back-channel logout 서비스 및 핸들러 테스트 추가

2026-05-04 11:01:46 +09:00
parent 0664640c6f
commit a72df2e839
3 changed files with 255 additions and 0 deletions
--- a/backend/internal/service/backchannel_logout_service_test.go
+++ b/backend/internal/service/backchannel_logout_service_test.go
@@ -0,0 +1,85 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"testing"
+
+	"github.com/go-jose/go-jose/v4"
+	josejwt "github.com/go-jose/go-jose/v4/jwt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBackchannelLogoutService_BuildLogoutToken(t *testing.T) {
+	t.Setenv("BACKCHANNEL_LOGOUT_ISSUER", "https://sso.example.com/oidc")
+
+	svc, err := NewBackchannelLogoutService()
+	require.NoError(t, err)
+
+	token, err := svc.BuildLogoutToken("client-1", "user-1", "sid-1")
+	require.NoError(t, err)
+	require.NotEmpty(t, token)
+
+	jwksRaw, err := svc.MarshalPublicJWKS()
+	require.NoError(t, err)
+
+	var jwks struct {
+		Keys []jose.JSONWebKey `json:"keys"`
+	}
+	require.NoError(t, json.Unmarshal(jwksRaw, &jwks))
+	require.Len(t, jwks.Keys, 1)
+
+	parsed, err := josejwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.RS256})
+	require.NoError(t, err)
+
+	var claims struct {
+		Issuer  string                 `json:"iss"`
+		Subject string                 `json:"sub"`
+		Aud     interface{}            `json:"aud"`
+		Iat     int64                  `json:"iat"`
+		Jti     string                 `json:"jti"`
+		Sid     string                 `json:"sid"`
+		Events  map[string]interface{} `json:"events"`
+	}
+	require.NoError(t, parsed.Claims(jwks.Keys[0].Key, &claims))
+
+	assert.Equal(t, "https://sso.example.com/oidc", claims.Issuer)
+	assert.Equal(t, "user-1", claims.Subject)
+	switch aud := claims.Aud.(type) {
+	case string:
+		assert.Equal(t, "client-1", aud)
+	case []interface{}:
+		assert.Len(t, aud, 1)
+		assert.Equal(t, "client-1", aud[0])
+	default:
+		t.Fatalf("unexpected aud type: %T", claims.Aud)
+	}
+	assert.NotZero(t, claims.Iat)
+	assert.NotEmpty(t, claims.Jti)
+	assert.Equal(t, "sid-1", claims.Sid)
+	_, ok := claims.Events[backchannelLogoutEventURI]
+	assert.True(t, ok)
+}
+
+func TestBackchannelLogoutService_SendLogoutToken(t *testing.T) {
+	var body string
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method)
+		assert.Equal(t, "application/x-www-form-urlencoded", r.Header.Get("Content-Type"))
+		raw, _ := io.ReadAll(r.Body)
+		body = string(raw)
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	svc, err := NewBackchannelLogoutService()
+	require.NoError(t, err)
+	svc.HTTPClient = clientForHandler(handler)
+
+	statusCode, err := svc.SendLogoutToken(context.Background(), "https://rp.example.com/backchannel-logout", "signed-token")
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusNoContent, statusCode)
+	assert.Equal(t, "logout_token=signed-token", body)
+}