canaille-globuzma/tests/oidc/conftest.py

import datetime
import os
import uuid

import pytest
from authlib.oidc.core.grants.util import generate_id_token
from canaille.app import models
from canaille.oidc.installation import generate_keypair
from canaille.oidc.oauth import generate_user_info
from canaille.oidc.oauth import get_jwt_config
from werkzeug.security import gen_salt


@pytest.fixture
# For some reason all the params from the overriden fixture must be present here
# https://github.com/pytest-dev/pytest/issues/11075
def app(app, configuration, backend):
    os.environ["AUTHLIB_INSECURE_TRANSPORT"] = "true"
    yield app


@pytest.fixture(scope="session")
def keypair():
    return generate_keypair()


@pytest.fixture
def configuration(configuration, keypair):
    private_key, public_key = keypair
    conf = {
        **configuration,
        "OIDC": {
            "JWT": {
                "PUBLIC_KEY": public_key,
                "PRIVATE_KEY": private_key,
                "ISS": "https://auth.mydomain.tld",
            }
        },
    }
    return conf


@pytest.fixture
def client(testclient, other_client, backend):
    c = models.Client(
        client_id=gen_salt(24),
        client_name="Some client",
        contacts="contact@mydomain.tld",
        client_uri="https://mydomain.tld",
        redirect_uris=[
            "https://mydomain.tld/redirect1",
            "https://mydomain.tld/redirect2",
        ],
        logo_uri="https://mydomain.tld/logo.png",
        client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),
        client_secret=gen_salt(48),
        grant_types=[
            "password",
            "authorization_code",
            "implicit",
            "hybrid",
            "refresh_token",
        ],
        response_types=["code", "token", "id_token"],
        scope=["openid", "email", "profile", "groups", "address", "phone"],
        tos_uri="https://mydomain.tld/tos",
        policy_uri="https://mydomain.tld/policy",
        jwks_uri="https://mydomain.tld/jwk",
        token_endpoint_auth_method="client_secret_basic",
        post_logout_redirect_uris=["https://mydomain.tld/disconnected"],
    )
    c.audience = [c, other_client]
    c.save()

    yield c
    c.delete()


@pytest.fixture
def other_client(testclient, backend):
    c = models.Client(
        client_id=gen_salt(24),
        client_name="Some other client",
        contacts="contact@myotherdomain.tld",
        client_uri="https://myotherdomain.tld",
        redirect_uris=[
            "https://myotherdomain.tld/redirect1",
            "https://myotherdomain.tld/redirect2",
        ],
        logo_uri="https://myotherdomain.tld/logo.png",
        client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),
        client_secret=gen_salt(48),
        grant_types=[
            "password",
            "authorization_code",
            "implicit",
            "hybrid",
            "refresh_token",
        ],
        response_types=["code", "token", "id_token"],
        scope=["openid", "profile", "groups"],
        tos_uri="https://myotherdomain.tld/tos",
        policy_uri="https://myotherdomain.tld/policy",
        jwks_uri="https://myotherdomain.tld/jwk",
        token_endpoint_auth_method="client_secret_basic",
        post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"],
    )
    c.audience = [c]
    c.save()

    yield c
    c.delete()


@pytest.fixture
def authorization(testclient, user, client, backend):
    a = models.AuthorizationCode(
        authorization_code_id=gen_salt(48),
        code="my-code",
        client=client,
        subject=user,
        redirect_uri="https://foo.bar/callback",
        response_type="code",
        scope=["openid", "profile"],
        nonce="nonce",
        issue_date=datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc),
        lifetime=3600,
        challenge="challenge",
        challenge_method="method",
    )
    a.save()
    yield a
    a.delete()


@pytest.fixture
def token(testclient, client, user, backend):
    t = models.Token(
        token_id=gen_salt(48),
        access_token=gen_salt(48),
        audience=[client],
        client=client,
        subject=user,
        token_type=None,
        refresh_token=gen_salt(48),
        scope=["openid", "profile"],
        issue_date=datetime.datetime.now(datetime.timezone.utc),
        lifetime=3600,
    )
    t.save()
    yield t
    t.delete()


@pytest.fixture
def id_token(testclient, client, user, backend):
    return generate_id_token(
        {},
        generate_user_info(user, client.scope),
        aud=client.client_id,
        **get_jwt_config(None)
    )


@pytest.fixture
def consent(testclient, client, user, backend):
    t = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=user,
        scope=["openid", "profile"],
        issue_date=datetime.datetime.now(datetime.timezone.utc),
    )
    t.save()
    yield t
    t.delete()
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`import datetime`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`import os`
Explicitely set Consent cn 2023-01-23 17:55:27 +00:00			`import uuid`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
			`import pytest`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`from authlib.oidc.core.grants.util import generate_id_token`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
Refactored keypair management 2023-07-01 16:46:11 +00:00			`from canaille.oidc.installation import generate_keypair`
Refactoring: file renaming 2022-10-06 11:32:41 +00:00			`from canaille.oidc.oauth import generate_user_info`
			`from canaille.oidc.oauth import get_jwt_config`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`from werkzeug.security import gen_salt`


refactoring: moved the authlib related test configuration in the oidc module 2022-12-29 01:06:54 +00:00			`@pytest.fixture`
backend fixture is parametrizable 2023-06-03 17:47:05 +00:00			`# For some reason all the params from the overriden fixture must be present here`
			`# https://github.com/pytest-dev/pytest/issues/11075`
			`def app(app, configuration, backend):`
refactoring: moved the authlib related test configuration in the oidc module 2022-12-29 01:06:54 +00:00			`os.environ["AUTHLIB_INSECURE_TRANSPORT"] = "true"`
			`yield app`


Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`@pytest.fixture(scope="session")`
			`def keypair():`
Refactored keypair management 2023-07-01 16:46:11 +00:00			`return generate_keypair()`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00

			`@pytest.fixture`
Refactored keypair management 2023-07-01 16:46:11 +00:00			`def configuration(configuration, keypair):`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`private_key, public_key = keypair`
			`conf = {`
			`**configuration,`
Creates a OIDC configuration section for all the OIDC related entries 2023-04-10 14:24:43 +00:00			`"OIDC": {`
			`"JWT": {`
Refactored keypair management 2023-07-01 16:46:11 +00:00			`"PUBLIC_KEY": public_key,`
			`"PRIVATE_KEY": private_key,`
Creates a OIDC configuration section for all the OIDC related entries 2023-04-10 14:24:43 +00:00			`"ISS": "https://auth.mydomain.tld",`
			`}`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`},`
			`}`
			`return conf`


split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def client(testclient, other_client, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`c = models.Client(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=gen_salt(24),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_name="Some client",`
			`contacts="contact@mydomain.tld",`
			`client_uri="https://mydomain.tld",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uris=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"https://mydomain.tld/redirect1",`
			`"https://mydomain.tld/redirect2",`
			`],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`logo_uri="https://mydomain.tld/logo.png",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_secret=gen_salt(48),`
			`grant_types=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"password",`
			`"authorization_code",`
			`"implicit",`
			`"hybrid",`
			`"refresh_token",`
			`],`
Variable renaming 2022-10-17 15:49:52 +00:00			`response_types=["code", "token", "id_token"],`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`scope=["openid", "email", "profile", "groups", "address", "phone"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`tos_uri="https://mydomain.tld/tos",`
			`policy_uri="https://mydomain.tld/policy",`
Variable renaming 2022-10-17 15:49:52 +00:00			`jwks_uri="https://mydomain.tld/jwk",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_endpoint_auth_method="client_secret_basic",`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`post_logout_redirect_uris=["https://mydomain.tld/disconnected"],`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`c.audience = [c, other_client]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`c.save()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield c`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`c.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def other_client(testclient, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`c = models.Client(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=gen_salt(24),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_name="Some other client",`
			`contacts="contact@myotherdomain.tld",`
			`client_uri="https://myotherdomain.tld",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uris=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"https://myotherdomain.tld/redirect1",`
			`"https://myotherdomain.tld/redirect2",`
			`],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`logo_uri="https://myotherdomain.tld/logo.png",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_secret=gen_salt(48),`
			`grant_types=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"password",`
			`"authorization_code",`
			`"implicit",`
			`"hybrid",`
			`"refresh_token",`
			`],`
Variable renaming 2022-10-17 15:49:52 +00:00			`response_types=["code", "token", "id_token"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`scope=["openid", "profile", "groups"],`
			`tos_uri="https://myotherdomain.tld/tos",`
			`policy_uri="https://myotherdomain.tld/policy",`
Variable renaming 2022-10-17 15:49:52 +00:00			`jwks_uri="https://myotherdomain.tld/jwk",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_endpoint_auth_method="client_secret_basic",`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"],`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`c.audience = [c]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`c.save()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield c`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`c.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def authorization(testclient, user, client, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`a = models.AuthorizationCode(`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`authorization_code_id=gen_salt(48),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`code="my-code",`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uri="https://foo.bar/callback",`
			`response_type="code",`
tests: use lists of strings for Token.scope and AuthorizationCode.scope 2023-11-23 21:07:42 +00:00			`scope=["openid", "profile"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`nonce="nonce",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc),`
OIDC lifetimes are not casted to string anymore 2023-05-17 07:29:32 +00:00			`lifetime=3600,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`challenge="challenge",`
			`challenge_method="method",`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`a.save()`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield a`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`a.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def token(testclient, client, user, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`t = models.Token(`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`token_id=gen_salt(48),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`access_token=gen_salt(48),`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`audience=[client],`
			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_type=None,`
			`refresh_token=gen_salt(48),`
tests: use lists of strings for Token.scope and AuthorizationCode.scope 2023-11-23 21:07:42 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime.now(datetime.timezone.utc),`
OIDC lifetimes are not casted to string anymore 2023-05-17 07:29:32 +00:00			`lifetime=3600,`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`t.save()`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield t`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`t.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def id_token(testclient, client, user, backend):`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`return generate_id_token(`
			`{},`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`generate_user_info(user, client.scope),`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`aud=client.client_id,`
			`**get_jwt_config(None)`
			`)`


split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def consent(testclient, client, user, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`t = models.Consent(`
Use generic Consent.consent_id instead of LDAP Consent.cn attribute 2023-05-17 06:54:13 +00:00			`consent_id=str(uuid.uuid4()),`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime.now(datetime.timezone.utc),`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`t.save()`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield t`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`t.delete()`