Code challenge unit tests

2020-08-25 15:28:13 +02:00 · 2020-08-25 15:28:13 +02:00 · 2777013ad0
commit 2777013ad0
parent 56448cbf19
4 changed files with 63 additions and 1 deletions
--- a/schemas/oauth2-openldap.ldif
+++ b/schemas/oauth2-openldap.ldif
@ -67,6 +67,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.8 NAME 'oauthCodeChallenge'
        ORDERING caseExactOrderingMatch
        SUBSTR caseExactSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+        SINGLE-VALUE
        USAGE userApplications
        X-ORIGIN 'OAuth 2.0' )
 olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
@ -75,6 +76,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
        ORDERING caseExactOrderingMatch
        SUBSTR caseExactSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+        SINGLE-VALUE
        USAGE userApplications
        X-ORIGIN 'OAuth 2.0' )
 olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.10 NAME 'oauthClientSecret'
--- a/schemas/oauth2-openldap.schema
+++ b/schemas/oauth2-openldap.schema
@ -64,6 +64,7 @@ attributetype ( 1.3.6.1.4.1.56207.1.1.8 NAME 'oauthCodeChallenge'
        ORDERING caseExactOrderingMatch
        SUBSTR caseExactSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+        SINGLE-VALUE
        USAGE userApplications
        X-ORIGIN 'OAuth 2.0' )
 attributetype ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
@ -72,6 +73,7 @@ attributetype ( 1.3.6.1.4.1.56207.1.1.9 NAME 'oauthCodeChallengeMethod'
        ORDERING caseExactOrderingMatch
        SUBSTR caseExactSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+        SINGLE-VALUE
        USAGE userApplications
        X-ORIGIN 'OAuth 2.0' )
 attributetype ( 1.3.6.1.4.1.56207.1.1.10 NAME 'oauthClientSecret'
--- a/tests/test_authorization_code_flow.py
+++ b/tests/test_authorization_code_flow.py
@ -1,6 +1,8 @@
 from . import client_credentials
+from authlib.oauth2.rfc7636 import create_s256_code_challenge
 from urllib.parse import urlsplit, parse_qs
 from web.models import AuthorizationCode, Token
+from werkzeug.security import gen_salt


 def test_authorization_code_flow(testclient, slapd_connection, logged_user, client):
@ -159,3 +161,51 @@ def test_refresh_token(testclient, slapd_connection, logged_user, client):
    res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})
    assert 200 == res.status_code
    assert {"foo": "bar"} == res.json
+
+
+def test_code_challenge(testclient, slapd_connection, logged_user, client):
+    code_verifier = gen_salt(48)
+    code_challenge = create_s256_code_challenge(code_verifier)
+
+    res = testclient.get(
+        "/oauth/authorize",
+        params=dict(
+            code_challenge=code_challenge,
+            code_challenge_method="S256",
+            response_type="code",
+            client_id=client.oauthClientID,
+            scope="profile",
+            nonce="somenonce",
+        ),
+    )
+    assert 200 == res.status_code
+
+    res = res.forms["accept"].submit()
+    assert 302 == res.status_code
+
+    assert res.location.startswith(client.oauthRedirectURIs[0])
+    params = parse_qs(urlsplit(res.location).query)
+    code = params["code"][0]
+    authcode = AuthorizationCode.get(code, conn=slapd_connection)
+    assert authcode is not None
+
+    res = testclient.post(
+        "/oauth/token",
+        params=dict(
+            grant_type="authorization_code",
+            code=code,
+            scope="profile",
+            code_verifier=code_verifier,
+            redirect_uri=client.oauthRedirectURIs[0],
+        ),
+        headers={"Authorization": f"Basic {client_credentials(client)}"},
+    )
+    assert 200 == res.status_code
+    access_token = res.json["access_token"]
+
+    token = Token.get(access_token, conn=slapd_connection)
+    assert token is not None
+
+    res = testclient.get("/api/me", headers={"Authorization": f"Bearer {access_token}"})
+    assert 200 == res.status_code
+    assert {"foo": "bar"} == res.json
--- a/web/oauth2utils.py
+++ b/web/oauth2utils.py
@ -9,7 +9,7 @@ from authlib.oauth2.rfc6749.grants import (
 )
 from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator
 from authlib.oauth2.rfc7009 import RevocationEndpoint as _RevocationEndpoint
-from authlib.oauth2.rfc7636 import CodeChallenge
+from authlib.oauth2.rfc7636 import CodeChallenge as _CodeChallenge
 from authlib.oauth2.rfc7662 import IntrospectionEndpoint as _IntrospectionEndpoint
 from authlib.oidc.core.grants import (
    OpenIDCode as _OpenIDCode,
@ -257,6 +257,14 @@ class IntrospectionEndpoint(_IntrospectionEndpoint):
        }


+class CodeChallenge(_CodeChallenge):
+    def get_authorization_code_challenge(self, authorization_code):
+        return authorization_code.oauthCodeChallenge
+
+    def get_authorization_code_challenge_method(self, authorization_code):
+        return authorization_code.oauthCodeChallengeMethod
+
+
 authorization = AuthorizationServer()
 require_oauth = ResourceProtector()