82 lines
2.3 KiB
Go
82 lines
2.3 KiB
Go
package config
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestLoadOIDCJITProvisioningDefaultsToDisabled(t *testing.T) {
|
|
t.Setenv("OIDC_JIT_PROVISIONING_ENABLED", "")
|
|
t.Setenv("OIDC_GATEWAY_TENANT_KEY", "")
|
|
|
|
cfg := Load()
|
|
if cfg.OIDCJITProvisioningEnabled {
|
|
t.Fatal("OIDC JIT provisioning must be disabled by default")
|
|
}
|
|
if cfg.OIDCGatewayTenantKey != "" {
|
|
t.Fatalf("unexpected gateway tenant key: %q", cfg.OIDCGatewayTenantKey)
|
|
}
|
|
}
|
|
|
|
func TestValidateRequiresGatewayTenantKeyWhenOIDCJITIsEnabled(t *testing.T) {
|
|
cfg := Config{
|
|
OIDCEnabled: true,
|
|
OIDCJITProvisioningEnabled: true,
|
|
}
|
|
|
|
err := cfg.Validate()
|
|
if err == nil || !strings.Contains(err.Error(), "OIDC_GATEWAY_TENANT_KEY") {
|
|
t.Fatalf("Validate() error = %v, want missing OIDC_GATEWAY_TENANT_KEY", err)
|
|
}
|
|
|
|
cfg.OIDCGatewayTenantKey = "default"
|
|
if err := cfg.Validate(); err != nil {
|
|
t.Fatalf("Validate() with tenant key: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestLoadOIDCBrowserSessionUsesSafeEnvironmentDefaults(t *testing.T) {
|
|
t.Setenv("APP_ENV", "development")
|
|
t.Setenv("OIDC_BROWSER_SESSION_ENABLED", "")
|
|
t.Setenv("OIDC_SESSION_COOKIE_SECURE", "")
|
|
|
|
cfg := Load()
|
|
if !cfg.OIDCBrowserSessionEnabled {
|
|
t.Fatal("OIDC browser session should be enabled by default")
|
|
}
|
|
if cfg.OIDCSessionCookieSecure {
|
|
t.Fatal("development cookie should allow localhost HTTP by default")
|
|
}
|
|
|
|
t.Setenv("APP_ENV", "production")
|
|
cfg = Load()
|
|
if !cfg.OIDCSessionCookieSecure {
|
|
t.Fatal("production OIDC session cookie must default to Secure")
|
|
}
|
|
|
|
t.Setenv("APP_ENV", "staging")
|
|
cfg = Load()
|
|
if !cfg.OIDCSessionCookieSecure {
|
|
t.Fatal("staging OIDC session cookie must default to Secure")
|
|
}
|
|
}
|
|
|
|
func TestValidateRejectsInsecureNonLocalOIDCBrowserSession(t *testing.T) {
|
|
cfg := Config{
|
|
AppEnv: "staging",
|
|
OIDCEnabled: true,
|
|
OIDCBrowserSessionEnabled: true,
|
|
OIDCSessionCookieSecure: false,
|
|
CORSAllowedOrigin: "https://gateway.example.com",
|
|
}
|
|
if err := cfg.Validate(); err == nil || !strings.Contains(err.Error(), "OIDC_SESSION_COOKIE_SECURE") {
|
|
t.Fatalf("Validate() error = %v, want insecure non-local cookie rejection", err)
|
|
}
|
|
|
|
cfg.OIDCSessionCookieSecure = true
|
|
cfg.CORSAllowedOrigin = "*"
|
|
if err := cfg.Validate(); err == nil || !strings.Contains(err.Error(), "CORS_ALLOWED_ORIGIN") {
|
|
t.Fatalf("Validate() error = %v, want wildcard credentialed CORS rejection", err)
|
|
}
|
|
}
|