canaille-globuzma/tests/oidc/test_authorization_prompt.py

"""Tests the behavior of Canaille depending on the OIDC 'prompt' parameter.

https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
"""

import datetime
import uuid
from urllib.parse import parse_qs
from urllib.parse import urlsplit

from flask import url_for

from canaille.app import models
from canaille.core.endpoints.account import RegistrationPayload


def test_prompt_none(testclient, logged_user, client, backend):
    """Nominal case with prompt=none."""
    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=logged_user,
        scope=["openid", "profile"],
    )
    backend.save(consent)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=302,
    )
    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).query)
    assert "code" in params

    backend.delete(consent)


def test_prompt_not_logged(testclient, user, client, backend):
    """Prompt=none should return a login_required error when no user is logged
    in.

    login_required     The Authorization Server requires End-User
    authentication.     This error MAY be returned when the prompt
    parameter value in the     Authentication Request is none, but the
    Authentication Request     cannot be completed without displaying a
    user interface for End-User     authentication.
    """
    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=user,
        scope=["openid", "profile"],
    )
    backend.save(consent)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=200,
    )
    assert "login_required" == res.json.get("error")

    backend.delete(consent)


def test_prompt_no_consent(testclient, logged_user, client):
    """Prompt=none should return a consent_required error when user are logged
    in but have not granted their consent.

    consent_required The Authorization Server requires End-User consent.
    This error MAY be returned when the prompt parameter value in the
    Authentication Request is none, but the Authentication Request
    cannot be completed without displaying a user interface for End-User
    consent.
    """
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=200,
    )
    assert "consent_required" == res.json.get("error")


def test_prompt_create_logged(testclient, logged_user, client, backend):
    """If prompt=create and user is already logged in, then go straight to the
    consent page."""
    testclient.app.config["CANAILLE"]["ENABLE_REGISTRATION"] = True

    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=logged_user,
        scope=["openid", "profile"],
    )
    backend.save(consent)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="create",
        ),
        status=302,
    )
    assert res.location.startswith(client.redirect_uris[0])

    backend.delete(consent)


def test_prompt_create_registration_disabled(testclient, trusted_client, smtpd):
    """If prompt=create but Canaille registration is disabled, an error
    response should be returned.

    If the OpenID Provider receives a prompt value that it does not
    support (not declared in the prompt_values_supported metadata field)
    the OP SHOULD respond with an HTTP 400 (Bad Request) status code and
    an error value of invalid_request. It is RECOMMENDED that the OP
    return an error_description value identifying the invalid parameter
    value.
    """
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=trusted_client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="create",
        ),
        status=400,
    )
    assert res.json == {
        "error": "invalid_request",
        "error_description": "prompt 'create' value is not supported",
    }


def test_prompt_create_not_logged(testclient, trusted_client, smtpd):
    """If prompt=create and user is not logged in, then display the
    registration form.

    Check that the user is correctly redirected to the client page after
    the registration process.
    """
    testclient.app.config["CANAILLE"]["ENABLE_REGISTRATION"] = True

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=trusted_client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="create",
        ),
    )

    # Display the registration form
    res = res.follow()
    res.form["email"] = "foo@bar.test"
    res = res.form.submit()

    # Checks the registration mail is sent
    assert len(smtpd.messages) == 1

    # Simulate a click on the validation link in the mail
    payload = RegistrationPayload(
        creation_date_isoformat=datetime.datetime.now(
            datetime.timezone.utc
        ).isoformat(),
        user_name="",
        user_name_editable=True,
        email="foo@bar.test",
        groups=[],
    )
    registration_url = url_for(
        "core.account.registration",
        data=payload.b64(),
        hash=payload.build_hash(),
        _external=True,
    )

    # Fill the user creation form
    res = testclient.get(registration_url)
    res.form["user_name"] = "newuser"
    res.form["password1"] = "i'm a little pea"
    res.form["password2"] = "i'm a little pea"
    res.form["family_name"] = "newuser"
    res = res.form.submit()

    assert res.flashes == [
        ("success", "Your account has been created successfully."),
    ]

    # Return to the client
    res = res.follow()
    assert res.location.startswith(trusted_client.redirect_uris[0])
chore: add docformatter pre-commit 2023-12-28 17:31:57 +00:00			`"""Tests the behavior of Canaille depending on the OIDC 'prompt' parameter.`

tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00			`https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint`
			`"""`
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`import datetime`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00			`import uuid`
			`from urllib.parse import parse_qs`
			`from urllib.parse import urlsplit`

chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00			`from flask import url_for`

tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00			`from canaille.app import models`
refactor: gather endpoints in a 'endpoints' directory 2023-12-25 23:23:47 +00:00			`from canaille.core.endpoints.account import RegistrationPayload`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00

refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`def test_prompt_none(testclient, logged_user, client, backend):`
chore: add docformatter pre-commit 2023-12-28 17:31:57 +00:00			`"""Nominal case with prompt=none."""`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00			`consent = models.Consent(`
			`consent_id=str(uuid.uuid4()),`
			`client=client,`
			`subject=logged_user,`
			`scope=["openid", "profile"],`
			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(consent)`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.client_id,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`prompt="none",`
			`),`
			`status=302,`
			`)`
			`assert res.location.startswith(client.redirect_uris[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`assert "code" in params`

refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(consent)`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00

refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`def test_prompt_not_logged(testclient, user, client, backend):`
chore: add docformatter pre-commit 2023-12-28 17:31:57 +00:00			`"""Prompt=none should return a login_required error when no user is logged`
			`in.`

			`login_required The Authorization Server requires End-User`
			`authentication. This error MAY be returned when the prompt`
			`parameter value in the Authentication Request is none, but the`
			`Authentication Request cannot be completed without displaying a`
			`user interface for End-User authentication.`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00			`"""`
			`consent = models.Consent(`
			`consent_id=str(uuid.uuid4()),`
			`client=client,`
			`subject=user,`
			`scope=["openid", "profile"],`
			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(consent)`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.client_id,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`prompt="none",`
			`),`
			`status=200,`
			`)`
			`assert "login_required" == res.json.get("error")`

refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(consent)`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00

			`def test_prompt_no_consent(testclient, logged_user, client):`
chore: add docformatter pre-commit 2023-12-28 17:31:57 +00:00			`"""Prompt=none should return a consent_required error when user are logged`
			`in but have not granted their consent.`

			`consent_required The Authorization Server requires End-User consent.`
			`This error MAY be returned when the prompt parameter value in the`
			`Authentication Request is none, but the Authentication Request`
			`cannot be completed without displaying a user interface for End-User`
			`consent.`
tests: extracted the prompt tests in a dedicated file 2023-12-22 20:18:02 +00:00			`"""`
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.client_id,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`prompt="none",`
			`),`
			`status=200,`
			`)`
			`assert "consent_required" == res.json.get("error")`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00

refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`def test_prompt_create_logged(testclient, logged_user, client, backend):`
chore: add docformatter pre-commit 2023-12-28 17:31:57 +00:00			`"""If prompt=create and user is already logged in, then go straight to the`
			`consent page."""`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE"]["ENABLE_REGISTRATION"] = True`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00
			`consent = models.Consent(`
			`consent_id=str(uuid.uuid4()),`
			`client=client,`
			`subject=logged_user,`
			`scope=["openid", "profile"],`
			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(consent)`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.client_id,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`prompt="create",`
			`),`
			`status=302,`
			`)`
			`assert res.location.startswith(client.redirect_uris[0])`

refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(consent)`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00

			`def test_prompt_create_registration_disabled(testclient, trusted_client, smtpd):`
chore: add docformatter pre-commit 2023-12-28 17:31:57 +00:00			`"""If prompt=create but Canaille registration is disabled, an error`
			`response should be returned.`

			`If the OpenID Provider receives a prompt value that it does not`
			`support (not declared in the prompt_values_supported metadata field)`
			`the OP SHOULD respond with an HTTP 400 (Bad Request) status code and`
			`an error value of invalid_request. It is RECOMMENDED that the OP`
			`return an error_description value identifying the invalid parameter`
			`value.`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`"""`
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=trusted_client.client_id,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`prompt="create",`
			`),`
			`status=400,`
			`)`
			`assert res.json == {`
			`"error": "invalid_request",`
			`"error_description": "prompt 'create' value is not supported",`
			`}`


			`def test_prompt_create_not_logged(testclient, trusted_client, smtpd):`
chore: add docformatter pre-commit 2023-12-28 17:31:57 +00:00			`"""If prompt=create and user is not logged in, then display the`
			`registration form.`

			`Check that the user is correctly redirected to the client page after`
			`the registration process.`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`"""`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE"]["ENABLE_REGISTRATION"] = True`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=trusted_client.client_id,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`prompt="create",`
			`),`
			`)`

			`# Display the registration form`
			`res = res.follow()`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`res.form["email"] = "foo@bar.test"`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`res = res.form.submit()`

			`# Checks the registration mail is sent`
			`assert len(smtpd.messages) == 1`

			`# Simulate a click on the validation link in the mail`
			`payload = RegistrationPayload(`
			`creation_date_isoformat=datetime.datetime.now(`
			`datetime.timezone.utc`
			`).isoformat(),`
			`user_name="",`
			`user_name_editable=True,`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`email="foo@bar.test",`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`groups=[],`
			`)`
			`registration_url = url_for(`
			`"core.account.registration",`
			`data=payload.b64(),`
			`hash=payload.build_hash(),`
			`_external=True,`
			`)`

			`# Fill the user creation form`
			`res = testclient.get(registration_url)`
			`res.form["user_name"] = "newuser"`
updates tests with compromised password check with api HIBP 2024-11-05 14:44:25 +00:00			`res.form["password1"] = "i'm a little pea"`
			`res.form["password2"] = "i'm a little pea"`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`res.form["family_name"] = "newuser"`
			`res = res.form.submit()`

			`assert res.flashes == [`
			`("success", "Your account has been created successfully."),`
			`]`

			`# Return to the client`
			`res = res.follow()`
			`assert res.location.startswith(trusted_client.redirect_uris[0])`