tests
sergei-maertens committed May 22, 2024
1 parent 76906da commit f02e4ef
Showing 15 changed files with 1,498 additions and 919 deletions.
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/prepare-release.md
@@ -12,6 +12,7 @@ assignees: sergei-maertens
- [ ] Appoinments: Qmatic
- [ ] Suwinet
- [ ] DigiD/eHerkenning (Signicat)
- [ ] DigiD/eHerkenning via OIDC (`openforms.authentication.contrib.digid_eherkenning_oidc`)
- [ ] Haal Centraal BRP Personen bevragen
- [ ] `src.soap.tests.test_client`
- [ ] BRK (Kadaster)
4 changes: 4 additions & 0 deletions src/digid_eherkenning_oidc_generics/models.py
@@ -61,6 +61,10 @@ class Meta:
verbose_name = _("OpenID Connect configuration")
abstract = True

@classproperty
def oidcdb_check_idp_availability(cls) -> bool:
return True


class OpenIDConnectPublicConfig(OpenIDConnectBaseConfig):
"""
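Review bot: `oidcdb_check_idp_availability` is added without a docstring or comment, so a reader of this abstract base config cannot tell what returning `True` switches on, or that it applies to every config that inherits from it. Judging by the name and by the cassettes recorded in this commit (a bare GET to the authorization endpoint, answered with a 400), it presumably enables a server-side reachability probe of the identity provider before the user is redirected; please confirm and state it, e.g. `"""Probe the identity provider before redirecting, so an outage is reported instead of sending the user to a dead login page."""`. It would also help to note which responses count as "available", since the recorded probe gets a 400 and the flow appears to continue. The enclosing class starts outside the hunk.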
@@ -1,7 +1,7 @@
import logging

from django.contrib.auth.models import AnonymousUser
from django.core.exceptions import SuspiciousOperation
from django.core.exceptions import PermissionDenied, SuspiciousOperation
from django.http import HttpRequest

from glom import Path, PathAccessError, glom
@@ -58,7 +58,14 @@ def get_or_create_user(
claims_verified = self.verify_claims(user_info)
if not claims_verified:
msg = "Claims verification failed"
raise SuspiciousOperation(msg)
# Raise PermissionDenied rather than SuspiciousOperation - this makes it
# Django stops trying other (OIDC) authentication backends, which fail
# because the code was already exchanged for an access token.
# Note that this backend only runs for the DigiD/eHerkenning configs at all,
# and those aren't particularly compatible with the admin-OIDC flow anyway.
# See :meth:`_check_candidate_backend` that prevents this backend from being
# used for admin OIDC.
raise PermissionDenied(msg)

self._extract_and_store_claims(payload)

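Review bot: With the switch to `PermissionDenied` in `get_or_create_user`, a failed claims verification may no longer leave a log entry: Django's `authenticate()` catches `PermissionDenied`, stops iterating backends and fires `user_login_failed`, and nothing in the visible lines records the failure. A rejected login belongs in the audit trail, so consider logging just before the raise, e.g. `logging.getLogger(__name__).warning(msg)` (or the module's own logger, if one is defined outside the hunk), keeping the claim values themselves out of the message. The new comment's "this makes it Django stops trying" should read "this makes Django stop trying". The body of `get_or_create_user` starts before and continues past the hunk.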
@@ -0,0 +1,25 @@
# README

The integration tests for the OIDC flavour of DigiD/eHerkenning uses VCR.py. To (re-) record the
cassettes, perform the following steps (from the root of the repo):

1. Bring up the Keycloak instance

```bash
cd docker/
docker compose -f docker-compose.keycloak.yml up -d
```

2. Delete the old cassettes

```bash
rm -rf src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes
```

3. Run the tests

```bash
python src/manage.py test openforms.authentication.contrib.digid_eherkenning_oidc
```

4. Inspect the diff and commit the changes.
@@ -0,0 +1,91 @@
interactions:
- request:
body: null
headers:
Accept:
- '*/*'
Accept-Encoding:
- gzip, deflate, br
Connection:
- keep-alive
User-Agent:
- python-requests/2.31.0
method: GET
uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
response:
body:
string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n <meta charset=\"utf-8\">\n
\ <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
/>\n <meta name=\"robots\" content=\"noindex, nofollow\">\n\n <meta
name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n <title>Sign
in to test</title>\n <link rel=\"icon\" href=\"/resources/883g6/login/keycloak/img/favicon.ico\"
/>\n <link href=\"/resources/883g6/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/common/keycloak/lib/pficon/pficon.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/login/keycloak/css/login.css\"
rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
\ <div id=\"kc-header\" class=\"login-pf-page-header\">\n <div id=\"kc-header-wrapper\"\n
\ class=\"\">test</div>\n </div>\n <div class=\"card-pf\">\n
\ <header class=\"login-pf-header\">\n <h1 id=\"kc-page-title\">
\ We are sorry...\n</h1>\n </header>\n <div id=\"kc-content\">\n
\ <div id=\"kc-content-wrapper\">\n\n\n <div id=\"kc-error-message\">\n
\ <p class=\"instruction\">Invalid Request</p>\n </div>\n\n\n\n
\ </div>\n </div>\n\n </div>\n </div>\n</body>\n</html>\n"
headers:
Content-Language:
- en
Content-Security-Policy:
- frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Content-Type:
- text/html;charset=utf-8
Referrer-Policy:
- no-referrer
Strict-Transport-Security:
- max-age=31536000; includeSubDomains
X-Content-Type-Options:
- nosniff
X-Frame-Options:
- SAMEORIGIN
X-Robots-Tag:
- none
X-XSS-Protection:
- 1; mode=block
content-length:
- '1573'
status:
code: 400
message: Bad Request
- request:
body: null
headers:
Accept:
- '*/*'
Accept-Encoding:
- gzip, deflate, br
Connection:
- keep-alive
User-Agent:
- python-requests/2.31.0
method: GET
uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
response:
body:
string: ''
headers:
Location:
- http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
Referrer-Policy:
- no-referrer
Strict-Transport-Security:
- max-age=31536000; includeSubDomains
X-Content-Type-Options:
- nosniff
X-XSS-Protection:
- 1; mode=block
content-length:
- '0'
status:
code: 302
message: Found
version: 1
@@ -0,0 +1,91 @@
interactions:
- request:
body: null
headers:
Accept:
- '*/*'
Accept-Encoding:
- gzip, deflate, br
Connection:
- keep-alive
User-Agent:
- python-requests/2.31.0
method: GET
uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
response:
body:
string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n <meta charset=\"utf-8\">\n
\ <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
/>\n <meta name=\"robots\" content=\"noindex, nofollow\">\n\n <meta
name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n <title>Sign
in to test</title>\n <link rel=\"icon\" href=\"/resources/883g6/login/keycloak/img/favicon.ico\"
/>\n <link href=\"/resources/883g6/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/common/keycloak/lib/pficon/pficon.css\"
rel=\"stylesheet\" />\n <link href=\"/resources/883g6/login/keycloak/css/login.css\"
rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
\ <div id=\"kc-header\" class=\"login-pf-page-header\">\n <div id=\"kc-header-wrapper\"\n
\ class=\"\">test</div>\n </div>\n <div class=\"card-pf\">\n
\ <header class=\"login-pf-header\">\n <h1 id=\"kc-page-title\">
\ We are sorry...\n</h1>\n </header>\n <div id=\"kc-content\">\n
\ <div id=\"kc-content-wrapper\">\n\n\n <div id=\"kc-error-message\">\n
\ <p class=\"instruction\">Invalid Request</p>\n </div>\n\n\n\n
\ </div>\n </div>\n\n </div>\n </div>\n</body>\n</html>\n"
headers:
Content-Language:
- en
Content-Security-Policy:
- frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Content-Type:
- text/html;charset=utf-8
Referrer-Policy:
- no-referrer
Strict-Transport-Security:
- max-age=31536000; includeSubDomains
X-Content-Type-Options:
- nosniff
X-Frame-Options:
- SAMEORIGIN
X-Robots-Tag:
- none
X-XSS-Protection:
- 1; mode=block
content-length:
- '1573'
status:
code: 400
message: Bad Request
- request:
body: null
headers:
Accept:
- '*/*'
Accept-Encoding:
- gzip, deflate, br
Connection:
- keep-alive
User-Agent:
- python-requests/2.31.0
method: GET
uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
response:
body:
string: ''
headers:
Location:
- http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
Referrer-Policy:
- no-referrer
Strict-Transport-Security:
- max-age=31536000; includeSubDomains
X-Content-Type-Options:
- nosniff
X-XSS-Protection:
- 1; mode=block
content-length:
- '0'
status:
code: 302
message: Found
version: 1