canaille-globuzma/tests/oidc/test_client_admin.py

import datetime

from canaille.oidc.models import AuthorizationCode
from canaille.oidc.models import Client
from canaille.oidc.models import Consent
from canaille.oidc.models import Token


def test_no_logged_no_access(testclient):
    testclient.get("/admin/client", status=403)


def test_no_admin_no_access(testclient, logged_user):
    testclient.get("/admin/client", status=403)


def test_invalid_client_edition(testclient, logged_admin):
    testclient.get("/admin/client/edit/invalid", status=404)


def test_client_list(testclient, client, logged_admin):
    res = testclient.get("/admin/client")
    assert client.client_name in res.text


def test_client_add(testclient, logged_admin):
    res = testclient.get("/admin/client/add")
    data = {
        "client_name": "foobar",
        "contacts": "foo@bar.com",
        "client_uri": "https://foo.bar",
        "redirect_uris": ["https:/foo.bar/callback"],
        "grant_types": ["password", "authorization_code"],
        "scope": "openid profile",
        "response_types": ["code", "token"],
        "token_endpoint_auth_method": "none",
        "logo_uri": "https://foo.bar/logo.png",
        "tos_uri": "https://foo.bar/tos",
        "policy_uri": "https://foo.bar/policy",
        "software_id": "software",
        "software_version": "1",
        "jwk": "jwk",
        "jwks_uri": "https://foo.bar/jwks.json",
        "audience": [],
        "preconsent": False,
        "post_logout_redirect_uris": ["https://foo.bar/disconnected"],
    }
    for k, v in data.items():
        res.form[k].force_value(v)

    res = res.form.submit(status=302, name="action", value="edit")
    res = res.follow(status=200)

    client_id = res.forms["readonly"]["client_id"].value
    client = Client.get(client_id)
    data["audience"] = [client]
    for k, v in data.items():
        client_value = getattr(client, k)
        if k == "scope":
            assert v == " ".join(client_value)
        elif k == "preconsent":
            assert v is False
        elif k == "contacts":
            assert [v] == client_value
        else:
            assert v == client_value
    client.delete()


def test_add_missing_fields(testclient, logged_admin):
    res = testclient.get("/admin/client/add")
    res = res.form.submit(status=200, name="action", value="edit")
    assert "The client has not been added. Please check your information." in res


def test_client_edit(testclient, client, logged_admin, other_client):
    res = testclient.get("/admin/client/edit/" + client.client_id)
    data = {
        "client_name": "foobar",
        "contacts": "foo@bar.com",
        "client_uri": "https://foo.bar",
        "redirect_uris": ["https:/foo.bar/callback"],
        "grant_types": ["password", "authorization_code"],
        "scope": "openid profile",
        "response_types": ["code", "token"],
        "token_endpoint_auth_method": "none",
        "logo_uri": "https://foo.bar/logo.png",
        "tos_uri": "https://foo.bar/tos",
        "policy_uri": "https://foo.bar/policy",
        "software_id": "software",
        "software_version": "1",
        "jwk": "jwk",
        "jwks_uri": "https://foo.bar/jwks.json",
        "audience": [client.dn, other_client.dn],
        "preconsent": True,
        "post_logout_redirect_uris": ["https://foo.bar/disconnected"],
    }
    for k, v in data.items():
        res.forms["clientadd"][k].force_value(v)
    res = res.forms["clientadd"].submit(status=302, name="action", value="edit")

    assert (
        "error",
        "The client has not been edited. Please check your information.",
    ) not in res.flashes
    assert ("success", "The client has been edited.") in res.flashes

    client = Client.get(client.dn)
    data["audience"] = [client, other_client]
    for k, v in data.items():
        client_value = getattr(client, k)
        if k == "scope":
            assert v == " ".join(client_value)
        elif k == "preconsent":
            assert v is True
        elif k == "contacts":
            assert [v] == client_value
        else:
            assert v == client_value


def test_client_edit_missing_fields(testclient, client, logged_admin, other_client):
    res = testclient.get("/admin/client/edit/" + client.client_id)
    res.forms["clientadd"]["client_name"] = ""
    res = res.forms["clientadd"].submit(name="action", value="edit")
    assert "The client has not been edited. Please check your information." in res
    client.reload()
    assert client.client_name


def test_client_delete(testclient, logged_admin):
    client = Client(client_id="client_id")
    client.save()
    token = Token(
        token_id="id", client=client, issue_datetime=datetime.datetime.utcnow()
    )
    token.save()
    consent = Consent(cn="cn", subject=logged_admin, client=client, scope="openid")
    consent.save()
    code = AuthorizationCode(authorization_code_id="id", client=client, subject=client)

    res = testclient.get("/admin/client/edit/" + client.client_id)
    res = res.forms["clientadd"].submit(name="action", value="delete").follow()

    assert not Client.get()
    assert not Token.get()
    assert not AuthorizationCode.get()
    assert not Consent.get()


def test_client_delete_invalid_client(testclient, logged_admin):
    testclient.post("/admin/client/edit/invalid", {"action": "delete"}, status=404)


def test_invalid_request(testclient, logged_admin, client):
    res = testclient.get("/admin/client/edit/" + client.client_id)
    res = res.forms["clientadd"].submit(name="action", value="invalid", status=400)


def test_client_edit_preauth(testclient, client, logged_admin, other_client):
    assert not client.preconsent

    res = testclient.get("/admin/client/edit/" + client.client_id)
    res.forms["clientadd"]["preconsent"] = True
    res = res.forms["clientadd"].submit(name="action", value="edit")

    assert ("success", "The client has been edited.") in res.flashes
    client = Client.get(client.dn)
    assert client.preconsent

    res = testclient.get("/admin/client/edit/" + client.client_id)
    res.forms["clientadd"]["preconsent"] = False
    res = res.forms["clientadd"].submit(name="action", value="edit")

    assert ("success", "The client has been edited.") in res.flashes
    client = Client.get(client.dn)
    assert not client.preconsent
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`import datetime`

			`from canaille.oidc.models import AuthorizationCode`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`from canaille.oidc.models import Client`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`from canaille.oidc.models import Consent`
			`from canaille.oidc.models import Token`
Client unit tests 2020-08-26 13:37:15 +00:00

			`def test_no_logged_no_access(testclient):`
Draft for a 'my accesses' page 2020-08-26 15:23:53 +00:00			`testclient.get("/admin/client", status=403)`
Client unit tests 2020-08-26 13:37:15 +00:00

			`def test_no_admin_no_access(testclient, logged_user):`
Draft for a 'my accesses' page 2020-08-26 15:23:53 +00:00			`testclient.get("/admin/client", status=403)`
Client unit tests 2020-08-26 13:37:15 +00:00

Implemented client pre-authorization 2021-10-20 10:05:08 +00:00			`def test_invalid_client_edition(testclient, logged_admin):`
			`testclient.get("/admin/client/edit/invalid", status=404)`


Client unit tests 2020-08-26 13:37:15 +00:00			`def test_client_list(testclient, client, logged_admin):`
Draft for a 'my accesses' page 2020-08-26 15:23:53 +00:00			`res = testclient.get("/admin/client")`
Variable renaming 2022-10-17 15:49:52 +00:00			`assert client.client_name in res.text`
Client unit tests 2020-08-26 13:37:15 +00:00

Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_client_add(testclient, logged_admin):`
Draft for a 'my accesses' page 2020-08-26 15:23:53 +00:00			`res = testclient.get("/admin/client/add")`
Client unit tests 2020-08-26 13:37:15 +00:00			`data = {`
Variable renaming 2022-10-17 15:49:52 +00:00			`"client_name": "foobar",`
			`"contacts": "foo@bar.com",`
			`"client_uri": "https://foo.bar",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"redirect_uris": ["https:/foo.bar/callback"],`
Variable renaming 2022-10-17 15:49:52 +00:00			`"grant_types": ["password", "authorization_code"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"scope": "openid profile",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"response_types": ["code", "token"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"token_endpoint_auth_method": "none",`
			`"logo_uri": "https://foo.bar/logo.png",`
			`"tos_uri": "https://foo.bar/tos",`
			`"policy_uri": "https://foo.bar/policy",`
			`"software_id": "software",`
			`"software_version": "1",`
			`"jwk": "jwk",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"jwks_uri": "https://foo.bar/jwks.json",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"audience": [],`
			`"preconsent": False,`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`"post_logout_redirect_uris": ["https://foo.bar/disconnected"],`
Client unit tests 2020-08-26 13:37:15 +00:00			`}`
			`for k, v in data.items():`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`res.form[k].force_value(v)`
Client unit tests 2020-08-26 13:37:15 +00:00
Admins can remove clients. Fixes #45 2020-11-23 16:32:40 +00:00			`res = res.form.submit(status=302, name="action", value="edit")`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.follow(status=200)`
Client unit tests 2020-08-26 13:37:15 +00:00
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id = res.forms["readonly"]["client_id"].value`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`client = Client.get(client_id)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`data["audience"] = [client]`
Client unit tests 2020-08-26 13:37:15 +00:00			`for k, v in data.items():`
			`client_value = getattr(client, k)`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if k == "scope":`
Client unit tests 2020-08-26 13:37:15 +00:00			`assert v == " ".join(client_value)`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`elif k == "preconsent":`
Implemented client pre-authorization 2021-10-20 10:05:08 +00:00			`assert v is False`
Variable renaming 2022-10-17 15:49:52 +00:00			`elif k == "contacts":`
			`assert [v] == client_value`
Client unit tests 2020-08-26 13:37:15 +00:00			`else:`
			`assert v == client_value`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`client.delete()`
Client unit tests 2020-08-26 13:37:15 +00:00

unit tests: client admin validation failures 2022-12-14 18:29:59 +00:00			`def test_add_missing_fields(testclient, logged_admin):`
			`res = testclient.get("/admin/client/add")`
			`res = res.form.submit(status=200, name="action", value="edit")`
			`assert "The client has not been added. Please check your information." in res`


Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_client_edit(testclient, client, logged_admin, other_client):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`res = testclient.get("/admin/client/edit/" + client.client_id)`
Client unit tests 2020-08-26 13:37:15 +00:00			`data = {`
Variable renaming 2022-10-17 15:49:52 +00:00			`"client_name": "foobar",`
			`"contacts": "foo@bar.com",`
			`"client_uri": "https://foo.bar",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"redirect_uris": ["https:/foo.bar/callback"],`
Variable renaming 2022-10-17 15:49:52 +00:00			`"grant_types": ["password", "authorization_code"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"scope": "openid profile",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"response_types": ["code", "token"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"token_endpoint_auth_method": "none",`
			`"logo_uri": "https://foo.bar/logo.png",`
			`"tos_uri": "https://foo.bar/tos",`
			`"policy_uri": "https://foo.bar/policy",`
			`"software_id": "software",`
			`"software_version": "1",`
			`"jwk": "jwk",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"jwks_uri": "https://foo.bar/jwks.json",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"audience": [client.dn, other_client.dn],`
			`"preconsent": True,`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`"post_logout_redirect_uris": ["https://foo.bar/disconnected"],`
Client unit tests 2020-08-26 13:37:15 +00:00			`}`
			`for k, v in data.items():`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`res.forms["clientadd"][k].force_value(v)`
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`res = res.forms["clientadd"].submit(status=302, name="action", value="edit")`
Client unit tests 2020-08-26 13:37:15 +00:00
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00			`assert (`
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`"error",`
			`"The client has not been edited. Please check your information.",`
			`) not in res.flashes`
			`assert ("success", "The client has been edited.") in res.flashes`
tokens can have multiple audiences 2021-10-13 09:52:02 +00:00
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`client = Client.get(client.dn)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`data["audience"] = [client, other_client]`
Client unit tests 2020-08-26 13:37:15 +00:00			`for k, v in data.items():`
			`client_value = getattr(client, k)`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if k == "scope":`
Client unit tests 2020-08-26 13:37:15 +00:00			`assert v == " ".join(client_value)`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`elif k == "preconsent":`
Implemented client pre-authorization 2021-10-20 10:05:08 +00:00			`assert v is True`
Variable renaming 2022-10-17 15:49:52 +00:00			`elif k == "contacts":`
			`assert [v] == client_value`
Client unit tests 2020-08-26 13:37:15 +00:00			`else:`
			`assert v == client_value`
Admins can remove clients. Fixes #45 2020-11-23 16:32:40 +00:00
Fixed client preconsent disabling 2022-11-16 16:36:16 +00:00
unit tests: client admin validation failures 2022-12-14 18:29:59 +00:00			`def test_client_edit_missing_fields(testclient, client, logged_admin, other_client):`
			`res = testclient.get("/admin/client/edit/" + client.client_id)`
			`res.forms["clientadd"]["client_name"] = ""`
			`res = res.forms["clientadd"].submit(name="action", value="edit")`
			`assert "The client has not been edited. Please check your information." in res`
			`client.reload()`
			`assert client.client_name`


unit tests: client admin deletion 2022-12-13 18:14:25 +00:00			`def test_client_delete(testclient, logged_admin):`
			`client = Client(client_id="client_id")`
			`client.save()`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`token = Token(`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`token_id="id", client=client, issue_datetime=datetime.datetime.utcnow()`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`)`
			`token.save()`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`consent = Consent(cn="cn", subject=logged_admin, client=client, scope="openid")`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`consent.save()`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`code = AuthorizationCode(authorization_code_id="id", client=client, subject=client)`
unit tests: client admin deletion 2022-12-13 18:14:25 +00:00
			`res = testclient.get("/admin/client/edit/" + client.client_id)`
			`res = res.forms["clientadd"].submit(name="action", value="delete").follow()`

Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`assert not Client.get()`
			`assert not Token.get()`
			`assert not AuthorizationCode.get()`
			`assert not Consent.get()`

unit tests: invalid client admin deletion 2022-12-14 20:03:35 +00:00
			`def test_client_delete_invalid_client(testclient, logged_admin):`
			`testclient.post("/admin/client/edit/invalid", {"action": "delete"}, status=404)`
unit tests: client admin deletion 2022-12-13 18:14:25 +00:00

unit tests: client admin invalid request 2022-12-13 18:15:54 +00:00			`def test_invalid_request(testclient, logged_admin, client):`
			`res = testclient.get("/admin/client/edit/" + client.client_id)`
			`res = res.forms["clientadd"].submit(name="action", value="invalid", status=400)`


Fixed client preconsent disabling 2022-11-16 16:36:16 +00:00			`def test_client_edit_preauth(testclient, client, logged_admin, other_client):`
			`assert not client.preconsent`

			`res = testclient.get("/admin/client/edit/" + client.client_id)`
			`res.forms["clientadd"]["preconsent"] = True`
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`res = res.forms["clientadd"].submit(name="action", value="edit")`
Fixed client preconsent disabling 2022-11-16 16:36:16 +00:00
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`assert ("success", "The client has been edited.") in res.flashes`
Fixed client preconsent disabling 2022-11-16 16:36:16 +00:00			`client = Client.get(client.dn)`
			`assert client.preconsent`

			`res = testclient.get("/admin/client/edit/" + client.client_id)`
			`res.forms["clientadd"]["preconsent"] = False`
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`res = res.forms["clientadd"].submit(name="action", value="edit")`
Fixed client preconsent disabling 2022-11-16 16:36:16 +00:00
Checks flask flashed messages with flask_webtest Response.flashes 2023-01-28 18:02:00 +00:00			`assert ("success", "The client has been edited.") in res.flashes`
Fixed client preconsent disabling 2022-11-16 16:36:16 +00:00			`client = Client.get(client.dn)`
			`assert not client.preconsent`