(test) OIDC testing

2024-11-28 09:24:24 +01:00 · 2023-03-02 17:13:46 +01:00 · 2023-03-02 17:13:46 +01:00 · 18447f8371
commit 18447f8371
parent 6d14a8dc77
7 changed files with 98 additions and 5 deletions
--- a/app/views/application/sso_redirect.html.erb
+++ b/app/views/application/sso_redirect.html.erb
@ -7,7 +7,7 @@
 </head>
 <body>
  <% param = @authorization_token ? "?auth_token=#{@authorization_token}" : '' %>
-  <% url_path = File.join(root_url, "users/auth/#{@active_provider.strategy_name}#{param}") %>
+  <% url_path = URI.join("#{ENV.fetch('DEFAULT_PROTOCOL')}://#{ENV.fetch('DEFAULT_HOST')}", "users/auth/#{@active_provider.strategy_name}#{param}") %>
  <form id="redirect-form" action="<%=url_path%>" method="post" target="_self">
    <%= hidden_field_tag :authenticity_token, @authentication_token %>
    <noscript>
--- a/env.example
+++ b/env.example
@ -15,6 +15,8 @@ STRIPE_PUBLISHABLE_KEY=
 # oAuth SSO keys for tests
 OAUTH_CLIENT_ID=github-oauth-app-id
 OAUTH_CLIENT_SECRET=github-oauth-app-secret
+OIDC_CLIENT_ID=oidc-client-id
+OIDC_CLIENT_SECRET=oidc-client-secret

 # Configure carefully!
 DEFAULT_HOST=localhost:5000
--- a/scripts/tests.sh
+++ b/scripts/tests.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env bash

-# Use this script to safely run the test suite.
+# Use this script to safely run the test suite after any database changes.
 # This must be preferred over `rails test`.

 stripe_public_key=$(RAILS_ENV='test' bin/rails runner "puts ENV['STRIPE_PUBLISHABLE_KEY']")
--- a/test/fixtures/history_values.yml
+++ b/test/fixtures/history_values.yml
@ -648,7 +648,7 @@ history_value_66:
 history_value_67:
  id: 67
  setting_id: 67
-  value: pk_test_aScrMu3y4AocfCN5XLJjGzmQ
+  value: <%=ENV.fetch('STRIPE_PUBLISHABLE_KEY', 'pk_test_faketestfaketestfaketest') %>
  created_at: '2020-06-08 17:12:16.846525'
  updated_at: '2021-05-31 15:00:37.210049'
  footprint: 4984215605d9f30ac4f9594bc0d552d6b5e280f650801399b698aa43188001a5
@ -657,7 +657,7 @@ history_value_67:
 history_value_68:
  id: 68
  setting_id: 68
-  value: sk_test_mGokO9TGtrVxMOyK4yZiktBE
+  value: <%=ENV.fetch('STRIPE_API_KEY', 'sk_test_testfaketestfaketestfake') %>
  created_at: '2020-06-08 17:12:16.846525'
  updated_at: '2021-05-31 15:00:37.280668'
  footprint: 48db504877d3329e39d1e816b243629c44b47be9f2837e2e4af4f30ca7cbd3e8
--- a/test/helpers/auth_provider_helper.rb
+++ b/test/helpers/auth_provider_helper.rb
@ -32,4 +32,32 @@ module AuthProviderHelper
      ]
    }
  end
+
+  def keycloak_provider_params(name)
+    {
+      name: name,
+      providable_type: 'OpenIdConnectProvider',
+      providable_attributes: {
+        issuer: 'https://sso.sleede.dev/auth/realms/master',
+        discovery: true,
+        client_auth_method: 'basic',
+        scope: %w[openid profile email toto],
+        prompt: 'consent',
+        send_scope_to_token_endpoint: true,
+        profile_url: 'https://sso.sleede.dev/auth/realms/master/account/',
+        client__identifier: ENV.fetch('OIDC_CLIENT_ID', 'oidc-client-id'),
+        client__secret: ENV.fetch('OIDC_CLIENT_SECRET', 'oidc-client-secret'),
+        client__authorization_endpoint: '',
+        client__token_endpoint: '',
+        client__userinfo_endpoint: '',
+        client__end_session_endpoint: ''
+      },
+      auth_provider_mappings_attributes: [
+        { id: '', local_model: 'user', local_field: 'uid', api_endpoint: 'user_info', api_data_type: 'json', api_field: 'sub' },
+        { id: '', local_model: 'user', local_field: 'email', api_endpoint: 'user_info', api_data_type: 'json', api_field: 'email' },
+        { id: '', local_model: 'profile', local_field: 'first_name', api_endpoint: 'user_info', api_data_type: 'json', api_field: 'given_name' },
+        { id: '', local_model: 'profile', local_field: 'last_name', api_endpoint: 'user_info', api_data_type: 'json', api_field: 'family_name' }
+      ]
+    }
+  end
 end
--- a/test/integration/open_id_connect_test.rb
+++ b/test/integration/open_id_connect_test.rb
@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+require 'helpers/auth_provider_helper'
+
+class OpenIdConnectTest < ActionDispatch::IntegrationTest
+  include AuthProviderHelper
+
+  setup do
+    @admin = User.find_by(username: 'admin')
+    login_as(@admin, scope: :user)
+    Fablab::Application.load_tasks if Rake::Task.tasks.empty?
+  end
+
+  test 'create and activate an OIDC provider' do
+    name = 'Sleede'
+    post '/api/auth_providers',
+         params: {
+           auth_provider: keycloak_provider_params(name)
+         }.to_json,
+         headers: default_headers
+
+    # Check response format & status
+    assert_equal 201, response.status, response.body
+    assert_equal Mime[:json], response.content_type
+
+    # Check the provider was correctly created
+    db_provider = OpenIdConnectProvider.includes(:auth_provider).where('auth_providers.name': name).first&.auth_provider
+    assert_not_nil db_provider
+
+    provider = json_response(response.body)
+    assert_equal name, provider[:name]
+    assert_equal db_provider&.id, provider[:id]
+    assert_equal 'pending', provider[:status]
+    assert_equal 4, provider[:auth_provider_mappings_attributes].length
+
+    # now let's activate this new provider
+    Rake::Task['fablab:auth:switch_provider'].execute(Rake::TaskArguments.new([:provider], [name]))
+
+    # Check it is correctly activated
+    db_provider&.reload
+    assert_equal 'active', db_provider&.status
+    assert_equal AuthProvider.active.id, db_provider&.id
+
+    # TODO, login with the SSO (need debugging)
+    ## The following doesn't work but I can't find out why... Maybe configuring Devise like this is not the right way,
+    ## but when testing the process with Capybara, I always fall with the message "Not found. Authentication passthru."
+
+    # Simulate an application restart (reload routes and change devise setup)
+    # logout
+    # Devise.setup do |config|
+    #   require_relative '../../lib/omni_auth/openid_connect'
+    #   config.omniauth OmniAuth::Strategies::SsoOpenidConnectProvider.name&.to_sym,
+    #                   db_provider&.providable&.config
+    # end
+    # User.devise :omniauthable, omniauth_providers: [db_provider&.strategy_name&.to_sym]
+    # Rails.application.reload_routes!
+  end
+end
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@ -19,7 +19,11 @@ VCR.configure do |config|
  config.hook_into :webmock
  config.filter_sensitive_data('sk_test_testfaketestfaketestfake') { Setting.get('stripe_secret_key') }
  config.filter_sensitive_data('pk_test_faketestfaketestfaketest') { Setting.get('stripe_public_key') }
-  config.ignore_request { |req| URI(req.uri).port == 9200 }
+  config.filter_sensitive_data('github-oauth-app-id') { ENV.fetch('OAUTH_CLIENT_ID') }
+  config.filter_sensitive_data('github-oauth-app-secret') { ENV.fetch('OAUTH_CLIENT_SECRET') }
+  config.filter_sensitive_data('oidc-client-id') { ENV.fetch('OIDC_CLIENT_ID') }
+  config.filter_sensitive_data('oidc-client-secret') { ENV.fetch('OIDC_CLIENT_SECRET') }
+  config.ignore_request { |req| URI(req.uri).port == 9200 || URI(req.uri).host == '127.0.0.1' }
 end

 Sidekiq::Testing.fake!