/tests/client-manifest-public.scm b/tests/client-manifest-public.scm
new file mode 100644
index 0000000..e285782
--- /dev/null
+++ b/tests/client-manifest-public.scm
@@ -0,0 +1,33 @@
+(use-modules (webid-oidc client-manifest)
+ (webid-oidc testing)
+ (webid-oidc errors)
+ (web uri)
+ (srfi srfi-19)
+ (web response))
+
+(with-test-environment
+ "client-manifest-public"
+ (lambda ()
+ (define mf
+ (get-client-manifest
+ (string->uri "http://www.w3.org/ns/solid/terms#PublicOidcClient")
+ #:http-get
+ (lambda args
+ (exit 1))))
+ (define id (client-manifest-client-id mf))
+ (unless (equal? id (string->uri "http://www.w3.org/ns/solid/terms#PublicOidcClient"))
+ (exit 2))
+ (unless (client-manifest-check-redirect-uri mf "https://example.com")
+ (exit 3))
+ (with-exception-handler
+ (lambda (error)
+ (unless ((record-predicate &cannot-serve-public-manifest) error)
+ (exit 4)))
+ (lambda ()
+ (serve-client-manifest
+ (time-utc->date
+ (make-time time-utc 0 0))
+ mf)
+ (exit 5))
+ #:unwind? #t
+ #:unwind-for-type &cannot-serve-public-manifest)))
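Review bot: The check `(client-manifest-check-redirect-uri mf "https://example.com")` has no comment saying that it pins a deliberate, security-relevant property: the public client appears to accept a redirect URI that was never registered. Without that, a reader can mistake it for a loosely written assertion and "tighten" it. I would add above it `;; The public client has no registered redirect_uris: any redirect URI is accepted, so this client id carries no identity guarantee.` (wording to be confirmed against the implementation). The `#:http-get` stub that exits with 1 deserves a similar one-line comment, since it asserts that the public identifier is never dereferenced over the network. `(web response)` looks unused here.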
diff --git a/tests/client-manifest.scm b/tests/client-manifest.scm
new file mode 100644
index 0000000..cee586c
--- /dev/null
+++ b/tests/client-manifest.scm
@@ -0,0 +1,85 @@
+(use-modules (webid-oidc client-manifest)
+ (webid-oidc cache)
+ (webid-oidc testing)
+ (webid-oidc errors)
+ (web uri)
+ (srfi srfi-19)
+ (web response)
+ (ice-9 optargs)
+ (ice-9 receive))
+
+(with-test-environment
+ "client-manifest"
+ (lambda ()
+ (define what-to-respond
+ (build-response #:headers '((content-type text/turtle))))
+ (define what-to-respond-body
+ "@prefix solid: <http://www.w3.org/ns/solid/terms#> .
+
+<#app> solid:oidcRegistration \"\"\"{
+ \"client_id\" : \"https://app.example.com/id#app\",
+ \"redirect_uris\" : [\"https://app.example.com/callback\"],
+ \"client_name\" : \"Solid Application Name\",
+ \"client_uri\" : \"https://app.example.com/\",
+ \"logo_uri\" : \"https://app.example.com/logo.png\",
+ \"tos_uri\" : \"https://app.example.com/tos.html\",
+ \"scope\" : \"openid profile offline_access\",
+ \"grant_types\" : [\"refresh_token\",\"authorization_code\"],
+ \"response_types\" : [\"code\"],
+ \"default_max_age\" : 60000,
+ \"require_auth_time\" : true
+ }\"\"\" .
+")
+ (define* (respond uri #:key (headers '()))
+ (unless (equal? headers '((accept (text/turtle))))
+ (exit 1))
+ (when (string? uri)
+ (set! uri (string->uri uri)))
+ (unless (equal? uri
+ (string->uri "https://app.example.com/id#app"))
+ (exit 2))
+ (values what-to-respond what-to-respond-body))
+ (define current-time 0)
+ (define cache-http-get
+ (with-cache
+ #:current-time
+ (lambda ()
+ (make-time time-utc 0 current-time))
+ #:http-get respond))
+ (define mf
+ (get-client-manifest
+ (string->uri "https://app.example.com/id#app")
+ #:http-get cache-http-get))
+ (define id (client-manifest-client-id mf))
+ (unless (equal? id (string->uri "https://app.example.com/id#app"))
+ (exit 3))
+ (unless (client-manifest-check-redirect-uri mf "https://app.example.com/callback")
+ (exit 4))
+ (with-exception-handler
+ (lambda (error)
+ (unless ((record-predicate &unauthorized-redirection-uri) error)
+ (exit 5)))
+ (lambda ()
+ (client-manifest-check-redirect-uri mf "https://fraudulent-app.example.com/callback")
+ (exit 55))
+ #:unwind? #t
+ #:unwind-for-type &unauthorized-redirection-uri)
+ (receive (response response-body)
+ (serve-client-manifest
+ (time-utc->date (make-time time-utc 0 3600))
+ mf)
+ (unless (equal? (response-content-type response) '(text/turtle))
+ (exit 6))
+ (set! what-to-respond response)
+ (set! what-to-respond-body response-body)
+ (set! current-time 10)
+ (let ((re-parsed (get-client-manifest
+ (string->uri "https://app.example.com/id#app")
+ #:http-get cache-http-get)))
+ (map (lambda (key)
+ (unless (equal? (assq-ref mf key)
+ (assq-ref re-parsed key))
+ (exit 9)))
+ '(client_id redirect_uris client_name client_uri
+ logo_uri tos_uri scope grant_types response_types
+ default_max_age require_auth_time))))))
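Review bot: Nothing in the round-trip part of this test verifies that the second `get-client-manifest` actually reaches `respond`. After `what-to-respond` is replaced and `current-time` is set to 10, the request still goes through `cache-http-get`. If the cache answers from the entry stored by the first fetch, `re-parsed` comes from the original Turtle body and the key-by-key comparison passes without ever parsing the output of `serve-client-manifest`. Whether that happens depends on the cache's freshness rules, which are not visible here. Counting calls would make it explicit: `(define request-count 0)`, `(set! request-count (+ request-count 1))` at the top of `respond`, and `(unless (= request-count 2) (exit 10))` after the re-fetch. Separately, the final `map` is used only for side effects, so `for-each` would state the intent better.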