Change OIDC engine to not be federated

We don't need linking, just the ability to perform lookup

data/users/test/test_oidc.py

@@ -1,19 +1,40 @@
+import pytest
+
 from httmock import HTTMock
 
+from data import model
 from data.users.oidc import OIDCInternalAuth
 from oauth.test.test_oidc import (id_token, oidc_service, signing_key, jwks_handler,
                                   discovery_handler, app_config, http_client,
                                   discovery_content)
+from test.fixtures import *
 
-def test_oidc_login(app_config, id_token, jwks_handler, discovery_handler):
+@pytest.mark.parametrize('username, expect_success', [
+  ('devtable', True),
+  ('disabled', False)
+])
+def test_oidc_login(username, expect_success, app_config, id_token, jwks_handler,
+                    discovery_handler, app):
   internal_auth = OIDCInternalAuth(app_config, 'someoidc', False)
   with HTTMock(jwks_handler, discovery_handler):
-    # Try a valid token.
-    (user, err) = internal_auth.verify_credentials('someusername', id_token)
-    assert err is None
-    assert user.username == 'cooluser'
-
     # Try an invalid token.
     (user, err) = internal_auth.verify_credentials('someusername', 'invalidtoken')
     assert err is not None
     assert user is None
+
+    # Try a valid token for an unlinked user.
+    (user, err) = internal_auth.verify_credentials('someusername', id_token)
+    assert err is not None
+    assert user is None
+
+    # Link the user to the service.
+    model.user.attach_federated_login(model.user.get_user(username), 'someoidc', 'cooluser')
+
+    # Try a valid token for a linked user.
+    (user, err) = internal_auth.verify_credentials('someusername', id_token)
+    if expect_success:
+      assert err is None
+      assert user.username == username
+    else:
+      assert err is not None
+      assert user is None