lib/controller/localdb/login_oidc_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package localdb
   6
   7 import (
   8         "bytes"
   9         "context"
  10         "crypto/hmac"
  11         "crypto/sha256"
  12         "encoding/json"
  13         "fmt"
  14         "io"
  15         "net/http"
  16         "net/http/httptest"
  17         "net/url"
  18         "sort"
  19         "strings"
  20         "testing"
  21         "time"
  22
  23         "git.arvados.org/arvados.git/lib/config"
  24         "git.arvados.org/arvados.git/lib/controller/rpc"
  25         "git.arvados.org/arvados.git/sdk/go/arvados"
  26         "git.arvados.org/arvados.git/sdk/go/arvadostest"
  27         "git.arvados.org/arvados.git/sdk/go/auth"
  28         "git.arvados.org/arvados.git/sdk/go/ctxlog"
  29         "github.com/jmoiron/sqlx"
  30         check "gopkg.in/check.v1"
  31 )
  32
  33 // Gocheck boilerplate
  34 func Test(t *testing.T) {
  35         check.TestingT(t)
  36 }
  37
  38 var _ = check.Suite(&OIDCLoginSuite{})
  39
  40 type OIDCLoginSuite struct {
  41         cluster      *arvados.Cluster
  42         localdb      *Conn
  43         railsSpy     *arvadostest.Proxy
  44         fakeProvider *arvadostest.OIDCProvider
  45 }
  46
  47 func (s *OIDCLoginSuite) TearDownSuite(c *check.C) {
  48         // Undo any changes/additions to the user database so they
  49         // don't affect subsequent tests.
  50         arvadostest.ResetEnv()
  51         c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
  52 }
  53
  54 func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
  55         s.fakeProvider = arvadostest.NewOIDCProvider(c)
  56         s.fakeProvider.AuthEmail = "active-user@arvados.local"
  57         s.fakeProvider.AuthEmailVerified = true
  58         s.fakeProvider.AuthName = "Fake User Name"
  59         s.fakeProvider.ValidCode = fmt.Sprintf("abcdefgh-%d", time.Now().Unix())
  60         s.fakeProvider.PeopleAPIResponse = map[string]interface{}{}
  61
  62         cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
  63         c.Assert(err, check.IsNil)
  64         s.cluster, err = cfg.GetCluster("")
  65         c.Assert(err, check.IsNil)
  66         s.cluster.Login.Test.Enable = false
  67         s.cluster.Login.Google.Enable = true
  68         s.cluster.Login.Google.ClientID = "test%client$id"
  69         s.cluster.Login.Google.ClientSecret = "test#client/secret"
  70         s.cluster.Users.PreferDomainForUsername = "PreferDomainForUsername.example.com"
  71         s.fakeProvider.ValidClientID = "test%client$id"
  72         s.fakeProvider.ValidClientSecret = "test#client/secret"
  73
  74         s.localdb = NewConn(s.cluster)
  75         c.Assert(s.localdb.loginController, check.FitsTypeOf, (*oidcLoginController)(nil))
  76         s.localdb.loginController.(*oidcLoginController).Issuer = s.fakeProvider.Issuer.URL
  77         s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakeProvider.PeopleAPI.URL
  78
  79         s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
  80         *s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
  81 }
  82
  83 func (s *OIDCLoginSuite) TearDownTest(c *check.C) {
  84         s.railsSpy.Close()
  85 }
  86
  87 func (s *OIDCLoginSuite) TestGoogleLogout(c *check.C) {
  88         resp, err := s.localdb.Logout(context.Background(), arvados.LogoutOptions{ReturnTo: "https://foo.example.com/bar"})
  89         c.Check(err, check.IsNil)
  90         c.Check(resp.RedirectLocation, check.Equals, "https://foo.example.com/bar")
  91 }
  92
  93 func (s *OIDCLoginSuite) TestGoogleLogin_Start_Bogus(c *check.C) {
  94         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{})
  95         c.Check(err, check.IsNil)
  96         c.Check(resp.RedirectLocation, check.Equals, "")
  97         c.Check(resp.HTML.String(), check.Matches, `.*missing return_to parameter.*`)
  98 }
  99
 100 func (s *OIDCLoginSuite) TestGoogleLogin_Start(c *check.C) {
 101         for _, remote := range []string{"", "zzzzz"} {
 102                 resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{Remote: remote, ReturnTo: "https://app.example.com/foo?bar"})
 103                 c.Check(err, check.IsNil)
 104                 target, err := url.Parse(resp.RedirectLocation)
 105                 c.Check(err, check.IsNil)
 106                 issuerURL, _ := url.Parse(s.fakeProvider.Issuer.URL)
 107                 c.Check(target.Host, check.Equals, issuerURL.Host)
 108                 q := target.Query()
 109                 c.Check(q.Get("client_id"), check.Equals, "test%client$id")
 110                 state := s.localdb.loginController.(*oidcLoginController).parseOAuth2State(q.Get("state"))
 111                 c.Check(state.verify([]byte(s.cluster.SystemRootToken)), check.Equals, true)
 112                 c.Check(state.Time, check.Not(check.Equals), 0)
 113                 c.Check(state.Remote, check.Equals, remote)
 114                 c.Check(state.ReturnTo, check.Equals, "https://app.example.com/foo?bar")
 115         }
 116 }
 117
 118 func (s *OIDCLoginSuite) TestGoogleLogin_InvalidCode(c *check.C) {
 119         state := s.startLogin(c)
 120         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 121                 Code:  "first-try-a-bogus-code",
 122                 State: state,
 123         })
 124         c.Check(err, check.IsNil)
 125         c.Check(resp.RedirectLocation, check.Equals, "")
 126         c.Check(resp.HTML.String(), check.Matches, `(?ms).*error in OAuth2 exchange.*cannot fetch token.*`)
 127 }
 128
 129 func (s *OIDCLoginSuite) TestGoogleLogin_InvalidState(c *check.C) {
 130         s.startLogin(c)
 131         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 132                 Code:  s.fakeProvider.ValidCode,
 133                 State: "bogus-state",
 134         })
 135         c.Check(err, check.IsNil)
 136         c.Check(resp.RedirectLocation, check.Equals, "")
 137         c.Check(resp.HTML.String(), check.Matches, `(?ms).*invalid OAuth2 state.*`)
 138 }
 139
 140 func (s *OIDCLoginSuite) setupPeopleAPIError(c *check.C) {
 141         s.fakeProvider.PeopleAPI = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 142                 w.WriteHeader(http.StatusForbidden)
 143                 fmt.Fprintln(w, `Error 403: accessNotConfigured`)
 144         }))
 145         s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakeProvider.PeopleAPI.URL
 146 }
 147
 148 func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIDisabled(c *check.C) {
 149         s.localdb.loginController.(*oidcLoginController).UseGooglePeopleAPI = false
 150         s.fakeProvider.AuthEmail = "joe.smith@primary.example.com"
 151         s.setupPeopleAPIError(c)
 152         state := s.startLogin(c)
 153         _, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 154                 Code:  s.fakeProvider.ValidCode,
 155                 State: state,
 156         })
 157         c.Check(err, check.IsNil)
 158         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 159         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 160 }
 161
 162 func (s *OIDCLoginSuite) TestConfig(c *check.C) {
 163         s.cluster.Login.Google.Enable = false
 164         s.cluster.Login.OpenIDConnect.Enable = true
 165         s.cluster.Login.OpenIDConnect.Issuer = "https://accounts.example.com/"
 166         s.cluster.Login.OpenIDConnect.ClientID = "oidc-client-id"
 167         s.cluster.Login.OpenIDConnect.ClientSecret = "oidc-client-secret"
 168         s.cluster.Login.OpenIDConnect.AuthenticationRequestParameters = map[string]string{"testkey": "testvalue"}
 169         localdb := NewConn(s.cluster)
 170         ctrl := localdb.loginController.(*oidcLoginController)
 171         c.Check(ctrl.Issuer, check.Equals, "https://accounts.example.com/")
 172         c.Check(ctrl.ClientID, check.Equals, "oidc-client-id")
 173         c.Check(ctrl.ClientSecret, check.Equals, "oidc-client-secret")
 174         c.Check(ctrl.UseGooglePeopleAPI, check.Equals, false)
 175         c.Check(ctrl.AuthParams["testkey"], check.Equals, "testvalue")
 176
 177         for _, enableAltEmails := range []bool{false, true} {
 178                 s.cluster.Login.OpenIDConnect.Enable = false
 179                 s.cluster.Login.Google.Enable = true
 180                 s.cluster.Login.Google.ClientID = "google-client-id"
 181                 s.cluster.Login.Google.ClientSecret = "google-client-secret"
 182                 s.cluster.Login.Google.AlternateEmailAddresses = enableAltEmails
 183                 s.cluster.Login.Google.AuthenticationRequestParameters = map[string]string{"testkey": "testvalue"}
 184                 localdb = NewConn(s.cluster)
 185                 ctrl = localdb.loginController.(*oidcLoginController)
 186                 c.Check(ctrl.Issuer, check.Equals, "https://accounts.google.com")
 187                 c.Check(ctrl.ClientID, check.Equals, "google-client-id")
 188                 c.Check(ctrl.ClientSecret, check.Equals, "google-client-secret")
 189                 c.Check(ctrl.UseGooglePeopleAPI, check.Equals, enableAltEmails)
 190                 c.Check(ctrl.AuthParams["testkey"], check.Equals, "testvalue")
 191         }
 192 }
 193
 194 func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIError(c *check.C) {
 195         s.setupPeopleAPIError(c)
 196         state := s.startLogin(c)
 197         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 198                 Code:  s.fakeProvider.ValidCode,
 199                 State: state,
 200         })
 201         c.Check(err, check.IsNil)
 202         c.Check(resp.RedirectLocation, check.Equals, "")
 203 }
 204
 205 func (s *OIDCLoginSuite) TestOIDCAuthorizer(c *check.C) {
 206         s.cluster.Login.Google.Enable = false
 207         s.cluster.Login.OpenIDConnect.Enable = true
 208         json.Unmarshal([]byte(fmt.Sprintf("%q", s.fakeProvider.Issuer.URL)), &s.cluster.Login.OpenIDConnect.Issuer)
 209         s.cluster.Login.OpenIDConnect.ClientID = "oidc#client#id"
 210         s.cluster.Login.OpenIDConnect.ClientSecret = "oidc#client#secret"
 211         s.cluster.Login.OpenIDConnect.AcceptAccessToken = true
 212         s.cluster.Login.OpenIDConnect.AcceptAccessTokenScope = ""
 213         s.fakeProvider.ValidClientID = "oidc#client#id"
 214         s.fakeProvider.ValidClientSecret = "oidc#client#secret"
 215         db := arvadostest.DB(c, s.cluster)
 216
 217         tokenCacheTTL = time.Millisecond
 218         tokenCacheRaceWindow = time.Millisecond
 219         tokenCacheNegativeTTL = time.Millisecond
 220
 221         oidcAuthorizer := OIDCAccessTokenAuthorizer(s.cluster, func(context.Context) (*sqlx.DB, error) { return db, nil })
 222         accessToken := s.fakeProvider.ValidAccessToken()
 223
 224         mac := hmac.New(sha256.New, []byte(s.cluster.SystemRootToken))
 225         io.WriteString(mac, accessToken)
 226         apiToken := fmt.Sprintf("%x", mac.Sum(nil))
 227
 228         cleanup := func() {
 229                 _, err := db.Exec(`delete from api_client_authorizations where api_token=$1`, apiToken)
 230                 c.Check(err, check.IsNil)
 231         }
 232         cleanup()
 233         defer cleanup()
 234
 235         ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{accessToken}})
 236         var exp1 time.Time
 237         oidcAuthorizer.WrapCalls(func(ctx context.Context, opts interface{}) (interface{}, error) {
 238                 creds, ok := auth.FromContext(ctx)
 239                 c.Assert(ok, check.Equals, true)
 240                 c.Assert(creds.Tokens, check.HasLen, 1)
 241                 c.Check(creds.Tokens[0], check.Equals, accessToken)
 242
 243                 err := db.QueryRowContext(ctx, `select expires_at at time zone 'UTC' from api_client_authorizations where api_token=$1`, apiToken).Scan(&exp1)
 244                 c.Check(err, check.IsNil)
 245                 c.Check(exp1.Sub(time.Now()) > -time.Second, check.Equals, true)
 246                 c.Check(exp1.Sub(time.Now()) < time.Second, check.Equals, true)
 247                 return nil, nil
 248         })(ctx, nil)
 249
 250         // If the token is used again after the in-memory cache
 251         // expires, oidcAuthorizer must re-check the token and update
 252         // the expires_at value in the database.
 253         time.Sleep(3 * time.Millisecond)
 254         oidcAuthorizer.WrapCalls(func(ctx context.Context, opts interface{}) (interface{}, error) {
 255                 var exp time.Time
 256                 err := db.QueryRowContext(ctx, `select expires_at at time zone 'UTC' from api_client_authorizations where api_token=$1`, apiToken).Scan(&exp)
 257                 c.Check(err, check.IsNil)
 258                 c.Check(exp.Sub(exp1) > 0, check.Equals, true)
 259                 c.Check(exp.Sub(exp1) < time.Second, check.Equals, true)
 260                 return nil, nil
 261         })(ctx, nil)
 262
 263         s.fakeProvider.AccessTokenPayload = map[string]interface{}{"scope": "openid profile foobar"}
 264         accessToken = s.fakeProvider.ValidAccessToken()
 265         ctx = auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{accessToken}})
 266
 267         mac = hmac.New(sha256.New, []byte(s.cluster.SystemRootToken))
 268         io.WriteString(mac, accessToken)
 269         apiToken = fmt.Sprintf("%x", mac.Sum(nil))
 270
 271         for _, trial := range []struct {
 272                 configEnable bool
 273                 configScope  string
 274                 acceptable   bool
 275                 shouldRun    bool
 276         }{
 277                 {true, "foobar", true, true},
 278                 {true, "foo", false, false},
 279                 {true, "", true, true},
 280                 {false, "", false, true},
 281                 {false, "foobar", false, true},
 282         } {
 283                 c.Logf("trial = %+v", trial)
 284                 cleanup()
 285                 s.cluster.Login.OpenIDConnect.AcceptAccessToken = trial.configEnable
 286                 s.cluster.Login.OpenIDConnect.AcceptAccessTokenScope = trial.configScope
 287                 oidcAuthorizer = OIDCAccessTokenAuthorizer(s.cluster, func(context.Context) (*sqlx.DB, error) { return db, nil })
 288                 checked := false
 289                 oidcAuthorizer.WrapCalls(func(ctx context.Context, opts interface{}) (interface{}, error) {
 290                         var n int
 291                         err := db.QueryRowContext(ctx, `select count(*) from api_client_authorizations where api_token=$1`, apiToken).Scan(&n)
 292                         c.Check(err, check.IsNil)
 293                         if trial.acceptable {
 294                                 c.Check(n, check.Equals, 1)
 295                         } else {
 296                                 c.Check(n, check.Equals, 0)
 297                         }
 298                         checked = true
 299                         return nil, nil
 300                 })(ctx, nil)
 301                 c.Check(checked, check.Equals, trial.shouldRun)
 302         }
 303 }
 304
 305 func (s *OIDCLoginSuite) TestGenericOIDCLogin(c *check.C) {
 306         s.cluster.Login.Google.Enable = false
 307         s.cluster.Login.OpenIDConnect.Enable = true
 308         json.Unmarshal([]byte(fmt.Sprintf("%q", s.fakeProvider.Issuer.URL)), &s.cluster.Login.OpenIDConnect.Issuer)
 309         s.cluster.Login.OpenIDConnect.ClientID = "oidc#client#id"
 310         s.cluster.Login.OpenIDConnect.ClientSecret = "oidc#client#secret"
 311         s.cluster.Login.OpenIDConnect.AuthenticationRequestParameters = map[string]string{"testkey": "testvalue"}
 312         s.fakeProvider.ValidClientID = "oidc#client#id"
 313         s.fakeProvider.ValidClientSecret = "oidc#client#secret"
 314         for _, trial := range []struct {
 315                 expectEmail string // "" if failure expected
 316                 setup       func()
 317         }{
 318                 {
 319                         expectEmail: "user@oidc.example.com",
 320                         setup: func() {
 321                                 c.Log("=== succeed because email_verified is false but not required")
 322                                 s.fakeProvider.AuthEmail = "user@oidc.example.com"
 323                                 s.fakeProvider.AuthEmailVerified = false
 324                                 s.cluster.Login.OpenIDConnect.EmailClaim = "email"
 325                                 s.cluster.Login.OpenIDConnect.EmailVerifiedClaim = ""
 326                                 s.cluster.Login.OpenIDConnect.UsernameClaim = ""
 327                         },
 328                 },
 329                 {
 330                         expectEmail: "",
 331                         setup: func() {
 332                                 c.Log("=== fail because email_verified is false and required")
 333                                 s.fakeProvider.AuthEmail = "user@oidc.example.com"
 334                                 s.fakeProvider.AuthEmailVerified = false
 335                                 s.cluster.Login.OpenIDConnect.EmailClaim = "email"
 336                                 s.cluster.Login.OpenIDConnect.EmailVerifiedClaim = "email_verified"
 337                                 s.cluster.Login.OpenIDConnect.UsernameClaim = ""
 338                         },
 339                 },
 340                 {
 341                         expectEmail: "user@oidc.example.com",
 342                         setup: func() {
 343                                 c.Log("=== succeed because email_verified is false but config uses custom 'verified' claim")
 344                                 s.fakeProvider.AuthEmail = "user@oidc.example.com"
 345                                 s.fakeProvider.AuthEmailVerified = false
 346                                 s.cluster.Login.OpenIDConnect.EmailClaim = "email"
 347                                 s.cluster.Login.OpenIDConnect.EmailVerifiedClaim = "alt_verified"
 348                                 s.cluster.Login.OpenIDConnect.UsernameClaim = ""
 349                         },
 350                 },
 351                 {
 352                         expectEmail: "alt_email@example.com",
 353                         setup: func() {
 354                                 c.Log("=== succeed with custom 'email' and 'email_verified' claims")
 355                                 s.fakeProvider.AuthEmail = "bad@wrong.example.com"
 356                                 s.fakeProvider.AuthEmailVerified = false
 357                                 s.cluster.Login.OpenIDConnect.EmailClaim = "alt_email"
 358                                 s.cluster.Login.OpenIDConnect.EmailVerifiedClaim = "alt_verified"
 359                                 s.cluster.Login.OpenIDConnect.UsernameClaim = "alt_username"
 360                         },
 361                 },
 362         } {
 363                 trial.setup()
 364                 if s.railsSpy != nil {
 365                         s.railsSpy.Close()
 366                 }
 367                 s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
 368                 s.localdb = NewConn(s.cluster)
 369                 *s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
 370
 371                 state := s.startLogin(c, func(form url.Values) {
 372                         c.Check(form.Get("testkey"), check.Equals, "testvalue")
 373                 })
 374                 resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 375                         Code:  s.fakeProvider.ValidCode,
 376                         State: state,
 377                 })
 378                 c.Assert(err, check.IsNil)
 379                 if trial.expectEmail == "" {
 380                         c.Check(resp.HTML.String(), check.Matches, `(?ms).*Login error.*`)
 381                         c.Check(resp.RedirectLocation, check.Equals, "")
 382                         continue
 383                 }
 384                 c.Check(resp.HTML.String(), check.Equals, "")
 385                 target, err := url.Parse(resp.RedirectLocation)
 386                 c.Assert(err, check.IsNil)
 387                 token := target.Query().Get("api_token")
 388                 c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
 389                 authinfo := getCallbackAuthInfo(c, s.railsSpy)
 390                 c.Check(authinfo.Email, check.Equals, trial.expectEmail)
 391
 392                 switch s.cluster.Login.OpenIDConnect.UsernameClaim {
 393                 case "alt_username":
 394                         c.Check(authinfo.Username, check.Equals, "desired-username")
 395                 case "":
 396                         c.Check(authinfo.Username, check.Equals, "")
 397                 default:
 398                         c.Fail() // bad test case
 399                 }
 400         }
 401 }
 402
 403 func (s *OIDCLoginSuite) TestGoogleLogin_Success(c *check.C) {
 404         s.cluster.Login.Google.AuthenticationRequestParameters["prompt"] = "consent"
 405         s.cluster.Login.Google.AuthenticationRequestParameters["foo"] = "bar"
 406         state := s.startLogin(c, func(form url.Values) {
 407                 c.Check(form.Get("foo"), check.Equals, "bar")
 408                 c.Check(form.Get("prompt"), check.Equals, "consent")
 409         })
 410         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 411                 Code:  s.fakeProvider.ValidCode,
 412                 State: state,
 413         })
 414         c.Check(err, check.IsNil)
 415         c.Check(resp.HTML.String(), check.Equals, "")
 416         target, err := url.Parse(resp.RedirectLocation)
 417         c.Check(err, check.IsNil)
 418         c.Check(target.Host, check.Equals, "app.example.com")
 419         c.Check(target.Path, check.Equals, "/foo")
 420         token := target.Query().Get("api_token")
 421         c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
 422
 423         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 424         c.Check(authinfo.FirstName, check.Equals, "Fake User")
 425         c.Check(authinfo.LastName, check.Equals, "Name")
 426         c.Check(authinfo.Email, check.Equals, "active-user@arvados.local")
 427         c.Check(authinfo.AlternateEmails, check.HasLen, 0)
 428
 429         // Try using the returned Arvados token.
 430         c.Logf("trying an API call with new token %q", token)
 431         ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{token}})
 432         cl, err := s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
 433         c.Check(cl.ItemsAvailable, check.Not(check.Equals), 0)
 434         c.Check(cl.Items, check.Not(check.HasLen), 0)
 435         c.Check(err, check.IsNil)
 436
 437         // Might as well check that bogus tokens aren't accepted.
 438         badtoken := token + "plussomeboguschars"
 439         c.Logf("trying an API call with mangled token %q", badtoken)
 440         ctx = auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{badtoken}})
 441         cl, err = s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
 442         c.Check(cl.Items, check.HasLen, 0)
 443         c.Check(err, check.NotNil)
 444         c.Check(err, check.ErrorMatches, `.*401 Unauthorized: Not logged in.*`)
 445 }
 446
 447 func (s *OIDCLoginSuite) TestGoogleLogin_RealName(c *check.C) {
 448         s.fakeProvider.AuthEmail = "joe.smith@primary.example.com"
 449         s.fakeProvider.PeopleAPIResponse = map[string]interface{}{
 450                 "names": []map[string]interface{}{
 451                         {
 452                                 "metadata":   map[string]interface{}{"primary": false},
 453                                 "givenName":  "Joe",
 454                                 "familyName": "Smith",
 455                         },
 456                         {
 457                                 "metadata":   map[string]interface{}{"primary": true},
 458                                 "givenName":  "Joseph",
 459                                 "familyName": "Psmith",
 460                         },
 461                 },
 462         }
 463         state := s.startLogin(c)
 464         s.localdb.Login(context.Background(), arvados.LoginOptions{
 465                 Code:  s.fakeProvider.ValidCode,
 466                 State: state,
 467         })
 468
 469         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 470         c.Check(authinfo.FirstName, check.Equals, "Joseph")
 471         c.Check(authinfo.LastName, check.Equals, "Psmith")
 472 }
 473
 474 func (s *OIDCLoginSuite) TestGoogleLogin_OIDCRealName(c *check.C) {
 475         s.fakeProvider.AuthName = "Joe P. Smith"
 476         s.fakeProvider.AuthEmail = "joe.smith@primary.example.com"
 477         state := s.startLogin(c)
 478         s.localdb.Login(context.Background(), arvados.LoginOptions{
 479                 Code:  s.fakeProvider.ValidCode,
 480                 State: state,
 481         })
 482
 483         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 484         c.Check(authinfo.FirstName, check.Equals, "Joe P.")
 485         c.Check(authinfo.LastName, check.Equals, "Smith")
 486 }
 487
 488 // People API returns some additional email addresses.
 489 func (s *OIDCLoginSuite) TestGoogleLogin_AlternateEmailAddresses(c *check.C) {
 490         s.fakeProvider.AuthEmail = "joe.smith@primary.example.com"
 491         s.fakeProvider.PeopleAPIResponse = map[string]interface{}{
 492                 "emailAddresses": []map[string]interface{}{
 493                         {
 494                                 "metadata": map[string]interface{}{"verified": true},
 495                                 "value":    "joe.smith@work.example.com",
 496                         },
 497                         {
 498                                 "value": "joe.smith@unverified.example.com", // unverified, so this one will be ignored
 499                         },
 500                         {
 501                                 "metadata": map[string]interface{}{"verified": true},
 502                                 "value":    "joe.smith@home.example.com",
 503                         },
 504                 },
 505         }
 506         state := s.startLogin(c)
 507         s.localdb.Login(context.Background(), arvados.LoginOptions{
 508                 Code:  s.fakeProvider.ValidCode,
 509                 State: state,
 510         })
 511
 512         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 513         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 514         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com", "joe.smith@work.example.com"})
 515 }
 516
 517 // Primary address is not the one initially returned by oidc.
 518 func (s *OIDCLoginSuite) TestGoogleLogin_AlternateEmailAddresses_Primary(c *check.C) {
 519         s.fakeProvider.AuthEmail = "joe.smith@alternate.example.com"
 520         s.fakeProvider.PeopleAPIResponse = map[string]interface{}{
 521                 "emailAddresses": []map[string]interface{}{
 522                         {
 523                                 "metadata": map[string]interface{}{"verified": true, "primary": true},
 524                                 "value":    "joe.smith@primary.example.com",
 525                         },
 526                         {
 527                                 "metadata": map[string]interface{}{"verified": true},
 528                                 "value":    "joe.smith@alternate.example.com",
 529                         },
 530                         {
 531                                 "metadata": map[string]interface{}{"verified": true},
 532                                 "value":    "jsmith+123@preferdomainforusername.example.com",
 533                         },
 534                 },
 535         }
 536         state := s.startLogin(c)
 537         s.localdb.Login(context.Background(), arvados.LoginOptions{
 538                 Code:  s.fakeProvider.ValidCode,
 539                 State: state,
 540         })
 541         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 542         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 543         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@alternate.example.com", "jsmith+123@preferdomainforusername.example.com"})
 544         c.Check(authinfo.Username, check.Equals, "jsmith")
 545 }
 546
 547 func (s *OIDCLoginSuite) TestGoogleLogin_NoPrimaryEmailAddress(c *check.C) {
 548         s.fakeProvider.AuthEmail = "joe.smith@unverified.example.com"
 549         s.fakeProvider.AuthEmailVerified = false
 550         s.fakeProvider.PeopleAPIResponse = map[string]interface{}{
 551                 "emailAddresses": []map[string]interface{}{
 552                         {
 553                                 "metadata": map[string]interface{}{"verified": true},
 554                                 "value":    "joe.smith@work.example.com",
 555                         },
 556                         {
 557                                 "metadata": map[string]interface{}{"verified": true},
 558                                 "value":    "joe.smith@home.example.com",
 559                         },
 560                 },
 561         }
 562         state := s.startLogin(c)
 563         s.localdb.Login(context.Background(), arvados.LoginOptions{
 564                 Code:  s.fakeProvider.ValidCode,
 565                 State: state,
 566         })
 567
 568         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 569         c.Check(authinfo.Email, check.Equals, "joe.smith@work.example.com") // first verified email in People response
 570         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com"})
 571         c.Check(authinfo.Username, check.Equals, "")
 572 }
 573
 574 func (s *OIDCLoginSuite) startLogin(c *check.C, checks ...func(url.Values)) (state string) {
 575         // Initiate login, but instead of following the redirect to
 576         // the provider, just grab state from the redirect URL.
 577         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{ReturnTo: "https://app.example.com/foo?bar"})
 578         c.Check(err, check.IsNil)
 579         target, err := url.Parse(resp.RedirectLocation)
 580         c.Check(err, check.IsNil)
 581         state = target.Query().Get("state")
 582         c.Check(state, check.Not(check.Equals), "")
 583         for _, fn := range checks {
 584                 fn(target.Query())
 585         }
 586         s.cluster.Login.OpenIDConnect.AuthenticationRequestParameters = map[string]string{"testkey": "testvalue"}
 587         return
 588 }
 589
 590 func getCallbackAuthInfo(c *check.C, railsSpy *arvadostest.Proxy) (authinfo rpc.UserSessionAuthInfo) {
 591         for _, dump := range railsSpy.RequestDumps {
 592                 c.Logf("spied request: %q", dump)
 593                 split := bytes.Split(dump, []byte("\r\n\r\n"))
 594                 c.Assert(split, check.HasLen, 2)
 595                 hdr, body := string(split[0]), string(split[1])
 596                 if strings.Contains(hdr, "POST /auth/controller/callback") {
 597                         vs, err := url.ParseQuery(body)
 598                         c.Check(json.Unmarshal([]byte(vs.Get("auth_info")), &authinfo), check.IsNil)
 599                         c.Check(err, check.IsNil)
 600                         sort.Strings(authinfo.AlternateEmails)
 601                         return
 602                 }
 603         }
 604         c.Error("callback not found")
 605         return
 606 }