canaille-globuzma/tests/oidc/test_password_flow.py

from canaille.app import models

from . import client_credentials


def test_password_flow_basic(testclient, user, client, backend):
    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="password",
            username="user",
            password="correct horse battery staple",
            scope="openid profile groups",
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=200,
    )

    assert res.json["scope"] == "openid profile groups"
    assert res.json["token_type"] == "Bearer"
    access_token = res.json["access_token"]

    token = backend.get(models.Token, access_token=access_token)
    assert token is not None

    res = testclient.get(
        "/oauth/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
        status=200,
    )
    assert res.json["name"] == "John (johnny) Doe"


def test_password_flow_post(testclient, user, client, backend):
    client.token_endpoint_auth_method = "client_secret_post"
    backend.save(client)

    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="password",
            username="user",
            password="correct horse battery staple",
            scope="openid profile groups",
            client_id=client.client_id,
            client_secret=client.client_secret,
        ),
        status=200,
    )

    assert res.json["scope"] == "openid profile groups"
    assert res.json["token_type"] == "Bearer"
    access_token = res.json["access_token"]

    token = backend.get(models.Token, access_token=access_token)
    assert token is not None

    res = testclient.get(
        "/oauth/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
        status=200,
    )
    assert res.json["name"] == "John (johnny) Doe"


def test_invalid_user(testclient, user, client):
    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="password",
            username="invalid",
            password="invalid",
            scope="openid profile groups",
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=400,
    )

    assert res.json == {
        "error": "invalid_request",
        "error_description": 'Invalid "username" or "password" in request.',
    }


def test_invalid_credentials(testclient, user, client):
    res = testclient.post(
        "/oauth/token",
        params=dict(
            grant_type="password",
            username="user",
            password="invalid",
            scope="openid profile groups",
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
        status=400,
    )

    assert res.json == {
        "error": "invalid_request",
        "error_description": 'Invalid "username" or "password" in request.',
    }
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
Password flow unit test 2020-08-19 07:09:22 +00:00
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from . import client_credentials`

Password flow unit test 2020-08-19 07:09:22 +00:00
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`def test_password_flow_basic(testclient, user, client, backend):`
Password flow unit test 2020-08-19 07:09:22 +00:00			`res = testclient.post(`
			`"/oauth/token",`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`params=dict(`
Password flow unit test 2020-08-19 07:09:22 +00:00			`grant_type="password",`
unit tests: only use user_name to authenticate users 2023-05-11 13:33:34 +00:00			`username="user",`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`password="correct horse battery staple",`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`scope="openid profile groups",`
Password flow unit test 2020-08-19 07:09:22 +00:00			`),`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
Minor test refactoring 2020-10-30 18:19:34 +00:00			`status=200,`
Password flow unit test 2020-08-19 07:09:22 +00:00			`)`

Add groups claim and scope 2021-06-03 15:24:36 +00:00			`assert res.json["scope"] == "openid profile groups"`
Password flow unit test 2020-08-19 07:09:22 +00:00			`assert res.json["token_type"] == "Bearer"`
			`access_token = res.json["access_token"]`

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`token = backend.get(models.Token, access_token=access_token)`
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`assert token is not None`

Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
Minor test refactoring 2020-10-30 18:19:34 +00:00			`"/oauth/userinfo",`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`status=200,`
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`)`
unit tests: userinfo 2022-12-24 00:44:16 +00:00			`assert res.json["name"] == "John (johnny) Doe"`
password flow: allow other token endpoint authentication methods 2021-11-21 12:23:08 +00:00

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`def test_password_flow_post(testclient, user, client, backend):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client.token_endpoint_auth_method = "client_secret_post"`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
password flow: allow other token endpoint authentication methods 2021-11-21 12:23:08 +00:00
			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="password",`
unit tests: only use user_name to authenticate users 2023-05-11 13:33:34 +00:00			`username="user",`
password flow: allow other token endpoint authentication methods 2021-11-21 12:23:08 +00:00			`password="correct horse battery staple",`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`scope="openid profile groups",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=client.client_id,`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_secret=client.client_secret,`
password flow: allow other token endpoint authentication methods 2021-11-21 12:23:08 +00:00			`),`
			`status=200,`
			`)`

			`assert res.json["scope"] == "openid profile groups"`
			`assert res.json["token_type"] == "Bearer"`
			`access_token = res.json["access_token"]`

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`token = backend.get(models.Token, access_token=access_token)`
password flow: allow other token endpoint authentication methods 2021-11-21 12:23:08 +00:00			`assert token is not None`

			`res = testclient.get(`
			`"/oauth/userinfo",`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`status=200,`
			`)`
unit tests: userinfo 2022-12-24 00:44:16 +00:00			`assert res.json["name"] == "John (johnny) Doe"`
unit tests: password flow with invalid credentials 2022-12-27 17:12:19 +00:00

Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`def test_invalid_user(testclient, user, client):`
unit tests: password flow with invalid credentials 2022-12-27 17:12:19 +00:00			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="password",`
			`username="invalid",`
			`password="invalid",`
			`scope="openid profile groups",`
			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`status=400,`
			`)`

			`assert res.json == {`
			`"error": "invalid_request",`
			`"error_description": 'Invalid "username" or "password" in request.',`
			`}`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00

			`def test_invalid_credentials(testclient, user, client):`
			`res = testclient.post(`
			`"/oauth/token",`
			`params=dict(`
			`grant_type="password",`
			`username="user",`
			`password="invalid",`
			`scope="openid profile groups",`
			`),`
			`headers={"Authorization": f"Basic {client_credentials(client)}"},`
			`status=400,`
			`)`

			`assert res.json == {`
			`"error": "invalid_request",`
			`"error_description": 'Invalid "username" or "password" in request.',`
			`}`