openid-connect-0.1.0.0: example/certification.sh
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p curl
# shellcheck shell=bash
################################################################################
base="https://rp.certification.openid.net:8080"
client="hs-openid-connect"
################################################################################
out=$(pwd)/example
result="$out/result"
server_pid=
if [ ! -d "$out" ]; then
>&2 echo "ERROR: run this from the top-level directory"
exit 1
fi
if [ -z "$CLIENT_CONTACT" ]; then
>&2 echo "Please set CLIENT_CONTACT to an email address"
exit 1
fi
if [ -d "$result" ]; then
date=$(date +%Y-%m-%d-%H-%M-%S)
mv "$result" "$result-$date"
fi
mkdir -p "$result"
################################################################################
stop_server() {
if [ -n "$server_pid" ]; then
#echo "stop_server: $server_pid"
kill -s SIGTERM "$server_pid" > /dev/null 2>&1
wait "$server_pid" > /dev/null 2>&1
server_pid=
fi
}
################################################################################
start_server() {
path=$1; shift
./result/bin/example \
--provider "$base/$client/$path/.well-known/openid-configuration" \
--register "$CLIENT_CONTACT" "$@" \
> "$result/$path.server.stdout" \
2> "$result/$path.server.stderr" \
&
server_pid=$!
#echo "start_server: $server_pid"
sleep 5
if ! kill -n 0 "$server_pid"; then
>&2 echo "ERROR: server didn't start"
server_pid=
exit 1
fi
}
################################################################################
# Run curl(1) to make a certification request.
#
# Params:
#
# $1: the URL path
# $2: The test code.
# $3: Expected http status code
# $@: Passed on to curl
_curl() {
path=$1; shift
code=$1; shift
status=$1; shift
curl \
--verbose \
--insecure \
--location \
--cookie-jar "$out/cookies" \
--cookie "$out/cookies" \
--write-out "%{http_code}" \
--output "$result/$code.browser.stdout" \
"$@" "https://localhost:3000/$path" \
2>> "$result/$code.browser.stderr" \
1> "$result/$code.browers.code"
actual=$(cat "$result/$code.browers.code")
if [ "$actual" != "$status" ]; then
>&2 echo "FAIL: $actual != $status"
>&2 cat "$result/$code.browser.stdout"
exit 1
fi
}
################################################################################
trap stop_server EXIT
################################################################################
basic() {
test_code=$1; shift
expect_code=$1; shift
echo_test "$test_code"
start_server "$test_code" "$@"
_curl "login" "$test_code" "$expect_code"
stop_server
}
################################################################################
echo_profile() { echo "==>" "$@" ; }
echo_group() { echo " *" "$@" ; }
echo_test() { echo " |---->" "$@" ; }
skip() { echo_test "SKIP" "$1" ; }
pass() { echo_test "$@" ; }
################################################################################
# https://rp.certification.openid.net:8080/list?profile=C
profile_code() {
echo_profile "Profile: Basic RP"
echo_group "Response Type and Response Mode"
basic "rp-response_type-code" 200
echo_group "scope Request Parameter"
basic "rp-scope-userinfo-claims" 200
echo_group "nonce Request Parameter"
basic "rp-nonce-invalid" 403
echo_group "Client Authentication"
basic "rp-token_endpoint-client_secret_basic" 200
skip "rp-token_endpoint-private_key_jwt" 200 --force-private-jwt # FIXME
basic "rp-token_endpoint-client_secret_post" 200 --force-secret-post
basic "rp-token_endpoint-client_secret_jwt" 200 --force-secret-jwt
echo_group "ID Token"
basic "rp-id_token-kid-absent-single-jwks" 200
basic "rp-id_token-iat" 403
basic "rp-id_token-aud" 403
basic "rp-id_token-kid-absent-multiple-jwks" 200
basic "rp-id_token-sig-none" 403 # NOTE: spec says this should pass!
basic "rp-id_token-sig-rs256" 200
basic "rp-id_token-sub" 403
basic "rp-id_token-bad-sig-rs256" 403
basic "rp-id_token-issuer-mismatch" 403
skip "rp-id_token-sig+enc" 200 --request-token-enc
skip "rp-id_token-sig-hs256" 200
basic "rp-id_token-sig-es256" 200
skip "rp-id_token-sig+enc-a128kw" 200 --request-token-enc
skip "rp-id_token-bad-sig-hs256" 200
basic "rp-id_token-bad-sig-es256" 403
echo_group "UserInfo Endpoint"
skip "rp-userinfo-bad-sub-claim" # FIXME: REQUIRED
skip "rp-userinfo-bearer-header" # FIXME: REQUIRED
skip "rp-userinfo-sig"
skip "rp-userinfo-bearer-body"
skip "rp-userinfo-enc"
skip "rp-userinfo-sig+enc"
echo_group "Discovery"
skip "rp-discovery-webfinger-acct"
skip "rp-discovery-webfinger-http-href"
skip "rp-discovery-webfinger-url"
pass "rp-discovery-openid-configuration" # All tests do this
pass "rp-discovery-jwks_uri-keys" # All tests do this
skip "rp-discovery-issuer-not-matching-config"
skip "rp-discovery-webfinger-unknown-member"
echo_group "Dynamic Client Registration"
pass "rp-registration-dynamic" # All tests do this
echo_group "Response Type and Response Mode"
skip "rp-response_mode-form_post-error"
skip "rp-response_mode-form_post"
echo_group "request_uri Request Parameter"
skip "rp-request_uri-enc"
skip "rp-request_uri-sig"
skip "rp-request_uri-sig+enc"
skip "rp-request_uri-unsigned"
echo_group "Key Rotation"
skip "rp-key-rotation-op-sign-key-native"
skip "rp-key-rotation-op-sign-key"
skip "rp-key-rotation-op-enc-key"
echo_group "Claims Types"
skip "rp-claims-distributed"
skip "rp-claims-aggregated"
echo_group "3rd-Party Init SSO"
skip "rp-3rd_party-init-login"
echo_group "RP Initiated BackChannel Logout"
skip "rp-backchannel-rpinitlogout-lt-wrong-issuer"
skip "rp-backchannel-rpinitlogout-lt-no-event"
skip "rp-backchannel-rpinitlogout-lt-wrong-aud"
skip "rp-backchannel-rpinitlogout-lt-with-nonce"
skip "rp-backchannel-rpinitlogout-lt-wrong-event"
skip "rp-backchannel-rpinitlogout"
skip "rp-backchannel-rpinitlogout-lt-wrong-alg"
skip "rp-backchannel-rpinitlogout-lt-alg-none"
echo_group "RP Initiated FrontChannel Logout"
skip "rp-frontchannel-rpinitlogout"
skip "rp-init-logout-no-state"
skip "rp-init-logout-other-state"
skip "rp-init-logout"
echo_group "Session Management"
skip "rp-init-logout-session"
}
################################################################################
profile_code
# Local Variables:
# mode: sh
# sh-shell: bash
# End: