Add some OIDC flow tests.

Enable testing for gregui

Makefile

@@ -38,7 +38,7 @@ install: $(VENV)
 .PHONY: test
 test: $(VENV)
 	$(venv) $(mypy) -p greg
-	$(venv) $(COVERAGE) run --source greg,gregsite -m $(PYTEST)
+	$(venv) $(COVERAGE) run --source greg,gregsite,gregui -m $(PYTEST)
 	$(venv) $(COVERAGE) report
 	$(venv) $(COVERAGE) xml
 

gregsite/settings/testing.py

+from .base import *
+
+AUTHENTICATION_BACKENDS = [
+    "gregui.authentication.auth_backends.DevBackend",  # Fake dev backend
+    "django.contrib.auth.backends.ModelBackend",  # default
+    "gregui.authentication.auth_backends.GregOIDCBackend",
+    "sesame.backends.ModelBackend",  # link login
+]
+
+OIDC_RP_CLIENT_ID = 'lalalalala'
+OIDC_RP_CLIENT_SECRET = 'lalalalala'
+
+LOGIN_REDIRECT_URL = "http://localhost:3000/"
+LOGOUT_REDIRECT_URL = "http://localhost:3000/"
+
+CSRF_COOKIE_SAMESITE = "Strict"
+SESSION_COOKIE_SAMESITE = "Lax"
+# CSRF_COOKIE_HTTPONLY = True
+# SESSION_COOKIE_HTTPONLY = True
+
+
+ALLOWED_HOSTS += ["localhost", "127.0.0.1"]
+# EMAIL_HOST = "smtp.uio.no"
+# EMAIL_PORT = "468"
+# EMAIL_USE_SSL = True
+# EMAIL_TIMEOUT = 2
+# DEFAULT_FROM_EMAIL = "noreply@uio.no"
+EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
+
+ORGREG_CLIENT = {
+    "endpoints": {"base_url": "https://example.com/fake/"},
+    "headers": {"X-Gravitee-Api-Key": "bar"},
+}
+
+Q_CLUSTER = {
+    "name": "greg",
+    "workers": 4,
+    "timeout": 90,
+    "retry": 120,
+    "queue_limit": 50,
+    "bulk": 10,
+    "orm": "default",
+    "sync": True,
+}
+

gregui/tests/conftest.py

-from rest_framework.test import APIClient
+import time
+import pytest
 
-# from django.contrib.auth import get_user_model
+from rest_framework.test import APIClient
+from django.contrib.auth import get_user_model
 
-import pytest
+from greg.models import Person, Sponsor
+from gregui.models import GregUserProfile
 
 # from greg.models import (
 #    Consent,
@@ -17,8 +20,131 @@ import pytest
 #    ConsentType,
 # )
 
+# OIDC stuff
+@pytest.fixture
+def claims():
+    return {
+        "sub": "subsub",
+        "connect-userid_sec": ["feide:frank_foreleser@spusers.feide.no"],
+        "dataporten-userid_sec": [
+            # "feide:frank_foreleser@spusers.feide.no"
+        ],
+        "name": "Frank Foreleser Føllesen",
+        "email": "noreply@feide.no",
+        "email_verified": True,
+        "picture": "https://api.dataporten.no/userinfo/v1/user/media/p:2192dff7-6989-4244-83cc-ae5e78875bdd",
+    }
+
+
+@pytest.fixture
+def id_token_payload():
+    return {
+        "iss": "https://auth.dataporten.no",
+        "jti": "jtijti",
+        "aud": "lalalalala",
+        "sub": "subsub",
+        "iat": 1605174731,
+        "exp": 1605178331,
+        "auth_time": 1605174731,
+        "nonce": "noncenonce",
+    }
+
+@pytest.fixture
+def data():
+    return {
+        "User": {
+            "user1": {
+                "username": "user1",
+                "email": "user1@example.com",
+            },
+            "user2": {
+                "username": "user2",
+                "email": "user2@example.com",
+            },
+            "https://auth.dataporten.nosubsub": {
+                "username": "https://auth.dataporten.nosubsub",
+            },
+        },
+        "Identity": {
+            "person1": {
+                "type": "feide_id",
+                "value": "foo@example.com",
+                "person": { "email": "foo@example.com" }
+            },
+        },
+        "Person": {
+            "person1": {
+                "first_name": "Foo",
+                "last_name": "Baresen",
+                "email": "foo@example.com",
+            },        
+        },
+        "Sponsor": {
+            "sponsor1": {
+                "first_name": "Bar",
+                "last_name": "Bazesen",
+                "feide_id": "bar@example.com",
+            },
+        },
+    }
+
+
+def save_object(model, **kwargs):
+    obj = model(**kwargs)
+    obj.save()
+    return obj
+
+# TODO add person and sponsor
+OBJECT_MAPPING = {
+    "greg"
+    "person": Person,
+    "sponsor": Sponsor,
+    "user": get_user_model(),
+}
+
+
+def create_objects(cls, data):
+    objects = {}
+    for obj_name, kwargs in data.items():
+        create_kwargs = kwargs.copy()
+        for name, selector in kwargs.items():
+            if name in OBJECT_MAPPING:
+                create_kwargs[name] = OBJECT_MAPPING[name].objects.get(**selector)
+        obj = save_object(cls, **create_kwargs)
+        objects[obj_name] = obj
+    return objects
+
 
 @pytest.fixture
 def client() -> APIClient:
     client = APIClient()
     return client
+
+
+@pytest.fixture
+def greg_users(data):
+    return create_objects(get_user_model(), data["User"])
+
+
+@pytest.fixture
+def greg_persons(data):
+    return create_objects(get_user_model(), data["Person"])
+
+
+@pytest.fixture
+def greg_sponsors(data):
+    return create_objects(get_user_model(), data["Sponsor"])
+
+
+@pytest.fixture
+def log_in(client, greg_users):
+    def _log_in(username):
+        user = greg_users[username]
+        client.force_login(user=user)
+        # It seems like the session was not updated automatically this way
+        session = client.session
+        session["oidc_id_token_payload"] = {"iat": time.time()}
+        session.save()
+        return client
+
+    return _log_in
\ No newline at end of file

gregui/tests/test_oidc.py

+import time
+import pytest
+
+from django.core.exceptions import SuspiciousOperation
+from django.conf import settings
+
+from greg.models import Identity, Person, Sponsor
+from gregui.authentication.auth_backends import GregOIDCBackend
+from gregui.models import GregUserProfile
+
+
+pytestmark = pytest.mark.django_db
+
+
+def test_validate_issuer(id_token_payload):
+    backend = GregOIDCBackend()
+    backend.validate_issuer(id_token_payload)
+    id_token_payload["iss"] = "http://suspicious.no"
+    with pytest.raises(SuspiciousOperation):
+        backend.validate_issuer(id_token_payload)
+
+
+def test_validate_audiences(id_token_payload):
+    backend = GregOIDCBackend()
+    backend.validate_audience(id_token_payload)
+
+    id_token_payload["aud"] = [id_token_payload["aud"], "other_aud"]
+    with pytest.raises(SuspiciousOperation):
+        backend.validate_audience(id_token_payload)
+
+
+def test_validate_expiry(id_token_payload):
+    backend = GregOIDCBackend()
+    with pytest.raises(SuspiciousOperation):
+        backend.validate_expiry(id_token_payload)
+
+    id_token_payload["exp"] = int(time.time()) + 3600
+    backend.validate_expiry(id_token_payload)
+
+
+def test_filter_users(greg_users, claims):
+    backend = GregOIDCBackend()
+    user = backend.filter_users_by_claims(claims).get()
+    assert user.username == greg_users["https://auth.dataporten.nosubsub"].username
+
+    claims["sub"] = "non-existant-sub"
+    users = backend.filter_users_by_claims(claims)
+    assert len(users) == 0
+
+
+def test_create_user(claims):
+    backend = GregOIDCBackend()
+    user = backend.create_user(claims)
+    assert user.first_name == "Frank Foreleser"
+    assert user.last_name == "Føllesen"
+    assert user.email == "noreply@feide.no"
+
+    userProfile = GregUserProfile.objects.get(user=user)
+    assert userProfile
+
+    person = userProfile.person
+    assert person.first_name == user.first_name
+    assert person.last_name == user.last_name
+    assert person.email == user.email
+
+    ids = Identity.objects.get(person=person, type='feide_id')
+    assert ids.value == 'frank_foreleser@spusers.feide.no'
+
+
+def test_update_user(greg_users, claims):
+    backend = GregOIDCBackend()
+    user = backend.update_user(None, claims)
+
+    assert user.first_name == "Frank Foreleser"
+    assert user.last_name == "Føllesen"
+    assert user.email == "noreply@feide.no"

pytest.ini

 [pytest]
-DJANGO_SETTINGS_MODULE = gregsite.settings.dev
+DJANGO_SETTINGS_MODULE = gregsite.settings.testing