From 6736e69ebd3922528e1250c88a79a6bbf6f0f930 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 9 Feb 2017 12:52:33 -0800
Subject: [PATCH] Add end-to-end OIDC binding test
---
 test/test_oauth_login.py | 47 ++++++++++++++++++++++++++++++++--------
 test/testconfig.py | 1 +
 2 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/test/test_oauth_login.py b/test/test_oauth_login.py
index ce5dfcd5f..9d71a74e7 100644
--- a/test/test_oauth_login.py
+++ b/test/test_oauth_login.py
@@ -9,10 +9,23 @@
 from Crypto.PublicKey import RSA
 from httmock import urlmatch, HTTMock
 from jwkest.jwk import RSAKey
-from app import app
+from app import app, authentication
 from data import model
 from endpoints.oauthlogin import oauthlogin as oauthlogin_bp
 from test.test_endpoints import EndpointTestCase
+from test.test_ldap import mock_ldap
+
+class AuthForTesting(object):
+ def __init__(self, auth_engine):
+ self.auth_engine = auth_engine
+ self.existing_state = None
+
+ def __enter__(self):
+ self.existing_state = authentication.state
+ authentication.state = self.auth_engine
+
+ def __exit__(self, type, value, traceback):
+ authentication.state = self.existing_state
 try:
 app.register_blueprint(oauthlogin_bp, url_prefix='/oauth2')
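Review bot: `def __exit__(self, type, value, traceback):` in the new `AuthForTesting` class shadows the builtin `type`; the conventional signature is `def __exit__(self, exc_type, exc_value, traceback):`. The class swaps the process-wide `authentication.state` on entry and restores it on exit, which a one-line docstring should state, e.g. `"""Temporarily install auth_engine as the global authentication engine for a test."""`. Since the swap is global, tests that use this manager presumably cannot run in parallel within one process; that caveat belongs in the same docstring.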
@@ -22,16 +35,18 @@ except ValueError:
 class OAuthLoginTestCase(EndpointTestCase):
 def invoke_oauth_tests(self, callback_endpoint, attach_endpoint, service_name, service_ident,
- new_username):
+ new_username, test_attach=True):
 # Test callback.
 created = self.invoke_oauth_test(callback_endpoint, service_name, service_ident, new_username)
 # Delete the created user.
+ self.assertNotEquals(created.username, 'devtable')
 model.user.delete_user(created, [])
 # Test attach.
- self.login('devtable', 'password')
- self.invoke_oauth_test(attach_endpoint, service_name, service_ident, 'devtable')
+ if test_attach:
+ self.login('devtable', 'password')
+ self.invoke_oauth_test(attach_endpoint, service_name, service_ident, 'devtable')
 def invoke_oauth_test(self, endpoint_name, service_name, service_ident, username):
 # No CSRF.
@@ -111,7 +126,7 @@ class OAuthLoginTestCase(EndpointTestCase):
 self.invoke_oauth_tests('github_oauth_callback', 'github_oauth_attach', 'github', 'someid', 'someusername')
- def test_oidc_auth(self):
+ def _get_oidc_mocks(self):
 private_key = RSA.generate(2048)
 generatedjwk = RSAKey(key=private_key.publickey()).serialize()
 kid = 'somekey'
@@ -123,7 +138,7 @@ class OAuthLoginTestCase(EndpointTestCase):
 'nbf': int(time.time()),
 'iat': int(time.time()),
 'exp': int(time.time() + 600),
- 'sub': 'cooluser',
+ 'sub': 'cool.user',
 }
 token_headers = {
@@ -143,7 +158,7 @@ class OAuthLoginTestCase(EndpointTestCase):
 @urlmatch(netloc=r'fakeoidc', path='/user')
 def user_handler(_, __):
 content = {
- 'sub': 'cooluser',
+ 'sub': 'cool.user',
 'preferred_username': 'someusername',
 'email': 'someemail@example.com',
 'email_verified': True,
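Review bot: `self.assertNotEquals(created.username, 'devtable')` uses the deprecated alias; spell it `self.assertNotEqual(created.username, 'devtable')`. The guard itself is worthwhile, since it stops `model.user.delete_user` from removing the `devtable` fixture if the callback flow ever resolves to it, but when it does fail the newly created user is left in the database for later tests. The new `test_attach` keyword silently skips the attach flow with no explanation; a short comment such as `# test_attach=False exercises only the callback flow (no attach to devtable).` would make the intent visible to the next reader.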
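Review bot: `_get_oidc_mocks` (its body runs past the end of this hunk) calls `RSA.generate(2048)` on every invocation, and both new OIDC tests call it, so a fresh 2048-bit key is generated per test; if nothing in the handlers depends on a per-test key, generating it once (for example in `setUpClass`) would keep the suite faster. A docstring naming the return value would also help callers that unpack the tuple, e.g. `"""Return the HTTMock handlers (discovery, JWKS, token, /user) for the fake OIDC provider."""`.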
@@ -169,9 +184,23 @@ class OAuthLoginTestCase(EndpointTestCase):
 }
 return py_json.dumps(content)
- with HTTMock(discovery_handler, jwks_handler, token_handler, user_handler):
+ return (discovery_handler, jwks_handler, token_handler, user_handler)
+
+ def test_oidc_database_auth(self):
+ oidc_mocks = self._get_oidc_mocks()
+ with HTTMock(*oidc_mocks):
 self.invoke_oauth_tests('testoidc_oauth_callback', 'testoidc_oauth_attach', 'testoidc',
- 'cooluser', 'someusername')
+ 'cool.user', 'someusername')
+
+ def test_oidc_ldap_auth(self):
+ # Test with database auth.
+ oidc_mocks = self._get_oidc_mocks()
+ with mock_ldap() as ldap:
+ with AuthForTesting(ldap):
+ with HTTMock(*oidc_mocks):
+ self.invoke_oauth_tests('testoidc_oauth_callback', 'testoidc_oauth_attach', 'testoidc',
+ 'cool.user', 'cool_user', test_attach=False)
+
 if __name__ == '__main__':
 unittest.main()
diff --git a/test/testconfig.py b/test/testconfig.py
index e9d6c03db..ae7af6f93 100644
--- a/test/testconfig.py
+++ b/test/testconfig.py
@@ -87,6 +87,7 @@ class TestConfig(DefaultConfig):
 'CLIENT_SECRET': 'bar',
 'OIDC_SERVER': 'http://fakeoidc',
 'DEBUGGING': True,
+ 'LOGIN_BINDING_FIELD': 'sub',
 }
 RECAPTCHA_SITE_KEY = 'somekey'
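Review bot: The comment `# Test with database auth.` at the top of `test_oidc_ldap_auth` is a copy-paste error: this test runs inside `mock_ldap()` and `AuthForTesting(ldap)`, so it should read `# Test with LDAP auth: the OIDC identity is bound to the mocked LDAP user.` The expected username `'cool_user'` for a `sub` of `'cool.user'` relies either on the mocked directory holding a `cool_user` entry or on the dot being normalised to an underscore, and `test_attach=False` is passed with no reason given; one comment covering both would save the next reader a trip through the login code. This commit only covers the positive binding path; a companion case where the `sub` claim has no matching LDAP entry would pin down that the binding refuses to log in an identity absent from the backing directory, if that is the intended behaviour.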
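Review bot: `'LOGIN_BINDING_FIELD': 'sub'` is added to the test OIDC provider configuration without a comment saying what it selects. The mocked `/user` handler in `test/test_oauth_login.py` returns `'sub': 'cool.user'` and the new LDAP test expects that identity to resolve to an LDAP user, so presumably this names the claim used to bind the OIDC identity to the external auth engine; a trailing comment such as `# claim bound to the external auth user (exercised by test_oidc_ldap_auth)` would record that for whoever copies this config block next.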