canaille-globuzma/tests/test_authorization_code_flow.py

from . import client_credentials
from authlib.oauth2.rfc7636 import create_s256_code_challenge
from urllib.parse import urlsplit, parse_qs
from oidc_ldap_bridge.models import AuthorizationCode, Token, Consent
from werkzeug.security import gen_salt


def test_authorization_code_flow(testclient, slapd_connection, logged_user, client):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
        ),
    )
    assert 200 == res.status_code

    res = res.forms["accept"].submit()
    assert 302 == res.status_code

    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).query)
    code = params["code"][0]
    authcode = AuthorizationCode.get(code, conn=slapd_connection)
    assert authcode is not None

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="authorization_code",
            code=code,
            scope="profile",
            redirect_uri=client.oauthRedirectURIs[0],
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
    )
    assert 200 == res.status_code
    access_token = res.json["access_token"]

    token = Token.get(access_token, conn=slapd_connection)
    assert token.oauthClient == client.dn
    assert token.oauthSubject == logged_user.dn

    res = testclient.get(
        "/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}
    )
    assert 200 == res.status_code
    assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json


def test_logout_login(testclient, slapd_connection, logged_user, client):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
        ),
    )
    assert 200 == res.status_code

    res = res.forms["logout"].submit()
    assert 302 == res.status_code
    res = res.follow()
    assert 200 == res.status_code

    res.form["login"] = logged_user.name
    res.form["password"] = "wrong password"
    res = res.form.submit()
    assert 200 == res.status_code
    assert b"Login failed, please check your information" in res.body

    res.form["login"] = logged_user.name
    res.form["password"] = "correct horse battery staple"
    res = res.form.submit()
    assert 302 == res.status_code
    res = res.follow()
    assert 302 == res.status_code

    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).query)
    code = params["code"][0]
    authcode = AuthorizationCode.get(code, conn=slapd_connection)
    assert authcode is not None

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="authorization_code",
            code=code,
            scope="profile",
            redirect_uri=client.oauthRedirectURIs[0],
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
    )
    assert 200 == res.status_code
    access_token = res.json["access_token"]

    token = Token.get(access_token, conn=slapd_connection)
    assert token.oauthClient == client.dn
    assert token.oauthSubject == logged_user.dn

    res = testclient.get(
        "/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}
    )
    assert 200 == res.status_code
    assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json


def test_refresh_token(testclient, slapd_connection, logged_user, client):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
        ),
    )
    assert 200 == res.status_code

    res = res.forms["accept"].submit()
    assert 302 == res.status_code

    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).query)
    code = params["code"][0]
    authcode = AuthorizationCode.get(code, conn=slapd_connection)
    assert authcode is not None

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="authorization_code",
            code=code,
            scope="profile",
            redirect_uri=client.oauthRedirectURIs[0],
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
    )
    assert 200 == res.status_code
    access_token = res.json["access_token"]
    old_token = Token.get(access_token, conn=slapd_connection)
    assert old_token is not None
    assert not old_token.oauthRevokationDate

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="refresh_token",
            refresh_token=res.json["refresh_token"],
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
    )
    assert 200 == res.status_code
    access_token = res.json["access_token"]
    new_token = Token.get(access_token, conn=slapd_connection)
    assert new_token is not None
    old_token.reload(slapd_connection)
    assert old_token.oauthRevokationDate

    res = testclient.get(
        "/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}
    )
    assert 200 == res.status_code
    assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json


def test_code_challenge(testclient, slapd_connection, logged_user, client):
    client.oauthTokenEndpointAuthMethod = "none"
    client.save(slapd_connection)

    code_verifier = gen_salt(48)
    code_challenge = create_s256_code_challenge(code_verifier)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            code_challenge=code_challenge,
            code_challenge_method="S256",
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
        ),
    )
    assert 200 == res.status_code

    res = res.forms["accept"].submit()
    assert 302 == res.status_code

    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).query)
    code = params["code"][0]
    authcode = AuthorizationCode.get(code, conn=slapd_connection)
    assert authcode is not None

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="authorization_code",
            code=code,
            scope="profile",
            code_verifier=code_verifier,
            redirect_uri=client.oauthRedirectURIs[0],
            client_id=client.oauthClientID,
        ),
    )
    assert 200 == res.status_code
    access_token = res.json["access_token"]

    token = Token.get(access_token, conn=slapd_connection)
    assert token.oauthClient == client.dn
    assert token.oauthSubject == logged_user.dn

    res = testclient.get(
        "/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}
    )
    assert 200 == res.status_code
    assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json

    client.oauthTokenEndpointAuthMethod = "client_secret_basic"
    client.save(slapd_connection)


def test_authorization_code_flow_when_consent_already_given(
    testclient, slapd_connection, logged_user, client
):
    assert not Consent.filter(conn=slapd_connection)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
        ),
    )
    assert 200 == res.status_code

    res = res.forms["accept"].submit()
    assert 302 == res.status_code

    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).query)
    code = params["code"][0]
    authcode = AuthorizationCode.get(code, conn=slapd_connection)
    assert authcode is not None

    consents = Consent.filter(
        oauthClient=client.dn, oauthSubject=logged_user.dn, conn=slapd_connection
    )
    assert "profile" in consents[0].oauthScope

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="authorization_code",
            code=code,
            scope="profile",
            redirect_uri=client.oauthRedirectURIs[0],
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
    )
    assert 200 == res.status_code
    assert "access_token" in res.json

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
        ),
    )
    assert 302 == res.status_code
    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).query)
    assert "code" in params


def test_prompt_none(testclient, slapd_connection, logged_user, client):
    Consent(
        oauthClient=client.dn,
        oauthSubject=logged_user.dn,
        oauthScope=["openid", "profile"],
    ).save(conn=slapd_connection)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
            prompt="none",
        ),
    )
    assert 302 == res.status_code
    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).query)
    assert "code" in params


def test_prompt_not_logged(testclient, slapd_connection, user, client):
    Consent(
        oauthClient=client.dn,
        oauthSubject=user.dn,
        oauthScope=["openid", "profile"],
    ).save(conn=slapd_connection)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
            prompt="none",
        ),
    )
    assert 200 == res.status_code
    assert "login_required" == res.json.get("error")


def test_prompt_no_consent(testclient, slapd_connection, logged_user, client):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.oauthClientID,
            scope="profile",
            nonce="somenonce",
            prompt="none",
        ),
    )
    assert 200 == res.status_code
    assert "consent_required" == res.json.get("error")
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`from . import client_credentials`
Code challenge unit tests 2020-08-25 13:28:13 +00:00			`from authlib.oauth2.rfc7636 import create_s256_code_challenge`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`from urllib.parse import urlsplit, parse_qs`
Remember consents 2020-09-17 08:00:39 +00:00			`from oidc_ldap_bridge.models import AuthorizationCode, Token, Consent`
Code challenge unit tests 2020-08-25 13:28:13 +00:00			`from werkzeug.security import gen_salt`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00

Implemented refresh grant 2020-08-24 08:52:21 +00:00			`def test_authorization_code_flow(testclient, slapd_connection, logged_user, client):`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert 200 == res.status_code`

Implemented refresh grant 2020-08-24 08:52:21 +00:00			`res = res.forms["accept"].submit()`
			`assert 302 == res.status_code`

			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`code = params["code"][0]`
			`authcode = AuthorizationCode.get(code, conn=slapd_connection)`
			`assert authcode is not None`

			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="authorization_code",`
			`code=code,`
			`scope="profile",`
			`redirect_uri=client.oauthRedirectURIs[0],`
			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`)`
			`assert 200 == res.status_code`
			`access_token = res.json["access_token"]`

			`token = Token.get(access_token, conn=slapd_connection)`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`assert token.oauthClient == client.dn`
User token list view 2020-08-27 08:50:50 +00:00			`assert token.oauthSubject == logged_user.dn`
Implemented refresh grant 2020-08-24 08:52:21 +00:00
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
			`"/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}`
			`)`
Implemented refresh grant 2020-08-24 08:52:21 +00:00			`assert 200 == res.status_code`
Use additional schemas in unit tests 2020-10-20 07:55:05 +00:00			`assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json`
Implemented refresh grant 2020-08-24 08:52:21 +00:00

			`def test_logout_login(testclient, slapd_connection, logged_user, client):`
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert 200 == res.status_code`

			`res = res.forms["logout"].submit()`
			`assert 302 == res.status_code`
			`res = res.follow()`
			`assert 200 == res.status_code`

Better test coverage 2020-08-24 08:54:50 +00:00			`res.form["login"] = logged_user.name`
			`res.form["password"] = "wrong password"`
			`res = res.form.submit()`
			`assert 200 == res.status_code`
			`assert b"Login failed, please check your information" in res.body`

Implemented refresh grant 2020-08-24 08:52:21 +00:00			`res.form["login"] = logged_user.name`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`res.form["password"] = "correct horse battery staple"`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`res = res.form.submit()`
			`assert 302 == res.status_code`
			`res = res.follow()`
			`assert 302 == res.status_code`

			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`code = params["code"][0]`
Admin login 2020-08-19 14:20:57 +00:00			`authcode = AuthorizationCode.get(code, conn=slapd_connection)`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`assert authcode is not None`

			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="authorization_code",`
			`code=code,`
			`scope="profile",`
			`redirect_uri=client.oauthRedirectURIs[0],`
			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`)`
			`assert 200 == res.status_code`
			`access_token = res.json["access_token"]`

Admin login 2020-08-19 14:20:57 +00:00			`token = Token.get(access_token, conn=slapd_connection)`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`assert token.oauthClient == client.dn`
User token list view 2020-08-27 08:50:50 +00:00			`assert token.oauthSubject == logged_user.dn`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
			`"/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}`
			`)`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`assert 200 == res.status_code`
Use additional schemas in unit tests 2020-10-20 07:55:05 +00:00			`assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json`
Implemented refresh grant 2020-08-24 08:52:21 +00:00

			`def test_refresh_token(testclient, slapd_connection, logged_user, client):`
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert 200 == res.status_code`

			`res = res.forms["accept"].submit()`
			`assert 302 == res.status_code`

			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`code = params["code"][0]`
			`authcode = AuthorizationCode.get(code, conn=slapd_connection)`
			`assert authcode is not None`

			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="authorization_code",`
			`code=code,`
			`scope="profile",`
			`redirect_uri=client.oauthRedirectURIs[0],`
			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`)`
			`assert 200 == res.status_code`
			`access_token = res.json["access_token"]`
Unit tests for token revocation 2020-08-25 09:39:06 +00:00			`old_token = Token.get(access_token, conn=slapd_connection)`
			`assert old_token is not None`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`assert not old_token.oauthRevokationDate`
Implemented refresh grant 2020-08-24 08:52:21 +00:00
			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
User token list view 2020-08-27 08:50:50 +00:00			`grant_type="refresh_token",`
			`refresh_token=res.json["refresh_token"],`
Implemented refresh grant 2020-08-24 08:52:21 +00:00			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`)`
			`assert 200 == res.status_code`
			`access_token = res.json["access_token"]`
Unit tests for token revocation 2020-08-25 09:39:06 +00:00			`new_token = Token.get(access_token, conn=slapd_connection)`
			`assert new_token is not None`
			`old_token.reload(slapd_connection)`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`assert old_token.oauthRevokationDate`
Implemented refresh grant 2020-08-24 08:52:21 +00:00
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
			`"/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}`
			`)`
Implemented refresh grant 2020-08-24 08:52:21 +00:00			`assert 200 == res.status_code`
Use additional schemas in unit tests 2020-10-20 07:55:05 +00:00			`assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json`
Code challenge unit tests 2020-08-25 13:28:13 +00:00

			`def test_code_challenge(testclient, slapd_connection, logged_user, client):`
Better code challenge unit tests 2020-08-25 13:51:49 +00:00			`client.oauthTokenEndpointAuthMethod = "none"`
			`client.save(slapd_connection)`

Code challenge unit tests 2020-08-25 13:28:13 +00:00			`code_verifier = gen_salt(48)`
			`code_challenge = create_s256_code_challenge(code_verifier)`

			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`code_challenge=code_challenge,`
			`code_challenge_method="S256",`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert 200 == res.status_code`

			`res = res.forms["accept"].submit()`
			`assert 302 == res.status_code`

			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`code = params["code"][0]`
			`authcode = AuthorizationCode.get(code, conn=slapd_connection)`
			`assert authcode is not None`

			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="authorization_code",`
			`code=code,`
			`scope="profile",`
			`code_verifier=code_verifier,`
			`redirect_uri=client.oauthRedirectURIs[0],`
Better code challenge unit tests 2020-08-25 13:51:49 +00:00			`client_id=client.oauthClientID,`
Code challenge unit tests 2020-08-25 13:28:13 +00:00			`),`
			`)`
			`assert 200 == res.status_code`
			`access_token = res.json["access_token"]`

			`token = Token.get(access_token, conn=slapd_connection)`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`assert token.oauthClient == client.dn`
User token list view 2020-08-27 08:50:50 +00:00			`assert token.oauthSubject == logged_user.dn`
Code challenge unit tests 2020-08-25 13:28:13 +00:00
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
			`"/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}`
			`)`
Code challenge unit tests 2020-08-25 13:28:13 +00:00			`assert 200 == res.status_code`
Use additional schemas in unit tests 2020-10-20 07:55:05 +00:00			`assert {"name": "John Doe", "family_name": "Doe", "sub": "user"} == res.json`
Better code challenge unit tests 2020-08-25 13:51:49 +00:00
			`client.oauthTokenEndpointAuthMethod = "client_secret_basic"`
			`client.save(slapd_connection)`
Remember consents 2020-09-17 08:00:39 +00:00

			`def test_authorization_code_flow_when_consent_already_given(`
			`testclient, slapd_connection, logged_user, client`
			`):`
			`assert not Consent.filter(conn=slapd_connection)`

			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert 200 == res.status_code`

			`res = res.forms["accept"].submit()`
			`assert 302 == res.status_code`

			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`code = params["code"][0]`
			`authcode = AuthorizationCode.get(code, conn=slapd_connection)`
			`assert authcode is not None`

			`consents = Consent.filter(`
			`oauthClient=client.dn, oauthSubject=logged_user.dn, conn=slapd_connection`
			`)`
			`assert "profile" in consents[0].oauthScope`

			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="authorization_code",`
			`code=code,`
			`scope="profile",`
			`redirect_uri=client.oauthRedirectURIs[0],`
			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`)`
			`assert 200 == res.status_code`
			`assert "access_token" in res.json`

			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert 302 == res.status_code`
			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`assert "code" in params`


			`def test_prompt_none(testclient, slapd_connection, logged_user, client):`
			`Consent(`
			`oauthClient=client.dn,`
			`oauthSubject=logged_user.dn,`
			`oauthScope=["openid", "profile"],`
			`).save(conn=slapd_connection)`

			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`prompt="none",`
			`),`
			`)`
			`assert 302 == res.status_code`
			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).query)`
			`assert "code" in params`


			`def test_prompt_not_logged(testclient, slapd_connection, user, client):`
			`Consent(`
			`oauthClient=client.dn,`
			`oauthSubject=user.dn,`
			`oauthScope=["openid", "profile"],`
			`).save(conn=slapd_connection)`

			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`prompt="none",`
			`),`
			`)`
			`assert 200 == res.status_code`
			`assert "login_required" == res.json.get("error")`


			`def test_prompt_no_consent(testclient, slapd_connection, logged_user, client):`
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code",`
			`client_id=client.oauthClientID,`
			`scope="profile",`
			`nonce="somenonce",`
			`prompt="none",`
			`),`
			`)`
			`assert 200 == res.status_code`
			`assert "consent_required" == res.json.get("error")`