test-cmd/e2e/integration: add scopes to oauth access tokens/clients

Author: stlaz

test/integration/etcd_storage_path_test.go

@@ -112,27 +112,27 @@ var openshiftEtcdStorageData = map[schema.GroupVersionResource]etcddata.StorageD
 		},
 	},
 	gvr("oauth.openshift.io", "v1", "oauthaccesstokens"): {
-		Stub:             `{"clientName": "client1g", "metadata": {"name": "tokenneedstobelongenoughelseitwontworkg"}, "userName": "user", "userUID": "cannot be empty"}`,
+		Stub:             `{"clientName": "client1g", "metadata": {"name": "tokenneedstobelongenoughelseitwontworkg"}, "userName": "user", "scopes": ["user:info"], "redirectURI": "https://something.com/", "userUID": "cannot be empty"}`,
 		ExpectedEtcdPath: "openshift.io/oauth/accesstokens/tokenneedstobelongenoughelseitwontworkg",
 		Prerequisites: []etcddata.Prerequisite{
 			{
 				GvrData: gvr("oauth.openshift.io", "v1", "oauthclients"),
-				Stub:    `{"metadata": {"name": "client1g"}}`,
+				Stub:    `{"metadata": {"name": "client1g"}, "grantMethod": "prompt"}`,
 			},
 		},
 	},
 	gvr("oauth.openshift.io", "v1", "oauthauthorizetokens"): {
-		Stub:             `{"clientName": "client0g", "metadata": {"name": "tokenneedstobelongenoughelseitwontworkg"}, "userName": "user", "userUID": "cannot be empty", "expiresIn": 86400}`,
+		Stub:             `{"clientName": "client0g", "metadata": {"name": "tokenneedstobelongenoughelseitwontworkg"}, "userName": "user", "scopes": ["user:info"], "redirectURI": "https://something.com/", "userUID": "cannot be empty", "expiresIn": 86400}`,
 		ExpectedEtcdPath: "openshift.io/oauth/authorizetokens/tokenneedstobelongenoughelseitwontworkg",
 		Prerequisites: []etcddata.Prerequisite{
 			{
 				GvrData: gvr("oauth.openshift.io", "v1", "oauthclients"),
-				Stub:    `{"metadata": {"name": "client0g"}}`,
+				Stub:    `{"metadata": {"name": "client0g"}, "grantMethod": "auto"}`,
 			},
 		},
 	},
 	gvr("oauth.openshift.io", "v1", "oauthclients"): {
-		Stub:             `{"metadata": {"name": "clientg"}}`,
+		Stub:             `{"metadata": {"name": "clientg"}, "grantMethod": "prompt"}`,
 		ExpectedEtcdPath: "openshift.io/oauth/clients/clientg",
 	},
 	// --

test/integration/oauth_serviceaccount_client_test.go

@@ -160,26 +160,8 @@ func TestOAuthServiceAccountClient(t *testing.T) {
 			t.Fatalf("Unexpected error: %v", err)
 		} else if !reflect.DeepEqual(clientAuth.Scopes, []string{"user:full"}) {
 			t.Fatalf("Unexpected scopes: %v", clientAuth.Scopes)
-		} else {
-			// update the authorization to not contain any approved scopes
-			clientAuth.Scopes = nil
-			if _, err := clusterAdminOAuthClient.OAuthClientAuthorizations().Update(clientAuth); err != nil {
-				t.Fatalf("Unexpected error: %v", err)
-			}
 		}
-		// approval steps are needed again for unscoped access
-		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
-			"GET /oauth/authorize",
-			"received challenge",
-			"GET /oauth/authorize",
-			"redirect to /oauth/authorize/approve",
-			"form",
-			"POST /oauth/authorize/approve",
-			"redirect to /oauth/authorize",
-			"redirect to /oauthcallback",
-			"code",
-			"scope:user:full",
-		})
+
 		// with the authorization stored, approval steps are skipped
 		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
 			"GET /oauth/authorize",

test/integration/oauthstorage_test.go

@@ -94,6 +94,7 @@ func TestOAuthStorage(t *testing.T) {
 	oaclientConfig := &osincli.ClientConfig{
 		ClientId:     testClient,
 		ClientSecret: testClientSecret0,
+		Scope:        "user:full",
 		RedirectUrl:  assertServer.URL + testClientRedirect,
 		AuthorizeUrl: server.URL + authorizePath,
 		TokenUrl:     server.URL + tokenPath,
@@ -112,6 +113,7 @@ func TestOAuthStorage(t *testing.T) {
 			ObjectMeta:        metav1.ObjectMeta{Name: testClient},
 			Secret:            testClientSecret0,
 			AdditionalSecrets: []string{testClientSecret1},
+			GrantMethod:       oauthapi.GrantHandlerAuto,
 			RedirectURIs:      []string{assertServer.URL + testClientRedirect},
 		}); err != nil {
 			t.Fatal(err)

test/integration/scopes_test.go

@@ -66,12 +66,13 @@ func TestScopedTokens(t *testing.T) {
 	}
 
 	whoamiOnlyToken := &oauthapi.OAuthAccessToken{
-		ObjectMeta: metav1.ObjectMeta{Name: "whoami-token-plus-some-padding-here-to-make-the-limit"},
-		ClientName: "openshift-challenging-client",
-		ExpiresIn:  200,
-		Scopes:     []string{scope.UserInfo},
-		UserName:   userName,
-		UserUID:    string(haroldUser.UID),
+		ObjectMeta:  metav1.ObjectMeta{Name: "whoami-token-plus-some-padding-here-to-make-the-limit"},
+		ClientName:  "openshift-challenging-client",
+		ExpiresIn:   200,
+		Scopes:      []string{scope.UserInfo},
+		UserName:    userName,
+		UserUID:     string(haroldUser.UID),
+		RedirectURI: "https://localhost:8443/oauth/token/implicit",
 	}
 	if _, err := oauthclient.NewForConfigOrDie(clusterAdminClientConfig).OAuthAccessTokens().Create(whoamiOnlyToken); err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -170,12 +171,13 @@ func TestScopeEscalations(t *testing.T) {
 	}
 
 	nonEscalatingEditToken := &oauthapi.OAuthAccessToken{
-		ObjectMeta: metav1.ObjectMeta{Name: "non-escalating-edit-plus-some-padding-here-to-make-the-limit"},
-		ClientName: "openshift-challenging-client",
-		ExpiresIn:  200,
-		Scopes:     []string{scope.ClusterRoleIndicator + "edit:*"},
-		UserName:   userName,
-		UserUID:    string(haroldUser.UID),
+		ObjectMeta:  metav1.ObjectMeta{Name: "non-escalating-edit-plus-some-padding-here-to-make-the-limit"},
+		ClientName:  "openshift-challenging-client",
+		ExpiresIn:   200,
+		Scopes:      []string{scope.ClusterRoleIndicator + "edit:*"},
+		UserName:    userName,
+		UserUID:     string(haroldUser.UID),
+		RedirectURI: "https://localhost:8443/oauth/token/implicit",
 	}
 	if _, err := clusterAdminOAuthClient.OAuthAccessTokens().Create(nonEscalatingEditToken); err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -193,12 +195,13 @@ func TestScopeEscalations(t *testing.T) {
 	}
 
 	escalatingEditToken := &oauthapi.OAuthAccessToken{
-		ObjectMeta: metav1.ObjectMeta{Name: "escalating-edit-plus-some-padding-here-to-make-the-limit"},
-		ClientName: "openshift-challenging-client",
-		ExpiresIn:  200,
-		Scopes:     []string{scope.ClusterRoleIndicator + "edit:*:!"},
-		UserName:   userName,
-		UserUID:    string(haroldUser.UID),
+		ObjectMeta:  metav1.ObjectMeta{Name: "escalating-edit-plus-some-padding-here-to-make-the-limit"},
+		ClientName:  "openshift-challenging-client",
+		ExpiresIn:   200,
+		Scopes:      []string{scope.ClusterRoleIndicator + "edit:*:!"},
+		UserName:    userName,
+		UserUID:     string(haroldUser.UID),
+		RedirectURI: "https://localhost:8443/oauth/token/implicit",
 	}
 	if _, err := clusterAdminOAuthClient.OAuthAccessTokens().Create(escalatingEditToken); err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -241,6 +244,7 @@ func TestTokensWithIllegalScopes(t *testing.T) {
 				},
 			},
 		},
+		GrantMethod: oauthapi.GrantHandlerAuto,
 	}
 	if _, err := clusterAdminOAuthClient.OAuthClients().Create(client); err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -314,42 +318,46 @@ func TestTokensWithIllegalScopes(t *testing.T) {
 			name: "no scopes",
 			fail: true,
 			obj: &oauthapi.OAuthAccessToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				UserName:   "name",
-				UserUID:    "uid",
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				UserName:    "name",
+				UserUID:     "uid",
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 		{
 			name: "denied literal",
 			fail: true,
 			obj: &oauthapi.OAuthAccessToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				UserName:   "name",
-				UserUID:    "uid",
-				Scopes:     []string{"user:info", "user:check-access"},
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				UserName:    "name",
+				UserUID:     "uid",
+				Scopes:      []string{"user:info", "user:check-access"},
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 		{
 			name: "denied role",
 			fail: true,
 			obj: &oauthapi.OAuthAccessToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				UserName:   "name",
-				UserUID:    "uid",
-				Scopes:     []string{"role:one:*"},
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				UserName:    "name",
+				UserUID:     "uid",
+				Scopes:      []string{"role:one:*"},
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 		{
 			name: "ok role",
 			obj: &oauthapi.OAuthAccessToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				UserName:   "name",
-				UserUID:    "uid",
-				Scopes:     []string{"role:one:bravo"},
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				UserName:    "name",
+				UserUID:     "uid",
+				Scopes:      []string{"role:one:bravo"},
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 	}
@@ -373,46 +381,50 @@ func TestTokensWithIllegalScopes(t *testing.T) {
 			name: "no scopes",
 			fail: true,
 			obj: &oauthapi.OAuthAuthorizeToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				ExpiresIn:  86400,
-				UserName:   "name",
-				UserUID:    "uid",
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				ExpiresIn:   86400,
+				UserName:    "name",
+				UserUID:     "uid",
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 		{
 			name: "denied literal",
 			fail: true,
 			obj: &oauthapi.OAuthAuthorizeToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				ExpiresIn:  86400,
-				UserName:   "name",
-				UserUID:    "uid",
-				Scopes:     []string{"user:info", "user:check-access"},
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				ExpiresIn:   86400,
+				UserName:    "name",
+				UserUID:     "uid",
+				Scopes:      []string{"user:info", "user:check-access"},
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 		{
 			name: "denied role",
 			fail: true,
 			obj: &oauthapi.OAuthAuthorizeToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				ExpiresIn:  86400,
-				UserName:   "name",
-				UserUID:    "uid",
-				Scopes:     []string{"role:one:*"},
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				ExpiresIn:   86400,
+				UserName:    "name",
+				UserUID:     "uid",
+				Scopes:      []string{"role:one:*"},
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 		{
 			name: "ok role",
 			obj: &oauthapi.OAuthAuthorizeToken{
-				ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
-				ClientName: client.Name,
-				ExpiresIn:  86400,
-				UserName:   "name",
-				UserUID:    "uid",
-				Scopes:     []string{"role:one:bravo"},
+				ObjectMeta:  metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing"},
+				ClientName:  client.Name,
+				ExpiresIn:   86400,
+				UserName:    "name",
+				UserUID:     "uid",
+				Scopes:      []string{"role:one:bravo"},
+				RedirectURI: "https://localhost:8443/oauth/token/implicit",
 			},
 		},
 	}

test/testdata/oauthaccesstoken.yaml

@@ -6,4 +6,6 @@ metadata:
   name: DYGZDLucARCPIfUeKPhsgPfn0WBLR_9KdeREH0c9iod
 redirectURI: https://localhost:8443/oauth/token/implicit
 userName: test
-userUID: 322b236b-22b9-11e6-b307-080027242396
+userUID: 322b236b-22b9-11e6-b307-080027242396
+scopes:
+  - user:info

test/util/client.go

@@ -97,7 +97,8 @@ func GetClientForUser(clusterAdminConfig *restclient.Config, username string) (k
 	}
 
 	oauthClientObj := &oauthapi.OAuthClient{
-		ObjectMeta: metav1.ObjectMeta{Name: "test-integration-client"},
+		ObjectMeta:  metav1.ObjectMeta{Name: "test-integration-client"},
+		GrantMethod: oauthapi.GrantHandlerAuto,
 	}
 	if _, err := oauthClient.Oauth().OAuthClients().Create(oauthClientObj); err != nil && !kerrs.IsAlreadyExists(err) {
 		return nil, nil, err
@@ -110,10 +111,12 @@ func GetClientForUser(clusterAdminConfig *restclient.Config, username string) (k
 		accesstoken += "A"
 	}
 	token := &oauthapi.OAuthAccessToken{
-		ObjectMeta: metav1.ObjectMeta{Name: accesstoken},
-		ClientName: oauthClientObj.Name,
-		UserName:   username,
-		UserUID:    string(user.UID),
+		ObjectMeta:  metav1.ObjectMeta{Name: accesstoken},
+		ClientName:  oauthClientObj.Name,
+		UserName:    username,
+		UserUID:     string(user.UID),
+		Scopes:      []string{"user:full"},
+		RedirectURI: "https://localhost:8443/oauth/token/implicit",
 	}
 	if _, err := oauthClient.Oauth().OAuthAccessTokens().Create(token); err != nil {
 		return nil, nil, err