feat: Add OIDC_CLIENT_SECRET and other changes for v2 (#4254)

Co-authored-by: boc-the-git <3479092+boc-the-git@users.noreply.github.com>
2025-08-06 14:05:21 +02:00 · 2024-10-05 16:12:11 -05:00 · 2024-10-05 16:12:11 -05:00 · 5ed0ec029b
commit 5ed0ec029b
parent 4f1abcf4a3
31 changed files with 530 additions and 349 deletions
--- a/tests/e2e/docker/docker-compose.yml
+++ b/tests/e2e/docker/docker-compose.yml
@ -2,7 +2,7 @@ version: "3.4"
 services:
  oidc-mock-server:
    container_name: oidc-mock-server
-    image: ghcr.io/navikt/mock-oauth2-server:2.1.0
+    image: ghcr.io/navikt/mock-oauth2-server:2.1.9
    network_mode: host
    environment:
      LOG_LEVEL: "debug"
@ -34,6 +34,7 @@ services:
      OIDC_ADMIN_GROUP: admin
      OIDC_CONFIGURATION_URL: http://localhost:8080/default/.well-known/openid-configuration
      OIDC_CLIENT_ID: default
+      OIDC_CLIENT_SECRET: secret

      LDAP_AUTH_ENABLED: True
      LDAP_SERVER_URL: ldap://localhost:10389
--- a/tests/e2e/yarn.lock
+++ b/tests/e2e/yarn.lock
@ -3,39 +3,39 @@


 "@playwright/test@^1.40.1":
-  version "1.40.1"
-  resolved "https://registry.yarnpkg.com/@playwright/test/-/test-1.40.1.tgz#9e66322d97b1d74b9f8718bacab15080f24cde65"
-  integrity sha512-EaaawMTOeEItCRvfmkI9v6rBkF1svM8wjl/YPRrg2N2Wmp+4qJYkWtJsbew1szfKKDm6fPLy4YAanBhIlf9dWw==
+  version "1.47.2"
+  resolved "https://registry.yarnpkg.com/@playwright/test/-/test-1.47.2.tgz#dbe7051336bfc5cc599954214f9111181dbc7475"
+  integrity sha512-jTXRsoSPONAs8Za9QEQdyjFn+0ZQFjCiIztAIF6bi1HqhBzG9Ma7g1WotyiGqFSBRZjIEqMdT8RUlbk1QVhzCQ==
  dependencies:
-    playwright "1.40.1"
+    playwright "1.47.2"

 "@types/node@^20.10.4":
-  version "20.10.4"
-  resolved "https://registry.yarnpkg.com/@types/node/-/node-20.10.4.tgz#b246fd84d55d5b1b71bf51f964bd514409347198"
-  integrity sha512-D08YG6rr8X90YB56tSIuBaddy/UXAA9RKJoFvrsnogAum/0pmjkgi4+2nx96A330FmioegBWmEYQ+syqCFaveg==
+  version "20.16.5"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-20.16.5.tgz#d43c7f973b32ffdf9aa7bd4f80e1072310fd7a53"
+  integrity sha512-VwYCweNo3ERajwy0IUlqqcyZ8/A7Zwa9ZP3MnENWcB11AejO+tLy3pu850goUW2FC/IJMdZUfKpX/yxL1gymCA==
  dependencies:
-    undici-types "~5.26.4"
+    undici-types "~6.19.2"

 fsevents@2.3.2:
  version "2.3.2"
  resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.2.tgz#8a526f78b8fdf4623b709e0b975c52c24c02fd1a"
  integrity sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==

-playwright-core@1.40.1:
-  version "1.40.1"
-  resolved "https://registry.yarnpkg.com/playwright-core/-/playwright-core-1.40.1.tgz#442d15e86866a87d90d07af528e0afabe4c75c05"
-  integrity sha512-+hkOycxPiV534c4HhpfX6yrlawqVUzITRKwHAmYfmsVreltEl6fAZJ3DPfLMOODw0H3s1Itd6MDCWmP1fl/QvQ==
+playwright-core@1.47.2:
+  version "1.47.2"
+  resolved "https://registry.yarnpkg.com/playwright-core/-/playwright-core-1.47.2.tgz#7858da9377fa32a08be46ba47d7523dbd9460a4e"
+  integrity sha512-3JvMfF+9LJfe16l7AbSmU555PaTl2tPyQsVInqm3id16pdDfvZ8TTZ/pyzmkbDrZTQefyzU7AIHlZqQnxpqHVQ==

-playwright@1.40.1:
-  version "1.40.1"
-  resolved "https://registry.yarnpkg.com/playwright/-/playwright-1.40.1.tgz#a11bf8dca15be5a194851dbbf3df235b9f53d7ae"
-  integrity sha512-2eHI7IioIpQ0bS1Ovg/HszsN/XKNwEG1kbzSDDmADpclKc7CyqkHw7Mg2JCz/bbCxg25QUPcjksoMW7JcIFQmw==
+playwright@1.47.2:
+  version "1.47.2"
+  resolved "https://registry.yarnpkg.com/playwright/-/playwright-1.47.2.tgz#155688aa06491ee21fb3e7555b748b525f86eb20"
+  integrity sha512-nx1cLMmQWqmA3UsnjaaokyoUpdVaaDhJhMoxX2qj3McpjnsqFHs516QAKYhqHAgOP+oCFTEOCOAaD1RgD/RQfA==
  dependencies:
-    playwright-core "1.40.1"
+    playwright-core "1.47.2"
  optionalDependencies:
    fsevents "2.3.2"

-undici-types@~5.26.4:
-  version "5.26.5"
-  resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-5.26.5.tgz#bcd539893d00b56e964fd2657a4866b221a65617"
-  integrity sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==
+undici-types@~6.19.2:
+  version "6.19.8"
+  resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-6.19.8.tgz#35111c9d1437ab83a7cdc0abae2f26d88eda0a02"
+  integrity sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==
--- a/tests/unit_tests/core/security/providers/test_openid_provider.py
+++ b/tests/unit_tests/core/security/providers/test_openid_provider.py
@ -0,0 +1,127 @@
+from pytest import MonkeyPatch, Session
+
+from mealie.core.config import get_app_settings
+from mealie.core.security.providers.openid_provider import OpenIDProvider
+from mealie.repos.all_repositories import get_repositories
+from tests.utils.fixture_schemas import TestUser
+
+
+def test_no_claims():
+    auth_provider = OpenIDProvider(None, None)
+
+    assert auth_provider.authenticate() is None
+
+
+def test_empty_claims():
+    auth_provider = OpenIDProvider(None, {})
+
+    assert auth_provider.authenticate() is None
+
+
+def test_missing_claims():
+    data = {"preferred_username": "dude1"}
+    auth_provider = OpenIDProvider(None, data)
+
+    assert auth_provider.authenticate() is None
+
+
+def test_missing_groups_claim(monkeypatch: MonkeyPatch):
+    monkeypatch.setenv("OIDC_USER_GROUP", "mealie_user")
+    get_app_settings.cache_clear()
+
+    data = {
+        "preferred_username": "dude1",
+        "email": "email@email.com",
+        "name": "Firstname Lastname",
+    }
+    auth_provider = OpenIDProvider(None, data)
+
+    assert auth_provider.authenticate() is None
+
+
+def test_missing_user_group(monkeypatch: MonkeyPatch):
+    monkeypatch.setenv("OIDC_USER_GROUP", "mealie_user")
+    get_app_settings.cache_clear()
+
+    data = {
+        "preferred_username": "dude1",
+        "email": "email@email.com",
+        "name": "Firstname Lastname",
+        "groups": ["not_mealie_user"],
+    }
+    auth_provider = OpenIDProvider(None, data)
+
+    assert auth_provider.authenticate() is None
+
+
+def test_has_user_group_existing_user(monkeypatch: MonkeyPatch, unique_user: TestUser):
+    monkeypatch.setenv("OIDC_USER_GROUP", "mealie_user")
+    get_app_settings.cache_clear()
+
+    data = {
+        "preferred_username": "dude1",
+        "email": unique_user.email,
+        "name": "Firstname Lastname",
+        "groups": ["mealie_user"],
+    }
+    auth_provider = OpenIDProvider(unique_user.repos.session, data)
+
+    assert auth_provider.authenticate() is not None
+
+
+def test_has_admin_group_existing_user(monkeypatch: MonkeyPatch, unique_user: TestUser):
+    monkeypatch.setenv("OIDC_USER_GROUP", "mealie_user")
+    monkeypatch.setenv("OIDC_ADMIN_GROUP", "mealie_admin")
+    get_app_settings.cache_clear()
+
+    data = {
+        "preferred_username": "dude1",
+        "email": unique_user.email,
+        "name": "Firstname Lastname",
+        "groups": ["mealie_admin"],
+    }
+    auth_provider = OpenIDProvider(unique_user.repos.session, data)
+
+    assert auth_provider.authenticate() is not None
+
+
+def test_has_user_group_new_user(monkeypatch: MonkeyPatch, session: Session):
+    monkeypatch.setenv("OIDC_USER_GROUP", "mealie_user")
+    monkeypatch.setenv("OIDC_ADMIN_GROUP", "mealie_admin")
+    get_app_settings.cache_clear()
+
+    data = {
+        "preferred_username": "dude1",
+        "email": "dude1@email.com",
+        "name": "Firstname Lastname",
+        "groups": ["mealie_user"],
+    }
+    auth_provider = OpenIDProvider(session, data)
+
+    assert auth_provider.authenticate() is not None
+
+    db = get_repositories(session, group_id=None, household_id=None)
+    user = db.users.get_one("dude1", "username")
+    assert user is not None
+    assert not user.admin
+
+
+def test_has_admin_group_new_user(monkeypatch: MonkeyPatch, session: Session):
+    monkeypatch.setenv("OIDC_USER_GROUP", "mealie_user")
+    monkeypatch.setenv("OIDC_ADMIN_GROUP", "mealie_admin")
+    get_app_settings.cache_clear()
+
+    data = {
+        "preferred_username": "dude2",
+        "email": "dude2@email.com",
+        "name": "Firstname Lastname",
+        "groups": ["mealie_admin"],
+    }
+    auth_provider = OpenIDProvider(session, data)
+
+    assert auth_provider.authenticate() is not None
+
+    db = get_repositories(session, group_id=None, household_id=None)
+    user = db.users.get_one("dude2", "username")
+    assert user is not None
+    assert user.admin
--- a/tests/unit_tests/test_security.py
+++ b/tests/unit_tests/test_security.py
@ -6,7 +6,10 @@ from pytest import MonkeyPatch
 from mealie.core import security
 from mealie.core.config import get_app_settings
 from mealie.core.dependencies import validate_file_token
-from mealie.core.security.providers.credentials_provider import CredentialsProvider, CredentialsRequest
+from mealie.core.security.providers.credentials_provider import (
+    CredentialsProvider,
+    CredentialsRequest,
+)
 from mealie.core.security.providers.ldap_provider import LDAPProvider
 from mealie.db.db_setup import session_context
 from mealie.db.models.users.users import AuthMethod
@ -102,7 +105,10 @@ def setup_env(monkeypatch: MonkeyPatch):
    monkeypatch.setenv("LDAP_BASE_DN", base_dn)
    monkeypatch.setenv("LDAP_QUERY_BIND", query_bind)
    monkeypatch.setenv("LDAP_QUERY_PASSWORD", query_password)
-    monkeypatch.setenv("LDAP_USER_FILTER", "(&(objectClass=user)(|({id_attribute}={input})({mail_attribute}={input})))")
+    monkeypatch.setenv(
+        "LDAP_USER_FILTER",
+        "(&(objectClass=user)(|({id_attribute}={input})({mail_attribute}={input})))",
+    )

    return user, mail, name, password, query_bind, query_password

@ -208,15 +214,11 @@ def test_ldap_user_creation_admin(monkeypatch: MonkeyPatch):
 def test_ldap_disabled(monkeypatch: MonkeyPatch):
    monkeypatch.setenv("LDAP_AUTH_ENABLED", "False")

-    class Request:
-        def __init__(self, auth_strategy: str):
-            self.cookies = {"mealie.auth.strategy": auth_strategy}
-
    get_app_settings.cache_clear()

    with session_context() as session:
        form = CredentialsRequestForm("username", "password", False)
-        provider = security.get_auth_provider(session, Request("local"), form)
+        provider = security.get_auth_provider(session, form)

    assert isinstance(provider, CredentialsProvider)

@ -230,7 +232,15 @@ def test_user_login_ldap_auth_method(monkeypatch: MonkeyPatch, ldap_user: Privat

    def ldap_initialize_mock(url):
        assert url == ""
-        return LdapConnMock(ldap_user.username, ldap_password, False, query_bind, query_password, ldap_user.email, name)
+        return LdapConnMock(
+            ldap_user.username,
+            ldap_password,
+            False,
+            query_bind,
+            query_password,
+            ldap_user.email,
+            name,
+        )

    monkeypatch.setattr(ldap, "initialize", ldap_initialize_mock)

--- a/tests/utils/api_routes/init.py
+++ b/tests/utils/api_routes/init.py
@ -45,6 +45,10 @@ app_about_theme = "/api/app/about/theme"
 """`/api/app/about/theme`"""
 auth_logout = "/api/auth/logout"
 """`/api/auth/logout`"""
+auth_oauth = "/api/auth/oauth"
+"""`/api/auth/oauth`"""
+auth_oauth_callback = "/api/auth/oauth/callback"
+"""`/api/auth/oauth/callback`"""
 auth_refresh = "/api/auth/refresh"
 """`/api/auth/refresh`"""
 auth_token = "/api/auth/token"