Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
672 Commits
16 Branches
109 Tags
19 MiB
Tree: a34054d089
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a34054d089'
${ noResults }
python-keycloak/tests/test_keycloak_openid.py

471 lines
17 KiB
Raw Normal View History

test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: test of init and well_known of oid
2 years ago
test: added load authorization config test
2 years ago
style: applied isort
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: added load authorization config test
2 years ago
test: added more openid tests
2 years ago
style: applied isort
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test of init and well_known of oid
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: improved the tests on urls, back to 100%
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: added auth_url and token tests, more structure to fixtures
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: added more openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added more openid tests
2 years ago
test: added load authorization config test
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added load authorization config test
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added authz tests
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
test: fix the tests, make them compatible with older python versions
2 years ago
test: finished off openid tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: finished off openid tests
2 years ago
  1. """Test module for KeycloakOpenID."""
  2. from typing import Tuple
  3. from unittest import mock
  5. import pytest
  7. from keycloak.authorization import Authorization
  8. from keycloak.authorization.permission import Permission
  9. from keycloak.authorization.policy import Policy
  10. from keycloak.authorization.role import Role
  11. from keycloak.connection import ConnectionManager
  12. from keycloak.exceptions import (
  13. KeycloakAuthenticationError,
  14. KeycloakAuthorizationConfigError,
  15. KeycloakDeprecationError,
  16. KeycloakInvalidTokenError,
  17. KeycloakPostError,
  18. KeycloakRPTNotFound,
  19. )
  20. from keycloak.keycloak_admin import KeycloakAdmin
  21. from keycloak.keycloak_openid import KeycloakOpenID
  24. def test_keycloak_openid_init(env):
  25. """Test KeycloakOpenId's init method.
  27. :param env: Environment fixture
  28. :type env: KeycloakTestEnv
  29. """
  30. oid = KeycloakOpenID(
  31. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  32. realm_name="master",
  33. client_id="admin-cli",
  34. )
  36. assert oid.client_id == "admin-cli"
  37. assert oid.client_secret_key is None
  38. assert oid.realm_name == "master"
  39. assert isinstance(oid.connection, ConnectionManager)
  40. assert isinstance(oid.authorization, Authorization)
  43. def test_well_known(oid: KeycloakOpenID):
  44. """Test the well_known method.
  46. :param oid: Keycloak OpenID client
  47. :type oid: KeycloakOpenID
  48. """
  49. res = oid.well_known()
  50. assert res is not None
  51. assert res != dict()
  52. for key in [
  53. "acr_values_supported",
  54. "authorization_encryption_alg_values_supported",
  55. "authorization_encryption_enc_values_supported",
  56. "authorization_endpoint",
  57. "authorization_signing_alg_values_supported",
  58. "backchannel_authentication_endpoint",
  59. "backchannel_authentication_request_signing_alg_values_supported",
  60. "backchannel_logout_session_supported",
  61. "backchannel_logout_supported",
  62. "backchannel_token_delivery_modes_supported",
  63. "check_session_iframe",
  64. "claim_types_supported",
  65. "claims_parameter_supported",
  66. "claims_supported",
  67. "code_challenge_methods_supported",
  68. "device_authorization_endpoint",
  69. "end_session_endpoint",
  70. "frontchannel_logout_session_supported",
  71. "frontchannel_logout_supported",
  72. "grant_types_supported",
  73. "id_token_encryption_alg_values_supported",
  74. "id_token_encryption_enc_values_supported",
  75. "id_token_signing_alg_values_supported",
  76. "introspection_endpoint",
  77. "introspection_endpoint_auth_methods_supported",
  78. "introspection_endpoint_auth_signing_alg_values_supported",
  79. "issuer",
  80. "jwks_uri",
  81. "mtls_endpoint_aliases",
  82. "pushed_authorization_request_endpoint",
  83. "registration_endpoint",
  84. "request_object_encryption_alg_values_supported",
  85. "request_object_encryption_enc_values_supported",
  86. "request_object_signing_alg_values_supported",
  87. "request_parameter_supported",
  88. "request_uri_parameter_supported",
  89. "require_pushed_authorization_requests",
  90. "require_request_uri_registration",
  91. "response_modes_supported",
  92. "response_types_supported",
  93. "revocation_endpoint",
  94. "revocation_endpoint_auth_methods_supported",
  95. "revocation_endpoint_auth_signing_alg_values_supported",
  96. "scopes_supported",
  97. "subject_types_supported",
  98. "tls_client_certificate_bound_access_tokens",
  99. "token_endpoint",
  100. "token_endpoint_auth_methods_supported",
  101. "token_endpoint_auth_signing_alg_values_supported",
  102. "userinfo_encryption_alg_values_supported",
  103. "userinfo_encryption_enc_values_supported",
  104. "userinfo_endpoint",
  105. "userinfo_signing_alg_values_supported",
  106. ]:
  107. assert key in res
  110. def test_auth_url(env, oid: KeycloakOpenID):
  111. """Test the auth_url method.
  113. :param env: Environment fixture
  114. :type env: KeycloakTestEnv
  115. :param oid: Keycloak OpenID client
  116. :type oid: KeycloakOpenID
  117. """
  118. res = oid.auth_url(redirect_uri="http://test.test/*")
  119. assert (
  120. res
  121. == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}/realms/{oid.realm_name}"
  122. + f"/protocol/openid-connect/auth?client_id={oid.client_id}&response_type=code"
  123. + "&redirect_uri=http://test.test/*&scope=email&state="
  124. )
  127. def test_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  128. """Test the token method.
  130. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  131. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  132. """
  133. oid, username, password = oid_with_credentials
  134. token = oid.token(username=username, password=password)
  135. assert token == {
  136. "access_token": mock.ANY,
  137. "expires_in": 300,
  138. "not-before-policy": 0,
  139. "refresh_expires_in": 1800,
  140. "refresh_token": mock.ANY,
  141. "scope": mock.ANY,
  142. "session_state": mock.ANY,
  143. "token_type": "Bearer",
  144. }
  146. # Test with dummy totp
  147. token = oid.token(username=username, password=password, totp="123456")
  148. assert token == {
  149. "access_token": mock.ANY,
  150. "expires_in": 300,
  151. "not-before-policy": 0,
  152. "refresh_expires_in": 1800,
  153. "refresh_token": mock.ANY,
  154. "scope": mock.ANY,
  155. "session_state": mock.ANY,
  156. "token_type": "Bearer",
  157. }
  159. # Test with extra param
  160. token = oid.token(username=username, password=password, extra_param="foo")
  161. assert token == {
  162. "access_token": mock.ANY,
  163. "expires_in": 300,
  164. "not-before-policy": 0,
  165. "refresh_expires_in": 1800,
  166. "refresh_token": mock.ANY,
  167. "scope": mock.ANY,
  168. "session_state": mock.ANY,
  169. "token_type": "Bearer",
  170. }
  173. def test_exchange_token(
  174. oid_with_credentials: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  175. ):
  176. """Test the exchange token method.
  178. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  179. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  180. :param admin: Keycloak Admin client
  181. :type admin: KeycloakAdmin
  182. """
  183. # Verify existing user
  184. oid, username, password = oid_with_credentials
  186. # Allow impersonation
  187. admin.realm_name = oid.realm_name
  188. admin.assign_client_role(
  189. user_id=admin.get_user_id(username=username),
  190. client_id=admin.get_client_id(client_id="realm-management"),
  191. roles=[
  192. admin.get_client_role(
  193. client_id=admin.get_client_id(client_id="realm-management"),
  194. role_name="impersonation",
  195. )
  196. ],
  197. )
  199. token = oid.token(username=username, password=password)
  200. assert oid.userinfo(token=token["access_token"]) == {
  201. "email": f"{username}@test.test",
  202. "email_verified": False,
  203. "preferred_username": username,
  204. "sub": mock.ANY,
  205. }
  207. # Exchange token with the new user
  208. new_token = oid.exchange_token(
  209. token=token["access_token"],
  210. client_id=oid.client_id,
  211. audience=oid.client_id,
  212. subject=username,
  213. )
  214. assert oid.userinfo(token=new_token["access_token"]) == {
  215. "email": f"{username}@test.test",
  216. "email_verified": False,
  217. "preferred_username": username,
  218. "sub": mock.ANY,
  219. }
  220. assert token != new_token
  223. def test_logout(oid_with_credentials):
  224. """Test logout.
  226. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  227. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  228. """
  229. oid, username, password = oid_with_credentials
  231. token = oid.token(username=username, password=password)
  232. assert oid.userinfo(token=token["access_token"]) != dict()
  233. assert oid.logout(refresh_token=token["refresh_token"]) == dict()
  235. with pytest.raises(KeycloakAuthenticationError):
  236. oid.userinfo(token=token["access_token"])
  239. def test_certs(oid: KeycloakOpenID):
  240. """Test certificates.
  242. :param oid: Keycloak OpenID client
  243. :type oid: KeycloakOpenID
  244. """
  245. assert len(oid.certs()["keys"]) == 2
  248. def test_public_key(oid: KeycloakOpenID):
  249. """Test public key.
  251. :param oid: Keycloak OpenID client
  252. :type oid: KeycloakOpenID
  253. """
  254. assert oid.public_key() is not None
  257. def test_entitlement(
  258. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  259. ):
  260. """Test entitlement.
  262. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  263. server with client credentials
  264. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  265. :param admin: Keycloak Admin client
  266. :type admin: KeycloakAdmin
  267. """
  268. oid, username, password = oid_with_credentials_authz
  269. token = oid.token(username=username, password=password)
  270. resource_server_id = admin.get_client_authz_resources(
  271. client_id=admin.get_client_id(oid.client_id)
  272. )[0]["_id"]
  274. with pytest.raises(KeycloakDeprecationError):
  275. oid.entitlement(token=token["access_token"], resource_server_id=resource_server_id)
  278. def test_introspect(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  279. """Test introspect.
  281. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  282. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  283. """
  284. oid, username, password = oid_with_credentials
  285. token = oid.token(username=username, password=password)
  287. assert oid.introspect(token=token["access_token"])["active"]
  288. assert oid.introspect(
  289. token=token["access_token"], rpt="some", token_type_hint="requesting_party_token"
  290. ) == {"active": False}
  292. with pytest.raises(KeycloakRPTNotFound):
  293. oid.introspect(token=token["access_token"], token_type_hint="requesting_party_token")
  296. def test_decode_token(oid_with_credentials: Tuple[KeycloakOpenID, str, str]):
  297. """Test decode token.
  299. :param oid_with_credentials: Keycloak OpenID client with pre-configured user credentials
  300. :type oid_with_credentials: Tuple[KeycloakOpenID, str, str]
  301. """
  302. oid, username, password = oid_with_credentials
  303. token = oid.token(username=username, password=password)
  305. assert (
  306. oid.decode_token(
  307. token=token["access_token"],
  308. key="-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----",
  309. options={"verify_aud": False},
  310. )["preferred_username"]
  311. == username
  312. )
  315. def test_load_authorization_config(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  316. """Test load authorization config.
  318. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  319. server with client credentials
  320. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  321. """
  322. oid, username, password = oid_with_credentials_authz
  324. oid.load_authorization_config(path="tests/data/authz_settings.json")
  325. assert "test-authz-rb-policy" in oid.authorization.policies
  326. assert isinstance(oid.authorization.policies["test-authz-rb-policy"], Policy)
  327. assert len(oid.authorization.policies["test-authz-rb-policy"].roles) == 1
  328. assert isinstance(oid.authorization.policies["test-authz-rb-policy"].roles[0], Role)
  329. assert len(oid.authorization.policies["test-authz-rb-policy"].permissions) == 2
  330. assert isinstance(
  331. oid.authorization.policies["test-authz-rb-policy"].permissions[0], Permission
  332. )
  335. def test_get_policies(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  336. """Test get policies.
  338. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  339. server with client credentials
  340. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  341. """
  342. oid, username, password = oid_with_credentials_authz
  343. token = oid.token(username=username, password=password)
  345. with pytest.raises(KeycloakAuthorizationConfigError):
  346. oid.get_policies(token=token["access_token"])
  348. oid.load_authorization_config(path="tests/data/authz_settings.json")
  349. assert oid.get_policies(token=token["access_token"]) is None
  351. key = "-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----"
  352. orig_client_id = oid.client_id
  353. oid.client_id = "account"
  354. assert oid.get_policies(token=token["access_token"], method_token_info="decode", key=key) == []
  355. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  356. policy.add_role(role="account/view-profile")
  357. oid.authorization.policies["test"] = policy
  358. assert [
  359. str(x)
  360. for x in oid.get_policies(token=token["access_token"], method_token_info="decode", key=key)
  361. ] == ["Policy: test (role)"]
  362. assert [
  363. repr(x)
  364. for x in oid.get_policies(token=token["access_token"], method_token_info="decode", key=key)
  365. ] == ["<Policy: test (role)>"]
  366. oid.client_id = orig_client_id
  368. oid.logout(refresh_token=token["refresh_token"])
  369. with pytest.raises(KeycloakInvalidTokenError):
  370. oid.get_policies(token=token["access_token"])
  373. def test_get_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  374. """Test get policies.
  376. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  377. server with client credentials
  378. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  379. """
  380. oid, username, password = oid_with_credentials_authz
  381. token = oid.token(username=username, password=password)
  383. with pytest.raises(KeycloakAuthorizationConfigError):
  384. oid.get_permissions(token=token["access_token"])
  386. oid.load_authorization_config(path="tests/data/authz_settings.json")
  387. assert oid.get_permissions(token=token["access_token"]) is None
  389. key = "-----BEGIN PUBLIC KEY-----\n" + oid.public_key() + "\n-----END PUBLIC KEY-----"
  390. orig_client_id = oid.client_id
  391. oid.client_id = "account"
  392. assert (
  393. oid.get_permissions(token=token["access_token"], method_token_info="decode", key=key) == []
  394. )
  395. policy = Policy(name="test", type="role", logic="POSITIVE", decision_strategy="UNANIMOUS")
  396. policy.add_role(role="account/view-profile")
  397. policy.add_permission(
  398. permission=Permission(
  399. name="test-perm", type="resource", logic="POSITIVE", decision_strategy="UNANIMOUS"
  400. )
  401. )
  402. oid.authorization.policies["test"] = policy
  403. assert [
  404. str(x)
  405. for x in oid.get_permissions(
  406. token=token["access_token"], method_token_info="decode", key=key
  407. )
  408. ] == ["Permission: test-perm (resource)"]
  409. assert [
  410. repr(x)
  411. for x in oid.get_permissions(
  412. token=token["access_token"], method_token_info="decode", key=key
  413. )
  414. ] == ["<Permission: test-perm (resource)>"]
  415. oid.client_id = orig_client_id
  417. oid.logout(refresh_token=token["refresh_token"])
  418. with pytest.raises(KeycloakInvalidTokenError):
  419. oid.get_permissions(token=token["access_token"])
  422. def test_uma_permissions(oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]):
  423. """Test UMA permissions.
  425. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  426. server with client credentials
  427. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  428. """
  429. oid, username, password = oid_with_credentials_authz
  430. token = oid.token(username=username, password=password)
  432. assert len(oid.uma_permissions(token=token["access_token"])) == 1
  433. assert oid.uma_permissions(token=token["access_token"])[0]["rsname"] == "Default Resource"
  436. def test_has_uma_access(
  437. oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
  438. ):
  439. """Test has UMA access.
  441. :param oid_with_credentials_authz: Keycloak OpenID client configured as an authorization
  442. server with client credentials
  443. :type oid_with_credentials_authz: Tuple[KeycloakOpenID, str, str]
  444. :param admin: Keycloak Admin client
  445. :type admin: KeycloakAdmin
  446. """
  447. oid, username, password = oid_with_credentials_authz
  448. token = oid.token(username=username, password=password)
  450. assert (
  451. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  452. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  453. )
  454. assert (
  455. str(oid.has_uma_access(token=token["access_token"], permissions="Default Resource"))
  456. == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
  457. )
  459. with pytest.raises(KeycloakPostError):
  460. oid.has_uma_access(token=token["access_token"], permissions="Does not exist")
  462. oid.logout(refresh_token=token["refresh_token"])
  463. assert (
  464. str(oid.has_uma_access(token=token["access_token"], permissions=""))
  465. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions=set())"
  466. )
  467. assert (
  468. str(oid.has_uma_access(token=admin.token["access_token"], permissions="Default Resource"))
  469. == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions="
  470. + "{'Default Resource'})"
  471. )