peeringdb-peeringdb/tests/test_oauth2_validators.py

import pytest
from django.contrib.auth.models import Group
from oauthlib.common import Request

from mainsite.oauth2 import validators
from peeringdb_server import models

from .util import reset_group_ids


@pytest.fixture
def organization():
    reset_group_ids()
    return models.Organization.objects.create(name="test org", status="ok")


@pytest.fixture(autouse=True)
def network(organization):
    return models.Network.objects.create(
        name="test network", org=organization, asn=123, status="ok"
    )


@pytest.fixture
def verified_user(organization):
    user_group = Group.objects.get(name="user")

    user = models.User.objects.create_user(
        "testuser", "testuser@example.net", first_name="Test", last_name="User"
    )

    # This makes the user verified
    user_group.user_set.add(user)

    organization.usergroup.user_set.add(user)
    return user


@pytest.fixture
def oauth_request(verified_user):
    request = Request("/")
    request.user = verified_user
    request.scopes = []
    request.client = None
    request.decoded_body = [("code", "testcode")]
    return request


@pytest.mark.django_db
def test_oidc_validator_produces_profile_claims(oauth_request):
    oauth_request.scopes = ["openid", "profile"]
    validator = validators.OIDCValidator()
    claims = validator.get_oidc_claims(None, None, oauth_request)

    assert claims == {
        "sub": f"{oauth_request.user.id}",
        "id": oauth_request.user.id,
        "family_name": "User",
        "given_name": "Test",
        "name": "Test User",
        "verified_user": True,
        "email": None,
        "email_verified": None,
        "networks": None,
        "amr": [],
    }


@pytest.mark.django_db
def test_oidc_validator_produces_email_claims(oauth_request):
    oauth_request.scopes = ["openid", "email"]
    validator = validators.OIDCValidator()
    claims = validator.get_oidc_claims(None, None, oauth_request)

    assert claims == {
        "sub": f"{oauth_request.user.id}",
        "id": None,
        "family_name": None,
        "given_name": None,
        "verified_user": None,
        "name": None,
        "email": "testuser@example.net",
        "email_verified": False,
        "networks": None,
        "amr": [],
    }


@pytest.mark.django_db
def test_oidc_validator_produces_network_claims(oauth_request, network):
    oauth_request.scopes = ["openid", "networks"]
    validator = validators.OIDCValidator()
    claims = validator.get_oidc_claims(None, None, oauth_request)

    assert claims == {
        "sub": f"{oauth_request.user.id}",
        "id": None,
        "family_name": None,
        "given_name": None,
        "verified_user": None,
        "name": None,
        "email": None,
        "email_verified": None,
        "networks": [
            {
                "id": network.id,
                "asn": 123,
                "name": "test network",
                "perms": 1,
            },
        ],
        "amr": [],
    }
Enable OIDC support (#1070) (#1098) Enable OIDC and RS256 JWT signing from django-oauth-toolkit with a single RSA key. Key rotation is not yet enabled and will be introduced on the first rotation. The JWT signed token contains the previous claims exposed in profile/v1 endpoint but compatible with the OIDC standard claims. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims 2022-01-10 14:34:16 +01:00			`import pytest`
			`from django.contrib.auth.models import Group`
			`from oauthlib.common import Request`

			`from mainsite.oauth2 import validators`
			`from peeringdb_server import models`

			`from .util import reset_group_ids`


			`@pytest.fixture`
			`def organization():`
Expose authentication methods on outbound federation (#1565) * Expose authentication methods on outbound federation * relock * docs * linting * docs * webauthn instead of u2f * use swk * docs * remove cruft * remove unused import * add amr claim for JWT ID token as well fix tests add test key * fix oidc validator tests * fix merge cruft --------- Co-authored-by: 20C <code@20c.com> 2024-03-13 03:59:15 +02:00			`reset_group_ids()`
Enable OIDC support (#1070) (#1098) Enable OIDC and RS256 JWT signing from django-oauth-toolkit with a single RSA key. Key rotation is not yet enabled and will be introduced on the first rotation. The JWT signed token contains the previous claims exposed in profile/v1 endpoint but compatible with the OIDC standard claims. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims 2022-01-10 14:34:16 +01:00			`return models.Organization.objects.create(name="test org", status="ok")`


			`@pytest.fixture(autouse=True)`
			`def network(organization):`
			`return models.Network.objects.create(`
			`name="test network", org=organization, asn=123, status="ok"`
			`)`


			`@pytest.fixture`
			`def verified_user(organization):`
			`user_group = Group.objects.get(name="user")`

			`user = models.User.objects.create_user(`
			`"testuser", "testuser@example.net", first_name="Test", last_name="User"`
			`)`

			`# This makes the user verified`
			`user_group.user_set.add(user)`

			`organization.usergroup.user_set.add(user)`
			`return user`


			`@pytest.fixture`
			`def oauth_request(verified_user):`
			`request = Request("/")`
			`request.user = verified_user`
			`request.scopes = []`
Expose authentication methods on outbound federation (#1565) * Expose authentication methods on outbound federation * relock * docs * linting * docs * webauthn instead of u2f * use swk * docs * remove cruft * remove unused import * add amr claim for JWT ID token as well fix tests add test key * fix oidc validator tests * fix merge cruft --------- Co-authored-by: 20C <code@20c.com> 2024-03-13 03:59:15 +02:00			`request.client = None`
			`request.decoded_body = [("code", "testcode")]`
Enable OIDC support (#1070) (#1098) Enable OIDC and RS256 JWT signing from django-oauth-toolkit with a single RSA key. Key rotation is not yet enabled and will be introduced on the first rotation. The JWT signed token contains the previous claims exposed in profile/v1 endpoint but compatible with the OIDC standard claims. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims 2022-01-10 14:34:16 +01:00			`return request`


			`@pytest.mark.django_db`
			`def test_oidc_validator_produces_profile_claims(oauth_request):`
			`oauth_request.scopes = ["openid", "profile"]`
			`validator = validators.OIDCValidator()`
			`claims = validator.get_oidc_claims(None, None, oauth_request)`

			`assert claims == {`
			`"sub": f"{oauth_request.user.id}",`
			`"id": oauth_request.user.id,`
			`"family_name": "User",`
			`"given_name": "Test",`
			`"name": "Test User",`
			`"verified_user": True,`
			`"email": None,`
			`"email_verified": None,`
			`"networks": None,`
Expose authentication methods on outbound federation (#1565) * Expose authentication methods on outbound federation * relock * docs * linting * docs * webauthn instead of u2f * use swk * docs * remove cruft * remove unused import * add amr claim for JWT ID token as well fix tests add test key * fix oidc validator tests * fix merge cruft --------- Co-authored-by: 20C <code@20c.com> 2024-03-13 03:59:15 +02:00			`"amr": [],`
Enable OIDC support (#1070) (#1098) Enable OIDC and RS256 JWT signing from django-oauth-toolkit with a single RSA key. Key rotation is not yet enabled and will be introduced on the first rotation. The JWT signed token contains the previous claims exposed in profile/v1 endpoint but compatible with the OIDC standard claims. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims 2022-01-10 14:34:16 +01:00			`}`


			`@pytest.mark.django_db`
			`def test_oidc_validator_produces_email_claims(oauth_request):`
			`oauth_request.scopes = ["openid", "email"]`
			`validator = validators.OIDCValidator()`
			`claims = validator.get_oidc_claims(None, None, oauth_request)`

			`assert claims == {`
			`"sub": f"{oauth_request.user.id}",`
			`"id": None,`
			`"family_name": None,`
			`"given_name": None,`
			`"verified_user": None,`
			`"name": None,`
			`"email": "testuser@example.net",`
			`"email_verified": False,`
			`"networks": None,`
Expose authentication methods on outbound federation (#1565) * Expose authentication methods on outbound federation * relock * docs * linting * docs * webauthn instead of u2f * use swk * docs * remove cruft * remove unused import * add amr claim for JWT ID token as well fix tests add test key * fix oidc validator tests * fix merge cruft --------- Co-authored-by: 20C <code@20c.com> 2024-03-13 03:59:15 +02:00			`"amr": [],`
Enable OIDC support (#1070) (#1098) Enable OIDC and RS256 JWT signing from django-oauth-toolkit with a single RSA key. Key rotation is not yet enabled and will be introduced on the first rotation. The JWT signed token contains the previous claims exposed in profile/v1 endpoint but compatible with the OIDC standard claims. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims 2022-01-10 14:34:16 +01:00			`}`


			`@pytest.mark.django_db`
			`def test_oidc_validator_produces_network_claims(oauth_request, network):`
			`oauth_request.scopes = ["openid", "networks"]`
			`validator = validators.OIDCValidator()`
			`claims = validator.get_oidc_claims(None, None, oauth_request)`

			`assert claims == {`
			`"sub": f"{oauth_request.user.id}",`
			`"id": None,`
			`"family_name": None,`
			`"given_name": None,`
			`"verified_user": None,`
			`"name": None,`
			`"email": None,`
			`"email_verified": None,`
			`"networks": [`
			`{`
			`"id": network.id,`
			`"asn": 123,`
			`"name": "test network",`
			`"perms": 1,`
			`},`
			`],`
Expose authentication methods on outbound federation (#1565) * Expose authentication methods on outbound federation * relock * docs * linting * docs * webauthn instead of u2f * use swk * docs * remove cruft * remove unused import * add amr claim for JWT ID token as well fix tests add test key * fix oidc validator tests * fix merge cruft --------- Co-authored-by: 20C <code@20c.com> 2024-03-13 03:59:15 +02:00			`"amr": [],`
Enable OIDC support (#1070) (#1098) Enable OIDC and RS256 JWT signing from django-oauth-toolkit with a single RSA key. Key rotation is not yet enabled and will be introduced on the first rotation. The JWT signed token contains the previous claims exposed in profile/v1 endpoint but compatible with the OIDC standard claims. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims 2022-01-10 14:34:16 +01:00			`}`