From 9bd6a1306a026b392d276e592a33a7bff1098560 Mon Sep 17 00:00:00 2001
From: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
Date: Sat, 23 Nov 2024 22:11:52 +0100
Subject: [PATCH] Added test cases

---
 providers/provider_data.go | 3 ++-
 providers/provider_default_test.go | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/providers/provider_data.go b/providers/provider_data.go
index e6c3c126..304fbd47 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -22,6 +22,7 @@ import (
 const (
 // This is not exported as it's not currently user configurable
 oidcUserClaim = "sub"
+ oidcAcrClaim = "acr"
 )
 // ProviderData contains information required to configure all implementations
@@ -267,7 +268,7 @@ func (p *ProviderData) buildSessionFromClaims(rawIDToken, accessToken string) (*
 {p.UserClaim, &ss.User},
 {p.EmailClaim, &ss.Email},
 {p.GroupsClaim, &ss.Groups},
- {"acr", &ss.Acr},
+ {oidcAcrClaim, &ss.Acr},
 // TODO (@NickMeves) Deprecate for dynamic claim to session mapping
 {"preferred_username", &ss.PreferredUsername},
 } {
diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go
index 80d5b4ce..520c51d8 100644
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@@ -75,6 +75,8 @@ func TestProviderDataAuthorize(t *testing.T) {
 name string
 allowedGroups []string
 groups []string
+ acr string
+ userAcr string
 expectedAuthZ bool
 }{
 {
@@ -101,6 +103,23 @@ func TestProviderDataAuthorize(t *testing.T) {
 groups: []string{"baz", "foo"},
 expectedAuthZ: false,
 },
+ {
+ name: "UserNotAllowedForACRLevel",
+ acr: "1",
+ expectedAuthZ: false,
+ },
+ {
+ name: "UserNotAllowedForACRLevel",
+ acr: "1",
+ userAcr: "1",
+ expectedAuthZ: true,
+ },
+ {
+ name: "UserNotAllowedForACRLevel",
+ acr: "2",
+ userAcr: "somethingElse",
+ expectedAuthZ: false,
+ },
 }
 for _, tc := range testCases {
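Review bot: The new table fields `acr` and `userAcr` in the `@@ -75,6 +75,8 @@` hunk are named asymmetrically with the existing pair `allowedGroups`/`groups`: `acr` holds the value the provider is configured to require, while `userAcr` is what the session carries. Renaming the configured one to `allowedACR` (and calling `p.setAllowedACR(tc.allowedACR)` where the table is consumed) keeps the table self-describing and mirrors the existing naming, and `ACR` keeps the initialism casing Go style prefers. The table struct and TestProviderDataAuthorize continue outside this hunk.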
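Review bot: The three new test cases in the `@@ -101,6 +103,23 @@` hunk all carry the name "UserNotAllowedForACRLevel", although the second one expects `expectedAuthZ: true`, so the name contradicts that case and, if the loop presumably runs them as named subtests, a failure in any of the three is indistinguishable from the others. Rename them to describe each scenario, e.g. `name: "UserNotAllowedWhenACRMissing"`, `name: "UserAllowedForMatchingACR"` and `name: "UserNotAllowedForMismatchedACR"`. A further case with `acr: ""`, a non-empty `userAcr` and `expectedAuthZ: true` would pin that an unconfigured ACR requirement does not reject sessions that happen to carry an ACR claim. The hunk only compares "2" against "somethingElse", so a case with `acr: "2"`, `userAcr: "1"` would document whether the check is an exact string match rather than an ordered level comparison, which the visible lines do not establish. TestProviderDataAuthorize starts and ends outside this hunk.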
@@ -109,9 +128,11 @@ func TestProviderDataAuthorize(t *testing.T) {
 session := &sessions.SessionState{
 Groups: tc.groups,
+ Acr: tc.userAcr,
 }
 p := &ProviderData{}
 p.setAllowedGroups(tc.allowedGroups)
+ p.setAllowedACR(tc.acr)
 authorized, err := p.Authorize(context.Background(), session)
 g.Expect(err).ToNot(HaveOccurred())
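Review bot: `p.setAllowedACR(tc.acr)` now runs for every table entry, including the pre-existing group cases where `tc.acr` is the empty string, so those cases silently depend on setAllowedACR treating "" as "no ACR requirement"; setAllowedACR and Authorize are outside this hunk, so I cannot confirm that from the diff. If that is the intended contract, a comment on the call, `// an empty acr configures no ACR requirement; group-only cases rely on this`, makes the dependency visible to the next person editing the table. If it is not, the group-only cases would start failing for a reason unrelated to groups, which is worth checking before merge. The loop body and TestProviderDataAuthorize continue outside the hunk.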