Fixed local_secure_restricted preventing attachment uploads

[bookstack] / tests / Auth / OidcTest.php

diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php
index 34fd70115e345a839b0ea2441d18494d72a62555..8c6e0635ff6949c8e16b198a283573d73841fea3 100644 (file)
--- a/tests/Auth/OidcTest.php
+++ b/tests/Auth/OidcTest.php
@@ -3,12 +3,13 @@
 namespace Tests\Auth;
 
 use BookStack\Actions\ActivityType;
+use BookStack\Auth\Role;
 use BookStack\Auth\User;
 use GuzzleHttp\Psr7\Request;
 use GuzzleHttp\Psr7\Response;
+use Illuminate\Testing\TestResponse;
 use Tests\Helpers\OidcJwtHelper;
 use Tests\TestCase;
-use Tests\TestResponse;
 
 class OidcTest extends TestCase
 {
@@ -26,7 +27,6 @@ class OidcTest extends TestCase
 
         config()->set([
             'auth.method'                 => 'oidc',
-            'auth.auto_redirect'          => false,
             'auth.defaults.guard'         => 'oidc',
             'oidc.name'                   => 'SingleSignOn-Testing',
             'oidc.display_name_claims'    => ['name'],
@@ -38,6 +38,10 @@ class OidcTest extends TestCase
             'oidc.token_endpoint'         => 'https://oidc.local/token',
             'oidc.discover'               => false,
             'oidc.dump_user_details'      => false,
+            'oidc.additional_scopes'      => '',
+            'oidc.user_to_groups'         => false,
+            'oidc.group_attribute'        => 'group',
+            'oidc.remove_from_groups'     => false,
         ]);
     }
 
@@ -53,7 +57,7 @@ class OidcTest extends TestCase
     {
         $req = $this->get('/login');
         $req->assertSeeText('SingleSignOn-Testing');
-        $req->assertElementExists('form[action$="/oidc/login"][method=POST] button');
+        $this->withHtml($req)->assertElementExists('form[action$="/oidc/login"][method=POST] button');
     }
 
     public function test_oidc_routes_are_only_active_if_oidc_enabled()
@@ -112,19 +116,6 @@ class OidcTest extends TestCase
         $this->assertPermissionError($resp);
     }
 
-    public function test_automatic_redirect_on_login()
-    {
-        config()->set([
-            'auth.auto_redirect'        => true,
-            'services.google.client_id' => false,
-            'services.github.client_id' => false,
-        ]);
-        $req = $this->get('/login');
-        $req->assertSeeText('SingleSignOn-Testing');
-        $req->assertElementExists('form[action$="/oidc/login"][method=POST] button');
-        $req->assertElementExists('div#loginredirect-wrapper');
-    }
-
     public function test_login()
     {
         $req = $this->post('/oidc/login');
@@ -173,6 +164,17 @@ class OidcTest extends TestCase
         $this->assertActivityExists(ActivityType::AUTH_LOGIN, null, "oidc; ({$user->id}) Barry Scott");
     }
 
+    public function test_login_uses_custom_additional_scopes_if_defined()
+    {
+        config()->set([
+            'oidc.additional_scopes' => 'groups, badgers',
+        ]);
+
+        $redirect = $this->post('/oidc/login')->headers->get('location');
+
+        $this->assertStringContainsString('scope=openid%20profile%20email%20groups%20badgers', $redirect);
+    }
+
     public function test_callback_fails_if_no_state_present_or_matching()
     {
         $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=abc124');
@@ -358,6 +360,59 @@ class OidcTest extends TestCase
         $this->assertTrue(auth()->check());
     }
 
+    public function test_login_group_sync()
+    {
+        config()->set([
+            'oidc.user_to_groups'     => true,
+            'oidc.group_attribute'    => 'groups',
+            'oidc.remove_from_groups' => false,
+        ]);
+        $roleA = Role::factory()->create(['display_name' => 'Wizards']);
+        $roleB = Role::factory()->create(['display_name' => 'ZooFolks', 'external_auth_id' => 'zookeepers']);
+        $roleC = Role::factory()->create(['display_name' => 'Another Role']);
+
+        $resp = $this->runLogin([
+            'email'  => '[email protected]',
+            'sub'    => 'benny1010101',
+            'groups' => ['Wizards', 'Zookeepers'],
+        ]);
+        $resp->assertRedirect('/');
+
+        /** @var User $user */
+        $user = User::query()->where('email', '=', '[email protected]')->first();
+
+        $this->assertTrue($user->hasRole($roleA->id));
+        $this->assertTrue($user->hasRole($roleB->id));
+        $this->assertFalse($user->hasRole($roleC->id));
+    }
+
+    public function test_login_group_sync_with_nested_groups_in_token()
+    {
+        config()->set([
+            'oidc.user_to_groups'     => true,
+            'oidc.group_attribute'    => 'my.custom.groups.attr',
+            'oidc.remove_from_groups' => false,
+        ]);
+        $roleA = Role::factory()->create(['display_name' => 'Wizards']);
+
+        $resp = $this->runLogin([
+            'email'  => '[email protected]',
+            'sub'    => 'benny1010101',
+            'my'     => [
+                'custom' => [
+                    'groups' => [
+                        'attr' => ['Wizards'],
+                    ],
+                ],
+            ],
+        ]);
+        $resp->assertRedirect('/');
+
+        /** @var User $user */
+        $user = User::query()->where('email', '=', '[email protected]')->first();
+        $this->assertTrue($user->hasRole($roleA->id));
+    }
+
     protected function withAutodiscovery()
     {
         config()->set([