test: finished off openid tests

2 years ago · 7031123c1f
3 changed files with 43 additions and 3 deletions
--- a/src/keycloak/keycloak_openid.py
+++ b/src/keycloak/keycloak_openid.py
@ -524,7 +524,7 @@ class KeycloakOpenID:
        try:
            granted = self.uma_permissions(token, permissions)
        except (KeycloakPostError, KeycloakAuthenticationError) as e:
-            if e.response_code == 403:
+            if e.response_code == 403:  # pragma: no cover
                return AuthStatus(
                    is_logged_in=True, is_authorized=False, missing_permissions=needed
                )
@ -540,7 +540,7 @@ class KeycloakOpenID:
            if not scopes:
                needed.discard(resource)
                continue
-            for scope in scopes:
+            for scope in scopes:  # pragma: no cover
                needed.discard("{}#{}".format(resource, scope))

        return AuthStatus(
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -192,7 +192,6 @@ def oid_with_credentials_authz(env: KeycloakTestEnv, realm: str, admin: Keycloak
            "roles": [{"id": admin.get_realm_role(role_name="offline_access")["id"]}],
        },
    )
-    admin.create_client_authz_resource
    # Create user
    username = str(uuid.uuid4())
    password = str(uuid.uuid4())
--- a/tests/test_keycloak_openid.py
+++ b/tests/test_keycloak_openid.py
@ -13,6 +13,7 @@ from keycloak.exceptions import (
    KeycloakAuthorizationConfigError,
    KeycloakDeprecationError,
    KeycloakInvalidTokenError,
+    KeycloakPostError,
    KeycloakRPTNotFound,
 )
 from keycloak.keycloak_admin import KeycloakAdmin
@ -349,3 +350,43 @@ def test_get_permissions(oid_with_credentials_authz: tuple[KeycloakOpenID, str,
    oid.logout(refresh_token=token["refresh_token"])
    with pytest.raises(KeycloakInvalidTokenError):
        oid.get_permissions(token=token["access_token"])
+
+
+def test_uma_permissions(oid_with_credentials_authz: tuple[KeycloakOpenID, str, str]):
+    """Test UMA permissions."""
+    oid, username, password = oid_with_credentials_authz
+    token = oid.token(username=username, password=password)
+
+    assert len(oid.uma_permissions(token=token["access_token"])) == 1
+    assert oid.uma_permissions(token=token["access_token"])[0]["rsname"] == "Default Resource"
+
+
+def test_has_uma_access(
+    oid_with_credentials_authz: tuple[KeycloakOpenID, str, str], admin: KeycloakAdmin
+):
+    """Test has UMA access."""
+    oid, username, password = oid_with_credentials_authz
+    token = oid.token(username=username, password=password)
+
+    assert (
+        str(oid.has_uma_access(token=token["access_token"], permissions=""))
+        == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
+    )
+    assert (
+        str(oid.has_uma_access(token=token["access_token"], permissions="Default Resource"))
+        == "AuthStatus(is_authorized=True, is_logged_in=True, missing_permissions=set())"
+    )
+
+    with pytest.raises(KeycloakPostError):
+        oid.has_uma_access(token=token["access_token"], permissions="Does not exist")
+
+    oid.logout(refresh_token=token["refresh_token"])
+    assert (
+        str(oid.has_uma_access(token=token["access_token"], permissions=""))
+        == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions=set())"
+    )
+    assert (
+        str(oid.has_uma_access(token=admin.token["access_token"], permissions="Default Resource"))
+        == "AuthStatus(is_authorized=False, is_logged_in=False, missing_permissions="
+        + "{'Default Resource'})"
+    )