From 8bc725a804783306593892ca15304435b978eb36 Mon Sep 17 00:00:00 2001
From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
Date: Wed, 14 May 2025 15:02:01 -0500
Subject: [PATCH] add tests for "sub" value
---
 tests/.regress-config.template | 2 ++
 tests/001-oidcauth/main | 5 +++++
 tests/014-checkdefaultsub/main | 24 ++++++++++++++++++++++++
 tests/015-checkgroupsub/main | 26 ++++++++++++++++++++++++++
 4 files changed, 57 insertions(+)
 create mode 100644 tests/014-checkdefaultsub/main
 create mode 100644 tests/015-checkgroupsub/main
diff --git a/tests/.regress-config.template b/tests/.regress-config.template
index de2a604..06eed7a 100755
--- a/tests/.regress-config.template
+++ b/tests/.regress-config.template
@@ -1,5 +1,7 @@
 VAULTSERVER=
 ISSUER=
+GROUPROLE=
+GROUPSUBPAT=
 HASKERBEROS=true
 #HASSSH=true
 ROBOTKEYTAB=
diff --git a/tests/001-oidcauth/main b/tests/001-oidcauth/main
index 5b4c359..a08a54c 100644
--- a/tests/001-oidcauth/main
+++ b/tests/001-oidcauth/main
@@ -1,2 +1,7 @@
 htdestroytoken
+set -ex
 htgettoken --nokerberos --nossh -a $VAULTSERVER -i $ISSUER
+if [ -n "$GROUPSUBPAT" ]; then
+ # also check the sub from oidc flow (others in test 014)
+ htdecodetoken | jq -r .sub | grep -v $GROUPSUBPAT
+fi
diff --git a/tests/014-checkdefaultsub/main b/tests/014-checkdefaultsub/main
new file mode 100644
index 0000000..3bb8ac7
--- /dev/null
+++ b/tests/014-checkdefaultsub/main
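Review bot: The two new template keys `GROUPROLE=` and `GROUPSUBPAT=` carry no hint of what they hold, yet they decide whether tests 014 and 015 run at all (both exit with `$SKIPCODE` when `GROUPSUBPAT` is empty). A one-line comment above them would spare the next person reading the tests to find out, e.g. `# GROUPROLE: role passed to htgettoken -r; GROUPSUBPAT: grep pattern the token "sub" must match for that role (and must not match otherwise); leave empty to skip tests 014/015`. Whether the pattern is basic or extended regex syntax is only implied by the plain `grep` calls in the tests, so it is worth stating here too.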
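Review bot: The negative check `htdecodetoken | jq -r .sub | grep -v $GROUPSUBPAT` passes vacuously when the token carries no `sub` claim at all, because `jq -r .sub` then prints the literal `null` and `grep -v` selects it, so a token missing the claim is reported as having the correct default sub. Using `jq -er .sub` makes jq exit non-zero on a null result, and `set -exo pipefail` in place of `set -ex` lets that failure (or an `htdecodetoken` failure) fail the pipeline instead of being masked by grep's exit status. The pattern should also be quoted and passed after `--` so a value containing spaces or a leading dash is neither word-split nor parsed as an option: `htdecodetoken | jq -er .sub | grep -v -- "$GROUPSUBPAT"`.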
@@ -0,0 +1,24 @@
+if [ -z "$GROUPSUBPAT" ]; then
+ exit $SKIPCODE
+fi
+set -ex
+htgettoken --nokerberos --nooidc --nossh -a $VAULTSERVER -i $ISSUER --scopes="$TESTSCOPES"
+EXPTIME="$(htdecodetoken|jq -r .exp)"
+
+# check sub for token exchange
+htgettoken --nossh -a $VAULTSERVER -i $ISSUER --scopes="$TESTSCOPES"
+htdecodetoken | jq -r .sub | grep -v $GROUPSUBPAT
+
+# check sub for refresh
+# make sure that we don't request minsecs longer than the access token lifetime
+# by waiting a couple of seconds
+sleep 2
+NOW="$(date +%s)"
+let MINSECS=$EXPTIME-$NOW+1
+htgettoken --nooidc --nokerberos --nossh -a $VAULTSERVER -i $ISSUER --minsecs=$MINSECS
+EXPTIME2="$(htdecodetoken|jq -r .exp)"
+if [ "$EXPTIME" = "$EXPTIME2" ]; then
+ echo "The access token was not renewed!"
+ exit 1
+fi
+htdecodetoken | jq -r .sub | grep -v $GROUPSUBPAT
diff --git a/tests/015-checkgroupsub/main b/tests/015-checkgroupsub/main
new file mode 100644
index 0000000..02696b6
--- /dev/null
+++ b/tests/015-checkgroupsub/main
@@ -0,0 +1,26 @@
+if [ -z "$GROUPSUBPAT" ]; then
+ exit $SKIPCODE
+fi
+set -ex
+# check sub for oidc flow with role
+htgettoken --nossh -a $VAULTSERVER -i $ISSUER -r $GROUPROLE
+htdecodetoken | jq -r .sub | grep $GROUPSUBPAT
+EXPTIME="$(htdecodetoken|jq -r .exp)"
+
+# check sub for token exchange
+htgettoken --nossh -a $VAULTSERVER -i $ISSUER -r $GROUPROLE --scopes="$TESTSCOPES"
+htdecodetoken | jq -r .sub | grep $GROUPSUBPAT
+
+# check sub for refresh
+# make sure that we don't request minsecs longer than the access token lifetime
+# by waiting a couple of seconds
+sleep 2
+NOW="$(date +%s)"
+let MINSECS=$EXPTIME-$NOW+1
+htgettoken --nooidc --nokerberos --nossh -a $VAULTSERVER -i $ISSUER -r $GROUPROLE --minsecs=$MINSECS
+EXPTIME2="$(htdecodetoken|jq -r .exp)"
+if [ "$EXPTIME" = "$EXPTIME2" ]; then
+ echo "The access token was not renewed!"
+ exit 1
+fi
+htdecodetoken | jq -r .sub | grep $GROUPSUBPAT
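Review bot: `EXPTIME` is captured right after the first `htgettoken` call, but the token-exchange call with `--scopes="$TESTSCOPES"` runs before the refresh step; if that exchange rewrites the token file `htdecodetoken` reads, `let MINSECS=$EXPTIME-$NOW+1` is computed from a stale expiry and the `[ "$EXPTIME" = "$EXPTIME2" ]` check can pass merely because the exchange already changed `exp`, never proving that `--minsecs` forced a refresh. Moving `EXPTIME="$(htdecodetoken|jq -r .exp)"` to just before `sleep 2` pins the comparison to the token the refresh actually replaces. The same weakness as in test 001 applies to both `jq -r .sub | grep -v $GROUPSUBPAT` lines here: a missing `sub` prints `null` and satisfies `grep -v`, so `jq -er .sub | grep -v -- "$GROUPSUBPAT"` together with `set -exo pipefail` is needed for the negative check to mean anything.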
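Review bot: As in test 014, `EXPTIME` is read after the OIDC-flow token but before the token-exchange `htgettoken … -r $GROUPROLE --scopes="$TESTSCOPES"` call, so by the time `let MINSECS=$EXPTIME-$NOW+1` runs it may describe a token that has already been replaced (assuming the exchange writes the same token file), and the "was not renewed" check can then pass without the `--minsecs` refresh doing anything; re-capturing `EXPTIME` immediately before `sleep 2` fixes that. Separately, the three `grep $GROUPSUBPAT` calls should be `grep -- "$GROUPSUBPAT"` so a pattern containing spaces, glob characters or a leading `-` is not split, expanded or parsed as an option, and `set -ex` should become `set -exo pipefail` so an `htdecodetoken` or `jq` failure earlier in the pipeline is not hidden behind grep's exit status.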