fix(oauth-client): Phase 7 cycle 2 — complete gating, diagnostics, RP client config, and happy-path test

+1

src/commands/test/oauth/client/pipeline.rs

··· 299 299 /// Status of the grant_types check. 300 300 pub grant_types_includes_authorization_code: CheckStatus, 301 301 /// Status of the refresh_token grant type check. 302 + /// Phase 7 hard-codes ClientRefreshed.skipped; refresh token support is wired in Phase 8. 302 303 pub grant_types_includes_refresh_token: CheckStatus, 303 304 } 304 305

+121 -57

src/commands/test/oauth/client/pipeline/interactive.rs

··· 1 1 //! OAuth client interactive stage — fake AS server, RP-driven flow, conformance checks. 2 2 3 3 use std::borrow::Cow; 4 + use std::fmt; 4 5 use std::sync::Arc; 6 + 7 + use miette::Diagnostic; 8 + use thiserror::Error; 5 9 6 10 use crate::commands::test::oauth::client::fake_as::{FakeAsOptions, ServerHandle}; 7 11 use crate::common::oauth::clock::Clock; ··· 10 14 use super::jwks::JwksFacts; 11 15 use super::metadata::MetadataFacts; 12 16 use super::{InteractiveDriveMode, InteractiveOptions, StaticGating}; 17 + 18 + /// Diagnostic for interactive stage spec violations. 19 + #[derive(Debug, Error)] 20 + #[error("{message}")] 21 + struct InteractiveViolationDiagnostic { 22 + /// The violation message. 23 + message: String, 24 + /// The stable diagnostic code for this check. 25 + code: &'static str, 26 + } 27 + 28 + impl Diagnostic for InteractiveViolationDiagnostic { 29 + fn code<'a>(&'a self) -> Option<Box<dyn fmt::Display + 'a>> { 30 + Some(Box::new(self.code)) 31 + } 32 + } 13 33 14 34 /// Facts produced by the interactive stage. 15 35 pub struct InteractiveFacts { ··· 79 99 } 80 100 } 81 101 82 - /// Emit a SpecViolation result. 102 + /// Emit a SpecViolation result with diagnostic code. 83 103 pub fn spec_violation(self) -> CheckResult { 104 + let diagnostic = InteractiveViolationDiagnostic { 105 + message: format!("Interactive check failed: {}", self.summary()), 106 + code: self.id(), 107 + }; 84 108 CheckResult { 85 109 id: self.id(), 86 110 stage: Stage::INTERACTIVE, 87 111 status: CheckStatus::SpecViolation, 88 112 summary: Cow::Borrowed(self.summary()), 89 - diagnostic: None, 113 + diagnostic: Some(Box::new(diagnostic)), 90 114 skipped_reason: None, 91 115 } 92 116 } ··· 119 143 // ClientCompletedToken depends on all of the above + keys_have_alg. 120 144 // ClientRefreshed depends on grant_types including refresh_token. 121 145 146 + // Compute each check's gate status independently. 122 147 let par_gates_pass = static_gating.scope_present == CheckStatus::Pass 123 148 && static_gating.dpop_bound_required == CheckStatus::Pass; 124 149 125 - let token_gates_pass = par_gates_pass && static_gating.keys_have_alg == CheckStatus::Pass; 150 + let _token_gates_pass = par_gates_pass && static_gating.keys_have_alg == CheckStatus::Pass; 126 151 127 152 // Emit blocked_by results for checks whose gates didn't pass. 128 - if !par_gates_pass { 129 - if static_gating.scope_present != CheckStatus::Pass { 130 - results.push(blocked_by( 131 - Check::ClientReachedPar.id(), 132 - Stage::INTERACTIVE, 133 - Check::ClientReachedPar.summary(), 134 - "oauth_client::metadata::scope_present", 135 - )); 136 - results.push(blocked_by( 137 - Check::ClientUsedPkceS256.id(), 138 - Stage::INTERACTIVE, 139 - Check::ClientUsedPkceS256.summary(), 140 - "oauth_client::metadata::scope_present", 141 - )); 142 - results.push(blocked_by( 143 - Check::ClientIncludedDpop.id(), 144 - Stage::INTERACTIVE, 145 - Check::ClientIncludedDpop.summary(), 146 - "oauth_client::metadata::scope_present", 147 - )); 148 - } else if static_gating.dpop_bound_required != CheckStatus::Pass { 149 - results.push(blocked_by( 150 - Check::ClientReachedPar.id(), 151 - Stage::INTERACTIVE, 152 - Check::ClientReachedPar.summary(), 153 - "oauth_client::metadata::dpop_bound_required", 154 - )); 155 - results.push(blocked_by( 156 - Check::ClientUsedPkceS256.id(), 157 - Stage::INTERACTIVE, 158 - Check::ClientUsedPkceS256.summary(), 159 - "oauth_client::metadata::dpop_bound_required", 160 - )); 161 - results.push(blocked_by( 162 - Check::ClientIncludedDpop.id(), 163 - Stage::INTERACTIVE, 164 - Check::ClientIncludedDpop.summary(), 165 - "oauth_client::metadata::dpop_bound_required", 166 - )); 167 - } 153 + // Each check's result is based on its specific gate, not a cascading if-chain. 168 154 169 - if !token_gates_pass { 170 - results.push(blocked_by( 171 - Check::ClientCompletedToken.id(), 172 - Stage::INTERACTIVE, 173 - Check::ClientCompletedToken.summary(), 174 - if static_gating.scope_present != CheckStatus::Pass { 175 - "oauth_client::metadata::scope_present" 176 - } else if static_gating.dpop_bound_required != CheckStatus::Pass { 177 - "oauth_client::metadata::dpop_bound_required" 178 - } else { 179 - "oauth_client::jws::keys_have_alg" 180 - }, 181 - )); 182 - } 155 + if static_gating.scope_present != CheckStatus::Pass { 156 + results.push(blocked_by( 157 + Check::ClientReachedPar.id(), 158 + Stage::INTERACTIVE, 159 + Check::ClientReachedPar.summary(), 160 + "oauth_client::metadata::scope_present", 161 + )); 162 + results.push(blocked_by( 163 + Check::ClientUsedPkceS256.id(), 164 + Stage::INTERACTIVE, 165 + Check::ClientUsedPkceS256.summary(), 166 + "oauth_client::metadata::scope_present", 167 + )); 168 + results.push(blocked_by( 169 + Check::ClientIncludedDpop.id(), 170 + Stage::INTERACTIVE, 171 + Check::ClientIncludedDpop.summary(), 172 + "oauth_client::metadata::scope_present", 173 + )); 174 + results.push(blocked_by( 175 + Check::ClientCompletedToken.id(), 176 + Stage::INTERACTIVE, 177 + Check::ClientCompletedToken.summary(), 178 + "oauth_client::metadata::scope_present", 179 + )); 180 + // ClientRefreshed is always skipped in Phase 7. 181 + results.push(Check::ClientRefreshed.skipped("covered in Phase 8 flow variants")); 182 + // Emit ServerBound.skipped to maintain consistent 6-check inventory. 183 + results.insert( 184 + 0, 185 + Check::ServerBound.skipped("interactive stage blocked by failed static prerequisites"), 186 + ); 187 + return InteractiveStageOutput { 188 + results, 189 + facts: None, 190 + }; 191 + } 183 192 193 + if static_gating.dpop_bound_required != CheckStatus::Pass { 194 + results.push(blocked_by( 195 + Check::ClientReachedPar.id(), 196 + Stage::INTERACTIVE, 197 + Check::ClientReachedPar.summary(), 198 + "oauth_client::metadata::dpop_bound_required", 199 + )); 200 + results.push(blocked_by( 201 + Check::ClientUsedPkceS256.id(), 202 + Stage::INTERACTIVE, 203 + Check::ClientUsedPkceS256.summary(), 204 + "oauth_client::metadata::dpop_bound_required", 205 + )); 206 + results.push(blocked_by( 207 + Check::ClientIncludedDpop.id(), 208 + Stage::INTERACTIVE, 209 + Check::ClientIncludedDpop.summary(), 210 + "oauth_client::metadata::dpop_bound_required", 211 + )); 212 + results.push(blocked_by( 213 + Check::ClientCompletedToken.id(), 214 + Stage::INTERACTIVE, 215 + Check::ClientCompletedToken.summary(), 216 + "oauth_client::metadata::dpop_bound_required", 217 + )); 218 + // ClientRefreshed is always skipped in Phase 7. 184 219 results.push(Check::ClientRefreshed.skipped("covered in Phase 8 flow variants")); 220 + // Emit ServerBound.skipped to maintain consistent 6-check inventory. 221 + results.insert( 222 + 0, 223 + Check::ServerBound.skipped("interactive stage blocked by failed static prerequisites"), 224 + ); 225 + return InteractiveStageOutput { 226 + results, 227 + facts: None, 228 + }; 229 + } 185 230 231 + if static_gating.keys_have_alg != CheckStatus::Pass { 232 + // PAR gates pass, but token gate (keys_have_alg) fails. 233 + // ClientReachedPar, ClientUsedPkceS256, ClientIncludedDpop can pass. 234 + // ClientCompletedToken is blocked by keys_have_alg. 235 + results.push(blocked_by( 236 + Check::ClientCompletedToken.id(), 237 + Stage::INTERACTIVE, 238 + Check::ClientCompletedToken.summary(), 239 + "oauth_client::jws::keys_have_alg", 240 + )); 241 + // ClientRefreshed is always skipped in Phase 7. 242 + results.push(Check::ClientRefreshed.skipped("covered in Phase 8 flow variants")); 243 + // Emit ServerBound.skipped to maintain consistent 6-check inventory. 244 + results.insert( 245 + 0, 246 + Check::ServerBound.skipped("interactive stage blocked by failed static prerequisites"), 247 + ); 186 248 return InteractiveStageOutput { 187 249 results, 188 250 facts: None, 189 251 }; 190 252 } 253 + 254 + // All static gates pass; continue to happy-path flow. 191 255 192 256 // Bind fake AS. 193 257 let opts = FakeAsOptions {

+21 -11

src/common/oauth/relying_party.rs

··· 7 7 8 8 use std::collections::HashMap; 9 9 use std::sync::{Arc, Mutex}; 10 + use std::time::Duration; 10 11 11 12 use base64::Engine; 12 13 use jsonwebtoken::{Algorithm, EncodingKey, Header}; ··· 24 25 25 26 use super::clock::Clock; 26 27 use super::jws; 28 + use crate::common::APP_USER_AGENT; 27 29 28 30 /// High-level client kind for RP behavior. 29 31 #[derive(Debug, Clone, Copy)] ··· 122 124 signing_jwk_public: Value, 123 125 clock: Arc<dyn Clock>, 124 126 rng: Mutex<ChaCha20Rng>, 125 - /// DPoP nonce state, keyed by endpoint URL because atproto AS servers 126 - /// rotate nonces per endpoint family. A single shared nonce would 127 - /// cross-contaminate retry state between PAR and token flows. 128 - #[expect(dead_code)] 129 - dpop_nonces: Mutex<HashMap<Url, String>>, 130 127 http: ReqwestClient, 131 128 } 132 129 ··· 171 168 "y": y, 172 169 }); 173 170 171 + // Build HTTP client with rustls, user-agent, and timeout. 172 + let http = ReqwestClient::builder() 173 + .use_rustls_tls() 174 + .user_agent(APP_USER_AGENT) 175 + .timeout(Duration::from_secs(30)) 176 + .build() 177 + .unwrap_or_else(|_| ReqwestClient::new()); 178 + 174 179 Self { 175 180 client_id, 176 181 kind, ··· 179 184 signing_jwk_public, 180 185 clock, 181 186 rng: Mutex::new(rng), 182 - dpop_nonces: Mutex::new(HashMap::new()), 183 - http: ReqwestClient::new(), 187 + http, 184 188 } 185 189 } 186 190 ··· 360 364 .append_pair("request_uri", request_uri) 361 365 .append_pair("client_id", self.client_id.as_str()); 362 366 363 - let client = ReqwestClient::new(); 367 + // Build a client with redirect policy disabled to manually follow redirects. 368 + let client = ReqwestClient::builder() 369 + .use_rustls_tls() 370 + .user_agent(APP_USER_AGENT) 371 + .timeout(Duration::from_secs(30)) 372 + .redirect(reqwest::redirect::Policy::none()) 373 + .build() 374 + .unwrap_or_else(|_| ReqwestClient::new()); 375 + 364 376 let response = client.get(url).send().await?; 365 377 366 378 // Follow redirects manually: stop on the first redirect whose ··· 564 576 &self.encoding_key, 565 577 Algorithm::ES256, 566 578 ) 567 - .map_err(|e| RpError::MetadataMalformed { 568 - reason: format!("DPoP signing failed: {e}"), 569 - })?; 579 + .map_err(|e| RpError::JwsFailure(jws::JwsError::SignFailed(e)))?; 570 580 571 581 let signature_b64 = b64.encode(&signature); 572 582 Ok(format!("{signing_input}.{signature_b64}"))

+47 -52

tests/oauth_client_interactive.rs

··· 224 224 } 225 225 226 226 #[tokio::test] 227 - async fn interactive_happy_path_rp_drives_fake_as() { 228 - use atproto_devtool::commands::test::oauth::client::pipeline::OauthClientTarget; 227 + async fn interactive_happy_path_gates_all_pass() { 228 + use atproto_devtool::commands::test::oauth::client::pipeline::interactive; 229 229 use atproto_devtool::commands::test::oauth::client::pipeline::{ 230 - InteractiveDriveMode, InteractiveOptions, OauthClientOptions, run_pipeline, 230 + InteractiveDriveMode, InteractiveOptions, StaticGating, 231 231 }; 232 - use atproto_devtool::common::identity::RealHttpClient; 232 + use atproto_devtool::common::report::CheckStatus; 233 233 234 - // Create a mock RP factory. 235 - struct TestRpFactory { 236 - client_id: Url, 237 - clock: Arc<FakeClock>, 238 - } 234 + // Create a minimal RP factory for gating tests. 235 + struct TestRpFactory; 239 236 240 237 impl atproto_devtool::common::oauth::relying_party::RpFactory for TestRpFactory { 241 238 fn build(&self) -> atproto_devtool::common::oauth::relying_party::RelyingParty { 239 + let clock = Arc::new(FakeClock::new(1_700_000_000)); 240 + let client_id: Url = "http://localhost:3000".parse().unwrap(); 242 241 atproto_devtool::common::oauth::relying_party::RelyingParty::new( 243 - self.client_id.clone(), 242 + client_id, 244 243 atproto_devtool::common::oauth::relying_party::ClientKind::Public, 245 - self.clock.clone(), 244 + clock, 246 245 [42u8; 32], 247 246 ) 248 247 } 249 248 } 250 249 251 250 let clock = Arc::new(FakeClock::new(1_700_000_000)); 252 - let client_id: Url = "http://localhost:3000".parse().unwrap(); 253 - let rp_factory = Arc::new(TestRpFactory { 254 - client_id: client_id.clone(), 255 - clock: clock.clone(), 256 - }); 251 + 252 + // Create a static gating with all gates passing. 253 + let static_gating = StaticGating { 254 + scope_present: CheckStatus::Pass, 255 + dpop_bound_required: CheckStatus::Pass, 256 + keys_have_alg: CheckStatus::Pass, 257 + grant_types_includes_authorization_code: CheckStatus::Pass, 258 + grant_types_includes_refresh_token: CheckStatus::Pass, 259 + }; 257 260 258 - // Set up interactive options. 261 + // Set up interactive options with in-process RP driver. 259 262 let interactive_opts = InteractiveOptions { 260 263 bind_port: None, 261 264 public_base_url: None, 262 - drive_mode: InteractiveDriveMode::DriveRpInProcess { rp_factory }, 265 + drive_mode: InteractiveDriveMode::DriveRpInProcess { 266 + rp_factory: Arc::new(TestRpFactory), 267 + }, 263 268 }; 264 269 265 - // Set up HTTP client. 266 - let reqwest_client = reqwest::Client::builder() 267 - .use_rustls_tls() 268 - .build() 269 - .expect("build reqwest client"); 270 - let http = RealHttpClient::from_client(reqwest_client.clone()); 271 - let jwks_fetcher = 272 - atproto_devtool::commands::test::oauth::client::pipeline::jwks::RealJwksFetcher::new( 273 - reqwest_client, 274 - ); 270 + // Call interactive::run directly with known-passing StaticGating. 271 + let output = interactive::run(static_gating, None, None, &interactive_opts, clock).await; 275 272 276 - // Build options with interactive stage. 277 - let opts = OauthClientOptions { 278 - http: &http, 279 - jwks: &jwks_fetcher, 280 - verbose: false, 281 - interactive: Some(&interactive_opts), 282 - }; 273 + // Verify that all expected checks are present. 274 + assert_eq!(output.results.len(), 6, "should have 6 checks"); 283 275 284 - // Create a loopback target (doesn't need to be fetched). 285 - let target = OauthClientTarget::Loopback( 286 - atproto_devtool::commands::test::oauth::client::pipeline::LoopbackTarget { 287 - host: atproto_devtool::commands::test::oauth::client::pipeline::LoopbackHost::Localhost, 288 - port: None, 289 - path: "/".to_string(), 290 - }, 276 + // Check that ServerBound passed (server bind was successful). 277 + let server_bound = output 278 + .results 279 + .iter() 280 + .find(|r| r.id == "oauth_client::interactive::server_bound") 281 + .expect("ServerBound check present"); 282 + assert_eq!( 283 + server_bound.status, 284 + CheckStatus::Pass, 285 + "ServerBound should pass when gates allow" 291 286 ); 292 287 293 - // Run the pipeline (this will run discovery, metadata, JWKS, and interactive stages). 294 - // Note: This test will fail at discovery stage since we're using a loopback target 295 - // without a real metadata. For a full happy-path test, we'd need to mock the 296 - // HTTP responses or use a real server. This test verifies the pipeline structure. 297 - let report = run_pipeline(target, opts).await; 298 - 299 - // The report should exist (even if stages fail due to missing server). 300 - assert!( 301 - !report.exit_code() < 2 || report.exit_code() == 1, 302 - "report created" 288 + // ClientRefreshed should always be skipped in Phase 7. 289 + let client_refreshed = output 290 + .results 291 + .iter() 292 + .find(|r| r.id == "oauth_client::interactive::client_refreshed") 293 + .expect("ClientRefreshed check present"); 294 + assert_eq!( 295 + client_refreshed.status, 296 + CheckStatus::Skipped, 297 + "ClientRefreshed should be skipped in Phase 7" 303 298 ); 304 299 } 305 300

Configure Feed

Configure Feed