canaille-globuzma/tests/oidc/test_hybrid_flow.py

from urllib.parse import parse_qs
from urllib.parse import urlsplit

from authlib.jose import jwt
from canaille.oidc.models import AuthorizationCode
from canaille.oidc.models import Token


def test_oauth_hybrid(testclient, slapd_connection, user, client):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code token",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
        ),
        status=200,
    )
    assert "text/html" == res.content_type, res.json

    res.form["login"] = user.user_name[0]
    res.form["password"] = "correct horse battery staple"
    res = res.form.submit(status=302)

    res = res.follow(status=200)
    assert "text/html" == res.content_type, res.json

    res = res.form.submit(name="answer", value="accept", status=302)

    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).fragment)

    code = params["code"][0]
    authcode = AuthorizationCode.get(code=code)
    assert authcode is not None

    access_token = params["access_token"][0]
    token = Token.get(access_token=access_token)
    assert token is not None

    res = testclient.get(
        "/oauth/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
        status=200,
    )
    assert res.json["name"] == "John (johnny) Doe"


def test_oidc_hybrid(
    testclient, slapd_connection, logged_user, client, keypair, other_client
):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code id_token token",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
        ),
    )
    assert "text/html" == res.content_type, res.json

    res = res.form.submit(name="answer", value="accept", status=302)

    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).fragment)

    code = params["code"][0]
    authcode = AuthorizationCode.get(code=code)
    assert authcode is not None

    access_token = params["access_token"][0]
    token = Token.get(access_token=access_token)
    assert token is not None

    id_token = params["id_token"][0]
    claims = jwt.decode(id_token, keypair[1])
    assert logged_user.user_name[0] == claims["sub"]
    assert logged_user.formatted_name[0] == claims["name"]
    assert [client.client_id, other_client.client_id] == claims["aud"]

    res = testclient.get(
        "/oauth/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
        status=200,
    )
    assert res.json["name"] == "John (johnny) Doe"
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from urllib.parse import parse_qs`
			`from urllib.parse import urlsplit`

wip 2020-08-21 09:11:39 +00:00			`from authlib.jose import jwt`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`from canaille.oidc.models import AuthorizationCode`
			`from canaille.oidc.models import Token`
wip 2020-08-20 14:02:14 +00:00

wip 2020-08-21 09:11:39 +00:00			`def test_oauth_hybrid(testclient, slapd_connection, user, client):`
wip 2020-08-20 14:02:14 +00:00			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`response_type="code token",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=client.client_id,`
wip 2020-08-20 14:02:14 +00:00			`scope="openid profile",`
			`nonce="somenonce",`
			`),`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`status=200,`
wip 2020-08-20 14:02:14 +00:00			`)`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "text/html" == res.content_type, res.json`
wip 2020-08-20 14:02:14 +00:00
unit tests: only use user_name to authenticate users 2023-05-11 13:33:34 +00:00			`res.form["login"] = user.user_name[0]`
wip 2020-08-20 14:02:14 +00:00			`res.form["password"] = "correct horse battery staple"`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.form.submit(status=302)`
wip 2020-08-20 14:02:14 +00:00
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.follow(status=200)`
			`assert "text/html" == res.content_type, res.json`
wip 2020-08-20 14:02:14 +00:00
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.form.submit(name="answer", value="accept", status=302)`
wip 2020-08-20 14:02:14 +00:00
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`assert res.location.startswith(client.redirect_uris[0])`
Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`params = parse_qs(urlsplit(res.location).fragment)`

wip 2020-08-20 14:02:14 +00:00			`code = params["code"][0]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`authcode = AuthorizationCode.get(code=code)`
wip 2020-08-20 14:02:14 +00:00			`assert authcode is not None`

Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`access_token = params["access_token"][0]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`token = Token.get(access_token=access_token)`
wip 2020-08-20 14:02:14 +00:00			`assert token is not None`

Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
Minor test refactoring 2020-10-30 18:19:34 +00:00			`"/oauth/userinfo",`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`status=200,`
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`)`
unit tests: userinfo 2022-12-24 00:44:16 +00:00			`assert res.json["name"] == "John (johnny) Doe"`
wip 2020-08-21 09:11:39 +00:00

tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`def test_oidc_hybrid(`
			`testclient, slapd_connection, logged_user, client, keypair, other_client`
			`):`
wip 2020-08-21 09:11:39 +00:00			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code id_token token",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=client.client_id,`
wip 2020-08-21 09:11:39 +00:00			`scope="openid profile",`
			`nonce="somenonce",`
			`),`
			`)`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "text/html" == res.content_type, res.json`
wip 2020-08-21 09:11:39 +00:00
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.form.submit(name="answer", value="accept", status=302)`
wip 2020-08-21 09:11:39 +00:00
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`assert res.location.startswith(client.redirect_uris[0])`
wip 2020-08-21 09:11:39 +00:00			`params = parse_qs(urlsplit(res.location).fragment)`

			`code = params["code"][0]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`authcode = AuthorizationCode.get(code=code)`
wip 2020-08-21 09:11:39 +00:00			`assert authcode is not None`

			`access_token = params["access_token"][0]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`token = Token.get(access_token=access_token)`
wip 2020-08-21 09:11:39 +00:00			`assert token is not None`

			`id_token = params["id_token"][0]`
Use private/public keys to sign JWTs 2020-08-28 14:07:39 +00:00			`claims = jwt.decode(id_token, keypair[1])`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`assert logged_user.user_name[0] == claims["sub"]`
			`assert logged_user.formatted_name[0] == claims["name"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`assert [client.client_id, other_client.client_id] == claims["aud"]`
wip 2020-08-21 09:11:39 +00:00
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
Minor test refactoring 2020-10-30 18:19:34 +00:00			`"/oauth/userinfo",`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`status=200,`
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`)`
unit tests: userinfo 2022-12-24 00:44:16 +00:00			`assert res.json["name"] == "John (johnny) Doe"`