Phil Skentelbery
115e733604
Merges Phase 4a work including: Implementation: - Metadata discovery endpoint (/api/.well-known/oauth-authorization-server) - h-app microformat parser service - Enhanced authorization endpoint with client info display - Configuration management system - Dependency injection framework Documentation: - Comprehensive gap analysis for v1.0.0 compliance - Phase 4a clarifications on development approach - Phase 4-5 critical components breakdown Testing: - Unit tests for h-app parser (308 lines, comprehensive coverage) - Unit tests for metadata endpoint (134 lines) - Unit tests for configuration system (18 lines) - Integration test updates All tests passing with high coverage. Ready for Phase 4b security hardening.
135 lines
5.4 KiB
Python
135 lines
5.4 KiB
Python
"""Tests for metadata endpoint."""
|
|
import json
|
|
|
|
import pytest
|
|
from fastapi.testclient import TestClient
|
|
|
|
|
|
class TestMetadataEndpoint:
|
|
"""Tests for OAuth 2.0 Authorization Server Metadata endpoint."""
|
|
|
|
@pytest.fixture
|
|
def client(self, monkeypatch):
|
|
"""Create test client with valid configuration."""
|
|
monkeypatch.setenv("GONDULF_SECRET_KEY", "test-secret-key-must-be-at-least-32-chars-long")
|
|
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
|
|
|
|
# Import app AFTER setting env vars
|
|
from gondulf.main import app
|
|
|
|
return TestClient(app)
|
|
|
|
def test_metadata_endpoint_returns_200(self, client):
|
|
"""Test metadata endpoint returns 200 OK."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
assert response.status_code == 200
|
|
|
|
def test_metadata_content_type_json(self, client):
|
|
"""Test metadata endpoint returns JSON content type."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
assert response.headers["content-type"] == "application/json"
|
|
|
|
def test_metadata_cache_control_header(self, client):
|
|
"""Test metadata endpoint sets Cache-Control header."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
assert "cache-control" in response.headers
|
|
assert "public" in response.headers["cache-control"]
|
|
assert "max-age=86400" in response.headers["cache-control"]
|
|
|
|
def test_metadata_all_required_fields_present(self, client):
|
|
"""Test metadata response contains all required fields."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
required_fields = [
|
|
"issuer",
|
|
"authorization_endpoint",
|
|
"token_endpoint",
|
|
"response_types_supported",
|
|
"grant_types_supported",
|
|
"code_challenge_methods_supported",
|
|
"token_endpoint_auth_methods_supported",
|
|
"revocation_endpoint_auth_methods_supported",
|
|
"scopes_supported"
|
|
]
|
|
|
|
for field in required_fields:
|
|
assert field in data, f"Missing required field: {field}"
|
|
|
|
def test_metadata_issuer_matches_base_url(self, client):
|
|
"""Test issuer field matches BASE_URL configuration."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["issuer"] == "https://auth.example.com"
|
|
|
|
def test_metadata_authorization_endpoint_correct(self, client):
|
|
"""Test authorization_endpoint field is correct."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["authorization_endpoint"] == "https://auth.example.com/authorize"
|
|
|
|
def test_metadata_token_endpoint_correct(self, client):
|
|
"""Test token_endpoint field is correct."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["token_endpoint"] == "https://auth.example.com/token"
|
|
|
|
def test_metadata_response_types_supported(self, client):
|
|
"""Test response_types_supported contains only 'code'."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["response_types_supported"] == ["code"]
|
|
|
|
def test_metadata_grant_types_supported(self, client):
|
|
"""Test grant_types_supported contains only 'authorization_code'."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["grant_types_supported"] == ["authorization_code"]
|
|
|
|
def test_metadata_code_challenge_methods_empty(self, client):
|
|
"""Test code_challenge_methods_supported is empty array."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["code_challenge_methods_supported"] == []
|
|
|
|
def test_metadata_token_endpoint_auth_methods(self, client):
|
|
"""Test token_endpoint_auth_methods_supported contains 'none'."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["token_endpoint_auth_methods_supported"] == ["none"]
|
|
|
|
def test_metadata_revocation_endpoint_auth_methods(self, client):
|
|
"""Test revocation_endpoint_auth_methods_supported contains 'none'."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["revocation_endpoint_auth_methods_supported"] == ["none"]
|
|
|
|
def test_metadata_scopes_supported_empty(self, client):
|
|
"""Test scopes_supported is empty array."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
data = response.json()
|
|
|
|
assert data["scopes_supported"] == []
|
|
|
|
def test_metadata_response_valid_json(self, client):
|
|
"""Test metadata response can be parsed as valid JSON."""
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
|
|
# Should not raise exception
|
|
data = json.loads(response.content)
|
|
assert isinstance(data, dict)
|
|
|
|
def test_metadata_endpoint_no_authentication_required(self, client):
|
|
"""Test metadata endpoint is accessible without authentication."""
|
|
# No authentication headers
|
|
response = client.get("/.well-known/oauth-authorization-server")
|
|
assert response.status_code == 200
|