Merge pull request #129 from DrDaveD/subtests

DrDaveD · web-flow · commit 001fecb7ce2b · 2025-05-14T15:06:31.000-05:00
add tests for "sub" value
diff --git a/tests/.regress-config.template b/tests/.regress-config.template
@@ -1,5 +1,7 @@
 VAULTSERVER=
 ISSUER=
+GROUPROLE=
+GROUPSUBPAT=
 HASKERBEROS=true
 #HASSSH=true
 ROBOTKEYTAB=
diff --git a/tests/001-oidcauth/main b/tests/001-oidcauth/main
@@ -1,2 +1,7 @@
 htdestroytoken
+set -ex
 htgettoken --nokerberos --nossh -a $VAULTSERVER -i $ISSUER
+if [ -n "$GROUPSUBPAT" ]; then
+    # also check the sub from oidc flow (others in test 014)
+    htdecodetoken | jq -r .sub | grep -v $GROUPSUBPAT
+fi
diff --git a/tests/014-checkdefaultsub/main b/tests/014-checkdefaultsub/main
@@ -0,0 +1,24 @@
+if [ -z "$GROUPSUBPAT" ]; then
+    exit $SKIPCODE
+fi
+set -ex
+htgettoken --nokerberos --nooidc --nossh -a $VAULTSERVER -i $ISSUER --scopes="$TESTSCOPES"
+EXPTIME="$(htdecodetoken|jq -r .exp)"
+
+# check sub for token exchange
+htgettoken --nossh -a $VAULTSERVER -i $ISSUER --scopes="$TESTSCOPES"
+htdecodetoken | jq -r .sub | grep -v $GROUPSUBPAT
+
+# check sub for refresh
+# make sure that we don't request minsecs longer than the access token lifetime
+# by waiting a couple of seconds
+sleep 2
+NOW="$(date +%s)"
+let MINSECS=$EXPTIME-$NOW+1
+htgettoken --nooidc --nokerberos --nossh -a $VAULTSERVER -i $ISSUER --minsecs=$MINSECS
+EXPTIME2="$(htdecodetoken|jq -r .exp)"
+if [ "$EXPTIME" = "$EXPTIME2" ]; then
+    echo "The access token was not renewed!"
+    exit 1
+fi
+htdecodetoken | jq -r .sub | grep -v $GROUPSUBPAT
diff --git a/tests/015-checkgroupsub/main b/tests/015-checkgroupsub/main
@@ -0,0 +1,26 @@
+if [ -z "$GROUPSUBPAT" ]; then
+    exit $SKIPCODE
+fi
+set -ex
+# check sub for oidc flow with role
+htgettoken --nossh -a $VAULTSERVER -i $ISSUER -r $GROUPROLE
+htdecodetoken | jq -r .sub | grep $GROUPSUBPAT
+EXPTIME="$(htdecodetoken|jq -r .exp)"
+
+# check sub for token exchange
+htgettoken --nossh -a $VAULTSERVER -i $ISSUER -r $GROUPROLE --scopes="$TESTSCOPES"
+htdecodetoken | jq -r .sub | grep $GROUPSUBPAT
+
+# check sub for refresh
+# make sure that we don't request minsecs longer than the access token lifetime
+# by waiting a couple of seconds
+sleep 2
+NOW="$(date +%s)"
+let MINSECS=$EXPTIME-$NOW+1
+htgettoken --nooidc --nokerberos --nossh -a $VAULTSERVER -i $ISSUER -r $GROUPROLE --minsecs=$MINSECS
+EXPTIME2="$(htdecodetoken|jq -r .exp)"
+if [ "$EXPTIME" = "$EXPTIME2" ]; then
+    echo "The access token was not renewed!"
+    exit 1
+fi
+htdecodetoken | jq -r .sub | grep $GROUPSUBPAT
