BookStack Code Mirror - bookstack/blobdiff

index e7665a679a44a892bbe743863aa01579c3e780c0..8c6e0635ff6949c8e16b198a283573d73841fea3 100644 (file)

--- a/tests/Auth/OidcTest.php

+++ b/tests/Auth/OidcTest.php

@@ -3,17 +3,17 @@

namespace Tests\Auth;

use BookStack\Actions\ActivityType;

+use BookStack\Auth\Role;

use BookStack\Auth\User;

use GuzzleHttp\Psr7\Request;

use GuzzleHttp\Psr7\Response;

-use Illuminate\Filesystem\Cache;

+use Illuminate\Testing\TestResponse;

use Tests\Helpers\OidcJwtHelper;

use Tests\TestCase;

-use Tests\TestResponse;

class OidcTest extends TestCase

{

- protected $keyFilePath;

+ protected string $keyFilePath;

protected $keyFile;

protected function setUp(): void

@@ -38,6 +38,10 @@ class OidcTest extends TestCase

'oidc.token_endpoint' => 'https://oidc.local/token',

'oidc.discover' => false,

'oidc.dump_user_details' => false,

+ 'oidc.additional_scopes' => '',

+ 'oidc.user_to_groups' => false,

+ 'oidc.group_attribute' => 'group',

+ 'oidc.remove_from_groups' => false,

]);

}

@@ -53,7 +57,7 @@ class OidcTest extends TestCase

{

$req = $this->get('/login');

$req->assertSeeText('SingleSignOn-Testing');

- $req->assertElementExists('form[action$="/oidc/login"][method=POST] button');

+ $this->withHtml($req)->assertElementExists('form[action$="/oidc/login"][method=POST] button');

}

public function test_oidc_routes_are_only_active_if_oidc_enabled()

@@ -90,7 +94,7 @@ class OidcTest extends TestCase

public function test_logout_route_functions()

{

$this->actingAs($this->getEditor());

- $this->get('/logout');

+ $this->post('/logout');

$this->assertFalse(auth()->check());

}

@@ -160,6 +164,17 @@ class OidcTest extends TestCase

$this->assertActivityExists(ActivityType::AUTH_LOGIN, null, "oidc; ({$user->id}) Barry Scott");

}

+ public function test_login_uses_custom_additional_scopes_if_defined()

+ {

+ config()->set([

+ 'oidc.additional_scopes' => 'groups, badgers',

+ ]);

+ $redirect = $this->post('/oidc/login')->headers->get('location');

+ $this->assertStringContainsString('scope=openid%20profile%20email%20groups%20badgers', $redirect);

+ }

public function test_callback_fails_if_no_state_present_or_matching()

{

$this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=abc124');

@@ -236,22 +251,24 @@ class OidcTest extends TestCase

$this->assertFalse(auth()->check());

- $this->runLogin([

+ $resp = $this->runLogin([

'email' => $editor->email,

'sub' => 'benny505',

]);

+ $resp = $this->followRedirects($resp);

- $this->assertSessionError('A user with the email ' . $editor->email . ' already exists but with different credentials.');

+ $resp->assertSeeText('A user with the email ' . $editor->email . ' already exists but with different credentials.');

$this->assertFalse(auth()->check());

}

public function test_auth_login_with_invalid_token_fails()

{

- $this->runLogin([

+ $resp = $this->runLogin([

'sub' => null,

]);

+ $resp = $this->followRedirects($resp);

- $this->assertSessionError('ID token validate failed with error: Missing token subject value');

+ $resp->assertSeeText('ID token validate failed with error: Missing token subject value');

$this->assertFalse(auth()->check());

}

@@ -287,9 +304,9 @@ class OidcTest extends TestCase

new Response(404, [], 'Not found'),

]);

- $this->runLogin();

+ $resp = $this->followRedirects($this->runLogin());

$this->assertFalse(auth()->check());

- $this->assertSessionError('Login using SingleSignOn-Testing failed, system did not provide successful authorization');

+ $resp->assertSeeText('Login using SingleSignOn-Testing failed, system did not provide successful authorization');

}

public function test_autodiscovery_calls_are_cached()

@@ -318,6 +335,84 @@ class OidcTest extends TestCase

$this->assertCount(4, $transactions);

}

+ public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_alg_property()

+ {

+ $this->withAutodiscovery();

+ $keyArray = OidcJwtHelper::publicJwkKeyArray();

+ unset($keyArray['alg']);

+ $this->mockHttpClient([

+ $this->getAutoDiscoveryResponse(),

+ new Response(200, [

+ 'Content-Type' => 'application/json',

+ 'Cache-Control' => 'no-cache, no-store',

+ 'Pragma' => 'no-cache',

+ ], json_encode([

+ 'keys' => [

+ $keyArray,

+ ],

+ ])),

+ ]);

+ $this->assertFalse(auth()->check());

+ $this->runLogin();

+ $this->assertTrue(auth()->check());

+ }

+ public function test_login_group_sync()

+ {

+ config()->set([

+ 'oidc.user_to_groups' => true,

+ 'oidc.group_attribute' => 'groups',

+ 'oidc.remove_from_groups' => false,

+ ]);

+ $roleA = Role::factory()->create(['display_name' => 'Wizards']);

+ $roleB = Role::factory()->create(['display_name' => 'ZooFolks', 'external_auth_id' => 'zookeepers']);

+ $roleC = Role::factory()->create(['display_name' => 'Another Role']);

+ $resp = $this->runLogin([

+ 'email' => '[email protected]',

+ 'sub' => 'benny1010101',

+ 'groups' => ['Wizards', 'Zookeepers'],

+ ]);

+ $resp->assertRedirect('/');

+ /** @var User $user */

+ $user = User::query()->where('email', '=', '[email protected]')->first();

+ $this->assertTrue($user->hasRole($roleA->id));

+ $this->assertTrue($user->hasRole($roleB->id));

+ $this->assertFalse($user->hasRole($roleC->id));

+ }

+ public function test_login_group_sync_with_nested_groups_in_token()

+ {

+ config()->set([

+ 'oidc.user_to_groups' => true,

+ 'oidc.group_attribute' => 'my.custom.groups.attr',

+ 'oidc.remove_from_groups' => false,

+ ]);

+ $roleA = Role::factory()->create(['display_name' => 'Wizards']);

+ $resp = $this->runLogin([

+ 'email' => '[email protected]',

+ 'sub' => 'benny1010101',

+ 'my' => [

+ 'custom' => [

+ 'groups' => [

+ 'attr' => ['Wizards'],

+ ],

+ ]);

+ $resp->assertRedirect('/');

+ /** @var User $user */

+ $user = User::query()->where('email', '=', '[email protected]')->first();

+ $this->assertTrue($user->hasRole($roleA->id));

+ }

protected function withAutodiscovery()

{

config()->set([