test validateOIDCIssuerWellKnown

Kerry Archibald · Kerry Archibald · commit 2287e0cd7127 · 2023-05-31T17:34:19.000+12:00
diff --git a/spec/unit/oidc/validate.spec.ts b/spec/unit/oidc/validate.spec.ts
@@ -15,89 +15,165 @@ limitations under the License.
 */
 
 import { M_AUTHENTICATION } from "../../../src";
-import { OidcDiscoveryError, validateWellKnownAuthentication } from "../../../src/oidc/validate";
+import { logger } from "../../../src/logger";
+import {
+    OidcDiscoveryError,
+    validateOIDCIssuerWellKnown,
+    validateWellKnownAuthentication,
+} from "../../../src/oidc/validate";
 
-describe('validateWellKnownAuthentication()', () => {
+describe("validateWellKnownAuthentication()", () => {
     const baseWk = {
-        "m.homeserver" : {
-            base_url: "https://hs.org"
-        }
-    }
-    it('should throw not supported error when wellKnown has no m.authentication section', () => {
+        "m.homeserver": {
+            base_url: "https://hs.org",
+        },
+    };
+    it("should throw not supported error when wellKnown has no m.authentication section", () => {
         expect(() => validateWellKnownAuthentication(baseWk)).toThrow(OidcDiscoveryError.NotSupported);
     });
 
-    it('should throw misconfigured error when authentication issuer is not a string', () => {
+    it("should throw misconfigured error when authentication issuer is not a string", () => {
         const wk = {
             ...baseWk,
             [M_AUTHENTICATION.stable!]: {
-                issuer: { url: 'test.com' }
-            }
-        }
+                issuer: { url: "test.com" },
+            },
+        };
         expect(() => validateWellKnownAuthentication(wk)).toThrow(OidcDiscoveryError.Misconfigured);
     });
 
-    it('should throw misconfigured error when authentication account is not a string', () => {
+    it("should throw misconfigured error when authentication account is not a string", () => {
         const wk = {
             ...baseWk,
             [M_AUTHENTICATION.stable!]: {
                 issuer: "test.com",
-                account: { url: "test" }
-            }
-        }
+                account: { url: "test" },
+            },
+        };
         expect(() => validateWellKnownAuthentication(wk)).toThrow(OidcDiscoveryError.Misconfigured);
     });
 
-    it('should return valid config when wk uses stable m.authentication', () => {
+    it("should return valid config when wk uses stable m.authentication", () => {
         const wk = {
             ...baseWk,
             [M_AUTHENTICATION.stable!]: {
                 issuer: "test.com",
                 account: "account.com",
-            }
-        }
+            },
+        };
         expect(validateWellKnownAuthentication(wk)).toEqual({
             issuer: "test.com",
-            account: "account.com"
+            account: "account.com",
         });
     });
 
-    it('should return valid config when m.authentication account is falsy', () => {
+    it("should return valid config when m.authentication account is falsy", () => {
         const wk = {
             ...baseWk,
             [M_AUTHENTICATION.stable!]: {
                 issuer: "test.com",
-            }
-        }
+            },
+        };
         expect(validateWellKnownAuthentication(wk)).toEqual({
             issuer: "test.com",
         });
     });
 
-    it('should remove unexpected properties', () => {
+    it("should remove unexpected properties", () => {
         const wk = {
             ...baseWk,
             [M_AUTHENTICATION.stable!]: {
                 issuer: "test.com",
-                somethingElse: "test"
-            }
-        }
+                somethingElse: "test",
+            },
+        };
         expect(validateWellKnownAuthentication(wk)).toEqual({
             issuer: "test.com",
         });
     });
 
-    it('should return valid config when wk uses unstable prefix for m.authentication', () => {
+    it("should return valid config when wk uses unstable prefix for m.authentication", () => {
         const wk = {
             ...baseWk,
             [M_AUTHENTICATION.unstable!]: {
                 issuer: "test.com",
                 account: "account.com",
-            }
-        }
+            },
+        };
         expect(validateWellKnownAuthentication(wk)).toEqual({
             issuer: "test.com",
-            account: "account.com"
+            account: "account.com",
         });
     });
-});
+});
+
+describe("validateOIDCIssuerWellKnown", () => {
+    const validWk = {
+        authorization_endpoint: "https://test.org/authorize",
+        token_endpoint: "https://authorize.org/token",
+        registration_endpoint: "https://authorize.org/regsiter",
+        response_types_supported: ["code"],
+        grant_types_supported: ["authorization_code"],
+        code_challenge_methods_supported: ["S256"],
+    };
+    beforeEach(() => {
+        // stub to avoid console litter
+        jest.spyOn(logger, "error")
+            .mockClear()
+            .mockImplementation(() => {});
+    });
+
+    it("should throw OP support error when wellKnown is not an object", () => {
+        expect(() => {
+            validateOIDCIssuerWellKnown([]);
+        }).toThrow(OidcDiscoveryError.OpSupport);
+        expect(logger.error).toHaveBeenCalledWith("Issuer configuration not found or malformed");
+    });
+
+    it("should log all errors before throwing", () => {
+        expect(() => {
+            validateOIDCIssuerWellKnown({
+                ...validWk,
+                authorization_endpoint: undefined,
+                response_types_supported: [],
+            });
+        }).toThrow(OidcDiscoveryError.OpSupport);
+        expect(logger.error).toHaveBeenCalledWith("OIDC issuer configuration: authorization_endpoint is invalid");
+        expect(logger.error).toHaveBeenCalledWith(
+            "OIDC issuer configuration: response_types_supported is invalid. code is required.",
+        );
+    });
+
+    it("should return validated issuer config", () => {
+        expect(validateOIDCIssuerWellKnown(validWk)).toEqual({
+            authorizationEndpoint: validWk.authorization_endpoint,
+            tokenEndpoint: validWk.token_endpoint,
+            registrationEndpoint: validWk.registration_endpoint,
+        });
+    });
+
+    type TestCase = [string, any];
+    it.each<TestCase>([
+        ["authorization_endpoint", undefined],
+        ["authorization_endpoint", { not: "a string" }],
+        ["token_endpoint", undefined],
+        ["token_endpoint", { not: "a string" }],
+        ["registration_endpoint", undefined],
+        ["registration_endpoint", { not: "a string" }],
+        ["response_types_supported", undefined],
+        ["response_types_supported", "not an array"],
+        ["response_types_supported", ["doesnt include code"]],
+        ["grant_types_supported", undefined],
+        ["grant_types_supported", "not an array"],
+        ["grant_types_supported", ["doesnt include authorization_code"]],
+        ["code_challenge_methods_supported", undefined],
+        ["code_challenge_methods_supported", "not an array"],
+        ["code_challenge_methods_supported", ["doesnt include S256"]],
+    ])("should throw OP support error when %s is %s", (key, value) => {
+        const wk = {
+            ...validWk,
+            [key]: value,
+        };
+        expect(() => validateOIDCIssuerWellKnown(wk)).toThrow(OidcDiscoveryError.OpSupport);
+    });
+});
