forked from Github-Mirrors/canaille
302 lines
8 KiB
Python
302 lines
8 KiB
Python
from canaille.oidc.oauth import DEFAULT_JWT_MAPPING
|
|
from canaille.oidc.oauth import claims_from_scope
|
|
from canaille.oidc.oauth import generate_user_claims
|
|
|
|
|
|
def test_claims_from_scope():
|
|
assert claims_from_scope("openid") == {"sub"}
|
|
assert claims_from_scope("openid profile") == {
|
|
"sub",
|
|
"name",
|
|
"family_name",
|
|
"given_name",
|
|
"nickname",
|
|
"preferred_username",
|
|
"profile",
|
|
"picture",
|
|
"website",
|
|
"gender",
|
|
"birthdate",
|
|
"zoneinfo",
|
|
"locale",
|
|
"updated_at",
|
|
}
|
|
assert claims_from_scope("openid profile email") == {
|
|
"sub",
|
|
"name",
|
|
"family_name",
|
|
"given_name",
|
|
"nickname",
|
|
"preferred_username",
|
|
"profile",
|
|
"picture",
|
|
"website",
|
|
"gender",
|
|
"birthdate",
|
|
"zoneinfo",
|
|
"locale",
|
|
"updated_at",
|
|
"email",
|
|
"email_verified",
|
|
}
|
|
assert claims_from_scope("openid profile address") == {
|
|
"sub",
|
|
"name",
|
|
"family_name",
|
|
"given_name",
|
|
"nickname",
|
|
"preferred_username",
|
|
"profile",
|
|
"picture",
|
|
"website",
|
|
"gender",
|
|
"birthdate",
|
|
"zoneinfo",
|
|
"locale",
|
|
"updated_at",
|
|
"address",
|
|
}
|
|
assert claims_from_scope("openid profile phone") == {
|
|
"sub",
|
|
"name",
|
|
"family_name",
|
|
"given_name",
|
|
"nickname",
|
|
"preferred_username",
|
|
"profile",
|
|
"picture",
|
|
"website",
|
|
"gender",
|
|
"birthdate",
|
|
"zoneinfo",
|
|
"locale",
|
|
"updated_at",
|
|
"phone_number",
|
|
"phone_number_verified",
|
|
}
|
|
assert claims_from_scope("openid profile groups") == {
|
|
"sub",
|
|
"name",
|
|
"family_name",
|
|
"given_name",
|
|
"nickname",
|
|
"preferred_username",
|
|
"profile",
|
|
"picture",
|
|
"website",
|
|
"gender",
|
|
"birthdate",
|
|
"zoneinfo",
|
|
"locale",
|
|
"updated_at",
|
|
"groups",
|
|
}
|
|
|
|
|
|
def test_generate_user_claims(user, foo_group):
|
|
assert generate_user_claims(user, claims_from_scope("openid")) == {"sub": "user"}
|
|
assert generate_user_claims(user, claims_from_scope("openid profile")) == {
|
|
"sub": "user",
|
|
"name": "John (johnny) Doe",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
}
|
|
assert generate_user_claims(user, claims_from_scope("openid profile email")) == {
|
|
"sub": "user",
|
|
"name": "John (johnny) Doe",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"email": "john@doe.com",
|
|
}
|
|
assert generate_user_claims(user, claims_from_scope("openid profile address")) == {
|
|
"sub": "user",
|
|
"name": "John (johnny) Doe",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"address": "1235, somewhere",
|
|
}
|
|
assert generate_user_claims(user, claims_from_scope("openid profile phone")) == {
|
|
"sub": "user",
|
|
"name": "John (johnny) Doe",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"phone_number": "555-000-000",
|
|
}
|
|
assert generate_user_claims(user, claims_from_scope("openid profile groups")) == {
|
|
"sub": "user",
|
|
"name": "John (johnny) Doe",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"groups": ["foo"],
|
|
}
|
|
|
|
|
|
def test_userinfo(testclient, token, user, foo_group):
|
|
token.scope = ["openid"]
|
|
token.save()
|
|
testclient.get(
|
|
"/oauth/userinfo",
|
|
headers={"Authorization": f"Bearer {token.access_token}"},
|
|
status=403,
|
|
)
|
|
|
|
token.scope = ["openid", "profile"]
|
|
token.save()
|
|
res = testclient.get(
|
|
"/oauth/userinfo",
|
|
headers={"Authorization": f"Bearer {token.access_token}"},
|
|
)
|
|
assert res.json == {
|
|
"sub": "user",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"name": "John (johnny) Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
}
|
|
|
|
token.scope = ["openid", "profile", "email"]
|
|
token.save()
|
|
res = testclient.get(
|
|
"/oauth/userinfo",
|
|
headers={"Authorization": f"Bearer {token.access_token}"},
|
|
)
|
|
assert res.json == {
|
|
"sub": "user",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"name": "John (johnny) Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"email": "john@doe.com",
|
|
}
|
|
|
|
token.scope = ["openid", "profile", "address"]
|
|
token.save()
|
|
res = testclient.get(
|
|
"/oauth/userinfo",
|
|
headers={"Authorization": f"Bearer {token.access_token}"},
|
|
)
|
|
assert res.json == {
|
|
"sub": "user",
|
|
"family_name": "Doe",
|
|
"given_name": "John",
|
|
"name": "John (johnny) Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"address": "1235, somewhere",
|
|
}
|
|
|
|
token.scope = ["openid", "profile", "phone"]
|
|
token.save()
|
|
res = testclient.get(
|
|
"/oauth/userinfo",
|
|
headers={"Authorization": f"Bearer {token.access_token}"},
|
|
)
|
|
assert res.json == {
|
|
"sub": "user",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"name": "John (johnny) Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"phone_number": "555-000-000",
|
|
}
|
|
|
|
token.scope = ["openid", "profile", "groups"]
|
|
token.save()
|
|
res = testclient.get(
|
|
"/oauth/userinfo",
|
|
headers={"Authorization": f"Bearer {token.access_token}"},
|
|
)
|
|
assert res.json == {
|
|
"sub": "user",
|
|
"given_name": "John",
|
|
"family_name": "Doe",
|
|
"name": "John (johnny) Doe",
|
|
"preferred_username": "Johnny",
|
|
"locale": "en",
|
|
"website": "https://john.example",
|
|
"groups": ["foo"],
|
|
}
|
|
|
|
|
|
STANDARD_CLAIMS = [
|
|
"sub",
|
|
"name",
|
|
"ugiven_name",
|
|
"family_name",
|
|
"middle_name",
|
|
"nickname",
|
|
"preferred_username",
|
|
"profile",
|
|
"picture",
|
|
"website",
|
|
"email",
|
|
"email_verified",
|
|
"gender",
|
|
"birthdate",
|
|
"zoneinfo",
|
|
"locale",
|
|
"phone_number",
|
|
"phone_number_verified",
|
|
"address",
|
|
"updated_at",
|
|
]
|
|
|
|
|
|
def test_generate_user_standard_claims_with_default_config(testclient, backend, user):
|
|
user.preferred_language = "fr"
|
|
|
|
data = generate_user_claims(user, STANDARD_CLAIMS, DEFAULT_JWT_MAPPING)
|
|
|
|
assert data == {
|
|
"address": "1235, somewhere",
|
|
"sub": "user",
|
|
"name": "John (johnny) Doe",
|
|
"family_name": "Doe",
|
|
"preferred_username": "Johnny",
|
|
"email": "john@doe.com",
|
|
"locale": "fr",
|
|
"phone_number": "555-000-000",
|
|
"website": "https://john.example",
|
|
}
|
|
|
|
|
|
def test_custom_config_format_claim_is_well_formated(testclient, backend, user):
|
|
jwt_mapping_config = DEFAULT_JWT_MAPPING.copy()
|
|
jwt_mapping_config["EMAIL"] = "{{ user.user_name }}@mydomain.tld"
|
|
|
|
data = generate_user_claims(user, STANDARD_CLAIMS, jwt_mapping_config)
|
|
|
|
assert data["email"] == "user@mydomain.tld"
|
|
|
|
|
|
def test_claim_is_omitted_if_empty(testclient, backend, user):
|
|
# According to https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
|
|
# it's better to not insert a null or empty string value
|
|
user.emails = []
|
|
user.save()
|
|
|
|
data = generate_user_claims(user, STANDARD_CLAIMS, DEFAULT_JWT_MAPPING)
|
|
|
|
assert "email" not in data
|