Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
643 Commits
15 Branches
98 Tags
17 MiB
Tree: 39f4afe9b6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '39f4afe9b6'
${ noResults }
python-keycloak/tests/test_keycloak_openid.py

393 lines
14 KiB
Raw Normal View History

test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: test of init and well_known of oid
2 years ago
test: added load authorization config test
2 years ago
style: applied isort
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: added load authorization config test
2 years ago
test: added more openid tests
2 years ago
style: applied isort
2 years ago
test: test of init and well_known of oid
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: test of init and well_known of oid
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: test of init and well_known of oid
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: improved the tests on urls, back to 100%
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: finished off openid tests
2 years ago
  1. """Test module for KeycloakOpenID."""
  2. from typing import Tuple
  3. from unittest import mock
  5. import pytest
  7. from keycloak.authorization import Authorization
  8. from keycloak.authorization.permission import Permission
  9. from keycloak.authorization.policy import Policy
  10. from keycloak.authorization.role import Role
  11. from keycloak.connection import ConnectionManager
  12. from keycloak.exceptions import (
  13. KeycloakAuthenticationError,
  14. KeycloakAuthorizationConfigError,
  15. KeycloakDeprecationError,
  16. KeycloakInvalidTokenError,
  17. KeycloakPostError,
  18. KeycloakRPTNotFound,
  19. )
  20. from keycloak.keycloak_admin import KeycloakAdmin
  21. from keycloak.keycloak_openid import KeycloakOpenID
  24. def test_keycloak_openid_init(env):
  25. """Test KeycloakOpenId's init method."""
  26. oid = KeycloakOpenID(
  27. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  28. realm_name="master",
  29. client_id="admin-cli",
  30. )
  32. assert oid.client_id == "admin-cli"
  33. assert oid.client_secret_key is None
  34. assert oid.realm_name == "master"
  35. assert isinstance(oid.connection, ConnectionManager)
  36. assert isinstance(oid.authorization, Authorization)
  39. def test_well_known(oid: KeycloakOpenID):
  40. """Test the well_known method."""
  41. res = oid.well_known()
  42. assert res is not None
  43. assert res != dict()
  44. for key in [
  45. "acr_values_supported",
  46. "authorization_encryption_alg_values_supported",
  47. "authorization_encryption_enc_values_supported",
  48. "authorization_endpoint",
  49. "authorization_signing_alg_values_supported",
  50. "backchannel_authentication_endpoint",
  51. "backchannel_authentication_request_signing_alg_values_supported",
  52. "backchannel_logout_session_supported",
  53. "backchannel_logout_supported",
  54. "backchannel_token_delivery_modes_supported",
  55. "check_session_iframe",
  56. "claim_types_supported",
  57. "claims_parameter_supported",
  58. "claims_supported",
  59. "code_challenge_methods_supported",
  60. "device_authorization_endpoint",
  61. "end_session_endpoint",
  62. "frontchannel_logout_session_supported",
  63. "frontchannel_logout_supported",
  64. "grant_types_supported",
  65. "id_token_encryption_alg_values_supported",
  66. "id_token_encryption_enc_values_supported",
  67. "id_token_signing_alg_values_supported",
  68. "introspection_endpoint",
  69. "introspection_endpoint_auth_methods_supported",
  70. "introspection_endpoint_auth_signing_alg_values_supported",
  71. "issuer",
  72. "jwks_uri",
  73. "mtls_endpoint_aliases",
  74. "pushed_authorization_request_endpoint",
  75. "registration_endpoint",
  76. "request_object_encryption_alg_values_supported",
  77. "request_object_encryption_enc_values_supported",
  78. "request_object_signing_alg_values_supported",
  79. "request_parameter_supported",
  80. "request_uri_parameter_supported",
  81. "require_pushed_authorization_requests",
  82. "require_request_uri_registration",
  83. "response_modes_supported",
  84. "response_types_supported",
  85. "revocation_endpoint",
  86. "revocation_endpoint_auth_methods_supported",
  87. "revocation_endpoint_auth_signing_alg_values_supported",
  88. "scopes_supported",
  89. "subject_types_supported",
  90. "tls_client_certificate_bound_access_tokens",
  91. "token_endpoint",
  92. "token_endpoint_auth_methods_supported",
  93. "token_endpoint_auth_signing_alg_values_supported",
  94. "userinfo_encryption_alg_values_supported",
  95. "userinfo_encryption_enc_values_supported",
  96. "userinfo_endpoint",
  97. "userinfo_signing_alg_values_supported",
  98. ]:
  99. assert key in res
  102. def test_auth_url(env, oid: KeycloakOpenID):
  103. """Test the auth_url method."""
  104. res = oid.auth_url(redirect_uri="http://test.test/*")
  105. assert (
  106. res
  107. == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}/realms/{oid.realm_name}"
  108. + f"/protocol/openid-connect/auth?client_id={oid.client_id}&response_type=code"
  109. + "&redirect_uri=http://test.test/*&scope=email&state="
  110. )
  113. def test_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  114. """Test the token method."""
  115. oid, username, password = oid_with_credentials
  116. token = oid.token(username=username, password=password)
  117. assert token == {
  118. "access_token": mock.ANY,
  119. "expires_in": 300,
  120. "not-before-policy": 0,
  121. "refresh_expires_in": 1800,
  122. "refresh_token": mock.ANY,
  123. "scope": mock.ANY,
  124. "session_state": mock.ANY,
  125. "token_type": "Bearer",
  126. }
  128. # Test with dummy totp
  129. token = oid.token(username=username, password=password, totp="123456")
  130. assert token == {
  131. "access_token": mock.ANY,
  132. "expires_in": 300,
  133. "not-before-policy": 0,
  134. "refresh_expires_in": 1800,
  135. "refresh_token": mock.ANY,
  136. "scope": mock.ANY,
  137. "session_state": mock.ANY,
  138. "token_type": "Bearer",
  139. }
  141. # Test with extra param
  142. token = oid.token(username=username, password=password, extra_param="foo")
  143. assert token == {
  144. "access_token": mock.ANY,
  145. "expires_in": 300,
  146. "not-before-policy": 0,
  147. "refresh_expires_in": 1800,
  148. "refresh_token": mock.ANY,
  149. "scope": mock.ANY,
  150. "session_state": mock.ANY,
  151. "token_type": "Bearer",
  152. }
  155. def test_exchange_token(
  156. oid_with_credentials: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  157. ):
  158. """Test the exchange token method."""
  159. # Verify existing user
  160. oid, username, password = oid_with_credentials
  162. # Allow impersonation
  163. admin.realm_name = oid.realm_name
  164. admin.assign_client_role(
  165. user_id=admin.get_user_id(username=username),
  166. client_id=admin.get_client_id(client_id="realm-management"),
  167. roles=[
  168. admin.get_client_role(
  169. client_id=admin.get_client_id(client_id="realm-management"),
  170. role_name="impersonation",
  171. )
  172. ],
  173. )
  175. token = oid.token(username=username, password=password)
  176. assert oid.userinfo(token=token["access_token"]) == {
  177. "email": f"{username}@test.test",
  178. "email_verified": False,
  179. "preferred_username": username,
  180. "sub": mock.ANY,
  181. }
  183. # Exchange token with the new user
  184. new_token = oid.exchange_token(
  185. token=token["access_token"],
  186. client_id=oid.client_id,
  187. audience=oid.client_id,
  188. subject=username,
  189. )
  190. assert oid.userinfo(token=new_token["access_token"]) == {
  191. "email": f"{username}@test.test",
  192. "email_verified": False,
  193. "preferred_username": username,
  194. "sub": mock.ANY,
  195. }
  196. assert token != new_token
  199. def test_logout(oid_with_credentials):
  200. """Test logout."""
  201. oid, username, password = oid_with_credentials
  203. token = oid.token(username=username, password=password)
  204. assert oid.userinfo(token=token["access_token"]) != dict()
  205. assert oid.logout(refresh_token=token["refresh_token"]) == dict()
  207. with pytest.raises(KeycloakAuthenticationError):
  208. oid.userinfo(token=token["access_token"])
  211. def test_certs(oid: KeycloakOpenID):
  212. """Test certificates."""
  213. assert len(oid.certs()["keys"]) == 2
  216. def test_public_key(oid: KeycloakOpenID):
  217. """Test public key."""
  218. assert oid.public_key() is not None
  221. def test_entitlement(
  222. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  223. ):
  224. """Test entitlement."""
  225. oid, username, password = oid_with_credentials_authz
  226. token = oid.token(username=username, password=password)
  227. resource_server_id = admin.get_client_authz_resources(
  228. client_id=admin.get_client_id(oid.client_id)
  229. )[0]["_id"]
  231. with pytest.raises(KeycloakDeprecationError):
  232. oid.entitlement(token=token["access_token"], resource_server_id=resource_server_id)
  235. def test_introspect(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  236. """Test introspect."""
  237. oid, username, password = oid_with_credentials
  238. token = oid.token(username=username, password=password)
  240. assert oid.introspect(token=token["access_token"])["active"]
  241. assert oid.introspect(
  242. token=token["access_token"], rpt="some", token_type_hint="requesting_party_token"
  243. ) == {"active": False}
  245. with pytest.raises(KeycloakRPTNotFound):
  246. oid.introspect(token=token["access_token"], token_type_hint="requesting_party_token")
  249. def test_decode_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  250. """Test decode token."""
  251. oid, username, password = oid_with_credentials
  252. token = oid.token(username=username, password=password)
  254. assert (
  255. oid.decode_token(
  256. token=token["access_token"],
  257. key="-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----",
  258. options={"verify_aud": False},
  259. )["preferred_username"]
  260. == username
  261. )
  264. def test_load_authorization_config(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  265. """Test load authorization config."""
  266. oid, username, password = oid_with_credentials_authz
  268. oid.load_authorization_config(path="tests/data/authz_settings.json")
  269. assert "test-authz-rb-policy" in oid.authorization.policies
  270. assert isinstance(oid.authorization.policies["test-authz-rb-policy"], Policy)
  271. assert len(oid.authorization.policies["test-authz-rb-policy"].roles) == 1
  272. assert isinstance(oid.authorization.policies["test-authz-rb-policy"].roles[0], Role)
  273. assert len(oid.authorization.policies["test-authz-rb-policy"].permissions) == 2
  274. assert isinstance(
  275. oid.authorization.policies["test-authz-rb-policy"].permissions[0], Permission
  276. )
  279. def test_get_policies(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  280. """Test get policies."""
  281. oid, username, password = oid_with_credentials_authz
  282. token = oid.token(username=username, password=password)
  284. with pytest.raises(KeycloakAuthorizationConfigError):
  285. oid.get_policies(token=token["access_token"])
  287. oid.load_authorization_config(path="tests/data/authz_settings.json")
  288. assert oid.get_policies(token=token["access_token"]) is None
  290. key = "-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----"
  291. orig_client_id = oid.client_id
  292. oid.client_id = "account"
  293. assert oid.get_policies(token=token["access_token"], method_token_info="decode", key=key) == []
  294. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  295. policy.add_role(role="account/view-profile")
  296. oid.authorization.policies["test"] = policy
  297. assert [
  298. str(x)
  299. for x in oid.get_policies(token=token["access_token"], method_token_info="decode", key=key)
  300. ] == ["Policy: test (role)"]
  301. assert [
  302. repr(x)
  303. for x in oid.get_policies(token=token["access_token"], method_token_info="decode", key=key)
  304. ] == ["<Policy: test (role)>"]
  305. oid.client_id = orig_client_id
  307. oid.logout(refresh_token=token["refresh_token"])
  308. with pytest.raises(KeycloakInvalidTokenError):
  309. oid.get_policies(token=token["access_token"])
  312. def test_get_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  313. """Test get policies."""
  314. oid, username, password = oid_with_credentials_authz
  315. token = oid.token(username=username, password=password)
  317. with pytest.raises(KeycloakAuthorizationConfigError):
  318. oid.get_permissions(token=token["access_token"])
  320. oid.load_authorization_config(path="tests/data/authz_settings.json")
  321. assert oid.get_permissions(token=token["access_token"]) is None
  323. key = "-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----"
  324. orig_client_id = oid.client_id
  325. oid.client_id = "account"
  326. assert (
  327. oid.get_permissions(token=token["access_token"], method_token_info="decode", key=key) == []
  328. )
  329. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  330. policy.add_role(role="account/view-profile")
  331. policy.add_permission(
  332. permission=Permission(
  333. name="test-perm", type="resource", logic="POSITIVE", decision_strategy="UNANIMOUS"
  334. )
  335. )
  336. oid.authorization.policies["test"] = policy
  337. assert [
  338. str(x)
  339. for x in oid.get_permissions(
  340. token=token["access_token"], method_token_info="decode", key=key
  341. )
  342. ] == ["Permission: test-perm (resource)"]
  343. assert [
  344. repr(x)
  345. for x in oid.get_permissions(
  346. token=token["access_token"], method_token_info="decode", key=key
  347. )
  348. ] == ["<Permission: test-perm (resource)>"]
  349. oid.client_id = orig_client_id
  351. oid.logout(refresh_token=token["refresh_token"])
  352. with pytest.raises(KeycloakInvalidTokenError):
  353. oid.get_permissions(token=token["access_token"])
  356. def test_uma_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  357. """Test UMA permissions."""
  358. oid, username, password = oid_with_credentials_authz
  359. token = oid.token(username=username, password=password)
  361. assert len(oid.uma_permissions(token=token["access_token"])) == 1
  362. assert oid.uma_permissions(token=token["access_token"])[0]["rsname"] == "Default Resource"
  365. def test_has_uma_access(
  366. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  367. ):
  368. """Test has UMA access."""
  369. oid, username, password = oid_with_credentials_authz
  370. token = oid.token(username=username, password=password)
  372. assert (
  373. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  374. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  375. )
  376. assert (
  377. str(oid.has_uma_access(token=token["access_token"], permissions="Default Resource"))
  378. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  379. )
  381. with pytest.raises(KeycloakPostError):
  382. oid.has_uma_access(token=token["access_token"], permissions="Does not exist")
  384. oid.logout(refresh_token=token["refresh_token"])
  385. assert (
  386. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  387. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions=set())"
  388. )
  389. assert (
  390. str(oid.has_uma_access(token=admin.token["access_token"], permissions="Default Resource"))
  391. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions="
  392. + "{'Default Resource'})"
  393. )