canaille-globuzma/tests/test_hybrid_flow.py

from authlib.jose import jwt
from urllib.parse import urlsplit, parse_qs
from web.models import AuthorizationCode, Token


def test_oauth_hybrid(testclient, slapd_connection, user, client):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code token",
            client_id=client.oauthClientID,
            scope="openid profile",
            nonce="somenonce",
        ),
    )
    assert (200, "text/html") == (res.status_code, res.content_type), res.json

    res.form["login"] = user.name
    res.form["password"] = "correct horse battery staple"
    res = res.form.submit()
    assert 302 == res.status_code

    res = res.follow()
    assert (200, "text/html") == (res.status_code, res.content_type), res.json

    res = res.forms["accept"].submit()
    assert 302 == res.status_code

    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).fragment)

    code = params["code"][0]
    authcode = AuthorizationCode.get(code, conn=slapd_connection)
    assert authcode is not None

    access_token = params["access_token"][0]
    token = Token.get(access_token, conn=slapd_connection)
    assert token is not None

    res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})
    assert 200 == res.status_code
    assert {"foo": "bar"} == res.json


def test_oidc_hybrid(testclient, slapd_connection, user, client):
    with testclient.session_transaction() as sess:
        sess["user_dn"] = user.dn

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code id_token token",
            client_id=client.oauthClientID,
            scope="openid profile",
            nonce="somenonce",
        ),
    )
    assert (200, "text/html") == (res.status_code, res.content_type), res.json

    res = res.forms["accept"].submit()
    assert 302 == res.status_code

    assert res.location.startswith(client.oauthRedirectURIs[0])
    params = parse_qs(urlsplit(res.location).fragment)

    code = params["code"][0]
    authcode = AuthorizationCode.get(code, conn=slapd_connection)
    assert authcode is not None

    access_token = params["access_token"][0]
    token = Token.get(access_token, conn=slapd_connection)
    assert token is not None

    id_token = params["id_token"][0]
#    claims = jwt.decode(id_token, None)

    res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})
    assert 200 == res.status_code
    assert {"foo": "bar"} == res.json
wip 2020-08-21 09:11:39 +00:00			`from authlib.jose import jwt`
wip 2020-08-20 14:02:14 +00:00			`from urllib.parse import urlsplit, parse_qs`
			`from web.models import AuthorizationCode, Token`


wip 2020-08-21 09:11:39 +00:00			`def test_oauth_hybrid(testclient, slapd_connection, user, client):`
wip 2020-08-20 14:02:14 +00:00			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`response_type="code token",`
wip 2020-08-20 14:02:14 +00:00			`client_id=client.oauthClientID,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert (200, "text/html") == (res.status_code, res.content_type), res.json`

			`res.form["login"] = user.name`
			`res.form["password"] = "correct horse battery staple"`
			`res = res.form.submit()`
			`assert 302 == res.status_code`

			`res = res.follow()`
			`assert (200, "text/html") == (res.status_code, res.content_type), res.json`

			`res = res.forms["accept"].submit()`
			`assert 302 == res.status_code`

			`assert res.location.startswith(client.oauthRedirectURIs[0])`
Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`params = parse_qs(urlsplit(res.location).fragment)`

wip 2020-08-20 14:02:14 +00:00			`code = params["code"][0]`
			`authcode = AuthorizationCode.get(code, conn=slapd_connection)`
			`assert authcode is not None`

Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`access_token = params["access_token"][0]`
wip 2020-08-20 14:02:14 +00:00			`token = Token.get(access_token, conn=slapd_connection)`
			`assert token is not None`

			`res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})`
			`assert 200 == res.status_code`
			`assert {"foo": "bar"} == res.json`
wip 2020-08-21 09:11:39 +00:00

			`def test_oidc_hybrid(testclient, slapd_connection, user, client):`
			`with testclient.session_transaction() as sess:`
			`sess["user_dn"] = user.dn`

			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="code id_token token",`
			`client_id=client.oauthClientID,`
			`scope="openid profile",`
			`nonce="somenonce",`
			`),`
			`)`
			`assert (200, "text/html") == (res.status_code, res.content_type), res.json`

			`res = res.forms["accept"].submit()`
			`assert 302 == res.status_code`

			`assert res.location.startswith(client.oauthRedirectURIs[0])`
			`params = parse_qs(urlsplit(res.location).fragment)`

			`code = params["code"][0]`
			`authcode = AuthorizationCode.get(code, conn=slapd_connection)`
			`assert authcode is not None`

			`access_token = params["access_token"][0]`
			`token = Token.get(access_token, conn=slapd_connection)`
			`assert token is not None`

			`id_token = params["id_token"][0]`
			`# claims = jwt.decode(id_token, None)`

			`res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})`
			`assert 200 == res.status_code`
			`assert {"foo": "bar"} == res.json`