spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py

"""Test_authentication."""
import base64

import jwt
from flask import Flask
from flask.testing import FlaskClient
from tests.spiffworkflow_backend.helpers.base_test import BaseTest


class TestFlaskOpenId(BaseTest):
    """An integrated Open ID that responds to openID requests.

    By referencing a build in YAML file.  Useful for
    local development, testing, demos etc...
    """

    def test_discovery_of_endpoints(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        """Test discovery endpoints."""
        response = client.get("/openid/.well-known/openid-configuration")
        discovered_urls = response.json
        assert "http://localhost/openid" == discovered_urls["issuer"]
        assert (
            "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]
        )
        assert "http://localhost/openid/token" == discovered_urls["token_endpoint"]

    def test_get_login_page(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        """It should be possible to get to a login page."""
        data = {"state": {"bubblegum": 1, "daydream": 2}}
        response = client.get("/openid/auth", query_string=data)
        assert b"<h2>Login</h2>" in response.data
        assert b"bubblegum" in response.data

    def test_get_token(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        """Test_get_token."""
        code = "testadmin1:1234123412341234"

        """It should be possible to get a token."""
        backend_basic_auth_string = code
        backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")
        backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {backend_basic_auth.decode('utf-8')}",
        }
        data = {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_url": "http://localhost:7000/v1.0/login_return",
        }
        response = client.post("/openid/token", data=data, headers=headers)
        assert response
        assert response.is_json
        assert "access_token" in response.json
        assert "id_token" in response.json
        assert "refresh_token" in response.json

        decoded_token = jwt.decode(
            response.json["id_token"], options={"verify_signature": False}
        )
        assert "iss" in decoded_token
        assert "email" in decoded_token
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`"""Test_authentication."""`
Removing two fields from user table that were not used (uid, name) Request email from open id clients, as this would provide a handy way to uniquely reference users when assigning to groups. During Login do a lookup on email if possible -- so that permissions assignments based on email can be connected when sigining in through openid. Don't use "open_id" for the service name on user accounts, use the iss string provided through open id, this will allow us to support more than one open id platform. Update the KeyCloak configuration so it is able to return email addresses for users -- which will make permission assignment easier in the future. Removed several unused commands in the user_service class. 2022-12-12 15:43:19 -05:00			`import base64`

			`import jwt`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`from flask import Flask`
			`from flask.testing import FlaskClient`
			`from tests.spiffworkflow_backend.helpers.base_test import BaseTest`


Fixes based off KB's super kind review. ------- * Remove unnecessary packages from dockerfile for the demo-connect proxy. * Rename an environment variable that mentioned Status.im in what is now a generic connector. * Fixed a spelling mistake. 2022-12-05 10:46:26 -05:00			`class TestFlaskOpenId(BaseTest):`
I can't say I love flake8. Removing dependency on rust (monkeytype) 2022-12-01 16:22:50 -05:00			`"""An integrated Open ID that responds to openID requests.`

			`By referencing a build in YAML file. Useful for`
			`local development, testing, demos etc...`
			`"""`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00
Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`def test_discovery_of_endpoints(`
			`self,`
			`app: Flask,`
			`client: FlaskClient,`
			`with_db_and_bpmn_file_cleanup: None,`
			`) -> None:`
I can't say I love flake8. Removing dependency on rust (monkeytype) 2022-12-01 16:22:50 -05:00			`"""Test discovery endpoints."""`
A little cleanup of the ui Don't check authorization on static assets Do not require unique username on user table (uniqueness check is on the service and service id composite.) 2022-12-01 11:42:36 -05:00			`response = client.get("/openid/.well-known/openid-configuration")`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`discovered_urls = response.json`
			`assert "http://localhost/openid" == discovered_urls["issuer"]`
Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`assert (`
			`"http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]`
			`)`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`assert "http://localhost/openid/token" == discovered_urls["token_endpoint"]`

Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`def test_get_login_page(`
			`self,`
			`app: Flask,`
			`client: FlaskClient,`
			`with_db_and_bpmn_file_cleanup: None,`
			`) -> None:`
I can't say I love flake8. Removing dependency on rust (monkeytype) 2022-12-01 16:22:50 -05:00			`"""It should be possible to get to a login page."""`
Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`data = {"state": {"bubblegum": 1, "daydream": 2}}`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`response = client.get("/openid/auth", query_string=data)`
fixing some typing issues, white space, etal... 2022-12-01 15:01:25 -05:00			`assert b"<h2>Login</h2>" in response.data`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`assert b"bubblegum" in response.data`

Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`def test_get_token(`
			`self,`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`app: Flask,`
			`client: FlaskClient,`
Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`with_db_and_bpmn_file_cleanup: None,`
			`) -> None:`
pyl w/ burnettk 2022-12-20 15:47:30 -05:00			`"""Test_get_token."""`
			`code = "testadmin1:1234123412341234"`
Removing two fields from user table that were not used (uid, name) Request email from open id clients, as this would provide a handy way to uniquely reference users when assigning to groups. During Login do a lookup on email if possible -- so that permissions assignments based on email can be connected when sigining in through openid. Don't use "open_id" for the service name on user accounts, use the iss string provided through open id, this will allow us to support more than one open id platform. Update the KeyCloak configuration so it is able to return email addresses for users -- which will make permission assignment easier in the future. Removed several unused commands in the user_service class. 2022-12-12 15:43:19 -05:00
I can't say I love flake8. Removing dependency on rust (monkeytype) 2022-12-01 16:22:50 -05:00			`"""It should be possible to get a token."""`
Removing two fields from user table that were not used (uid, name) Request email from open id clients, as this would provide a handy way to uniquely reference users when assigning to groups. During Login do a lookup on email if possible -- so that permissions assignments based on email can be connected when sigining in through openid. Don't use "open_id" for the service name on user accounts, use the iss string provided through open id, this will allow us to support more than one open id platform. Update the KeyCloak configuration so it is able to return email addresses for users -- which will make permission assignment easier in the future. Removed several unused commands in the user_service class. 2022-12-12 15:43:19 -05:00			`backend_basic_auth_string = code`
			`backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")`
			`backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`headers = {`
			`"Content-Type": "application/x-www-form-urlencoded",`
Removing two fields from user table that were not used (uid, name) Request email from open id clients, as this would provide a handy way to uniquely reference users when assigning to groups. During Login do a lookup on email if possible -- so that permissions assignments based on email can be connected when sigining in through openid. Don't use "open_id" for the service name on user accounts, use the iss string provided through open id, this will allow us to support more than one open id platform. Update the KeyCloak configuration so it is able to return email addresses for users -- which will make permission assignment easier in the future. Removed several unused commands in the user_service class. 2022-12-12 15:43:19 -05:00			`"Authorization": f"Basic {backend_basic_auth.decode('utf-8')}",`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`}`
Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`data = {`
			`"grant_type": "authorization_code",`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`"code": code,`
Reorder config imports so that instance config is dead last - and can override everything else. Updated docker-compose for running a demo. run_pyl fixes 2022-12-01 14:12:25 -05:00			`"redirect_url": "http://localhost:7000/v1.0/login_return",`
Adding a blueprint for openid - a very lightweight embedded authentication system to make it eaiser to try out SpiffWorkflow when you don't have openID set up with Google etal. Removing all calls to open id's user_info endpoint - as these are unncessiary. Adding a users section to the permission files -- so we can handle all user/group/permissions in one file when needed. There was a very confusing is_admin function on the user model that needed killin. 2022-11-30 11:32:55 -05:00			`}`
			`response = client.post("/openid/token", data=data, headers=headers)`
			`assert response`
Removing two fields from user table that were not used (uid, name) Request email from open id clients, as this would provide a handy way to uniquely reference users when assigning to groups. During Login do a lookup on email if possible -- so that permissions assignments based on email can be connected when sigining in through openid. Don't use "open_id" for the service name on user accounts, use the iss string provided through open id, this will allow us to support more than one open id platform. Update the KeyCloak configuration so it is able to return email addresses for users -- which will make permission assignment easier in the future. Removed several unused commands in the user_service class. 2022-12-12 15:43:19 -05:00			`assert response.is_json`
pyl w/ burnettk 2022-12-20 15:47:30 -05:00			`assert "access_token" in response.json`
			`assert "id_token" in response.json`
			`assert "refresh_token" in response.json`
Assure our open-id system can return emails. Update our data from Open ID Systems when users log in 2022-12-13 08:14:44 -05:00
pyl w/ burnettk 2022-12-20 15:47:30 -05:00			`decoded_token = jwt.decode(`
			`response.json["id_token"], options={"verify_signature": False}`
			`)`
			`assert "iss" in decoded_token`
			`assert "email" in decoded_token`