-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
144 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
49 changes: 49 additions & 0 deletions
49
testsuite/tests/kuadrant/authorino/identity/extended_properties/test_extended_properties.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| """Basic tests for extended properties""" | ||
| import pytest | ||
|
|
||
| from testsuite.objects import Value, ValueFrom | ||
| from testsuite.utils import extract_response | ||
|
|
||
|
|
||
| @pytest.fixture(scope="module") | ||
| def authorization(authorization, rhsso): | ||
| """ | ||
| Add new identity with list of extended properties. This list contains: | ||
| - Static `value` and dynamic `jsonPath` properties | ||
| - Dynamic chaining properties which point to another extended property location before its created | ||
| Add simple response to inspect 'auth.identity' part of authJson where the properties will be created. | ||
| """ | ||
| authorization.identity.oidc( | ||
| "rhsso", | ||
| rhsso.well_known["issuer"], | ||
| extended_properties=[ | ||
| Value("static", name="property_static"), | ||
| # ValueFrom points to the request uri | ||
| ValueFrom("context.request.http.path", name="property_dynamic"), | ||
| ValueFrom("auth.identity.property_static", name="property_chain_static"), | ||
| ValueFrom("auth.identity.property_dynamic", name="property_chain_dynamic"), | ||
| ValueFrom("auth.identity.property_chain_self", name="property_chain_self", overwrite=True), | ||
| ], | ||
| ) | ||
| authorization.responses.add_simple("auth.identity") | ||
| return authorization | ||
|
|
||
|
|
||
| def test_basic(client, auth): | ||
| """ | ||
| This test checks if static and dynamic extended properties are created and have the right value. | ||
| """ | ||
| response = client.get("/anything/abc", auth=auth) | ||
| assert extract_response(response)["property_static"] % "MISSING" == "static" | ||
| assert extract_response(response)["property_dynamic"] % "MISSING" == "/anything/abc" | ||
|
|
||
|
|
||
| def test_chain(client, auth): | ||
| """ | ||
| This test checks if chaining extended properties have value None as chaining is not supported. | ||
| This behavior is undocumented but confirmed to be correct with dev team. | ||
| """ | ||
| response = client.get("/anything/abc", auth=auth) | ||
| assert extract_response(response)["property_chain_static"] % "MISSING" is None | ||
| assert extract_response(response)["property_chain_dynamic"] % "MISSING" is None | ||
| assert extract_response(response)["property_chain_self"] % "MISSING" is None |
36 changes: 36 additions & 0 deletions
36
testsuite/tests/kuadrant/authorino/identity/extended_properties/test_overwriting.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| """https://github.com/Kuadrant/authorino/pull/399""" | ||
| import pytest | ||
|
|
||
| from testsuite.objects import Value | ||
| from testsuite.utils import extract_response | ||
|
|
||
|
|
||
| @pytest.fixture(scope="module") | ||
| def authorization(authorization): | ||
| """ | ||
| Add plain authentication with three extended properties: | ||
| explicit False, explicit True and missing which should be default False. | ||
| Add simple response to expose `auth.identity` part of AuthJson | ||
| """ | ||
| authorization.identity.plain( | ||
| "plain", | ||
| "context.request.http.headers.x-user|@fromstr", | ||
| extended_properties=[ | ||
| Value("bar", name="name", overwrite=False), | ||
| Value(35, name="age", overwrite=True), | ||
| Value("admin", name="group"), | ||
| ], | ||
| ) | ||
| authorization.responses.add_simple("auth.identity") | ||
|
|
||
| return authorization | ||
|
|
||
|
|
||
| def test_overwrite(client): | ||
| """ | ||
| Test the ExtendedProperty overwrite functionality overwriting the value in headers when True. | ||
| """ | ||
| response = client.get("/get", headers={"x-user": '{"name":"foo","age":30,"group":"guest"}'}) | ||
| assert extract_response(response)["name"] % "MISSING" == "foo" | ||
| assert extract_response(response)["age"] % 0 == 35 | ||
| assert extract_response(response)["group"] % "MISSING" == "guest" |
59 changes: 59 additions & 0 deletions
59
testsuite/tests/kuadrant/authorino/identity/extended_properties/test_token_normalization.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| """https://github.com/Kuadrant/authorino/blob/main/docs/user-guides/token-normalization.md""" | ||
| import pytest | ||
| from testsuite.objects import Value, ValueFrom, Rule | ||
| from testsuite.httpx.auth import HeaderApiKeyAuth, HttpxOidcClientAuth | ||
|
|
||
|
|
||
| @pytest.fixture(scope="module") | ||
| def auth_api_key(create_api_key, module_label): | ||
| """Creates API key Secret and returns auth for it.""" | ||
| api_key = create_api_key("api-key", module_label, "api_key_value") | ||
| return HeaderApiKeyAuth(api_key) | ||
|
|
||
|
|
||
| @pytest.fixture(scope="module") | ||
| def auth_oidc_admin(rhsso, blame): | ||
| """Creates new user with new 'admin' role and return auth for it.""" | ||
| realm_role = rhsso.realm.create_realm_role("admin") | ||
| user = rhsso.realm.create_user(blame("someuser"), blame("password")) | ||
| user.assign_realm_role(realm_role) | ||
| return HttpxOidcClientAuth.from_user(rhsso.get_token, user, "authorization") | ||
|
|
||
|
|
||
| @pytest.fixture(scope="module") | ||
| def authorization(authorization, rhsso, module_label): | ||
| """ | ||
| Add rhsso identity provider with extended property "roles" which is dynamically mapped to | ||
| list of granted realm roles 'auth.identity.realm_access.roles' | ||
| Add api_key identity with extended property "roles" which is static list of one role 'admin'. | ||
| Add authorization rule allowing DELETE method only to users with role 'admin' in 'auth.identity.roles' | ||
| """ | ||
| authorization.identity.oidc( | ||
| "rhsso", | ||
| rhsso.well_known["issuer"], | ||
| extended_properties=[ValueFrom("auth.identity.realm_access.roles", name="roles")], | ||
| ) | ||
| authorization.identity.api_key( | ||
| "api_key", match_label=module_label, extended_properties=[Value(["admin"], name="roles")] | ||
| ) | ||
|
|
||
| rule = Rule(selector="auth.identity.roles", operator="incl", value="admin") | ||
| when = Rule(selector="context.request.http.method", operator="eq", value="DELETE") | ||
| authorization.authorization.auth_rule("only-admins-can-delete", rule=rule, when=[when]) | ||
| return authorization | ||
|
|
||
|
|
||
| def test_token_normalization(client, auth, auth_oidc_admin, auth_api_key): | ||
| """ | ||
| Tests token normalization scenario where three users with different types of authentication have "roles" value | ||
| normalized via extended_properties. Only user with an 'admin' role can use method DELETE. | ||
| - auth: oidc user without 'admin' role | ||
| - auth_oidc_admin: oidc user with 'admin' role | ||
| - auth_api_key: api key user which has static 'admin' role | ||
| """ | ||
|
|
||
| assert client.get("/get", auth=auth).status_code == 200 | ||
| assert client.delete("/delete", auth=auth).status_code == 403 | ||
| assert client.delete("/delete", auth=auth_oidc_admin).status_code == 200 | ||
| assert client.delete("/delete", auth=auth_api_key).status_code == 200 |