def test_login__known_openid_client(issuer, call_api, snapshot):
oc = register_client(issuer)
oid_client = OpenIdClient.objects.create(
name="Test",
issuer=issuer,
client_id=oc.client_id,
client_secret=oc.client_secret,
)
app_redirect_uri = "http://i.am.pirate"
openid_uid = "*****@*****.**"
query = """
mutation {{
login (input: {{ openidUid: "{uid}", redirectUri: "{uri}" }}) {{
authorizationUrl
}}
}}
""".format(
uid=openid_uid, uri=app_redirect_uri
)
# Keycloak server used for tests does not support issuer discovery by UID, so we mock it
with patch(
"openlobby.core.api.mutations.discover_issuer", return_value=issuer
) as mock:
response = call_api(query)
mock.assert_called_once_with(openid_uid)
assert "errors" not in response
authorization_url = response["data"]["login"]["authorizationUrl"]
la = LoginAttempt.objects.get(openid_client__id=oid_client.id)
assert la.app_redirect_uri == app_redirect_uri
assert la.openid_uid == openid_uid
check_authorization_url(authorization_url, oid_client, la.state, snapshot)
def test_login_by_shortcut(issuer, client, snapshot):
oc = register_client(issuer)
oid_client = OpenIdClient.objects.create(
name="Test",
is_shortcut=True,
issuer=issuer,
client_id=oc.client_id,
client_secret=oc.client_secret,
)
app_redirect_uri = "http://i.am.pirate"
query = """
mutation {{
loginByShortcut (input: {{ shortcutId: "{id}", redirectUri: "{uri}" }}) {{
authorizationUrl
}}
}}
""".format(id=to_global_id("LoginShortcut", oid_client.id),
uri=app_redirect_uri)
response = call_api(client, query)
assert "errors" not in response
authorization_url = response["data"]["loginByShortcut"]["authorizationUrl"]
la = LoginAttempt.objects.get(openid_client__id=oid_client.id)
assert la.app_redirect_uri == app_redirect_uri
assert la.openid_uid is None
check_authorization_url(authorization_url, oid_client, la.state, snapshot)
def test_login_redirect__existing_user(client, issuer):
state = 'IDDQD'
sub = 'IDKFA'
openid_uid = 'elon.musk@openid'
first_name = 'Elon'
last_name = 'Musk'
email = '*****@*****.**'
app_redirect_uri = 'http://doom.is.legend'
oc = register_client(issuer)
oid_client = OpenIdClient.objects.create(name='Test', issuer=issuer,
client_id=oc.client_id, client_secret=oc.client_secret)
LoginAttempt.objects.create(openid_client=oid_client, state=state,
app_redirect_uri=app_redirect_uri, openid_uid=openid_uid)
User.objects.create(username=sub, first_name=first_name, last_name=last_name,
email=email, openid_uid=openid_uid)
# we are not testing real redirect url params, so we mock communication with
# OpenID Provider
user_info = {
'sub': sub,
# return different details
'given_name': 'Elons',
'family_name': 'Mustache',
'email': '*****@*****.**',
}
with patch('openlobby.core.views.get_user_info', return_value=user_info) as mock:
response = client.get(reverse('login-redirect'), {'state': state})
m_client, m_query_string = mock.call_args[0]
assert m_client.client_id == oc.client_id
assert m_query_string == 'state={}'.format(state)
assert response.status_code == 302
url, query_string = response.url.split('?')
qs = urllib.parse.parse_qs(query_string)
assert url == app_redirect_uri
assert sub == parse_access_token(qs['token'][0])
# check there is still just one user, who's details are not updated
user = User.objects.get()
assert user.username == sub
assert user.first_name == first_name
assert user.last_name == last_name
assert user.email == email
assert user.openid_uid == openid_uid