Enable OIDC support (#1070) (#1098)

Enable OIDC and RS256 JWT signing from django-oauth-toolkit with a single RSA key. Key rotation is not yet enabled and will be introduced on the first rotation. The JWT signed token contains the previous claims exposed in profile/v1 endpoint but compatible with the OIDC standard claims. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
2024-05-11 05:55:09 +00:00 · 2022-01-10 14:34:16 +01:00
parent 47c6a69926
commit 1c314cdf1f
10 changed files with 365 additions and 55 deletions
--- a/tests/test_oauth2_validators.py
+++ b/tests/test_oauth2_validators.py
@@ -0,0 +1,108 @@
+import pytest
+from django.contrib.auth.models import Group
+from oauthlib.common import Request
+
+from mainsite.oauth2 import validators
+from peeringdb_server import models
+
+from .util import reset_group_ids
+
+
+@pytest.fixture
+def organization():
+    return models.Organization.objects.create(name="test org", status="ok")
+
+
+@pytest.fixture(autouse=True)
+def network(organization):
+    return models.Network.objects.create(
+        name="test network", org=organization, asn=123, status="ok"
+    )
+
+
+@pytest.fixture
+def verified_user(organization):
+    reset_group_ids()
+    user_group = Group.objects.get(name="user")
+
+    user = models.User.objects.create_user(
+        "testuser", "testuser@example.net", first_name="Test", last_name="User"
+    )
+
+    # This makes the user verified
+    user_group.user_set.add(user)
+
+    organization.usergroup.user_set.add(user)
+    return user
+
+
+@pytest.fixture
+def oauth_request(verified_user):
+    request = Request("/")
+    request.user = verified_user
+    request.scopes = []
+    return request
+
+
+@pytest.mark.django_db
+def test_oidc_validator_produces_profile_claims(oauth_request):
+    oauth_request.scopes = ["openid", "profile"]
+    validator = validators.OIDCValidator()
+    claims = validator.get_oidc_claims(None, None, oauth_request)
+
+    assert claims == {
+        "sub": f"{oauth_request.user.id}",
+        "id": oauth_request.user.id,
+        "family_name": "User",
+        "given_name": "Test",
+        "name": "Test User",
+        "verified_user": True,
+        "email": None,
+        "email_verified": None,
+        "networks": None,
+    }
+
+
+@pytest.mark.django_db
+def test_oidc_validator_produces_email_claims(oauth_request):
+    oauth_request.scopes = ["openid", "email"]
+    validator = validators.OIDCValidator()
+    claims = validator.get_oidc_claims(None, None, oauth_request)
+
+    assert claims == {
+        "sub": f"{oauth_request.user.id}",
+        "id": None,
+        "family_name": None,
+        "given_name": None,
+        "verified_user": None,
+        "name": None,
+        "email": "testuser@example.net",
+        "email_verified": False,
+        "networks": None,
+    }
+
+
+@pytest.mark.django_db
+def test_oidc_validator_produces_network_claims(oauth_request, network):
+    oauth_request.scopes = ["openid", "networks"]
+    validator = validators.OIDCValidator()
+    claims = validator.get_oidc_claims(None, None, oauth_request)
+
+    assert claims == {
+        "sub": f"{oauth_request.user.id}",
+        "id": None,
+        "family_name": None,
+        "given_name": None,
+        "verified_user": None,
+        "name": None,
+        "email": None,
+        "email_verified": None,
+        "networks": [
+            {
+                "id": network.id,
+                "asn": 123,
+                "name": "test network",
+                "perms": 1,
+            },
+        ],
+    }