mirror of
https://gitlab.crans.org/bde/nk20
synced 2025-11-08 07:49:49 +01:00
109 lines
3.6 KiB
Python
109 lines
3.6 KiB
Python
# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
import base64
|
|
|
|
from django.contrib.auth.models import User
|
|
from django.test import TestCase
|
|
from member.models import Membership, Club
|
|
from note.models import NoteUser
|
|
from oauth2_provider.models import Application, AccessToken
|
|
|
|
from ..models import Role, Permission
|
|
|
|
|
|
class OAuth2TestCase(TestCase):
|
|
fixtures = ('initial', )
|
|
|
|
def setUp(self):
|
|
self.user = User.objects.create(
|
|
username="toto",
|
|
password="toto1234",
|
|
)
|
|
|
|
NoteUser.objects.create(user=self.user)
|
|
membership = Membership.objects.create(user=self.user, club_id=1)
|
|
membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
|
|
membership.save()
|
|
|
|
bde = Club.objects.get(name="BDE")
|
|
view_user_perm = Permission.objects.get(pk=1) # View own user detail
|
|
|
|
self.base_scope = f'{view_user_perm.pk}_{bde.pk}'
|
|
|
|
def test_oauth2_authorization_code_flow(self):
|
|
"""
|
|
Ensure OAuth2 Authorization Code Flow work
|
|
"""
|
|
pass
|
|
|
|
def test_oauth2_implicit_flow(self):
|
|
"""
|
|
Ensure OAuth2 Implicit Flow work
|
|
"""
|
|
pass
|
|
|
|
def test_oauth2_resource_owner_password_credentials_flow(self):
|
|
"""
|
|
Ensure OAuth2 Resource Owner Password Credentials Flow work
|
|
"""
|
|
pass
|
|
|
|
def test_oauth2_client_credentials(self):
|
|
"""
|
|
Ensure OAuth2 Client Credentials work
|
|
"""
|
|
app = Application.objects.create(
|
|
name="Test credentials",
|
|
client_type=Application.CLIENT_CONFIDENTIAL,
|
|
authorization_grant_type=Application.GRANT_CLIENT_CREDENTIALS,
|
|
user=self.user,
|
|
hash_client_secret=False,
|
|
algorithm=Application.NO_ALGORITHM,
|
|
)
|
|
|
|
# No token without credential
|
|
resp = self.client.post('/o/token/',
|
|
data={"grant_type": "client_credentials"},
|
|
**{"Content-Type": 'application/x-www-form-urlencoded'}
|
|
)
|
|
|
|
self.assertEqual(resp.status_code, 401)
|
|
|
|
# Access with credential
|
|
credential = base64.b64encode(f'{app.client_id}:{app.client_secret}'.encode('utf-8')).decode()
|
|
|
|
resp = self.client.post('/o/token/',
|
|
data={"grant_type": "client_credentials"},
|
|
**{'HTTP_Authorization': f'Basic {credential}',
|
|
"Content-Type": 'application/x-www-form-urlencoded'}
|
|
)
|
|
|
|
self.assertEqual(resp.status_code, 200)
|
|
|
|
token = AccessToken.objects.get(token=resp.json()['access_token'])
|
|
|
|
# Token do nothing, it should be have the useless scope
|
|
self.assertEqual(token.scope, '0_0')
|
|
|
|
# RFC6749 4.4.2 allows use of scope in client credential flow
|
|
resp = self.client.post('/o/token/',
|
|
data={"grant_type": "client_credentials",
|
|
"scope": self.base_scope},
|
|
**{'http_Authorization': f'Basic {credential}',
|
|
"Content-Type": 'application/x-www-form-urlencoded'}
|
|
)
|
|
|
|
self.assertEqual(resp.status_code, 200)
|
|
|
|
token = AccessToken.objects.get(token=resp.json()['access_token'])
|
|
|
|
# Token can have access, it shouldn't have the useless scope
|
|
self.assertEqual(token.scope, self.base_scope)
|
|
|
|
def test_oidc_flow(self):
|
|
"""
|
|
Ensure OIDC Flow work
|
|
"""
|
|
pass
|