canaille-globuzma/tests/oidc/test_dynamic_client_registration_management.py

import warnings
from datetime import datetime

from canaille.app import models


def test_get(testclient, backend, client, user):
    assert not testclient.app.config["CANAILLE_OIDC"].get(
        "DYNAMIC_CLIENT_REGISTRATION_OPEN"
    )
    testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [
        "static-token"
    ]

    headers = {"Authorization": "Bearer static-token"}
    res = testclient.get(
        f"/oauth/register/{client.client_id}", headers=headers, status=200
    )
    assert res.json == {
        "client_id": client.client_id,
        "client_secret": client.client_secret,
        "client_id_issued_at": int(datetime.timestamp(client.client_id_issued_at)),
        "client_secret_expires_at": 0,
        "redirect_uris": [
            "https://mydomain.test/redirect1",
            "https://mydomain.test/redirect2",
        ],
        "registration_access_token": "static-token",
        "registration_client_uri": f"http://canaille.test/oauth/register/{client.client_id}",
        "token_endpoint_auth_method": "client_secret_basic",
        "grant_types": [
            "password",
            "authorization_code",
            "implicit",
            "hybrid",
            "refresh_token",
            "client_credentials",
        ],
        "response_types": ["code", "token", "id_token"],
        "client_name": "Some client",
        "client_uri": "https://mydomain.test",
        "logo_uri": "https://mydomain.test/logo.webp",
        "scope": "openid email profile groups address phone",
        "contacts": ["contact@mydomain.test"],
        "tos_uri": "https://mydomain.test/tos",
        "policy_uri": "https://mydomain.test/policy",
        "jwk": None,
        "jwks_uri": "https://mydomain.test/jwk",
        "software_id": None,
        "software_version": None,
    }


def test_update(testclient, backend, client, user):
    assert not testclient.app.config["CANAILLE_OIDC"].get(
        "DYNAMIC_CLIENT_REGISTRATION_OPEN"
    )
    testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [
        "static-token"
    ]

    assert client.redirect_uris != ["https://newname.example.test/callback"]
    assert client.token_endpoint_auth_method != "none"
    assert client.grant_types != ["refresh_token"]
    assert client.response_types != ["code", "token"]
    assert client.client_name != "new name"
    assert client.client_uri != "https://newname.example.test"
    assert client.logo_uri != "https://newname.example.test/logo.webp"
    assert client.scope != ["openid", "profile", "email"]
    assert client.contacts != ["newcontact@example.test"]
    assert client.tos_uri != "https://newname.example.test/tos"
    assert client.policy_uri != "https://newname.example.test/policy"
    assert client.jwks_uri != "https://newname.example.test/my_public_keys.jwks"
    assert client.software_id != "new_software_id"
    assert client.software_version != "3.14"

    payload = {
        "client_id": client.client_id,
        "redirect_uris": ["https://newname.example.test/callback"],
        "token_endpoint_auth_method": "none",
        "grant_types": ["refresh_token"],
        "response_types": ["code", "token"],
        "client_name": "new name",
        "client_uri": "https://newname.example.test",
        "logo_uri": "https://newname.example.test/logo.webp",
        "scope": "openid profile email",
        "contacts": ["newcontact@example.test"],
        "tos_uri": "https://newname.example.test/tos",
        "policy_uri": "https://newname.example.test/policy",
        "jwks_uri": "https://newname.example.test/my_public_keys.jwks",
        "software_id": "new_software_id",
        "software_version": "3.14",
    }

    headers = {"Authorization": "Bearer static-token"}
    res = testclient.put_json(
        f"/oauth/register/{client.client_id}", payload, headers=headers, status=200
    )
    client = backend.get(models.Client, client_id=res.json["client_id"])

    assert res.json == {
        "client_id": client.client_id,
        "client_secret": client.client_secret,
        "client_id_issued_at": int(datetime.timestamp(client.client_id_issued_at)),
        "client_secret_expires_at": 0,
        "redirect_uris": ["https://newname.example.test/callback"],
        "registration_access_token": "static-token",
        "registration_client_uri": f"http://canaille.test/oauth/register/{client.client_id}",
        "token_endpoint_auth_method": "none",
        "grant_types": ["refresh_token"],
        "response_types": ["code", "token"],
        "client_name": "new name",
        "client_uri": "https://newname.example.test",
        "logo_uri": "https://newname.example.test/logo.webp",
        "scope": "openid profile email",
        "contacts": ["newcontact@example.test"],
        "tos_uri": "https://newname.example.test/tos",
        "policy_uri": "https://newname.example.test/policy",
        "jwk": None,
        "jwks_uri": "https://newname.example.test/my_public_keys.jwks",
        "software_id": "new_software_id",
        "software_version": "3.14",
    }

    assert client.redirect_uris == ["https://newname.example.test/callback"]
    assert client.token_endpoint_auth_method == "none"
    assert client.grant_types == ["refresh_token"]
    assert client.response_types == ["code", "token"]
    assert client.client_name == "new name"
    assert client.client_uri == "https://newname.example.test"
    assert client.logo_uri == "https://newname.example.test/logo.webp"
    assert client.scope == ["openid", "profile", "email"]
    assert client.contacts == ["newcontact@example.test"]
    assert client.tos_uri == "https://newname.example.test/tos"
    assert client.policy_uri == "https://newname.example.test/policy"
    assert client.jwks_uri == "https://newname.example.test/my_public_keys.jwks"
    assert client.software_id == "new_software_id"
    assert client.software_version == "3.14"


def test_delete(testclient, backend, user):
    assert not testclient.app.config["CANAILLE_OIDC"].get(
        "DYNAMIC_CLIENT_REGISTRATION_OPEN"
    )
    testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [
        "static-token"
    ]

    client = models.Client(client_id="foobar", client_name="Some client")
    backend.save(client)

    headers = {"Authorization": "Bearer static-token"}
    with warnings.catch_warnings(record=True):
        testclient.delete(
            f"/oauth/register/{client.client_id}", headers=headers, status=204
        )
    assert not backend.get(models.Client, client_id=client.client_id)


def test_invalid_client(testclient, backend, user):
    assert not testclient.app.config["CANAILLE_OIDC"].get(
        "DYNAMIC_CLIENT_REGISTRATION_OPEN"
    )
    testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [
        "static-token"
    ]

    payload = {
        "client_id": "invalid-client-id",
        "redirect_uris": ["https://newname.example.test/callback"],
    }

    headers = {"Authorization": "Bearer static-token"}
    res = testclient.put_json(
        "/oauth/register/invalid-client-id", payload, headers=headers, status=401
    )
    assert res.json == {"error": "invalid_client"}
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`import warnings`
			`from datetime import datetime`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_get(testclient, backend, client, user):`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`assert not testclient.app.config["CANAILLE_OIDC"].get(`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"DYNAMIC_CLIENT_REGISTRATION_OPEN"`
			`)`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"static-token"`
			`]`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
			`headers = {"Authorization": "Bearer static-token"}`
			`res = testclient.get(`
			`f"/oauth/register/{client.client_id}", headers=headers, status=200`
			`)`
			`assert res.json == {`
			`"client_id": client.client_id,`
			`"client_secret": client.client_secret,`
			`"client_id_issued_at": int(datetime.timestamp(client.client_id_issued_at)),`
fix: OIDC client 'client_secret_expires_at' claim must be 0, not None 2023-11-23 08:15:40 +00:00			`"client_secret_expires_at": 0,`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"redirect_uris": [`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"https://mydomain.test/redirect1",`
			`"https://mydomain.test/redirect2",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`],`
			`"registration_access_token": "static-token",`
tests: use canaille.test domain instead of localhost 2023-12-14 19:07:49 +00:00			`"registration_client_uri": f"http://canaille.test/oauth/register/{client.client_id}",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"token_endpoint_auth_method": "client_secret_basic",`
			`"grant_types": [`
			`"password",`
			`"authorization_code",`
			`"implicit",`
			`"hybrid",`
			`"refresh_token",`
feat: implement OIDC client_credentials flow 2024-12-06 13:43:31 +00:00			`"client_credentials",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`],`
			`"response_types": ["code", "token", "id_token"],`
			`"client_name": "Some client",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"client_uri": "https://mydomain.test",`
			`"logo_uri": "https://mydomain.test/logo.webp",`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`"scope": "openid email profile groups address phone",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"contacts": ["contact@mydomain.test"],`
			`"tos_uri": "https://mydomain.test/tos",`
			`"policy_uri": "https://mydomain.test/policy",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"jwk": None,`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"jwks_uri": "https://mydomain.test/jwk",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"software_id": None,`
			`"software_version": None,`
			`}`


Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_update(testclient, backend, client, user):`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`assert not testclient.app.config["CANAILLE_OIDC"].get(`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"DYNAMIC_CLIENT_REGISTRATION_OPEN"`
			`)`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"static-token"`
			`]`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`assert client.redirect_uris != ["https://newname.example.test/callback"]`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`assert client.token_endpoint_auth_method != "none"`
			`assert client.grant_types != ["refresh_token"]`
			`assert client.response_types != ["code", "token"]`
			`assert client.client_name != "new name"`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`assert client.client_uri != "https://newname.example.test"`
			`assert client.logo_uri != "https://newname.example.test/logo.webp"`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`assert client.scope != ["openid", "profile", "email"]`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`assert client.contacts != ["newcontact@example.test"]`
			`assert client.tos_uri != "https://newname.example.test/tos"`
			`assert client.policy_uri != "https://newname.example.test/policy"`
			`assert client.jwks_uri != "https://newname.example.test/my_public_keys.jwks"`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`assert client.software_id != "new_software_id"`
			`assert client.software_version != "3.14"`

			`payload = {`
			`"client_id": client.client_id,`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"redirect_uris": ["https://newname.example.test/callback"],`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"token_endpoint_auth_method": "none",`
			`"grant_types": ["refresh_token"],`
			`"response_types": ["code", "token"],`
			`"client_name": "new name",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"client_uri": "https://newname.example.test",`
			`"logo_uri": "https://newname.example.test/logo.webp",`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`"scope": "openid profile email",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"contacts": ["newcontact@example.test"],`
			`"tos_uri": "https://newname.example.test/tos",`
			`"policy_uri": "https://newname.example.test/policy",`
			`"jwks_uri": "https://newname.example.test/my_public_keys.jwks",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"software_id": "new_software_id",`
			`"software_version": "3.14",`
			`}`

			`headers = {"Authorization": "Bearer static-token"}`
			`res = testclient.put_json(`
			`f"/oauth/register/{client.client_id}", payload, headers=headers, status=200`
			`)`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`client = backend.get(models.Client, client_id=res.json["client_id"])`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
			`assert res.json == {`
			`"client_id": client.client_id,`
			`"client_secret": client.client_secret,`
			`"client_id_issued_at": int(datetime.timestamp(client.client_id_issued_at)),`
fix: OIDC client 'client_secret_expires_at' claim must be 0, not None 2023-11-23 08:15:40 +00:00			`"client_secret_expires_at": 0,`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"redirect_uris": ["https://newname.example.test/callback"],`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"registration_access_token": "static-token",`
tests: use canaille.test domain instead of localhost 2023-12-14 19:07:49 +00:00			`"registration_client_uri": f"http://canaille.test/oauth/register/{client.client_id}",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"token_endpoint_auth_method": "none",`
			`"grant_types": ["refresh_token"],`
			`"response_types": ["code", "token"],`
			`"client_name": "new name",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"client_uri": "https://newname.example.test",`
			`"logo_uri": "https://newname.example.test/logo.webp",`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`"scope": "openid profile email",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"contacts": ["newcontact@example.test"],`
			`"tos_uri": "https://newname.example.test/tos",`
			`"policy_uri": "https://newname.example.test/policy",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"jwk": None,`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"jwks_uri": "https://newname.example.test/my_public_keys.jwks",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"software_id": "new_software_id",`
			`"software_version": "3.14",`
			`}`

refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`assert client.redirect_uris == ["https://newname.example.test/callback"]`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`assert client.token_endpoint_auth_method == "none"`
			`assert client.grant_types == ["refresh_token"]`
			`assert client.response_types == ["code", "token"]`
			`assert client.client_name == "new name"`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`assert client.client_uri == "https://newname.example.test"`
			`assert client.logo_uri == "https://newname.example.test/logo.webp"`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`assert client.scope == ["openid", "profile", "email"]`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`assert client.contacts == ["newcontact@example.test"]`
			`assert client.tos_uri == "https://newname.example.test/tos"`
			`assert client.policy_uri == "https://newname.example.test/policy"`
			`assert client.jwks_uri == "https://newname.example.test/my_public_keys.jwks"`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`assert client.software_id == "new_software_id"`
			`assert client.software_version == "3.14"`


Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_delete(testclient, backend, user):`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`assert not testclient.app.config["CANAILLE_OIDC"].get(`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"DYNAMIC_CLIENT_REGISTRATION_OPEN"`
			`)`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"static-token"`
			`]`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`client = models.Client(client_id="foobar", client_name="Some client")`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
			`headers = {"Authorization": "Bearer static-token"}`
			`with warnings.catch_warnings(record=True):`
Use ruff linter 2023-05-25 11:37:58 +00:00			`testclient.delete(`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`f"/oauth/register/{client.client_id}", headers=headers, status=204`
			`)`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert not backend.get(models.Client, client_id=client.client_id)`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_invalid_client(testclient, backend, user):`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`assert not testclient.app.config["CANAILLE_OIDC"].get(`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"DYNAMIC_CLIENT_REGISTRATION_OPEN"`
			`)`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE_OIDC"]["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = [`
Correctly read OIDC dynamic registration config entries 2023-04-10 17:28:26 +00:00			`"static-token"`
			`]`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
			`payload = {`
			`"client_id": "invalid-client-id",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`"redirect_uris": ["https://newname.example.test/callback"],`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`}`

			`headers = {"Authorization": "Bearer static-token"}`
			`res = testclient.put_json(`
			`"/oauth/register/invalid-client-id", payload, headers=headers, status=401`
			`)`
			`assert res.json == {"error": "invalid_client"}`