spiff-arena/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_authentication.py

import ast
import base64
import re
import time
from typing import Any

from flask.app import Flask
from flask.testing import FlaskClient
from spiffworkflow_backend.models.db import db
from spiffworkflow_backend.models.user import UserModel
from spiffworkflow_backend.services.authentication_service import AuthenticationService
from spiffworkflow_backend.services.authorization_service import AuthorizationService
from spiffworkflow_backend.services.authorization_service import GroupPermissionsDict
from spiffworkflow_backend.services.service_account_service import ServiceAccountService
from spiffworkflow_backend.services.user_service import UserService

from tests.spiffworkflow_backend.helpers.base_test import BaseTest


class TestAuthentication(BaseTest):
    def test_get_login_state(self) -> None:
        redirect_url = "http://example.com/"
        state = AuthenticationService.generate_state(redirect_url, authentication_identifier="default")
        state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))

        assert isinstance(state_dict, dict)
        assert "redirect_url" in state_dict.keys()
        assert state_dict["redirect_url"] == redirect_url

    def test_properly_adds_user_to_groups_from_token_on_login(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        with self.app_config_mock(app, "SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS", True):
            user = self.find_or_create_user("testing@e.com")
            user.email = "testing@e.com"
            user.service = app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"]
            db.session.add(user)
            db.session.commit()

            access_token = user.encode_auth_token(
                {
                    "groups": ["group_one", "group_two"],
                    "iss": app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"],
                    "aud": "spiffworkflow-backend",
                    "iat": round(time.time()),
                    "exp": round(time.time()) + 1000,
                }
            )
            response = None
            response = client.post(
                f"/v1.0/login_with_access_token?access_token={access_token}&authentication_identifier=default",
            )
            assert response.status_code == 200
            assert len(user.groups) == 3
            group_identifiers = [g.identifier for g in user.groups]
            assert sorted(group_identifiers) == ["everybody", "group_one", "group_two"]

            access_token = user.encode_auth_token(
                {
                    "groups": ["group_one"],
                    "iss": app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"],
                    "aud": "spiffworkflow-backend",
                    "iat": round(time.time()),
                    "exp": round(time.time()) + 1000,
                }
            )
            response = client.post(
                f"/v1.0/login_with_access_token?access_token={access_token}&authentication_identifier=default",
            )
            assert response.status_code == 200
            user = UserModel.query.filter_by(username=user.username).first()
            assert len(user.groups) == 2
            group_identifiers = [g.identifier for g in user.groups]
            assert sorted(group_identifiers) == ["everybody", "group_one"]

            # make sure running refresh_permissions doesn't remove the user from the group
            group_info: list[GroupPermissionsDict] = [
                {
                    "users": [],
                    "name": "group_one",
                    "permissions": [{"actions": ["create", "read"], "uri": "PG:hey"}],
                }
            ]
            AuthorizationService.refresh_permissions(group_info, group_permissions_only=True)
            user = UserModel.query.filter_by(username=user.username).first()
            assert len(user.groups) == 2
            group_identifiers = [g.identifier for g in user.groups]
            assert sorted(group_identifiers) == ["everybody", "group_one"]
            self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey")
            self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey:yo")

    def test_does_not_remove_permissions_from_service_accounts_on_refresh(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
        with_super_admin_user: UserModel,
    ) -> None:
        service_account = ServiceAccountService.create_service_account("sa_api_key", with_super_admin_user)
        service_account_permissions_before = sorted(
            UserService.get_permission_targets_for_user(service_account.user, check_groups=False)
        )

        # make sure running refresh_permissions doesn't remove the user from the group
        group_info: list[GroupPermissionsDict] = [
            {
                "users": [],
                "name": "group_one",
                "permissions": [{"actions": ["create", "read"], "uri": "PG:hey"}],
            }
        ]
        AuthorizationService.refresh_permissions(group_info, group_permissions_only=True)

        service_account_permissions_after = sorted(
            UserService.get_permission_targets_for_user(service_account.user, check_groups=False)
        )
        assert service_account_permissions_before == service_account_permissions_after

    def test_can_login_with_valid_user(
        self,
        app: Flask,
        mocker: Any,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        redirect_uri = f"{app.config['SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND']}/test-redirect-dne"
        auth_uri = app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"]
        login_return_uri = f"{app.config['SPIFFWORKFLOW_BACKEND_URL']}/v1.0/login_return"

        class_method_mock = mocker.patch(
            "spiffworkflow_backend.services.authentication_service.AuthenticationService.open_id_endpoint_for_name",
            return_value=auth_uri,
        )

        response = client.get(
            f"/v1.0/login?redirect_url={redirect_uri}&authentication_identifier=default",
        )

        assert class_method_mock.call_count == 1
        assert response.status_code == 302
        assert response.location.startswith(auth_uri)
        assert re.search(r"\bredirect_uri=" + re.escape(login_return_uri), response.location) is not None

    def test_raises_error_if_invalid_redirect_url(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        redirect_url = "http://www.bad_url.com/test-redirect-dne"
        response = client.get(
            f"/v1.0/login?redirect_url={redirect_url}&authentication_identifier=DOES_NOT_MATTER",
        )
        assert response.status_code == 500
        assert response.json is not None
        assert response.json["message"].startswith("InvalidRedirectUrlError:")
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 14:22:22 +00:00			`import ast`
			`import base64`
bugfix/guest-login-multiple-auths (#782) * This fixes guest login with using multiple auths, removes empty items from ApiError, and raises if redirect_url given to login does not match expected frontend host w/ burnettk * get body for debug * try to get the logs from the correct place to upload w/ burnettk * mock the openid call instead of actually calling it w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-30 18:51:01 +00:00			`import re`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 15:17:40 +00:00			`import time`
bugfix/guest-login-multiple-auths (#782) * This fixes guest login with using multiple auths, removes empty items from ApiError, and raises if redirect_url given to login does not match expected frontend host w/ burnettk * get body for debug * try to get the logs from the correct place to upload w/ burnettk * mock the openid call instead of actually calling it w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-30 18:51:01 +00:00			`from typing import Any`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 14:22:22 +00:00
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 15:17:40 +00:00			`from flask.app import Flask`
			`from flask.testing import FlaskClient`
			`from spiffworkflow_backend.models.db import db`
			`from spiffworkflow_backend.models.user import UserModel`
let ruff sort imports and ditch duplicative pre-commit linters 2023-05-27 00:01:08 +00:00			`from spiffworkflow_backend.services.authentication_service import AuthenticationService`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 15:17:40 +00:00			`from spiffworkflow_backend.services.authorization_service import AuthorizationService`
			`from spiffworkflow_backend.services.authorization_service import GroupPermissionsDict`
Feature/api keys (#489) * some initial work to support user api keys w/ burnettk * some updates to store and use service accounts - migrations do not work in sqlite atm * pyl * minor tweak to the migration * refactored user route * this is working if returning user that created the service account * put back migrations from main w/ burnettk * tests pass with new migration w/ burnettk * do not remove service account permissions on refresh_permissions w/ burnettk * added new component to make some api calls to populate child components and routes w/ burnettk * allow displaying extensions in configuration tab w/ burnettk * removed service accounts controller in favor of extension and encrypt the api keys * add fuzz to username to make deleting and recreating service accounts easier * allow specifying the process id to use when running an extension w/ burnettk * allow extensions to navigate to each other on form submit w/ burnettk * removed commented out debug code --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-15 14:10:57 +00:00			`from spiffworkflow_backend.services.service_account_service import ServiceAccountService`
			`from spiffworkflow_backend.services.user_service import UserService`
pyl is passing w/ burnettk cullerton 2022-11-18 21:45:44 +00:00
let ruff sort imports and ditch duplicative pre-commit linters 2023-05-27 00:01:08 +00:00			`from tests.spiffworkflow_backend.helpers.base_test import BaseTest`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 14:22:22 +00:00

			`class TestAuthentication(BaseTest):`
			`def test_get_login_state(self) -> None:`
			`redirect_url = "http://example.com/"`
Feature/support multiple auth (#602) * added some support for configs to have mutliple auths * multiple openids services are mostly working - still needs some cleanup * some cleanup for pyl and fixed login_return for internal openid server w/ burnettk * if only one auth is returned from backend then just do that w/ burnettk * login page has been formatted w/ burnettk * some extra formatting on the login page w/ burnettk * relabel test openid providers and add user --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-09 15:34:07 +00:00			`state = AuthenticationService.generate_state(redirect_url, authentication_identifier="default")`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 14:22:22 +00:00			`state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))`

			`assert isinstance(state_dict, dict)`
			`assert "redirect_url" in state_dict.keys()`
			`assert state_dict["redirect_url"] == redirect_url`

Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 15:17:40 +00:00			`def test_properly_adds_user_to_groups_from_token_on_login(`
			`self,`
			`app: Flask,`
			`client: FlaskClient,`
			`with_db_and_bpmn_file_cleanup: None,`
			`) -> None:`
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`with self.app_config_mock(app, "SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS", True):`
			`user = self.find_or_create_user("testing@e.com")`
			`user.email = "testing@e.com"`
Feature/support multiple auth (#602) * added some support for configs to have mutliple auths * multiple openids services are mostly working - still needs some cleanup * some cleanup for pyl and fixed login_return for internal openid server w/ burnettk * if only one auth is returned from backend then just do that w/ burnettk * login page has been formatted w/ burnettk * some extra formatting on the login page w/ burnettk * relabel test openid providers and add user --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-09 15:34:07 +00:00			`user.service = app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"]`
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`db.session.add(user)`
			`db.session.commit()`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 14:22:22 +00:00
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`access_token = user.encode_auth_token(`
			`{`
			`"groups": ["group_one", "group_two"],`
Feature/support multiple auth (#602) * added some support for configs to have mutliple auths * multiple openids services are mostly working - still needs some cleanup * some cleanup for pyl and fixed login_return for internal openid server w/ burnettk * if only one auth is returned from backend then just do that w/ burnettk * login page has been formatted w/ burnettk * some extra formatting on the login page w/ burnettk * relabel test openid providers and add user --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-09 15:34:07 +00:00			`"iss": app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"],`
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`"aud": "spiffworkflow-backend",`
			`"iat": round(time.time()),`
			`"exp": round(time.time()) + 1000,`
			`}`
			`)`
			`response = None`
			`response = client.post(`
Feature/support multiple auth (#602) * added some support for configs to have mutliple auths * multiple openids services are mostly working - still needs some cleanup * some cleanup for pyl and fixed login_return for internal openid server w/ burnettk * if only one auth is returned from backend then just do that w/ burnettk * login page has been formatted w/ burnettk * some extra formatting on the login page w/ burnettk * relabel test openid providers and add user --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-09 15:34:07 +00:00			`f"/v1.0/login_with_access_token?access_token={access_token}&authentication_identifier=default",`
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`)`
			`assert response.status_code == 200`
			`assert len(user.groups) == 3`
			`group_identifiers = [g.identifier for g in user.groups]`
			`assert sorted(group_identifiers) == ["everybody", "group_one", "group_two"]`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 15:17:40 +00:00
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`access_token = user.encode_auth_token(`
			`{`
			`"groups": ["group_one"],`
Feature/support multiple auth (#602) * added some support for configs to have mutliple auths * multiple openids services are mostly working - still needs some cleanup * some cleanup for pyl and fixed login_return for internal openid server w/ burnettk * if only one auth is returned from backend then just do that w/ burnettk * login page has been formatted w/ burnettk * some extra formatting on the login page w/ burnettk * relabel test openid providers and add user --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-09 15:34:07 +00:00			`"iss": app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"],`
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`"aud": "spiffworkflow-backend",`
			`"iat": round(time.time()),`
			`"exp": round(time.time()) + 1000,`
			`}`
			`)`
			`response = client.post(`
Feature/support multiple auth (#602) * added some support for configs to have mutliple auths * multiple openids services are mostly working - still needs some cleanup * some cleanup for pyl and fixed login_return for internal openid server w/ burnettk * if only one auth is returned from backend then just do that w/ burnettk * login page has been formatted w/ burnettk * some extra formatting on the login page w/ burnettk * relabel test openid providers and add user --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-09 15:34:07 +00:00			`f"/v1.0/login_with_access_token?access_token={access_token}&authentication_identifier=default",`
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`)`
			`assert response.status_code == 200`
			`user = UserModel.query.filter_by(username=user.username).first()`
			`assert len(user.groups) == 2`
			`group_identifiers = [g.identifier for g in user.groups]`
			`assert sorted(group_identifiers) == ["everybody", "group_one"]`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 15:17:40 +00:00
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 16:54:32 +00:00			`# make sure running refresh_permissions doesn't remove the user from the group`
			`group_info: list[GroupPermissionsDict] = [`
			`{`
			`"users": [],`
			`"name": "group_one",`
			`"permissions": [{"actions": ["create", "read"], "uri": "PG:hey"}],`
			`}`
			`]`
			`AuthorizationService.refresh_permissions(group_info, group_permissions_only=True)`
			`user = UserModel.query.filter_by(username=user.username).first()`
			`assert len(user.groups) == 2`
			`group_identifiers = [g.identifier for g in user.groups]`
			`assert sorted(group_identifiers) == ["everybody", "group_one"]`
			`self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey")`
			`self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey:yo")`
Feature/api keys (#489) * some initial work to support user api keys w/ burnettk * some updates to store and use service accounts - migrations do not work in sqlite atm * pyl * minor tweak to the migration * refactored user route * this is working if returning user that created the service account * put back migrations from main w/ burnettk * tests pass with new migration w/ burnettk * do not remove service account permissions on refresh_permissions w/ burnettk * added new component to make some api calls to populate child components and routes w/ burnettk * allow displaying extensions in configuration tab w/ burnettk * removed service accounts controller in favor of extension and encrypt the api keys * add fuzz to username to make deleting and recreating service accounts easier * allow specifying the process id to use when running an extension w/ burnettk * allow extensions to navigate to each other on form submit w/ burnettk * removed commented out debug code --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-15 14:10:57 +00:00
			`def test_does_not_remove_permissions_from_service_accounts_on_refresh(`
			`self,`
			`app: Flask,`
			`client: FlaskClient,`
			`with_db_and_bpmn_file_cleanup: None,`
			`with_super_admin_user: UserModel,`
			`) -> None:`
			`service_account = ServiceAccountService.create_service_account("sa_api_key", with_super_admin_user)`
			`service_account_permissions_before = sorted(`
			`UserService.get_permission_targets_for_user(service_account.user, check_groups=False)`
			`)`

			`# make sure running refresh_permissions doesn't remove the user from the group`
			`group_info: list[GroupPermissionsDict] = [`
			`{`
			`"users": [],`
			`"name": "group_one",`
			`"permissions": [{"actions": ["create", "read"], "uri": "PG:hey"}],`
			`}`
			`]`
			`AuthorizationService.refresh_permissions(group_info, group_permissions_only=True)`

			`service_account_permissions_after = sorted(`
			`UserService.get_permission_targets_for_user(service_account.user, check_groups=False)`
			`)`
			`assert service_account_permissions_before == service_account_permissions_after`
bugfix/guest-login-multiple-auths (#782) * This fixes guest login with using multiple auths, removes empty items from ApiError, and raises if redirect_url given to login does not match expected frontend host w/ burnettk * get body for debug * try to get the logs from the correct place to upload w/ burnettk * mock the openid call instead of actually calling it w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2023-11-30 18:51:01 +00:00
			`def test_can_login_with_valid_user(`
			`self,`
			`app: Flask,`
			`mocker: Any,`
			`client: FlaskClient,`
			`with_db_and_bpmn_file_cleanup: None,`
			`) -> None:`
			`redirect_uri = f"{app.config['SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND']}/test-redirect-dne"`
			`auth_uri = app.config["SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS"][0]["uri"]`
			`login_return_uri = f"{app.config['SPIFFWORKFLOW_BACKEND_URL']}/v1.0/login_return"`

			`class_method_mock = mocker.patch(`
			`"spiffworkflow_backend.services.authentication_service.AuthenticationService.open_id_endpoint_for_name",`
			`return_value=auth_uri,`
			`)`

			`response = client.get(`
			`f"/v1.0/login?redirect_url={redirect_uri}&authentication_identifier=default",`
			`)`

			`assert class_method_mock.call_count == 1`
			`assert response.status_code == 302`
			`assert response.location.startswith(auth_uri)`
			`assert re.search(r"\bredirect_uri=" + re.escape(login_return_uri), response.location) is not None`

			`def test_raises_error_if_invalid_redirect_url(`
			`self,`
			`app: Flask,`
			`client: FlaskClient,`
			`with_db_and_bpmn_file_cleanup: None,`
			`) -> None:`
			`redirect_url = "http://www.bad_url.com/test-redirect-dne"`
			`response = client.get(`
			`f"/v1.0/login?redirect_url={redirect_url}&authentication_identifier=DOES_NOT_MATTER",`
			`)`
			`assert response.status_code == 500`
			`assert response.json is not None`
			`assert response.json["message"].startswith("InvalidRedirectUrlError:")`