-
Notifications
You must be signed in to change notification settings - Fork 186
Expand file tree
/
Copy pathsso_discovery.rs
More file actions
93 lines (85 loc) · 3.2 KB
/
Copy pathsso_discovery.rs
File metadata and controls
93 lines (85 loc) · 3.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
//! Tests for the `discover_sso` (update, drives) / `get_sso_discovery` (query,
//! reads state) allowlist gate.
use canister_tests::api::internet_identity as api;
use canister_tests::framework::*;
use internet_identity_interface::internet_identity::types::{
InternetIdentityInit, SsoDiscoveryState,
};
/// On a non-production install only `beta.dfinity.org` is allowed by default;
/// the query reports `NotAllowed` for other domains (including the production
/// domain) and `Pending` for the allowed one.
#[test]
fn sso_discovery_gates_on_allowlist() {
let env = env();
let canister_id =
install_ii_canister_with_arg_and_cycles(&env, II_WASM.clone(), None, 10_000_000_000_000);
// Arbitrary and production domains are not allowed on a non-production canister.
assert_eq!(
api::get_sso_discovery(&env, canister_id, "evil.example.com").unwrap(),
SsoDiscoveryState::NotAllowed
);
assert_eq!(
api::get_sso_discovery(&env, canister_id, "dfinity.org").unwrap(),
SsoDiscoveryState::NotAllowed
);
// The default non-production domain is allowed and reads `Pending` until
// warm; driving it is accepted (a no-op until the fetch lands).
assert_eq!(
api::get_sso_discovery(&env, canister_id, "beta.dfinity.org").unwrap(),
SsoDiscoveryState::Pending
);
api::discover_sso(&env, canister_id, "beta.dfinity.org").unwrap();
}
/// An explicit `sso_discoverable_domains` allowlist replaces the built-in
/// defaults.
#[test]
fn sso_discovery_honours_explicit_allowlist() {
let env = env();
let arg = InternetIdentityInit {
sso_discoverable_domains: Some(vec!["example.com".to_string()]),
..Default::default()
};
let canister_id = install_ii_canister_with_arg_and_cycles(
&env,
II_WASM.clone(),
Some(arg),
10_000_000_000_000,
);
assert_eq!(
api::get_sso_discovery(&env, canister_id, "example.com").unwrap(),
SsoDiscoveryState::Pending
);
// The default domain is no longer allowed once an explicit list is set.
assert_eq!(
api::get_sso_discovery(&env, canister_id, "beta.dfinity.org").unwrap(),
SsoDiscoveryState::NotAllowed
);
}
/// The `sso_allow_any_domain` deploy flag opens the gate to every domain: a
/// domain off the allowlist reads `Pending` instead of `NotAllowed`.
#[test]
fn sso_allow_any_domain_opens_the_gate() {
let env = env();
let arg = InternetIdentityInit {
sso_discoverable_domains: Some(vec!["example.com".to_string()]),
sso_allow_any_domain: Some(true),
..Default::default()
};
let canister_id = install_ii_canister_with_arg_and_cycles(
&env,
II_WASM.clone(),
Some(arg),
10_000_000_000_000,
);
// The explicit entry is still allowed.
assert_eq!(
api::get_sso_discovery(&env, canister_id, "example.com").unwrap(),
SsoDiscoveryState::Pending
);
// A domain off the allowlist is now accepted rather than `NotAllowed`.
assert_eq!(
api::get_sso_discovery(&env, canister_id, "evil.example.com").unwrap(),
SsoDiscoveryState::Pending
);
api::discover_sso(&env, canister_id, "evil.example.com").unwrap();
}