tests/authorization-endpoint-submit-form.scm


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

;; disfluid, implementation of the Solid specification
;; Copyright (C) 2020, 2021  Vivien Kraus

;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the GNU Affero General Public License as
;; published by the Free Software Foundation, either version 3 of the
;; License, or (at your option) any later version.

;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU Affero General Public License for more details.

;; You should have received a copy of the GNU Affero General Public License
;; along with this program.  If not, see <https://www.gnu.org/licenses/>.

(define-module (tests authorization-endpoint-submit-form)
  #:use-module (webid-oidc authorization-endpoint)
  #:use-module (webid-oidc authorization-code)
  #:use-module (webid-oidc client-manifest)
  #:use-module (webid-oidc jwk)
  #:use-module (webid-oidc cache)
  #:use-module (webid-oidc jti)
  #:use-module (webid-oidc testing)
  #:use-module ((webid-oidc parameters) #:prefix p:)
  #:use-module ((webid-oidc stubs) #:prefix stubs:)
  #:use-module (web uri)
  #:use-module (web request)
  #:use-module (web response)
  #:use-module (srfi srfi-19)
  #:use-module (web response)
  #:use-module (ice-9 optargs)
  #:use-module (ice-9 receive)
  #:use-module (oop goops)
  #:declarative? #t
  #:duplicates (merge-generics))

(with-test-environment
 "authorization-endpoint-submit-form"
 (lambda ()
   (define subject (string->uri "https://authorization-endpoint-submit-form.scm/profile/card#me"))
   (define client (string->uri "https://authorization-endpoint-submit-form.scm/client/card#app"))
   (define redirect (string->uri "https://authorization-endpoint-submit-form.scm/client/redirect"))
   (define password "p4ssw0rd")
   (define encrypted-password (crypt password "$6$this.is.the.salt"))
   (define what-uri-to-expect client)
   (define served
     (receive (response response-body)
         (serve (make <client-manifest>
                  #:client-id client
                  #:redirect-uris (list redirect))
                (time-utc->date (make-time time-utc 0 3600)))
       (cons response response-body)))
   (define the-response (car served))
   (define the-response-body (cdr served))
   (define endpoint
     (make-authorization-endpoint
      subject encrypted-password "key-file.jwk"))
   (parameterize ((p:anonymous-http-request
                   (lambda* (uri #:key (headers '()) #:allow-other-keys)
                     (unless (equal? uri what-uri-to-expect)
                       (exit 2))
                     (values the-response the-response-body))))
     (use-cache
      (lambda ()
        (receive (response response-body)
            ;; The password is fake!
            (parameterize ((p:current-date 0))
              (endpoint
               (build-request (string->uri
                               (format #f "https://authorization-endpoint-submit-form.scm/authorize?client_id=~a&redirect_uri=~a"
                                       (uri-encode (uri->string client))
                                       (uri-encode (uri->string redirect))))
                              #:headers '((content-type application/x-www-form-urlencoded))
                              #:method 'POST
                              #:port #t)
               "password=fake"))
          (when (eq? (response-code response) 302)
            (exit 3)))
        (receive (response response-body)
            (parameterize ((p:current-date 0))
              (endpoint
               (build-request (string->uri
                               (format #f "https://authorization-endpoint-submit-form.scm/authorize?client_id=~a&redirect_uri=~a"
                                       (uri-encode (uri->string client))
                                       (uri-encode (uri->string redirect))))
                              #:headers '((content-type application/x-www-form-urlencoded))
                              #:method 'POST
                              #:port #t)
               "password=p4ssw0rd"))
          (unless (eq? (response-code response) 302)
            (exit 4))
          (let ((loc (response-location response)))
            (unless (uri? loc)
              (exit 5))
            (let ((loc-scheme (uri-scheme loc))
                  (loc-host (uri-host loc))
                  (loc-path (uri-path loc))
                  (loc-query (uri-query loc)))
              (unless (eq? loc-scheme 'https)
                (exit 6))
              (unless (string=? loc-host "authorization-endpoint-submit-form.scm")
                (exit 7))
              (unless (string=? loc-path "/client/redirect")
                (exit 8))
              (let* ((kv (string-split loc-query #\&))
                     (args (map (lambda (x)
                                  (map uri-decode (string-split x #\=)))
                                kv)))
                (unless (assoc-ref args "code")
                  (exit 9))
                (let ((parsed
                       (parameterize ((p:current-date 60))
                         (decode <authorization-code>
                                 (car (assoc-ref args "code"))
                                 #:issuer-key
                                 (call-with-input-file "key-file.jwk"
                                   (lambda (port)
                                     (jwk->key (stubs:json->scm port))))))))
                  (unless parsed
                    (exit 10))))))))))))