globuzma/canaille-globuzma
1
0
Fork 0
forked from Github-Mirrors/canaille
Code Pull requests Activity

Code challenge unit tests

Browse source
This commit is contained in:
Éloi Rivard 2020-08-25 15:28:13 +02:00
parent 56448cbf19
commit 2777013ad0
4 changed files with 63 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
schemas/oauth2-openldap.ldif
View file

@ -67,6 +67,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.8 NAME 'oauthCodeChallenge'
ORDERING caseExactOrderingMatch ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications USAGE userApplications
X-ORIGIN 'OAuth 2.0' ) X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod' olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
@ -75,6 +76,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
ORDERING caseExactOrderingMatch ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications USAGE userApplications
X-ORIGIN 'OAuth 2.0' ) X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.10 NAME 'oauthClientSecret' olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.10 NAME 'oauthClientSecret'

2
schemas/oauth2-openldap.schema
View file

@ -64,6 +64,7 @@ attributetype ( 1.3.6.1.4.1.56207.1.1.8 NAME 'oauthCodeChallenge'
ORDERING caseExactOrderingMatch ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications USAGE userApplications
X-ORIGIN 'OAuth 2.0' ) X-ORIGIN 'OAuth 2.0' )
attributetype ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod' attributetype ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
@ -72,6 +73,7 @@ attributetype ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
ORDERING caseExactOrderingMatch ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications USAGE userApplications
X-ORIGIN 'OAuth 2.0' ) X-ORIGIN 'OAuth 2.0' )
attributetype ( 1.3.6.1.4.1.56207.1.1.10 NAME 'oauthClientSecret' attributetype ( 1.3.6.1.4.1.56207.1.1.10 NAME 'oauthClientSecret'

50
tests/test_authorization_code_flow.py
View file

@ -1,6 +1,8 @@
from . import client_credentials from . import client_credentials
from authlib.oauth2.rfc7636 import create_s256_code_challenge
from urllib.parse import urlsplit, parse_qs from urllib.parse import urlsplit, parse_qs
from web.models import AuthorizationCode, Token from web.models import AuthorizationCode, Token
from werkzeug.security import gen_salt
def test_authorization_code_flow(testclient, slapd_connection, logged_user, client): def test_authorization_code_flow(testclient, slapd_connection, logged_user, client):
@ -159,3 +161,51 @@ def test_refresh_token(testclient, slapd_connection, logged_user, client):
res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"}) res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})
assert 200 == res.status_code assert 200 == res.status_code
assert {"foo": "bar"} == res.json assert {"foo": "bar"} == res.json
def test_code_challenge(testclient, slapd_connection, logged_user, client):
code_verifier = gen_salt(48)
code_challenge = create_s256_code_challenge(code_verifier)
res = testclient.get(
"/oauth/authorize",
params=dict(
code_challenge=code_challenge,
code_challenge_method="S256",
response_type="code",
client_id=client.oauthClientID,
scope="profile",
nonce="somenonce",
),
)
assert 200 == res.status_code
res = res.forms["accept"].submit()
assert 302 == res.status_code
assert res.location.startswith(client.oauthRedirectURIs[0])
params = parse_qs(urlsplit(res.location).query)
code = params["code"][0]
authcode = AuthorizationCode.get(code, conn=slapd_connection)
assert authcode is not None
res = testclient.post(
"/oauth/token",
params=dict(
grant_type="authorization_code",
code=code,
scope="profile",
code_verifier=code_verifier,
redirect_uri=client.oauthRedirectURIs[0],
),
headers={"Authorization": f"Basic {client_credentials(client)}"},
)
assert 200 == res.status_code
access_token = res.json["access_token"]
token = Token.get(access_token, conn=slapd_connection)
assert token is not None
res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})
assert 200 == res.status_code
assert {"foo": "bar"} == res.json

10
web/oauth2utils.py
View file

@ -9,7 +9,7 @@ from authlib.oauth2.rfc6749.grants import (
) )
from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator
from authlib.oauth2.rfc7009 import RevocationEndpoint as _RevocationEndpoint from authlib.oauth2.rfc7009 import RevocationEndpoint as _RevocationEndpoint
from authlib.oauth2.rfc7636 import CodeChallenge from authlib.oauth2.rfc7636 import CodeChallenge as _CodeChallenge
from authlib.oauth2.rfc7662 import IntrospectionEndpoint as _IntrospectionEndpoint from authlib.oauth2.rfc7662 import IntrospectionEndpoint as _IntrospectionEndpoint
from authlib.oidc.core.grants import ( from authlib.oidc.core.grants import (
OpenIDCode as _OpenIDCode, OpenIDCode as _OpenIDCode,
@ -257,6 +257,14 @@ class IntrospectionEndpoint(_IntrospectionEndpoint):
} }
class CodeChallenge(_CodeChallenge):
def get_authorization_code_challenge(self, authorization_code):
return authorization_code.oauthCodeChallenge
def get_authorization_code_challenge_method(self, authorization_code):
return authorization_code.oauthCodeChallengeMethod
authorization = AuthorizationServer() authorization = AuthorizationServer()
require_oauth = ResourceProtector() require_oauth = ResourceProtector()