Added more unit tests

snok · Aug 18, 2022 · 1852042 · 1852042
1 parent 922258f
commit 1852042
Show file tree

Hide file tree

Showing 4 changed files with 326 additions and 20 deletions.
diff --git a/tests/mock_files/azure-openid-configuration-v2.json b/tests/mock_files/azure-openid-configuration-v2.json
@@ -0,0 +1,62 @@
+{
+    "authorization_endpoint": "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/oauth2/v2.0/authorize",
+    "token_endpoint": "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/oauth2/v2.0/token",
+    "token_endpoint_auth_methods_supported": [
+      "client_secret_post",
+      "private_key_jwt",
+      "client_secret_basic"
+    ],
+    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
+    "response_modes_supported": [
+      "query",
+      "fragment",
+      "form_post"
+    ],
+    "subject_types_supported": [
+      "pairwise"
+    ],
+    "id_token_signing_alg_values_supported": [
+      "RS256"
+    ],
+    "http_logout_supported": true,
+    "frontchannel_logout_supported": true,
+    "end_session_endpoint": "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/oauth2/v2.0/logout",
+    "response_types_supported": [
+      "code",
+      "id_token",
+      "code id_token",
+      "token id_token",
+      "token"
+    ],
+    "scopes_supported": [
+      "openid"
+    ],
+    "issuer": "https://sts.windows.net/01234567-89ab-cdef-0123-456789abcdef/",
+    "claims_supported": [
+      "sub",
+      "iss",
+      "cloud_instance_name",
+      "cloud_instance_host_name",
+      "cloud_graph_host_name",
+      "msgraph_host",
+      "aud",
+      "exp",
+      "iat",
+      "auth_time",
+      "acr",
+      "amr",
+      "nonce",
+      "email",
+      "given_name",
+      "family_name",
+      "nickname"
+    ],
+    "microsoft_multi_refresh_token": true,
+    "check_session_iframe": "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/oauth2/v2.0/checksession",
+    "userinfo_endpoint": "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/openid/userinfo",
+    "tenant_region_scope": "EU",
+    "cloud_instance_name": "microsoftonline.com",
+    "cloud_graph_host_name": "graph.windows.net",
+    "msgraph_host": "graph.microsoft.com",
+    "rbac_url": "https://pas.windows.net"
+  }
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -164,6 +164,17 @@ def test_group_claim(self):
             self.assertEqual(user.email, "john.doe@example.com")
             self.assertEqual(len(user.groups.all()), 0)
 
+    @mock_adfs("2016")
+    def test_no_group_claim(self):
+        backend = AdfsAuthCodeBackend()
+        with patch("django_auth_adfs.backend.settings.GROUPS_CLAIM", None):
+            user = backend.authenticate(self.request, authorization_code="dummycode")
+            self.assertIsInstance(user, User)
+            self.assertEqual(user.first_name, "John")
+            self.assertEqual(user.last_name, "Doe")
+            self.assertEqual(user.email, "john.doe@example.com")
+            self.assertEqual(len(user.groups.all()), 0)
+
     @mock_adfs("2016", empty_keys=True)
     def test_empty_keys(self):
         backend = AdfsAuthCodeBackend()

diff --git a/tests/test_drf_integration.py b/tests/test_drf_integration.py
@@ -162,7 +162,7 @@ def test_access_token_azure_guest_but_no_upn_but_no_guest_username_claim(self):
                         with self.assertRaises(exceptions.AuthenticationFailed):
                             self.drf_auth_class.authenticate(request)
 
-    @mock_adfs("azure")
+    @mock_adfs("azure", requires_obo=True)
     def test_process_group_claim_from_ms_graph(self):
         access_token_header = "Bearer {}".format(self.access_token_azure_groups_in_claim_source)
         request = RequestFactory().get('/api', HTTP_AUTHORIZATION=access_token_header)
@@ -175,18 +175,61 @@ def test_process_group_claim_from_ms_graph(self):
             with patch('django_auth_adfs.backend.settings', Settings()):
                 with patch("django_auth_adfs.config.settings", Settings()):
                     with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
-                        with patch(
-                            "django_auth_adfs.backend.AdfsBaseBackend.get_obo_access_token",
-                            return_value="123456"
-                        ):
-                            with patch(
-                                "django_auth_adfs.backend.AdfsBaseBackend.get_group_memberships_from_ms_graph",
-                                return_value=["group1", "group2"]
-                            ):
-                                user, _ = self.drf_auth_class.authenticate(request)
-                                self.assertEqual(user.username, "testuser")
-                                self.assertEqual(user.groups.all()[0].name, "group1")
-                                self.assertEqual(user.groups.all()[1].name, "group2")
+                        user, _ = self.drf_auth_class.authenticate(request)
+                        self.assertEqual(user.username, "testuser")
+                        self.assertEqual(user.groups.all()[0].name, "group1")
+                        self.assertEqual(user.groups.all()[1].name, "group2")
+
+    @mock_adfs("azure", requires_obo=True, mfa_error=True)
+    def test_get_obo_access_token_mfa_error(self):
+        access_token_header = "Bearer {}".format(self.access_token_azure_groups_in_claim_source)
+        request = RequestFactory().get('/api', HTTP_AUTHORIZATION=access_token_header)
+
+        from django_auth_adfs.config import django_settings
+        settings = deepcopy(django_settings)
+        del settings.AUTH_ADFS["SERVER"]
+        settings.AUTH_ADFS["TENANT_ID"] = "dummy_tenant_id"
+        with patch("django_auth_adfs.config.django_settings", settings):
+            with patch('django_auth_adfs.backend.settings', Settings()):
+                with patch("django_auth_adfs.config.settings", Settings()):
+                    with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
+                        with self.assertRaises(AuthenticationFailed):
+                            self.drf_auth_class.authenticate(request)
+
+    @mock_adfs("azure", requires_obo=True, version='v2.0')
+    def test_get_obo_access_token_version_2(self):
+        access_token_header = "Bearer {}".format(self.access_token_azure_groups_in_claim_source)
+        request = RequestFactory().get('/api', HTTP_AUTHORIZATION=access_token_header)
+
+        from django_auth_adfs.config import django_settings
+        settings = deepcopy(django_settings)
+        del settings.AUTH_ADFS["SERVER"]
+        settings.AUTH_ADFS["TENANT_ID"] = "dummy_tenant_id"
+        settings.AUTH_ADFS["VERSION"] = 'v2.0'
+        with patch("django_auth_adfs.config.django_settings", settings):
+            with patch('django_auth_adfs.backend.settings', Settings()):
+                with patch("django_auth_adfs.config.settings", Settings()):
+                    with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
+                        user, _ = self.drf_auth_class.authenticate(request)
+                        self.assertEqual(user.username, "testuser")
+                        self.assertEqual(user.groups.all()[0].name, "group1")
+                        self.assertEqual(user.groups.all()[1].name, "group2")
+
+    @mock_adfs("azure", requires_obo=True, missing_graph_group_perm=True)
+    def test_missing_ms_graph_group_permission(self):
+        access_token_header = "Bearer {}".format(self.access_token_azure_groups_in_claim_source)
+        request = RequestFactory().get('/api', HTTP_AUTHORIZATION=access_token_header)
+
+        from django_auth_adfs.config import django_settings
+        settings = deepcopy(django_settings)
+        del settings.AUTH_ADFS["SERVER"]
+        settings.AUTH_ADFS["TENANT_ID"] = "dummy_tenant_id"
+        with patch("django_auth_adfs.config.django_settings", settings):
+            with patch('django_auth_adfs.backend.settings', Settings()):
+                with patch("django_auth_adfs.config.settings", Settings()):
+                    with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
+                        with self.assertRaises(AuthenticationFailed):
+                            self.drf_auth_class.authenticate(request)
 
     @mock_adfs("2012")
     def test_access_token_exceptions(self):