Add WPT for scope_specification

New test: set-scope-specification.https.html

Bug: 353767385
Change-Id: I3c6d43aa6bebec43caef7fc1285576edd112d534
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6333587
Commit-Queue: thefrog <[email protected]>
Reviewed-by: Daniel Rubery <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1430905}

Author: thefrog-gh

device-bound-session-credentials/excludeInScopeSpecification/excluded_verify_authenticated.py

@@ -0,0 +1,5 @@
+import importlib
+util = importlib.import_module('device-bound-session-credentials.verify_authenticated_util')
+
+def main(request, response):
+    return util.verify_authenticated(request, response)

device-bound-session-credentials/includeInScopeSpecification/included_verify_authenticated.py

@@ -0,0 +1,5 @@
+import importlib
+util = importlib.import_module('device-bound-session-credentials.verify_authenticated_util')
+
+def main(request, response):
+    return util.verify_authenticated(request, response)

device-bound-session-credentials/session_manager.py

@@ -25,6 +25,7 @@ def __init__(self):
         self.registration_sends_challenge = False
         self.cookie_name_and_value = "auth_cookie=abcdef0123"
         self.has_called_refresh = False
+        self.scope_specification_items = []
 
     def create_new_session(self):
         session_id = str(len(self.session_to_key_map))
@@ -72,6 +73,10 @@ def configure_state_for_test(self, configuration):
         if cookie_name_and_value is not None:
             self.cookie_name_and_value = cookie_name_and_value
 
+        scope_specification_items = configuration.get("scopeSpecificationItems")
+        if scope_specification_items is not None:
+            self.scope_specification_items = scope_specification_items
+
     def get_should_refresh_end_session(self):
         return self.should_refresh_end_session
 
@@ -113,7 +118,7 @@ def get_session_instructions_response(self, session_id, request):
             "scope": {
                 "origin": scope_origin,
                 "include_site": True,
-                "scope_specification" : [
+                "scope_specification" : self.scope_specification_items + [
                     { "type": "exclude", "domain": request.url_parts.hostname, "path": "/device-bound-session-credentials/request_early_challenge.py" },
                     { "type": "exclude", "domain": request.url_parts.hostname, "path": "/device-bound-session-credentials/end_session_via_clear_site_data.py" },
                     { "type": "exclude", "domain": request.url_parts.hostname, "path": "/device-bound-session-credentials/pull_server_state.py" },

device-bound-session-credentials/set-scope-specification.https.html

@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>DBSC scope specification set</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="helper.js" type="module"></script>
+
+<script type="module">
+  import { expireCookie, waitForCookie, addCookieAndSessionCleanup, setupShardedServerState, configureServer} from "./helper.js";
+
+  promise_test(async t => {
+    await setupShardedServerState();
+    const expectedCookieAndValue = "auth_cookie=abcdef0123";
+    const expectedCookieAndAttributes = `${expectedCookieAndValue};Domain=${location.hostname};Path=/device-bound-session-credentials`;
+    addCookieAndSessionCleanup(t, expectedCookieAndAttributes);
+
+    // Configure server to set scope specification.
+    configureServer({ scopeSpecificationItems: [{
+      "type": "include",
+      "domain": location.hostname,
+      "path": "/device-bound-session-credentials/excludeInScopeSpecification/excluded_verify_authenticated.py"
+    }, {
+      "type": "exclude",
+      "domain": location.hostname,
+      "path": "/device-bound-session-credentials/excludeInScopeSpecification"
+    }, {
+      "type": "include",
+      "domain": location.hostname,
+      "path": "/device-bound-session-credentials/includeInScopeSpecification/included_verify_authenticated.py"
+    }, {
+      "type": "exclude",
+      "domain": location.hostname,
+      "path": "/device-bound-session-credentials/verify_authenticated.py"
+    }, {
+      "type": "include",
+      "domain": location.hostname,
+      "path": "/device-bound-session-credentials/verify_authenticated_alternate.py"
+    }, {
+      "type": "include",
+      "domain": `www1.${location.hostname}`,
+      "path": "/device-bound-session-credentials/verify_authenticated.py"
+    }, {
+      "type": "exclude",
+      "domain": `www2.${location.hostname}`,
+      "path": "/device-bound-session-credentials/verify_authenticated.py"
+    }] });
+
+    // Prompt starting a session, and wait until registration completes.
+    const login_response = await fetch('login.py');
+    assert_equals(login_response.status, 200);
+    assert_true(await waitForCookie(expectedCookieAndValue));
+
+    async function expireCookieAndTriggerRequest(endpoint, expectRefresh) {
+      expireCookie(expectedCookieAndAttributes);
+      const auth_response = await fetch(endpoint, { credentials: "include" });
+      assert_equals(auth_response.status, expectRefresh ? 200 : 401);
+    }
+
+    await expireCookieAndTriggerRequest("verify_authenticated.py", /*expectRefresh=*/false);
+    await expireCookieAndTriggerRequest("verify_authenticated_alternate.py", /*expectRefresh=*/true);
+    // This one is marked as included, but excludeInScopeSpecification/ is marked as excluded, and order matters.
+    await expireCookieAndTriggerRequest("excludeInScopeSpecification/excluded_verify_authenticated.py", /*expectRefresh=*/false);
+    await expireCookieAndTriggerRequest("includeInScopeSpecification/included_verify_authenticated.py", /*expectRefresh=*/true);
+    await expireCookieAndTriggerRequest(`${location.protocol}//www1.${location.hostname}:${location.port}/device-bound-session-credentials/verify_authenticated.py`, /*expectRefresh=*/true);
+    await expireCookieAndTriggerRequest(`${location.protocol}//www2.${location.hostname}:${location.port}/device-bound-session-credentials/verify_authenticated.py`, /*expectRefresh=*/false);
+  }, "Scope specification configuration is respected");
+</script>

device-bound-session-credentials/verify_authenticated.py

@@ -1,16 +1,5 @@
-def main(request, response):
-    expected_cookie_name_and_value = request.body
-    if expected_cookie_name_and_value == b"":
-        expected_cookie_name_and_value = b"auth_cookie=abcdef0123"
-    (expected_name, expected_value) = expected_cookie_name_and_value.split(b"=")
-
-    headers = []
-    # Only CORS requests need the CORS headers
-    if request.headers.get(b"origin") != None:
-      headers = [(b"Access-Control-Allow-Origin",request.headers.get(b"origin")),
-                 (b"Access-Control-Allow-Credentials", b"true")]
+import importlib
+util = importlib.import_module('device-bound-session-credentials.verify_authenticated_util')
 
-    cookie = request.cookies.get(expected_name)
-    if cookie == None or cookie.value != expected_value:
-        return (401, headers, "")
-    return (200, headers, "")
+def main(request, response):
+    return util.verify_authenticated(request, response)

device-bound-session-credentials/verify_authenticated_alternate.py

@@ -0,0 +1,5 @@
+import importlib
+util = importlib.import_module('device-bound-session-credentials.verify_authenticated_util')
+
+def main(request, response):
+    return util.verify_authenticated(request, response)

device-bound-session-credentials/verify_authenticated_util.py

@@ -0,0 +1,16 @@
+def verify_authenticated(request, response):
+    expected_cookie_name_and_value = request.body
+    if expected_cookie_name_and_value == b"":
+        expected_cookie_name_and_value = b"auth_cookie=abcdef0123"
+    (expected_name, expected_value) = expected_cookie_name_and_value.split(b"=")
+
+    headers = []
+    # Only CORS requests need the CORS headers
+    if request.headers.get(b"origin") != None:
+      headers = [(b"Access-Control-Allow-Origin",request.headers.get(b"origin")),
+                 (b"Access-Control-Allow-Credentials", b"true")]
+
+    cookie = request.cookies.get(expected_name)
+    if cookie == None or cookie.value != expected_value:
+        return (401, headers, "")
+    return (200, headers, "")