diff --git a/oauth2/fosite_store_helpers.go b/oauth2/fosite_store_helpers.go index f1c403ca34f..0f7af846ce5 100644 --- a/oauth2/fosite_store_helpers.go +++ b/oauth2/fosite_store_helpers.go @@ -1000,6 +1000,30 @@ func testFositeJWTBearerGrantStorage(x InternalRegistry) func(t *testing.T) { require.NotNil(t, jwks) require.NotEmpty(t, jwks.Keys) }) + + t.Run("case=does not return expired values", func(t *testing.T) { + keySet, err := jwk.GenerateJWK(context.Background(), jose.RS256, "issuer-key", "sig") + require.NoError(t, err) + + publicKey := keySet.Keys[0].Public() + issuer := "unlimited-issuer" + grant := trust.Grant{ + ID: uuid.New(), + Issuer: issuer, + Subject: "", + AllowAnySubject: true, + Scope: []string{"openid", "offline"}, + PublicKey: trust.PublicKey{Set: issuer, KeyID: publicKey.KeyID}, + CreatedAt: time.Now().UTC().Round(time.Second), + ExpiresAt: time.Now().UTC().Round(time.Second).AddDate(-1, 0, 0), + } + + err = grantManager.CreateGrant(context.TODO(), grant, publicKey) + require.NoError(t, err) + + _, err := grantStorage.GetPublicKeys(context.TODO(), issuer, "any-subject-3") + require.ErrorIs(t, err, sqlcon.ErrNoRows) + }) } } diff --git a/persistence/sql/persister_nid_test.go b/persistence/sql/persister_nid_test.go index cf23e95d365..2ca0f672be2 100644 --- a/persistence/sql/persister_nid_test.go +++ b/persistence/sql/persister_nid_test.go @@ -10,8 +10,6 @@ import ( "testing" "time" - "github.com/ory/x/sqlcon" - "github.com/stretchr/testify/assert" "github.com/ory/hydra/v2/persistence" 
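Review bot: The new "case=does not return expired values" subtest in oauth2/fosite_store_helpers.go redeclares `err` with `_, err := grantStorage.GetPublicKeys(...)` in the same closure scope where `keySet, err := jwk.GenerateJWK(...)` already declared it, which Go rejects with "no new variables on left side of :=", so the added test will not compile; the line should read `_, err = grantStorage.GetPublicKeys(context.TODO(), issuer, "any-subject-3")`. Since this subtest is now the only place the expired-grant behaviour is exercised (the "get expired key fails" subtest in persistence/sql/persister_nid_test.go is removed in the same commit), losing it to a compile error would leave the expiry check untested. The same block also mixes `context.Background()` and `context.TODO()` for calls within one test; picking one keeps the intent clear. The enclosing function testFositeJWTBearerGrantStorage starts and ends outside the hunk.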
@@ -1343,38 +1341,22 @@ func (s *PersisterTestSuite) TestGetPublicKeys() {
 	t := s.T()
 	for k, r := range s.registries {
 		t.Run(k, func(t *testing.T) {
-			t.Run("get key", func(t *testing.T) {
-				ks := newKeySet("ks-id", "use")
-				grant := trust.Grant{
-					ID: uuid.Must(uuid.NewV4()).String(),
-					ExpiresAt: time.Now().Add(time.Hour),
-					PublicKey: trust.PublicKey{Set: "ks-id", KeyID: ks.Keys[0].KeyID},
-				}
-				require.NoError(t, r.Persister().AddKeySet(s.t1, "ks-id", ks))
-				require.NoError(t, r.Persister().CreateGrant(s.t1, grant, ks.Keys[0]))
-
-				actual, err := r.Persister().GetPublicKeys(s.t2, grant.Issuer, grant.Subject)
-				require.NoError(t, err)
-				require.Nil(t, actual.Keys)
+			ks := newKeySet("ks-id", "use")
+			grant := trust.Grant{
+				ID: uuid.Must(uuid.NewV4()).String(),
+				ExpiresAt: time.Now().Add(time.Hour),
+				PublicKey: trust.PublicKey{Set: "ks-id", KeyID: ks.Keys[0].KeyID},
+			}
+			require.NoError(t, r.Persister().AddKeySet(s.t1, "ks-id", ks))
+			require.NoError(t, r.Persister().CreateGrant(s.t1, grant, ks.Keys[0]))
 
-				actual, err = r.Persister().GetPublicKeys(s.t1, grant.Issuer, grant.Subject)
-				require.NoError(t, err)
-				require.NotNil(t, actual.Keys)
-			})
+			actual, err := r.Persister().GetPublicKeys(s.t2, grant.Issuer, grant.Subject)
+			require.NoError(t, err)
+			require.Nil(t, actual.Keys)
 
-			t.Run("get expired key fails", func(t *testing.T) {
-				ks := newKeySet("ks-id", "use")
-				grant := trust.Grant{
-					ID: uuid.Must(uuid.NewV4()).String(),
-					ExpiresAt: time.Now().Add(-time.Hour),
-					PublicKey: trust.PublicKey{Set: "ks-id", KeyID: ks.Keys[0].KeyID},
-				}
-				require.NoError(t, r.Persister().AddKeySet(s.t1, "ks-id", ks))
-				require.NoError(t, r.Persister().CreateGrant(s.t1, grant, ks.Keys[0]))
-
-				_, err := r.Persister().GetPublicKeys(s.t2, grant.Issuer, grant.Subject)
-				require.ErrorIs(t, err, sqlcon.ErrNoRows)
-			})
+			actual, err = r.Persister().GetPublicKeys(s.t1, grant.Issuer, grant.Subject)
+			require.NoError(t, err)
+			require.NotNil(t, actual.Keys)
 		})
 	}
 }
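Review bot: The flattened body of TestGetPublicKeys in persistence/sql/persister_nid_test.go now asserts two outcomes back to back without saying why they differ: the lookup via `s.t2` expects no error and `actual.Keys` nil, while the lookup via `s.t1` expects non-nil keys. A short comment above the first lookup would make the isolation property explicit, e.g. `// The grant was created in s.t1; a lookup from s.t2 must not see its keys, while s.t1 must.` — presumably s.t1 and s.t2 are contexts for different networks, as the file name suggests, but that is inferred rather than visible here. Note that a nil key set with no error is the isolation outcome in this test, whereas the expired-grant case in oauth2/fosite_store_helpers.go expects `sqlcon.ErrNoRows`; worth a sentence so readers do not conflate the two. The function signature sits outside the hunk (only the `@@` header names it).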