Addressed review comment and added unit test

2025-05-21 16:33:55 +02:00 · 2025-02-09 20:50:52 +11:00 · 2025-02-09 20:50:52 +11:00 · 0efa4166dd
parent 58f266dc0d
commit 0efa4166dd
4 changed files with 32 additions and 5 deletions
--- a/proto/src/oauth2.rs
+++ b/proto/src/oauth2.rs
@ -450,7 +450,7 @@ pub struct OidcWebfingerRel {
 }

 /// The response to an Webfinger request. Only a subset of the body is defined here.
-/// <https://datatracker.ietf.org/doc/html/rfc7033>
+/// <https://datatracker.ietf.org/doc/html/rfc7033#section-4.4>
 #[skip_serializing_none]
 #[derive(Serialize, Deserialize, Debug)]
 pub struct OidcWebfingerResponse {
--- a/server/core/src/actors/v1_read.rs
+++ b/server/core/src/actors/v1_read.rs
@ -1522,7 +1522,7 @@ impl QueryServerReadV1 {
        eventid: Uuid,
    ) -> Result<OidcWebfingerResponse, OperationError> {
        let mut idms_prox_read = self.idms.proxy_read().await?;
-        idms_prox_read.oauth2_openid_webfinger_discovery(&client_id, &resource_id)
+        idms_prox_read.oauth2_openid_webfinger(&client_id, &resource_id)
    }

    #[instrument(
--- a/server/core/src/https/oauth2.rs
+++ b/server/core/src/https/oauth2.rs
@ -552,13 +552,12 @@ pub async fn oauth2_openid_webfinger_get(
    // Query(rel): Query<Vec<String>>,
    Extension(kopid): Extension<KOpId>,
 ) -> impl IntoResponse {
-
    let Oauth2OpenIdWebfingerQuery { resource } = query;

    let cleaned_resource = if resource.starts_with("acct:") {
        resource[5..].to_string()
    } else {
-        resource
+        resource.clone()
    };

    let res = state
--- a/server/lib/src/idm/oauth2.rs
+++ b/server/lib/src/idm/oauth2.rs
@ -2743,7 +2743,7 @@ impl IdmServerProxyReadTransaction<'_> {
    }

    #[instrument(level = "debug", skip_all)]
-    pub fn oauth2_openid_webfinger_discovery(
+    pub fn oauth2_openid_webfinger(
        &mut self,
        client_id: &str,
        resource_id: &str,
@ -5472,6 +5472,34 @@ mod tests {
            .expect("Oauth2 authorisation failed");
    }

+    #[idm_test]
+    async fn test_idm_oauth2_webfinger(idms: &IdmServer, _idms_delayed: &mut IdmServerDelayed) {
+        let ct = Duration::from_secs(TEST_CURRENT_TIME);
+        let (_secret, _uat, _ident, _) =
+            setup_oauth2_resource_server_basic(idms, ct, true, false, true).await;
+        let mut idms_prox_read = idms.proxy_read().await.unwrap();
+
+        let user = "testperson1@example.com";
+
+        let webfinger = idms_prox_read
+            .oauth2_openid_webfinger("test_resource_server", user)
+            .expect("Failed to get webfinger");
+
+        assert_eq!(webfinger.subject, user);
+        assert_eq!(webfinger.links.len(), 1);
+
+        let link = &webfinger.links[0];
+        assert_eq!(link.rel, "http://openid.net/specs/connect/1.0/issuer");
+        assert_eq!(
+            link.href,
+            "https://idm.example.com/oauth2/openid/test_resource_server"
+        );
+
+        let failed_webfinger = idms_prox_read
+            .oauth2_openid_webfinger("test_resource_server", "someone@another.domain");
+        assert!(failed_webfinger.is_err());
+    }
+
    #[idm_test]
    async fn test_idm_oauth2_openid_legacy_crypto(
        idms: &IdmServer,