index.test.ts
import {
authScenariosList,
backcompatScenariosList,
draftScenariosList
} from './index';
import {
runClientAgainstScenario,
InlineClientRunner
} from './test_helpers/testClient';
import { runClient as badPrmClient } from '../../../../examples/clients/typescript/auth-test-bad-prm';
import { runClient as noCimdClient } from '../../../../examples/clients/typescript/auth-test-no-cimd';
import { runClient as ignoreScopeClient } from '../../../../examples/clients/typescript/auth-test-ignore-scope';
import { runClient as partialScopesClient } from '../../../../examples/clients/typescript/auth-test-partial-scopes';
import { runClient as ignore403Client } from '../../../../examples/clients/typescript/auth-test-ignore-403';
import { runClient as noRetryLimitClient } from '../../../../examples/clients/typescript/auth-test-no-retry-limit';
import { runClient as noPkceClient } from '../../../../examples/clients/typescript/auth-test-no-pkce';
import { getHandler } from '../../../../examples/clients/typescript/everything-client';
import { setLogLevel } from '../../../../examples/clients/typescript/helpers/logger';
// Lower the example clients' logger to 'error' once, before any test in this
// file runs.
beforeAll(function quietExampleClientLogs(): void {
  setLogLevel('error');
});
// Scenarios whose run is allowed to end with a client-side error. The option
// is forwarded as `allowClientError`; the scenario's checks are still expected
// to pass. Keep this list short: every entry here is a scenario where a client
// failure will not, by itself, fail the test.
const allowClientErrorScenarios = new Set<string>([
  // The client should give up (error) once its retry budget is exhausted.
  'auth/scope-retry-limit',
  // The client should error when the PRM resource does not match the server URL.
  'auth/resource-mismatch'
]);

// Scenario names to leave out of the auth suite. Empty by default; list a
// scenario name here to exclude it.
const skipScenarios = new Set<string>([
  // Add scenarios that should be skipped here
]);
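// Runs the example "everything" client against every scenario in
// authScenariosList, one test per scenario.
describe('Client Auth Scenarios', () => {
  for (const scenario of authScenariosList) {
    // Register skipped scenarios through the test runner's own skip mechanism.
    // An early `return` inside the test body would report the scenario as
    // passing, which hides the fact that an auth check never ran.
    const defineTest = skipScenarios.has(scenario.name) ? test.skip : test;

    defineTest(`${scenario.name} passes`, async () => {
      // Every listed scenario must have a registered handler; a missing one is
      // a test failure, not a silent pass.
      const clientFn = getHandler(scenario.name);
      if (!clientFn) {
        throw new Error(`No handler registered for scenario: ${scenario.name}`);
      }

      const runner = new InlineClientRunner(clientFn);
      await runClientAgainstScenario(runner, scenario.name, {
        // Only scenarios listed in allowClientErrorScenarios may end with a
        // client-side error.
        allowClientError: allowClientErrorScenarios.has(scenario.name)
      });
    });
  }
});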
// Runs the example "everything" client against every scenario in
// backcompatScenariosList, one test per scenario. No options are passed to
// the helper here, so `allowClientError` is never set for these scenarios.
describe('Client Back-compat Scenarios', () => {
  for (const { name } of backcompatScenariosList) {
    test(`${name} passes`, async () => {
      const handler = getHandler(name);
      if (!handler) {
        // A listed scenario without a handler must fail loudly.
        throw new Error(`No handler registered for scenario: ${name}`);
      }

      await runClientAgainstScenario(new InlineClientRunner(handler), name);
    });
  }
});
// Runs the example "everything" client against every scenario in
// draftScenariosList, one test per scenario.
// NOTE(review): unlike the auth suite, skipScenarios is not consulted here.
describe('Client Draft Scenarios', () => {
  for (const { name } of draftScenariosList) {
    test(`${name} passes`, async () => {
      const handler = getHandler(name);
      if (!handler) {
        // A listed scenario without a handler must fail loudly.
        throw new Error(`No handler registered for scenario: ${name}`);
      }

      // Only scenarios listed in allowClientErrorScenarios may end with a
      // client-side error.
      const tolerateClientError = allowClientErrorScenarios.has(name);
      await runClientAgainstScenario(new InlineClientRunner(handler), name, {
        allowClientError: tolerateClientError
      });
    });
  }
});
// Negative controls for the conformance checks. Each test runs one of the
// deliberately non-conforming example clients (the auth-test-* imports) against
// a scenario and names, in `expectedFailureSlugs`, the checks that client is
// expected to trip. Presumably the helper fails the test when a listed check
// does not fail; confirm in test_helpers/testClient. A check that never fails
// for a broken client gives no assurance about real clients, so every
// security-relevant check should have a case here.
describe('Negative tests', () => {
  type ClientFn = ConstructorParameters<typeof InlineClientRunner>[0];
  type ScenarioName = Parameters<typeof runClientAgainstScenario>[1];
  type RunOptions = Parameters<typeof runClientAgainstScenario>[2];

  // Builds the async test body: the runner is created when the test executes,
  // then the client is run against the scenario with the given options.
  const runNegativeCase =
    (client: ClientFn, scenarioName: ScenarioName, options: RunOptions) =>
    async (): Promise<void> => {
      const runner = new InlineClientRunner(client);
      await runClientAgainstScenario(runner, scenarioName, options);
    };

  test(
    'bad client requests root PRM location',
    runNegativeCase(badPrmClient, 'auth/metadata-default', {
      expectedFailureSlugs: ['prm-priority-order']
    })
  );

  test(
    'client ignores scope from WWW-Authenticate header',
    runNegativeCase(ignoreScopeClient, 'auth/scope-from-www-authenticate', {
      expectedFailureSlugs: ['scope-from-www-authenticate']
    })
  );

  test(
    'client only requests subset of scopes_supported',
    runNegativeCase(partialScopesClient, 'auth/scope-from-scopes-supported', {
      expectedFailureSlugs: ['scope-from-scopes-supported']
    })
  );

  // NOTE(review): this case reuses partialScopesClient from the previous test;
  // confirm that client really does send a scope when scopes_supported is empty.
  test(
    'client requests scope even if scopes_supported is empty',
    runNegativeCase(partialScopesClient, 'auth/scope-omitted-when-undefined', {
      expectedFailureSlugs: ['scope-omitted-when-undefined']
    })
  );

  test(
    'client only responds to 401, not 403',
    runNegativeCase(ignore403Client, 'auth/scope-step-up', {
      expectedFailureSlugs: ['scope-step-up-escalation']
    })
  );

  test(
    'client uses DCR instead of CIMD when server supports it',
    runNegativeCase(noCimdClient, 'auth/basic-cimd', {
      expectedFailureSlugs: ['cimd-client-id-used']
    })
  );

  // The only case that also sets allowClientError: the run may end with a
  // client-side error while the retry-limit check is still expected to fail.
  test(
    'client retries auth infinitely without limit',
    runNegativeCase(noRetryLimitClient, 'auth/scope-retry-limit', {
      expectedFailureSlugs: ['scope-retry-limit'],
      allowClientError: true
    })
  );

  // A client without PKCE is expected to trip all four PKCE checks.
  test(
    'client does not use PKCE',
    runNegativeCase(noPkceClient, 'auth/metadata-default', {
      expectedFailureSlugs: [
        'pkce-code-challenge-sent',
        'pkce-s256-method-used',
        'pkce-code-verifier-sent',
        'pkce-verifier-matches-challenge'
      ]
    })
  );
});