auth code flow integration test

Author: ponachte

containers/aggregator-server/model/registration.go

@@ -48,7 +48,7 @@ type RegistrationResponse struct {
 
 // AuthorizationCodeStartResponse represents the response for authorization_code start phase
 type AuthorizationCodeStartResponse struct {
-	AggregatorClientID  string `json:"client_id"`
+	AggregatorClientID  string `json:"aggregator_client_id"`
 	CodeChallenge       string `json:"code_challenge"`
 	CodeChallengeMethod string `json:"code_challenge_method"`
 	State               string `json:"state"`

containers/aggregator-server/registration/registration.go

@@ -148,6 +148,11 @@ func handleRegistrationDelete(w http.ResponseWriter, r *http.Request) {
 	}
 	logrus.Infof("Kubernetes resources deleted for aggregator: %s", req.AggregatorID)
 
+	// Delete user tokens
+	if inst.RegistrationType != "none" {
+		deleteTokens(inst.OwnerID)
+	}
+
 	// Delete from storage
 	logrus.Infof("Deleting aggregator instance from storage: %s", req.AggregatorID)
 	if err := instance.DeleteAggregatorInstance(req.AggregatorID); err != nil {

containers/aggregator-server/registration/registration_authorization_code.go

@@ -220,7 +220,7 @@ func handleAuthorizationCodeFinish(w http.ResponseWriter, req model.Registration
 	var inst *instance.AggregatorInstance
 	if isUpdate {
 		// Check if aggregator exists
-		inst, err := instance.GetAggregatorInstance(storedData.AggregatorID)
+		inst, err = instance.GetAggregatorInstance(storedData.AggregatorID)
 		if err != nil {
 			logrus.WithError(err).Error("Failed to retrieve aggregator for update")
 			http.Error(w, "Aggregator not found for update", http.StatusNotFound)

containers/aggregator-server/registration/tokens.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"time"
 )
 
@@ -21,6 +22,7 @@ type TokenResponse struct {
 }
 
 type StoreRequest struct {
+	UserID       string `json:"user_id"`
 	AccessToken  string `json:"access_token"`
 	RefreshToken string `json:"refresh_token"`
 	IDToken      string `json:"id_token"`
@@ -41,6 +43,7 @@ func storeTokens(
 	expiryUnix := time.Now().Add(time.Duration(tok.ExpiresIn) * time.Second).Unix()
 
 	reqBody := StoreRequest{
+		UserID:       userID,
 		AccessToken:  tok.AccessToken,
 		RefreshToken: tok.RefreshToken,
 		IDToken:      tok.IDToken,
@@ -55,16 +58,10 @@ func storeTokens(
 		return err
 	}
 
-	url := fmt.Sprintf(
-		"http://token-service.%s.svc.cluster.local:8080/token/%s",
-		model.Namespace,
-		userID,
-	)
-
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "http://token-service:8080/token", bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
@@ -94,6 +91,7 @@ func updateTokens(
 	expiryUnix := time.Now().Add(time.Duration(tok.ExpiresIn) * time.Second).Unix()
 
 	reqBody := StoreRequest{
+		UserID:       userID,
 		AccessToken:  tok.AccessToken,
 		RefreshToken: tok.RefreshToken,
 		IDToken:      tok.IDToken,
@@ -108,16 +106,10 @@ func updateTokens(
 		return err
 	}
 
-	url := fmt.Sprintf(
-		"http://token-service.%s.svc.cluster.local:8080/token/%s",
-		model.Namespace,
-		userID,
-	)
-
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	req, err := http.NewRequestWithContext(ctx, http.MethodPut, url, bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, http.MethodPut, "http://token-service:8080/token", bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
@@ -129,10 +121,41 @@ func updateTokens(
 	}
 	defer resp.Body.Close()
 
-	if resp.StatusCode != http.StatusCreated {
+	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
 		return fmt.Errorf("token service returned %d: %s", resp.StatusCode, string(body))
 	}
 
 	return nil
 }
+
+func deleteTokens(userID string) error {
+	encodedID := url.QueryEscape(userID)
+
+	endpoint := fmt.Sprintf(
+		"http://token-service:8080/token?id=%s",
+		encodedID,
+	)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, endpoint, nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := model.HttpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNoContent &&
+		resp.StatusCode != http.StatusOK &&
+		resp.StatusCode != http.StatusNotFound {
+		return fmt.Errorf("unexpected status from token service: %d", resp.StatusCode)
+	}
+
+	return nil
+}

containers/aggregator/config/description.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -71,10 +72,13 @@ func handleAggregatorDescription(w http.ResponseWriter, r *http.Request) {
 }
 
 func checkLoginStatus() bool {
+	// URL-encode the userID for safe use as a query parameter
+	encodedID := url.QueryEscape(model.Owner.UserId)
+
 	url := fmt.Sprintf(
-		"http://token-service.%s.svc.cluster.local:8080/loginstatus/%s",
+		"http://token-service.%s.svc.cluster.local:8080/loginstatus?id=%s",
 		model.Namespace,
-		model.Owner.UserId,
+		encodedID,
 	)
 
 	req, err := http.NewRequest(http.MethodGet, url, nil)

containers/egress-uma/tokens.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"github.com/sirupsen/logrus"
 )
@@ -16,7 +17,13 @@ func getAccessToken() (string, error) {
 		"component": "token_service",
 	})
 
-	url := fmt.Sprintf("http://token-service:8080/token/%s", UserId)
+	// URL-encode the userID for safe use as a query parameter
+	encodedID := url.QueryEscape(UserId)
+
+	url := fmt.Sprintf(
+		"http://token-service:8080/token?id=%s",
+		encodedID,
+	)
 
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {

containers/ingress-uma/auth/credentials.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"ingress-uma/model"
 	"net/http"
+	"net/url"
 	"sync"
 	"time"
 
@@ -371,7 +372,13 @@ func getIDToken(userId string) (string, error) {
 		"component": "token_service",
 	})
 
-	url := fmt.Sprintf("http://token-service:8080/token/%s", userId)
+	// URL-encode the userID for safe use as a query parameter
+	encodedID := url.QueryEscape(userId)
+
+	url := fmt.Sprintf(
+		"http://token-service:8080/token?id=%s",
+		encodedID,
+	)
 
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {

containers/token-service/main.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"os/signal"
 	"strings"
@@ -51,8 +52,8 @@ func main() {
 
 	log.Info("Starting token service")
 
-	http.HandleFunc("/token/", tokenHandler)
-	http.HandleFunc("/loginstatus/", authorizedHandler)
+	http.HandleFunc("/token", tokenHandler)
+	http.HandleFunc("/loginstatus", authorizedHandler)
 	http.HandleFunc("/healthz", healthHandler)
 
 	// Listen for SIGTERM
@@ -96,22 +97,22 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func tokenHandler(w http.ResponseWriter, r *http.Request) {
-	userID := r.URL.Path[len("/token/"):]
 	switch r.Method {
 	case http.MethodPost:
-		handleStore(w, r, userID)
+		handleStore(w, r)
 	case http.MethodPut:
-		handleUpdate(w, r, userID)
+		handleUpdate(w, r)
 	case http.MethodGet:
-		handleGet(w, r, userID)
+		handleGet(w, r)
 	case http.MethodDelete:
-		handleDelete(w, r, userID)
+		handleDelete(w, r)
 	default:
 		w.WriteHeader(http.StatusMethodNotAllowed)
 	}
 }
 
 type StoreRequest struct {
+	UserID       string `json:"user_id"`
 	AccessToken  string `json:"access_token"`
 	RefreshToken string `json:"refresh_token"`
 	IDToken      string `json:"id_token"`
@@ -121,21 +122,21 @@ type StoreRequest struct {
 	ClientSecret string `json:"client_secret"`
 }
 
-func handleStore(w http.ResponseWriter, r *http.Request, userID string) {
-	_, exists := store.tokens[userID]
-	if exists {
-		log.WithField("user_id", userID).Warn("Token store requested but existing token found")
-		http.Error(w, "User tokens already exists. Use PUT to update a token", 409)
-		return
-	}
-
+func handleStore(w http.ResponseWriter, r *http.Request) {
 	var req StoreRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		log.WithError(err).Warn("Invalid store request")
 		http.Error(w, err.Error(), 400)
 		return
 	}
 
+	_, exists := store.tokens[req.UserID]
+	if exists {
+		log.WithField("user_id", req.UserID).Warn("Token store requested but existing token found")
+		http.Error(w, "User tokens already exists. Use PUT to update a token", 409)
+		return
+	}
+
 	provider, err := oidc.NewProvider(ctx, req.Issuer)
 	if err != nil {
 		http.Error(w, err.Error(), 400)
@@ -159,26 +160,26 @@ func handleStore(w http.ResponseWriter, r *http.Request, userID string) {
 		Expiry:       time.Unix(req.Expiry, 0),
 	}
 
-	storeToken(userID, token, req.IDToken, oauthConfig, req.Issuer)
+	storeToken(req.UserID, token, req.IDToken, oauthConfig, req.Issuer)
 
 	w.WriteHeader(http.StatusCreated)
 }
 
-func handleUpdate(w http.ResponseWriter, r *http.Request, userID string) {
-	_, exists := store.tokens[userID]
-	if !exists {
-		log.WithField("user_id", userID).Warn("Token update requested but no existing token found")
-		http.Error(w, "User tokens not found. Use POST to create a token", 404)
-		return
-	}
-
+func handleUpdate(w http.ResponseWriter, r *http.Request) {
 	var req StoreRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		log.WithError(err).Warn("Invalid update request")
 		http.Error(w, err.Error(), 400)
 		return
 	}
 
+	_, exists := store.tokens[req.UserID]
+	if !exists {
+		log.WithField("user_id", req.UserID).Warn("Token update requested but no existing token found")
+		http.Error(w, "User tokens not found. Use POST to create a token", 404)
+		return
+	}
+
 	provider, err := oidc.NewProvider(ctx, req.Issuer)
 	if err != nil {
 		http.Error(w, err.Error(), 400)
@@ -202,7 +203,7 @@ func handleUpdate(w http.ResponseWriter, r *http.Request, userID string) {
 		Expiry:       time.Unix(req.Expiry, 0),
 	}
 
-	storeToken(userID, token, req.IDToken, oauthConfig, req.Issuer)
+	storeToken(req.UserID, token, req.IDToken, oauthConfig, req.Issuer)
 
 	w.WriteHeader(http.StatusOK)
 }
@@ -220,7 +221,21 @@ func storeToken(userID string, token *oauth2.Token, idToken string, config *oaut
 	log.WithField("user_id", userID).Info("Stored token")
 }
 
-func handleGet(w http.ResponseWriter, _ *http.Request, userID string) {
+func handleGet(w http.ResponseWriter, r *http.Request) {
+	// Get the userID from the query parameter
+	encodedID := r.URL.Query().Get("id")
+	if encodedID == "" {
+		http.Error(w, "Missing 'id' query parameter", http.StatusBadRequest)
+		return
+	}
+
+	// URL-decode the userID
+	userID, err := url.QueryUnescape(encodedID)
+	if err != nil {
+		http.Error(w, "Invalid 'id' query parameter", http.StatusBadRequest)
+		return
+	}
+
 	entry, err := getEntry(userID)
 	if err != nil {
 		log.WithField("user_id", userID).Warn("Token not found")
@@ -241,7 +256,21 @@ func handleGet(w http.ResponseWriter, _ *http.Request, userID string) {
 	})
 }
 
-func handleDelete(w http.ResponseWriter, _ *http.Request, userID string) {
+func handleDelete(w http.ResponseWriter, r *http.Request) {
+	// Get the userID from the query parameter
+	encodedID := r.URL.Query().Get("id")
+	if encodedID == "" {
+		http.Error(w, "Missing 'id' query parameter", http.StatusBadRequest)
+		return
+	}
+
+	// URL-decode the userID
+	userID, err := url.QueryUnescape(encodedID)
+	if err != nil {
+		http.Error(w, "Invalid 'id' query parameter", http.StatusBadRequest)
+		return
+	}
+
 	store.mu.Lock()
 	delete(store.tokens, userID)
 	store.mu.Unlock()
@@ -256,7 +285,19 @@ func authorizedHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	userID := r.URL.Path[len("/loginstatus/"):]
+	// Get the userID from the query parameter
+	encodedID := r.URL.Query().Get("id")
+	if encodedID == "" {
+		http.Error(w, "Missing 'id' query parameter", http.StatusBadRequest)
+		return
+	}
+
+	// URL-decode the userID
+	userID, err := url.QueryUnescape(encodedID)
+	if err != nil {
+		http.Error(w, "Invalid 'id' query parameter", http.StatusBadRequest)
+		return
+	}
 
 	entry, err := getEntry(userID)
 	if err != nil {