def test_prompt_none_logged_in_client_not_cfg(client, oauth_client):
"""
Test ``prompt=none`` when user is authN'd and client does not
have pre-configured consent for the requested Claims.
"""
data = {'prompt': 'none'}
# TODO make client not have pre-cfg consent
with patch('flask.render_template') as render_mock:
oauth2.get_authorize(client, oauth_client, data=data)
# make sure no consent screen/page appears
assert render_mock.called is False
# Now use fake user consent confirmation
auth_response = oauth2.get_authorize(client,
oauth_client,
data=data,
confirm=True)
assert auth_response.status_code == 302
assert 'Location' in auth_response.headers
query_params = parse_qs(urlparse(auth_response.headers['Location']).query)
assert 'error' in query_params
assert query_params['error'][0] == 'access_denied'
def test_prompt_none_not_logged_in_client_not_cfg(app, client, oauth_client,
monkeypatch):
"""
Test ``prompt=none`` when user is not authN'd and client does not
have pre-configured consent for the requested Claims.
"""
data = {'prompt': 'none'}
# TODO make client not have pre-cfg consent
# don't mock auth so there isn't a logged in user
monkeypatch.setitem(app.config, 'MOCK_AUTH', False)
monkeypatch.setitem(app.config, 'DEFAULT_LOGIN_URL', '/login/google')
monkeypatch.setitem(app.config, 'DEFAULT_LOGIN_URL_REDIRECT_PARAM',
'redirect')
with patch('flask.render_template') as render_mock:
oauth2.get_authorize(client, oauth_client, data=data)
# make sure no consent screen/page appears
assert render_mock.called is False
# Now use fake user consent confirmation
auth_response = oauth2.get_authorize(client,
oauth_client,
data=data,
confirm=True)
assert auth_response.status_code == 302
assert 'Location' in auth_response.headers
query_params = parse_qs(urlparse(auth_response.headers['Location']).query)
assert 'error' in query_params
assert query_params['error'][0] == 'access_denied'
def test_prompt_none_not_logged_in_client_cfg(app, client, oauth_client,
monkeypatch):
"""
Test ``prompt=none`` when user is not authN'd and client
has pre-configured consent for the requested Claims.
"""
data = {'prompt': 'none'}
# don't mock auth so there isn't a logged in user
monkeypatch.setitem(app.config, 'MOCK_AUTH', False)
monkeypatch.setitem(app.config, 'DEFAULT_LOGIN_URL', '/login/google')
monkeypatch.setitem(app.config, 'DEFAULT_LOGIN_URL_REDIRECT_PARAM',
'redirect')
with patch('flask.render_template') as render_mock:
oauth2.get_authorize(client, oauth_client, data=data)
# make sure no consent screen/page appears
assert render_mock.called is False
# TODO give client pre-cfg consent
auth_response = oauth2.get_authorize(client, oauth_client, data=data)
assert auth_response.status_code == 302
assert 'Location' in auth_response.headers
query_params = parse_qs(urlparse(auth_response.headers['Location']).query)
assert 'error' in query_params
# for some reason, query_params for error come back as a list,
# even though its just a string in response. So get the first (and
# only) item
assert query_params['error'][0] == 'access_denied'
def test_no_prompt_provided(client, oauth_client):
"""
``prompt`` is optional; test that omitting it is fine.
"""
with patch('flask.render_template') as render_mock:
oauth2.get_authorize(client, oauth_client)
# make sure consent screen/page appears
assert render_mock.called is True
# Now use fake user consent confirmation
response = oauth2.get_authorize(client, oauth_client, confirm=True)
assert response.status_code == 302
assert 'Location' in response.headers
assert oauth2.code_from_authorize_response(response)
def test_prompt_login(client, oauth_client):
"""
Test ``prompt=login`` when user re-AuthN's.
"""
data = {'prompt': 'login'}
with patch('fence.blueprints.oauth2.handle_login') as handle_login_mock:
response = oauth2.get_authorize(client, oauth_client, data=data)
assert handle_login_mock.called is True
# Now use fake user consent confirmation
response = oauth2.get_authorize(client,
oauth_client,
data=data,
confirm=True)
assert response.status_code == 302
assert 'Location' in response.headers
assert oauth2.code_from_authorize_response(response)
def test_prompt_consent(app, client, oauth_client):
"""
Test ``prompt=consent`` when user approves. Should display consent
screen and then have correct response.
"""
data = {'prompt': 'consent'}
with patch('flask.render_template') as render_mock:
oauth2.get_authorize(client, oauth_client)
# make sure consent screen/page appears
assert render_mock.called is True
# Now use fake user consent confirmation
response = oauth2.get_authorize(client,
oauth_client,
data=data,
confirm=True)
assert response.status_code == 302
assert 'Location' in response.headers
assert oauth2.code_from_authorize_response(response)
def test_prompt_select_account(client, oauth_client):
"""
Test ``prompt=select_account`` when user chooses an account.
"""
data = {'prompt': 'select_account'}
# TODO check that account selection screen shows up
response = oauth2.get_authorize(client, oauth_client, data=data)
assert response.status_code == 302
assert 'Location' in response.headers
assert oauth2.code_from_authorize_response(response)
def test_prompt_none_logged_in_client_cfg(client, oauth_client):
"""
Test ``prompt=none`` when user is authN'd and client
has pre-configured consent for the requested Claims. This is the
only case where a successful response occurs.
"""
data = {'prompt': 'none'}
with patch('flask.render_template') as render_mock:
oauth2.get_authorize(client, oauth_client, data=data)
# make sure no consent screen/page appears
assert render_mock.called is False
# Now use fake user consent confirmation
response = oauth2.get_authorize(client,
oauth_client,
data=data,
confirm=True)
assert response.status_code == 302
assert 'Location' in response.headers
assert oauth2.code_from_authorize_response(response)
def test_prompt_login_no_consent(app, client, oauth_client):
"""
Test ``prompt=login`` when user does not consent. Should still show
consent screen but then return with error.
"""
data = {'prompt': 'login'}
with patch('flask.render_template') as render_mock:
oauth2.get_authorize(client, oauth_client, data=data)
# make sure consent screen/page appears
assert render_mock.called is True
# Now use fake user consent confirmation
auth_response = oauth2.get_authorize(client,
oauth_client,
data=data,
confirm=False)
assert auth_response.status_code == 302
assert 'Location' in auth_response.headers
query_params = parse_qs(urlparse(auth_response.headers['Location']).query)
assert 'error' in query_params
assert query_params['error'][0] == 'access_denied'
def test_prompt_select_account_no_choice(client, oauth_client):
"""
Test ``prompt=select_account`` when choice cannot be obtained.
"""
data = {'prompt': 'select_account'}
# TODO check that account selection screen shows up
# TODO force result to be no choice from selection options
auth_response = oauth2.get_authorize(client, oauth_client, data=data)
assert auth_response.status_code == 302
assert 'Location' in auth_response.headers
query_params = parse_qs(urlparse(auth_response.headers['Location']).query)
assert 'error' in query_params
assert query_params['error'][0] == 'account_selection_required'
def test_prompt_login_no_authn(client, oauth_client):
"""
Test ``prompt=login`` when unable to re-AuthN.
"""
data = {'prompt': 'login'}
with patch('fence.blueprints.oauth2.handle_login') as handle_login_mock:
handle_login_mock.side_effect = Unauthorized('couldnt authN')
auth_response = oauth2.get_authorize(client, oauth_client, data=data)
assert auth_response.status_code == 302
assert 'Location' in auth_response.headers
query_params = parse_qs(
urlparse(auth_response.headers['Location']).query)
assert 'error' in query_params
assert query_params['error'][0] == 'access_denied'
def test_prompt_consent_no_login(app, client, oauth_client, monkeypatch):
"""
Test ``prompt=consent`` when user is not logged in, should raise error.
"""
data = {'prompt': 'consent'}
# don't mock auth so there isn't a logged in user
monkeypatch.setitem(app.config, 'MOCK_AUTH', False)
monkeypatch.setitem(app.config, 'DEFAULT_LOGIN_URL', '/login/google')
monkeypatch.setitem(app.config, 'DEFAULT_LOGIN_URL_REDIRECT_PARAM',
'redirect')
response = oauth2.get_authorize(client, oauth_client, data=data)
assert response.status_code == 302
assert 'Location' in response.headers
query_params = parse_qs(urlparse(response.headers['Location']).query)
assert 'error' in query_params
assert query_params['error'][0] == 'access_denied'
