blob: 52a08b7c4876669b5c6e0d07eed50a075d9fc99d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
(use-modules (webid-oidc provider-confirmation)
(webid-oidc jti)
(webid-oidc jwk)
(webid-oidc jws)
(webid-oidc oidc-configuration)
(webid-oidc access-token)
(webid-oidc dpop-proof)
(webid-oidc resource-server)
(webid-oidc testing)
(web uri)
(web request)
(srfi srfi-19)
(web response)
(ice-9 optargs)
(ice-9 receive))
(with-test-environment
"resource-server"
(lambda ()
(define jti (make-jti-list))
(define client-key (generate-key #:n-size 2048))
(define idp-key (generate-key #:n-size 2048))
(define jwks (make-jwks (list idp-key)))
(define jwks-uri (string->uri "https://identity.provider/keys"))
(define oidc-config
(make-oidc-configuration
jwks-uri
(string->uri "https://identity.provider/authorize")
(string->uri "https://identity.provider/token")))
(define oidc-config-uri
(string->uri
"https://identity.provider/.well-known/openid-configuration"))
(define subject (string->uri "https://identity.provider/subject#me"))
(define* (http-get uri #:key (headers '()))
(define exp (time-utc->date (make-time time-utc 0 3600)))
(cond ((equal? uri oidc-config-uri)
(serve-oidc-configuration exp oidc-config))
((equal? uri jwks-uri)
(serve-jwks exp jwks))
(else (exit 1))))
(define access-token
(issue-access-token
idp-key
#:alg 'RS256
#:webid subject
#:iss "https://identity.provider"
#:iat 10
#:exp 3610
#:client-key client-key
#:client-id "https://client"))
(define uri (string->uri "https://resource.server/resource"))
(define server-uri (string->uri "https://resource.server/"))
(define method 'GET)
(define dpop-proof
(issue-dpop-proof
client-key
#:alg 'RS256
#:htm method
#:htu uri
#:iat (time-utc->date (make-time time-utc 0 15))))
(define rq
(call-with-input-string
(format #f "GET /resource HTTP/1.1\r\n\
Host: resource.server\r\n\
User-Agent: Test Suite\r\n\
Upgrade-Insecure-Requests: 1\r\n\
Cache-Control: max-age=0\r\n\
Authorization: DPoP ~a\r\n\
DPoP: ~a\r\n\r\n"
access-token
dpop-proof)
read-request))
(define rq-body "")
(define authenticator
(make-authenticator
jti
#:server-uri server-uri
#:current-time (lambda () (make-time time-utc 0 20))
#:http-get http-get))
(define parsed (authenticator rq rq-body))
(unless (uri? parsed)
(exit 2))
(unless (equal? parsed subject)
(exit 3))))
|