Unit test for OIDC hooks (#2359)

lemonldap-ng-portal/t/32-OIDC-Hooks.t

+use lib 'inc';
+use Test::More;
+use strict;
+use IO::String;
+use LWP::UserAgent;
+use LWP::Protocol::PSGI;
+use MIME::Base64;
+use JSON;
+
+BEGIN {
+    require 't/test-lib.pm';
+    require 't/oidc-lib.pm';
+}
+
+my $debug = 'error';
+
+# Initialization
+my $op = LLNG::Manager::Test->new( {
+        ini => {
+            logLevel                        => $debug,
+            domain                          => 'idp.com',
+            portal                          => 'http://auth.op.com',
+            authentication                  => 'Demo',
+            userDB                          => 'Same',
+            issuerDBOpenIDConnectActivation => 1,
+            issuerDBOpenIDConnectRule       => '$uid eq "french"',
+            oidcRPMetaDataExportedVars      => {
+                rp => {
+                    email       => "mail",
+                    family_name => "cn",
+                    name        => "cn"
+                },
+                rp2 => {
+                    email       => "mail",
+                    family_name => "cn",
+                    name        => "cn"
+                }
+            },
+            oidcServiceMetaDataAuthorizeURI       => "authorize",
+            oidcServiceMetaDataCheckSessionURI    => "checksession.html",
+            oidcServiceMetaDataJWKSURI            => "jwks",
+            oidcServiceMetaDataEndSessionURI      => "logout",
+            oidcServiceMetaDataRegistrationURI    => "register",
+            oidcServiceMetaDataTokenURI           => "token",
+            oidcServiceMetaDataUserInfoURI        => "userinfo",
+            oidcServiceAllowHybridFlow            => 1,
+            oidcServiceAllowImplicitFlow          => 1,
+            oidcServiceAllowDynamicRegistration   => 1,
+            oidcServiceAllowAuthorizationCodeFlow => 1,
+            oidcRPMetaDataOptions                 => {
+                rp => {
+                    oidcRPMetaDataOptionsDisplayName           => "RP",
+                    oidcRPMetaDataOptionsIDTokenExpiration     => 3600,
+                    oidcRPMetaDataOptionsClientID              => "rpid",
+                    oidcRPMetaDataOptionsIDTokenSignAlg        => "HS512",
+                    oidcRPMetaDataOptionsClientSecret          => "rpsecret",
+                    oidcRPMetaDataOptionsUserIDAttr            => "",
+                    oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+                    oidcRPMetaDataOptionsBypassConsent         => 1,
+                },
+                oauth => {
+                    oidcRPMetaDataOptionsDisplayName  => "oauth",
+                    oidcRPMetaDataOptionsClientID     => "oauth",
+                    oidcRPMetaDataOptionsClientSecret => "service",
+                    oidcRPMetaDataOptionsUserIDAttr   => "",
+                }
+            },
+            oidcOPMetaDataOptions           => {},
+            oidcOPMetaDataJSON              => {},
+            oidcOPMetaDataJWKS              => {},
+            oidcServiceMetaDataAuthnContext => {
+                'loa-4' => 4,
+                'loa-1' => 1,
+                'loa-5' => 5,
+                'loa-2' => 2,
+                'loa-3' => 3
+            },
+            oidcServicePrivateKeySig => oidc_key_op_private_sig,
+            oidcServicePublicKeySig  => oidc_key_op_public_sig,
+            customPlugins => 't::OidcHookPlugin',
+        }
+    }
+);
+my $res;
+
+# Authenticate to LLNG
+my $url   = "/";
+my $query = "user=french&password=french";
+ok(
+    $res = $op->_post(
+        "/",
+        IO::String->new($query),
+        accept => 'text/html',
+        length => length($query),
+    ),
+    "Post authentication"
+);
+my $idpId = expectCookie($res);
+
+# Get code for RP1
+$query =
+"response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp2.com%2F";
+ok(
+    $res = $op->_get(
+        "/oauth2/authorize",
+        query  => "$query",
+        accept => 'text/html',
+        cookie => "lemonldap=$idpId",
+    ),
+    "Get authorization code"
+);
+
+my ($code) = expectRedirection( $res, qr#http://rp2\.com/.*code=([^\&]*)# );
+
+# Exchange code for AT
+$query =
+"grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Frp2.com%2F";
+
+ok(
+    $res = $op->_post(
+        "/oauth2/token",
+        IO::String->new($query),
+        accept => 'text/html',
+        length => length($query),
+        custom => {
+            HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
+        },
+    ),
+    "Post token"
+);
+my $json  = from_json( $res->[2]->[0] );
+my $token = $json->{access_token};
+ok( $token, 'Access token present' );
+my $id_token = $json->{id_token};
+ok( $id_token, 'ID token present' );
+my $id_token_payload = id_token_payload($id_token);
+is ($id_token_payload->{id_token_hook}, 1, "Found hooked claim in ID token");
+
+# Get userinfo
+$res = $op->_post(
+    "/oauth2/userinfo",
+    IO::String->new(''),
+    accept => 'application/json',
+    length => 0,
+    custom => {
+        HTTP_AUTHORIZATION => "Bearer " . $token,
+    },
+);
+
+$json = expectJSON($res);
+is ($json->{userinfo_hook}, 1, "Found hooked claim in Userinfo token");
+
+
+# Introspect to find scopes
+$query = "token=$token";
+ok(
+    $res = $op->_post(
+        "/oauth2/introspect",
+        IO::String->new($query),
+        accept => 'text/html',
+        length => length $query,
+        custom => {
+            HTTP_AUTHORIZATION => "Basic " . encode_base64("oauth:service"),
+        },
+    ),
+    "Post introspection"
+);
+
+expectOK($res);
+$json = from_json( $res->[2]->[0] );
+like($json->{scope}, qr/\bmy_hooked_scope\b/, "Found hook defined scope");
+
+clean_sessions();
+done_testing();
+

lemonldap-ng-portal/t/OidcHookPlugin.pm

+package t::OidcHookPlugin;
+
+use Mouse;
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
+use Data::Dumper;
+use Test::More;
+
+use constant hook => {
+    oidcGenerateIDToken          => 'addClaimToIDToken',
+    oidcGenerateUserInfoResponse => 'addClaimToUserInfo',
+    oidcGotRequest               => 'addScopeToRequest',
+};
+
+sub init {
+    my ($self) = @_;
+    return 1;
+}
+
+sub addClaimToIDToken {
+    my ( $self, $req, $payload, $rp ) = @_;
+    $payload->{"id_token_hook"} = 1;
+    return PE_OK;
+}
+
+sub addClaimToUserInfo {
+    my ( $self, $req, $userinfo ) = @_;
+    $userinfo->{"userinfo_hook"} = 1;
+    return PE_OK;
+}
+
+sub addScopeToRequest {
+    my ( $self, $req, $oidc_request ) = @_;
+    $oidc_request->{scope} = $oidc_request->{scope} . " my_hooked_scope";
+
+    return PE_OK;
+}
+
+1;
+