canaille-globuzma/tests/oidc/test_userinfo.py
2024-03-15 19:58:37 +01:00

302 lines
8 KiB
Python

from canaille.oidc.oauth import DEFAULT_JWT_MAPPING
from canaille.oidc.oauth import claims_from_scope
from canaille.oidc.oauth import generate_user_claims
def test_claims_from_scope():
assert claims_from_scope("openid") == {"sub"}
assert claims_from_scope("openid profile") == {
"sub",
"name",
"family_name",
"given_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
}
assert claims_from_scope("openid profile email") == {
"sub",
"name",
"family_name",
"given_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
"email",
"email_verified",
}
assert claims_from_scope("openid profile address") == {
"sub",
"name",
"family_name",
"given_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
"address",
}
assert claims_from_scope("openid profile phone") == {
"sub",
"name",
"family_name",
"given_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
"phone_number",
"phone_number_verified",
}
assert claims_from_scope("openid profile groups") == {
"sub",
"name",
"family_name",
"given_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
"groups",
}
def test_generate_user_claims(user, foo_group):
assert generate_user_claims(user, claims_from_scope("openid")) == {"sub": "user"}
assert generate_user_claims(user, claims_from_scope("openid profile")) == {
"sub": "user",
"name": "John (johnny) Doe",
"given_name": "John",
"family_name": "Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
}
assert generate_user_claims(user, claims_from_scope("openid profile email")) == {
"sub": "user",
"name": "John (johnny) Doe",
"given_name": "John",
"family_name": "Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"email": "john@doe.com",
}
assert generate_user_claims(user, claims_from_scope("openid profile address")) == {
"sub": "user",
"name": "John (johnny) Doe",
"given_name": "John",
"family_name": "Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"address": "1235, somewhere",
}
assert generate_user_claims(user, claims_from_scope("openid profile phone")) == {
"sub": "user",
"name": "John (johnny) Doe",
"given_name": "John",
"family_name": "Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"phone_number": "555-000-000",
}
assert generate_user_claims(user, claims_from_scope("openid profile groups")) == {
"sub": "user",
"name": "John (johnny) Doe",
"given_name": "John",
"family_name": "Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"groups": ["foo"],
}
def test_userinfo(testclient, token, user, foo_group):
token.scope = ["openid"]
token.save()
testclient.get(
"/oauth/userinfo",
headers={"Authorization": f"Bearer {token.access_token}"},
status=403,
)
token.scope = ["openid", "profile"]
token.save()
res = testclient.get(
"/oauth/userinfo",
headers={"Authorization": f"Bearer {token.access_token}"},
)
assert res.json == {
"sub": "user",
"given_name": "John",
"family_name": "Doe",
"name": "John (johnny) Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
}
token.scope = ["openid", "profile", "email"]
token.save()
res = testclient.get(
"/oauth/userinfo",
headers={"Authorization": f"Bearer {token.access_token}"},
)
assert res.json == {
"sub": "user",
"given_name": "John",
"family_name": "Doe",
"name": "John (johnny) Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"email": "john@doe.com",
}
token.scope = ["openid", "profile", "address"]
token.save()
res = testclient.get(
"/oauth/userinfo",
headers={"Authorization": f"Bearer {token.access_token}"},
)
assert res.json == {
"sub": "user",
"family_name": "Doe",
"given_name": "John",
"name": "John (johnny) Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"address": "1235, somewhere",
}
token.scope = ["openid", "profile", "phone"]
token.save()
res = testclient.get(
"/oauth/userinfo",
headers={"Authorization": f"Bearer {token.access_token}"},
)
assert res.json == {
"sub": "user",
"given_name": "John",
"family_name": "Doe",
"name": "John (johnny) Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"phone_number": "555-000-000",
}
token.scope = ["openid", "profile", "groups"]
token.save()
res = testclient.get(
"/oauth/userinfo",
headers={"Authorization": f"Bearer {token.access_token}"},
)
assert res.json == {
"sub": "user",
"given_name": "John",
"family_name": "Doe",
"name": "John (johnny) Doe",
"preferred_username": "Johnny",
"locale": "en",
"website": "https://john.example",
"groups": ["foo"],
}
STANDARD_CLAIMS = [
"sub",
"name",
"ugiven_name",
"family_name",
"middle_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"email",
"email_verified",
"gender",
"birthdate",
"zoneinfo",
"locale",
"phone_number",
"phone_number_verified",
"address",
"updated_at",
]
def test_generate_user_standard_claims_with_default_config(testclient, backend, user):
user.preferred_language = "fr"
data = generate_user_claims(user, STANDARD_CLAIMS, DEFAULT_JWT_MAPPING)
assert data == {
"address": "1235, somewhere",
"sub": "user",
"name": "John (johnny) Doe",
"family_name": "Doe",
"preferred_username": "Johnny",
"email": "john@doe.com",
"locale": "fr",
"phone_number": "555-000-000",
"website": "https://john.example",
}
def test_custom_config_format_claim_is_well_formated(testclient, backend, user):
jwt_mapping_config = DEFAULT_JWT_MAPPING.copy()
jwt_mapping_config["EMAIL"] = "{{ user.user_name }}@mydomain.tld"
data = generate_user_claims(user, STANDARD_CLAIMS, jwt_mapping_config)
assert data["email"] == "user@mydomain.tld"
def test_claim_is_omitted_if_empty(testclient, backend, user):
# According to https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
# it's better to not insert a null or empty string value
user.emails = []
user.save()
data = generate_user_claims(user, STANDARD_CLAIMS, DEFAULT_JWT_MAPPING)
assert "email" not in data