From 693b1b3bbec8fd556f746d60473fcc68acce604e Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Tue, 19 Oct 2021 21:10:19 +0200
Subject: [PATCH] test: add missing test for client assertion
---
pkg/openid/assertion_test.go | 51 ++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 pkg/openid/assertion_test.go
diff --git a/pkg/openid/assertion_test.go b/pkg/openid/assertion_test.go
new file mode 100644
index 0000000..e12fe52
--- /dev/null
+++ b/pkg/openid/assertion_test.go
@@ -0,0 +1,51 @@
+package openid_test
+
+import (
+ "testing"
+ "time"
+
+ "github.com/lestrrat-go/jwx/jwa"
+ "github.com/lestrrat-go/jwx/jwt"
+ "github.com/stretchr/testify/assert"
+
+ "github.com/nais/wonderwall/pkg/mock"
+ "github.com/nais/wonderwall/pkg/openid"
+ "github.com/nais/wonderwall/pkg/openid/scopes"
+)
+
+func TestAssertion(t *testing.T) {
+ provider := mock.NewTestProvider()
+ provider.OpenIDConfiguration.Issuer = "some-issuer"
+ provider.ClientConfiguration.ClientID = "client-id"
+ provider.ClientConfiguration.Scopes = scopes.DefaultScopes()
+
+ expiry := 30 * time.Second
+ assertionString, err := openid.ClientAssertion(provider, expiry)
+ assert.NoError(t, err)
+
+ key := provider.GetClientConfiguration().GetClientJWK()
+ publicKey, err := key.PublicKey()
+ assert.NoError(t, err)
+ opts := []jwt.ParseOption{
+ jwt.WithValidate(true),
+ jwt.WithVerify(jwa.SignatureAlgorithm(publicKey.Algorithm()), publicKey),
+ jwt.WithRequiredClaim(jwt.IssuedAtKey),
+ jwt.WithRequiredClaim(jwt.ExpirationKey),
+ jwt.WithRequiredClaim(jwt.JwtIDKey),
+ }
+
+ assertion, err := jwt.Parse([]byte(assertionString), opts...)
+ assert.NoError(t, err)
+
+ assert.ElementsMatch(t, []string{"some-issuer"}, assertion.Audience())
+ assert.Equal(t, "client-id", assertion.Issuer())
+ assert.Equal(t, "client-id", assertion.Subject())
+
+ scps, ok := assertion.Get("scope")
+ assert.True(t, ok)
+ assert.Equal(t, "openid", scps)
+
+ assert.True(t, assertion.IssuedAt().Before(time.Now()))
+ assert.True(t, assertion.Expiration().After(time.Now()))
+ assert.True(t, assertion.Expiration().Before(time.Now().Add(expiry)))
+}
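Review bot: The three `assert.NoError(t, err)` calls in `TestAssertion` do not stop the test, so if `openid.ClientAssertion` or `jwt.Parse` fails, `assertion` is presumably nil and `assertion.Audience()` panics instead of reporting the real error. Use `require.NoError(t, err)` from `github.com/stretchr/testify/require` at those three points. On coverage, `jwt.WithRequiredClaim(jwt.JwtIDKey)` only proves that a `jti` is present; that claim is what lets the authorization server reject a replayed assertion, so a second `openid.ClientAssertion` call checked with `assert.NotEqual(t, assertion.JwtID(), second.JwtID())` would pin that it is fresh each time. The lifetime is also bounded only loosely against `time.Now()`; comparing `assertion.Expiration().Sub(assertion.IssuedAt())` with `expiry` would tie `exp` to the requested lifetime, assuming the implementation derives both claims from the same instant.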