spiff-arena/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_authentication.py

import ast
import base64
import time

from flask.app import Flask
from flask.testing import FlaskClient
from spiffworkflow_backend.models.db import db
from spiffworkflow_backend.models.user import UserModel
from spiffworkflow_backend.services.authentication_service import AuthenticationService
from spiffworkflow_backend.services.authorization_service import AuthorizationService
from spiffworkflow_backend.services.authorization_service import GroupPermissionsDict

from tests.spiffworkflow_backend.helpers.base_test import BaseTest


class TestAuthentication(BaseTest):
    def test_get_login_state(self) -> None:
        redirect_url = "http://example.com/"
        state = AuthenticationService.generate_state(redirect_url)
        state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))

        assert isinstance(state_dict, dict)
        assert "redirect_url" in state_dict.keys()
        assert state_dict["redirect_url"] == redirect_url

    def test_properly_adds_user_to_groups_from_token_on_login(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        with self.app_config_mock(app, "SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS", True):
            user = self.find_or_create_user("testing@e.com")
            user.email = "testing@e.com"
            user.service = app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"]
            db.session.add(user)
            db.session.commit()

            access_token = user.encode_auth_token(
                {
                    "groups": ["group_one", "group_two"],
                    "iss": app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"],
                    "aud": "spiffworkflow-backend",
                    "iat": round(time.time()),
                    "exp": round(time.time()) + 1000,
                }
            )
            response = None
            response = client.post(
                f"/v1.0/login_with_access_token?access_token={access_token}",
            )
            assert response.status_code == 200
            assert len(user.groups) == 3
            group_identifiers = [g.identifier for g in user.groups]
            assert sorted(group_identifiers) == ["everybody", "group_one", "group_two"]

            access_token = user.encode_auth_token(
                {
                    "groups": ["group_one"],
                    "iss": app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"],
                    "aud": "spiffworkflow-backend",
                    "iat": round(time.time()),
                    "exp": round(time.time()) + 1000,
                }
            )
            response = client.post(
                f"/v1.0/login_with_access_token?access_token={access_token}",
            )
            assert response.status_code == 200
            user = UserModel.query.filter_by(username=user.username).first()
            assert len(user.groups) == 2
            group_identifiers = [g.identifier for g in user.groups]
            assert sorted(group_identifiers) == ["everybody", "group_one"]

            # make sure running refresh_permissions doesn't remove the user from the group
            group_info: list[GroupPermissionsDict] = [
                {
                    "users": [],
                    "name": "group_one",
                    "permissions": [{"actions": ["create", "read"], "uri": "PG:hey"}],
                }
            ]
            AuthorizationService.refresh_permissions(group_info, group_permissions_only=True)
            user = UserModel.query.filter_by(username=user.username).first()
            assert len(user.groups) == 2
            group_identifiers = [g.identifier for g in user.groups]
            assert sorted(group_identifiers) == ["everybody", "group_one"]
            self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey")
            self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey:yo")
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 10:22:22 -04:00			`import ast`
			`import base64`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 11:17:40 -04:00			`import time`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 10:22:22 -04:00
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 11:17:40 -04:00			`from flask.app import Flask`
			`from flask.testing import FlaskClient`
			`from spiffworkflow_backend.models.db import db`
			`from spiffworkflow_backend.models.user import UserModel`
let ruff sort imports and ditch duplicative pre-commit linters 2023-05-26 20:01:08 -04:00			`from spiffworkflow_backend.services.authentication_service import AuthenticationService`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 11:17:40 -04:00			`from spiffworkflow_backend.services.authorization_service import AuthorizationService`
			`from spiffworkflow_backend.services.authorization_service import GroupPermissionsDict`
pyl is passing w/ burnettk cullerton 2022-11-18 16:45:44 -05:00
let ruff sort imports and ditch duplicative pre-commit linters 2023-05-26 20:01:08 -04:00			`from tests.spiffworkflow_backend.helpers.base_test import BaseTest`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 10:22:22 -04:00

			`class TestAuthentication(BaseTest):`
			`def test_get_login_state(self) -> None:`
			`redirect_url = "http://example.com/"`
Squashed 'spiffworkflow-backend/' changes from f9c2fa21e..5225a8b4c 5225a8b4c pyl 259f74a1e Merge branch 'main' into bug/refresh-token d452208ef Merge pull request #135 from sartography/feature/permissions3 8e1075406 Merge branch 'main' into bug/refresh-token 2b01d2fe7 fixed authentication_callback and getting the user w/ burnettk 476e36c7d mypy changes 6403e62c0 Fix migration after merging main 594a32b67 merged in main and resolved conflicts w/ burnettk b285ba1a1 added updated columns to secrets and updated flask-bpmn 7c53fc9fa Merge remote-tracking branch 'origin/main' into feature/permissions3 201a6918a pyl changes a6112f7fb Merge branch 'main' into bug/refresh-token 87f65a6c6 auth_token should be dictionary, not string f163de61c pyl 1f443bb94 PublicAuthenticationService -> AuthenticationService 6c491a3df Don't refresh token here. They just logged in. We are validating the returned token. If it is bad, raise an error. 91b8649f8 id_token -> auth_token fc94774bb Move `store_refresh_token` to authentication_service 00d66e9c5 mypy c4e415dbe mypy 1e75716eb Pre commit a72b03e09 Rename method. We pass it auth_tokens, not id_tokens 9a6700a6d Too many things expect g.token. Reverting my change 74883fb23 Noe store refresh_token, and try to use it if auth_token is expired Renamed some methods to use correct token type be0557013 Cleanup - remove unused code cf01f0d51 Add refresh_token model 1c0c937af added method to delete all permissions so we can recreate them w/ burnettk aaeaac879 Merge remote-tracking branch 'origin/main' into feature/permissions3 44856fce2 added api endpoint to check if user has permissions based on given target uris w/ burnettk ae830054d precommit w/ burnettk 94d50efb1 created common method to check whether an api method should have auth w/ burnettk c955335d0 precommit w/ burnettk 37caf1a69 added a finance user to keycloak and fixed up the staging permission yml w/ burnettk 93c456294 merged in main and resolved conflicts w/ burnettk 06a7c6485 remaining tests are now passing w/ burnettk 50529d04c added test to make sure api gives a 403 if a permission is not found w/ burnettk 6a9d0a68a api calls are somewhat respecting permissions now and the process api tests are passing d07fbbeff attempting to respect permissions w/ burnettk git-subtree-dir: spiffworkflow-backend git-subtree-split: 5225a8b4c101133567d4f7efa33632d36c29c81d 2022-10-20 16:00:12 -04:00			`state = AuthenticationService.generate_state(redirect_url)`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 10:22:22 -04:00			`state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))`

			`assert isinstance(state_dict, dict)`
			`assert "redirect_url" in state_dict.keys()`
			`assert state_dict["redirect_url"] == redirect_url`

Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 11:17:40 -04:00			`def test_properly_adds_user_to_groups_from_token_on_login(`
			`self,`
			`app: Flask,`
			`client: FlaskClient,`
			`with_db_and_bpmn_file_cleanup: None,`
			`) -> None:`
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 12:54:32 -04:00			`with self.app_config_mock(app, "SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS", True):`
			`user = self.find_or_create_user("testing@e.com")`
			`user.email = "testing@e.com"`
			`user.service = app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"]`
			`db.session.add(user)`
			`db.session.commit()`
Squashed 'spiffworkflow-backend/' content from commit 50f28073 git-subtree-dir: spiffworkflow-backend git-subtree-split: 50f28073add91265f00826bd175c8b2fff76cdc5 2022-10-12 10:22:22 -04:00
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 12:54:32 -04:00			`access_token = user.encode_auth_token(`
			`{`
			`"groups": ["group_one", "group_two"],`
			`"iss": app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"],`
			`"aud": "spiffworkflow-backend",`
			`"iat": round(time.time()),`
			`"exp": round(time.time()) + 1000,`
			`}`
			`)`
			`response = None`
			`response = client.post(`
			`f"/v1.0/login_with_access_token?access_token={access_token}",`
			`)`
			`assert response.status_code == 200`
			`assert len(user.groups) == 3`
			`group_identifiers = [g.identifier for g in user.groups]`
			`assert sorted(group_identifiers) == ["everybody", "group_one", "group_two"]`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 11:17:40 -04:00
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 12:54:32 -04:00			`access_token = user.encode_auth_token(`
			`{`
			`"groups": ["group_one"],`
			`"iss": app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"],`
			`"aud": "spiffworkflow-backend",`
			`"iat": round(time.time()),`
			`"exp": round(time.time()) + 1000,`
			`}`
			`)`
			`response = client.post(`
			`f"/v1.0/login_with_access_token?access_token={access_token}",`
			`)`
			`assert response.status_code == 200`
			`user = UserModel.query.filter_by(username=user.username).first()`
			`assert len(user.groups) == 2`
			`group_identifiers = [g.identifier for g in user.groups]`
			`assert sorted(group_identifiers) == ["everybody", "group_one"]`
Feature/group mapping from keycloak (#457) * some basics to set a user groups based on info in keycloak w/ burnettk * test for adding groups from token now passes * do not remove users from groups when running refresh_permissions if specified --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-09-07 11:17:40 -04:00
add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false 2023-09-08 12:54:32 -04:00			`# make sure running refresh_permissions doesn't remove the user from the group`
			`group_info: list[GroupPermissionsDict] = [`
			`{`
			`"users": [],`
			`"name": "group_one",`
			`"permissions": [{"actions": ["create", "read"], "uri": "PG:hey"}],`
			`}`
			`]`
			`AuthorizationService.refresh_permissions(group_info, group_permissions_only=True)`
			`user = UserModel.query.filter_by(username=user.username).first()`
			`assert len(user.groups) == 2`
			`group_identifiers = [g.identifier for g in user.groups]`
			`assert sorted(group_identifiers) == ["everybody", "group_one"]`
			`self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey")`
			`self.assert_user_has_permission(user, "read", "/v1.0/process-groups/hey:yo")`