ariadne/tests/test_oauth2_proxy.py


from __future__ import annotations
from types import SimpleNamespace
from ariadne.services import oauth2_proxy as oauth_module
from ariadne.services.oauth2_proxy import OAuth2ProxyService, _oauth_client_payload, _valid_cookie_secret
def test_oauth_client_payload() -> None:
    """Check the client payload built for client id "wolf" and its base URL.

    The redirect URI and web origin lists are compared for exact equality,
    so a wildcard entry or any additional URI in either list fails the test.
    """
    client = _oauth_client_payload("wolf", "https://wolf.bstein.dev")

    expected_fields = (
        ("clientId", "wolf"),
        ("redirectUris", ["https://wolf.bstein.dev/oauth2/callback"]),
        ("webOrigins", ["https://wolf.bstein.dev"]),
    )
    for field, expected in expected_fields:
        assert client[field] == expected
def test_valid_cookie_secret() -> None:
    """Check that _valid_cookie_secret keeps a 32-character value and blanks others.

    A 32-character string is returned unchanged; a 5-character string and
    None both come back as the empty string.
    """
    # Constructed sample value, not a real secret.
    full_length = "x" * 32
    assert _valid_cookie_secret(full_length) == full_length

    # NOTE(review): only these two rejects are exercised; the exact length
    # boundary (e.g. 31 or 33 characters) is not pinned by this test.
    for rejected in ("short", None):
        assert _valid_cookie_secret(rejected) == ""
def test_ensure_wolf_creates_client_and_writes_vault(monkeypatch) -> None:
    """Run ensure_wolf() against stub Keycloak and Vault objects.

    The Keycloak stub reports no client until create_client() has been
    called, so the run is expected to create, update and attach the
    "groups" scope in that order. The Vault stub already holds a cookie
    secret, and the test expects that same value, together with the
    client secret from Keycloak, in the data handed to write_kv_secret().
    """
    wolf_settings = SimpleNamespace(
        wolf_oidc_client_id="wolf",
        wolf_oidc_base_url="https://wolf.bstein.dev",
        wolf_oidc_vault_path="game-stream/wolf-oidc",
    )
    monkeypatch.setattr(oauth_module, "settings", wolf_settings)

    # Ordered log of the mutating Keycloak calls made by the service.
    events: list[str] = []
    # Captures the arguments of the last write_kv_secret() call.
    vault_write = {}

    class DummyKeycloak:
        """Keycloak admin stub whose client only exists after create_client()."""

        def __init__(self) -> None:
            self.created = False

        def ready(self):
            return True

        def find_client(self, client_id):
            # Behaves like an empty realm until the service creates the client.
            return {"id": "client-uuid", "clientId": client_id} if self.created else None

        def create_client(self, _payload):
            self.created = True
            events.append("create")

        def update_client(self, _client_uuid, _payload):
            events.append("update")

        def find_client_scope_id(self, name):
            # The service must look up the "groups" scope and nothing else.
            assert name == "groups"
            return "scope-uuid"

        def attach_optional_client_scope(self, _client_uuid, _scope_id):
            events.append("scope")

        def get_client_secret(self, _client_uuid):
            # Constructed placeholder, not a real credential.
            return "client-secret"

    class DummyVault:
        """Vault stub with a pre-existing cookie secret at the configured path."""

        def read_kv_secret(self, path):
            assert path == "game-stream/wolf-oidc"
            return {"cookie_secret": "a" * 32}

        def write_kv_secret(self, path, data):
            vault_write.update(path=path, data=data)

    monkeypatch.setattr(oauth_module, "keycloak_admin", DummyKeycloak())
    monkeypatch.setattr(oauth_module, "vault", DummyVault())

    outcome = OAuth2ProxyService().ensure_wolf()

    assert outcome["status"] == "ok"
    assert events == ["create", "update", "scope"]

    # NOTE(review): the write path is captured in vault_write["path"] but never
    # asserted; only the secret fields of the written data are checked.
    stored = vault_write["data"]
    assert stored["client_secret"] == "client-secret"
    assert stored["cookie_secret"] == "a" * 32
def test_ensure_wolf_reports_missing_keycloak(monkeypatch) -> None:
    """Check that ensure_wolf() reports an error status when Keycloak is not ready."""
    wolf_settings = SimpleNamespace(
        wolf_oidc_client_id="wolf",
        wolf_oidc_base_url="https://wolf.bstein.dev",
        wolf_oidc_vault_path="game-stream/wolf-oidc",
    )
    monkeypatch.setattr(oauth_module, "settings", wolf_settings)

    # The stub exposes only ready(); any other attribute access on it raises
    # AttributeError.
    # NOTE(review): vault is not patched here, so this presumably relies on
    # ensure_wolf() returning before it touches Vault. Confirm against the
    # service code.
    unready_keycloak = SimpleNamespace(ready=lambda: False)
    monkeypatch.setattr(oauth_module, "keycloak_admin", unready_keycloak)

    outcome = OAuth2ProxyService().ensure_wolf()
    assert outcome["status"] == "error"