tests: add oidc tests on claim's default values (#31749)
This commit is contained in:
parent
57fc514a94
commit
e2ad31601e
@ -127,6 +127,23 @@ def oidc_client(request, superuser, app, simple_user, media):
return client
@pytest.fixture
def normal_oidc_client(superuser, app, simple_user, media):
url = reverse('admin:authentic2_idp_oidc_oidcclient_add')
assert OIDCClient.objects.count() == 0
response = utils.login(app, superuser, path=url)
response.form.set('name', 'oidcclient')
response.form.set('slug', 'oidcclient')
response.form.set('ou', get_default_ou().pk)
response.form.set('unauthorized_url', 'https://example.com/southpark/')
response.form.set('redirect_uris', 'https://example.com/callbac%C3%A9')
response = response.form.submit(name='_save').follow()
assert OIDCClient.objects.count() == 1
client = OIDCClient.objects.get()
utils.logout(app)
return client
def client_authentication_headers(oidc_client):
token = base64.b64encode('%s:%s' % (oidc_client.client_id, oidc_client.client_secret))
return {'Authorization': 'Basic %s' % token}
@ -285,7 +302,7 @@ def test_authorization_code_sso(login_first, oidc_settings, oidc_client, simple_
simple_user.username = None
simple_user.save()
response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
assert response.json['preferred_username'] is None
assert response.json['preferred_username'] == ''
# Now logout
if oidc_client.post_logout_redirect_uris:
@ -971,3 +988,99 @@ def test_api_synchronization(app, oidc_client):
if status == 200:
assert response.json['result'] == 1
assert set(response.json['unknown_uuids']) == deleted_subs
def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app):
oidc_settings.A2_IDP_OIDC_SCOPES = ['openid', 'profile', 'email', 'phone']
Attribute.objects.create(
name='phone',
label='phone',
kind='phone_number',
asked_on_registration=False,
required=False,
user_visible=False,
user_editable=False)
OIDCClaim.objects.create(client=normal_oidc_client, name='phone', value='django_user_phone', scopes='phone')
normal_oidc_client.authorization_flow = normal_oidc_client.FLOW_AUTHORIZATION_CODE
normal_oidc_client.authorization_mode = normal_oidc_client.AUTHORIZATION_MODE_NONE
normal_oidc_client.save()
utils.login(app, simple_user)
simple_user.username = None
simple_user.save()
oidc_client = normal_oidc_client
redirect_uri = oidc_client.redirect_uris.split()[0]
params = {
'client_id': oidc_client.client_id,
'scope': 'openid email profile phone',
'redirect_uri': redirect_uri,
'state': 'xxx',
'nonce': 'yyy',
'response_type': 'code',
}
def sso():
authorize_url = make_url('oidc-authorize', params=params)
response = app.get(authorize_url)
location = urlparse.urlparse(response['Location'])
query = urlparse.parse_qs(location.query)
code = query['code'][0]
token_url = make_url('oidc-token')
response = app.post(token_url, params={
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': oidc_client.redirect_uris.split()[0],
}, headers=client_authentication_headers(oidc_client))
access_token = response.json['access_token']
id_token = response.json['id_token']
key = JWK(kty='oct', k=base64.b64encode(oidc_client.client_secret.encode('utf-8')))
jwt = JWT(jwt=id_token, key=key)
claims = json.loads(jwt.claims)
user_info_url = make_url('oidc-user-info')
response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
return claims, response.json
claims, user_info = sso()
assert claims['sub'] == make_sub(oidc_client, simple_user)
assert claims['preferred_username'] == ''
assert claims['given_name'] == simple_user.first_name
assert claims['family_name'] == simple_user.last_name
assert claims['email'] == simple_user.email
assert claims['phone'] is None
assert claims['email_verified'] is False
assert user_info['sub'] == make_sub(oidc_client, simple_user)
assert user_info['preferred_username'] == ''
assert user_info['given_name'] == simple_user.first_name
assert user_info['family_name'] == simple_user.last_name
assert user_info['email'] == simple_user.email
assert user_info['phone'] is None
assert user_info['email_verified'] is False
params['scope'] = 'openid email'
claims, user_info = sso()
assert claims['sub'] == make_sub(oidc_client, simple_user)
assert claims['email'] == simple_user.email
assert claims['email_verified'] is False
assert 'phone' not in claims
assert 'preferred_username' not in claims
assert 'given_name' not in claims
assert 'family_name' not in claims
assert user_info['sub'] == make_sub(oidc_client, simple_user)
assert user_info['email'] == simple_user.email
assert user_info['email_verified'] is False
assert 'phone' not in user_info
assert 'preferred_username' not in user_info
assert 'given_name' not in user_info
assert 'family_name' not in user_info
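Review bot: The inner `sso()` of `test_claim_default_value` sends `state` and `nonce` in the authorize request but never asserts either on the way back, so a regression that drops `state` from the redirect or leaves the request's `nonce` out of the ID token would still pass this test. Add `assert query['state'] == ['xxx']` after `code = query['code'][0]` and `assert claims['nonce'] == 'yyy'` after `claims = json.loads(jwt.claims)`; if the existing `test_authorization_code_sso` already pins this (its body is outside the hunk), a one-line comment pointing there is enough. Separately, `normal_oidc_client` in the first hunk appears to repeat the admin-form setup of the `oidc_client` fixture apart from the `request` parameter; a docstring such as `"""Same admin-created client as oidc_client but unparametrized, for tests that set flow and mode themselves."""` would tell the reader why both fixtures exist.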