From c9df8fb5b364c80c627a2dd19c5fb0d38c888673 Mon Sep 17 00:00:00 2001
From: Eloi Rivard <eloi@yaal.coop>
Date: Wed, 27 Oct 2021 09:31:24 +0200
Subject: [PATCH] Updated consents when a larger scope is required

---
 canaille/oauth.py                     |  2 +-
 tests/test_authorization_code_flow.py | 69 +++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/canaille/oauth.py b/canaille/oauth.py
index 970874b3..42601dbe 100644
--- a/canaille/oauth.py
+++ b/canaille/oauth.py
@@ -135,7 +135,7 @@ def authorize():
                     oauthScope=scopes,
                     oauthIssueDate=datetime.datetime.now().strftime("%Y%m%d%H%M%SZ"),
                 )
-                consent.save()
+            consent.save()
 
         response = authorization.create_authorization_response(grant_user=grant_user)
         current_app.logger.debug(
diff --git a/tests/test_authorization_code_flow.py b/tests/test_authorization_code_flow.py
index eab44c21..98017b41 100644
--- a/tests/test_authorization_code_flow.py
+++ b/tests/test_authorization_code_flow.py
@@ -369,6 +369,75 @@ def test_authorization_code_flow_when_consent_already_given(
     assert "code" in params
 
 
+def test_authorization_code_flow_when_consent_already_given_but_for_a_smaller_scope(
+    testclient, slapd_connection, logged_user, client
+):
+    assert not Consent.filter(conn=slapd_connection)
+
+    res = testclient.get(
+        "/oauth/authorize",
+        params=dict(
+            response_type="code",
+            client_id=client.oauthClientID,
+            scope="profile",
+            nonce="somenonce",
+        ),
+        status=200,
+    )
+
+    res = res.form.submit(name="answer", value="accept", status=302)
+
+    assert res.location.startswith(client.oauthRedirectURIs[0])
+    params = parse_qs(urlsplit(res.location).query)
+    code = params["code"][0]
+    authcode = AuthorizationCode.get(code, conn=slapd_connection)
+    assert authcode is not None
+
+    consents = Consent.filter(
+        oauthClient=client.dn, oauthSubject=logged_user.dn, conn=slapd_connection
+    )
+    assert "profile" in consents[0].oauthScope
+    assert "groups" not in consents[0].oauthScope
+
+    res = testclient.post(
+        "/oauth/token",
+        params=dict(
+            grant_type="authorization_code",
+            code=code,
+            scope="profile",
+            redirect_uri=client.oauthRedirectURIs[0],
+        ),
+        headers={"Authorization": f"Basic {client_credentials(client)}"},
+        status=200,
+    )
+    assert "access_token" in res.json
+
+    res = testclient.get(
+        "/oauth/authorize",
+        params=dict(
+            response_type="code",
+            client_id=client.oauthClientID,
+            scope="profile groups",
+            nonce="somenonce",
+        ),
+        status=200,
+    )
+
+    res = res.form.submit(name="answer", value="accept", status=302)
+
+    assert res.location.startswith(client.oauthRedirectURIs[0])
+    params = parse_qs(urlsplit(res.location).query)
+    code = params["code"][0]
+    authcode = AuthorizationCode.get(code, conn=slapd_connection)
+    assert authcode is not None
+
+    consents = Consent.filter(
+        oauthClient=client.dn, oauthSubject=logged_user.dn, conn=slapd_connection
+    )
+    assert "profile" in consents[0].oauthScope
+    assert "groups" in consents[0].oauthScope
+
+
 def test_prompt_none(testclient, slapd_connection, logged_user, client):
     Consent(
         oauthClient=client.dn,