Added test cases

providers/provider_data.go

@@ -22,6 +22,7 @@ import (
 const (
 	// This is not exported as it's not currently user configurable
 	oidcUserClaim = "sub"
+	oidcAcrClaim  = "acr"
 )
 
 // ProviderData contains information required to configure all implementations
@@ -267,7 +268,7 @@ func (p *ProviderData) buildSessionFromClaims(rawIDToken, accessToken string) (*
 		{p.UserClaim, &ss.User},
 		{p.EmailClaim, &ss.Email},
 		{p.GroupsClaim, &ss.Groups},
-		{"acr", &ss.Acr},
+		{oidcAcrClaim, &ss.Acr},
 		// TODO (@NickMeves) Deprecate for dynamic claim to session mapping
 		{"preferred_username", &ss.PreferredUsername},
 	} {

providers/provider_default_test.go

@@ -75,6 +75,8 @@ func TestProviderDataAuthorize(t *testing.T) {
 		name          string
 		allowedGroups []string
 		groups        []string
+		acr           string
+		userAcr       string
 		expectedAuthZ bool
 	}{
 		{
@@ -101,6 +103,23 @@ func TestProviderDataAuthorize(t *testing.T) {
 			groups:        []string{"baz", "foo"},
 			expectedAuthZ: false,
 		},
+		{
+			name:          "UserNotAllowedForACRLevel",
+			acr:           "1",
+			expectedAuthZ: false,
+		},
+		{
+			name:          "UserNotAllowedForACRLevel",
+			acr:           "1",
+			userAcr:       "1",
+			expectedAuthZ: true,
+		},
+		{
+			name:          "UserNotAllowedForACRLevel",
+			acr:           "2",
+			userAcr:       "somethingElse",
+			expectedAuthZ: false,
+		},
 	}
 
 	for _, tc := range testCases {
@@ -109,9 +128,11 @@ func TestProviderDataAuthorize(t *testing.T) {
 
 			session := &sessions.SessionState{
 				Groups: tc.groups,
+				Acr:    tc.userAcr,
 			}
 			p := &ProviderData{}
 			p.setAllowedGroups(tc.allowedGroups)
+			p.setAllowedACR(tc.acr)
 
 			authorized, err := p.Authorize(context.Background(), session)
 			g.Expect(err).ToNot(HaveOccurred())