Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
746 Commits
14 Branches
95 Tags
15 MiB
Tree: 7bbf4e15b7
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7bbf4e15b7'
${ noResults }
python-keycloak/tests/test_keycloak_openid.py

473 lines
17 KiB
Raw Normal View History

test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
1 year ago
test: test of init and well_known of oid
2 years ago
test: added load authorization config test
2 years ago
style: applied isort
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: added load authorization config test
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: improved the tests on urls, back to 100%
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests for latest keycloak
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests for latest keycloak
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests for latest keycloak
1 year ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: finished off openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
  1. """Test module for KeycloakOpenID."""
  2. from typing import Tuple
  3. from unittest import mock
  5. import pytest
  7. from keycloak import KeycloakAdmin, KeycloakOpenID
  8. from keycloak.authorization import Authorization
  9. from keycloak.authorization.permission import Permission
  10. from keycloak.authorization.policy import Policy
  11. from keycloak.authorization.role import Role
  12. from keycloak.connection import ConnectionManager
  13. from keycloak.exceptions import (
  14. KeycloakAuthenticationError,
  15. KeycloakAuthorizationConfigError,
  16. KeycloakDeprecationError,
  17. KeycloakInvalidTokenError,
  18. KeycloakPostError,
  19. KeycloakRPTNotFound,
  20. )
  23. def test_keycloak_openid_init(env):
  24. """Test KeycloakOpenId's init method.
  26. :param env: Environment fixture
  27. :type env: KeycloakTestEnv
  28. """
  29. oid = KeycloakOpenID(
  30. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  31. realm_name="master",
  32. client_id="admin-cli",
  33. )
  35. assert oid.client_id == "admin-cli"
  36. assert oid.client_secret_key is None
  37. assert oid.realm_name == "master"
  38. assert isinstance(oid.connection, ConnectionManager)
  39. assert isinstance(oid.authorization, Authorization)
  42. def test_well_known(oid: KeycloakOpenID):
  43. """Test the well_known method.
  45. :param oid: Keycloak OpenID client
  46. :type oid: KeycloakOpenID
  47. """
  48. res = oid.well_known()
  49. assert res is not None
  50. assert res != dict()
  51. for key in [
  52. "acr_values_supported",
  53. "authorization_encryption_alg_values_supported",
  54. "authorization_encryption_enc_values_supported",
  55. "authorization_endpoint",
  56. "authorization_signing_alg_values_supported",
  57. "backchannel_authentication_endpoint",
  58. "backchannel_authentication_request_signing_alg_values_supported",
  59. "backchannel_logout_session_supported",
  60. "backchannel_logout_supported",
  61. "backchannel_token_delivery_modes_supported",
  62. "check_session_iframe",
  63. "claim_types_supported",
  64. "claims_parameter_supported",
  65. "claims_supported",
  66. "code_challenge_methods_supported",
  67. "device_authorization_endpoint",
  68. "end_session_endpoint",
  69. "frontchannel_logout_session_supported",
  70. "frontchannel_logout_supported",
  71. "grant_types_supported",
  72. "id_token_encryption_alg_values_supported",
  73. "id_token_encryption_enc_values_supported",
  74. "id_token_signing_alg_values_supported",
  75. "introspection_endpoint",
  76. "introspection_endpoint_auth_methods_supported",
  77. "introspection_endpoint_auth_signing_alg_values_supported",
  78. "issuer",
  79. "jwks_uri",
  80. "mtls_endpoint_aliases",
  81. "pushed_authorization_request_endpoint",
  82. "registration_endpoint",
  83. "request_object_encryption_alg_values_supported",
  84. "request_object_encryption_enc_values_supported",
  85. "request_object_signing_alg_values_supported",
  86. "request_parameter_supported",
  87. "request_uri_parameter_supported",
  88. "require_pushed_authorization_requests",
  89. "require_request_uri_registration",
  90. "response_modes_supported",
  91. "response_types_supported",
  92. "revocation_endpoint",
  93. "revocation_endpoint_auth_methods_supported",
  94. "revocation_endpoint_auth_signing_alg_values_supported",
  95. "scopes_supported",
  96. "subject_types_supported",
  97. "tls_client_certificate_bound_access_tokens",
  98. "token_endpoint",
  99. "token_endpoint_auth_methods_supported",
  100. "token_endpoint_auth_signing_alg_values_supported",
  101. "userinfo_encryption_alg_values_supported",
  102. "userinfo_encryption_enc_values_supported",
  103. "userinfo_endpoint",
  104. "userinfo_signing_alg_values_supported",
  105. ]:
  106. assert key in res
  109. def test_auth_url(env, oid: KeycloakOpenID):
  110. """Test the auth_url method.
  112. :param env: Environment fixture
  113. :type env: KeycloakTestEnv
  114. :param oid: Keycloak OpenID client
  115. :type oid: KeycloakOpenID
  116. """
  117. res = oid.auth_url(redirect_uri="http://test.test/*")
  118. assert (
  119. res
  120. == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}/realms/{oid.realm_name}"
  121. + f"/protocol/openid-connect/auth?client_id={oid.client_id}&response_type=code"
  122. + "&redirect_uri=http://test.test/*&scope=email&state="
  123. )
  126. def test_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  127. """Test the token method.
  129. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  130. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  131. """
  132. oid, username, password = oid_with_credentials
  133. token = oid.token(username=username, password=password)
  134. assert token == {
  135. "access_token": mock.ANY,
  136. "expires_in": 300,
  137. "id_token": mock.ANY,
  138. "not-before-policy": 0,
  139. "refresh_expires_in": 1800,
  140. "refresh_token": mock.ANY,
  141. "scope": mock.ANY,
  142. "session_state": mock.ANY,
  143. "token_type": "Bearer",
  144. }
  146. # Test with dummy totp
  147. token = oid.token(username=username, password=password, totp="123456")
  148. assert token == {
  149. "access_token": mock.ANY,
  150. "expires_in": 300,
  151. "id_token": mock.ANY,
  152. "not-before-policy": 0,
  153. "refresh_expires_in": 1800,
  154. "refresh_token": mock.ANY,
  155. "scope": mock.ANY,
  156. "session_state": mock.ANY,
  157. "token_type": "Bearer",
  158. }
  160. # Test with extra param
  161. token = oid.token(username=username, password=password, extra_param="foo")
  162. assert token == {
  163. "access_token": mock.ANY,
  164. "expires_in": 300,
  165. "id_token": mock.ANY,
  166. "not-before-policy": 0,
  167. "refresh_expires_in": 1800,
  168. "refresh_token": mock.ANY,
  169. "scope": mock.ANY,
  170. "session_state": mock.ANY,
  171. "token_type": "Bearer",
  172. }
  175. def test_exchange_token(
  176. oid_with_credentials: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  177. ):
  178. """Test the exchange token method.
  180. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  181. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  182. :param admin: Keycloak Admin client
  183. :type admin: KeycloakAdmin
  184. """
  185. # Verify existing user
  186. oid, username, password = oid_with_credentials
  188. # Allow impersonation
  189. admin.realm_name = oid.realm_name
  190. admin.assign_client_role(
  191. user_id=admin.get_user_id(username=username),
  192. client_id=admin.get_client_id(client_id="realm-management"),
  193. roles=[
  194. admin.get_client_role(
  195. client_id=admin.get_client_id(client_id="realm-management"),
  196. role_name="impersonation",
  197. )
  198. ],
  199. )
  201. token = oid.token(username=username, password=password)
  202. assert oid.userinfo(token=token["access_token"]) == {
  203. "email": f"{username}@test.test",
  204. "email_verified": False,
  205. "preferred_username": username,
  206. "sub": mock.ANY,
  207. }
  209. # Exchange token with the new user
  210. new_token = oid.exchange_token(
  211. token=token["access_token"],
  212. client_id=oid.client_id,
  213. audience=oid.client_id,
  214. subject=username,
  215. )
  216. assert oid.userinfo(token=new_token["access_token"]) == {
  217. "email": f"{username}@test.test",
  218. "email_verified": False,
  219. "preferred_username": username,
  220. "sub": mock.ANY,
  221. }
  222. assert token != new_token
  225. def test_logout(oid_with_credentials):
  226. """Test logout.
  228. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  229. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  230. """
  231. oid, username, password = oid_with_credentials
  233. token = oid.token(username=username, password=password)
  234. assert oid.userinfo(token=token["access_token"]) != dict()
  235. assert oid.logout(refresh_token=token["refresh_token"]) == dict()
  237. with pytest.raises(KeycloakAuthenticationError):
  238. oid.userinfo(token=token["access_token"])
  241. def test_certs(oid: KeycloakOpenID):
  242. """Test certificates.
  244. :param oid: Keycloak OpenID client
  245. :type oid: KeycloakOpenID
  246. """
  247. assert len(oid.certs()["keys"]) == 2
  250. def test_public_key(oid: KeycloakOpenID):
  251. """Test public key.
  253. :param oid: Keycloak OpenID client
  254. :type oid: KeycloakOpenID
  255. """
  256. assert oid.public_key() is not None
  259. def test_entitlement(
  260. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  261. ):
  262. """Test entitlement.
  264. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  265. server with client credentials
  266. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  267. :param admin: Keycloak Admin client
  268. :type admin: KeycloakAdmin
  269. """
  270. oid, username, password = oid_with_credentials_authz
  271. token = oid.token(username=username, password=password)
  272. resource_server_id = admin.get_client_authz_resources(
  273. client_id=admin.get_client_id(oid.client_id)
  274. )[0]["_id"]
  276. with pytest.raises(KeycloakDeprecationError):
  277. oid.entitlement(token=token["access_token"], resource_server_id=resource_server_id)
  280. def test_introspect(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  281. """Test introspect.
  283. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  284. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  285. """
  286. oid, username, password = oid_with_credentials
  287. token = oid.token(username=username, password=password)
  289. assert oid.introspect(token=token["access_token"])["active"]
  290. assert oid.introspect(
  291. token=token["access_token"], rpt="some", token_type_hint="requesting_party_token"
  292. ) == {"active": False}
  294. with pytest.raises(KeycloakRPTNotFound):
  295. oid.introspect(token=token["access_token"], token_type_hint="requesting_party_token")
  298. def test_decode_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  299. """Test decode token.
  301. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  302. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  303. """
  304. oid, username, password = oid_with_credentials
  305. token = oid.token(username=username, password=password)
  307. assert (
  308. oid.decode_token(
  309. token=token["access_token"],
  310. key="-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----",
  311. options={"verify_aud": False},
  312. )["preferred_username"]
  313. == username
  314. )
  317. def test_load_authorization_config(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  318. """Test load authorization config.
  320. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  321. server with client credentials
  322. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  323. """
  324. oid, username, password = oid_with_credentials_authz
  326. oid.load_authorization_config(path="tests/data/authz_settings.json")
  327. assert "test-authz-rb-policy" in oid.authorization.policies
  328. assert isinstance(oid.authorization.policies["test-authz-rb-policy"], Policy)
  329. assert len(oid.authorization.policies["test-authz-rb-policy"].roles) == 1
  330. assert isinstance(oid.authorization.policies["test-authz-rb-policy"].roles[0], Role)
  331. assert len(oid.authorization.policies["test-authz-rb-policy"].permissions) == 2
  332. assert isinstance(
  333. oid.authorization.policies["test-authz-rb-policy"].permissions[0], Permission
  334. )
  337. def test_get_policies(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  338. """Test get policies.
  340. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  341. server with client credentials
  342. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  343. """
  344. oid, username, password = oid_with_credentials_authz
  345. token = oid.token(username=username, password=password)
  347. with pytest.raises(KeycloakAuthorizationConfigError):
  348. oid.get_policies(token=token["access_token"])
  350. oid.load_authorization_config(path="tests/data/authz_settings.json")
  351. assert oid.get_policies(token=token["access_token"]) is None
  353. key = "-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----"
  354. orig_client_id = oid.client_id
  355. oid.client_id = "account"
  356. assert oid.get_policies(token=token["access_token"], method_token_info="decode", key=key) == []
  357. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  358. policy.add_role(role="account/view-profile")
  359. oid.authorization.policies["test"] = policy
  360. assert [
  361. str(x)
  362. for x in oid.get_policies(token=token["access_token"], method_token_info="decode", key=key)
  363. ] == ["Policy: test (role)"]
  364. assert [
  365. repr(x)
  366. for x in oid.get_policies(token=token["access_token"], method_token_info="decode", key=key)
  367. ] == ["<Policy: test (role)>"]
  368. oid.client_id = orig_client_id
  370. oid.logout(refresh_token=token["refresh_token"])
  371. with pytest.raises(KeycloakInvalidTokenError):
  372. oid.get_policies(token=token["access_token"])
  375. def test_get_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  376. """Test get policies.
  378. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  379. server with client credentials
  380. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  381. """
  382. oid, username, password = oid_with_credentials_authz
  383. token = oid.token(username=username, password=password)
  385. with pytest.raises(KeycloakAuthorizationConfigError):
  386. oid.get_permissions(token=token["access_token"])
  388. oid.load_authorization_config(path="tests/data/authz_settings.json")
  389. assert oid.get_permissions(token=token["access_token"]) is None
  391. key = "-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----"
  392. orig_client_id = oid.client_id
  393. oid.client_id = "account"
  394. assert (
  395. oid.get_permissions(token=token["access_token"], method_token_info="decode", key=key) == []
  396. )
  397. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  398. policy.add_role(role="account/view-profile")
  399. policy.add_permission(
  400. permission=Permission(
  401. name="test-perm", type="resource", logic="POSITIVE", decision_strategy="UNANIMOUS"
  402. )
  403. )
  404. oid.authorization.policies["test"] = policy
  405. assert [
  406. str(x)
  407. for x in oid.get_permissions(
  408. token=token["access_token"], method_token_info="decode", key=key
  409. )
  410. ] == ["Permission: test-perm (resource)"]
  411. assert [
  412. repr(x)
  413. for x in oid.get_permissions(
  414. token=token["access_token"], method_token_info="decode", key=key
  415. )
  416. ] == ["<Permission: test-perm (resource)>"]
  417. oid.client_id = orig_client_id
  419. oid.logout(refresh_token=token["refresh_token"])
  420. with pytest.raises(KeycloakInvalidTokenError):
  421. oid.get_permissions(token=token["access_token"])
  424. def test_uma_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  425. """Test UMA permissions.
  427. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  428. server with client credentials
  429. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  430. """
  431. oid, username, password = oid_with_credentials_authz
  432. token = oid.token(username=username, password=password)
  434. assert len(oid.uma_permissions(token=token["access_token"])) == 1
  435. assert oid.uma_permissions(token=token["access_token"])[0]["rsname"] == "Default Resource"
  438. def test_has_uma_access(
  439. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  440. ):
  441. """Test has UMA access.
  443. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  444. server with client credentials
  445. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  446. :param admin: Keycloak Admin client
  447. :type admin: KeycloakAdmin
  448. """
  449. oid, username, password = oid_with_credentials_authz
  450. token = oid.token(username=username, password=password)
  452. assert (
  453. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  454. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  455. )
  456. assert (
  457. str(oid.has_uma_access(token=token["access_token"], permissions="Default Resource"))
  458. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  459. )
  461. with pytest.raises(KeycloakPostError):
  462. oid.has_uma_access(token=token["access_token"], permissions="Does not exist")
  464. oid.logout(refresh_token=token["refresh_token"])
  465. assert (
  466. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  467. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions=set())"
  468. )
  469. assert (
  470. str(oid.has_uma_access(token=admin.token["access_token"], permissions="Default Resource"))
  471. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions="
  472. + "{'Default Resource'})"
  473. )