namespace Tests\Auth;
use BookStack\Actions\ActivityType;
+use BookStack\Auth\Role;
use BookStack\Auth\User;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
'oidc.token_endpoint' => 'https://oidc.local/token',
'oidc.discover' => false,
'oidc.dump_user_details' => false,
+ 'oidc.additional_scopes' => '',
+ 'oidc.user_to_groups' => false,
+ 'oidc.group_attribute' => 'group',
+ 'oidc.remove_from_groups' => false,
]);
}
$this->assertActivityExists(ActivityType::AUTH_LOGIN, null, "oidc; ({$user->id}) Barry Scott");
}
+ public function test_login_uses_custom_additional_scopes_if_defined()
+ {
+ config()->set([
+ 'oidc.additional_scopes' => 'groups, badgers',
+ ]);
+
+ $redirect = $this->post('/oidc/login')->headers->get('location');
+
+ $this->assertStringContainsString('scope=openid%20profile%20email%20groups%20badgers', $redirect);
+ }
+
public function test_callback_fails_if_no_state_present_or_matching()
{
$this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=abc124');
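Review bot: The new test only pins the populated case (`'groups, badgers'`, which also implicitly checks that the comma-separated value is trimmed), while the default this same change introduces is an empty string, and nothing asserts that an empty or whitespace-only `oidc.additional_scopes` leaves the scope list as exactly `openid profile email` rather than appending a trailing separator or an empty scope. A second test with `config()->set(['oidc.additional_scopes' => ' '])` and `$this->assertMatchesRegularExpression('/scope=openid%20profile%20email(&|$)/', $redirect);` would close that gap; a stray empty scope is the kind of thing some providers reject outright, so it is worth pinning here rather than discovering in production. The enclosing test class starts outside this hunk, so I cannot see whether another test already covers the empty default.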
$this->assertTrue(auth()->check());
}
+ public function test_login_group_sync()
+ {
+ config()->set([
+ 'oidc.user_to_groups' => true,
+ 'oidc.group_attribute' => 'groups',
+ 'oidc.remove_from_groups' => false,
+ ]);
+ $roleA = Role::factory()->create(['display_name' => 'Wizards']);
+ $roleB = Role::factory()->create(['display_name' => 'ZooFolks', 'external_auth_id' => 'zookeepers']);
+ $roleC = Role::factory()->create(['display_name' => 'Another Role']);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'groups' => ['Wizards', 'Zookeepers'],
+ ]);
+ $resp->assertRedirect('/');
+
+ /** @var User $user */
+
+ $this->assertTrue($user->hasRole($roleA->id));
+ $this->assertTrue($user->hasRole($roleB->id));
+ $this->assertFalse($user->hasRole($roleC->id));
+ }
+
+ public function test_login_group_sync_with_nested_groups_in_token()
+ {
+ config()->set([
+ 'oidc.user_to_groups' => true,
+ 'oidc.group_attribute' => 'my.custom.groups.attr',
+ 'oidc.remove_from_groups' => false,
+ ]);
+ $roleA = Role::factory()->create(['display_name' => 'Wizards']);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'my' => [
+ 'custom' => [
+ 'groups' => [
+ 'attr' => ['Wizards'],
+ ],
+ ],
+ ],
+ ]);
+ $resp->assertRedirect('/');
+
+ /** @var User $user */
+ $this->assertTrue($user->hasRole($roleA->id));
+ }
+
protected function withAutodiscovery()
{
config()->set([
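Review bot: `$user` is read on the `hasRole` assertions (the lines after each `/** @var User $user */` docblock) but no assignment appears anywhere in the hunk; the docblock sits above an empty line in both tests, so either the lookup line (presumably a `User::query()->where(...)->first()` on the `benny1010101` subject) was lost in rendering, or both tests fail on an undefined variable. Beyond that, only `'oidc.remove_from_groups' => false` is exercised, so the revocation half of group sync, removing roles that are no longer in the token when the option is `true`, has no test, and that is the security-relevant direction: a stale `ZooFolks`/admin-style role surviving a login whose token no longer carries the group is exactly what the option is meant to prevent. The nested-attribute test likewise covers only the path where every segment of `my.custom.groups.attr` exists; a token missing `my` should be pinned to grant no role while still redirecting to `/`, so a typo in `oidc.group_attribute` does not become a fatal. The class header and `runLogin` are outside this hunk, so how the user is looked up and whether a user can be pre-assigned a role via a helper is inferred, not seen.
```php
public function test_login_group_sync_removes_roles_not_in_token_when_enabled()
{
    config()->set([
        'oidc.user_to_groups' => true,
        'oidc.group_attribute' => 'groups',
        'oidc.remove_from_groups' => true,
    ]);
    $roleA = Role::factory()->create(['display_name' => 'Wizards']);
    $roleB = Role::factory()->create(['display_name' => 'ZooFolks']);
    // … give the benny1010101 user both roles first (a prior runLogin with
    //     ['Wizards', 'ZooFolks'] in the token, or the User model's role-attach helper) …
    $resp = $this->runLogin([
        'sub' => 'benny1010101',
        'groups' => ['Wizards'],
    ]);
    $resp->assertRedirect('/');
    // … look the user up as test_login_group_sync does …
    $this->assertTrue($user->hasRole($roleA->id));
    $this->assertFalse($user->hasRole($roleB->id));
}
```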