canaille-globuzma/tests/oidc/test_consent.py

import logging
from urllib.parse import parse_qs
from urllib.parse import urlsplit

from canaille.app import models

from . import client_credentials


def test_no_logged_no_access(testclient):
    testclient.get("/consent", status=403)


def test_revokation(testclient, client, consent, logged_user, token, backend, caplog):
    res = testclient.get("/consent", status=200)
    res.mustcontain(client.client_name)
    res.mustcontain("Revoke access")
    res.mustcontain(no="Restore access")
    assert not consent.revoked
    assert not token.revoked

    res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)
    assert ("success", "The access has been revoked") in res.flashes
    assert (
        "canaille",
        logging.SECURITY,
        f"Consent revoked for {logged_user.user_name} in client {client.client_name} from unknown IP",
    ) in caplog.record_tuples
    res = res.follow(status=200)
    res.mustcontain(no="Revoke access")
    res.mustcontain("Restore access")

    backend.reload(consent)
    assert consent.revoked
    backend.reload(token)
    assert token.revoked


def test_revokation_already_revoked(testclient, client, consent, logged_user, backend):
    consent.revoke()

    assert consent.revoked

    res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)
    assert ("error", "The access is already revoked") in res.flashes
    res = res.follow(status=200)

    backend.reload(consent)
    assert consent.revoked


def test_restoration(testclient, client, consent, logged_user, token, backend):
    consent.revoke()

    assert consent.revoked
    backend.reload(token)
    assert token.revoked

    res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)
    assert ("success", "The access has been restored") in res.flashes
    res = res.follow(status=200)

    backend.reload(consent)
    assert not consent.revoked
    backend.reload(token)
    assert token.revoked


def test_restoration_already_restored(testclient, client, consent, logged_user, token):
    assert not consent.revoked

    res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)
    assert ("error", "The access is not revoked") in res.flashes
    res = res.follow(status=200)


def test_invalid_consent_revokation(testclient, client, logged_user):
    res = testclient.get("/consent/revoke/invalid", status=302)
    assert ("success", "The access has been revoked") not in res.flashes
    assert ("error", "Could not revoke this access") in res.flashes


def test_someone_else_consent_revokation(testclient, client, consent, logged_moderator):
    res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)
    assert ("success", "The access has been revoked") not in res.flashes
    assert ("error", "Could not revoke this access") in res.flashes


def test_invalid_consent_restoration(testclient, client, logged_user):
    res = testclient.get("/consent/restore/invalid", status=302)
    assert ("success", "The access has been restored") not in res.flashes
    assert ("error", "Could not restore this access") in res.flashes


def test_someone_else_consent_restoration(
    testclient, client, consent, logged_moderator
):
    res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)
    assert ("success", "The access has been restore") not in res.flashes
    assert ("error", "Could not restore this access") in res.flashes


def test_oidc_authorization_after_revokation(
    testclient, logged_user, client, keypair, consent, backend
):
    consent.revoke()

    assert consent.revoked

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
        ),
        status=200,
    )

    res = res.form.submit(name="answer", value="accept", status=302)

    consents = backend.query(models.Consent, client=client, subject=logged_user)
    backend.reload(consent)
    assert consents[0] == consent
    assert not consent.revoked

    params = parse_qs(urlsplit(res.location).query)
    code = params["code"][0]
    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="authorization_code",
            code=code,
            scope="openid profile",
            redirect_uri=client.redirect_uris[0],
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=200,
    )

    access_token = res.json["access_token"]
    token = backend.get(models.Token, access_token=access_token)
    assert token.client == client
    assert token.subject == logged_user


def test_preconsented_client_appears_in_consent_list(
    testclient, client, logged_user, backend
):
    assert not client.preconsent
    res = testclient.get("/consent/pre-consents")
    res.mustcontain(no=client.client_name)

    client.preconsent = True
    backend.save(client)

    res = testclient.get("/consent/pre-consents")
    res.mustcontain(client.client_name)


def test_revoke_preconsented_client(testclient, client, logged_user, token, backend):
    client.preconsent = True
    backend.save(client)
    assert not backend.get(models.Consent)
    assert not token.revoked

    res = testclient.get(f"/consent/revoke-preconsent/{client.client_id}", status=302)
    assert ("success", "The access has been revoked") in res.flashes

    consent = backend.get(models.Consent)
    assert consent.client == client
    assert consent.subject == logged_user
    assert consent.scope == ["openid", "email", "profile", "groups", "address", "phone"]
    assert not consent.issue_date
    backend.reload(token)
    assert token.revoked

    res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)
    assert ("success", "The access has been restored") in res.flashes

    backend.reload(consent)
    assert not consent.revoked
    assert consent.issue_date
    backend.reload(token)
    assert token.revoked

    res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)
    assert ("success", "The access has been revoked") in res.flashes
    backend.reload(consent)
    assert consent.revoked
    assert consent.issue_date


def test_revoke_invalid_preconsented_client(testclient, logged_user):
    res = testclient.get("/consent/revoke-preconsent/invalid", status=302)
    assert ("error", "Could not revoke this access") in res.flashes


def test_revoke_preconsented_client_with_manual_consent(
    testclient, logged_user, client, consent, backend
):
    client.preconsent = True
    backend.save(client)
    res = testclient.get(f"/consent/revoke-preconsent/{client.client_id}", status=302)
    res = res.follow()
    assert ("success", "The access has been revoked") in res.flashes


def test_revoke_preconsented_client_with_manual_revokation(
    testclient, logged_user, client, consent, backend
):
    client.preconsent = True
    backend.save(client)
    consent.revoke()
    backend.save(consent)

    res = testclient.get(f"/consent/revoke-preconsent/{client.client_id}", status=302)
    res = res.follow()
    assert ("error", "The access is already revoked") in res.flashes
feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`import logging`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`from urllib.parse import parse_qs`
			`from urllib.parse import urlsplit`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00
			`from . import client_credentials`
test consent removal with arleady revoked tokens 2022-12-10 10:24:53 +00:00

Consents page 2020-09-17 10:01:21 +00:00			`def test_no_logged_no_access(testclient):`
			`testclient.get("/consent", status=403)`


feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`def test_revokation(testclient, client, consent, logged_user, token, backend, caplog):`
Minor test refactoring 2020-10-30 18:19:34 +00:00			`res = testclient.get("/consent", status=200)`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(client.client_name)`
			`res.mustcontain("Revoke access")`
			`res.mustcontain(no="Restore access")`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert not consent.revoked`
Consents page 2020-09-17 10:01:21 +00:00			`assert not token.revoked`

refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)`
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`assert ("success", "The access has been revoked") in res.flashes`
feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`assert (`
			`"canaille",`
refactor : added proper security logging level and refactored change email logging 2024-10-21 09:17:55 +00:00			`logging.SECURITY,`
			`f"Consent revoked for {logged_user.user_name} in client {client.client_name} from unknown IP",`
feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`) in caplog.record_tuples`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.follow(status=200)`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(no="Revoke access")`
			`res.mustcontain("Restore access")`
Consents page 2020-09-17 10:01:21 +00:00
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(consent)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert consent.revoked`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(token)`
Consents page 2020-09-17 10:01:21 +00:00			`assert token.revoked`
unit tests: added consent deletion tests 2022-12-04 12:57:56 +00:00

refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`def test_revokation_already_revoked(testclient, client, consent, logged_user, backend):`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`consent.revoke()`

			`assert consent.revoked`

refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert ("error", "The access is already revoked") in res.flashes`
			`res = res.follow(status=200)`

refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(consent)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert consent.revoked`

test consent removal with arleady revoked tokens 2022-12-10 10:24:53 +00:00
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`def test_restoration(testclient, client, consent, logged_user, token, backend):`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`consent.revoke()`

			`assert consent.revoked`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(token)`
test consent removal with arleady revoked tokens 2022-12-10 10:24:53 +00:00			`assert token.revoked`

refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert ("success", "The access has been restored") in res.flashes`
test consent removal with arleady revoked tokens 2022-12-10 10:24:53 +00:00			`res = res.follow(status=200)`

refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(consent)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert not consent.revoked`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(token)`
test consent removal with arleady revoked tokens 2022-12-10 10:24:53 +00:00			`assert token.revoked`


Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`def test_restoration_already_restored(testclient, client, consent, logged_user, token):`
			`assert not consent.revoked`

refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert ("error", "The access is not revoked") in res.flashes`
			`res = res.follow(status=200)`


			`def test_invalid_consent_revokation(testclient, client, logged_user):`
Use ruff linter 2023-05-25 11:37:58 +00:00			`res = testclient.get("/consent/revoke/invalid", status=302)`
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`assert ("success", "The access has been revoked") not in res.flashes`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert ("error", "Could not revoke this access") in res.flashes`
unit tests: added consent deletion tests 2022-12-04 12:57:56 +00:00

Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`def test_someone_else_consent_revokation(testclient, client, consent, logged_moderator):`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)`
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`assert ("success", "The access has been revoked") not in res.flashes`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert ("error", "Could not revoke this access") in res.flashes`


			`def test_invalid_consent_restoration(testclient, client, logged_user):`
Use ruff linter 2023-05-25 11:37:58 +00:00			`res = testclient.get("/consent/restore/invalid", status=302)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert ("success", "The access has been restored") not in res.flashes`
			`assert ("error", "Could not restore this access") in res.flashes`


			`def test_someone_else_consent_restoration(`
			`testclient, client, consent, logged_moderator`
			`):`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert ("success", "The access has been restore") not in res.flashes`
			`assert ("error", "Could not restore this access") in res.flashes`


			`def test_oidc_authorization_after_revokation(`
refactor: move BackendModel.query to Backend.query 2024-04-10 13:44:11 +00:00			`testclient, logged_user, client, keypair, consent, backend`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`):`
			`consent.revoke()`

			`assert consent.revoked`

			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.client_id,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`),`
			`status=200,`
			`)`

			`res = res.form.submit(name="answer", value="accept", status=302)`

refactor: move BackendModel.query to Backend.query 2024-04-10 13:44:11 +00:00			`consents = backend.query(models.Consent, client=client, subject=logged_user)`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(consent)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`assert consents[0] == consent`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`assert not consent.revoked`

			`params = parse_qs(urlsplit(res.location).query)`
			`code = params["code"][0]`
			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="authorization_code",`
			`code=code,`
			`scope="openid profile",`
			`redirect_uri=client.redirect_uris[0],`
			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`status=200,`
			`)`

			`access_token = res.json["access_token"]`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`token = backend.get(models.Token, access_token=access_token)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`assert token.client == client`
			`assert token.subject == logged_user`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00

refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`def test_preconsented_client_appears_in_consent_list(`
			`testclient, client, logged_user, backend`
			`):`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert not client.preconsent`
Split the consent page in two 2023-03-15 16:38:32 +00:00			`res = testclient.get("/consent/pre-consents")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(no=client.client_name)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00
			`client.preconsent = True`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00
Split the consent page in two 2023-03-15 16:38:32 +00:00			`res = testclient.get("/consent/pre-consents")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(client.client_name)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`def test_revoke_preconsented_client(testclient, client, logged_user, token, backend):`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`client.preconsent = True`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert not backend.get(models.Consent)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert not token.revoked`

			`res = testclient.get(f"/consent/revoke-preconsent/{client.client_id}", status=302)`
			`assert ("success", "The access has been revoked") in res.flashes`

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`consent = backend.get(models.Consent)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`assert consent.client == client`
			`assert consent.subject == logged_user`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert consent.scope == ["openid", "email", "profile", "groups", "address", "phone"]`
			`assert not consent.issue_date`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(token)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert token.revoked`

refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/restore/{consent.consent_id}", status=302)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert ("success", "The access has been restored") in res.flashes`

refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(consent)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert not consent.revoked`
			`assert consent.issue_date`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(token)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert token.revoked`

refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`res = testclient.get(f"/consent/revoke/{consent.consent_id}", status=302)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert ("success", "The access has been revoked") in res.flashes`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(consent)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`assert consent.revoked`
			`assert consent.issue_date`


			`def test_revoke_invalid_preconsented_client(testclient, logged_user):`
			`res = testclient.get("/consent/revoke-preconsent/invalid", status=302)`
			`assert ("error", "Could not revoke this access") in res.flashes`


			`def test_revoke_preconsented_client_with_manual_consent(`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`testclient, logged_user, client, consent, backend`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`):`
			`client.preconsent = True`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`res = testclient.get(f"/consent/revoke-preconsent/{client.client_id}", status=302)`
			`res = res.follow()`
			`assert ("success", "The access has been revoked") in res.flashes`


			`def test_revoke_preconsented_client_with_manual_revokation(`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`testclient, logged_user, client, consent, backend`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`):`
			`client.preconsent = True`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`consent.revoke()`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(consent)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00
			`res = testclient.get(f"/consent/revoke-preconsent/{client.client_id}", status=302)`
			`res = res.follow()`
			`assert ("error", "The access is already revoked") in res.flashes`