Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
877 Commits
14 Branches
95 Tags
15 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
python-keycloak/tests/test_keycloak_openid.py

489 lines
18 KiB
Raw Permalink Normal View History

test: added auth_url and token tests, more structure to fixtures
2 years ago
fix: linter check
3 months ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
1 year ago
test: test of init and well_known of oid
2 years ago
test: added load authorization config test
2 years ago
style: applied isort
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: added load authorization config test
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: improved the tests on urls, back to 100%
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
11 months ago
test: fix the tests for latest keycloak
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
11 months ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
11 months ago
test: fix the tests for latest keycloak
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
11 months ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
11 months ago
test: fix the tests for latest keycloak
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the token test
11 months ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
feat: realm changing helpers
6 months ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
test: Tests with Keycloak 24 (#535)
1 month ago
test: added more openid tests
2 years ago
feat: Adding additional methods to support roles-by-id api calls Most of the methods rely on the role name within python keycloak, which for the vast majority is fine, however there are some role names which cannot be used by the API endpoint as they contain characters that cannot be encoded properly. Therefore this change is to allow the use of the role's id to get, update and delete roles by their id instead.'
3 months ago
test: added more openid tests
2 years ago
test: Tests with Keycloak 24 (#535)
1 month ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added more openid tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added load authorization config test
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added authz tests
2 years ago
refactor: refactored decode_token complete refactor of the decode_token method in oid BREAKING CHANGE: changes signatures significantly
3 weeks ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: finished off openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
test: updated tests not to use deprecated attributes
3 weeks ago
test: finished off openid tests
2 years ago
test: added missing tests
3 weeks ago
  1. """Test module for KeycloakOpenID."""
  3. from typing import Tuple
  4. from unittest import mock
  6. import pytest
  8. from keycloak import KeycloakAdmin, KeycloakOpenID
  9. from keycloak.authorization import Authorization
  10. from keycloak.authorization.permission import Permission
  11. from keycloak.authorization.policy import Policy
  12. from keycloak.authorization.role import Role
  13. from keycloak.connection import ConnectionManager
  14. from keycloak.exceptions import (
  15. KeycloakAuthenticationError,
  16. KeycloakAuthorizationConfigError,
  17. KeycloakDeprecationError,
  18. KeycloakInvalidTokenError,
  19. KeycloakPostError,
  20. KeycloakRPTNotFound,
  21. )
  24. def test_keycloak_openid_init(env):
  25. """Test KeycloakOpenId's init method.
  27. :param env: Environment fixture
  28. :type env: KeycloakTestEnv
  29. """
  30. oid = KeycloakOpenID(
  31. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  32. realm_name="master",
  33. client_id="admin-cli",
  34. )
  36. assert oid.client_id == "admin-cli"
  37. assert oid.client_secret_key is None
  38. assert oid.realm_name == "master"
  39. assert isinstance(oid.connection, ConnectionManager)
  40. assert isinstance(oid.authorization, Authorization)
  43. def test_well_known(oid: KeycloakOpenID):
  44. """Test the well_known method.
  46. :param oid: Keycloak OpenID client
  47. :type oid: KeycloakOpenID
  48. """
  49. res = oid.well_known()
  50. assert res is not None
  51. assert res != dict()
  52. for key in [
  53. "acr_values_supported",
  54. "authorization_encryption_alg_values_supported",
  55. "authorization_encryption_enc_values_supported",
  56. "authorization_endpoint",
  57. "authorization_signing_alg_values_supported",
  58. "backchannel_authentication_endpoint",
  59. "backchannel_authentication_request_signing_alg_values_supported",
  60. "backchannel_logout_session_supported",
  61. "backchannel_logout_supported",
  62. "backchannel_token_delivery_modes_supported",
  63. "check_session_iframe",
  64. "claim_types_supported",
  65. "claims_parameter_supported",
  66. "claims_supported",
  67. "code_challenge_methods_supported",
  68. "device_authorization_endpoint",
  69. "end_session_endpoint",
  70. "frontchannel_logout_session_supported",
  71. "frontchannel_logout_supported",
  72. "grant_types_supported",
  73. "id_token_encryption_alg_values_supported",
  74. "id_token_encryption_enc_values_supported",
  75. "id_token_signing_alg_values_supported",
  76. "introspection_endpoint",
  77. "introspection_endpoint_auth_methods_supported",
  78. "introspection_endpoint_auth_signing_alg_values_supported",
  79. "issuer",
  80. "jwks_uri",
  81. "mtls_endpoint_aliases",
  82. "pushed_authorization_request_endpoint",
  83. "registration_endpoint",
  84. "request_object_encryption_alg_values_supported",
  85. "request_object_encryption_enc_values_supported",
  86. "request_object_signing_alg_values_supported",
  87. "request_parameter_supported",
  88. "request_uri_parameter_supported",
  89. "require_pushed_authorization_requests",
  90. "require_request_uri_registration",
  91. "response_modes_supported",
  92. "response_types_supported",
  93. "revocation_endpoint",
  94. "revocation_endpoint_auth_methods_supported",
  95. "revocation_endpoint_auth_signing_alg_values_supported",
  96. "scopes_supported",
  97. "subject_types_supported",
  98. "tls_client_certificate_bound_access_tokens",
  99. "token_endpoint",
  100. "token_endpoint_auth_methods_supported",
  101. "token_endpoint_auth_signing_alg_values_supported",
  102. "userinfo_encryption_alg_values_supported",
  103. "userinfo_encryption_enc_values_supported",
  104. "userinfo_endpoint",
  105. "userinfo_signing_alg_values_supported",
  106. ]:
  107. assert key in res
  110. def test_auth_url(env, oid: KeycloakOpenID):
  111. """Test the auth_url method.
  113. :param env: Environment fixture
  114. :type env: KeycloakTestEnv
  115. :param oid: Keycloak OpenID client
  116. :type oid: KeycloakOpenID
  117. """
  118. res = oid.auth_url(redirect_uri="http://test.test/*")
  119. assert (
  120. res
  121. == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}/realms/{oid.realm_name}"
  122. + f"/protocol/openid-connect/auth?client_id={oid.client_id}&response_type=code"
  123. + "&redirect_uri=http://test.test/*&scope=email&state="
  124. )
  127. def test_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  128. """Test the token method.
  130. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  131. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  132. """
  133. oid, username, password = oid_with_credentials
  134. token = oid.token(username=username, password=password)
  135. assert token == {
  136. "access_token": mock.ANY,
  137. "expires_in": mock.ANY,
  138. "id_token": mock.ANY,
  139. "not-before-policy": 0,
  140. "refresh_expires_in": mock.ANY,
  141. "refresh_token": mock.ANY,
  142. "scope": mock.ANY,
  143. "session_state": mock.ANY,
  144. "token_type": "Bearer",
  145. }
  147. # Test with dummy totp
  148. token = oid.token(username=username, password=password, totp="123456")
  149. assert token == {
  150. "access_token": mock.ANY,
  151. "expires_in": mock.ANY,
  152. "id_token": mock.ANY,
  153. "not-before-policy": 0,
  154. "refresh_expires_in": mock.ANY,
  155. "refresh_token": mock.ANY,
  156. "scope": mock.ANY,
  157. "session_state": mock.ANY,
  158. "token_type": "Bearer",
  159. }
  161. # Test with extra param
  162. token = oid.token(username=username, password=password, extra_param="foo")
  163. assert token == {
  164. "access_token": mock.ANY,
  165. "expires_in": mock.ANY,
  166. "id_token": mock.ANY,
  167. "not-before-policy": 0,
  168. "refresh_expires_in": mock.ANY,
  169. "refresh_token": mock.ANY,
  170. "scope": mock.ANY,
  171. "session_state": mock.ANY,
  172. "token_type": "Bearer",
  173. }
  176. def test_exchange_token(
  177. oid_with_credentials: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  178. ):
  179. """Test the exchange token method.
  181. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  182. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  183. :param admin: Keycloak Admin client
  184. :type admin: KeycloakAdmin
  185. """
  186. # Verify existing user
  187. oid, username, password = oid_with_credentials
  189. # Allow impersonation
  190. admin.change_current_realm(oid.realm_name)
  191. admin.assign_client_role(
  192. user_id=admin.get_user_id(username=username),
  193. client_id=admin.get_client_id(client_id="realm-management"),
  194. roles=[
  195. admin.get_client_role(
  196. client_id=admin.get_client_id(client_id="realm-management"),
  197. role_name="impersonation",
  198. )
  199. ],
  200. )
  202. token = oid.token(username=username, password=password)
  203. assert oid.userinfo(token=token["access_token"]) == {
  204. "email": f"{username}@test.test",
  205. "email_verified": True,
  206. "family_name": "last",
  207. "given_name": "first",
  208. "name": "first last",
  209. "preferred_username": username,
  210. "sub": mock.ANY,
  211. }
  213. # Exchange token with the new user
  214. new_token = oid.exchange_token(
  215. token=token["access_token"], audience=oid.client_id, subject=username
  216. )
  217. assert oid.userinfo(token=new_token["access_token"]) == {
  218. "email": f"{username}@test.test",
  219. "email_verified": True,
  220. "family_name": "last",
  221. "given_name": "first",
  222. "name": "first last",
  223. "preferred_username": username,
  224. "sub": mock.ANY,
  225. }
  226. assert token != new_token
  229. def test_logout(oid_with_credentials):
  230. """Test logout.
  232. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  233. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  234. """
  235. oid, username, password = oid_with_credentials
  237. token = oid.token(username=username, password=password)
  238. assert oid.userinfo(token=token["access_token"]) != dict()
  239. assert oid.logout(refresh_token=token["refresh_token"]) == dict()
  241. with pytest.raises(KeycloakAuthenticationError):
  242. oid.userinfo(token=token["access_token"])
  245. def test_certs(oid: KeycloakOpenID):
  246. """Test certificates.
  248. :param oid: Keycloak OpenID client
  249. :type oid: KeycloakOpenID
  250. """
  251. assert len(oid.certs()["keys"]) == 2
  254. def test_public_key(oid: KeycloakOpenID):
  255. """Test public key.
  257. :param oid: Keycloak OpenID client
  258. :type oid: KeycloakOpenID
  259. """
  260. assert oid.public_key() is not None
  263. def test_entitlement(
  264. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  265. ):
  266. """Test entitlement.
  268. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  269. server with client credentials
  270. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  271. :param admin: Keycloak Admin client
  272. :type admin: KeycloakAdmin
  273. """
  274. oid, username, password = oid_with_credentials_authz
  275. token = oid.token(username=username, password=password)
  276. resource_server_id = admin.get_client_authz_resources(
  277. client_id=admin.get_client_id(oid.client_id)
  278. )[0]["_id"]
  280. with pytest.raises(KeycloakDeprecationError):
  281. oid.entitlement(token=token["access_token"], resource_server_id=resource_server_id)
  284. def test_introspect(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  285. """Test introspect.
  287. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  288. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  289. """
  290. oid, username, password = oid_with_credentials
  291. token = oid.token(username=username, password=password)
  293. assert oid.introspect(token=token["access_token"])["active"]
  294. assert oid.introspect(
  295. token=token["access_token"], rpt="some", token_type_hint="requesting_party_token"
  296. ) == {"active": False}
  298. with pytest.raises(KeycloakRPTNotFound):
  299. oid.introspect(token=token["access_token"], token_type_hint="requesting_party_token")
  302. def test_decode_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  303. """Test decode token.
  305. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  306. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  307. """
  308. oid, username, password = oid_with_credentials
  309. token = oid.token(username=username, password=password)
  310. decoded_access_token = oid.decode_token(token=token["access_token"])
  311. decoded_access_token_2 = oid.decode_token(token=token["access_token"], validate=False)
  312. decoded_refresh_token = oid.decode_token(token=token["refresh_token"], validate=False)
  314. assert decoded_access_token == decoded_access_token_2
  315. assert decoded_access_token["preferred_username"] == username, decoded_access_token
  316. assert decoded_refresh_token["typ"] == "Refresh", decoded_refresh_token
  319. def test_load_authorization_config(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  320. """Test load authorization config.
  322. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  323. server with client credentials
  324. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  325. """
  326. oid, username, password = oid_with_credentials_authz
  328. oid.load_authorization_config(path="tests/data/authz_settings.json")
  329. assert "test-authz-rb-policy" in oid.authorization.policies
  330. assert isinstance(oid.authorization.policies["test-authz-rb-policy"], Policy)
  331. assert len(oid.authorization.policies["test-authz-rb-policy"].roles) == 1
  332. assert isinstance(oid.authorization.policies["test-authz-rb-policy"].roles[0], Role)
  333. assert len(oid.authorization.policies["test-authz-rb-policy"].permissions) == 2
  334. assert isinstance(
  335. oid.authorization.policies["test-authz-rb-policy"].permissions[0], Permission
  336. )
  339. def test_get_policies(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  340. """Test get policies.
  342. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  343. server with client credentials
  344. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  345. """
  346. oid, username, password = oid_with_credentials_authz
  347. token = oid.token(username=username, password=password)
  349. with pytest.raises(KeycloakAuthorizationConfigError):
  350. oid.get_policies(token=token["access_token"])
  352. oid.load_authorization_config(path="tests/data/authz_settings.json")
  353. assert oid.get_policies(token=token["access_token"]) is None
  355. orig_client_id = oid.client_id
  356. oid.client_id = "account"
  357. assert oid.get_policies(token=token["access_token"], method_token_info="decode") == []
  358. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  359. policy.add_role(role="account/view-profile")
  360. oid.authorization.policies["test"] = policy
  361. assert [
  362. str(x) for x in oid.get_policies(token=token["access_token"], method_token_info="decode")
  363. ] == ["Policy: test (role)"]
  364. assert [
  365. repr(x) for x in oid.get_policies(token=token["access_token"], method_token_info="decode")
  366. ] == ["<Policy: test (role)>"]
  367. oid.client_id = orig_client_id
  369. oid.logout(refresh_token=token["refresh_token"])
  370. with pytest.raises(KeycloakInvalidTokenError):
  371. oid.get_policies(token=token["access_token"])
  374. def test_get_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  375. """Test get policies.
  377. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  378. server with client credentials
  379. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  380. """
  381. oid, username, password = oid_with_credentials_authz
  382. token = oid.token(username=username, password=password)
  384. with pytest.raises(KeycloakAuthorizationConfigError):
  385. oid.get_permissions(token=token["access_token"])
  387. oid.load_authorization_config(path="tests/data/authz_settings.json")
  388. assert oid.get_permissions(token=token["access_token"]) is None
  390. orig_client_id = oid.client_id
  391. oid.client_id = "account"
  392. assert oid.get_permissions(token=token["access_token"], method_token_info="decode") == []
  393. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  394. policy.add_role(role="account/view-profile")
  395. policy.add_permission(
  396. permission=Permission(
  397. name="test-perm", type="resource", logic="POSITIVE", decision_strategy="UNANIMOUS"
  398. )
  399. )
  400. oid.authorization.policies["test"] = policy
  401. assert [
  402. str(x)
  403. for x in oid.get_permissions(token=token["access_token"], method_token_info="decode")
  404. ] == ["Permission: test-perm (resource)"]
  405. assert [
  406. repr(x)
  407. for x in oid.get_permissions(token=token["access_token"], method_token_info="decode")
  408. ] == ["<Permission: test-perm (resource)>"]
  409. oid.client_id = orig_client_id
  411. oid.logout(refresh_token=token["refresh_token"])
  412. with pytest.raises(KeycloakInvalidTokenError):
  413. oid.get_permissions(token=token["access_token"])
  416. def test_uma_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  417. """Test UMA permissions.
  419. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  420. server with client credentials
  421. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  422. """
  423. oid, username, password = oid_with_credentials_authz
  424. token = oid.token(username=username, password=password)
  426. assert len(oid.uma_permissions(token=token["access_token"])) == 1
  427. assert oid.uma_permissions(token=token["access_token"])[0]["rsname"] == "Default Resource"
  430. def test_has_uma_access(
  431. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  432. ):
  433. """Test has UMA access.
  435. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  436. server with client credentials
  437. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  438. :param admin: Keycloak Admin client
  439. :type admin: KeycloakAdmin
  440. """
  441. oid, username, password = oid_with_credentials_authz
  442. token = oid.token(username=username, password=password)
  444. assert (
  445. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  446. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  447. )
  448. assert (
  449. str(oid.has_uma_access(token=token["access_token"], permissions="Default Resource"))
  450. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  451. )
  453. with pytest.raises(KeycloakPostError):
  454. oid.has_uma_access(token=token["access_token"], permissions="Does not exist")
  456. oid.logout(refresh_token=token["refresh_token"])
  457. assert (
  458. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  459. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions=set())"
  460. )
  461. assert (
  462. str(
  463. oid.has_uma_access(
  464. token=admin.connection.token["access_token"], permissions="Default Resource"
  465. )
  466. )
  467. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions="
  468. + "{'Default Resource'})"
  469. )
  472. def test_device(oid_with_credentials_device: Tuple[KeycloakOpenID, str, str]):
  473. """Test device authorization flow.
  475. :param oid_with_credentials_device: Keycloak OpenID client with pre-configured user
  476. credentials and device authorization flow enabled
  477. :type oid_with_credentials_device: Tuple[KeycloakOpenID, str, str]
  478. """
  479. oid, _, _ = oid_with_credentials_device
  480. res = oid.device()
  481. assert res == {
  482. "device_code": mock.ANY,
  483. "user_code": mock.ANY,
  484. "verification_uri": f"http://localhost:8081/realms/{oid.realm_name}/device",
  485. "verification_uri_complete": f"http://localhost:8081/realms/{oid.realm_name}/"
  486. + f"device?user_code={res['user_code']}",
  487. "expires_in": 600,
  488. "interval": 5,
  489. }