Add tests for Wire `OIDC` and `DPoP` token persistence

5 months ago · 7d5a79190d
parent 768a08965d
commit 7d5a79190d
2 changed files with 400 additions and 8 deletions
--- a/acme/db/nosql/wire.go
+++ b/acme/db/nosql/wire.go
@ -21,14 +21,14 @@ type dbDpopToken struct {
 func (db *DB) getDBDpopToken(_ context.Context, orderID string) (*dbDpopToken, error) {
 	b, err := db.db.Get(wireDpopTokenTable, []byte(orderID))
 	if nosql.IsErrNotFound(err) {
-		return nil, acme.NewError(acme.ErrorMalformedType, "dpop %s not found", orderID)
+		return nil, acme.NewError(acme.ErrorMalformedType, "dpop token %q not found", orderID)
 	} else if err != nil {
-		return nil, errors.Wrapf(err, "error loading dpop %s", orderID)
+		return nil, errors.Wrapf(err, "error loading dpop %q", orderID)
 	}

 	d := new(dbDpopToken)
 	if err := json.Unmarshal(b, d); err != nil {
-		return nil, errors.Wrapf(err, "error unmarshaling dpop %s into dbDpopToken", orderID)
+		return nil, errors.Wrapf(err, "error unmarshaling dpop %q into dbDpopToken", orderID)
 	}
 	return d, nil
 }
@ -50,7 +50,7 @@ func (db *DB) GetDpopToken(ctx context.Context, orderID string) (map[string]any,
 func (db *DB) CreateDpopToken(ctx context.Context, orderID string, dpop map[string]any) error {
 	content, err := json.Marshal(dpop)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed marshaling dpop token: %w", err)
 	}

 	now := clock.Now()
@ -75,13 +75,13 @@ type dbOidcToken struct {
 func (db *DB) getDBOidcToken(_ context.Context, orderID string) (*dbOidcToken, error) {
 	b, err := db.db.Get(wireOidcTokenTable, []byte(orderID))
 	if nosql.IsErrNotFound(err) {
-		return nil, acme.NewError(acme.ErrorMalformedType, "oidc token %s not found", orderID)
+		return nil, acme.NewError(acme.ErrorMalformedType, "oidc token %q not found", orderID)
 	} else if err != nil {
-		return nil, errors.Wrapf(err, "error loading oidc token %s", orderID)
+		return nil, errors.Wrapf(err, "error loading oidc token %q", orderID)
 	}
 	o := new(dbOidcToken)
 	if err := json.Unmarshal(b, o); err != nil {
-		return nil, errors.Wrapf(err, "error unmarshaling oidc token %s into dbOidcToken", orderID)
+		return nil, errors.Wrapf(err, "error unmarshaling oidc token %q into dbOidcToken", orderID)
 	}
 	return o, nil
 }
@ -103,7 +103,7 @@ func (db *DB) GetOidcToken(ctx context.Context, orderID string) (map[string]any,
 func (db *DB) CreateOidcToken(ctx context.Context, orderID string, idToken map[string]any) error {
 	content, err := json.Marshal(idToken)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed marshaling oidc token: %w", err)
 	}

 	now := clock.Now()
--- a/acme/db/nosql/wire_test.go
+++ b/acme/db/nosql/wire_test.go
@ -0,0 +1,392 @@
+package nosql
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/smallstep/certificates/acme"
+	certificatesdb "github.com/smallstep/certificates/db"
+	"github.com/smallstep/nosql"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDB_GetDpopToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		expected    map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/acme-not-found": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expectedErr: &acme.Error{
+					Type:   "urn:ietf:params:acme:error:malformed",
+					Status: 400,
+					Detail: "The request message was malformed",
+					Err:    errors.New(`dpop token "orderID" not found`),
+				},
+			}
+		},
+		"fail/unmarshal-error": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbDpopToken{
+				ID:        "orderID",
+				Content:   []byte("{}"),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireDpopTokenTable, []byte("orderID"), b[1:]) // start at index 1; corrupt JSON data
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`error unmarshaling dpop "orderID" into dbDpopToken: invalid character ':' after top-level value`),
+			}
+		},
+		"fail/db.Get": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MGet: func(bucket, key []byte) ([]byte, error) {
+					assert.Equal(t, wireDpopTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`error loading dpop "orderID": fail`),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbDpopToken{
+				ID:        "orderID",
+				Content:   []byte(`{"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com"}`),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireDpopTokenTable, []byte("orderID"), b)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expected: map[string]any{
+					"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com",
+				},
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			got, err := tc.db.GetDpopToken(context.Background(), tc.orderID)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				ae := &acme.Error{}
+				if errors.As(err, &ae) {
+					ee, _ := tc.expectedErr.(*acme.Error)
+					assert.Equal(t, ee.Detail, ae.Detail)
+					assert.Equal(t, ee.Type, ae.Type)
+					assert.Equal(t, ee.Status, ae.Status)
+				}
+				assert.Nil(t, got)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expected, got)
+		})
+	}
+}
+
+func TestDB_CreateDpopToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		dpop        map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/db.Save": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+					assert.Equal(t, wireDpopTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, false, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				dpop: map[string]any{
+					"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com",
+				},
+				expectedErr: errors.New("failed saving dpop token: error saving acme dpop: fail"),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				dpop: map[string]any{
+					"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com",
+				},
+			}
+		},
+		"ok/nil": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				dpop:    nil,
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			err := tc.db.CreateDpopToken(context.Background(), tc.orderID, tc.dpop)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+
+			dpop, err := tc.db.getDBDpopToken(context.Background(), tc.orderID)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.orderID, dpop.ID)
+			var m map[string]any
+			err = json.Unmarshal(dpop.Content, &m)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.dpop, m)
+		})
+	}
+}
+
+func TestDB_GetOidcToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		expected    map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/acme-not-found": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expectedErr: &acme.Error{
+					Type:   "urn:ietf:params:acme:error:malformed",
+					Status: 400,
+					Detail: "The request message was malformed",
+					Err:    errors.New(`oidc token "orderID" not found`),
+				},
+			}
+		},
+		"fail/unmarshal-error": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbOidcToken{
+				ID:        "orderID",
+				Content:   []byte("{}"),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireOidcTokenTable, []byte("orderID"), b[1:]) // start at index 1; corrupt JSON data
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`error unmarshaling oidc token "orderID" into dbOidcToken: invalid character ':' after top-level value`),
+			}
+		},
+		"fail/db.Get": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MGet: func(bucket, key []byte) ([]byte, error) {
+					assert.Equal(t, wireOidcTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`error loading oidc token "orderID": fail`),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbOidcToken{
+				ID:        "orderID",
+				Content:   []byte(`{"name": "Alice Smith", "handle": "@alice.smith"}`),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireOidcTokenTable, []byte("orderID"), b)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expected: map[string]any{
+					"name":   "Alice Smith",
+					"handle": "@alice.smith",
+				},
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			got, err := tc.db.GetOidcToken(context.Background(), tc.orderID)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				ae := &acme.Error{}
+				if errors.As(err, &ae) {
+					ee, _ := tc.expectedErr.(*acme.Error)
+					assert.Equal(t, ee.Detail, ae.Detail)
+					assert.Equal(t, ee.Type, ae.Type)
+					assert.Equal(t, ee.Status, ae.Status)
+				}
+				assert.Nil(t, got)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expected, got)
+		})
+	}
+}
+
+func TestDB_CreateOidcToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		oidc        map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/db.Save": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+					assert.Equal(t, wireOidcTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, false, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				oidc: map[string]any{
+					"name":   "Alice Smith",
+					"handle": "@alice.smith",
+				},
+				expectedErr: errors.New("failed saving oidc token: error saving acme oidc: fail"),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				oidc: map[string]any{
+					"name":   "Alice Smith",
+					"handle": "@alice.smith",
+				},
+			}
+		},
+		"ok/nil": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				oidc:    nil,
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			err := tc.db.CreateOidcToken(context.Background(), tc.orderID, tc.oidc)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+
+			oidc, err := tc.db.getDBOidcToken(context.Background(), tc.orderID)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.orderID, oidc.ID)
+			var m map[string]any
+			err = json.Unmarshal(oidc.Content, &m)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.oidc, m)
+		})
+	}
+}