canaille-globuzma/tests/oidc/test_token_introspection.py

from urllib.parse import parse_qs
from urllib.parse import urlsplit

from canaille.app import models

from . import client_credentials


def test_access_token_introspection(testclient, user, client, token):
    res = testclient.post(
        "/oauth/introspect",
        params={"token": token.access_token},
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=200,
    )
    assert {
        "active": True,
        "client_id": client.client_id,
        "token_type": token.type,
        "username": user.formatted_name,
        "scope": token.get_scope(),
        "sub": user.user_name,
        "aud": [client.client_id],
        "iss": "https://auth.mydomain.tld",
        "exp": token.get_expires_at(),
        "iat": token.get_issued_at(),
    } == res.json


def test_refresh_token_introspection(testclient, user, client, token):
    res = testclient.post(
        "/oauth/introspect",
        params={"token": token.refresh_token},
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=200,
    )
    assert {
        "active": True,
        "client_id": client.client_id,
        "token_type": token.type,
        "username": user.formatted_name,
        "scope": token.get_scope(),
        "sub": user.user_name,
        "aud": [client.client_id],
        "iss": "https://auth.mydomain.tld",
        "exp": token.get_expires_at(),
        "iat": token.get_issued_at(),
    } == res.json


def test_token_invalid(testclient, client):
    res = testclient.post(
        "/oauth/introspect",
        params=dict(token="invalid"),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=200,
    )
    assert {"active": False} == res.json


def test_full_flow(testclient, logged_user, client, user, trusted_client, backend):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="profile",
            nonce="somenonce",
        ),
        status=200,
    )

    res = res.form.submit(name="answer", value="accept", status=302)

    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).query)
    code = params["code"][0]
    authcode = backend.get(models.AuthorizationCode, code=code)
    assert authcode is not None

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="authorization_code",
            code=code,
            scope="profile",
            redirect_uri=client.redirect_uris[0],
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=200,
    )
    access_token = res.json["access_token"]

    token = backend.get(models.Token, access_token=access_token)
    assert token.client == client
    assert token.subject == logged_user

    res = testclient.post(
        "/oauth/introspect",
        params=dict(
            token=token.access_token,
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=200,
    )
    assert set(res.json["aud"]) == {client.client_id, trusted_client.client_id}
    assert res.json["active"]
    assert res.json["client_id"] == client.client_id
    assert res.json["token_type"] == token.type
    assert res.json["username"] == user.formatted_name
    assert res.json["scope"] == token.get_scope()
    assert res.json["sub"] == user.user_name
    assert res.json["iss"] == "https://auth.mydomain.tld"
    assert res.json["exp"] == token.get_expires_at()
    assert res.json["iat"] == token.get_issued_at()
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from urllib.parse import parse_qs`
			`from urllib.parse import urlsplit`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
pre-commit tox test 2021-12-20 22:57:27 +00:00
Token introspection testfile 2020-08-24 12:44:41 +00:00			`from . import client_credentials`


unit tests: improved token introspection coverage 2022-12-10 20:10:18 +00:00			`def test_access_token_introspection(testclient, user, client, token):`
Token introspection testfile 2020-08-24 12:44:41 +00:00			`res = testclient.post(`
			`"/oauth/introspect",`
unit tests: improved token introspection coverage 2022-12-10 20:10:18 +00:00			`params={"token": token.access_token},`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`status=200,`
			`)`
			`assert {`
			`"active": True,`
			`"client_id": client.client_id,`
			`"token_type": token.type,`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`"username": user.formatted_name,`
unit tests: improved token introspection coverage 2022-12-10 20:10:18 +00:00			`"scope": token.get_scope(),`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`"sub": user.user_name,`
unit tests: improved token introspection coverage 2022-12-10 20:10:18 +00:00			`"aud": [client.client_id],`
			`"iss": "https://auth.mydomain.tld",`
			`"exp": token.get_expires_at(),`
			`"iat": token.get_issued_at(),`
			`} == res.json`


			`def test_refresh_token_introspection(testclient, user, client, token):`
			`res = testclient.post(`
			`"/oauth/introspect",`
			`params={"token": token.refresh_token},`
Token introspection testfile 2020-08-24 12:44:41 +00:00			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`status=200,`
Token introspection testfile 2020-08-24 12:44:41 +00:00			`)`
			`assert {`
			`"active": True,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"client_id": client.client_id,`
			`"token_type": token.type,`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`"username": user.formatted_name,`
Token introspection testfile 2020-08-24 12:44:41 +00:00			`"scope": token.get_scope(),`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`"sub": user.user_name,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"aud": [client.client_id],`
Updated issuer test fixture 2022-11-15 15:00:29 +00:00			`"iss": "https://auth.mydomain.tld",`
Token introspection testfile 2020-08-24 12:44:41 +00:00			`"exp": token.get_expires_at(),`
			`"iat": token.get_issued_at(),`
			`} == res.json`
Token introspection unit test 2020-08-24 12:47:55 +00:00

			`def test_token_invalid(testclient, client):`
			`res = testclient.post(`
			`"/oauth/introspect",`
			`params=dict(token="invalid"),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`status=200,`
Token introspection unit test 2020-08-24 12:47:55 +00:00			`)`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`assert {"active": False} == res.json`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`def test_full_flow(testclient, logged_user, client, user, trusted_client, backend):`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=client.client_id,`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`scope="profile",`
			`nonce="somenonce",`
			`),`
			`status=200,`
			`)`

			`res = res.form.submit(name="answer", value="accept", status=302)`

LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`assert res.location.startswith(client.redirect_uris[0])`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`params = parse_qs(urlsplit(res.location).query)`
			`code = params["code"][0]`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`authcode = backend.get(models.AuthorizationCode, code=code)`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`assert authcode is not None`

			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="authorization_code",`
			`code=code,`
			`scope="profile",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uri=client.redirect_uris[0],`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`status=200,`
			`)`
			`access_token = res.json["access_token"]`

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`token = backend.get(models.Token, access_token=access_token)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`assert token.client == client`
			`assert token.subject == logged_user`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00
			`res = testclient.post(`
			`"/oauth/introspect",`
			`params=dict(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token=token.access_token,`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`status=200,`
			`)`
tests: renamed other_client fixture in trusted_client 2023-12-23 16:23:19 +00:00			`assert set(res.json["aud"]) == {client.client_id, trusted_client.client_id}`
tests: backport tests from sqlachemy branch 2023-11-24 11:10:17 +00:00			`assert res.json["active"]`
			`assert res.json["client_id"] == client.client_id`
			`assert res.json["token_type"] == token.type`
			`assert res.json["username"] == user.formatted_name`
			`assert res.json["scope"] == token.get_scope()`
			`assert res.json["sub"] == user.user_name`
			`assert res.json["iss"] == "https://auth.mydomain.tld"`
			`assert res.json["exp"] == token.get_expires_at()`
			`assert res.json["iat"] == token.get_issued_at()`