canaille-globuzma/tests/oidc/conftest.py

import datetime
import os
import uuid

import pytest
from authlib.oidc.core.grants.util import generate_id_token
from canaille.oidc.models import AuthorizationCode
from canaille.oidc.models import Client
from canaille.oidc.models import Consent
from canaille.oidc.models import Token
from canaille.oidc.oauth import generate_user_info
from canaille.oidc.oauth import get_jwt_config
from cryptography.hazmat.backends import default_backend as crypto_default_backend
from cryptography.hazmat.primitives import serialization as crypto_serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from werkzeug.security import gen_salt


@pytest.fixture
def app(app):
    os.environ["AUTHLIB_INSECURE_TRANSPORT"] = "true"
    yield app


@pytest.fixture(scope="session")
def keypair():
    key = rsa.generate_private_key(
        backend=crypto_default_backend(), public_exponent=65537, key_size=2048
    )
    private_key = key.private_bytes(
        crypto_serialization.Encoding.PEM,
        crypto_serialization.PrivateFormat.PKCS8,
        crypto_serialization.NoEncryption(),
    )
    public_key = key.public_key().public_bytes(
        crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH
    )
    return private_key, public_key


@pytest.fixture
def keypair_path(keypair, tmp_path):
    private_key, public_key = keypair

    private_key_path = os.path.join(tmp_path, "private.pem")
    with open(private_key_path, "wb") as fd:
        fd.write(private_key)

    public_key_path = os.path.join(tmp_path, "public.pem")
    with open(public_key_path, "wb") as fd:
        fd.write(public_key)

    return private_key_path, public_key_path


@pytest.fixture
def configuration(configuration, keypair_path):
    private_key_path, public_key_path = keypair_path
    conf = {
        **configuration,
        "JWT": {
            "PUBLIC_KEY": public_key_path,
            "PRIVATE_KEY": private_key_path,
            "ISS": "https://auth.mydomain.tld",
            "MAPPING": {
                "SUB": "{{ user.user_name[0] }}",
                "NAME": "{{ user.formatted_name[0] }}",
                "PHONE_NUMBER": "{{ user.phone_number[0] }}",
                "EMAIL": "{{ user.email[0] }}",
                "GIVEN_NAME": "{{ user.given_name[0] }}",
                "FAMILY_NAME": "{{ user.family_name[0] }}",
                "PREFERRED_USERNAME": "{{ user.display_name }}",
                "LOCALE": "{{ user.preferred_language }}",
                "PICTURE": "{% if user.photo %}{{ url_for('account.photo', user_name=user.user_name[0], field='photo', _external=True) }}{% endif %}",
                "ADDRESS": "{{ user.formatted_address[0] }}",
                "WEBSITE": "{{ user.profile_url[0] }}",
            },
        },
    }
    return conf


@pytest.fixture
def client(testclient, other_client, slapd_connection):
    c = Client(
        client_id=gen_salt(24),
        client_name="Some client",
        contacts="contact@mydomain.tld",
        client_uri="https://mydomain.tld",
        redirect_uris=[
            "https://mydomain.tld/redirect1",
            "https://mydomain.tld/redirect2",
        ],
        logo_uri="https://mydomain.tld/logo.png",
        client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),
        client_secret=gen_salt(48),
        grant_types=[
            "password",
            "authorization_code",
            "implicit",
            "hybrid",
            "refresh_token",
        ],
        response_types=["code", "token", "id_token"],
        scope=["openid", "email", "profile", "groups", "address", "phone"],
        tos_uri="https://mydomain.tld/tos",
        policy_uri="https://mydomain.tld/policy",
        jwks_uri="https://mydomain.tld/jwk",
        token_endpoint_auth_method="client_secret_basic",
        post_logout_redirect_uris=["https://mydomain.tld/disconnected"],
    )
    c.audience = [c, other_client]
    c.save()

    yield c
    c.delete()


@pytest.fixture
def other_client(testclient, slapd_connection):
    c = Client(
        client_id=gen_salt(24),
        client_name="Some other client",
        contacts="contact@myotherdomain.tld",
        client_uri="https://myotherdomain.tld",
        redirect_uris=[
            "https://myotherdomain.tld/redirect1",
            "https://myotherdomain.tld/redirect2",
        ],
        logo_uri="https://myotherdomain.tld/logo.png",
        client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),
        client_secret=gen_salt(48),
        grant_types=[
            "password",
            "authorization_code",
            "implicit",
            "hybrid",
            "refresh_token",
        ],
        response_types=["code", "token", "id_token"],
        scope=["openid", "profile", "groups"],
        tos_uri="https://myotherdomain.tld/tos",
        policy_uri="https://myotherdomain.tld/policy",
        jwks_uri="https://myotherdomain.tld/jwk",
        token_endpoint_auth_method="client_secret_basic",
        post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"],
    )
    c.audience = [c]
    c.save()

    yield c
    c.delete()


@pytest.fixture
def authorization(testclient, user, client, slapd_connection):
    a = AuthorizationCode(
        authorization_code_id=gen_salt(48),
        code="my-code",
        client=client,
        subject=user,
        redirect_uri="https://foo.bar/callback",
        response_type="code",
        scope="openid profile",
        nonce="nonce",
        issue_date=datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc),
        lifetime="3600",
        challenge="challenge",
        challenge_method="method",
        revokation="",
    )
    a.save()
    yield a
    a.delete()


@pytest.fixture
def token(testclient, client, user, slapd_connection):
    t = Token(
        token_id=gen_salt(48),
        access_token=gen_salt(48),
        audience=[client],
        client=client,
        subject=user,
        token_type=None,
        refresh_token=gen_salt(48),
        scope="openid profile",
        issue_date=datetime.datetime.now(datetime.timezone.utc),
        lifetime=str(3600),
    )
    t.save()
    yield t
    t.delete()


@pytest.fixture
def id_token(testclient, client, user, slapd_connection):
    return generate_id_token(
        {},
        generate_user_info(user, client.scope),
        aud=client.client_id,
        **get_jwt_config(None)
    )


@pytest.fixture
def consent(testclient, client, user, slapd_connection):
    t = Consent(
        cn=str(uuid.uuid4()),
        client=client,
        subject=user,
        scope=["openid", "profile"],
        issue_date=datetime.datetime.now(datetime.timezone.utc),
    )
    t.save()
    yield t
    t.delete()
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`import datetime`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`import os`
Explicitely set Consent cn 2023-01-23 17:55:27 +00:00			`import uuid`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
			`import pytest`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`from authlib.oidc.core.grants.util import generate_id_token`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`from canaille.oidc.models import AuthorizationCode`
			`from canaille.oidc.models import Client`
			`from canaille.oidc.models import Consent`
			`from canaille.oidc.models import Token`
Refactoring: file renaming 2022-10-06 11:32:41 +00:00			`from canaille.oidc.oauth import generate_user_info`
			`from canaille.oidc.oauth import get_jwt_config`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`from cryptography.hazmat.backends import default_backend as crypto_default_backend`
			`from cryptography.hazmat.primitives import serialization as crypto_serialization`
			`from cryptography.hazmat.primitives.asymmetric import rsa`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`from werkzeug.security import gen_salt`


refactoring: moved the authlib related test configuration in the oidc module 2022-12-29 01:06:54 +00:00			`@pytest.fixture`
			`def app(app):`
			`os.environ["AUTHLIB_INSECURE_TRANSPORT"] = "true"`
			`yield app`


Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`@pytest.fixture(scope="session")`
			`def keypair():`
			`key = rsa.generate_private_key(`
			`backend=crypto_default_backend(), public_exponent=65537, key_size=2048`
			`)`
			`private_key = key.private_bytes(`
			`crypto_serialization.Encoding.PEM,`
			`crypto_serialization.PrivateFormat.PKCS8,`
			`crypto_serialization.NoEncryption(),`
			`)`
			`public_key = key.public_key().public_bytes(`
			`crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH`
			`)`
			`return private_key, public_key`


			`@pytest.fixture`
			`def keypair_path(keypair, tmp_path):`
			`private_key, public_key = keypair`

			`private_key_path = os.path.join(tmp_path, "private.pem")`
			`with open(private_key_path, "wb") as fd:`
			`fd.write(private_key)`

			`public_key_path = os.path.join(tmp_path, "public.pem")`
			`with open(public_key_path, "wb") as fd:`
			`fd.write(public_key)`

			`return private_key_path, public_key_path`


			`@pytest.fixture`
			`def configuration(configuration, keypair_path):`
			`private_key_path, public_key_path = keypair_path`
			`conf = {`
			`**configuration,`
			`"JWT": {`
			`"PUBLIC_KEY": public_key_path,`
			`"PRIVATE_KEY": private_key_path,`
			`"ISS": "https://auth.mydomain.tld",`
			`"MAPPING": {`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`"SUB": "{{ user.user_name[0] }}",`
Fixed remaining ldap attribute calls 2023-04-07 20:38:01 +00:00			`"NAME": "{{ user.formatted_name[0] }}",`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`"PHONE_NUMBER": "{{ user.phone_number[0] }}",`
			`"EMAIL": "{{ user.email[0] }}",`
			`"GIVEN_NAME": "{{ user.given_name[0] }}",`
			`"FAMILY_NAME": "{{ user.family_name[0] }}",`
			`"PREFERRED_USERNAME": "{{ user.display_name }}",`
			`"LOCALE": "{{ user.preferred_language }}",`
			`"PICTURE": "{% if user.photo %}{{ url_for('account.photo', user_name=user.user_name[0], field='photo', _external=True) }}{% endif %}",`
			`"ADDRESS": "{{ user.formatted_address[0] }}",`
			`"WEBSITE": "{{ user.profile_url[0] }}",`
Moved the OIDC configuration in the oidc test subdir conftest.py 2022-12-24 01:06:28 +00:00			`},`
			`},`
			`}`
			`return conf`


split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`@pytest.fixture`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`def client(testclient, other_client, slapd_connection):`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`c = Client(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=gen_salt(24),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_name="Some client",`
			`contacts="contact@mydomain.tld",`
			`client_uri="https://mydomain.tld",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uris=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"https://mydomain.tld/redirect1",`
			`"https://mydomain.tld/redirect2",`
			`],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`logo_uri="https://mydomain.tld/logo.png",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_secret=gen_salt(48),`
			`grant_types=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"password",`
			`"authorization_code",`
			`"implicit",`
			`"hybrid",`
			`"refresh_token",`
			`],`
Variable renaming 2022-10-17 15:49:52 +00:00			`response_types=["code", "token", "id_token"],`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`scope=["openid", "email", "profile", "groups", "address", "phone"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`tos_uri="https://mydomain.tld/tos",`
			`policy_uri="https://mydomain.tld/policy",`
Variable renaming 2022-10-17 15:49:52 +00:00			`jwks_uri="https://mydomain.tld/jwk",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_endpoint_auth_method="client_secret_basic",`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`post_logout_redirect_uris=["https://mydomain.tld/disconnected"],`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`c.audience = [c, other_client]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`c.save()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield c`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`c.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`def other_client(testclient, slapd_connection):`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`c = Client(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=gen_salt(24),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_name="Some other client",`
			`contacts="contact@myotherdomain.tld",`
			`client_uri="https://myotherdomain.tld",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uris=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"https://myotherdomain.tld/redirect1",`
			`"https://myotherdomain.tld/redirect2",`
			`],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`logo_uri="https://myotherdomain.tld/logo.png",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`client_id_issued_at=datetime.datetime.now(datetime.timezone.utc),`
Variable renaming 2022-10-17 15:49:52 +00:00			`client_secret=gen_salt(48),`
			`grant_types=[`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`"password",`
			`"authorization_code",`
			`"implicit",`
			`"hybrid",`
			`"refresh_token",`
			`],`
Variable renaming 2022-10-17 15:49:52 +00:00			`response_types=["code", "token", "id_token"],`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`scope=["openid", "profile", "groups"],`
			`tos_uri="https://myotherdomain.tld/tos",`
			`policy_uri="https://myotherdomain.tld/policy",`
Variable renaming 2022-10-17 15:49:52 +00:00			`jwks_uri="https://myotherdomain.tld/jwk",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_endpoint_auth_method="client_secret_basic",`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"],`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`c.audience = [c]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`c.save()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield c`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`c.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`def authorization(testclient, user, client, slapd_connection):`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`a = AuthorizationCode(`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`authorization_code_id=gen_salt(48),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`code="my-code",`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`redirect_uri="https://foo.bar/callback",`
			`response_type="code",`
			`scope="openid profile",`
			`nonce="nonce",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`lifetime="3600",`
			`challenge="challenge",`
			`challenge_method="method",`
			`revokation="",`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`a.save()`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield a`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`a.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

			`@pytest.fixture`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`def token(testclient, client, user, slapd_connection):`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`t = Token(`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`token_id=gen_salt(48),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`access_token=gen_salt(48),`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`audience=[client],`
			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`token_type=None,`
			`refresh_token=gen_salt(48),`
			`scope="openid profile",`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime.now(datetime.timezone.utc),`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`lifetime=str(3600),`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`t.save()`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield t`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`t.delete()`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00

Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`@pytest.fixture`
			`def id_token(testclient, client, user, slapd_connection):`
			`return generate_id_token(`
			`{},`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`generate_user_info(user, client.scope),`
Implemented RP-initiated logout 2022-05-20 12:07:56 +00:00			`aud=client.client_id,`
			`**get_jwt_config(None)`
			`)`


split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`@pytest.fixture`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`def consent(testclient, client, user, slapd_connection):`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`t = Consent(`
Explicitely set Consent cn 2023-01-23 17:55:27 +00:00			`cn=str(uuid.uuid4()),`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`client=client,`
			`subject=user,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=datetime.datetime.now(datetime.timezone.utc),`
split oidc tests from the rest 2022-01-11 18:42:26 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`t.save()`
Get rid of autouse fixtures 2022-05-20 07:24:24 +00:00			`yield t`
unit tests: removed useless try/except in oidc fixtures 2022-12-04 12:41:09 +00:00			`t.delete()`