Add realistic OIDC payload to Wire integration test

2026-01-27 10:18:34 +00:00 · 2024-01-16 16:32:35 +01:00
parent 99934ec9a3
commit 7680da7c57
1 changed files with 43 additions and 2 deletions
--- a/acme/api/wire_integration_test.go
+++ b/acme/api/wire_integration_test.go
@@ -70,6 +70,14 @@ func TestWireIntegration(t *testing.T) {
 	}, new(jose.SignerOptions))
 	require.NoError(t, err)

+	oidcTokenSignerJWK, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+	require.NoError(t, err)
+	oidcTokenSigner, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(oidcTokenSignerJWK.Algorithm),
+		Key:       oidcTokenSignerJWK,
+	}, new(jose.SignerOptions))
+	require.NoError(t, err)
+
 	prov := newWireProvisionerWithOptions(t, &provisioner.Options{
 		X509: &provisioner.X509Options{
 			Template: `{
@@ -98,7 +106,7 @@ func TestWireIntegration(t *testing.T) {
 					SkipClientIDCheck:          true,
 					SkipExpiryCheck:            true,
 					SkipIssuerCheck:            true,
-					InsecureSkipSignatureCheck: true,
+					InsecureSkipSignatureCheck: true, // NOTE: this skips actual token verification
 					Now:                        time.Now,
 				},
 				TransformTemplate: "",
@@ -292,7 +300,8 @@ func TestWireIntegration(t *testing.T) {
 			ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtx)

 			var payload []byte
-			if challenge.Type == acme.WIREDPOP01 { // TODO(hs): OIDC payload
+			switch challenge.Type {
+			case acme.WIREDPOP01:
 				dpopBytes, err := json.Marshal(struct {
 					jose.Claims
 					Challenge string `json:"chal,omitempty"`
@@ -350,6 +359,38 @@ func TestWireIntegration(t *testing.T) {
 				})
 				require.NoError(t, err)
 				payload = p
+			case acme.WIREOIDC01:
+				keyAuth, err := acme.KeyAuthorization("token", jwk)
+				require.NoError(t, err)
+				tokenBytes, err := json.Marshal(struct {
+					jose.Claims
+					Name              string `json:"name,omitempty"`
+					PreferredUsername string `json:"preferred_username,omitempty"`
+				}{
+					Claims: jose.Claims{
+						Issuer:   "https://issuer.example.com",
+						Audience: []string{"test"},
+						Expiry:   jose.NewNumericDate(time.Now().Add(1 * time.Minute)),
+					},
+					Name:              "Alice Smith",
+					PreferredUsername: "wireapp://%40alice_wire@wire.com",
+				})
+				require.NoError(t, err)
+				signed, err := oidcTokenSigner.Sign(tokenBytes)
+				require.NoError(t, err)
+				idToken, err := signed.CompactSerialize()
+				require.NoError(t, err)
+				p, err := json.Marshal(struct {
+					IDToken string `json:"id_token"`
+					KeyAuth string `json:"keyauth"`
+				}{
+					IDToken: idToken,
+					KeyAuth: keyAuth,
+				})
+				require.NoError(t, err)
+				payload = p
+			default:
+				require.Fail(t, "unexpected challenge payload type")
 			}

 			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: payload})