
Refactor OIDC tests to better mimic an actual OIDC provider
Instead of constantly mocking the internal methods of the OIDC handler,
it now mocks HTTP responses
sandhose committed Sep 22, 2022
1 parent 0d33dd9 commit 865390f
Showing 2 changed files with 531 additions and 302 deletions.
19 changes: 11 additions & 8 deletions synapse/handlers/oidc.py
Expand Up @@ -44,7 +44,7 @@
MacaroonInitException,
MacaroonInvalidSignatureException,
)
from typing_extensions import TypedDict
from typing_extensions import NotRequired, TypedDict

from twisted.web.client import readBody
from twisted.web.http_headers import Headers
Expand Down Expand Up @@ -95,10 +95,10 @@
class Token(TypedDict):
access_token: str
token_type: str
id_token: Optional[str]
refresh_token: Optional[str]
id_token: NotRequired[str]
refresh_token: NotRequired[str]
expires_in: int
scope: Optional[str]
scope: NotRequired[str]


#: A JWK, as per RFC7517 sec 4. The type could be more precise than that, but
Expand Down Expand Up @@ -367,6 +367,7 @@ def __init__(
provider: OidcProviderConfig,
):
self._store = hs.get_datastores().main
self._clock = hs.get_clock()

self._macaroon_generaton = macaroon_generator

Expand Down Expand Up @@ -847,7 +848,9 @@ async def _verify_jwt(

logger.debug("Decoded JWT (%s) %r; validating", claims_cls.__name__, claims)

claims.validate(leeway=120) # allows 2 min of clock skew
claims.validate(
now=self._clock.time(), leeway=120
) # allows 2 min of clock skew
return claims

async def _parse_id_token(self, token: Token, nonce: str) -> CodeIDToken:
Expand All @@ -862,7 +865,7 @@ async def _parse_id_token(self, token: Token, nonce: str) -> CodeIDToken:
Returns:
The decoded claims in the ID token.
"""
id_token = token["id_token"]
id_token = token.get("id_token")

# That has been theoritically been checked by the caller, so even though
# assertion are not enabled in production, it is mainly here to appease mypy
Expand Down Expand Up @@ -1294,8 +1297,8 @@ async def handle_backchannel_logout(
# `user_id`. Hence, we have to iterate over the list of devices and log them out
# one by one.
for device in devices:
user_id = device["user_id"]
device_id = device["device_id"]
user_id: str = device["user_id"]
device_id: str = device["device_id"]

# If the user_id associated with that device/session is not the one we got
# out of the `sub` claim, skip that device and show log an error.
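Review bot: `id_token = token.get("id_token")` in the `_parse_id_token` hunk now yields `None` when the provider's token response omits `id_token`, and the context comment directly below says the only guard is an assertion kept for mypy and not enabled in production, so a production run would hand `None` on to the JWT verification that follows. Since the commit's stated goal is to mimic real providers more closely, an explicit check is safer than relying on the caller: `if id_token is None: raise OidcError("missing_id_token", "token response did not contain an id_token")`, using the handler's existing OIDC error type. The rest of `_parse_id_token`, including the assertion itself, lies outside this hunk, so the presence of the assert is inferred from the comment. The same context comment contains the typo `theoritically`, which could be fixed in passing.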