cognito-idp integration test

Author: sbera87

src/aws-cpp-sdk-core/include/smithy/identity/signer/built-in/SigV4aSigner.h

@@ -290,7 +290,7 @@ namespace smithy {
         const bool m_includeSha256HashHeader{true};
         const bool m_urlEscape{true};
         const Aws::Set<Aws::String> m_unsignedHeaders{USER_AGENT,X_AMZN_TRACE_ID};
-        const Aws::Crt::Auth::SignatureType m_signatureType{Aws::Crt::Auth::SignatureType::HttpRequestViaHeaders};
+        const Aws::Crt::Auth::SignatureType m_signatureType{Aws::Crt::Auth::SignatureType::HttpRequestViaQueryParams};
         std::condition_variable m_cv;
         std::mutex m_mutex;
     };

tests/aws-cpp-sdk-cognitoidentityprovider-integration-tests/CMakeLists.txt

@@ -37,7 +37,7 @@ find_package(OpenSSL REQUIRED)
 # Include directories for OpenSSL headers
 include_directories(${OPENSSL_INCLUDE_DIR})
 
-target_link_libraries(${PROJECT_NAME} ${PROJECT_LIBS})
+target_link_libraries(${PROJECT_NAME} ${PROJECT_LIBS} OpenSSL::Crypto)
 
 
 

tests/aws-cpp-sdk-cognitoidentityprovider-integration-tests/OperationTest.cpp

@@ -14,23 +14,32 @@
 #include <aws/cognito-idp/model/AuthFlowType.h>
 #include <aws/cognito-idp/model/ExplicitAuthFlowsType.h>
 #include <aws/cognito-idp/model/InitiateAuthRequest.h>
-#include <aws/cognito-idp/model/CreateUserPoolClientRequest.h>
 #include <aws/cognito-idp/model/SignUpRequest.h>
+#include <aws/cognito-idp/model/CreateUserPoolClientRequest.h>
 #include <aws/cognito-idp/model/DeleteUserPoolClientRequest.h>
+#include <aws/cognito-idp/model/CreateUserPoolRequest.h>
+#include <aws/cognito-idp/model/DeleteUserPoolRequest.h>
+#include <aws/cognito-idp/model/AdminCreateUserRequest.h>
+#include <aws/cognito-idp/model/AdminDeleteUserRequest.h>
+#include <aws/cognito-idp/model/MessageActionType.h>
+#include <aws/cognito-idp/CognitoIdentityProviderServiceClientModel.h>
 
 #include <aws/core/client/CoreErrors.h>
 #include <aws/core/utils/json/JsonSerializer.h>
 #include <aws/core/utils/Outcome.h>
 #include <aws/testing/TestingEnvironment.h>
 #include <aws/core/platform/Environment.h>
-#include <openssl/srp.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bn.h>
+
+
 using namespace Aws::CognitoIdentityProvider;
 using namespace Aws::CognitoIdentityProvider::Model;
 using namespace Aws::Client;
 using namespace Aws::Region;
 
-#define TEST_POOL_PREFIX  "IntegrationTest_"
-
 namespace
 {
 static const char* ALLOCATION_TAG = "IdentityProviderOperationTest";
@@ -49,19 +58,64 @@ class IdentityProviderOperationTest : public ::testing::Test
 protected:
 
     const Aws::String m_clientName{"testClient"};
+    Aws::String m_userPoolId;
+    Aws::String m_clientId;
+    const Aws::String m_username{"testUser"};
+    Aws::String m_clientSecret;
 
     void SetUp()
     {
         Aws::Client::ClientConfiguration config;
         config.region = AWS_TEST_REGION;
 
-        //TODO: move this over to profile config file.
         client = Aws::MakeShared<Aws::CognitoIdentityProvider::CognitoIdentityProviderClient>(ALLOCATION_TAG, config);
+
+        //make user pool
+        m_userPoolId = createUserPool("TestPool");
+
+        ASSERT_TRUE(!m_userPoolId.empty());
+
+        //make client
+        if(!m_userPoolId.empty())
+        {
+            auto ret = createPoolClient(m_userPoolId, m_clientName);
+            m_clientId = ret.first;
+            m_clientSecret = ret.second;
+        }
+
+        ASSERT_TRUE(!m_clientId.empty());
+        ASSERT_TRUE(!m_clientSecret.empty());
+
+        //create user
+        if(!m_userPoolId.empty() && !m_clientId.empty())
+        {
+            ASSERT_TRUE(createUser(m_username, "Password123!", m_userPoolId));
+        }
+
     }
 
     void TearDown()
     {
-        client = nullptr;
+
+        //delete user
+        if(!m_userPoolId.empty())
+        {
+            ASSERT_TRUE(deleteUser(m_username, m_userPoolId));
+        }
+
+        // delete client
+        if(!m_userPoolId.empty() && !m_clientId.empty())
+        {
+            ASSERT_TRUE(deletePoolClient(m_userPoolId, m_clientId));
+        }
+
+        // delete user pool
+        if(!m_userPoolId.empty())
+        {
+            ASSERT_TRUE(deleteUserPool(m_userPoolId));
+        }
+
+
         if (::testing::Test::HasFailure())
         {
             std::cout << "Test traces: " << testTrace << "\n";
@@ -70,125 +124,263 @@ class IdentityProviderOperationTest : public ::testing::Test
     }
 
 
-    void registerUser(const Aws::String& username, const Aws::String& password)
-    {   
-        // Set up the request for creating a new User Pool Client
-        Aws::CognitoIdentityProvider::Model::SignUpRequest request;
-        request.SetClientId(m_clientName);
-        request.SetUsername(username);
-        request.SetPassword(password);
+    Aws::String createUserPool(Aws::String poolName)
+    {
+        if(poolName.empty())
+        {
+            return {};
+        }
+        Aws::CognitoIdentityProvider::Model::CreateUserPoolRequest userPoolRequest;
+        userPoolRequest.SetPoolName(poolName);
+
+        CreateUserPoolOutcome userPoolOutcome = client->CreateUserPool(userPoolRequest);
+        //ASSERT_TRUE(userPoolOutcome.IsSuccess());
+        if (!userPoolOutcome.IsSuccess()) {
+            return {};
+        }
+
+        auto poolId = userPoolOutcome.GetResult().GetUserPool().GetId();
+        std::cout << "Created User Pool with ID: " << poolId << " for pool name="<<poolName<<std::endl;
+        return poolId;
+    }
 
-        auto outcome = client->SignUp(request);
-        ASSERT_TRUE(outcome.IsSuccess());
-        if (outcome.IsSuccess())
+    bool deleteUserPool(const Aws::String& poolId)
+    {
+        if (poolId.empty())
         {
-            std::cout << "User registered successfully." << std::endl;
-            std::cout << "User confirmed: " << (outcome.GetResult().GetUserConfirmed() ? "Yes" : "No") << std::endl;
-            std::cout << "User sub: " << outcome.GetResult().GetUserSub() << std::endl;
+            return false;
+        }
+        Aws::CognitoIdentityProvider::Model::DeleteUserPoolRequest deletePoolRequest;
+        deletePoolRequest.SetUserPoolId(poolId);
+
+        auto deletePoolOutcome = client->DeleteUserPool(deletePoolRequest);
+        //ASSERT_TRUE(deletePoolOutcome.IsSuccess());
+        if (!deletePoolOutcome.IsSuccess()) {
+            std::cerr << "Failed to delete User Pool: " << deletePoolOutcome.GetError().GetMessage() << std::endl;
+        }
+        else
+        {
+            std::cout << "Deleted User Pool with ID: " << poolId << std::endl;
+        }
+        return deletePoolOutcome.IsSuccess();
+    }
+
+    bool createUser(const Aws::String& username, const Aws::String& password, const Aws::String& userPoolId)
+    {
+        if (userPoolId.empty() || username.empty() || password.empty())
+        {
+            return false;
+        }
+        
+        Aws::CognitoIdentityProvider::Model::AdminCreateUserRequest createUserRequest;
+        createUserRequest.SetUserPoolId(userPoolId);
+        createUserRequest.SetUsername(username);
+
+        Aws::CognitoIdentityProvider::Model::AttributeType emailAttribute;
+        emailAttribute.SetName("email");
+        emailAttribute.SetValue("testuser@example.com");
+        createUserRequest.AddUserAttributes(emailAttribute);
+
+        // Set a temporary password
+        createUserRequest.SetTemporaryPassword(password);
+
+        // Suppress sending an email to the user
+        createUserRequest.SetMessageAction(Aws::CognitoIdentityProvider::Model::MessageActionType::SUPPRESS);
+
+        auto outcome = client->AdminCreateUser(createUserRequest);
+        //ASSERT_TRUE(outcome.IsSuccess());
+        if (outcome.IsSuccess()) {
+            std::cout << "User created successfully: " << outcome.GetResult().GetUser().GetUsername() << std::endl;
+        } else {
+            std::cerr << "Failed to create user: " << outcome.GetError().GetMessage() << std::endl;
+        }
 
+        return outcome.IsSuccess();
+    }
 
+    bool deleteUser(const Aws::String& username, const Aws::String& userPoolId)
+    {
+        if (username.empty() || userPoolId.empty())
+        {
+            return false;
+        }
+        
+        Aws::CognitoIdentityProvider::Model::AdminDeleteUserRequest deleteUserRequest;
+        deleteUserRequest.SetUserPoolId(userPoolId);
+        deleteUserRequest.SetUsername(username);
+        auto deleteUserOutcome = client->AdminDeleteUser(deleteUserRequest);
+        //ASSERT_TRUE(deleteUserOutcome.IsSuccess());
+        if (!deleteUserOutcome.IsSuccess()) {
+            std::cerr << "Failed to delete user: " << deleteUserOutcome.GetError().GetMessage() << std::endl;
         }
+        else
+        {
+            std::cout << "Deleted test user: " << username << std::endl;
+        }
+        return deleteUserOutcome.IsSuccess();
     }
 
-    CreateUserPoolClientOutcome createPoolClient()
+
+    std::pair<Aws::String, Aws::String> createPoolClient(const Aws::String& userPoolId, const Aws::String& clientName)
     {
-        // Set up the request for creating a new User Pool Client
+        if(userPoolId.empty() || clientName.empty())
+        {
+            return {};
+        }
+
         Aws::CognitoIdentityProvider::Model::CreateUserPoolClientRequest request;
-        request.SetUserPoolId("test-pool-id"); 
-        request.SetClientName("testClient");  
+        request.SetUserPoolId(userPoolId); 
+        request.SetClientName(clientName);  
 
-        request.SetGenerateSecret(true); // If you need a secret for your client
-        Aws::Vector<Aws::CognitoIdentityProvider::Model::ExplicitAuthFlowsType> authFlows{Aws::CognitoIdentityProvider::Model::ExplicitAuthFlowsType::ALLOW_USER_SRP_AUTH};
+        request.SetGenerateSecret(true);
+        Aws::Vector<Aws::CognitoIdentityProvider::Model::ExplicitAuthFlowsType> authFlows{Aws::CognitoIdentityProvider::Model::ExplicitAuthFlowsType::ALLOW_USER_SRP_AUTH, Aws::CognitoIdentityProvider::Model::ExplicitAuthFlowsType::ALLOW_REFRESH_TOKEN_AUTH};
         request.SetExplicitAuthFlows(authFlows);
 
-        // Make the call to create the user pool client
-        auto outcome = client->CreateUserPoolClient(request);
-        ASSERT_TRUE(outcome.IsSuccess());
+        Aws::CognitoIdentityProvider::Model::CreateUserPoolClientOutcome outcome = client->CreateUserPoolClient(request);
+        //ASSERT_TRUE(outcome.IsSuccess());
+        Aws::String clientId, clientSecret;
         if (outcome.IsSuccess())
         {
+            clientId = outcome.GetResult().GetUserPoolClient().GetClientId();
+            clientSecret = outcome.GetResult().GetUserPoolClient().GetClientSecret();
             std::cout << "User Pool Client created successfully." << std::endl;
-            std::cout << "Client ID: " << outcome.GetResult().GetUserPoolClient().GetClientId() << std::endl;
-            if (request.GetGenerateSecret())
-            {
-                std::cout << "Client Secret: " << outcome.GetResult().GetUserPoolClient().GetClientSecret() << std::endl;
-            }
+            std::cout << "Client ID: " << clientId << std::endl;
         }
-        return outcome;
+        return {clientId,clientSecret};
     }
 
-    void deletePoolClient()
+    bool deletePoolClient(const Aws::String& userPoolId, const Aws::String& clientId)
     {
         // Set up the request for deleting the User Pool Client
         Aws::CognitoIdentityProvider::Model::DeleteUserPoolClientRequest request;
-        request.SetUserPoolId("test-pool-id");
-        request.SetClientId("testClient");
+        request.SetUserPoolId(userPoolId);
+        request.SetClientId(clientId);
 
         // Make the call to delete the user pool client
         auto outcome = client->DeleteUserPoolClient(request);
-        ASSERT_TRUE(outcome.IsSuccess());
         if (outcome.IsSuccess())
         {
             std::cout << "User Pool Client deleted successfully." << std::endl;
         }
+        //ASSERT_TRUE(outcome.IsSuccess());
+        return outcome.IsSuccess();
     }
 
-
 };
 
 
-
-
-
-
-TEST_F(IdentityProviderOperationTest, testSecret)
+Aws::String ComputeSecretHash(const Aws::String &userPoolClientId, const Aws::String &clientSecret, const Aws::String &userName)
 {
-    auto outcome = createPoolClient();
+    const auto message = userName + userPoolClientId;
+    unsigned char hash[EVP_MAX_MD_SIZE];
+    unsigned int len = 0;
+
+    HMAC(EVP_sha256(),
+    clientSecret.c_str(), clientSecret.length(),
+    (unsigned char*)message.c_str(), message.length(),
+    hash, &len);
+    
+    // Base64 encode the hash
+    char encoded[128];
+    EVP_EncodeBlock((unsigned char*)encoded, hash, len);
 
+    return std::string(encoded);
+}
+// https://github.com/aws/amazon-cognito-identity-js/blob/master/src/AuthenticationHelper.js#L22
+const char* initN = 
+    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+    "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
+    "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
+    "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
+    "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+    "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
+    "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF";
+// https://github.com/aws/amazon-cognito-identity-js/blob/master/src/AuthenticationHelper.js#
+const char* generator = "2";
+
+
+class SRPClient {
+    public:
+    SRPClient(const std::string& N_hex, const std::string& g):N(BN_new()), g(BN_new()), a(nullptr), A(BN_new()), ctx(BN_CTX_new())
+    {
+        if (!BN_hex2bn(&N, N_hex.c_str())) {
+            std::cout<<"Failed to load N"<<std::endl;
+        }
+    
+        if (!BN_dec2bn(&this->g, g.c_str())) {
+            std::cout<<"Failed to load g"<<std::endl;
+        }
 
-    Aws::String ComputeSecretHash(const Aws::String &userPoolClientId, const Aws::String &userPoolClientSecret, const Aws::String &userName)
+        generatePrivateKey(256);
+    }
+    ~SRPClient()
     {
-        const auto secret = userPoolClientSecret;
-        const auto message = userName + userPoolClientId;
-        
-        unsigned char * digest = HMAC(EVP_sha256(), 
-                                    secret.c_str(), static_cast<int>(secret.length()), 
-                                    reinterpret_cast<const unsigned char*>(message.c_str()), 
-                                    static_cast<int>(message.length()), 
-                                    NULL, NULL);
-        
-        char mdString[SHA256_DIGEST_LENGTH * 2 + 1];
-        for (int i = 0; i < SHA256_DIGEST_LENGTH; ++i)
-            sprintf(&mdString[i*2], "%02x", (unsigned int)digest[i]);
+        BN_free(N);
+        BN_free(g);
+        BN_free(a);
+        BN_free(A);
+        BN_CTX_free(ctx);
+    }
 
-        mdString[64] = '\0'; // null-terminate the string
-        
-        return Aws::String(mdString);
+    
+    private:
+    BIGNUM* N{nullptr};
+    BIGNUM* g{nullptr};
+    BIGNUM* a{nullptr};
+    BIGNUM* A{nullptr};
+    BN_CTX* ctx;
+
+    void generatePrivateKey(int bits)
+    {
+        a = BN_new();
+        if (!BN_rand(a, bits, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
+            std::cout<<"Failed to generate private key"<<std::endl;
+        }
     }
 
+    public:
+    std::string calculateA() const
+    {
+        if (!BN_mod_exp(A, g, a, N, ctx)) {
+            std::cout<<"Failed to compute A = g^a % N"<<std::endl;
+            return {};
+        }
+    
+        char* A_hex = BN_bn2hex(A);
+        std::string A_str(A_hex);
+        OPENSSL_free(A_hex);
+    
+        return A_str;
+    }
+};
 
-    Aws::Map<Aws::String, Aws::String> authParameters;
-    authParameters["USERNAME"] = "dummyuser"; // Replace with actual username
 
-    // Compute SECRET_HASH if the client has a secret
-    const Aws::String clientId = outcome.GetResult().GetUserPoolClient().GetClientId(); // Client ID from previous step
-    const Aws::String clientSecret = outcome.GetResult().GetUserPoolClient().GetClientSecret(); // Client Secret if generated
-    authParameters["SECRET_HASH"] = ComputeSecretHash(clientId, clientSecret, "dummyuser");
 
-    // Note: SRP_A is part of the SRP protocol, you need to implement or use a library for SRP
-    // This is a placeholder for a correct SRP implementation:
-    authParameters["SRP_A"] = "dummy"; // Replace with actual SRP_A value
+TEST_F(IdentityProviderOperationTest, testSecret)
+{
+    SRPClient srpclient(initN, generator);
+    Aws::Map<Aws::String, Aws::String> authParameters;
+    authParameters["USERNAME"] = m_username;
+    authParameters["SECRET_HASH"] = ComputeSecretHash(m_clientId, m_clientSecret, m_username);
+    auto srpa = srpclient.calculateA();
+    ASSERT_TRUE(!srpa.empty());
+    authParameters["SRP_A"] = srpa;  
 
     Aws::CognitoIdentityProvider::Model::InitiateAuthRequest authRequest;
-    authRequest.SetClientId(clientId); // Client ID from when you created the client
+    authRequest.SetClientId(m_clientId);
     authRequest.SetAuthFlow(Aws::CognitoIdentityProvider::Model::AuthFlowType::USER_SRP_AUTH);
     authRequest.SetAuthParameters(authParameters);
-
     Aws::CognitoIdentityProvider::Model::InitiateAuthOutcome authResult = client->InitiateAuth( authRequest );
-
     EXPECT_TRUE(authResult.IsSuccess());
-
-
-    deletePoolClient();
 }
 
 }