First run of tests for authentication/authorization

2022-07-05 12:13:36 -04:00 · 2022-07-05 12:13:36 -04:00 · 9bc304f841
parent f29ef3c96d
commit 9bc304f841
2 changed files with 208 additions and 0 deletions
--- a/tests/spiffworkflow_backend/integration/bank-api-authz-config.json
+++ b/tests/spiffworkflow_backend/integration/bank-api-authz-config.json
@ -0,0 +1,106 @@
+{
+  "allowRemoteResourceManagement": true,
+  "policyEnforcementMode": "ENFORCING",
+  "resources": [
+    {
+      "name": "Default Resource",
+      "type": "urn:bank-api:resources:default",
+      "ownerManagedAccess": false,
+      "attributes": {},
+      "_id": "0f0c6dcf-9b86-419d-8331-ce6dd1f779a1",
+      "uris": [
+        "/*"
+      ]
+    },
+    {
+      "name": "View Account Resource",
+      "ownerManagedAccess": false,
+      "displayName": "View Account Resource",
+      "attributes": {},
+      "_id": "6934ad55-cd6a-46d9-8653-7b1966973917",
+      "uris": [
+        "account/{id}"
+      ],
+      "scopes": [
+        {
+          "name": "account:view"
+        }
+      ]
+    }
+  ],
+  "policies": [
+    {
+      "id": "1cec062d-19dd-4896-9ced-07fe20d68b22",
+      "name": "Default Policy",
+      "description": "A policy that grants access only for users within this realm",
+      "type": "js",
+      "logic": "POSITIVE",
+      "decisionStrategy": "AFFIRMATIVE",
+      "config": {
+        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
+      }
+    },
+    {
+      "id": "2059c4a3-59d4-4a56-bf31-f861141f515c",
+      "name": "Only Bank Teller and Account Owner Policy",
+      "type": "role",
+      "logic": "POSITIVE",
+      "decisionStrategy": "UNANIMOUS",
+      "config": {
+        "roles": "[{\"id\":\"accounts_owner\",\"required\":false},{\"id\":\"bank_teller\",\"required\":false}]"
+      }
+    },
+    {
+      "id": "570a1e09-25ad-4da6-ab0a-0b77101176f2",
+      "name": "Only Account Owner Policy",
+      "type": "role",
+      "logic": "POSITIVE",
+      "decisionStrategy": "UNANIMOUS",
+      "config": {
+        "roles": "[{\"id\":\"accounts_owner\",\"required\":false}]"
+      }
+    },
+    {
+      "id": "13494e3d-5e85-43fe-80e9-ab7b6f1191d5",
+      "name": "Default Permission",
+      "description": "A permission that applies to the default resource type",
+      "type": "resource",
+      "logic": "POSITIVE",
+      "decisionStrategy": "UNANIMOUS",
+      "config": {
+        "defaultResourceType": "urn:bank-api:resources:default",
+        "applyPolicies": "[\"Default Policy\"]"
+      }
+    },
+    {
+      "id": "cf04026c-e44f-401f-92e5-5c330dff2831",
+      "name": "View Account Resource Permission",
+      "type": "resource",
+      "logic": "POSITIVE",
+      "decisionStrategy": "UNANIMOUS",
+      "config": {
+        "resources": "[\"View Account Resource\"]",
+        "applyPolicies": "[\"Only Bank Teller and Account Owner Policy\"]"
+      }
+    },
+    {
+      "id": "6ce39e54-ffe7-4f4e-b689-d190e63e3b2d",
+      "name": "View Account Scope Permission",
+      "description": "View Account Scope Permission",
+      "type": "scope",
+      "logic": "POSITIVE",
+      "decisionStrategy": "UNANIMOUS",
+      "config": {
+        "scopes": "[\"account:view\"]",
+        "applyPolicies": "[\"Only Account Owner Policy\"]"
+      }
+    }
+  ],
+  "scopes": [
+    {
+      "id": "326a57f4-c487-4466-8521-d3f0c25c399f",
+      "name": "account:view"
+    }
+  ],
+  "decisionStrategy": "UNANIMOUS"
+}
--- a/tests/spiffworkflow_backend/integration/test_authentication.py
+++ b/tests/spiffworkflow_backend/integration/test_authentication.py
@ -0,0 +1,102 @@
+"""Test_authentication."""
+from flask.testing import FlaskClient
+
+from keycloak.authorization import Authorization
+from keycloak.keycloak_openid import KeycloakOpenID
+from keycloak.uma_permissions import AuthStatus
+
+from spiffworkflow_backend.services.authentication_service import AuthenticationService
+
+server_url = "http://localhost:8080/"
+client_id = "bank-api"
+realm_name = "stackoverflow-demo"
+client_secret_key = "seciKpRanUReL0ksZaFm5nfjhMUKHVAO"
+
+user = "bob"
+password = "LetMeIn"
+
+resource = "View Account Resource"
+scope = "account:view"
+
+
+def test_get_keycloak_openid_client():
+    keycloak_openid_client = AuthenticationService.get_keycloak_openid(
+        server_url, client_id, realm_name, client_secret_key
+    )
+    assert isinstance(keycloak_openid_client, KeycloakOpenID)
+    assert isinstance(keycloak_openid_client.authorization, Authorization)
+
+
+def test_get_keycloak_token():
+    keycloak_openid = AuthenticationService.get_keycloak_openid(
+        server_url, client_id, realm_name, client_secret_key
+    )
+    token = keycloak_openid.token(user, password)
+    assert isinstance(token, dict)
+    assert isinstance(token['access_token'], str)
+    assert isinstance(token['refresh_token'], str)
+    assert token['expires_in'] == 300
+    assert token['refresh_expires_in'] == 1800
+    assert token['token_type'] == 'Bearer'
+
+
+def test_get_permission_by_token():
+    keycloak_openid = AuthenticationService.get_keycloak_openid(
+        server_url, client_id, realm_name, client_secret_key
+    )
+    keycloak_openid.load_authorization_config("tests/spiffworkflow_backend/integration/bank-api-authz-config.json")
+    token = keycloak_openid.token(user, password)
+
+    permissions = AuthenticationService.get_permission_by_token(keycloak_openid, token)
+    # TODO: permissions comes back as None. Is this right?
+    print("test_get_permission_by_token")
+
+
+def test_get_uma_permissions_by_token():
+    keycloak_openid = AuthenticationService.get_keycloak_openid(
+        server_url, client_id, realm_name, client_secret_key
+    )
+    token = keycloak_openid.token(user, password)
+    uma_permissions = AuthenticationService.get_uma_permissions_by_token(keycloak_openid, token)
+    assert isinstance(uma_permissions, list)
+    assert len(uma_permissions) == 2
+    for permission in uma_permissions:
+        assert 'rsname' in permission
+        if permission['rsname'] == "View Account Resource":
+            assert 'scopes' in permission
+            assert isinstance(permission['scopes'], list)
+            assert len(permission['scopes']) == 1
+            assert permission['scopes'][0] == "account:view"
+
+
+def test_get_uma_permissions_by_token_for_resource_and_scope():
+    keycloak_openid = AuthenticationService.get_keycloak_openid(
+        server_url, client_id, realm_name, client_secret_key
+    )
+    token = keycloak_openid.token(user, password)
+    permissions = AuthenticationService.get_uma_permissions_by_token_for_resource_and_scope(
+        keycloak_openid, token, resource, scope
+    )
+    assert isinstance(permissions, list)
+    assert len(permissions) == 1
+    assert isinstance(permissions[0], dict)
+    permission = permissions[0]
+    assert 'rsname' in permission
+    assert permission['rsname'] == resource
+    assert 'scopes' in permission
+    assert isinstance(permission['scopes'], list)
+    assert len(permission['scopes']) == 1
+    assert permission['scopes'][0] == scope
+
+
+def test_get_auth_status_for_resource_and_scope_by_token():
+    keycloak_openid = AuthenticationService.get_keycloak_openid(
+        server_url, client_id, realm_name, client_secret_key
+    )
+    token = keycloak_openid.token(user, password)
+    auth_status = AuthenticationService.get_auth_status_for_resource_and_scope_by_token(
+        keycloak_openid, token, resource, scope
+    )
+    assert isinstance(auth_status, AuthStatus)
+    assert auth_status.is_logged_in is True
+    assert auth_status.is_authorized is True