Diffstat (limited to 'tests/client-workflow.scm')
-rw-r--r-- | tests/client-workflow.scm | 117 |
1 files changed, 80 insertions, 37 deletions
diff --git a/tests/client-workflow.scm b/tests/client-workflow.scm
index ed1c1b4..63d505a 100644
--- a/tests/client-workflow.scm
+++ b/tests/client-workflow.scm
@@ -19,9 +19,15 @@
 #:use-module ((webid-oidc client accounts) #:prefix client:)
 #:use-module ((webid-oidc jwk) #:prefix jwk:)
 #:use-module (webid-oidc testing)
+ #:use-module (webid-oidc oidc-configuration)
+ #:use-module (webid-oidc server endpoint)
+ #:use-module (webid-oidc server endpoint resource-server)
+ #:use-module (webid-oidc server endpoint identity-provider)
+ #:use-module (webid-oidc server endpoint client)
+ #:use-module (webid-oidc server endpoint authentication)
 #:use-module ((webid-oidc stubs) #:prefix stubs:)
 #:use-module ((webid-oidc refresh-token) #:prefix refresh:)
- #:use-module ((webid-oidc simulation) #:prefix sim:)
+ #:use-module (webid-oidc simulation)
 #:use-module ((webid-oidc parameters) #:prefix p:)
 #:use-module (web uri)
 #:use-module (web request)
@@ -33,6 +39,7 @@
 #:use-module (ice-9 hash-table)
 #:use-module (ice-9 match)
 #:use-module (oop goops)
+ #:declarative? #t
 #:duplicates (merge-generics))
 ;; In this example, a user firsts requests an account, then logs in
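Review bot: The unprefixed import of `(webid-oidc simulation)` on this hunk's `+` line, next to five unprefixed `(webid-oidc server endpoint …)` modules, leaves every exported name to be reconciled by `#:duplicates (merge-generics)`, and the `(@ (webid-oidc simulation) request)` used later in this file suggests `request` already collides with another binding. If `request` is not a generic it is not obvious to a reader which binding wins, so the intent is clearer with an explicit selection: `#:use-module ((webid-oidc simulation) #:select ((request . sim-request) grant-authorization scroll-log!))`. That would also let the `parameterize` form further down call `sim-request` directly instead of reaching into the module with `@`.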
@@ -59,39 +66,75 @@ (with-test-environment "client-workflow" (lambda () - (let ((simulation (sim:make-simulation)) + (let ((simulation + (make <simulation> + #:endpoint + (make <router> + #:routed + (list + (make <identity-provider> + #:host "server.client-workflow.scm" + #:oidc-discovery + (make <oidc-discovery> + #:path "/.well-known/openid-configuration" + #:configuration + (make <oidc-configuration> + #:jwks-uri "https://server.client-workflow.scm/keys" + #:authorization-endpoint "https://server.client-workflow.scm/authorize" + #:token-endpoint "https://server.client-workflow.scm/token")) + #:authorization-endpoint + (make <authorization-endpoint> + #:path "/authorize" + #:subject "https://server.client-workflow.scm/alice#me" + #:encrypted-password (crypt "password" "$6$password") + #:key-file "key-file.jwk") + #:token-endpoint + (make <token-endpoint> + #:path "/token" + #:issuer "https://server.client-workflow.scm" + #:key-file "key-file.jwk") + #:jwks-endpoint + (make <jwks-endpoint> + #:path "/keys" + #:key-file "key-file.jwk") + #:default + (make <authenticator> + #:backend + (make <resource-server> + #:server-name "https://server.client-workflow.scm" + #:owner "https://server.client-workflow.scm/alice#me") + #:server-uri "https://server.client-workflow.scm")) + (make <client-id> + #:host "client.client-workflow.scm" + #:client-id "https://client.client-workflow.scm/id" + #:redirect-uris '("https://client.client-workflow.scm/authorized") + #:client-name "Client workflow test" + #:client-uri "https://client.client-workflow.scm/about" + #:grant-types '(authorization_code refresh_token) + #:response-types '(code)))))) (account #f)) - (sim:add-server! simulation - (string->uri "https://server@client-workflow.scm") - (string->uri "https://server@client-workflow.scm/alice#me")) - (sim:add-client! 
simulation - (string->uri "https://client@client-workflow.scm") - (string->uri "https://client@client-workflow.scm/id") - (string->uri "https://client@client-workflow.scm/authorized") - "Client workflow test" - (string->uri "https://client@client-workflow.scm/about")) (parameterize ((client:client (make <client:client> - #:client-id "https://client@client-workflow.scm/id" + #:client-id "https://client.client-workflow.scm/id" #:redirect-uri - (string->uri "https://client@client-workflow.scm/authorized"))) + (string->uri "https://client.client-workflow.scm/authorized"))) (p:anonymous-http-request - (cute sim:request simulation <...>))) + (cute (@ (webid-oidc simulation) request) simulation <...>))) (parameterize ((p:current-date 0) (client:authorization-process (lambda* (uri #:key reason) - (sim:grant-authorization simulation uri)))) + (grant-authorization simulation uri)))) (receive (new-account response response-body) (begin (set! account - (make <client:account> #:issuer "https://server@client-workflow.scm")) + (make <client:account> #:issuer "https://server.client-workflow.scm")) (client:request account - (string->uri "https://server@client-workflow.scm/"))) + (string->uri "https://server.client-workflow.scm/"))) (set! account new-account) (unless (eqv? (response-code response) 200) ;; Only Alice can read that resource. (exit 3))) - (match (sim:simulation-scroll-log! simulation) + (match (scroll-log! simulation) ;; 1. The client gets the oidc configuration of the ;; server. 
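Review bot: The new `<simulation>` literal repeats the origin `"https://server.client-workflow.scm"` in `#:host`, `#:jwks-uri`, `#:authorization-endpoint`, `#:token-endpoint`, `#:issuer`, `#:server-name` and `#:server-uri`, repeats `"key-file.jwk"` for three endpoints, and repeats the subject `".../alice#me"` as both `#:subject` and `#:owner`; the test only passes if all of them agree (discovery must advertise the paths the endpoints are mounted on, and `#:owner` must equal the authenticated `#:subject` for the "Only Alice can read that resource" check). Binding each once, e.g. `(let* ((server "https://server.client-workflow.scm") (alice (string-append server "/alice#me")) (key-file "key-file.jwk")) …)` and deriving the endpoint URIs from `server`, would make those dependencies explicit and keep a configuration typo from surfacing as a failure elsewhere in the flow. The `#:encrypted-password (crypt "password" "$6$password")` line deserves a short comment such as `;; throwaway test credential with a fixed salt` so nobody mistakes it for a pattern to copy. The enclosing `with-test-environment` form starts in this hunk but ends outside it.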
@@ -124,39 +167,39 @@ (and ;; 1. Get the authorization endpoint. (equal? (request-uri get-oidc-config-request) - (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration")) + (string->uri "https://server.client-workflow.scm/.well-known/openid-configuration")) (eqv? (response-code get-oidc-config-response) 200) ;; 2. The server checks the client ID. (equal? (request-uri get-client-id-request) - (string->uri "https://client@client-workflow.scm/id")) + (string->uri "https://client.client-workflow.scm/id")) (eqv? (response-code get-client-id-response) 200) ;; 3. The authorization request completes. (string-prefix? - "https://server@client-workflow.scm/authorize?" + "https://server.client-workflow.scm/authorize?" (uri->string (request-uri authorization-request))) (eq? (request-method authorization-request) 'POST) (eqv? (response-code authorization-response) 302) (string-prefix? - "https://client@client-workflow.scm/authorized?" + "https://client.client-workflow.scm/authorized?" (uri->string (response-location authorization-response))) ;; 4. Token negociation. (equal? (request-uri token-request) - (string->uri "https://server@client-workflow.scm/token")) + (string->uri "https://server.client-workflow.scm/token")) (eqv? (response-code token-response) 200) ;; 5. The final request. (equal? (request-uri final-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code final-response) 200)) (exit 4))))) ;; 1 hour later, the access token should have expired. (parameterize ((p:current-date 3600)) (receive (new-account response response-body) - (client:request account (string->uri "https://server@client-workflow.scm/")) + (client:request account (string->uri "https://server.client-workflow.scm/")) (set! account new-account) (unless (eqv? (response-code response) 200) ;; Only Alice can read that resource. (exit 5))) - (match (sim:simulation-scroll-log! 
simulation) + (match (scroll-log! simulation) ;; 1. and 2. The client starts sending the request, the server ;; querries the identity provider and keys. 
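Review bot: Step 3 of this hunk only checks that the redirect `Location` starts with `"https://client.client-workflow.scm/authorized?"`, so a 302 whose query is empty or malformed would still pass; since step 4 expects a token request, the assertion could also require the authorization code to be present, e.g. `(string-contains (uri-query (response-location authorization-response)) "code=")`. If the client sends a `state` parameter, asserting that it is echoed back in that query would also cover the request/response binding of the flow; the page does not show whether it does. The `match` clause enclosing this `and` starts before the hunk.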
@@ -187,39 +230,39 @@ ;; 3. The client realizes that the access token is ;; expired. (equal? (request-uri naively-try-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code naively-try-response) 401) (eqv? (time-second (date->time-utc (response-date naively-try-response))) 3600) ;; 4. The client discovers the token endpoint. (equal? (request-uri get-token-endpoint-request) - (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration")) + (string->uri "https://server.client-workflow.scm/.well-known/openid-configuration")) (eqv? (response-code get-token-endpoint-response) 200) ;; 5. Refresh the access token. (equal? (request-uri refresh-request) - (string->uri "https://server@client-workflow.scm/token")) + (string->uri "https://server.client-workflow.scm/token")) (eqv? (response-code refresh-response) 200) ;; 10. Send again. (equal? (request-uri with-new-refresh-token-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code with-new-refresh-token-response) 200)) (exit 6))))) ;; Wait another hour, and we’ll need to update the refresh ;; token again, but this time it’s not there anymore. (parameterize ((p:current-date 7200)) (refresh:remove-refresh-token - (string->uri "https://server@client-workflow.scm/alice#me") - (string->uri "https://client@client-workflow.scm/id")) + (string->uri "https://server.client-workflow.scm/alice#me") + (string->uri "https://client.client-workflow.scm/id")) (with-exception-handler (lambda (error) (unless (client:refresh-token-expired? error) (exit 7))) (lambda () - (client:request account (string->uri "https://server@client-workflow.scm/")) + (client:request account (string->uri "https://server.client-workflow.scm/")) (exit 8)) #:unwind? #t #:unwind-for-type client:&refresh-token-expired) - (match (sim:simulation-scroll-log! 
simulation) + (match (scroll-log! simulation) ;; 1. and 2. The client starts sending the request, the server ;; querries the identity provider and keys.
@@ -239,15 +282,15 @@
 ;; 3. The client realizes that the access token is ;; expired. (equal? (request-uri naively-try-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code naively-try-response) 401) (eqv? (time-second (date->time-utc (response-date naively-try-response))) 7200) ;; 4. The client discovers the token endpoint. (equal? (request-uri get-token-endpoint-request) - (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration")) + (string->uri "https://server.client-workflow.scm/.well-known/openid-configuration")) (eqv? (response-code get-token-endpoint-response) 200) ;; 5. The client tries to refresh. (equal? (request-uri refresh-request) - (string->uri "https://server@client-workflow.scm/token")) + (string->uri "https://server.client-workflow.scm/token")) (eqv? (response-code refresh-response) 403)))))))) |