tests: extracted the prompt tests in a dedicated file

2023-12-22 21:18:02 +01:00 · 2023-12-22 21:18:02 +01:00 · 9ff0411e9e
commit 9ff0411e9e
parent f7162e4a5a
4 changed files with 111 additions and 75 deletions
--- a/canaille/oidc/endpoints.py
+++ b/canaille/oidc/endpoints.py
@ -55,9 +55,8 @@ def authorize():
        abort(400, "Invalid client.")
    user = current_user()
-    scopes = client.get_allowed_scope(request.args.get("scope", "").split(" ")).split(
+    requested_scopes = request.args.get("scope", "").split(" ")
-        " "
+    allowed_scopes = client.get_allowed_scope(requested_scopes).split(" ")
    )
    # LOGIN
@ -69,7 +68,9 @@ def authorize():
        return redirect(url_for("core.auth.login"))
    if not user.can_use_oidc:
-        abort(403, "User does not have the permission to achieve OIDC authentication.")
+        abort(
            403, "The user does not have the permission to achieve OIDC authentication."
        )
    # CONSENT
@ -82,7 +83,9 @@ def authorize():
    if request.method == "GET":
        if (
            (client.preconsent and (not consent or not consent.revoked))
-            or (consent and all(scope in set(consent.scope) for scope in scopes))
+            or (
                consent and all(scope in set(consent.scope) for scope in allowed_scopes)
            )
            and not consent.revoked
        ):
            return authorization.create_authorization_response(grant_user=user)
@ -125,14 +128,14 @@ def authorize():
            if consent.revoked:
                consent.restore()
            consent.scope = client.get_allowed_scope(
-                list(set(scopes + consents[0].scope))
+                list(set(allowed_scopes + consents[0].scope))
            ).split(" ")
        else:
            consent = models.Consent(
                consent_id=str(uuid.uuid4()),
                client=client,
                subject=user,
-                scope=scopes,
+                scope=allowed_scopes,
                issue_date=datetime.datetime.now(datetime.timezone.utc),
            )
        consent.save()
--- a/canaille/oidc/well_known.py
+++ b/canaille/oidc/well_known.py
@ -76,6 +76,7 @@ def openid_configuration():
        ],
        "subject_types_supported": ["pairwise", "public"],
        "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
        "prompt_values_supported": ["none"],
    }
--- a/tests/oidc/test_authorization_code_flow.py
+++ b/tests/oidc/test_authorization_code_flow.py
@ -1,4 +1,3 @@
 import uuid
 from urllib.parse import parse_qs
 from urllib.parse import urlsplit
@ -610,73 +609,6 @@ def test_authorization_code_flow_but_user_cannot_use_oidc(
    res = res.follow(status=403)
 def test_prompt_none(testclient, logged_user, client):
    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=logged_user,
        scope=["openid", "profile"],
    )
    consent.save()
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=302,
    )
    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).query)
    assert "code" in params
    consent.delete()
 def test_prompt_not_logged(testclient, user, client):
    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=user,
        scope=["openid", "profile"],
    )
    consent.save()
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=200,
    )
    assert "login_required" == res.json.get("error")
    consent.delete()
 def test_prompt_no_consent(testclient, logged_user, client):
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=200,
    )
    assert "consent_required" == res.json.get("error")
 def test_nonce_required_in_oidc_requests(testclient, logged_user, client):
    res = testclient.get(
        "/oauth/authorize",
--- a/tests/oidc/test_authorization_prompt.py
+++ b/tests/oidc/test_authorization_prompt.py
@ -0,0 +1,100 @@
 """
 Tests the behavior of Canaille depending on the OIDC 'prompt' parameter.
 https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
 """
 import uuid
 from urllib.parse import parse_qs
 from urllib.parse import urlsplit
 from canaille.app import models
 def test_prompt_none(testclient, logged_user, client):
    """
    Nominal case with prompt=none
    """
    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=logged_user,
        scope=["openid", "profile"],
    )
    consent.save()
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=302,
    )
    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).query)
    assert "code" in params
    consent.delete()
 def test_prompt_not_logged(testclient, user, client):
    """
    prompt=none should return a login_required error when no
    user is logged in.
    login_required
        The Authorization Server requires End-User authentication.
        This error MAY be returned when the prompt parameter value in the
        Authentication Request is none, but the Authentication Request
        cannot be completed without displaying a user interface for End-User
        authentication.
    """
    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=user,
        scope=["openid", "profile"],
    )
    consent.save()
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=200,
    )
    assert "login_required" == res.json.get("error")
    consent.delete()
 def test_prompt_no_consent(testclient, logged_user, client):
    """
    prompt=none should return a consent_required error when user
    are logged in but have not granted their consent.
    consent_required
    The Authorization Server requires End-User consent. This error MAY be
    returned when the prompt parameter value in the Authentication Request
    is none, but the Authentication Request cannot be completed without
    displaying a user interface for End-User consent.
    """
    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="code",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
            prompt="none",
        ),
        status=200,
    )
    assert "consent_required" == res.json.get("error")