➕(backend) add django-lasuite dependency

Use the OIDC backend from the new library and add settings to setup OIDC token storage required for later calls to OIDC Resource Servers.
2025-01-27 15:21:39 +01:00
parent df173c3ce6
commit 2557c6bc77
13 changed files with 126 additions and 609 deletions
--- a/src/backend/core/tests/authentication/test_backends.py
+++ b/src/backend/core/tests/authentication/test_backends.py
@@ -2,14 +2,14 @@

 import random
 import re
-from logging import Logger
-from unittest import mock

 from django.core.exceptions import SuspiciousOperation
 from django.test.utils import override_settings

 import pytest
 import responses
+from cryptography.fernet import Fernet
+from lasuite.oidc_login.backends import get_oidc_refresh_token

 from core import models
 from core.authentication.backends import OIDCAuthenticationBackend
@@ -57,7 +57,7 @@ def test_authentication_getter_existing_user_via_email(

    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)

-    with django_assert_num_queries(2):
+    with django_assert_num_queries(3):  # user by sub, user by mail, update sub
        user = klass.get_or_create_user(
            access_token="test-token", id_token=None, payload=None
        )
@@ -288,7 +288,7 @@ def test_authentication_getter_new_user_no_email(monkeypatch):
    assert user.email is None
    assert user.full_name is None
    assert user.short_name is None
-    assert user.password == "!"
+    assert user.has_usable_password() is False
    assert models.User.objects.count() == 1


@@ -315,7 +315,7 @@ def test_authentication_getter_new_user_with_email(monkeypatch):
    assert user.email == email
    assert user.full_name == "John Doe"
    assert user.short_name == "John"
-    assert user.password == "!"
+    assert user.has_usable_password() is False
    assert models.User.objects.count() == 1


@@ -345,11 +345,15 @@ def test_authentication_get_userinfo_json_response():

@override_settings(OIDC_OP_USER_ENDPOINT="http://oidc.endpoint.test/userinfo")
@responses.activate
-def test_authentication_get_userinfo_token_response(monkeypatch):
+def test_authentication_get_userinfo_token_response(monkeypatch, settings):
    """Test get_userinfo method with a token response."""
-
+    settings.OIDC_RP_SIGN_ALGO = "HS256"  # disable JWKS URL call
    responses.add(
-        responses.GET, re.compile(r".*/userinfo"), body="fake.jwt.token", status=200
+        responses.GET,
+        re.compile(r".*/userinfo"),
+        body="fake.jwt.token",
+        status=200,
+        content_type="application/jwt",
    )

    def mock_verify_token(self, token):  # pylint: disable=unused-argument
@@ -371,21 +375,25 @@ def test_authentication_get_userinfo_token_response(monkeypatch):

@override_settings(OIDC_OP_USER_ENDPOINT="http://oidc.endpoint.test/userinfo")
@responses.activate
-def test_authentication_get_userinfo_invalid_response():
+def test_authentication_get_userinfo_invalid_response(settings):
    """
    Test get_userinfo method with an invalid JWT response that
    causes verify_token to raise an error.
    """
-
+    settings.OIDC_RP_SIGN_ALGO = "HS256"  # disable JWKS URL call
    responses.add(
-        responses.GET, re.compile(r".*/userinfo"), body="fake.jwt.token", status=200
+        responses.GET,
+        re.compile(r".*/userinfo"),
+        body="fake.jwt.token",
+        status=200,
+        content_type="application/jwt",
    )

    oidc_backend = OIDCAuthenticationBackend()

    with pytest.raises(
        SuspiciousOperation,
-        match="Invalid response format or token verification failed",
+        match="User info response was not valid JWT",
    ):
        oidc_backend.get_userinfo("fake_access_token", None, None)

@@ -450,100 +458,54 @@ def test_authentication_getter_existing_disabled_user_via_email(
    assert models.User.objects.count() == 1


-# Essential claims
-
-
-def test_authentication_verify_claims_default(django_assert_num_queries, monkeypatch):
-    """The sub claim should be mandatory by default."""
-    klass = OIDCAuthenticationBackend()
-
-    def get_userinfo_mocked(*args):
-        return {
-            "test": "123",
-        }
-
-    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
-
-    with (
-        django_assert_num_queries(0),
-        pytest.raises(
-            KeyError,
-            match="sub",
-        ),
-    ):
-        klass.get_or_create_user(access_token="test-token", id_token=None, payload=None)
-
-    assert models.User.objects.exists() is False
-
-
-@pytest.mark.parametrize(
-    "essential_claims, missing_claims",
-    [
-        (["email", "sub"], ["email"]),
-        (["Email", "sub"], ["Email"]),  # Case sensitivity
-    ],
-)
-@override_settings(OIDC_OP_USER_ENDPOINT="http://oidc.endpoint.test/userinfo")
-@mock.patch.object(Logger, "error")
-def test_authentication_verify_claims_essential_missing(
-    mock_logger,
-    essential_claims,
-    missing_claims,
-    django_assert_num_queries,
-    monkeypatch,
+@responses.activate
+def test_authentication_session_tokens(
+    django_assert_num_queries, monkeypatch, rf, settings
 ):
-    """Ensure SuspiciousOperation is raised if essential claims are missing."""
+    """
+    Test that the session contains oidc_refresh_token and oidc_access_token after authentication.
+    """
+    settings.OIDC_OP_TOKEN_ENDPOINT = "http://oidc.endpoint.test/token"
+    settings.OIDC_OP_USER_ENDPOINT = "http://oidc.endpoint.test/userinfo"
+    settings.OIDC_OP_JWKS_ENDPOINT = "http://oidc.endpoint.test/jwks"
+    settings.OIDC_STORE_ACCESS_TOKEN = True
+    settings.OIDC_STORE_REFRESH_TOKEN = True
+    settings.OIDC_STORE_REFRESH_TOKEN_KEY = Fernet.generate_key()

    klass = OIDCAuthenticationBackend()
+    request = rf.get("/some-url", {"state": "test-state", "code": "test-code"})
+    request.session = {}

-    def get_userinfo_mocked(*args):
-        return {
-            "sub": "123",
-            "last_name": "Doe",
-        }
+    def verify_token_mocked(*args, **kwargs):
+        return {"sub": "123", "email": "test@example.com"}

-    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+    monkeypatch.setattr(OIDCAuthenticationBackend, "verify_token", verify_token_mocked)

-    with (
-        django_assert_num_queries(0),
-        pytest.raises(
-            SuspiciousOperation,
-            match="Claims verification failed",
-        ),
-        override_settings(USER_OIDC_ESSENTIAL_CLAIMS=essential_claims),
-    ):
-        klass.get_or_create_user(access_token="test-token", id_token=None, payload=None)
+    responses.add(
+        responses.POST,
+        re.compile(settings.OIDC_OP_TOKEN_ENDPOINT),
+        json={
+            "access_token": "test-access-token",
+            "refresh_token": "test-refresh-token",
+        },
+        status=200,
+    )

-    assert models.User.objects.exists() is False
-    mock_logger.assert_called_once_with("Missing essential claims: %s", missing_claims)
-
-
-@override_settings(
-    OIDC_OP_USER_ENDPOINT="http://oidc.endpoint.test/userinfo",
-    USER_OIDC_ESSENTIAL_CLAIMS=["email", "last_name"],
-)
-def test_authentication_verify_claims_success(django_assert_num_queries, monkeypatch):
-    """Ensure user is authenticated when all essential claims are present."""
-
-    klass = OIDCAuthenticationBackend()
-
-    def get_userinfo_mocked(*args):
-        return {
-            "email": "john.doe@example.com",
-            "last_name": "Doe",
-            "sub": "123",
-        }
-
-    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+    responses.add(
+        responses.GET,
+        re.compile(settings.OIDC_OP_USER_ENDPOINT),
+        json={"sub": "123", "email": "test@example.com"},
+        status=200,
+    )

    with django_assert_num_queries(6):
-        user = klass.get_or_create_user(
-            access_token="test-token", id_token=None, payload=None
+        user = klass.authenticate(
+            request,
+            code="test-code",
+            nonce="test-nonce",
+            code_verifier="test-code-verifier",
        )

-    assert models.User.objects.filter(id=user.id).exists()
-
-    assert user.sub == "123"
-    assert user.full_name == "Doe"
-    assert user.short_name is None
-    assert user.email == "john.doe@example.com"
+    assert user is not None
+    assert request.session["oidc_access_token"] == "test-access-token"
+    assert get_oidc_refresh_token(request.session) == "test-refresh-token"
--- a/src/backend/core/tests/authentication/test_urls.py
+++ b/src/backend/core/tests/authentication/test_urls.py
@@ -1,10 +0,0 @@
-"""Unit tests for the Authentication URLs."""
-
-from core.authentication.urls import urlpatterns
-
-
-def test_urls_override_default_mozilla_django_oidc():
-    """Custom URL patterns should override default ones from Mozilla Django OIDC."""
-
-    url_names = [u.name for u in urlpatterns]
-    assert url_names.index("oidc_logout_custom") < url_names.index("oidc_logout")
--- a/src/backend/core/tests/authentication/test_views.py
+++ b/src/backend/core/tests/authentication/test_views.py
@@ -1,231 +0,0 @@
-"""Unit tests for the Authentication Views."""
-
-from unittest import mock
-from urllib.parse import parse_qs, urlparse
-
-from django.contrib.auth.models import AnonymousUser
-from django.contrib.sessions.middleware import SessionMiddleware
-from django.core.exceptions import SuspiciousOperation
-from django.test import RequestFactory
-from django.test.utils import override_settings
-from django.urls import reverse
-from django.utils import crypto
-
-import pytest
-from rest_framework.test import APIClient
-
-from core import factories
-from core.authentication.views import OIDCLogoutCallbackView, OIDCLogoutView
-
-pytestmark = pytest.mark.django_db
-
-
-@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
-def test_view_logout_anonymous():
-    """Anonymous users calling the logout url,
-    should be redirected to the specified LOGOUT_REDIRECT_URL."""
-
-    url = reverse("oidc_logout_custom")
-    response = APIClient().get(url)
-
-    assert response.status_code == 302
-    assert response.url == "/example-logout"
-
-
-@mock.patch.object(
-    OIDCLogoutView, "construct_oidc_logout_url", return_value="/example-logout"
-)
-def test_view_logout(mocked_oidc_logout_url):
-    """Authenticated users should be redirected to OIDC provider for logout."""
-
-    user = factories.UserFactory()
-
-    client = APIClient()
-    client.force_login(user)
-
-    url = reverse("oidc_logout_custom")
-    response = client.get(url)
-
-    mocked_oidc_logout_url.assert_called_once()
-
-    assert response.status_code == 302
-    assert response.url == "/example-logout"
-
-
-@override_settings(LOGOUT_REDIRECT_URL="/default-redirect-logout")
-@mock.patch.object(
-    OIDCLogoutView, "construct_oidc_logout_url", return_value="/default-redirect-logout"
-)
-def test_view_logout_no_oidc_provider(mocked_oidc_logout_url):
-    """Authenticated users should be logged out when no OIDC provider is available."""
-
-    user = factories.UserFactory()
-
-    client = APIClient()
-    client.force_login(user)
-
-    url = reverse("oidc_logout_custom")
-
-    with mock.patch("mozilla_django_oidc.views.auth.logout") as mock_logout:
-        response = client.get(url)
-        mocked_oidc_logout_url.assert_called_once()
-        mock_logout.assert_called_once()
-
-    assert response.status_code == 302
-    assert response.url == "/default-redirect-logout"
-
-
-@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
-def test_view_logout_callback_anonymous():
-    """Anonymous users calling the logout callback url,
-    should be redirected to the specified LOGOUT_REDIRECT_URL."""
-
-    url = reverse("oidc_logout_callback")
-    response = APIClient().get(url)
-
-    assert response.status_code == 302
-    assert response.url == "/example-logout"
-
-
-@pytest.mark.parametrize(
-    "initial_oidc_states",
-    [{}, {"other_state": "foo"}],
-)
-def test_view_logout_persist_state(initial_oidc_states):
-    """State value should be persisted in session's data."""
-
-    user = factories.UserFactory()
-
-    request = RequestFactory().request()
-    request.user = user
-
-    middleware = SessionMiddleware(get_response=lambda x: x)
-    middleware.process_request(request)
-
-    if initial_oidc_states:
-        request.session["oidc_states"] = initial_oidc_states
-        request.session.save()
-
-    mocked_state = "mock_state"
-
-    OIDCLogoutView().persist_state(request, mocked_state)
-
-    assert "oidc_states" in request.session
-    assert request.session["oidc_states"] == {
-        "mock_state": {},
-        **initial_oidc_states,
-    }
-
-
-@override_settings(OIDC_OP_LOGOUT_ENDPOINT="/example-logout")
-@mock.patch.object(OIDCLogoutView, "persist_state")
-@mock.patch.object(crypto, "get_random_string", return_value="mocked_state")
-def test_view_logout_construct_oidc_logout_url(
-    mocked_get_random_string, mocked_persist_state
-):
-    """Should construct the logout URL to initiate the logout flow with the OIDC provider."""
-
-    user = factories.UserFactory()
-
-    request = RequestFactory().request()
-    request.user = user
-
-    middleware = SessionMiddleware(get_response=lambda x: x)
-    middleware.process_request(request)
-
-    request.session["oidc_id_token"] = "mocked_oidc_id_token"
-    request.session.save()
-
-    redirect_url = OIDCLogoutView().construct_oidc_logout_url(request)
-
-    mocked_persist_state.assert_called_once()
-    mocked_get_random_string.assert_called_once()
-
-    params = parse_qs(urlparse(redirect_url).query)
-
-    assert params["id_token_hint"][0] == "mocked_oidc_id_token"
-    assert params["state"][0] == "mocked_state"
-
-    url = reverse("oidc_logout_callback")
-    assert url in params["post_logout_redirect_uri"][0]
-
-
-@override_settings(LOGOUT_REDIRECT_URL="/")
-def test_view_logout_construct_oidc_logout_url_none_id_token():
-    """If no ID token is available in the session,
-    the user should be redirected to the final URL."""
-
-    user = factories.UserFactory()
-
-    request = RequestFactory().request()
-    request.user = user
-
-    middleware = SessionMiddleware(get_response=lambda x: x)
-    middleware.process_request(request)
-
-    redirect_url = OIDCLogoutView().construct_oidc_logout_url(request)
-
-    assert redirect_url == "/"
-
-
-@pytest.mark.parametrize(
-    "initial_state",
-    [None, {"other_state": "foo"}],
-)
-def test_view_logout_callback_wrong_state(initial_state):
-    """Should raise an error if OIDC state doesn't match session data."""
-
-    user = factories.UserFactory()
-
-    request = RequestFactory().request()
-    request.user = user
-
-    middleware = SessionMiddleware(get_response=lambda x: x)
-    middleware.process_request(request)
-
-    if initial_state:
-        request.session["oidc_states"] = initial_state
-        request.session.save()
-
-    callback_view = OIDCLogoutCallbackView.as_view()
-
-    with pytest.raises(SuspiciousOperation) as excinfo:
-        callback_view(request)
-
-    assert (
-        str(excinfo.value) == "OIDC callback state not found in session `oidc_states`!"
-    )
-
-
-@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
-def test_view_logout_callback():
-    """If state matches, callback should clear OIDC state and redirects."""
-
-    user = factories.UserFactory()
-
-    request = RequestFactory().get("/logout-callback/", data={"state": "mocked_state"})
-    request.user = user
-
-    middleware = SessionMiddleware(get_response=lambda x: x)
-    middleware.process_request(request)
-
-    mocked_state = "mocked_state"
-
-    request.session["oidc_states"] = {mocked_state: {}}
-    request.session.save()
-
-    callback_view = OIDCLogoutCallbackView.as_view()
-
-    with mock.patch("mozilla_django_oidc.views.auth.logout") as mock_logout:
-
-        def clear_user(request):
-            # Assert state is cleared prior to logout
-            assert request.session["oidc_states"] == {}
-            request.user = AnonymousUser()
-
-        mock_logout.side_effect = clear_user
-        response = callback_view(request)
-        mock_logout.assert_called_once()
-
-    assert response.status_code == 302
-    assert response.url == "/example-logout"