X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/4312333bb8bd27e0b910b430edee91329124b02a..ed4d8462e763eb1d8c8f1548912495563cd9288f:/sdk/go/arvadostest/oidc_provider.go

diff --git a/sdk/go/arvadostest/oidc_provider.go b/sdk/go/arvadostest/oidc_provider.go
index 0632010ba4..de21302e5a 100644
--- a/sdk/go/arvadostest/oidc_provider.go
+++ b/sdk/go/arvadostest/oidc_provider.go
@@ -17,6 +17,7 @@ import (
 
 	"gopkg.in/check.v1"
 	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 type OIDCProvider struct {
@@ -25,9 +26,10 @@ type OIDCProvider struct {
 	ValidClientID     string
 	ValidClientSecret string
 	// desired response from token endpoint
-	AuthEmail         string
-	AuthEmailVerified bool
-	AuthName          string
+	AuthEmail          string
+	AuthEmailVerified  bool
+	AuthName           string
+	AccessTokenPayload map[string]interface{}
 
 	PeopleAPIResponse map[string]interface{}
 
@@ -44,9 +46,15 @@ func NewOIDCProvider(c *check.C) *OIDCProvider {
 	c.Assert(err, check.IsNil)
 	p.Issuer = httptest.NewServer(http.HandlerFunc(p.serveOIDC))
 	p.PeopleAPI = httptest.NewServer(http.HandlerFunc(p.servePeopleAPI))
+	p.AccessTokenPayload = map[string]interface{}{"sub": "example"}
 	return p
 }
 
+func (p *OIDCProvider) ValidAccessToken() string {
+	buf, _ := json.Marshal(p.AccessTokenPayload)
+	return p.fakeToken(buf)
+}
+
 func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
 	req.ParseForm()
 	p.c.Logf("serveOIDC: got req: %s %s %s", req.Method, req.URL, req.Form)
@@ -99,7 +107,7 @@ func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
 			ExpiresIn    int32  `json:"expires_in"`
 			IDToken      string `json:"id_token"`
 		}{
-			AccessToken:  p.fakeToken([]byte("fake access token")),
+			AccessToken:  p.ValidAccessToken(),
 			TokenType:    "Bearer",
 			RefreshToken: "test-refresh-token",
 			ExpiresIn:    30,
@@ -114,7 +122,21 @@ func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
 	case "/auth":
 		w.WriteHeader(http.StatusInternalServerError)
 	case "/userinfo":
-		w.WriteHeader(http.StatusInternalServerError)
+		authhdr := req.Header.Get("Authorization")
+		if _, err := jwt.ParseSigned(strings.TrimPrefix(authhdr, "Bearer ")); err != nil {
+			p.c.Logf("OIDCProvider: bad auth %q", authhdr)
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"sub":            "fake-user-id",
+			"name":           p.AuthName,
+			"given_name":     p.AuthName,
+			"family_name":    "",
+			"alt_username":   "desired-username",
+			"email":          p.AuthEmail,
+			"email_verified": p.AuthEmailVerified,
+		})
 	default:
 		w.WriteHeader(http.StatusNotFound)
 	}