506 lines
19 KiB
Ruby
506 lines
19 KiB
Ruby
require "test_helper"
|
|
|
|
class OidcJwtServiceTest < ActiveSupport::TestCase
|
|
def setup
|
|
@user = users(:alice)
|
|
@application = applications(:kavita_app)
|
|
@service = OidcJwtService
|
|
end
|
|
|
|
test "should generate id token with required claims" do
|
|
token = @service.generate_id_token(@user, @application)
|
|
|
|
assert_not_nil token, "Should generate token"
|
|
assert token.length > 100, "Token should be substantial"
|
|
assert token.include?('.')
|
|
|
|
# Decode without verification for testing the payload
|
|
decoded = JWT.decode(token, nil, false).first
|
|
assert_equal @application.client_id, decoded['aud'], "Should have correct audience"
|
|
assert_equal @user.id.to_s, decoded['sub'], "Should have correct subject"
|
|
assert_equal @user.email_address, decoded['email'], "Should have correct email"
|
|
assert_equal true, decoded['email_verified'], "Should have email verified"
|
|
assert_equal @user.email_address, decoded['preferred_username'], "Should have preferred username"
|
|
assert_equal @user.email_address, decoded['name'], "Should have name"
|
|
assert_equal "https://localhost:3000", decoded['iss'], "Should have correct issuer"
|
|
assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration"
|
|
end
|
|
|
|
test "should handle nonce in id token" do
|
|
nonce = "test-nonce-12345"
|
|
token = @service.generate_id_token(@user, @application, nonce: nonce)
|
|
|
|
decoded = JWT.decode(token, nil, false).first
|
|
assert_equal nonce, decoded['nonce'], "Should preserve nonce in token"
|
|
assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration with nonce"
|
|
end
|
|
|
|
test "should include groups in token when user has groups" do
|
|
@user.groups << groups(:admin_group)
|
|
|
|
token = @service.generate_id_token(@user, @application)
|
|
|
|
decoded = JWT.decode(token, nil, false).first
|
|
assert_includes decoded['groups'], "admin", "Should include user's groups"
|
|
end
|
|
|
|
test "admin claim should not be included in token" do
|
|
@user.update!(admin: true)
|
|
|
|
token = @service.generate_id_token(@user, @application)
|
|
|
|
decoded = JWT.decode(token, nil, false).first
|
|
refute decoded.key?('admin'), "Admin claim should not be included in ID tokens (use groups instead)"
|
|
end
|
|
|
|
test "should handle role-based claims when enabled" do
|
|
@application.update!(
|
|
role_mapping_enabled: true,
|
|
role_mapping_mode: "oidc_managed",
|
|
role_claim_name: "roles"
|
|
)
|
|
|
|
@application.assign_role_to_user!(@user, "editor", source: 'oidc', metadata: { synced_at: Time.current })
|
|
|
|
token = @service.generate_id_token(@user, @application)
|
|
|
|
decoded = JWT.decode(token, nil, false).first
|
|
assert_includes decoded['roles'], "editor", "Should include user's role"
|
|
end
|
|
|
|
test "should include role metadata when configured" do
|
|
@application.update!(
|
|
role_mapping_enabled: true,
|
|
role_mapping_mode: "oidc_managed",
|
|
parsed_managed_permissions: {
|
|
"include_permissions" => true,
|
|
"include_metadata" => true
|
|
}
|
|
)
|
|
|
|
role = @application.application_roles.create!(
|
|
name: "editor",
|
|
display_name: "Content Editor",
|
|
permissions: ["read", "write"]
|
|
)
|
|
|
|
@application.assign_role_to_user!(
|
|
@user,
|
|
"editor",
|
|
source: 'oidc',
|
|
metadata: {
|
|
synced_at: Time.current,
|
|
department: "Content Team",
|
|
level: "2"
|
|
}
|
|
)
|
|
|
|
token = @service.generate_id_token(@user, @application)
|
|
|
|
decoded = JWT.decode(token, nil, false).first
|
|
assert_equal "Content Editor", decoded['role_display_name'], "Should include role display name"
|
|
assert_includes decoded['role_permissions'], "read", "Should include read permission"
|
|
assert_includes decoded['role_permissions'], "write", "Should include write permission"
|
|
assert_equal "Content Team", decoded['role_department'], "Should include department"
|
|
assert_equal "2", decoded['role_level'], "Should include level"
|
|
end
|
|
|
|
test "should handle missing roles gracefully" do
|
|
token = @service.generate_id_token(@user, @application)
|
|
|
|
decoded = JWT.decode(token, nil, false).first
|
|
refute_includes decoded, 'roles', "Should not have roles when not configured"
|
|
end
|
|
|
|
test "should load RSA private key from environment with escaped newlines" do
|
|
# Simulate how direnv exports multi-line strings with \n escape sequences
|
|
key_with_escaped_newlines = "-----BEGIN PRIVATE KEY-----\\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDg3SfOR4UW6wV2\\nyKnE/pN5/tvUC7Fpol5/NjJQHm24F8+r6iipdLWJrJ3T2oEzaKw/RTGYPBQvjj6c\\nz3+tc7QkJLOESJCA0WqgawE1WdKSx5ug3sP0Y7woTPipt+afGaV58YvV/sqFD1ft\\nU+2w8olBHqWphUCd/LakfvqHbwrmF58IASk4IbGceqQ7f98d/8C8TrR6k3SKQAto\\n0OWo+xuyJg0RoSS8S220/qyIukXxtHS89NQj3dgJI06fGCSATCu8uVdsKwBDNw3F\\nBSQEX3xhk8E/JXXZfwRFR1K3zUIVQu8haQ3YA52b0jkzE2xI6TaHVbuGdifmGAmX\\nb5jsJ/eNAgMBAAECggEAAWJb3PwlOUANWTe630Pp1OegV5M1Tn2vi+oQPosPl1iX\\nFlbymrj80EfaRPWo84oKnq0t1/RnogrbDa3txgdpSVCsEWk9N2SyoJXy8+MZu6Er\\nQHka8qfBVfe4PbHyRj3FSeQKvZOEvvOgNJkYpIFeb5zkHa1ISyloEWvAxr0njJbQ\\n0F2jML4sUeduYulCWI9dSJdB+yp8BsmOPu8VzUFthW/GPPuw4a4ngzoGtPV6f/kp\\ncjPa2YT8L8z6zXE0IiDU8bc5abC++QBNLJrMy55tM+zfgGyShandITbcpuWptIqT\\n2yhMulifOMw0hdV0cYRqetkWkevz07nrwnh/1FGjYQKBgQD9C/Ls720tULS7SIdh\\nuDWnrtMG4sidSbxWJTOqPUNZ9a0vaHnx/FwlmvURyCojn5leLByY8ZNN08DxKBVq\\nwH6ZJe7KGOik5wMtFV1zrhyHNpa/H/RrLaYAZqCVlGYyOVqNa7mA7oOIeqtbv9x+\\nOaEz3BnoXHOJOwM10h20Nos6bQKBgQDjfQCSQXcrkV8hKf+F65N7Kcf7JMlZQAA3\\n9dvJxxek683bhYTLZhubY/tegfhxlZGkgP3eHKI1XyUYBCNBnztn3t1zD0ovcqRX\\no21m5TaJ0fGW4X3iyi1IWioMBPXffR8tXk5+LnWVZ26RgmaBG1rgOJEQ5bHYMtHj\\n+jo9JLV9oQKBgQDt1nNHm2qEcxzMAsmsYVWc+8bA7BsfKxTn6yN6WQaa4T0cGBi2\\nBzoc5l59jiN9RB8E0nU2k6ieN+9bOw+WPMNA8tRUA8F2bOMhVrl1ZyrNM9PQZBp5\\nOniSW+OHc+nyPtILpjq/Im9isdmp7NUzlrsbYT7AlVTKoTrNNWZR4gpOqQKBgQC3\\nIWwSUS00H4TrV7nh/zDsl0fr/0Mv2/vRENTsbJ+2HjXMIII0k3Bp+WTkQdDU70kd\\nmtHDul1CheOAn+QZ8auLBLhU5dwcsjdmbaOmj6MF88J+aexDY+psMlli76NXVIyC\\no0ahAZmaunciIE2QZYsUsbTmW2J93vtkgY3cpu6LwQKBgDigl7dCQl38Vt7FhxjJ\\naC6wmmM8YX6y5f5t3caVVBizVhx8xOXQla96zB0nW6ibTpaIKCSdORxMGAoajTZ9\\n8Ww2gOfZpZeojU2YHTV/KFd7wHGYE8QaBKqP6DuibLnP5farjuwPeGvbjZW6e9cy\\nntHkSPI0VmhqsUQEMgPnYuCg\\n-----END PRIVATE KEY-----"
|
|
|
|
# Clear any cached keys
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
|
|
# Stub ENV to return the test key
|
|
original_value = ENV["OIDC_PRIVATE_KEY"]
|
|
ENV["OIDC_PRIVATE_KEY"] = key_with_escaped_newlines
|
|
|
|
# The service should convert \n to actual newlines and load successfully
|
|
private_key = OidcJwtService.send(:private_key)
|
|
|
|
assert_not_nil private_key
|
|
assert_kind_of OpenSSL::PKey::RSA, private_key
|
|
assert_equal 2048, private_key.n.num_bits
|
|
ensure
|
|
# Restore original value and clear cached key
|
|
ENV["OIDC_PRIVATE_KEY"] = original_value
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
end
|
|
|
|
test "should handle key with actual newlines" do
|
|
# Generate a real test key
|
|
test_key = OpenSSL::PKey::RSA.new(2048)
|
|
key_pem = test_key.to_pem
|
|
|
|
# Clear any cached keys
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
|
|
# Stub ENV to return the test key
|
|
original_value = ENV["OIDC_PRIVATE_KEY"]
|
|
ENV["OIDC_PRIVATE_KEY"] = key_pem
|
|
|
|
private_key = OidcJwtService.send(:private_key)
|
|
|
|
assert_not_nil private_key
|
|
assert_kind_of OpenSSL::PKey::RSA, private_key
|
|
assert_equal 2048, private_key.n.num_bits
|
|
ensure
|
|
# Restore original value and clear cached key
|
|
ENV["OIDC_PRIVATE_KEY"] = original_value
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
end
|
|
|
|
test "should raise error for invalid key format" do
|
|
# Clear any cached keys
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
|
|
# Stub ENV to return invalid key
|
|
original_value = ENV["OIDC_PRIVATE_KEY"]
|
|
ENV["OIDC_PRIVATE_KEY"] = "invalid-key-data"
|
|
|
|
error = assert_raises RuntimeError do
|
|
OidcJwtService.send(:private_key)
|
|
end
|
|
|
|
assert_match /Invalid OIDC private key format/, error.message
|
|
ensure
|
|
# Restore original value and clear cached key
|
|
ENV["OIDC_PRIVATE_KEY"] = original_value
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
end
|
|
|
|
test "should raise error in production when no key configured" do
|
|
# Skip this test if we can't properly stub Rails.env
|
|
skip "Skipping production env test" unless Rails.env.development? || Rails.env.test?
|
|
|
|
# Clear any cached keys
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
|
|
# Temporarily remove the key
|
|
original_value = ENV["OIDC_PRIVATE_KEY"]
|
|
ENV.delete("OIDC_PRIVATE_KEY")
|
|
|
|
# Stub Rails.env to be production
|
|
Rails.env = ActiveSupport::StringInquirer.new("production")
|
|
|
|
error = assert_raises RuntimeError do
|
|
OidcJwtService.send(:private_key)
|
|
end
|
|
|
|
assert_match /OIDC private key not configured/, error.message
|
|
ensure
|
|
# Restore original environment and clear cached key
|
|
ENV["OIDC_PRIVATE_KEY"] = original_value if original_value
|
|
Rails.env = ActiveSupport::StringInquirer.new(ENV.fetch("RAILS_ENV", "test"))
|
|
OidcJwtService.instance_variable_set(:@private_key, nil)
|
|
end
|
|
|
|
test "should generate RSA private key when missing" do
|
|
ENV.stub(:fetch, nil) { nil }
|
|
ENV.stub(:fetch, "OIDC_PRIVATE_KEY", nil) { nil }
|
|
Rails.application.credentials.stub(:oidc_private_key, nil) { nil }
|
|
|
|
private_key = @service.private_key
|
|
assert_not_nil private_key, "Should generate private key when missing"
|
|
assert private_key.is_a?(OpenSSL::PKey::RSA), "Should generate RSA private key"
|
|
assert_equal 2048, private_key.num_bits, "Should generate 2048-bit key"
|
|
end
|
|
|
|
test "should get corresponding public key" do
|
|
public_key = @service.public_key
|
|
assert_not_nil public_key, "Should have public key"
|
|
assert_equal "RSA", public_key.kty, "Should be RSA key"
|
|
assert_equal 256, public_key.n, "Should be 256-bit key"
|
|
end
|
|
|
|
test "should decode and verify id token" do
|
|
token = @service.generate_id_token(@user, @application)
|
|
decoded = @service.decode_id_token(token)
|
|
|
|
assert_not_nil decoded, "Should decode valid token"
|
|
assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
|
|
assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
|
|
assert decoded['exp'] > Time.current.to_i, "Token should not be expired"
|
|
end
|
|
|
|
test "should reject invalid id tokens" do
|
|
invalid_tokens = [
|
|
"invalid.token",
|
|
"header.payload.signature",
|
|
"eyJ0",
|
|
nil,
|
|
"Bearer"
|
|
]
|
|
|
|
invalid_tokens.each do |invalid_token|
|
|
assert_raises(JWT::DecodeError) do
|
|
@service.decode_id_token(invalid_token)
|
|
end
|
|
end
|
|
end
|
|
|
|
test "should handle expired tokens" do
|
|
travel_to 2.hours.from_now do
|
|
token = @service.generate_id_token(@user, @application, exp: 1.hour.from_now)
|
|
travel_back
|
|
|
|
assert_raises(JWT::ExpiredSignature) do
|
|
@service.decode_id_token(token)
|
|
end
|
|
end
|
|
end
|
|
|
|
test "should handle access token generation" do
|
|
token = @service.generate_id_token(@user, @application)
|
|
|
|
decoded = JWT.decode(token, nil, false).first
|
|
refute_includes decoded.keys, 'email_verified'
|
|
assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
|
|
assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
|
|
end
|
|
|
|
test "should handle JWT errors gracefully" do
|
|
original_algorithm = OpenSSL::PKey::RSA::DEFAULT_PRIVATE_KEY
|
|
|
|
OpenSSL::PKey::RSA.stub(:new, -> { raise "Key generation failed" }) do
|
|
OpenSSL::PKey::RSA.new(2048)
|
|
end
|
|
|
|
assert_raises(RuntimeError, message: /Key generation failed/) do
|
|
@service.private_key
|
|
end
|
|
|
|
OpenSSL::PKey::RSA.stub(:new, original_algorithm) do
|
|
restored_key = @service.private_key
|
|
assert_not_equal original_algorithm, restored_key, "Should restore after error"
|
|
end
|
|
end
|
|
|
|
test "should validate JWT configuration" do
|
|
@application.update!(client_id: "test-client")
|
|
|
|
error = assert_raises(StandardError, message: /no key found/) do
|
|
@service.generate_id_token(@user, @application)
|
|
end
|
|
assert_match /no key found/, error.message, "Should warn about missing private key"
|
|
end
|
|
|
|
test "should include app-specific custom claims in token" do
|
|
# Use bob and another_app to avoid fixture conflicts
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# Create app-specific claim
|
|
ApplicationUserClaim.create!(
|
|
user: user,
|
|
application: app,
|
|
custom_claims: { "app_groups": ["admin"], "library_access": "all" }
|
|
)
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
assert_equal ["admin"], decoded["app_groups"]
|
|
assert_equal "all", decoded["library_access"]
|
|
end
|
|
|
|
test "app-specific claims should override user and group claims" do
|
|
# Use bob and another_app to avoid fixture conflicts
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# Add user to group with claims
|
|
group = groups(:admin_group)
|
|
group.update!(custom_claims: { "role": "viewer", "max_items": 10 })
|
|
user.groups << group
|
|
|
|
# Add user custom claims
|
|
user.update!(custom_claims: { "role": "editor", "theme": "dark" })
|
|
|
|
# Add app-specific claims (should override both)
|
|
ApplicationUserClaim.create!(
|
|
user: user,
|
|
application: app,
|
|
custom_claims: { "role": "admin", "app_specific": true }
|
|
)
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
# App-specific claim should win
|
|
assert_equal "admin", decoded["role"]
|
|
# App-specific claim should be present
|
|
assert_equal true, decoded["app_specific"]
|
|
# User claim not overridden should still be present
|
|
assert_equal "dark", decoded["theme"]
|
|
# Group claim not overridden should still be present
|
|
assert_equal 10, decoded["max_items"]
|
|
end
|
|
|
|
test "should deep merge array claims from group and user" do
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# Group has roles: ["user"]
|
|
group = groups(:admin_group)
|
|
group.update!(custom_claims: { "roles" => ["user"], "permissions" => ["read"] })
|
|
user.groups << group
|
|
|
|
# User adds roles: ["admin"]
|
|
user.update!(custom_claims: { "roles" => ["admin"], "permissions" => ["write"] })
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
# Roles should be combined (not overwritten)
|
|
assert_equal 2, decoded["roles"].length
|
|
assert_includes decoded["roles"], "user"
|
|
assert_includes decoded["roles"], "admin"
|
|
# Permissions should also be combined
|
|
assert_equal 2, decoded["permissions"].length
|
|
assert_includes decoded["permissions"], "read"
|
|
assert_includes decoded["permissions"], "write"
|
|
end
|
|
|
|
test "should deep merge array claims from multiple groups" do
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# First group has roles: ["user"]
|
|
group1 = groups(:admin_group)
|
|
group1.update!(custom_claims: { "roles" => ["user"] })
|
|
user.groups << group1
|
|
|
|
# Second group has roles: ["moderator"]
|
|
group2 = Group.create!(name: "moderators", description: "Moderators group")
|
|
group2.update!(custom_claims: { "roles" => ["moderator"] })
|
|
user.groups << group2
|
|
|
|
# User adds roles: ["admin"]
|
|
user.update!(custom_claims: { "roles" => ["admin"] })
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
# All roles should be combined
|
|
assert_equal 3, decoded["roles"].length
|
|
assert_includes decoded["roles"], "user"
|
|
assert_includes decoded["roles"], "moderator"
|
|
assert_includes decoded["roles"], "admin"
|
|
end
|
|
|
|
test "should remove duplicate values when merging arrays" do
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# Group has roles: ["user", "reader"]
|
|
group = groups(:admin_group)
|
|
group.update!(custom_claims: { "roles" => ["user", "reader"] })
|
|
user.groups << group
|
|
|
|
# User also has "user" role (duplicate)
|
|
user.update!(custom_claims: { "roles" => ["user", "admin"] })
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
# "user" should only appear once
|
|
assert_equal 3, decoded["roles"].length
|
|
assert_includes decoded["roles"], "user"
|
|
assert_includes decoded["roles"], "reader"
|
|
assert_includes decoded["roles"], "admin"
|
|
end
|
|
|
|
test "should override non-array values while merging arrays" do
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# Group has roles array and max_items scalar
|
|
group = groups(:admin_group)
|
|
group.update!(custom_claims: { "roles" => ["user"], "max_items" => 10, "theme" => "light" })
|
|
user.groups << group
|
|
|
|
# User overrides max_items and theme, adds to roles
|
|
user.update!(custom_claims: { "roles" => ["admin"], "max_items" => 100, "theme" => "dark" })
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
# Arrays should be combined
|
|
assert_equal 2, decoded["roles"].length
|
|
assert_includes decoded["roles"], "user"
|
|
assert_includes decoded["roles"], "admin"
|
|
# Scalar values should be overridden (user wins)
|
|
assert_equal 100, decoded["max_items"]
|
|
assert_equal "dark", decoded["theme"]
|
|
end
|
|
|
|
test "should deep merge nested hashes in claims" do
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# Group has nested config
|
|
group = groups(:admin_group)
|
|
group.update!(custom_claims: {
|
|
"config" => {
|
|
"theme" => "light",
|
|
"notifications" => { "email" => true }
|
|
}
|
|
})
|
|
user.groups << group
|
|
|
|
# User adds to nested config
|
|
user.update!(custom_claims: {
|
|
"config" => {
|
|
"language" => "en",
|
|
"notifications" => { "sms" => true }
|
|
}
|
|
})
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
# Nested hashes should be deep merged
|
|
assert_equal "light", decoded["config"]["theme"]
|
|
assert_equal "en", decoded["config"]["language"]
|
|
assert_equal true, decoded["config"]["notifications"]["email"]
|
|
assert_equal true, decoded["config"]["notifications"]["sms"]
|
|
end
|
|
|
|
test "app-specific claims should combine arrays with group and user claims" do
|
|
user = users(:bob)
|
|
app = applications(:another_app)
|
|
|
|
# Group has roles: ["user"]
|
|
group = groups(:admin_group)
|
|
group.update!(custom_claims: { "roles" => ["user"] })
|
|
user.groups << group
|
|
|
|
# User has roles: ["moderator"]
|
|
user.update!(custom_claims: { "roles" => ["moderator"] })
|
|
|
|
# App-specific has roles: ["app_admin"]
|
|
ApplicationUserClaim.create!(
|
|
user: user,
|
|
application: app,
|
|
custom_claims: { "roles" => ["app_admin"] }
|
|
)
|
|
|
|
token = @service.generate_id_token(user, app)
|
|
decoded = JWT.decode(token, nil, false).first
|
|
|
|
# All three sources should be combined
|
|
assert_equal 3, decoded["roles"].length
|
|
assert_includes decoded["roles"], "user"
|
|
assert_includes decoded["roles"], "moderator"
|
|
assert_includes decoded["roles"], "app_admin"
|
|
end
|
|
end |