Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
921 Commits
16 Branches
112 Tags
19 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
python-keycloak/tests/test_keycloak_openid.py

1075 lines
40 KiB
Raw Permalink Normal View History

test: added auth_url and token tests, more structure to fixtures
2 years ago
fix: linter check
9 months ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
fix: Feature parity for `a_decode_token` and `decode_token` (#616) * Consistency for token decoding * Mark as staticmethod * Helper function to convert key * Refactor key handling * Add tests for validate=False * Change test name * Fix failing test * Remove special case for str * Some docstring * docs: missing docstrings --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
14 hours ago
test: added more openid tests
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
test: test of init and well_known of oid
2 years ago
test: added load authorization config test
2 years ago
style: applied isort
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: added load authorization config test
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
fix: Add optional Nonce parameter to the authorization URL requests (#606) * feat: add optional nonce parameter to the authorization URL requests * fix: shorten docstring to be below max line length --------- Co-authored-by: Greg Griffin <greg@lapetussolutions.com>
3 weeks ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
1 year ago
test: fix the tests for latest keycloak
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
1 year ago
test: fix the tests for latest keycloak
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
1 year ago
test: fix the tests for latest keycloak
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
feat: realm changing helpers
1 year ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
test: Tests with Keycloak 24 (#535)
7 months ago
test: added more openid tests
2 years ago
feat: Adding additional methods to support roles-by-id api calls Most of the methods rely on the role name within python keycloak, which for the vast majority is fine, however there are some role names which cannot be used by the API endpoint as they contain characters that cannot be encoded properly. Therefore this change is to allow the use of the role's id to get, update and delete roles by their id instead.'
9 months ago
test: added more openid tests
2 years ago
test: Tests with Keycloak 24 (#535)
7 months ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added more openid tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added load authorization config test
2 years ago
fix: Feature parity for `a_decode_token` and `decode_token` (#616) * Consistency for token decoding * Mark as staticmethod * Helper function to convert key * Refactor key handling * Add tests for validate=False * Change test name * Fix failing test * Remove special case for str * Some docstring * docs: missing docstrings --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
14 hours ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
7 months ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: finished off openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
test: updated tests not to use deprecated attributes
7 months ago
test: finished off openid tests
2 years ago
test: added missing tests
7 months ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
fix: Add optional Nonce parameter to the authorization URL requests (#606) * feat: add optional nonce parameter to the authorization URL requests * fix: shorten docstring to be below max line length --------- Co-authored-by: Greg Griffin <greg@lapetussolutions.com>
3 weeks ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
fix: Feature parity for `a_decode_token` and `decode_token` (#616) * Consistency for token decoding * Mark as staticmethod * Helper function to convert key * Refactor key handling * Add tests for validate=False * Change test name * Fix failing test * Remove special case for str * Some docstring * docs: missing docstrings --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
14 hours ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
fix: Feature parity for `a_decode_token` and `decode_token` (#616) * Consistency for token decoding * Mark as staticmethod * Helper function to convert key * Refactor key handling * Add tests for validate=False * Change test name * Fix failing test * Remove special case for str * Some docstring * docs: missing docstrings --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
14 hours ago
feat: Async feature (#566) * chore: add async client to connection * chore: add async client to keycloak openid * chore: add async client to keycloak uma * chore: add async client and methods to keycloak admin * chore: add async tests for connection and uma class * chore: add async tests for keycloak openid class * chore: add async tests for keycloak admin class * chore: update poetry lock * chore: update poetry lock * fix: poetry files * fix: lint issues * fix: conftest fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: lint test fix * fix: added setuptools * fix: delete request fix and test cases fix * fix: email test case * fix: email test case for older versions * fix: set correct content type on token endpoint * fix: async on missing calls * test: updated tests * chore: deps * fix: preserve original bearer * fix: dont set bearer in refresh token directly * fix: default content type * fix: content type for initial access token * fix: content type for async initial access token * chore: add divergence test * chore: add divergence test for uma and conneciton class * chore: add docs for async module * fix: sphinx error fixes * test: verify signature * test: final divergence tests --------- Co-authored-by: Richard Nemeth <ryshoooo@gmail.com>
5 months ago
  1. """Test module for KeycloakOpenID."""
  3. from inspect import iscoroutinefunction, signature
  4. from typing import Tuple
  5. from unittest import mock
  7. import jwcrypto.jwk
  8. import jwcrypto.jws
  9. import pytest
  11. from keycloak import KeycloakAdmin, KeycloakOpenID
  12. from keycloak.authorization import Authorization
  13. from keycloak.authorization.permission import Permission
  14. from keycloak.authorization.policy import Policy
  15. from keycloak.authorization.role import Role
  16. from keycloak.connection import ConnectionManager
  17. from keycloak.exceptions import (
  18. KeycloakAuthenticationError,
  19. KeycloakAuthorizationConfigError,
  20. KeycloakDeprecationError,
  21. KeycloakInvalidTokenError,
  22. KeycloakPostError,
  23. KeycloakRPTNotFound,
  24. )
  27. def test_keycloak_openid_init(env):
  28. """Test KeycloakOpenId's init method.
  30. :param env: Environment fixture
  31. :type env: KeycloakTestEnv
  32. """
  33. oid = KeycloakOpenID(
  34. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  35. realm_name="master",
  36. client_id="admin-cli",
  37. )
  39. assert oid.client_id == "admin-cli"
  40. assert oid.client_secret_key is None
  41. assert oid.realm_name == "master"
  42. assert isinstance(oid.connection, ConnectionManager)
  43. assert isinstance(oid.authorization, Authorization)
  46. def test_well_known(oid: KeycloakOpenID):
  47. """Test the well_known method.
  49. :param oid: Keycloak OpenID client
  50. :type oid: KeycloakOpenID
  51. """
  52. res = oid.well_known()
  53. assert res is not None
  54. assert res != dict()
  55. for key in [
  56. "acr_values_supported",
  57. "authorization_encryption_alg_values_supported",
  58. "authorization_encryption_enc_values_supported",
  59. "authorization_endpoint",
  60. "authorization_signing_alg_values_supported",
  61. "backchannel_authentication_endpoint",
  62. "backchannel_authentication_request_signing_alg_values_supported",
  63. "backchannel_logout_session_supported",
  64. "backchannel_logout_supported",
  65. "backchannel_token_delivery_modes_supported",
  66. "check_session_iframe",
  67. "claim_types_supported",
  68. "claims_parameter_supported",
  69. "claims_supported",
  70. "code_challenge_methods_supported",
  71. "device_authorization_endpoint",
  72. "end_session_endpoint",
  73. "frontchannel_logout_session_supported",
  74. "frontchannel_logout_supported",
  75. "grant_types_supported",
  76. "id_token_encryption_alg_values_supported",
  77. "id_token_encryption_enc_values_supported",
  78. "id_token_signing_alg_values_supported",
  79. "introspection_endpoint",
  80. "introspection_endpoint_auth_methods_supported",
  81. "introspection_endpoint_auth_signing_alg_values_supported",
  82. "issuer",
  83. "jwks_uri",
  84. "mtls_endpoint_aliases",
  85. "pushed_authorization_request_endpoint",
  86. "registration_endpoint",
  87. "request_object_encryption_alg_values_supported",
  88. "request_object_encryption_enc_values_supported",
  89. "request_object_signing_alg_values_supported",
  90. "request_parameter_supported",
  91. "request_uri_parameter_supported",
  92. "require_pushed_authorization_requests",
  93. "require_request_uri_registration",
  94. "response_modes_supported",
  95. "response_types_supported",
  96. "revocation_endpoint",
  97. "revocation_endpoint_auth_methods_supported",
  98. "revocation_endpoint_auth_signing_alg_values_supported",
  99. "scopes_supported",
  100. "subject_types_supported",
  101. "tls_client_certificate_bound_access_tokens",
  102. "token_endpoint",
  103. "token_endpoint_auth_methods_supported",
  104. "token_endpoint_auth_signing_alg_values_supported",
  105. "userinfo_encryption_alg_values_supported",
  106. "userinfo_encryption_enc_values_supported",
  107. "userinfo_endpoint",
  108. "userinfo_signing_alg_values_supported",
  109. ]:
  110. assert key in res
  113. def test_auth_url(env, oid: KeycloakOpenID):
  114. """Test the auth_url method.
  116. :param env: Environment fixture
  117. :type env: KeycloakTestEnv
  118. :param oid: Keycloak OpenID client
  119. :type oid: KeycloakOpenID
  120. """
  121. res = oid.auth_url(redirect_uri="http://test.test/*")
  122. assert (
  123. res
  124. == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}/realms/{oid.realm_name}"
  125. + f"/protocol/openid-connect/auth?client_id={oid.client_id}&response_type=code"
  126. + "&redirect_uri=http://test.test/*&scope=email&state=&nonce="
  127. )
  130. def test_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  131. """Test the token method.
  133. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  134. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  135. """
  136. oid, username, password = oid_with_credentials
  137. token = oid.token(username=username, password=password)
  138. assert token == {
  139. "access_token": mock.ANY,
  140. "expires_in": mock.ANY,
  141. "id_token": mock.ANY,
  142. "not-before-policy": 0,
  143. "refresh_expires_in": mock.ANY,
  144. "refresh_token": mock.ANY,
  145. "scope": mock.ANY,
  146. "session_state": mock.ANY,
  147. "token_type": "Bearer",
  148. }
  150. # Test with dummy totp
  151. token = oid.token(username=username, password=password, totp="123456")
  152. assert token == {
  153. "access_token": mock.ANY,
  154. "expires_in": mock.ANY,
  155. "id_token": mock.ANY,
  156. "not-before-policy": 0,
  157. "refresh_expires_in": mock.ANY,
  158. "refresh_token": mock.ANY,
  159. "scope": mock.ANY,
  160. "session_state": mock.ANY,
  161. "token_type": "Bearer",
  162. }
  164. # Test with extra param
  165. token = oid.token(username=username, password=password, extra_param="foo")
  166. assert token == {
  167. "access_token": mock.ANY,
  168. "expires_in": mock.ANY,
  169. "id_token": mock.ANY,
  170. "not-before-policy": 0,
  171. "refresh_expires_in": mock.ANY,
  172. "refresh_token": mock.ANY,
  173. "scope": mock.ANY,
  174. "session_state": mock.ANY,
  175. "token_type": "Bearer",
  176. }
  179. def test_exchange_token(
  180. oid_with_credentials: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  181. ):
  182. """Test the exchange token method.
  184. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  185. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  186. :param admin: Keycloak Admin client
  187. :type admin: KeycloakAdmin
  188. """
  189. # Verify existing user
  190. oid, username, password = oid_with_credentials
  192. # Allow impersonation
  193. admin.change_current_realm(oid.realm_name)
  194. admin.assign_client_role(
  195. user_id=admin.get_user_id(username=username),
  196. client_id=admin.get_client_id(client_id="realm-management"),
  197. roles=[
  198. admin.get_client_role(
  199. client_id=admin.get_client_id(client_id="realm-management"),
  200. role_name="impersonation",
  201. )
  202. ],
  203. )
  205. token = oid.token(username=username, password=password)
  206. assert oid.userinfo(token=token["access_token"]) == {
  207. "email": f"{username}@test.test",
  208. "email_verified": True,
  209. "family_name": "last",
  210. "given_name": "first",
  211. "name": "first last",
  212. "preferred_username": username,
  213. "sub": mock.ANY,
  214. }
  216. # Exchange token with the new user
  217. new_token = oid.exchange_token(
  218. token=token["access_token"], audience=oid.client_id, subject=username
  219. )
  220. assert oid.userinfo(token=new_token["access_token"]) == {
  221. "email": f"{username}@test.test",
  222. "email_verified": True,
  223. "family_name": "last",
  224. "given_name": "first",
  225. "name": "first last",
  226. "preferred_username": username,
  227. "sub": mock.ANY,
  228. }
  229. assert token != new_token
  232. def test_logout(oid_with_credentials):
  233. """Test logout.
  235. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  236. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  237. """
  238. oid, username, password = oid_with_credentials
  240. token = oid.token(username=username, password=password)
  241. assert oid.userinfo(token=token["access_token"]) != dict()
  242. assert oid.logout(refresh_token=token["refresh_token"]) == dict()
  244. with pytest.raises(KeycloakAuthenticationError):
  245. oid.userinfo(token=token["access_token"])
  248. def test_certs(oid: KeycloakOpenID):
  249. """Test certificates.
  251. :param oid: Keycloak OpenID client
  252. :type oid: KeycloakOpenID
  253. """
  254. assert len(oid.certs()["keys"]) == 2
  257. def test_public_key(oid: KeycloakOpenID):
  258. """Test public key.
  260. :param oid: Keycloak OpenID client
  261. :type oid: KeycloakOpenID
  262. """
  263. assert oid.public_key() is not None
  266. def test_entitlement(
  267. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  268. ):
  269. """Test entitlement.
  271. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  272. server with client credentials
  273. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  274. :param admin: Keycloak Admin client
  275. :type admin: KeycloakAdmin
  276. """
  277. oid, username, password = oid_with_credentials_authz
  278. token = oid.token(username=username, password=password)
  279. resource_server_id = admin.get_client_authz_resources(
  280. client_id=admin.get_client_id(oid.client_id)
  281. )[0]["_id"]
  283. with pytest.raises(KeycloakDeprecationError):
  284. oid.entitlement(token=token["access_token"], resource_server_id=resource_server_id)
  287. def test_introspect(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  288. """Test introspect.
  290. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  291. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  292. """
  293. oid, username, password = oid_with_credentials
  294. token = oid.token(username=username, password=password)
  296. assert oid.introspect(token=token["access_token"])["active"]
  297. assert oid.introspect(
  298. token=token["access_token"], rpt="some", token_type_hint="requesting_party_token"
  299. ) == {"active": False}
  301. with pytest.raises(KeycloakRPTNotFound):
  302. oid.introspect(token=token["access_token"], token_type_hint="requesting_party_token")
  305. def test_decode_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  306. """Test decode token.
  308. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  309. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  310. """
  311. oid, username, password = oid_with_credentials
  312. token = oid.token(username=username, password=password)
  313. decoded_access_token = oid.decode_token(token=token["access_token"])
  314. decoded_access_token_2 = oid.decode_token(token=token["access_token"], validate=False)
  315. decoded_refresh_token = oid.decode_token(token=token["refresh_token"], validate=False)
  317. assert decoded_access_token == decoded_access_token_2
  318. assert decoded_access_token["preferred_username"] == username, decoded_access_token
  319. assert decoded_refresh_token["typ"] == "Refresh", decoded_refresh_token
  322. def test_decode_token_invalid_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  323. """Test decode token with an invalid token.
  325. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  326. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  327. """
  328. oid, username, password = oid_with_credentials
  329. token = oid.token(username=username, password=password)
  330. access_token = token["access_token"]
  331. decoded_access_token = oid.decode_token(token=access_token)
  333. key = oid.public_key()
  334. key = "-----BEGIN PUBLIC KEY-----\n" + key + "\n-----END PUBLIC KEY-----"
  335. key = jwcrypto.jwk.JWK.from_pem(key.encode("utf-8"))
  337. invalid_access_token = access_token + "a"
  338. with pytest.raises(jwcrypto.jws.InvalidJWSSignature):
  339. decoded_invalid_access_token = oid.decode_token(token=invalid_access_token, validate=True)
  341. with pytest.raises(jwcrypto.jws.InvalidJWSSignature):
  342. decoded_invalid_access_token = oid.decode_token(
  343. token=invalid_access_token, validate=True, key=key
  344. )
  346. decoded_invalid_access_token = oid.decode_token(token=invalid_access_token, validate=False)
  347. assert decoded_access_token == decoded_invalid_access_token
  349. decoded_invalid_access_token = oid.decode_token(
  350. token=invalid_access_token, validate=False, key=key
  351. )
  352. assert decoded_access_token == decoded_invalid_access_token
  355. def test_load_authorization_config(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  356. """Test load authorization config.
  358. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  359. server with client credentials
  360. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  361. """
  362. oid, username, password = oid_with_credentials_authz
  364. oid.load_authorization_config(path="tests/data/authz_settings.json")
  365. assert "test-authz-rb-policy" in oid.authorization.policies
  366. assert isinstance(oid.authorization.policies["test-authz-rb-policy"], Policy)
  367. assert len(oid.authorization.policies["test-authz-rb-policy"].roles) == 1
  368. assert isinstance(oid.authorization.policies["test-authz-rb-policy"].roles[0], Role)
  369. assert len(oid.authorization.policies["test-authz-rb-policy"].permissions) == 2
  370. assert isinstance(
  371. oid.authorization.policies["test-authz-rb-policy"].permissions[0], Permission
  372. )
  375. def test_get_policies(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  376. """Test get policies.
  378. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  379. server with client credentials
  380. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  381. """
  382. oid, username, password = oid_with_credentials_authz
  383. token = oid.token(username=username, password=password)
  385. with pytest.raises(KeycloakAuthorizationConfigError):
  386. oid.get_policies(token=token["access_token"])
  388. oid.load_authorization_config(path="tests/data/authz_settings.json")
  389. assert oid.get_policies(token=token["access_token"]) is None
  391. orig_client_id = oid.client_id
  392. oid.client_id = "account"
  393. assert oid.get_policies(token=token["access_token"], method_token_info="decode") == []
  394. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  395. policy.add_role(role="account/view-profile")
  396. oid.authorization.policies["test"] = policy
  397. assert [
  398. str(x) for x in oid.get_policies(token=token["access_token"], method_token_info="decode")
  399. ] == ["Policy: test (role)"]
  400. assert [
  401. repr(x) for x in oid.get_policies(token=token["access_token"], method_token_info="decode")
  402. ] == ["<Policy: test (role)>"]
  403. oid.client_id = orig_client_id
  405. oid.logout(refresh_token=token["refresh_token"])
  406. with pytest.raises(KeycloakInvalidTokenError):
  407. oid.get_policies(token=token["access_token"])
  410. def test_get_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  411. """Test get policies.
  413. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  414. server with client credentials
  415. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  416. """
  417. oid, username, password = oid_with_credentials_authz
  418. token = oid.token(username=username, password=password)
  420. with pytest.raises(KeycloakAuthorizationConfigError):
  421. oid.get_permissions(token=token["access_token"])
  423. oid.load_authorization_config(path="tests/data/authz_settings.json")
  424. assert oid.get_permissions(token=token["access_token"]) is None
  426. orig_client_id = oid.client_id
  427. oid.client_id = "account"
  428. assert oid.get_permissions(token=token["access_token"], method_token_info="decode") == []
  429. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  430. policy.add_role(role="account/view-profile")
  431. policy.add_permission(
  432. permission=Permission(
  433. name="test-perm", type="resource", logic="POSITIVE", decision_strategy="UNANIMOUS"
  434. )
  435. )
  436. oid.authorization.policies["test"] = policy
  437. assert [
  438. str(x)
  439. for x in oid.get_permissions(token=token["access_token"], method_token_info="decode")
  440. ] == ["Permission: test-perm (resource)"]
  441. assert [
  442. repr(x)
  443. for x in oid.get_permissions(token=token["access_token"], method_token_info="decode")
  444. ] == ["<Permission: test-perm (resource)>"]
  445. oid.client_id = orig_client_id
  447. oid.logout(refresh_token=token["refresh_token"])
  448. with pytest.raises(KeycloakInvalidTokenError):
  449. oid.get_permissions(token=token["access_token"])
  452. def test_uma_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  453. """Test UMA permissions.
  455. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  456. server with client credentials
  457. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  458. """
  459. oid, username, password = oid_with_credentials_authz
  460. token = oid.token(username=username, password=password)
  462. assert len(oid.uma_permissions(token=token["access_token"])) == 1
  463. assert oid.uma_permissions(token=token["access_token"])[0]["rsname"] == "Default Resource"
  466. def test_has_uma_access(
  467. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  468. ):
  469. """Test has UMA access.
  471. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  472. server with client credentials
  473. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  474. :param admin: Keycloak Admin client
  475. :type admin: KeycloakAdmin
  476. """
  477. oid, username, password = oid_with_credentials_authz
  478. token = oid.token(username=username, password=password)
  480. assert (
  481. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  482. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  483. )
  484. assert (
  485. str(oid.has_uma_access(token=token["access_token"], permissions="Default Resource"))
  486. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  487. )
  489. with pytest.raises(KeycloakPostError):
  490. oid.has_uma_access(token=token["access_token"], permissions="Does not exist")
  492. oid.logout(refresh_token=token["refresh_token"])
  493. assert (
  494. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  495. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions=set())"
  496. )
  497. assert (
  498. str(
  499. oid.has_uma_access(
  500. token=admin.connection.token["access_token"], permissions="Default Resource"
  501. )
  502. )
  503. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions="
  504. + "{'Default Resource'})"
  505. )
  508. def test_device(oid_with_credentials_device: Tuple[KeycloakOpenID, str, str]):
  509. """Test device authorization flow.
  511. :param oid_with_credentials_device: Keycloak OpenID client with pre-configured user
  512. credentials and device authorization flow enabled
  513. :type oid_with_credentials_device: Tuple[KeycloakOpenID, str, str]
  514. """
  515. oid, _, _ = oid_with_credentials_device
  516. res = oid.device()
  517. assert res == {
  518. "device_code": mock.ANY,
  519. "user_code": mock.ANY,
  520. "verification_uri": f"http://localhost:8081/realms/{oid.realm_name}/device",
  521. "verification_uri_complete": f"http://localhost:8081/realms/{oid.realm_name}/"
  522. + f"device?user_code={res['user_code']}",
  523. "expires_in": 600,
  524. "interval": 5,
  525. }
  528. # async function start
  531. @pytest.mark.asyncio
  532. async def test_a_well_known(oid: KeycloakOpenID):
  533. """Test the well_known method.
  535. :param oid: Keycloak OpenID client
  536. :type oid: KeycloakOpenID
  537. """
  538. res = await oid.a_well_known()
  539. assert res is not None
  540. assert res != dict()
  541. for key in [
  542. "acr_values_supported",
  543. "authorization_encryption_alg_values_supported",
  544. "authorization_encryption_enc_values_supported",
  545. "authorization_endpoint",
  546. "authorization_signing_alg_values_supported",
  547. "backchannel_authentication_endpoint",
  548. "backchannel_authentication_request_signing_alg_values_supported",
  549. "backchannel_logout_session_supported",
  550. "backchannel_logout_supported",
  551. "backchannel_token_delivery_modes_supported",
  552. "check_session_iframe",
  553. "claim_types_supported",
  554. "claims_parameter_supported",
  555. "claims_supported",
  556. "code_challenge_methods_supported",
  557. "device_authorization_endpoint",
  558. "end_session_endpoint",
  559. "frontchannel_logout_session_supported",
  560. "frontchannel_logout_supported",
  561. "grant_types_supported",
  562. "id_token_encryption_alg_values_supported",
  563. "id_token_encryption_enc_values_supported",
  564. "id_token_signing_alg_values_supported",
  565. "introspection_endpoint",
  566. "introspection_endpoint_auth_methods_supported",
  567. "introspection_endpoint_auth_signing_alg_values_supported",
  568. "issuer",
  569. "jwks_uri",
  570. "mtls_endpoint_aliases",
  571. "pushed_authorization_request_endpoint",
  572. "registration_endpoint",
  573. "request_object_encryption_alg_values_supported",
  574. "request_object_encryption_enc_values_supported",
  575. "request_object_signing_alg_values_supported",
  576. "request_parameter_supported",
  577. "request_uri_parameter_supported",
  578. "require_pushed_authorization_requests",
  579. "require_request_uri_registration",
  580. "response_modes_supported",
  581. "response_types_supported",
  582. "revocation_endpoint",
  583. "revocation_endpoint_auth_methods_supported",
  584. "revocation_endpoint_auth_signing_alg_values_supported",
  585. "scopes_supported",
  586. "subject_types_supported",
  587. "tls_client_certificate_bound_access_tokens",
  588. "token_endpoint",
  589. "token_endpoint_auth_methods_supported",
  590. "token_endpoint_auth_signing_alg_values_supported",
  591. "userinfo_encryption_alg_values_supported",
  592. "userinfo_encryption_enc_values_supported",
  593. "userinfo_endpoint",
  594. "userinfo_signing_alg_values_supported",
  595. ]:
  596. assert key in res
  599. @pytest.mark.asyncio
  600. async def test_a_auth_url(env, oid: KeycloakOpenID):
  601. """Test the auth_url method.
  603. :param env: Environment fixture
  604. :type env: KeycloakTestEnv
  605. :param oid: Keycloak OpenID client
  606. :type oid: KeycloakOpenID
  607. """
  608. res = await oid.a_auth_url(redirect_uri="http://test.test/*")
  609. assert (
  610. res
  611. == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}/realms/{oid.realm_name}"
  612. + f"/protocol/openid-connect/auth?client_id={oid.client_id}&response_type=code"
  613. + "&redirect_uri=http://test.test/*&scope=email&state=&nonce="
  614. )
  617. @pytest.mark.asyncio
  618. async def test_a_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  619. """Test the token method.
  621. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  622. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  623. """
  624. oid, username, password = oid_with_credentials
  625. token = await oid.a_token(username=username, password=password)
  626. assert token == {
  627. "access_token": mock.ANY,
  628. "expires_in": mock.ANY,
  629. "id_token": mock.ANY,
  630. "not-before-policy": 0,
  631. "refresh_expires_in": mock.ANY,
  632. "refresh_token": mock.ANY,
  633. "scope": mock.ANY,
  634. "session_state": mock.ANY,
  635. "token_type": "Bearer",
  636. }
  638. # Test with dummy totp
  639. token = await oid.a_token(username=username, password=password, totp="123456")
  640. assert token == {
  641. "access_token": mock.ANY,
  642. "expires_in": mock.ANY,
  643. "id_token": mock.ANY,
  644. "not-before-policy": 0,
  645. "refresh_expires_in": mock.ANY,
  646. "refresh_token": mock.ANY,
  647. "scope": mock.ANY,
  648. "session_state": mock.ANY,
  649. "token_type": "Bearer",
  650. }
  652. # Test with extra param
  653. token = await oid.a_token(username=username, password=password, extra_param="foo")
  654. assert token == {
  655. "access_token": mock.ANY,
  656. "expires_in": mock.ANY,
  657. "id_token": mock.ANY,
  658. "not-before-policy": 0,
  659. "refresh_expires_in": mock.ANY,
  660. "refresh_token": mock.ANY,
  661. "scope": mock.ANY,
  662. "session_state": mock.ANY,
  663. "token_type": "Bearer",
  664. }
  667. @pytest.mark.asyncio
  668. async def test_a_exchange_token(
  669. oid_with_credentials: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  670. ):
  671. """Test the exchange token method.
  673. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  674. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  675. :param admin: Keycloak Admin client
  676. :type admin: KeycloakAdmin
  677. """
  678. # Verify existing user
  679. oid, username, password = oid_with_credentials
  681. # Allow impersonation
  682. await admin.a_change_current_realm(oid.realm_name)
  683. await admin.a_assign_client_role(
  684. user_id=await admin.a_get_user_id(username=username),
  685. client_id=await admin.a_get_client_id(client_id="realm-management"),
  686. roles=[
  687. await admin.a_get_client_role(
  688. client_id=admin.get_client_id(client_id="realm-management"),
  689. role_name="impersonation",
  690. )
  691. ],
  692. )
  694. token = await oid.a_token(username=username, password=password)
  695. assert await oid.a_userinfo(token=token["access_token"]) == {
  696. "email": f"{username}@test.test",
  697. "email_verified": True,
  698. "family_name": "last",
  699. "given_name": "first",
  700. "name": "first last",
  701. "preferred_username": username,
  702. "sub": mock.ANY,
  703. }
  705. # Exchange token with the new user
  706. new_token = oid.exchange_token(
  707. token=token["access_token"], audience=oid.client_id, subject=username
  708. )
  709. assert await oid.a_userinfo(token=new_token["access_token"]) == {
  710. "email": f"{username}@test.test",
  711. "email_verified": True,
  712. "family_name": "last",
  713. "given_name": "first",
  714. "name": "first last",
  715. "preferred_username": username,
  716. "sub": mock.ANY,
  717. }
  718. assert token != new_token
  721. @pytest.mark.asyncio
  722. async def test_a_logout(oid_with_credentials):
  723. """Test logout.
  725. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  726. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  727. """
  728. oid, username, password = oid_with_credentials
  730. token = await oid.a_token(username=username, password=password)
  731. assert await oid.a_userinfo(token=token["access_token"]) != dict()
  732. assert await oid.a_logout(refresh_token=token["refresh_token"]) == dict()
  734. with pytest.raises(KeycloakAuthenticationError):
  735. await oid.a_userinfo(token=token["access_token"])
  738. @pytest.mark.asyncio
  739. async def test_a_certs(oid: KeycloakOpenID):
  740. """Test certificates.
  742. :param oid: Keycloak OpenID client
  743. :type oid: KeycloakOpenID
  744. """
  745. assert len((await oid.a_certs())["keys"]) == 2
  748. @pytest.mark.asyncio
  749. async def test_a_public_key(oid: KeycloakOpenID):
  750. """Test public key.
  752. :param oid: Keycloak OpenID client
  753. :type oid: KeycloakOpenID
  754. """
  755. assert await oid.a_public_key() is not None
  758. @pytest.mark.asyncio
  759. async def test_a_entitlement(
  760. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  761. ):
  762. """Test entitlement.
  764. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  765. server with client credentials
  766. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  767. :param admin: Keycloak Admin client
  768. :type admin: KeycloakAdmin
  769. """
  770. oid, username, password = oid_with_credentials_authz
  771. token = await oid.a_token(username=username, password=password)
  772. resource_server_id = admin.get_client_authz_resources(
  773. client_id=admin.get_client_id(oid.client_id)
  774. )[0]["_id"]
  776. with pytest.raises(KeycloakDeprecationError):
  777. await oid.a_entitlement(token=token["access_token"], resource_server_id=resource_server_id)
  780. @pytest.mark.asyncio
  781. async def test_a_introspect(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  782. """Test introspect.
  784. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  785. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  786. """
  787. oid, username, password = oid_with_credentials
  788. token = await oid.a_token(username=username, password=password)
  790. assert (await oid.a_introspect(token=token["access_token"]))["active"]
  791. assert await oid.a_introspect(
  792. token=token["access_token"], rpt="some", token_type_hint="requesting_party_token"
  793. ) == {"active": False}
  795. with pytest.raises(KeycloakRPTNotFound):
  796. await oid.a_introspect(
  797. token=token["access_token"], token_type_hint="requesting_party_token"
  798. )
  801. @pytest.mark.asyncio
  802. async def test_a_decode_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  803. """Test decode token asynchronously.
  805. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  806. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  807. """
  808. oid, username, password = oid_with_credentials
  809. token = await oid.a_token(username=username, password=password)
  810. decoded_access_token = await oid.a_decode_token(token=token["access_token"])
  811. decoded_access_token_2 = await oid.a_decode_token(token=token["access_token"], validate=False)
  812. decoded_refresh_token = await oid.a_decode_token(token=token["refresh_token"], validate=False)
  814. assert decoded_access_token == decoded_access_token_2
  815. assert decoded_access_token["preferred_username"] == username, decoded_access_token
  816. assert decoded_refresh_token["typ"] == "Refresh", decoded_refresh_token
  819. @pytest.mark.asyncio
  820. async def test_a_decode_token_invalid_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  821. """Test decode token asynchronously an invalid token.
  823. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  824. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  825. """
  826. oid, username, password = oid_with_credentials
  827. token = await oid.a_token(username=username, password=password)
  828. access_token = token["access_token"]
  829. decoded_access_token = await oid.a_decode_token(token=access_token)
  831. key = await oid.a_public_key()
  832. key = "-----BEGIN PUBLIC KEY-----\n" + key + "\n-----END PUBLIC KEY-----"
  833. key = jwcrypto.jwk.JWK.from_pem(key.encode("utf-8"))
  835. invalid_access_token = access_token + "a"
  836. with pytest.raises(jwcrypto.jws.InvalidJWSSignature):
  837. decoded_invalid_access_token = await oid.a_decode_token(
  838. token=invalid_access_token, validate=True
  839. )
  841. with pytest.raises(jwcrypto.jws.InvalidJWSSignature):
  842. decoded_invalid_access_token = await oid.a_decode_token(
  843. token=invalid_access_token, validate=True, key=key
  844. )
  846. decoded_invalid_access_token = await oid.a_decode_token(
  847. token=invalid_access_token, validate=False
  848. )
  849. assert decoded_access_token == decoded_invalid_access_token
  851. decoded_invalid_access_token = await oid.a_decode_token(
  852. token=invalid_access_token, validate=False, key=key
  853. )
  854. assert decoded_access_token == decoded_invalid_access_token
  857. @pytest.mark.asyncio
  858. async def test_a_load_authorization_config(
  859. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  860. ):
  861. """Test load authorization config.
  863. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  864. server with client credentials
  865. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  866. """
  867. oid, username, password = oid_with_credentials_authz
  869. await oid.a_load_authorization_config(path="tests/data/authz_settings.json")
  870. assert "test-authz-rb-policy" in oid.authorization.policies
  871. assert isinstance(oid.authorization.policies["test-authz-rb-policy"], Policy)
  872. assert len(oid.authorization.policies["test-authz-rb-policy"].roles) == 1
  873. assert isinstance(oid.authorization.policies["test-authz-rb-policy"].roles[0], Role)
  874. assert len(oid.authorization.policies["test-authz-rb-policy"].permissions) == 2
  875. assert isinstance(
  876. oid.authorization.policies["test-authz-rb-policy"].permissions[0], Permission
  877. )
  880. @pytest.mark.asyncio
  881. async def test_a_has_uma_access(
  882. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  883. ):
  884. """Test has UMA access.
  886. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  887. server with client credentials
  888. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  889. :param admin: Keycloak Admin client
  890. :type admin: KeycloakAdmin
  891. """
  892. oid, username, password = oid_with_credentials_authz
  893. token = await oid.a_token(username=username, password=password)
  895. assert (
  896. str(await oid.a_has_uma_access(token=token["access_token"], permissions=""))
  897. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  898. )
  899. assert (
  900. str(
  901. await oid.a_has_uma_access(token=token["access_token"], permissions="Default Resource")
  902. )
  903. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  904. )
  906. with pytest.raises(KeycloakPostError):
  907. await oid.a_has_uma_access(token=token["access_token"], permissions="Does not exist")
  909. await oid.a_logout(refresh_token=token["refresh_token"])
  910. assert (
  911. str(await oid.a_has_uma_access(token=token["access_token"], permissions=""))
  912. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions=set())"
  913. )
  914. assert (
  915. str(
  916. await oid.a_has_uma_access(
  917. token=admin.connection.token["access_token"], permissions="Default Resource"
  918. )
  919. )
  920. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions="
  921. + "{'Default Resource'})"
  922. )
  925. @pytest.mark.asyncio
  926. async def test_a_get_policies(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  927. """Test get policies.
  929. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  930. server with client credentials
  931. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  932. """
  933. oid, username, password = oid_with_credentials_authz
  934. token = await oid.a_token(username=username, password=password)
  936. with pytest.raises(KeycloakAuthorizationConfigError):
  937. await oid.a_get_policies(token=token["access_token"])
  939. await oid.a_load_authorization_config(path="tests/data/authz_settings.json")
  940. assert await oid.a_get_policies(token=token["access_token"]) is None
  942. orig_client_id = oid.client_id
  943. oid.client_id = "account"
  944. assert await oid.a_get_policies(token=token["access_token"], method_token_info="decode") == []
  945. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  946. policy.add_role(role="account/view-profile")
  947. oid.authorization.policies["test"] = policy
  948. assert [
  949. str(x)
  950. for x in await oid.a_get_policies(token=token["access_token"], method_token_info="decode")
  951. ] == ["Policy: test (role)"]
  952. assert [
  953. repr(x)
  954. for x in await oid.a_get_policies(token=token["access_token"], method_token_info="decode")
  955. ] == ["<Policy: test (role)>"]
  956. oid.client_id = orig_client_id
  958. await oid.a_logout(refresh_token=token["refresh_token"])
  959. with pytest.raises(KeycloakInvalidTokenError):
  960. await oid.a_get_policies(token=token["access_token"])
  963. @pytest.mark.asyncio
  964. async def test_a_get_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  965. """Test get policies.
  967. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  968. server with client credentials
  969. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  970. """
  971. oid, username, password = oid_with_credentials_authz
  972. token = await oid.a_token(username=username, password=password)
  974. with pytest.raises(KeycloakAuthorizationConfigError):
  975. await oid.a_get_permissions(token=token["access_token"])
  977. await oid.a_load_authorization_config(path="tests/data/authz_settings.json")
  978. assert await oid.a_get_permissions(token=token["access_token"]) is None
  980. orig_client_id = oid.client_id
  981. oid.client_id = "account"
  982. assert (
  983. await oid.a_get_permissions(token=token["access_token"], method_token_info="decode") == []
  984. )
  985. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  986. policy.add_role(role="account/view-profile")
  987. policy.add_permission(
  988. permission=Permission(
  989. name="test-perm", type="resource", logic="POSITIVE", decision_strategy="UNANIMOUS"
  990. )
  991. )
  992. oid.authorization.policies["test"] = policy
  993. assert [
  994. str(x)
  995. for x in await oid.a_get_permissions(
  996. token=token["access_token"], method_token_info="decode"
  997. )
  998. ] == ["Permission: test-perm (resource)"]
  999. assert [
  1000. repr(x)
  1001. for x in await oid.a_get_permissions(
  1002. token=token["access_token"], method_token_info="decode"
  1003. )
  1004. ] == ["<Permission: test-perm (resource)>"]
  1005. oid.client_id = orig_client_id
  1007. await oid.a_logout(refresh_token=token["refresh_token"])
  1008. with pytest.raises(KeycloakInvalidTokenError):
  1009. await oid.a_get_permissions(token=token["access_token"])
  1012. @pytest.mark.asyncio
  1013. async def test_a_uma_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  1014. """Test UMA permissions.
  1016. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  1017. server with client credentials
  1018. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  1019. """
  1020. oid, username, password = oid_with_credentials_authz
  1021. token = await oid.a_token(username=username, password=password)
  1023. assert len(await oid.a_uma_permissions(token=token["access_token"])) == 1
  1024. assert (await oid.a_uma_permissions(token=token["access_token"]))[0][
  1025. "rsname"
  1026. ] == "Default Resource"
  1029. @pytest.mark.asyncio
  1030. async def test_a_device(oid_with_credentials_device: Tuple[KeycloakOpenID, str, str]):
  1031. """Test device authorization flow.
  1033. :param oid_with_credentials_device: Keycloak OpenID client with pre-configured user
  1034. credentials and device authorization flow enabled
  1035. :type oid_with_credentials_device: Tuple[KeycloakOpenID, str, str]
  1036. """
  1037. oid, _, _ = oid_with_credentials_device
  1038. res = await oid.a_device()
  1039. assert res == {
  1040. "device_code": mock.ANY,
  1041. "user_code": mock.ANY,
  1042. "verification_uri": f"http://localhost:8081/realms/{oid.realm_name}/device",
  1043. "verification_uri_complete": f"http://localhost:8081/realms/{oid.realm_name}/"
  1044. + f"device?user_code={res['user_code']}",
  1045. "expires_in": 600,
  1046. "interval": 5,
  1047. }
  1050. def test_counter_part():
  1051. """Test that each function has its async counter part."""
  1052. openid_methods = [
  1053. func for func in dir(KeycloakOpenID) if callable(getattr(KeycloakOpenID, func))
  1054. ]
  1055. sync_methods = [
  1056. method
  1057. for method in openid_methods
  1058. if not method.startswith("a_") and not method.startswith("_")
  1059. ]
  1060. async_methods = [
  1061. method for method in openid_methods if iscoroutinefunction(getattr(KeycloakOpenID, method))
  1062. ]
  1064. for method in sync_methods:
  1065. async_method = f"a_{method}"
  1066. assert (async_method in openid_methods) is True
  1067. sync_sign = signature(getattr(KeycloakOpenID, method))
  1068. async_sign = signature(getattr(KeycloakOpenID, async_method))
  1069. assert sync_sign.parameters == async_sign.parameters
  1071. for async_method in async_methods:
  1072. if async_method[2:].startswith("_"):
  1073. continue
  1075. assert async_method[2:] in sync_methods