From 161ff6d310930beb713f3f9f80bcdabdbc217932 Mon Sep 17 00:00:00 2001
From: Eric Leijonmarck
Date: Mon, 6 Feb 2023 17:17:03 +0000
Subject: [PATCH] Auth: Add test for oauth okta skip org role sync (#62547)
* add tests to oauth okta
* refactor: tests to make them work with the new structure
* add: three tests for okta oauth provider
---
 pkg/login/social/okta_oauth_test.go | 123 ++++++++++++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 pkg/login/social/okta_oauth_test.go
diff --git a/pkg/login/social/okta_oauth_test.go b/pkg/login/social/okta_oauth_test.go
new file mode 100644
index 00000000000..fd955f081d1
--- /dev/null
+++ b/pkg/login/social/okta_oauth_test.go
@@ -0,0 +1,123 @@
+package social
+
+import (
+ "fmt"
+ "net/http"
+ "net/http/httptest"
+ "strings"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ "golang.org/x/oauth2"
+
+ "github.com/grafana/grafana/pkg/models/roletype"
+ "github.com/grafana/grafana/pkg/services/featuremgmt"
+)
+
+func TestSocialOkta_UserInfo(t *testing.T) {
+ var boolPointer *bool
+
+ tests := []struct {
+ name string
+ userRawJSON string
+ OAuth2Extra interface{}
+ autoAssignOrgRole string
+ settingSkipOrgRoleSync bool
+ allowAssignGrafanaAdmin bool
+ RoleAttributePath string
+ ExpectedEmail string
+ ExpectedRole roletype.RoleType
+ ExpectedGrafanaAdmin *bool
+ ExpectedErr error
+ wantErr bool
+ }{
+ {
+ name: "Should give role from JSON and email from id token",
+ userRawJSON: `{ "email": "okta-octopus@grafana.com", "role": "Admin" }`,
+ RoleAttributePath: "role",
+ OAuth2Extra: map[string]interface{}{
+ // {
+ // "email": "okto.octopus@test.com"
+ // },
+ "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQWRtaW4iLCJlbWFpbCI6Im9rdG8ub2N0b3B1c0B0ZXN0LmNvbSJ9.yhg0nvYCpMVCVrRvwtmHzhF0RJqid_YFbjJ_xuBCyHs",
+ },
+ ExpectedEmail: "okto.octopus@test.com",
+ ExpectedRole: "Admin",
+ ExpectedGrafanaAdmin: boolPointer,
+ wantErr: false,
+ },
+ {
+ name: "Should give empty role and nil pointer for GrafanaAdmin when skip org role sync enable",
+ userRawJSON: `{ "email": "okta-octopus@grafana.com", "role": "Admin" }`,
+ RoleAttributePath: "role",
+ settingSkipOrgRoleSync: true,
+ OAuth2Extra: map[string]interface{}{
+ // {
+ // "email": "okto.octopus@test.com"
+ // },
+ "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQWRtaW4iLCJlbWFpbCI6Im9rdG8ub2N0b3B1c0B0ZXN0LmNvbSJ9.yhg0nvYCpMVCVrRvwtmHzhF0RJqid_YFbjJ_xuBCyHs",
+ },
+ ExpectedEmail: "okto.octopus@test.com",
+ ExpectedRole: "",
+ ExpectedGrafanaAdmin: boolPointer,
+ wantErr: false,
+ },
+ {
+ name: "Should give grafanaAdmin role for specific GrafanaAdmin in the role assignement",
+ userRawJSON: fmt.Sprintf(`{ "email": "okta-octopus@grafana.com", "role": "%s" }`, RoleGrafanaAdmin),
+ RoleAttributePath: "role",
+ allowAssignGrafanaAdmin: true,
+ OAuth2Extra: map[string]interface{}{
+ // {
+ // "email": "okto.octopus@test.com"
+ // },
+ "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQWRtaW4iLCJlbWFpbCI6Im9rdG8ub2N0b3B1c0B0ZXN0LmNvbSJ9.yhg0nvYCpMVCVrRvwtmHzhF0RJqid_YFbjJ_xuBCyHs",
+ },
+ ExpectedEmail: "okto.octopus@test.com",
+ ExpectedRole: "Admin",
+ ExpectedGrafanaAdmin: trueBoolPtr(),
+ wantErr: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ server := httptest.NewServer(http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+ writer.WriteHeader(http.StatusOK)
+ // return JSON if matches user endpoint
+ if strings.HasSuffix(request.URL.String(), "/user") {
+ writer.Header().Set("Content-Type", "application/json")
+ _, err := writer.Write([]byte(tt.userRawJSON))
+ require.NoError(t, err)
+ } else {
+ writer.WriteHeader(http.StatusNotFound)
+ }
+ }))
+ defer server.Close()
+ provider := &SocialOkta{
+ SocialBase: newSocialBase("okta", &oauth2.Config{},
+ &OAuthInfo{RoleAttributePath: tt.RoleAttributePath}, tt.autoAssignOrgRole, false, *featuremgmt.WithFeatures()),
+ apiUrl: server.URL + "/user",
+ skipOrgRoleSync: tt.settingSkipOrgRoleSync,
+ }
+ provider.allowAssignGrafanaAdmin = tt.allowAssignGrafanaAdmin
+ provider.roleAttributePath = tt.RoleAttributePath
+ // create a oauth2 token with a id_token
+ staticToken := oauth2.Token{
+ AccessToken: "",
+ TokenType: "",
+ RefreshToken: "",
+ Expiry: time.Now(),
+ }
+ token := staticToken.WithExtra(tt.OAuth2Extra)
+ got, err := provider.UserInfo(server.Client(), token)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("UserInfo() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ require.Equal(t, tt.ExpectedEmail, got.Email)
+ require.Equal(t, tt.ExpectedRole, got.Role)
+ require.Equal(t, tt.ExpectedGrafanaAdmin, got.IsGrafanaAdmin)
+ })
+ }
+}