grafana/pkg/services/authn/authnimpl/sync/oauth_token_sync_test.go

package sync

import (
	"context"
	"errors"
	"testing"
	"time"

	"github.com/grafana/authlib/claims"
	"github.com/stretchr/testify/assert"
	"golang.org/x/sync/singleflight"

	"github.com/grafana/grafana/pkg/apimachinery/identity"
	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/infra/tracing"
	"github.com/grafana/grafana/pkg/login/social"
	"github.com/grafana/grafana/pkg/login/social/socialtest"
	"github.com/grafana/grafana/pkg/services/auth"
	"github.com/grafana/grafana/pkg/services/auth/authtest"
	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/login"
	"github.com/grafana/grafana/pkg/services/oauthtoken/oauthtokentest"
)

func TestOAuthTokenSync_SyncOAuthTokenHook(t *testing.T) {
	type testCase struct {
		desc      string
		identity  *authn.Identity
		oauthInfo *social.OAuthInfo

		expectedHasEntryToken *login.UserAuth
		expectHasEntryCalled  bool

		expectedTryRefreshErr       error
		expectTryRefreshTokenCalled bool

		expectRevokeTokenCalled           bool
		expectInvalidateOauthTokensCalled bool

		expectedErr error
	}

	tests := []testCase{
		{
			desc:                        "should skip sync when identity is not a user",
			identity:                    &authn.Identity{ID: "1", Type: claims.TypeServiceAccount},
			expectTryRefreshTokenCalled: false,
		},
		{
			desc:                        "should skip sync when identity is a user but is not authenticated with session token",
			identity:                    &authn.Identity{ID: "1", Type: claims.TypeUser},
			expectTryRefreshTokenCalled: false,
		},
		{
			desc:                              "should invalidate access token and session token if token refresh fails",
			identity:                          &authn.Identity{ID: "1", Type: claims.TypeUser, SessionToken: &auth.UserToken{}, AuthenticatedBy: login.AzureADAuthModule},
			expectHasEntryCalled:              true,
			expectedTryRefreshErr:             errors.New("some err"),
			expectTryRefreshTokenCalled:       true,
			expectInvalidateOauthTokensCalled: true,
			expectRevokeTokenCalled:           true,
			expectedHasEntryToken:             &login.UserAuth{OAuthExpiry: time.Now().Add(-10 * time.Minute)},
			expectedErr:                       authn.ErrExpiredAccessToken,
		},
		{
			desc:                              "should refresh the token successfully",
			identity:                          &authn.Identity{ID: "1", Type: claims.TypeUser, SessionToken: &auth.UserToken{}, AuthenticatedBy: login.AzureADAuthModule},
			expectHasEntryCalled:              false,
			expectTryRefreshTokenCalled:       true,
			expectInvalidateOauthTokensCalled: false,
			expectRevokeTokenCalled:           false,
		},
		{
			desc:                              "should not invalidate the token if the token has already been refreshed by another request (singleflight)",
			identity:                          &authn.Identity{ID: "1", Type: claims.TypeUser, SessionToken: &auth.UserToken{}, AuthenticatedBy: login.AzureADAuthModule},
			expectHasEntryCalled:              true,
			expectTryRefreshTokenCalled:       true,
			expectInvalidateOauthTokensCalled: false,
			expectRevokeTokenCalled:           false,
			expectedHasEntryToken:             &login.UserAuth{OAuthExpiry: time.Now().Add(10 * time.Minute)},
			expectedTryRefreshErr:             errors.New("some err"),
		},

		// TODO: address coverage of oauthtoken sync
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			var (
				hasEntryCalled         bool
				tryRefreshCalled       bool
				invalidateTokensCalled bool
				revokeTokenCalled      bool
			)

			service := &oauthtokentest.MockOauthTokenService{
				HasOAuthEntryFunc: func(ctx context.Context, usr identity.Requester) (*login.UserAuth, bool, error) {
					hasEntryCalled = true
					return tt.expectedHasEntryToken, tt.expectedHasEntryToken != nil, nil
				},
				InvalidateOAuthTokensFunc: func(ctx context.Context, usr *login.UserAuth) error {
					invalidateTokensCalled = true
					return nil
				},
				TryTokenRefreshFunc: func(ctx context.Context, usr identity.Requester) error {
					tryRefreshCalled = true
					return tt.expectedTryRefreshErr
				},
			}

			sessionService := &authtest.FakeUserAuthTokenService{
				RevokeTokenProvider: func(ctx context.Context, token *auth.UserToken, soft bool) error {
					revokeTokenCalled = true
					return nil
				},
			}

			if tt.oauthInfo == nil {
				tt.oauthInfo = &social.OAuthInfo{
					UseRefreshToken: true,
				}
			}

			socialService := &socialtest.FakeSocialService{
				ExpectedAuthInfoProvider: tt.oauthInfo,
			}

			sync := &OAuthTokenSync{
				log:               log.NewNopLogger(),
				service:           service,
				sessionService:    sessionService,
				socialService:     socialService,
				singleflightGroup: new(singleflight.Group),
				tracer:            tracing.InitializeTracerForTest(),
			}

			err := sync.SyncOauthTokenHook(context.Background(), tt.identity, nil)
			assert.ErrorIs(t, err, tt.expectedErr)
			assert.Equal(t, tt.expectHasEntryCalled, hasEntryCalled)
			assert.Equal(t, tt.expectTryRefreshTokenCalled, tryRefreshCalled)
			assert.Equal(t, tt.expectInvalidateOauthTokensCalled, invalidateTokensCalled)
			assert.Equal(t, tt.expectRevokeTokenCalled, revokeTokenCalled)
		})
	}
}
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`package sync`

			`import (`
			`"context"`
			`"errors"`
			`"testing"`
			`"time"`

Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`"github.com/grafana/authlib/claims"`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`"github.com/stretchr/testify/assert"`
Auth: Handle when access token has already been refreshed in OAuth token sync (#77118) * Use singleflight to prevent logging error if the token has already been refreshed * Change order of error checks * align tests, change error name * Change sf key * Update based on the review * refactor 2023-10-26 00:15:41 +08:00			`"golang.org/x/sync/singleflight"`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00
Identity: Rename "namespace" to "type" in the requester interface (#90567) 2024-07-25 17:52:14 +08:00			`"github.com/grafana/grafana/pkg/apimachinery/identity"`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`"github.com/grafana/grafana/pkg/infra/log"`
Add auth spans and remove deduplication code for scopes (#89804) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2024-07-03 14:08:57 +08:00			`"github.com/grafana/grafana/pkg/infra/tracing"`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`"github.com/grafana/grafana/pkg/login/social"`
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError 2023-12-08 18:20:42 +08:00			`"github.com/grafana/grafana/pkg/login/social/socialtest"`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`"github.com/grafana/grafana/pkg/services/auth"`
			`"github.com/grafana/grafana/pkg/services/auth/authtest"`
			`"github.com/grafana/grafana/pkg/services/authn"`
			`"github.com/grafana/grafana/pkg/services/login"`
			`"github.com/grafana/grafana/pkg/services/oauthtoken/oauthtokentest"`
			`)`

			`func TestOAuthTokenSync_SyncOAuthTokenHook(t *testing.T) {`
			`type testCase struct {`
			`desc string`
			`identity *authn.Identity`
			`oauthInfo *social.OAuthInfo`

			`expectedHasEntryToken *login.UserAuth`
			`expectHasEntryCalled bool`

			`expectedTryRefreshErr error`
			`expectTryRefreshTokenCalled bool`

			`expectRevokeTokenCalled bool`
			`expectInvalidateOauthTokensCalled bool`

			`expectedErr error`
			`}`

			`tests := []testCase{`
			`{`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`desc: "should skip sync when identity is not a user",`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`identity: &authn.Identity{ID: "1", Type: claims.TypeServiceAccount},`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`expectTryRefreshTokenCalled: false,`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`},`
			`{`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`desc: "should skip sync when identity is a user but is not authenticated with session token",`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`identity: &authn.Identity{ID: "1", Type: claims.TypeUser},`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`expectTryRefreshTokenCalled: false,`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`},`
			`{`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`desc: "should invalidate access token and session token if token refresh fails",`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`identity: &authn.Identity{ID: "1", Type: claims.TypeUser, SessionToken: &auth.UserToken{}, AuthenticatedBy: login.AzureADAuthModule},`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`expectHasEntryCalled: true,`
			`expectedTryRefreshErr: errors.New("some err"),`
			`expectTryRefreshTokenCalled: true,`
			`expectInvalidateOauthTokensCalled: true,`
			`expectRevokeTokenCalled: true,`
			`expectedHasEntryToken: &login.UserAuth{OAuthExpiry: time.Now().Add(-10 * time.Minute)},`
			`expectedErr: authn.ErrExpiredAccessToken,`
			`},`
			`{`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`desc: "should refresh the token successfully",`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`identity: &authn.Identity{ID: "1", Type: claims.TypeUser, SessionToken: &auth.UserToken{}, AuthenticatedBy: login.AzureADAuthModule},`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`expectHasEntryCalled: false,`
			`expectTryRefreshTokenCalled: true,`
			`expectInvalidateOauthTokensCalled: false,`
			`expectRevokeTokenCalled: false,`
			`},`
			`{`
			`desc: "should not invalidate the token if the token has already been refreshed by another request (singleflight)",`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`identity: &authn.Identity{ID: "1", Type: claims.TypeUser, SessionToken: &auth.UserToken{}, AuthenticatedBy: login.AzureADAuthModule},`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`expectHasEntryCalled: true,`
			`expectTryRefreshTokenCalled: true,`
			`expectInvalidateOauthTokensCalled: false,`
			`expectRevokeTokenCalled: false,`
			`expectedHasEntryToken: &login.UserAuth{OAuthExpiry: time.Now().Add(10 * time.Minute)},`
			`expectedTryRefreshErr: errors.New("some err"),`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`},`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00
			`// TODO: address coverage of oauthtoken sync`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`}`

			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`var (`
			`hasEntryCalled bool`
			`tryRefreshCalled bool`
			`invalidateTokensCalled bool`
			`revokeTokenCalled bool`
			`)`

			`service := &oauthtokentest.MockOauthTokenService{`
Identity: Rename "namespace" to "type" in the requester interface (#90567) 2024-07-25 17:52:14 +08:00			`HasOAuthEntryFunc: func(ctx context.Context, usr identity.Requester) (*login.UserAuth, bool, error) {`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`hasEntryCalled = true`
			`return tt.expectedHasEntryToken, tt.expectedHasEntryToken != nil, nil`
			`},`
			`InvalidateOAuthTokensFunc: func(ctx context.Context, usr *login.UserAuth) error {`
			`invalidateTokensCalled = true`
			`return nil`
			`},`
Identity: Rename "namespace" to "type" in the requester interface (#90567) 2024-07-25 17:52:14 +08:00			`TryTokenRefreshFunc: func(ctx context.Context, usr identity.Requester) error {`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`tryRefreshCalled = true`
			`return tt.expectedTryRefreshErr`
			`},`
			`}`

			`sessionService := &authtest.FakeUserAuthTokenService{`
			`RevokeTokenProvider: func(ctx context.Context, token *auth.UserToken, soft bool) error {`
			`revokeTokenCalled = true`
			`return nil`
			`},`
			`}`

			`if tt.oauthInfo == nil {`
			`tt.oauthInfo = &social.OAuthInfo{`
			`UseRefreshToken: true,`
			`}`
			`}`

			`socialService := &socialtest.FakeSocialService{`
			`ExpectedAuthInfoProvider: tt.oauthInfo,`
			`}`

			`sync := &OAuthTokenSync{`
Fix: Refresh token when id_token is expired (#79569) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2024-02-05 23:44:25 +08:00			`log: log.NewNopLogger(),`
			`service: service,`
			`sessionService: sessionService,`
			`socialService: socialService,`
			`singleflightGroup: new(singleflight.Group),`
Add auth spans and remove deduplication code for scopes (#89804) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2024-07-03 14:08:57 +08:00			`tracer: tracing.InitializeTracerForTest(),`
Revert "AuthN: move oauth token hook into session client" (#76882) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit 455cede6992cfad57f1c5b1749c9454d1475dba6. 2023-10-20 22:09:46 +08:00			`}`

			`err := sync.SyncOauthTokenHook(context.Background(), tt.identity, nil)`
			`assert.ErrorIs(t, err, tt.expectedErr)`
			`assert.Equal(t, tt.expectHasEntryCalled, hasEntryCalled)`
			`assert.Equal(t, tt.expectTryRefreshTokenCalled, tryRefreshCalled)`
			`assert.Equal(t, tt.expectInvalidateOauthTokensCalled, invalidateTokensCalled)`
			`assert.Equal(t, tt.expectRevokeTokenCalled, revokeTokenCalled)`
			`})`
			`}`
			`}`