globuzma/canaille-globuzma
1
0
Fork 0
forked from Github-Mirrors/canaille
Code Pull requests Activity

tests: renamed other_client fixture in trusted_client

Browse source
This commit is contained in:
Éloi Rivard 2023-12-23 17:23:19 +01:00
parent 521ed75f18
commit 577bca360e
No known key found for this signature in database
GPG key ID: 7EDA204EA57DD184
6 changed files with 37 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
tests/oidc/conftest.py
View file

@ -41,7 +41,7 @@ def configuration(configuration, keypair):
@pytest.fixture @pytest.fixture
def client(testclient, other_client, backend): def client(testclient, trusted_client, backend):
c = models.Client( c = models.Client(
client_id=gen_salt(24), client_id=gen_salt(24),
client_name="Some client", client_name="Some client",
@ -69,7 +69,7 @@ def client(testclient, other_client, backend):
token_endpoint_auth_method="client_secret_basic", token_endpoint_auth_method="client_secret_basic",
post_logout_redirect_uris=["https://mydomain.tld/disconnected"], post_logout_redirect_uris=["https://mydomain.tld/disconnected"],
) )
c.audience = [c, other_client] c.audience = [c, trusted_client]
c.save() c.save()
yield c yield c
@ -77,7 +77,7 @@ def client(testclient, other_client, backend):
@pytest.fixture @pytest.fixture
def other_client(testclient, backend): def trusted_client(testclient, backend):
c = models.Client( c = models.Client(
client_id=gen_salt(24), client_id=gen_salt(24),
client_name="Some other client", client_name="Some other client",
@ -104,6 +104,7 @@ def other_client(testclient, backend):
jwks_uri="https://myotherdomain.tld/jwk", jwks_uri="https://myotherdomain.tld/jwk",
token_endpoint_auth_method="client_secret_basic", token_endpoint_auth_method="client_secret_basic",
post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"], post_logout_redirect_uris=["https://myotherdomain.tld/disconnected"],
preconsent=True,
) )
c.audience = [c] c.audience = [c]
c.save() c.save()

29
tests/oidc/test_authorization_code_flow.py
View file

@ -13,7 +13,7 @@ from . import client_credentials
def test_authorization_code_flow( def test_authorization_code_flow(
testclient, logged_user, client, keypair, other_client testclient, logged_user, client, keypair, trusted_client
): ):
assert not models.Consent.query() assert not models.Consent.query()
@ -81,13 +81,13 @@ def test_authorization_code_flow(
claims = jwt.decode(access_token, keypair[1]) claims = jwt.decode(access_token, keypair[1])
assert claims["sub"] == logged_user.user_name assert claims["sub"] == logged_user.user_name
assert claims["name"] == logged_user.formatted_name assert claims["name"] == logged_user.formatted_name
assert claims["aud"] == [client.client_id, other_client.client_id] assert claims["aud"] == [client.client_id, trusted_client.client_id]
id_token = res.json["id_token"] id_token = res.json["id_token"]
claims = jwt.decode(id_token, keypair[1]) claims = jwt.decode(id_token, keypair[1])
assert claims["sub"] == logged_user.user_name assert claims["sub"] == logged_user.user_name
assert claims["name"] == logged_user.formatted_name assert claims["name"] == logged_user.formatted_name
assert claims["aud"] == [client.client_id, other_client.client_id] assert claims["aud"] == [client.client_id, trusted_client.client_id]
res = testclient.get( res = testclient.get(
"/oauth/userinfo", "/oauth/userinfo",
@ -114,7 +114,7 @@ def test_invalid_client(testclient, logged_user, keypair):
def test_authorization_code_flow_with_redirect_uri( def test_authorization_code_flow_with_redirect_uri(
testclient, logged_user, client, keypair, other_client testclient, logged_user, client, keypair, trusted_client
): ):
assert not models.Consent.query() assert not models.Consent.query()
@ -161,7 +161,7 @@ def test_authorization_code_flow_with_redirect_uri(
def test_authorization_code_flow_preconsented( def test_authorization_code_flow_preconsented(
testclient, logged_user, client, keypair, other_client testclient, logged_user, client, keypair, trusted_client
): ):
assert not models.Consent.query() assert not models.Consent.query()
@ -209,7 +209,7 @@ def test_authorization_code_flow_preconsented(
claims = jwt.decode(id_token, keypair[1]) claims = jwt.decode(id_token, keypair[1])
assert logged_user.user_name == claims["sub"] assert logged_user.user_name == claims["sub"]
assert logged_user.formatted_name == claims["name"] assert logged_user.formatted_name == claims["name"]
assert [client.client_id, other_client.client_id] == claims["aud"] assert [client.client_id, trusted_client.client_id] == claims["aud"]
res = testclient.get( res = testclient.get(
"/oauth/userinfo", "/oauth/userinfo",
@ -584,7 +584,7 @@ def test_authorization_code_flow_when_consent_already_given_but_for_a_smaller_sc
def test_authorization_code_flow_but_user_cannot_use_oidc( def test_authorization_code_flow_but_user_cannot_use_oidc(
testclient, user, client, keypair, other_client testclient, user, client, keypair, trusted_client
): ):
testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = [] testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = []
user.reload() user.reload()
@ -645,16 +645,17 @@ def test_nonce_not_required_in_oauth_requests(testclient, logged_user, client):
def test_authorization_code_request_scope_too_large( def test_authorization_code_request_scope_too_large(
testclient, logged_user, keypair, other_client testclient, logged_user, keypair, client
): ):
assert not models.Consent.query() assert not models.Consent.query()
assert "email" not in other_client.scope client.scope = ["openid", "profile", "groups"]
client.save()
res = testclient.get( res = testclient.get(
"/oauth/authorize", "/oauth/authorize",
params=dict( params=dict(
response_type="code", response_type="code",
client_id=other_client.client_id, client_id=client.client_id,
scope="openid profile email", scope="openid profile email",
nonce="somenonce", nonce="somenonce",
), ),
@ -671,7 +672,7 @@ def test_authorization_code_request_scope_too_large(
"profile", "profile",
} }
consents = models.Consent.query(client=other_client, subject=logged_user) consents = models.Consent.query(client=client, subject=logged_user)
assert set(consents[0].scope) == { assert set(consents[0].scope) == {
"openid", "openid",
"profile", "profile",
@ -683,15 +684,15 @@ def test_authorization_code_request_scope_too_large(
grant_type="authorization_code", grant_type="authorization_code",
code=code, code=code,
scope="openid profile email groups address phone", scope="openid profile email groups address phone",
redirect_uri=other_client.redirect_uris[0], redirect_uri=client.redirect_uris[0],
), ),
headers={"Authorization": f"Basic {client_credentials(other_client)}"}, headers={"Authorization": f"Basic {client_credentials(client)}"},
status=200, status=200,
) )
access_token = res.json["access_token"] access_token = res.json["access_token"]
token = models.Token.get(access_token=access_token) token = models.Token.get(access_token=access_token)
assert token.client == other_client assert token.client == client
assert token.subject == logged_user assert token.subject == logged_user
assert set(token.scope) == { assert set(token.scope) == {
"openid", "openid",

20
tests/oidc/test_client_admin.py
View file

@ -21,7 +21,7 @@ def test_client_list(testclient, client, logged_admin):
res.mustcontain(client.client_name) res.mustcontain(client.client_name)
def test_client_list_pagination(testclient, logged_admin, client, other_client): def test_client_list_pagination(testclient, logged_admin, client, trusted_client):
res = testclient.get("/admin/client") res = testclient.get("/admin/client")
res.mustcontain("2 items") res.mustcontain("2 items")
clients = [] clients = []
@ -67,18 +67,18 @@ def test_client_list_bad_pages(testclient, logged_admin):
) )
def test_client_list_search(testclient, logged_admin, client, other_client): def test_client_list_search(testclient, logged_admin, client, trusted_client):
res = testclient.get("/admin/client") res = testclient.get("/admin/client")
res.mustcontain("2 items") res.mustcontain("2 items")
res.mustcontain(client.client_name) res.mustcontain(client.client_name)
res.mustcontain(other_client.client_name) res.mustcontain(trusted_client.client_name)
form = res.forms["search"] form = res.forms["search"]
form["query"] = "other" form["query"] = "other"
res = form.submit() res = form.submit()
res.mustcontain("1 item") res.mustcontain("1 item")
res.mustcontain(other_client.client_name) res.mustcontain(trusted_client.client_name)
res.mustcontain(no=client.client_name) res.mustcontain(no=client.client_name)
@ -144,7 +144,7 @@ def test_add_missing_fields(testclient, logged_admin):
) in res.flashes ) in res.flashes
def test_client_edit(testclient, client, logged_admin, other_client): def test_client_edit(testclient, client, logged_admin, trusted_client):
res = testclient.get("/admin/client/edit/" + client.client_id) res = testclient.get("/admin/client/edit/" + client.client_id)
data = { data = {
"client_name": "foobar", "client_name": "foobar",
@ -162,7 +162,7 @@ def test_client_edit(testclient, client, logged_admin, other_client):
"software_version": "1", "software_version": "1",
"jwk": "jwk", "jwk": "jwk",
"jwks_uri": "https://foo.bar/jwks.json", "jwks_uri": "https://foo.bar/jwks.json",
"audience": [client.id, other_client.id], "audience": [client.id, trusted_client.id],
"preconsent": True, "preconsent": True,
"post_logout_redirect_uris-0": "https://foo.bar/disconnected", "post_logout_redirect_uris-0": "https://foo.bar/disconnected",
} }
@ -196,12 +196,12 @@ def test_client_edit(testclient, client, logged_admin, other_client):
assert client.software_version == "1" assert client.software_version == "1"
assert client.jwk == "jwk" assert client.jwk == "jwk"
assert client.jwks_uri == "https://foo.bar/jwks.json" assert client.jwks_uri == "https://foo.bar/jwks.json"
assert client.audience == [client, other_client] assert client.audience == [client, trusted_client]
assert not client.preconsent assert not client.preconsent
assert client.post_logout_redirect_uris == ["https://foo.bar/disconnected"] assert client.post_logout_redirect_uris == ["https://foo.bar/disconnected"]
def test_client_edit_missing_fields(testclient, client, logged_admin, other_client): def test_client_edit_missing_fields(testclient, client, logged_admin, trusted_client):
res = testclient.get("/admin/client/edit/" + client.client_id) res = testclient.get("/admin/client/edit/" + client.client_id)
res.forms["clientaddform"]["client_name"] = "" res.forms["clientaddform"]["client_name"] = ""
res = res.forms["clientaddform"].submit(name="action", value="edit") res = res.forms["clientaddform"].submit(name="action", value="edit")
@ -255,7 +255,7 @@ def test_client_delete_invalid_client(testclient, logged_admin, client):
) )
def test_client_edit_preauth(testclient, client, logged_admin, other_client): def test_client_edit_preauth(testclient, client, logged_admin, trusted_client):
assert not client.preconsent assert not client.preconsent
res = testclient.get("/admin/client/edit/" + client.client_id) res = testclient.get("/admin/client/edit/" + client.client_id)
@ -275,7 +275,7 @@ def test_client_edit_preauth(testclient, client, logged_admin, other_client):
assert not client.preconsent assert not client.preconsent
def test_client_edit_invalid_uri(testclient, client, logged_admin, other_client): def test_client_edit_invalid_uri(testclient, client, logged_admin, trusted_client):
res = testclient.get("/admin/client/edit/" + client.client_id) res = testclient.get("/admin/client/edit/" + client.client_id)
res.forms["clientaddform"]["client_uri"] = "invalid" res.forms["clientaddform"]["client_uri"] = "invalid"
res = res.forms["clientaddform"].submit(status=200, name="action", value="edit") res = res.forms["clientaddform"].submit(status=200, name="action", value="edit")

4
tests/oidc/test_hybrid_flow.py
View file

@ -46,7 +46,7 @@ def test_oauth_hybrid(testclient, backend, user, client):
assert res.json["name"] == "John (johnny) Doe" assert res.json["name"] == "John (johnny) Doe"
def test_oidc_hybrid(testclient, backend, logged_user, client, keypair, other_client): def test_oidc_hybrid(testclient, backend, logged_user, client, keypair, trusted_client):
res = testclient.get( res = testclient.get(
"/oauth/authorize", "/oauth/authorize",
params=dict( params=dict(
@ -75,7 +75,7 @@ def test_oidc_hybrid(testclient, backend, logged_user, client, keypair, other_cl
claims = jwt.decode(id_token, keypair[1]) claims = jwt.decode(id_token, keypair[1])
assert logged_user.user_name == claims["sub"] assert logged_user.user_name == claims["sub"]
assert logged_user.formatted_name == claims["name"] assert logged_user.formatted_name == claims["name"]
assert [client.client_id, other_client.client_id] == claims["aud"] assert [client.client_id, trusted_client.client_id] == claims["aud"]
res = testclient.get( res = testclient.get(
"/oauth/userinfo", "/oauth/userinfo",

8
tests/oidc/test_implicit_flow.py
View file

@ -50,7 +50,7 @@ def test_oauth_implicit(testclient, user, client):
client.save() client.save()
def test_oidc_implicit(testclient, keypair, user, client, other_client): def test_oidc_implicit(testclient, keypair, user, client, trusted_client):
client.grant_types = ["token id_token"] client.grant_types = ["token id_token"]
client.token_endpoint_auth_method = "none" client.token_endpoint_auth_method = "none"
@ -88,7 +88,7 @@ def test_oidc_implicit(testclient, keypair, user, client, other_client):
claims = jwt.decode(id_token, keypair[1]) claims = jwt.decode(id_token, keypair[1])
assert user.user_name == claims["sub"] assert user.user_name == claims["sub"]
assert user.formatted_name == claims["name"] assert user.formatted_name == claims["name"]
assert [client.client_id, other_client.client_id] == claims["aud"] assert [client.client_id, trusted_client.client_id] == claims["aud"]
res = testclient.get( res = testclient.get(
"/oauth/userinfo", "/oauth/userinfo",
@ -104,7 +104,7 @@ def test_oidc_implicit(testclient, keypair, user, client, other_client):
def test_oidc_implicit_with_group( def test_oidc_implicit_with_group(
testclient, keypair, user, client, foo_group, other_client testclient, keypair, user, client, foo_group, trusted_client
): ):
client.grant_types = ["token id_token"] client.grant_types = ["token id_token"]
client.token_endpoint_auth_method = "none" client.token_endpoint_auth_method = "none"
@ -143,7 +143,7 @@ def test_oidc_implicit_with_group(
claims = jwt.decode(id_token, keypair[1]) claims = jwt.decode(id_token, keypair[1])
assert user.user_name == claims["sub"] assert user.user_name == claims["sub"]
assert user.formatted_name == claims["name"] assert user.formatted_name == claims["name"]
assert [client.client_id, other_client.client_id] == claims["aud"] assert [client.client_id, trusted_client.client_id] == claims["aud"]
assert ["foo"] == claims["groups"] assert ["foo"] == claims["groups"]
res = testclient.get( res = testclient.get(

4
tests/oidc/test_token_introspection.py
View file

@ -58,7 +58,7 @@ def test_token_invalid(testclient, client):
assert {"active": False} == res.json assert {"active": False} == res.json
def test_full_flow(testclient, logged_user, client, user, other_client): def test_full_flow(testclient, logged_user, client, user, trusted_client):
res = testclient.get( res = testclient.get(
"/oauth/authorize", "/oauth/authorize",
params=dict( params=dict(
@ -103,7 +103,7 @@ def test_full_flow(testclient, logged_user, client, user, other_client):
headers={"Authorization": f"Basic {client_credentials(client)}"}, headers={"Authorization": f"Basic {client_credentials(client)}"},
status=200, status=200,
) )
assert set(res.json["aud"]) == {client.client_id, other_client.client_id} assert set(res.json["aud"]) == {client.client_id, trusted_client.client_id}
assert res.json["active"] assert res.json["active"]
assert res.json["client_id"] == client.client_id assert res.json["client_id"] == client.client_id
assert res.json["token_type"] == token.type assert res.json["token_type"] == token.type