canaille-globuzma/tests/oidc/conftest.py

import datetime
import os
import uuid

import pytest
from authlib.oidc.core.grants.util import generate_id_token
from werkzeug.security import gen_salt

from canaille.app import models
from canaille.oidc.installation import generate_keypair
from canaille.oidc.oauth import generate_user_info
from canaille.oidc.oauth import get_jwt_config


@pytest.fixture
# For some reason all the params from the overridden fixture must be present here
# https://github.com/pytest-dev/pytest/issues/11075
def app(app, configuration, backend):
    os.environ["AUTHLIB_INSECURE_TRANSPORT"] = "true"
    yield app


@pytest.fixture(scope="session")
def keypair():
    return generate_keypair()


@pytest.fixture
def configuration(configuration, keypair):
    private_key, public_key = keypair
    configuration["CANAILLE_OIDC"] = {
        "JWT": {
            "PUBLIC_KEY": public_key,
            "PRIVATE_KEY": private_key,
            "ISS": "https://auth.mydomain.tld",
        }
    }
    return configuration


@pytest.fixture
def client(testclient, trusted_client, backend):
    c = models.Client(
        client_id=gen_salt(24),
        client_name="Some client",
        contacts=["contact@mydomain.tld"],
        client_uri="https://mydomain.tld",
        redirect_uris=[
            "https://mydomain.tld/redirect1",
            "https://mydomain.tld/redirect2",
        ],
        logo_uri="https://mydomain.tld/logo.webp",
        client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),
        client_secret=gen_salt(48),
        grant_types=[
            "password",
            "authorization_code",
            "implicit",
            "hybrid",
            "refresh_token",
        ],
        response_types=["code", "token", "id_token"],
        scope=["openid", "email", "profile", "groups", "address", "phone"],
        tos_uri="https://mydomain.tld/tos",
        policy_uri="https://mydomain.tld/policy",
        jwks_uri="https://mydomain.tld/jwk",
        token_endpoint_auth_method="client_secret_basic",
        post_logout_redirect_uris=["https://mydomain.tld/disconnected"],
    )
    backend.save(c)
    c.audience = [c, trusted_client]
    backend.save(c)

    yield c
    backend.delete(c)


@pytest.fixture
def trusted_client(testclient, backend):
    c = models.Client(
        client_id=gen_salt(24),
        client_name="Some other client",
        contacts=["contact@myotherdomain.tld"],
        client_uri="https://myotherdomain.tld",
        redirect_uris=[
            "https://myotherdomain.tld/redirect1",
            "https://myotherdomain.tld/redirect2",
        ],
        logo_uri="https://myotherdomain.tld/logo.webp",
        client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),
        client_secret=gen_salt(48),
        grant_types=[
            "password",
            "authorization_code",
            "implicit",
            "hybrid",
            "refresh_token",
        ],
        response_types=["code", "token", "id_token"],
        scope=["openid", "profile", "groups"],
        tos_uri="https://myotherdomain.tld/tos",
        policy_uri="https://myotherdomain.tld/policy",
        jwks_uri="https://myotherdomain.tld/jwk",
        token_endpoint_auth_method="client_secret_basic",
        post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"],
        preconsent=True,
    )
    backend.save(c)
    c.audience = [c]
    backend.save(c)

    yield c
    backend.delete(c)


@pytest.fixture
def authorization(testclient, user, client, backend):
    a = models.AuthorizationCode(
        authorization_code_id=gen_salt(48),
        code="my-code",
        client=client,
        subject=user,
        redirect_uri="https://foo.bar/callback",
        response_type="code",
        scope=["openid", "profile"],
        nonce="nonce",
        issue_date=datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc),
        lifetime=3600,
        challenge="challenge",
        challenge_method="method",
    )
    backend.save(a)
    yield a
    backend.delete(a)


@pytest.fixture
def token(testclient, client, user, backend):
    t = models.Token(
        token_id=gen_salt(48),
        access_token=gen_salt(48),
        audience=[client],
        client=client,
        subject=user,
        refresh_token=gen_salt(48),
        scope=["openid", "profile"],
        issue_date=datetime.datetime.now(datetime.timezone.utc),
        lifetime=3600,
    )
    backend.save(t)
    yield t
    backend.delete(t)


@pytest.fixture
def id_token(testclient, client, user, backend):
    return generate_id_token(
        {},
        generate_user_info(user, client.scope),
        aud=client.client_id,
        **get_jwt_config(None),
    )


@pytest.fixture
def consent(testclient, client, user, backend):
    t = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=user,
        scope=["openid", "profile"],
        issue_date=datetime.datetime.now(datetime.timezone.utc),
    )
    backend.save(t)
    yield t
    backend.delete(t)
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`import datetime`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`import os`
Explicitely set Consent cn 2023-01-23 17:55:27 +00:00			`import uuid`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
			`import pytest`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`from authlib.oidc.core.grants.util import generate_id_token`
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00			`from werkzeug.security import gen_salt`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
Refactored keypair management 2023-07-01 16:46:11 +00:00			`from canaille.oidc.installation import generate_keypair`
Refactoring: file renaming 2022-10-06 11:32:41 +00:00			`from canaille.oidc.oauth import generate_user_info`
			`from canaille.oidc.oauth import get_jwt_config`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

refactoring: moved the authlib related test configuration in the oidc module 2022-12-29 01:06:54 +00:00			`@pytest.fixture`
chore: automitaclly fix typos 2024-09-11 07:33:42 +00:00			`# For some reason all the params from the overridden fixture must be present here`
backend fixture is parametrizable 2023-06-03 17:47:05 +00:00			`# https://github.com/pytest-dev/pytest/issues/11075`
			`def app(app, configuration, backend):`
refactoring: moved the authlib related test configuration in the oidc module 2022-12-29 01:06:54 +00:00			`os.environ["AUTHLIB_INSECURE_TRANSPORT"] = "true"`
			`yield app`


Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`@pytest.fixture(scope="session")`
			`def keypair():`
Refactored keypair management 2023-07-01 16:46:11 +00:00			`return generate_keypair()`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00

			`@pytest.fixture`
Refactored keypair management 2023-07-01 16:46:11 +00:00			`def configuration(configuration, keypair):`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`private_key, public_key = keypair`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`configuration["CANAILLE_OIDC"] = {`
			`"JWT": {`
			`"PUBLIC_KEY": public_key,`
			`"PRIVATE_KEY": private_key,`
			`"ISS": "https://auth.mydomain.tld",`
			`}`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`}`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`return configuration`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00

split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`@pytest.fixture`
tests: renamed other_client fixture in trusted_client 2023-12-23 16:23:19 +00:00			`def client(testclient, trusted_client, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`c = models.Client(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=gen_salt(24),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_name="Some client",`
tests: backport tests from sqlachemy branch 2023-11-24 11:10:17 +00:00			`contacts=["contact@mydomain.tld"],`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_uri="https://mydomain.tld",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uris=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"https://mydomain.tld/redirect1",`
			`"https://mydomain.tld/redirect2",`
			`],`
feat: convert the png in webp 2023-12-01 21:09:54 +00:00			`logo_uri="https://mydomain.tld/logo.webp",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_secret=gen_salt(48),`
			`grant_types=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"password",`
			`"authorization_code",`
			`"implicit",`
			`"hybrid",`
			`"refresh_token",`
			`],`
Variable renaming 2022-10-17 15:49:52 +00:00			`response_types=["code", "token", "id_token"],`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`scope=["openid", "email", "profile", "groups", "address", "phone"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`tos_uri="https://mydomain.tld/tos",`
			`policy_uri="https://mydomain.tld/policy",`
Variable renaming 2022-10-17 15:49:52 +00:00			`jwks_uri="https://mydomain.tld/jwk",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_endpoint_auth_method="client_secret_basic",`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`post_logout_redirect_uris=["https://mydomain.tld/disconnected"],`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(c)`
tests: renamed other_client fixture in trusted_client 2023-12-23 16:23:19 +00:00			`c.audience = [c, trusted_client]`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(c)`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield c`
refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(c)`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
tests: renamed other_client fixture in trusted_client 2023-12-23 16:23:19 +00:00			`def trusted_client(testclient, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`c = models.Client(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=gen_salt(24),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_name="Some other client",`
tests: backport tests from sqlachemy branch 2023-11-24 11:10:17 +00:00			`contacts=["contact@myotherdomain.tld"],`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_uri="https://myotherdomain.tld",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uris=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"https://myotherdomain.tld/redirect1",`
			`"https://myotherdomain.tld/redirect2",`
			`],`
feat: convert the png in webp 2023-12-01 21:09:54 +00:00			`logo_uri="https://myotherdomain.tld/logo.webp",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_secret=gen_salt(48),`
			`grant_types=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"password",`
			`"authorization_code",`
			`"implicit",`
			`"hybrid",`
			`"refresh_token",`
			`],`
Variable renaming 2022-10-17 15:49:52 +00:00			`response_types=["code", "token", "id_token"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`scope=["openid", "profile", "groups"],`
			`tos_uri="https://myotherdomain.tld/tos",`
			`policy_uri="https://myotherdomain.tld/policy",`
Variable renaming 2022-10-17 15:49:52 +00:00			`jwks_uri="https://myotherdomain.tld/jwk",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_endpoint_auth_method="client_secret_basic",`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"],`
tests: renamed other_client fixture in trusted_client 2023-12-23 16:23:19 +00:00			`preconsent=True,`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(c)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`c.audience = [c]`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(c)`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield c`
refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(c)`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def authorization(testclient, user, client, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`a = models.AuthorizationCode(`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`authorization_code_id=gen_salt(48),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`code="my-code",`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uri="https://foo.bar/callback",`
			`response_type="code",`
tests: use lists of strings for Token.scope and AuthorizationCode.scope 2023-11-23 21:07:42 +00:00			`scope=["openid", "profile"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`nonce="nonce",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc),`
OIDC lifetimes are not casted to string anymore 2023-05-17 07:29:32 +00:00			`lifetime=3600,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`challenge="challenge",`
			`challenge_method="method",`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(a)`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield a`
refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(a)`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def token(testclient, client, user, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`t = models.Token(`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`token_id=gen_salt(48),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`access_token=gen_salt(48),`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`audience=[client],`
			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`refresh_token=gen_salt(48),`
tests: use lists of strings for Token.scope and AuthorizationCode.scope 2023-11-23 21:07:42 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime.now(datetime.timezone.utc),`
OIDC lifetimes are not casted to string anymore 2023-05-17 07:29:32 +00:00			`lifetime=3600,`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(t)`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield t`
refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(t)`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def id_token(testclient, client, user, backend):`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`return generate_id_token(`
			`{},`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`generate_user_info(user, client.scope),`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`aud=client.client_id,`
chore: pre-commit update 2023-12-26 00:13:11 +00:00			`**get_jwt_config(None),`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`)`


split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`@pytest.fixture`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def consent(testclient, client, user, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`t = models.Consent(`
Use generic Consent.consent_id instead of LDAP Consent.cn attribute 2023-05-17 06:54:13 +00:00			`consent_id=str(uuid.uuid4()),`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime.now(datetime.timezone.utc),`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(t)`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield t`
refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(t)`