5f144ba4d2
- Add for/id attributes to all form labels for accessibility compliance - Add <title> tags to PDF templates (rgpd_access, rgpd_no_data, rgpd_deletion, contrat_revendeur) - Add role="presentation" to email layout tables - Remove deprecated cellpadding/cellspacing attributes from all templates - Fix PHPUnit notices by replacing createMock with createStub where no expectations are set Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
178 lines
6.8 KiB
PHP
178 lines
6.8 KiB
PHP
<?php
|
|
|
|
namespace App\Tests\Security;
|
|
|
|
use App\Entity\User;
|
|
use App\Repository\UserRepository;
|
|
use App\Security\KeycloakAuthenticator;
|
|
use Doctrine\ORM\EntityManagerInterface;
|
|
use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
|
|
use KnpU\OAuth2ClientBundle\Client\OAuth2ClientInterface;
|
|
use League\OAuth2\Client\Provider\ResourceOwnerInterface;
|
|
use League\OAuth2\Client\Token\AccessToken;
|
|
use PHPUnit\Framework\TestCase;
|
|
use Symfony\Component\HttpFoundation\RedirectResponse;
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
|
|
use Symfony\Component\HttpFoundation\Session\FlashBagAwareSessionInterface;
|
|
use Symfony\Component\Routing\RouterInterface;
|
|
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
|
|
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
|
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
|
|
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
|
|
|
|
class KeycloakAuthenticatorTest extends TestCase
|
|
{
|
|
private ClientRegistry $clientRegistry;
|
|
private EntityManagerInterface $em;
|
|
private UserRepository $userRepository;
|
|
private RouterInterface $router;
|
|
private KeycloakAuthenticator $authenticator;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
$this->clientRegistry = $this->createStub(ClientRegistry::class);
|
|
$this->em = $this->createStub(EntityManagerInterface::class);
|
|
$this->userRepository = $this->createStub(UserRepository::class);
|
|
$this->router = $this->createStub(RouterInterface::class);
|
|
|
|
$this->authenticator = new KeycloakAuthenticator(
|
|
$this->clientRegistry,
|
|
$this->em,
|
|
$this->userRepository,
|
|
$this->router,
|
|
);
|
|
}
|
|
|
|
public function testSupports(): void
|
|
{
|
|
$request = new Request();
|
|
$request->attributes->set('_route', 'connect_keycloak_check');
|
|
$this->assertTrue($this->authenticator->supports($request));
|
|
|
|
$request->attributes->set('_route', 'other_route');
|
|
$this->assertFalse($this->authenticator->supports($request));
|
|
}
|
|
|
|
public function testAuthenticate(): void
|
|
{
|
|
$request = new Request();
|
|
$client = $this->createStub(OAuth2ClientInterface::class);
|
|
|
|
$accessToken = new AccessToken(['access_token' => 'fake-token']);
|
|
|
|
$this->clientRegistry->method('getClient')->willReturn($client);
|
|
$client->method('getAccessToken')->willReturn($accessToken);
|
|
|
|
$passport = $this->authenticator->authenticate($request);
|
|
$this->assertInstanceOf(SelfValidatingPassport::class, $passport);
|
|
|
|
$userBadge = $passport->getBadge(UserBadge::class);
|
|
$this->assertNotNull($userBadge);
|
|
|
|
$keycloakUser = $this->createStub(ResourceOwnerInterface::class);
|
|
$keycloakUser->method('toArray')->willReturn([
|
|
'sub' => '123',
|
|
'email' => 'test@example.com',
|
|
'given_name' => 'John',
|
|
'family_name' => 'Doe',
|
|
'groups' => ['super_admin_asso'],
|
|
]);
|
|
|
|
$client->method('fetchUserFromToken')->willReturn($keycloakUser);
|
|
$this->userRepository->method('findOneBy')->willReturn(null);
|
|
|
|
$em = $this->createMock(EntityManagerInterface::class);
|
|
$em->expects($this->once())->method('persist');
|
|
$em->expects($this->once())->method('flush');
|
|
|
|
// Recreate authenticator with mock em for expectations
|
|
$authenticator = new KeycloakAuthenticator(
|
|
$this->clientRegistry,
|
|
$em,
|
|
$this->userRepository,
|
|
$this->router,
|
|
);
|
|
$passport = $authenticator->authenticate($request);
|
|
$userBadge = $passport->getBadge(UserBadge::class);
|
|
|
|
$user = $userBadge->getUser();
|
|
$this->assertInstanceOf(User::class, $user);
|
|
$this->assertEquals('123', $user->getKeycloakId());
|
|
$this->assertEquals('test@example.com', $user->getEmail());
|
|
$this->assertContains('ROLE_ROOT', $user->getRoles());
|
|
}
|
|
|
|
public function testAuthenticateExistingUserByEmail(): void
|
|
{
|
|
$request = new Request();
|
|
$client = $this->createStub(OAuth2ClientInterface::class);
|
|
$accessToken = new AccessToken(['access_token' => 'fake-token']);
|
|
$this->clientRegistry->method('getClient')->willReturn($client);
|
|
$client->method('getAccessToken')->willReturn($accessToken);
|
|
|
|
$passport = $this->authenticator->authenticate($request);
|
|
$userBadge = $passport->getBadge(UserBadge::class);
|
|
|
|
$keycloakUser = $this->createStub(ResourceOwnerInterface::class);
|
|
$keycloakUser->method('toArray')->willReturn([
|
|
'sub' => '123',
|
|
'email' => 'existing@example.com',
|
|
'groups' => [],
|
|
]);
|
|
$client->method('fetchUserFromToken')->willReturn($keycloakUser);
|
|
|
|
$existingUser = new User();
|
|
$this->userRepository->method('findOneBy')->willReturnCallback(function ($criteria) use ($existingUser) {
|
|
if (isset($criteria['email']) && 'existing@example.com' === $criteria['email']) {
|
|
return $existingUser;
|
|
}
|
|
|
|
return null;
|
|
});
|
|
|
|
$user = $userBadge->getUser();
|
|
$this->assertSame($existingUser, $user);
|
|
$this->assertEquals('123', $user->getKeycloakId());
|
|
$this->assertContains('ROLE_EMPLOYE', $user->getRoles());
|
|
}
|
|
|
|
public function testOnAuthenticationSuccess(): void
|
|
{
|
|
$request = new Request();
|
|
$token = $this->createStub(TokenInterface::class);
|
|
$this->router->method('generate')->willReturn('/home');
|
|
|
|
$response = $this->authenticator->onAuthenticationSuccess($request, $token, 'main');
|
|
$this->assertInstanceOf(RedirectResponse::class, $response);
|
|
$this->assertEquals('/home', $response->getTargetUrl());
|
|
}
|
|
|
|
public function testOnAuthenticationFailure(): void
|
|
{
|
|
$request = $this->createStub(Request::class);
|
|
|
|
$flashBag = $this->createMock(FlashBagInterface::class);
|
|
$flashBag->expects($this->once())->method('add')->with('error', $this->anything());
|
|
|
|
$session = $this->createStub(FlashBagAwareSessionInterface::class);
|
|
$session->method('getFlashBag')->willReturn($flashBag);
|
|
|
|
$request->method('getSession')->willReturn($session);
|
|
$this->router->method('generate')->willReturn('/home');
|
|
|
|
$response = $this->authenticator->onAuthenticationFailure($request, new AuthenticationException());
|
|
$this->assertInstanceOf(RedirectResponse::class, $response);
|
|
}
|
|
|
|
public function testStart(): void
|
|
{
|
|
$request = new Request();
|
|
$this->router->method('generate')->willReturn('/home');
|
|
|
|
$response = $this->authenticator->start($request);
|
|
$this->assertInstanceOf(RedirectResponse::class, $response);
|
|
$this->assertEquals('/home', $response->getTargetUrl());
|
|
}
|
|
}
|