oauthtest

package

v0.30.1 Latest Latest Go to latest Published: Jun 23, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/stacklok/toolhive

Links

Documentation ¶

Overview ¶

Package oauthtest provides shared test fixtures for OAuth 2.0 response decoding. It is intended for use by tests in pkg/oauth and by sibling grant packages (token exchange, JWT bearer, etc.) so they share a single canonical response-builder rather than each maintaining a parallel copy that can drift.

Index ¶

func NewRealTokenSource(tokenEndpointURL string) oauth2.TokenSource
type ControllableServer
- func NewControllableServer() *ControllableServer
- func (s *ControllableServer) RequestCount() int
- func (s *ControllableServer) SetMode(m FailureMode)
type ErrorResponseBuilder
- func NewErrorResponse() *ErrorResponseBuilder
type FailureMode
type ResponseBuilder
- func NewResponse() *ResponseBuilder

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewRealTokenSource ¶ added in v0.30.1

func NewRealTokenSource(tokenEndpointURL string) oauth2.TokenSource

NewRealTokenSource builds a real golang.org/x/oauth2 token source pointed at the given token endpoint URL (typically a ControllableServer's URL). The returned source is hardcoded with a fixed initial refresh token ("test-refresh-token") and an expiry one hour in the past, so the first Token() call always triggers an HTTP refresh against the endpoint.

This is intentionally non-configurable. Tests that need to exercise "valid current token, will not refresh yet" or "refresh token rotation" scenarios should construct their own oauth2.TokenSource directly rather than extending this helper.

Types ¶

type ControllableServer ¶ added in v0.30.1

type ControllableServer struct {
	*httptest.Server
	// contains filtered or unexported fields
}

ControllableServer is an httptest.NewServer with a programmable token endpoint. Tests flip the mode at runtime to drive the token source under test through specific error shapes. Used to write end-to-end tests that exercise the real golang.org/x/oauth2 library against actual HTTP responses rather than synthetic Go values.

Construct with NewControllableServer, swap behavior with SetMode, and close via the embedded *httptest.Server's Close().

func NewControllableServer ¶ added in v0.30.1

func NewControllableServer() *ControllableServer

NewControllableServer returns a server in ModeSuccess. Success responses use a fixed 1-second expires_in (see serverExpiresInSeconds for rationale).

func (*ControllableServer) RequestCount ¶ added in v0.30.1

func (s *ControllableServer) RequestCount() int

RequestCount returns the number of token-endpoint requests observed so far. Useful for tests that need to assert refresh activity occurred.

func (*ControllableServer) SetMode ¶ added in v0.30.1

func (s *ControllableServer) SetMode(m FailureMode)

SetMode swaps the response behavior. Concurrent-safe.

type ErrorResponseBuilder ¶

type ErrorResponseBuilder struct {
	ErrorCode        string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
	ErrorURI         string `json:"error_uri,omitempty"`
}

ErrorResponseBuilder composes a JSON-encoded OAuth 2.0 error response per RFC 6749 Section 5.2. Fluent setters populate only the listed fields — unset fields are omitted from the JSON output so callers can simulate minimal servers that return only the required error code.

func NewErrorResponse ¶

func NewErrorResponse() *ErrorResponseBuilder

NewErrorResponse returns an empty builder. Tests call WithError at minimum to produce a valid RFC 6749 §5.2 body.

func (*ErrorResponseBuilder) Build ¶

func (b *ErrorResponseBuilder) Build() []byte

Build marshals the builder to JSON. Panics on marshaling errors; the underlying types are simple and failure indicates a programming error in the test itself.

func (*ErrorResponseBuilder) WithDescription ¶

func (b *ErrorResponseBuilder) WithDescription(description string) *ErrorResponseBuilder

WithDescription sets error_description.

func (*ErrorResponseBuilder) WithError ¶

func (b *ErrorResponseBuilder) WithError(code string) *ErrorResponseBuilder

WithError sets the error code (RFC 6749 §5.2 required field).

func (*ErrorResponseBuilder) WithURI ¶

func (b *ErrorResponseBuilder) WithURI(uri string) *ErrorResponseBuilder

WithURI sets error_uri.

type FailureMode ¶ added in v0.30.1

type FailureMode int

FailureMode controls how a ControllableServer responds to a token endpoint request. ModeSuccess returns a valid JSON token response; the other modes produce error shapes commonly observed in production.

const (
	// ModeSuccess returns 200 with a valid JSON token response carrying
	// access_token, token_type=Bearer, expires_in, and refresh_token.
	ModeSuccess FailureMode = iota
	// ModeWAFBlock returns 403 with an HTML body and no RFC 6749 error code —
	// the shape commonly returned by WAFs, CDNs, or reverse proxies that
	// block a request before it reaches the OAuth server. Classified as
	// transient (4xx without an OAuth error code) per RFC 6749 §5.2; see
	// pkg/auth/monitored_token_source.go isTransientRetrieveError.
	ModeWAFBlock
	// ModeServerError returns 500. Treated as transient.
	ModeServerError
	// ModeInvalidGrant returns 400 with {"error":"invalid_grant"}. Treated as
	// permanent (RFC 6749 §5.2).
	ModeInvalidGrant
)

type ResponseBuilder ¶

type ResponseBuilder struct {
	AccessToken     string `json:"access_token,omitempty"`
	TokenType       string `json:"token_type,omitempty"`
	ExpiresIn       int    `json:"expires_in,omitempty"`
	RefreshToken    string `json:"refresh_token,omitempty"`
	IssuedTokenType string `json:"issued_token_type,omitempty"`
	Scope           string `json:"scope,omitempty"`
}

ResponseBuilder composes a JSON-encoded OAuth 2.0 token endpoint success response. Fluent setters leave unset fields as their zero value, matching the behavior of a minimal IdP reply. Build returns the marshaled JSON bytes ready to write into an httptest response.

func NewResponse ¶

func NewResponse() *ResponseBuilder

NewResponse returns a builder pre-populated with a minimal valid RFC 8693 success response (access token, Bearer type, access-token URN for issued type). Tests override any field they care about via the With* setters.

func (*ResponseBuilder) Build ¶

func (b *ResponseBuilder) Build() []byte

Build marshals the builder to JSON. Panics on marshaling errors; the underlying types are simple and failure indicates a programming error in the test itself.

func (*ResponseBuilder) WithAccessToken ¶

func (b *ResponseBuilder) WithAccessToken(token string) *ResponseBuilder

WithAccessToken overrides the access_token field (including the empty string, which lets tests exercise RFC 6749 §5.1 validation).

func (*ResponseBuilder) WithExpiresIn ¶

func (b *ResponseBuilder) WithExpiresIn(seconds int) *ResponseBuilder

WithExpiresIn sets the expires_in field. Zero suppresses the field (omitempty) so callers can assert the no-expiry path.

func (*ResponseBuilder) WithIssuedTokenType ¶

func (b *ResponseBuilder) WithIssuedTokenType(tokenType string) *ResponseBuilder

WithIssuedTokenType sets the RFC 8693 issued_token_type field.

func (*ResponseBuilder) WithRefreshToken ¶

func (b *ResponseBuilder) WithRefreshToken(token string) *ResponseBuilder

WithRefreshToken sets the refresh_token field.

func (*ResponseBuilder) WithScope ¶

func (b *ResponseBuilder) WithScope(scope string) *ResponseBuilder

WithScope sets the scope field (space-separated).

func (*ResponseBuilder) WithTokenType ¶

func (b *ResponseBuilder) WithTokenType(tokenType string) *ResponseBuilder

WithTokenType overrides the token_type field.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL