Diffstat (limited to 'tests/client-workflow.scm')
-rw-r--r-- | tests/client-workflow.scm | 118 |
1 files changed, 116 insertions, 2 deletions
diff --git a/tests/client-workflow.scm b/tests/client-workflow.scm
index 04a4455..15f480a 100644
--- a/tests/client-workflow.scm
+++ b/tests/client-workflow.scm
@@ -1,4 +1,4 @@
-;; webid-oidc, implementation of the Solid specification
+;; disfluid, implementation of the Solid specification
 ;; Copyright (C) 2021 Vivien Kraus
 ;; This program is free software: you can redistribute it and/or modify
@@ -137,4 +137,118 @@
 (equal? (request-uri final-request)
 (string->uri "https://server@client-workflow.scm/"))
 (eqv? (response-code final-response) 200))
- (exit 4)))))))))
+ (exit 4)))))
+ ;; 1 hour later, the access token should have expired.
+ (parameterize ((p:current-date 3600))
+ (receive (response response-body)
+ (let ((handler
+ (client:request client
+ (string->uri "https://server@client-workflow.scm/alice#me")
+ (string->uri "https://server@client-workflow.scm")
+ #:http-request (cute sim:request simulation <...>))))
+ (handler (build-request (string->uri "https://server@client-workflow.scm/"))
+ #f))
+ (unless (eqv? (response-code response) 200)
+ ;; Only Alice can read that resource.
+ (exit 5)))
+ (match (sim:simulation-scroll-log! simulation)
+ ;; 1. and 2. The client starts sending the request, the server
+ ;; querries the identity provider and keys.
+
+ ;; 3. The client directly sends the request. It fails because
+ ;; the access token expired.
+
+ ;; 4. The client queries the OIDC configuration to get the
+ ;; token endpoint.
+
+ ;; 5. The client gets an access token from the refresh token.
+
+ ;; 6. 7. The client decodes the ID token, by getting the keys
+ ;; again.
+
+ ;; 8. and 9. The client starts sending the new request, the
+ ;; server checks the access token.
+
+ ;; 10. The client sends the request again, and it succeeds.
+ ((_
+ _
+ (naively-try-request _ naively-try-response _)
+ (get-token-endpoint-request _ get-token-endpoint-response _)
+ (refresh-request _ refresh-response _)
+ _ _ _ _
+ (with-new-refresh-token-request _ with-new-refresh-token-response _))
+ (unless
+ (and
+ ;; 3. The client realizes that the access token is
+ ;; expired.
+ (equal? (request-uri naively-try-request)
+ (string->uri "https://server@client-workflow.scm/"))
+ (eqv? (response-code naively-try-response) 401)
+ (eqv? (time-second (date->time-utc (response-date naively-try-response)))
+ 3600)
+ ;; 4. The client discovers the token endpoint.
+ (equal? (request-uri get-token-endpoint-request)
+ (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration"))
+ (eqv? (response-code get-token-endpoint-response) 200)
+ ;; 5. Refresh the access token.
+ (equal? (request-uri refresh-request)
+ (string->uri "https://server@client-workflow.scm/token"))
+ (eqv? (response-code refresh-response) 200)
+ ;; 10. Send again.
+ (equal? (request-uri with-new-refresh-token-request)
+ (string->uri "https://server@client-workflow.scm/"))
+ (eqv? (response-code with-new-refresh-token-response) 200))
+ (exit 6)))))
+ ;; Wait another hour, and we’ll need to update the refresh
+ ;; token again, but this time it’s not there anymore.
+ (parameterize ((p:current-date 7200))
+ (refresh:remove-refresh-token
+ (string->uri "https://server@client-workflow.scm/alice#me")
+ (string->uri "https://client@client-workflow.scm/id"))
+ (with-exception-handler
+ (lambda (error)
+ (unless (client:refresh-token-expired? error)
+ (exit 7)))
+ (lambda ()
+ (let ((handler
+ (client:request client
+ (string->uri "https://server@client-workflow.scm/alice#me")
+ (string->uri "https://server@client-workflow.scm")
+ #:http-request (cute sim:request simulation <...>))))
+ (handler (build-request (string->uri "https://server@client-workflow.scm/"))
+ #f))
+ (exit 8))
+ #:unwind? #t
+ #:unwind-for-type client:&refresh-token-expired)
+ (match (sim:simulation-scroll-log! simulation)
+ ;; 1. and 2. The client starts sending the request, the server
+ ;; querries the identity provider and keys.
+
+ ;; 3. The client directly sends the request. It fails
+ ;; because the access token expired.
+
+ ;; 4. The client queries the OIDC configuration to get the
+ ;; token endpoint.
+
+ ;; 5. The client sends the token request, but it fails with
+ ;; 403.
+ ((_
+ _
+ (naively-try-request _ naively-try-response _)
+ (get-token-endpoint-request _ get-token-endpoint-response _)
+ (refresh-request _ refresh-response _))
+ ;; 3. The client realizes that the access token is
+ ;; expired.
+ (equal? (request-uri naively-try-request)
+ (string->uri "https://server@client-workflow.scm/"))
+ (eqv? (response-code naively-try-response) 401)
+ (eqv? (time-second (date->time-utc (response-date naively-try-response)))
+ 7200)
+ ;; 4. The client discovers the token endpoint.
+ (equal? (request-uri get-token-endpoint-request)
+ (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration"))
+ (eqv? (response-code get-token-endpoint-response) 200)
+ ;; 5. The client tries to refresh.
+ (equal? (request-uri refresh-request)
+ (string->uri "https://server@client-workflow.scm/token"))
+ (eqv? (response-code refresh-response) 403)))))))) |
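Review bot: The checks in the final `match` clause (the 7200-second case, after `refresh:remove-refresh-token`) are bare expressions in the clause body, so their results are discarded and nothing fails if the first attempt is not rejected with 401 or the token endpoint does not answer 403. The 3600-second block wraps the equivalent checks in `(unless (and …) (exit 6))`; this clause should do the same, `(unless (and <the existing equal?/eqv? forms>) (exit 9))`, using an exit code not taken elsewhere in the file. As written, the removed-refresh-token path is guarded only by the shape of the log pattern and by `(exit 8)` after the handler call, so a regression in the status returned for a removed token would go unnoticed. The enclosing test form starts outside the hunk.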