✅[#114] add setup configuration tests

maykinmedia · Nov 22, 2024 · a63657e · a63657e
1 parent 5715b80
commit a63657e
Show file tree

Hide file tree

Showing 11 changed files with 390 additions and 0 deletions.
diff --git a/testapp/settings.py b/testapp/settings.py
@@ -80,3 +80,16 @@
 LOGIN_REDIRECT_URL = reverse_lazy("admin:index")
 
 STATIC_URL = "/static/"
+
+# Django setup configuration settings
+try:
+    import django_setup_configuration
+
+    INSTALLED_APPS += ["django_setup_configuration"]
+
+    OIDC_DB_CONFIG_ENABLE = True
+    SETUP_CONFIGURATION_STEPS = [
+        "mozilla_django_oidc_db.setup_configuration.steps.AdminOIDCConfigurationStep",
+    ]
+except ImportError:
+    pass
diff --git a/tests/setupconfig/__init__.py b/tests/setupconfig/__init__.py
diff --git a/tests/setupconfig/cassettes/test_steps/test_configure_use_discovery_endpoint.yaml b/tests/setupconfig/cassettes/test_steps/test_configure_use_discovery_endpoint.yaml
@@ -0,0 +1,39 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.3
+    method: GET
+    uri: http://localhost:8080/realms/test/.well-known/openid-configuration
+  response:
+    body:
+      string: '{"issuer":"http://localhost:8080/realms/test","authorization_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/auth","token_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/token","introspection_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/userinfo","end_session_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"http://localhost:8080/realms/test/protocol/openid-connect/certs","check_session_iframe":"http://localhost:8080/realms/test/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:device_code"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token
+        token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"http://localhost:8080/realms/test/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","email","roles","phone","profile","address","kvk","web-origins","microprofile-jwt","acr","offline_access","bsn"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"revocation_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/revoke","revocation_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"device_authorization_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/auth/device","backchannel_token_delivery_modes_supported":["poll","ping"],"backchannel_authentication_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/ext/ciba/auth","backchannel_authentication_request_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512"],"require_pushed_authorization_requests":false,"pushed_authorization_request_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/ext/par/request","mtls_endpoint_aliases":{"token_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/token","revocation_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/revoke","introspection_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/token/introspect","device_authorization_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/auth/device","registration_endpoint":"http://localhost:8080/realms/test/clients-registrations/openid-connect","userinfo_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/userinfo","pushed_authorization_request_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/ext/par/request","backchannel_authentication_endpoint":"http://localhost:8080/realms/test/protocol/openid-connect/ext/ciba/auth"},"authorization_response_iss_parameter_supported":true}'
+    headers:
+      Cache-Control:
+      - no-cache, must-revalidate, no-transform, no-store
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '5847'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/tests/setupconfig/conftest.py b/tests/setupconfig/conftest.py
@@ -0,0 +1,35 @@
+import pytest
+from django_setup_configuration.test_utils import build_step_config_from_sources
+
+from mozilla_django_oidc_db.setup_configuration.steps import AdminOIDCConfigurationStep
+
+"""
+Key cloak credentials are setup for the keycloak docker-compose.yml.
+
+`oidc_rp_client_id` and `oidc_rp_client_secret` are taken from the keycloak fixture
+in /docker/import/test-reaml.json
+
+See more info in /docker/README.md
+
+"""
+
+
+@pytest.fixture
+def setup_config_discovery_model(settings):
+    return build_step_config_from_sources(
+        AdminOIDCConfigurationStep, "tests/setupconfig/files/discovery.yml"
+    )
+
+
+@pytest.fixture
+def setup_config_defaults_model(settings):
+    return build_step_config_from_sources(
+        AdminOIDCConfigurationStep, "tests/setupconfig/files/defaults.yml"
+    )
+
+
+@pytest.fixture
+def setup_config_full_model():
+    return build_step_config_from_sources(
+        AdminOIDCConfigurationStep, "tests/setupconfig/files/full_setup.yml"
+    )
diff --git a/tests/setupconfig/files/defaults.yml b/tests/setupconfig/files/defaults.yml
@@ -0,0 +1,8 @@
+ADMIN_OIDC_CONFIG_ENABLE: True
+ADMIN_OIDC:
+  oidc_rp_client_id: client-id
+  oidc_rp_client_secret: secret
+  endpoint_config:
+    oidc_op_authorization_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/auth
+    oidc_op_token_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/token
+    oidc_op_user_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
diff --git a/tests/setupconfig/files/discovery.yml b/tests/setupconfig/files/discovery.yml
@@ -0,0 +1,6 @@
+ADMIN_OIDC_CONFIG_ENABLE: True
+ADMIN_OIDC:
+  oidc_rp_client_id: testid
+  oidc_rp_client_secret: 7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I
+  endpoint_config:
+    oidc_op_discovery_endpoint: http://localhost:8080/realms/test/
diff --git a/tests/setupconfig/files/discovery_disabled.yml b/tests/setupconfig/files/discovery_disabled.yml
@@ -0,0 +1,6 @@
+ADMIN_OIDC_CONFIG_ENABLE: False
+ADMIN_OIDC:
+  oidc_rp_client_id: testid
+  oidc_rp_client_secret: 7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I
+  endpoint_config:
+    oidc_op_discovery_endpoint: http://localhost:8080/realms/test/
diff --git a/tests/setupconfig/files/empty.yml b/tests/setupconfig/files/empty.yml
@@ -0,0 +1,2 @@
+ADMIN_OIDC_CONFIG_ENABLE: True
+ADMIN_OIDC: {}
diff --git a/tests/setupconfig/files/full_setup.yml b/tests/setupconfig/files/full_setup.yml
@@ -0,0 +1,36 @@
+ADMIN_OIDC_CONFIG_ENABLE: True
+ADMIN_OIDC:
+  oidc_rp_client_id: client-id
+  oidc_rp_client_secret: secret
+  oidc_rp_scopes_list:
+  - open_id
+  - email
+  - profile
+  - extra_scope
+  oidc_rp_sign_algo: RS256
+  oidc_rp_idp_sign_key: key
+  oidc_op_jwks_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  endpoint_config:
+      oidc_op_authorization_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/auth
+      oidc_op_token_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/token
+      oidc_op_user_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  username_claim:
+  - claim_name
+  groups_claim:
+  - groups_claim_name
+  claim_mapping:
+    first_name:
+    - given_name
+  sync_groups: false
+  sync_groups_glob_pattern: local.groups.*
+  default_groups:
+  - local.groups.Admins
+  - local.groups.Read-only
+  make_users_staff: true
+  superuser_group_names:
+  - superuser
+  oidc_use_nonce: false
+  oidc_nonce_size: 48
+  oidc_state_size: 48
+  userinfo_claims_source: id_token
+
diff --git a/tests/setupconfig/files/partial_endpoints.yml b/tests/setupconfig/files/partial_endpoints.yml
@@ -0,0 +1,8 @@
+ADMIN_OIDC_CONFIG_ENABLE: True
+ADMIN_OIDC:
+  oidc_rp_client_id: client-id
+  oidc_rp_client_secret: secret
+  endpoint_config:
+    oidc_op_authorization_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/auth
+#    oidc_op_token_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/token
+#    oidc_op_user_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/userinfo