diff --git a/swh/auth/tests/conftest.py b/swh/auth/tests/conftest.py --- a/swh/auth/tests/conftest.py +++ b/swh/auth/tests/conftest.py @@ -1,39 +1,157 @@ -# Copyright (C) 2021 The Software Heritage developers +# Copyright (C) 2020-2021 The Software Heritage developers # See the AUTHORS file at the top-level directory of this distribution # License: GNU Affero General Public License version 3, or any later version # See top-level LICENSE file for more information +from copy import copy +from datetime import datetime, timezone +from typing import Optional +from unittest.mock import Mock + +from keycloak.exceptions import KeycloakError import pytest from swh.auth import KeycloakOpenIDConnect -from .sample_data import OIDC_PROFILE, REALM, SERVER_URL, USER_INFO, WELL_KNOWN - +from .sample_data import ( + OIDC_PROFILE, + RAW_REALM_PUBLIC_KEY, + REALM, + SERVER_URL, + USER_INFO, +) -@pytest.fixture -def keycloak_open_id_connect(): - return KeycloakOpenIDConnect( - server_url=SERVER_URL, realm_name=REALM, client_id="client-id", - ) +class KeycloackOpenIDConnectMock(KeycloakOpenIDConnect): + """Mock KeycloakOpenIDConnect class to allow testing -@pytest.fixture -def mock_keycloak(requests_mock): - """Keycloak with most endpoints available. + Args: + auth_success: boolean flag to simulate authentication success or failure + exp: expiration + user_groups: user groups configuration (if any) + user_permissions: user permissions configuration (if any) """ - requests_mock.get(WELL_KNOWN["well-known"], json=WELL_KNOWN) - requests_mock.post(WELL_KNOWN["token_endpoint"], json=OIDC_PROFILE) - requests_mock.get(WELL_KNOWN["userinfo_endpoint"], json=USER_INFO) - requests_mock.post(WELL_KNOWN["end_session_endpoint"], status_code=204) - return requests_mock + def __init__( + self, + server_url: str, + realm_name: str, + client_id: str, + auth_success: bool = True, + exp: Optional[int] = None, + user_groups=[], + user_permissions=[], + ): + super().__init__( + server_url=server_url, realm_name=realm_name, client_id=client_id + ) + self.exp = exp + self.user_groups = user_groups + self.user_permissions = user_permissions + self._keycloak.public_key = lambda: RAW_REALM_PUBLIC_KEY + self._keycloak.well_know = lambda: { + "issuer": f"{self.server_url}realms/{self.realm_name}", + "authorization_endpoint": ( + f"{self.server_url}realms/" + f"{self.realm_name}/protocol/" + "openid-connect/auth" + ), + "token_endpoint": ( + f"{self.server_url}realms/{self.realm_name}/" + "protocol/openid-connect/token" + ), + "token_introspection_endpoint": ( + f"{self.server_url}realms/" + f"{self.realm_name}/protocol/" + "openid-connect/token/" + "introspect" + ), + "userinfo_endpoint": ( + f"{self.server_url}realms/{self.realm_name}/" + "protocol/openid-connect/userinfo" + ), + "end_session_endpoint": ( + f"{self.server_url}realms/" + f"{self.realm_name}/protocol/" + "openid-connect/logout" + ), + "jwks_uri": ( + f"{self.server_url}realms/{self.realm_name}/" + "protocol/openid-connect/certs" + ), + } + self.set_auth_success(auth_success) + + def decode_token(self, token): + options = {} + if self.auth_success: + # skip signature expiration check as we use a static oidc_profile + # for the tests with expired tokens in it + options["verify_exp"] = False + decoded = super().decode_token(token, options) + # tweak auth and exp time for tests + expire_in = decoded["exp"] - decoded["auth_time"] + if self.exp is not None: + decoded["exp"] = self.exp + decoded["auth_time"] = self.exp - expire_in + else: + decoded["auth_time"] = int(datetime.now(tz=timezone.utc).timestamp()) + decoded["exp"] = decoded["auth_time"] + expire_in + decoded["groups"] = self.user_groups + if self.user_permissions: + decoded["resource_access"][self.client_id] = { + "roles": self.user_permissions + } + return decoded + def set_auth_success(self, auth_success: bool) -> None: + # following type ignore because mypy is not too happy about affecting mock to + # method "Cannot assign to a method affecting mock". Ignore for now. + self.authorization_code = Mock() # type: ignore + self.refresh_token = Mock() # type: ignore + self.userinfo = Mock() # type: ignore + self.logout = Mock() # type: ignore + self.auth_success = auth_success + if auth_success: + self.authorization_code.return_value = copy(OIDC_PROFILE) + self.refresh_token.return_value = copy(OIDC_PROFILE) + self.userinfo.return_value = copy(USER_INFO) + else: + self.authorization_url = Mock() # type: ignore + exception = KeycloakError( + error_message="Authentication failed", response_code=401 + ) + self.authorization_code.side_effect = exception + self.authorization_url.side_effect = exception + self.refresh_token.side_effect = exception + self.userinfo.side_effect = exception + self.logout.side_effect = exception -@pytest.fixture -def mock_keycloak_refused_auth(requests_mock): - """Keycloak with token endpoint refusing authentication. + +def keycloak_mock_factory( + server_url=SERVER_URL, + realm_name=REALM, + client_id="swh-client-id", + auth_success=True, + exp=None, + user_groups=[], + user_permissions=[], +): + """Keycloak mock fixture factory """ - requests_mock.post(WELL_KNOWN["token_endpoint"], status_code=401) - return requests_mock + + @pytest.fixture + def keycloak_open_id_connect(): + return KeycloackOpenIDConnectMock( + server_url=server_url, + realm_name=realm_name, + client_id=client_id, + auth_success=auth_success, + exp=exp, + user_groups=user_groups, + user_permissions=user_permissions, + ) + + return keycloak_open_id_connect diff --git a/swh/auth/tests/sample_data.py b/swh/auth/tests/sample_data.py --- a/swh/auth/tests/sample_data.py +++ b/swh/auth/tests/sample_data.py @@ -5,198 +5,40 @@ SERVER_URL = "http://keycloak:8080/keycloak/auth/" REALM = "SoftwareHeritage" +CLIENT_ID = "swh-web" -WELL_KNOWN = { - "issuer": f"{SERVER_URL}realms/SoftwareHeritage", - "well-known": f"{SERVER_URL}realms/{REALM}/.well-known/openid-configuration", - "authorization_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/auth", # noqa - "token_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/token", - "introspection_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/token/introspect", # noqa - "userinfo_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/userinfo", - "end_session_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/logout", # noqa - "jwks_uri": "{SERVER_URL}realms/{REALM}/protocol/openid-connect/certs", - "check_session_iframe": "{SERVER_URL}realms/{REALM}/protocol/openid-connect/login-status-iframe.html", # noqa - "grant_types_supported": [ - "authorization_code", - "implicit", - "refresh_token", - "password", - "client_credentials", - ], - "response_types_supported": [ - "code", - "none", - "id_token", - "token", - "id_token token", - "code id_token", - "code token", - "code id_token token", - ], - "subject_types_supported": ["public", "pairwise"], - "id_token_signing_alg_values_supported": [ - "PS384", - "ES384", - "RS384", - "HS256", - "HS512", - "ES256", - "RS256", - "HS384", - "ES512", - "PS256", - "PS512", - "RS512", - ], - "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"], - "id_token_encryption_enc_values_supported": [ - "A256GCM", - "A192GCM", - "A128GCM", - "A128CBC-HS256", - "A192CBC-HS384", - "A256CBC-HS512", - ], - "userinfo_signing_alg_values_supported": [ - "PS384", - "ES384", - "RS384", - "HS256", - "HS512", - "ES256", - "RS256", - "HS384", - "ES512", - "PS256", - "PS512", - "RS512", - "none", - ], - "request_object_signing_alg_values_supported": [ - "PS384", - "ES384", - "RS384", - "HS256", - "HS512", - "ES256", - "RS256", - "HS384", - "ES512", - "PS256", - "PS512", - "RS512", - "none", - ], - "response_modes_supported": ["query", "fragment", "form_post"], - "registration_endpoint": "{SERVER_URL}realms/{REALM}/clients-registrations/openid-connect", # noqa - "token_endpoint_auth_methods_supported": [ - "private_key_jwt", - "client_secret_basic", - "client_secret_post", - "tls_client_auth", - "client_secret_jwt", - ], - "token_endpoint_auth_signing_alg_values_supported": [ - "PS384", - "ES384", - "RS384", - "HS256", - "HS512", - "ES256", - "RS256", - "HS384", - "ES512", - "PS256", - "PS512", - "RS512", - ], - "claims_supported": [ - "aud", - "sub", - "iss", - "auth_time", - "name", - "given_name", - "family_name", - "preferred_username", - "email", - "acr", - ], - "claim_types_supported": ["normal"], - "claims_parameter_supported": True, - "scopes_supported": [ - "openid", - "microprofile-jwt", - "web-origins", - "roles", - "phone", - "address", - "email", - "profile", - "offline_access", - ], - "request_parameter_supported": True, - "request_uri_parameter_supported": True, - "require_request_uri_registration": True, - "code_challenge_methods_supported": ["plain", "S256"], - "tls_client_certificate_bound_access_tokens": True, - "revocation_endpoint": "{SERVER_URL}realms/{REALM}/protocol/openid-connect/revoke", - "revocation_endpoint_auth_methods_supported": [ - "private_key_jwt", - "client_secret_basic", - "client_secret_post", - "tls_client_auth", - "client_secret_jwt", - ], - "revocation_endpoint_auth_signing_alg_values_supported": [ - "PS384", - "ES384", - "RS384", - "HS256", - "HS512", - "ES256", - "RS256", - "HS384", - "ES512", - "PS256", - "PS512", - "RS512", - ], - "backchannel_logout_supported": True, - "backchannel_logout_session_supported": True, +# Decoded token (out of the access token) +DECODED_TOKEN = { + "jti": "31fc50b7-bbe5-4f51-91ef-8e3eec51331e", + "exp": 1614787019, + "nbf": 0, + "iat": 1582723101, + "iss": "http://localhost:8080/auth/realms/SoftwareHeritage", + "aud": [CLIENT_ID, "account"], + "sub": "feacd344-b468-4a65-a236-14f61e6b7200", + "typ": "Bearer", + "azp": CLIENT_ID, + "auth_time": 1614786418, + "session_state": "d82b90d1-0a94-4e74-ad66-dd95341c7b6d", + "acr": "1", + "allowed-origins": ["*"], + "realm_access": {"roles": ["offline_access", "uma_authorization"]}, + "resource_access": { + "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]} + }, + "scope": "openid email profile", + "email_verified": False, + "name": "John Doe", + "groups": [], + "preferred_username": "johndoe", + "given_name": "John", + "family_name": "Doe", + "email": "john.doe@example.com", } - # Authentication response is an oidc profile dict OIDC_PROFILE = { "access_token": ( - # decoded token: - # {'acr': '1', - # 'allowed-origins': ['*'], - # 'aud': ['swh-web', 'account'], - # 'auth_time': 1592395601, - # 'azp': 'swh-web', - # 'email': 'john.doe@example.com', - # 'email_verified': False, - # 'exp': 1592396202, - # 'family_name': 'Doe', - # 'given_name': 'John', - # 'groups': ['/staff'], - # 'iat': 1582723101, - # 'iss': 'http://localhost:8080/auth/realms/SoftwareHeritage', - # 'jti': '31fc50b7-bbe5-4f51-91ef-8e3eec51331e', - # 'name': 'John Doe', - # 'nbf': 0, - # 'preferred_username': 'johndoe', - # 'realm_access': {'roles': ['offline_access', 'uma_authorization']}, - # 'resource_access': {'account': {'roles': ['manage-account', - # 'manage-account-links', - # 'view-profile']}}, - # 'scope': 'openid email profile', - # 'session_state': 'd82b90d1-0a94-4e74-ad66-dd95341c7b6d', - # 'sub': 'feacd344-b468-4a65-a236-14f61e6b7200', - # 'typ': 'Bearer' - # } "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPSnhV" "Q0p0TmJQT0NOUGFNNmc3ZU1zY2pqTXhoem9vNGxZaFhsa1c2TWhBIn0." "eyJqdGkiOiIzMWZjNTBiNy1iYmU1LTRmNTEtOTFlZi04ZTNlZWM1MTMz" @@ -271,7 +113,6 @@ "token_type": "bearer", } - USER_INFO = { "email": "john.doe@example.com", "email_verified": False, @@ -282,3 +123,20 @@ "preferred_username": "johndoe", "sub": "feacd344-b468-4a65-a236-14f61e6b7200", } + +RAW_REALM_PUBLIC_KEY = ( + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnqF4xvGjaI54P6WtJvyGayxP8A93u" + "NcA3TH6jitwmyAalj8dN8/NzK9vrdlSA3Ibvp/XQujPSOP7a35YiYFscEJnogTXQpE/FhZrUY" + "y21U6ezruVUv4z/ER1cYLb+q5ZI86nXSTNCAbH+lw7rQjlvcJ9KvgHEeA5ALXJ1r55zUmNvuy" + "5o6ke1G3fXbNSXwF4qlWAzo1o7Ms8qNrNyOG8FPx24dvm9xMH7/08IPvh9KUqlnP8h6olpxHr" + "drX/q4E+Nzj8Tr8p7Z5CimInls40QuOTIhs6C2SwFHUgQgXl9hB9umiZJlwYEpDv0/LO2zYie" + "Hl5Lv7Iig4FOIXIVCaDGQIDAQAB" +) + +REALM_PUBLIC_KEY = { + "realm": REALM, + "public_key": RAW_REALM_PUBLIC_KEY, + "token-service": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect", + "account-service": f"{SERVER_URL}realms/{REALM}/account", + "tokens-not-before": 0, +} diff --git a/swh/auth/tests/test_auth.py b/swh/auth/tests/test_auth.py --- a/swh/auth/tests/test_auth.py +++ b/swh/auth/tests/test_auth.py @@ -3,81 +3,84 @@ # License: GNU Affero General Public License version 3, or any later version # See top-level LICENSE file for more information +from copy import copy from urllib.parse import parse_qs, urlparse -from keycloak.exceptions import KeycloakAuthenticationError, KeycloakConnectionError +from keycloak.exceptions import KeycloakError import pytest -from .sample_data import OIDC_PROFILE, USER_INFO, WELL_KNOWN +from swh.auth.tests.conftest import keycloak_mock_factory +from swh.auth.tests.sample_data import CLIENT_ID, DECODED_TOKEN, OIDC_PROFILE, USER_INFO +# dataset we have here is bound to swh-web +keycloak_mock = keycloak_mock_factory(client_id=CLIENT_ID) -def test_auth_connection_failure(keycloak_open_id_connect): - with pytest.raises(KeycloakConnectionError): - keycloak_open_id_connect.well_known() - -def test_auth_well_known(mock_keycloak, keycloak_open_id_connect): - well_known_result = keycloak_open_id_connect.well_known() - assert well_known_result is not None - assert well_known_result == WELL_KNOWN - - assert mock_keycloak.called +def test_auth_well_known(keycloak_mock): + well_known_result = keycloak_mock.well_known() + assert set(well_known_result.keys()) == { + "issuer", + "authorization_endpoint", + "token_endpoint", + "userinfo_endpoint", + "end_session_endpoint", + "jwks_uri", + "token_introspection_endpoint", + } -def test_auth_authorization_url(mock_keycloak, keycloak_open_id_connect): - actual_auth_uri = keycloak_open_id_connect.authorization_url( - "http://redirect-uri", foo="bar" - ) +def test_auth_authorization_url(keycloak_mock): + actual_auth_uri = keycloak_mock.authorization_url("http://redirect-uri", foo="bar") - expected_auth_url = WELL_KNOWN["authorization_endpoint"] + expected_auth_url = keycloak_mock.well_known()["authorization_endpoint"] parsed_result = urlparse(actual_auth_uri) assert expected_auth_url.endswith(parsed_result.path) parsed_query = parse_qs(parsed_result.query) assert parsed_query == { - "client_id": ["client-id"], + "client_id": [CLIENT_ID], "response_type": ["code"], "redirect_uri": ["http://redirect-uri"], "foo": ["bar"], } - assert mock_keycloak.called - -def test_auth_authorization_code_fail( - mock_keycloak_refused_auth, keycloak_open_id_connect -): - with pytest.raises(KeycloakAuthenticationError): - keycloak_open_id_connect.authorization_code("auth-code", "redirect-uri") +def test_auth_authorization_code_fail(keycloak_mock): + "Authorization failure raise error" + # Simulate failed authentication with Keycloak + keycloak_mock.set_auth_success(False) - assert mock_keycloak_refused_auth.called + with pytest.raises(KeycloakError): + keycloak_mock.authorization_code("auth-code", "redirect-uri") -def test_auth_authorization_code(mock_keycloak, keycloak_open_id_connect): - actual_response = keycloak_open_id_connect.authorization_code( - "auth-code", "redirect-uri" - ) - +def test_auth_authorization_code(keycloak_mock): + actual_response = keycloak_mock.authorization_code("auth-code", "redirect-uri") assert actual_response == OIDC_PROFILE - assert mock_keycloak.called +def test_auth_refresh_token(keycloak_mock): + actual_result = keycloak_mock.refresh_token("refresh-token") + assert actual_result == OIDC_PROFILE -def test_auth_refresh_token(mock_keycloak, keycloak_open_id_connect): - actual_result = keycloak_open_id_connect.refresh_token("refresh-token") - assert actual_result is not None - assert mock_keycloak.called +def test_auth_userinfo(keycloak_mock): + actual_user_info = keycloak_mock.userinfo("refresh-token") + assert actual_user_info == USER_INFO -def test_auth_userinfo(mock_keycloak, keycloak_open_id_connect): - actual_user_info = keycloak_open_id_connect.userinfo("refresh-token") - assert actual_user_info == USER_INFO +def test_auth_logout(keycloak_mock): + """Login out does not raise""" + keycloak_mock.logout("refresh-token") - assert mock_keycloak.called +def test_auth_decode_token(keycloak_mock): + actual_decoded_data = keycloak_mock.decode_token(OIDC_PROFILE["access_token"]) -def test_auth_logout(mock_keycloak, keycloak_open_id_connect): - keycloak_open_id_connect.logout("refresh-token") + actual_decoded_data2 = copy(actual_decoded_data) + expected_decoded_token = copy(DECODED_TOKEN) + for dynamic_valued_key in ["exp", "auth_time"]: + actual_decoded_data2.pop(dynamic_valued_key) + expected_decoded_token.pop(dynamic_valued_key) - assert mock_keycloak.called + assert actual_decoded_data2 == expected_decoded_token