From 086c044dc34dfc0f74fbe41f4ecb402b2cd34884 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 03:13:33 +0200
Subject: Merging upstream version 125.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../support/fedcm/manifest-token-nocors.json       |  7 +++
 .../support/fedcm/manifest_with_rp_mode.json       |  6 +++
 .../fedcm/manifest_with_variable_accounts.json     | 10 ++++-
 .../support/fedcm/request-params-check.py          |  2 +
 .../support/fedcm/set_accounts_cookie.py           | 21 +++++++++
 .../credential-management/support/fedcm/token.py   |  3 ++
 .../support/fedcm/token_with_rp_mode.py            | 12 ++++++
 .../support/fedcm/variable_accounts.py             | 50 ++++++++++++++--------
 8 files changed, 93 insertions(+), 18 deletions(-)
 create mode 100644 testing/web-platform/tests/credential-management/support/fedcm/manifest-token-nocors.json
 create mode 100644 testing/web-platform/tests/credential-management/support/fedcm/manifest_with_rp_mode.json
 create mode 100644 testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
 create mode 100644 testing/web-platform/tests/credential-management/support/fedcm/token_with_rp_mode.py

(limited to 'testing/web-platform/tests/credential-management/support')

diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest-token-nocors.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest-token-nocors.json
new file mode 100644
index 0000000000..77ba1b4702
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest-token-nocors.json
@@ -0,0 +1,7 @@
+{
+  "accounts_endpoint": "accounts.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token.py?nocors=1",
+  "disconnect_endpoint": "disconnect.py",
+  "login_url": "login.html"
+}
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_rp_mode.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_rp_mode.json
new file mode 100644
index 0000000000..5692fd9190
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_rp_mode.json
@@ -0,0 +1,6 @@
+{
+  "accounts_endpoint": "two_accounts.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token_with_rp_mode.py",
+  "login_url": "login.html"
+}
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json
index 10c2ddd55d..9e4af25004 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json
+++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_variable_accounts.json
@@ -2,5 +2,13 @@
   "accounts_endpoint": "variable_accounts.py",
   "client_metadata_endpoint": "client_metadata.py",
   "id_assertion_endpoint": "token_with_account_id.py",
-  "login_url": "login.html"
+  "login_url": "login.html",
+  "modes": {
+    "button": {
+      "supports_use_other_account": true
+    },
+    "widget": {
+      "supports_use_other_account": true
+    }
+  }
 }
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
index daf91aad8f..b774496d5d 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py
@@ -80,6 +80,8 @@ def tokenCheck(request):
     return (544, [], "Missing 'account_id' POST parameter")
   if not request.POST.get(b"disclosure_text_shown"):
     return (545, [], "Missing 'disclosure_text_shown' POST parameter")
+  if not request.headers.get(b"Origin"):
+    return (540, [], "Missing Origin")
 
 def revokeCheck(request):
   common_error = commonCheck(request, b"cors")
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
new file mode 100644
index 0000000000..ab34992210
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py
@@ -0,0 +1,21 @@
+def main(request, response):
+  query_string = request.url_parts[3]
+  # We mark the cookie as HttpOnly so that this request
+  # can be made before login.html, which would overwrite
+  # the value to 1.
+  header_value = "accounts={}; SameSite=None; Secure; HttpOnly".format(query_string)
+  response.headers.set(b"Set-Cookie", header_value.encode("utf-8"))
+  response.headers.set(b"Content-Type", b"text/html")
+
+  return """
+<!DOCTYPE html>
+<script>
+// The important part of this page are the headers.
+
+// If this page was opened as a popup, notify the opener.
+if (window.opener) {
+  window.opener.postMessage("done_loading", "*");
+}
+</script>
+Sent header value: {}".format(header_value)
+"""
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token.py b/testing/web-platform/tests/credential-management/support/fedcm/token.py
index b914eb2d96..7ec81c390a 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/token.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/token.py
@@ -7,5 +7,8 @@ def main(request, response):
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
+  if b"nocors" not in request.GET:
+    response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+    response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   return "{\"token\": \"token\"}"
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token_with_rp_mode.py b/testing/web-platform/tests/credential-management/support/fedcm/token_with_rp_mode.py
new file mode 100644
index 0000000000..515736416f
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/token_with_rp_mode.py
@@ -0,0 +1,12 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.tokenCheck(request)
+  if (request_error):
+    return request_error
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  rp_mode = request.POST.get(b"mode")
+  return "{\"token\": \"mode=" + rp_mode.decode("utf-8") + "\"}"
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py b/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py
index c9db2c4528..fc4446acc4 100644
--- a/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py
+++ b/testing/web-platform/tests/credential-management/support/fedcm/variable_accounts.py
@@ -1,25 +1,14 @@
 import importlib
 error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
 
-def main(request, response):
-  request_error = error_checker.accountsCheck(request)
-  if (request_error):
-    return request_error
-
-  response.headers.set(b"Content-Type", b"application/json")
-
-  if request.cookies.get(b"accounts") != b"1":
-    return """
-{
- "accounts": [
-  ]
-}
+result_json = """
+{{
+ "accounts": [{}]
+}}
 """
 
-
-  return """
+one_account = """
 {
- "accounts": [{
    "id": "1234",
    "given_name": "John",
    "name": "John Doe",
@@ -28,6 +17,33 @@ def main(request, response):
    "approved_clients": ["123", "456", "789"],
    "login_hints": ["john_doe"],
    "hosted_domains": ["idp.example", "example"]
-  }]
+  }
+"""
+
+
+two_accounts = one_account + """
+, {
+   "id": "jane_doe",
+   "given_name": "Jane",
+   "name": "Jane Doe",
+   "email": "jane_doe@idp.example",
+   "picture": "https://idp.example/profile/5678",
+   "approved_clients": ["123", "abc"]
 }
 """
+
+def main(request, response):
+  request_error = error_checker.accountsCheck(request)
+  if (request_error):
+    return request_error
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  if request.cookies.get(b"accounts") == b"1":
+    return result_json.format(one_account)
+  if request.cookies.get(b"accounts") == b"2":
+    return result_json.format(two_accounts)
+
+  return result_json.format("")
+
+
-- 
cgit v1.2.3