Add refreshToken tests

SURFscz · Feb 11, 2025 · 225428f · 225428f
1 parent 230e039
commit 225428f
Show file tree

Hide file tree

Showing 4 changed files with 145 additions and 19 deletions.
diff --git a/ci-runner/admin.json b/ci-runner/admin.json
@@ -5,6 +5,7 @@
             "openid",
             "profile",
             "email",
+            "offline_access",
             "eduperson_assurance",
             "eduperson_entitlement",
             "eduperson_orcid",
@@ -28,9 +29,9 @@
             "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7"
         ]
     },
-    "access_token":
+    "access_token_1":
     {
-        "scope": "openid profile email eduperson_assurance eduperson_entitlement eduperson_orcid eduperson_principal_name eduperson_scoped_affiliation voperson_external_affiliation voperson_external_id voperson_id aarc ssh_public_key orcid uid openid",
+        "scope": "openid profile email offline_access eduperson_assurance eduperson_entitlement eduperson_orcid eduperson_principal_name eduperson_scoped_affiliation voperson_external_affiliation voperson_external_id voperson_id aarc ssh_public_key orcid uid openid",
         "aud": [
             "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7"
         ],
@@ -64,6 +65,50 @@
         "token_class": "access_token",
         "iss": "https://proxy.acc.sram.eduteams.org"
     },
+    "access_token_2":
+    {
+        "aud": [
+            "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7"
+        ],
+        "client_id": "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7",
+        "sub": "98d4d0ddd179f57c0cbbf06ae2d7094522b21eab@acc.sram.eduteams.org",
+        "eduperson_principal_name": [
+            "admin@ci-runner.sram.surf.nl"
+        ],
+        "eduperson_assurance": [
+            "http://idm.example.org/LOA1#sample"
+        ],
+        "email": "martin+ci-admin@surfnet.nl",
+        "voperson_external_id": [
+            "admin@ci-runner.sram.surf.nl"
+        ],
+        "name": "Admin admin",
+        "given_name": "Admin",
+        "family_name": "admin",
+        "ssh_public_key": [
+            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRa9pltI/Re4384pGFe0Kw1ctP83oLxmvFITcMLwDYYuVo7yzww1uumrYRmbfUNPdKsJEKjB9dGSeTFx3LauzqyLcTdxpoFJh4p7cF3T3zbO4XTcmdnRALmjvxfAoSTtdWKtXeyNZmQCWKi5UQ84b/4sup5/yAUc7UyZJa9YqluBKEbhsemXD6aCHdOIIhySFXg7WyOLktyum+5v7oiwOBstajtKgu5G5JOVuA9+v6gLbdiU/TLINxgFu+sw5FtbNH6sYoWdiz36depOC1Kz5R1UhiWnQp8m1KNnOQACwu1a0WsucWWE5Mu1cgLWHE5ISc7I7NH8Jyg/dZ/IQaS2fe4XqSm89fELRspb+o1zAaLEmq+ed8/Alw6DSQ2gfdryBuv5APtxAmWru/TnMPSbECkruNjDQk6PIdSorDfJ+d6mQURyq+zxgkbECCNiBspFCGDvTtaWf/JFkF7ySGPA9eL4l3Tz91pxXLB06wYQifFEm2eWZ3d+pK7Dx4oPiEuts= pubkey@ci-runner"
+        ],
+        "eduperson_scoped_affiliation": [
+            "member@acc.sram.eduteams.org"
+        ],
+        "voperson_id": [
+            "98d4d0ddd179f57c0cbbf06ae2d7094522b21eab@acc.sram.eduteams.org"
+        ],
+        "eduperson_entitlement": [
+            "urn:mace:surf.nl:x-sram-ci:group:ci",
+            "urn:mace:surf.nl:x-sram-ci:group:ci:cico",
+            "urn:geant:eduteams.org:acc.sram.eduteams.org:group:surf-ram#acc.sram.eduteams.org"
+        ],
+        "uid": [
+            "admin"
+        ],
+        "voperson_external_affiliation": [
+            "member@ci-runner.sram.surf.nl",
+            "affiliate@ci-runner.sram.surf.nl"
+        ],
+        "token_class": "access_token",
+        "iss": "https://proxy.acc.sram.eduteams.org"
+    },
     "user_info":
     {
         "sub": "98d4d0ddd179f57c0cbbf06ae2d7094522b21eab@acc.sram.eduteams.org",

diff --git a/ci-runner/features/steps/ci.py b/ci-runner/features/steps/ci.py
@@ -76,8 +76,10 @@ def step_impl(context, file):
 
     # Test user attributes
     id_token = json.loads(context.browser.find_element(By.ID, 'id_token').text)
-    access_token = json.loads(context.browser.find_element(By.ID, 'access_token').text)
-    user_info = json.loads(context.browser.find_element(By.ID, 'user_info').text)
+    access_token_1 = json.loads(context.browser.find_element(By.ID, 'access_token_1').text)
+    access_token_2 = json.loads(context.browser.find_element(By.ID, 'access_token_2').text)
+    user_info_1 = json.loads(context.browser.find_element(By.ID, 'user_info_1').text)
+    user_info_2 = json.loads(context.browser.find_element(By.ID, 'user_info_2').text)
 
     with open(file) as f:
         user_claims = json.load(f)
@@ -88,14 +90,26 @@ def step_impl(context, file):
         else:
             assert(id_token[claim] == value), f"id_token {claim} did not contain {value}"
 
-    for claim, value in user_claims['access_token'].items():
+    for claim, value in user_claims['access_token_1'].items():
         if type(value) is list:
-            assert(set(access_token[claim]) == set(value)), f"access_token {claim} did not contain {value}"
+            assert(set(access_token_1[claim]) == set(value)), f"access_token_1 {claim} did not contain {value}"
         else:
-            assert(access_token[claim] == value), f"access_token {claim} did not contain {value}"
+            assert(access_token_1[claim] == value), f"access_token_1 {claim} did not contain {value}"
 
-    for claim, value in user_claims['user_info'].items():
+    for claim, value in user_claims['access_token_2'].items():
         if type(value) is list:
-            assert(set(user_info[claim]) == set(value)), f"user_info {claim} did not contain {value}"
+            assert(set(access_token_2[claim]) == set(value)), f"access_token_2 {claim} did not contain {value}"
         else:
-            assert(user_info[claim] == value), f"user_info {claim} did not contain {value}"
+            assert(access_token_2[claim] == value), f"access_token_2 {claim} did not contain {value}"
+
+    for claim, value in user_claims['user_info_1'].items():
+        if type(value) is list:
+            assert(set(user_info_1[claim]) == set(value)), f"user_info_1 {claim} did not contain {value}"
+        else:
+            assert(user_info_1[claim] == value), f"user_info_1 {claim} did not contain {value}"
+
+    for claim, value in user_claims['user_info_2'].items():
+        if type(value) is list:
+            assert(set(user_info_2[claim]) == set(value)), f"user_info_2 {claim} did not contain {value}"
+        else:
+            assert(user_info_2[claim] == value), f"user_info_2 {claim} did not contain {value}"
diff --git a/ci-runner/student.json b/ci-runner/student.json
@@ -5,6 +5,7 @@
             "openid",
             "profile",
             "email",
+            "offline_access",
             "eduperson_assurance",
             "eduperson_entitlement",
             "eduperson_orcid",
@@ -28,9 +29,9 @@
             "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7"
         ]
     },
-    "access_token":
+    "access_token_1":
     {
-        "scope": "openid profile email eduperson_assurance eduperson_entitlement eduperson_orcid eduperson_principal_name eduperson_scoped_affiliation voperson_external_affiliation voperson_external_id voperson_id aarc ssh_public_key orcid uid openid",
+        "scope": "openid profile email offline_access eduperson_assurance eduperson_entitlement eduperson_orcid eduperson_principal_name eduperson_scoped_affiliation voperson_external_affiliation voperson_external_id voperson_id aarc ssh_public_key orcid uid openid",
         "aud": [
             "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7"
         ],
@@ -60,6 +61,46 @@
         "token_class": "access_token",
         "iss": "https://proxy.acc.sram.eduteams.org"
     },
+    "access_token_2":
+    {
+        "aud": [
+            "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7"
+        ],
+        "client_id": "APP-B1F3C5AA-5514-48A9-BBA1-EBC388540BF7",
+        "sub": "8e7811387bc200409b395a7a156826875a4248f9@acc.sram.eduteams.org",
+        "voperson_external_id": [
+            "student@ci-runner.sram.surf.nl"
+        ],
+        "eduperson_scoped_affiliation": [
+            "member@acc.sram.eduteams.org"
+        ],
+        "ssh_public_key": [
+            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRa9pltI/Re4384pGFe0Kw1ctP83oLxmvFITcMLwDYYuVo7yzww1uumrYRmbfUNPdKsJEKjB9dGSeTFx3LauzqyLcTdxpoFJh4p7cF3T3zbO4XTcmdnRALmjvxfAoSTtdWKtXeyNZmQCWKi5UQ84b/4sup5/yAUc7UyZJa9YqluBKEbhsemXD6aCHdOIIhySFXg7WyOLktyum+5v7oiwOBstajtKgu5G5JOVuA9+v6gLbdiU/TLINxgFu+sw5FtbNH6sYoWdiz36depOC1Kz5R1UhiWnQp8m1KNnOQACwu1a0WsucWWE5Mu1cgLWHE5ISc7I7NH8Jyg/dZ/IQaS2fe4XqSm89fELRspb+o1zAaLEmq+ed8/Alw6DSQ2gfdryBuv5APtxAmWru/TnMPSbECkruNjDQk6PIdSorDfJ+d6mQURyq+zxgkbECCNiBspFCGDvTtaWf/JFkF7ySGPA9eL4l3Tz91pxXLB06wYQifFEm2eWZ3d+pK7Dx4oPiEuts= pubkey@ci-runner"
+        ],
+        "eduperson_entitlement": [
+            "urn:mace:surf.nl:x-sram-ci:group:ci:cico",
+            "urn:mace:surf.nl:x-sram-ci:group:ci",
+            "urn:geant:eduteams.org:acc.sram.eduteams.org:group:surf-ram#acc.sram.eduteams.org"
+        ],
+        "voperson_id": [
+            "8e7811387bc200409b395a7a156826875a4248f9@acc.sram.eduteams.org"
+        ],
+        "name": "Student Student",
+        "given_name": "Student",
+        "family_name": "Student",
+        "email": "student@ci-runner.sram.surf.nl",
+        "eduperson_assurance": [
+            "http://idm.example.org/LOA2#sample"
+        ],
+        "eduperson_principal_name": [
+            "Student@ci-runner.sram.surf.nl"
+        ],
+        "uid": [
+            "Student"
+        ],
+        "token_class": "access_token",
+        "iss": "https://proxy.acc.sram.eduteams.org"
+    },
     "user_info":
     {
         "sub": "8e7811387bc200409b395a7a156826875a4248f9@acc.sram.eduteams.org",

diff --git a/roles/ci-test/templates/index.php.j2 b/roles/ci-test/templates/index.php.j2
@@ -9,7 +9,7 @@ use Jumbojett\OpenIDConnectClient;
 $CLIENT_ID = "{{ ci_rp_client_id }}";
 $CLIENT_SECRET = "{{ ci_rp_client_secret }}";
 
-$SCOPES = "openid profile email eduperson_assurance eduperson_entitlement eduperson_orcid eduperson_principal_name eduperson_scoped_affiliation voperson_external_affiliation voperson_external_id voperson_id aarc ssh_public_key orcid uid";
+$SCOPES = "openid profile email offline_access eduperson_assurance eduperson_entitlement eduperson_orcid eduperson_principal_name eduperson_scoped_affiliation voperson_external_affiliation voperson_external_id voperson_id aarc ssh_public_key orcid uid";
 #$CLAIMS = "given_name family_name email eduperson_scoped_affiliation ssh_public_key";
 $CLAIMS = [
     "id_token" => [
@@ -75,6 +75,7 @@ $oidc = new OpenIDConnectClient('https://proxy.acc.sram.eduteams.org/',
                                 $CLIENT_SECRET);
 $oidc->addScope(explode(" ", $scope));
 #$oidc->addAuthParam(array('idp_hint' => $idp_hint));
+$oidc->addAuthParam(array('prompt' => 'consent'));
 $oidc->setResponseTypes($response_type);
 // $oidc->setAllowImplicitFlow(true);
 $oidc->setRedirectURL($redirect_uri);
@@ -95,22 +96,47 @@ if (!$authenticated) {
     }
     $_SESSION['authenticated'] = true;
     $_SESSION['id_token'] = $oidc->getVerifiedClaims();
-    $_SESSION['access_token'] = $oidc->getAccessTokenPayload();
-    $_SESSION['userinfo'] = $oidc->requestUserInfo();
+    $_SESSION['access_token_1'] = $oidc->getAccessTokenPayload();
+    $_SESSION['refresh_token_1'] = $oidc->getRefreshToken();
+    $_SESSION['userinfo_1'] = $oidc->requestUserInfo();
+
+    try {
+        $json = $oidc->refreshToken($_SESSION['refresh_token_1']);
+    } catch (Exception $e) {
+        echo "<pre id=result>" . json_encode($e->getMessage(), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)  . "</pre>\n";
+        exit();
+    }
+    $_SESSION['access_token_2'] = $oidc->getAccessTokenPayload();
+    $_SESSION['refresh_token_2'] = $oidc->getRefreshToken();
+    $_SESSION['userinfo_2'] = $oidc->requestUserInfo();
+
 }
 
 $id_token = $_SESSION['id_token'];
-$access_token = $_SESSION['access_token'];
-$userinfo = $_SESSION['userinfo'];
 $request_claims = $_SESSION['claims'];
 
+$access_token_1 = $_SESSION['access_token_1'];
+$refresh_token_1 = $_SESSION['refresh_token_1'];
+$userinfo_1 = $_SESSION['userinfo_1'];
+
+$access_token_2 = $_SESSION['access_token_2'];
+$refresh_token_2 = $_SESSION['refresh_token_2'];
+$userinfo_2 = $_SESSION['userinfo_2'];
+
 $meta = new StdClass();
 $meta->requested_scope = $scope;
 $meta->requested_claims = $request_claims;
 
 echo "ID_TOKEN\n<pre id=id_token>" . json_encode($id_token, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
-echo "ACCESS_TOKEN\n<pre id=access_token>" . json_encode($access_token, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
-echo "USER_INFO\n<pre id=user_info>" . json_encode($userinfo, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
+
+echo "ACCESS_TOKEN_1\n<pre id=access_token_1>" . json_encode($access_token_1, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
+echo "REFRESH_TOKEN_1\n<pre id=refresh_token_1>" . json_encode($refresh_token_1, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
+echo "USER_INFO_1\n<pre id=user_info_1>" . json_encode($userinfo_1, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
+
+echo "ACCESS_TOKEN_2\n<pre id=access_token_2>" . json_encode($access_token_2, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
+echo "REFRESH_TOKEN_2\n<pre id=refresh_token_2>" . json_encode($refresh_token_2, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
+echo "USER_INFO_2\n<pre id=user_info_2>" . json_encode($userinfo_2, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
+
 echo "META\n<pre id=meta>" . json_encode($meta, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
 ?>
 <form method="POST" action="/index.php"><input type="submit" name="reset"  value="Reset"></form>