From 665988759196af369af26bc6eaf249a4b791a34d Mon Sep 17 00:00:00 2001
From: Mark <mark@openappstack.net>
Date: Mon, 30 Sep 2019 17:34:00 +0200
Subject: [PATCH] Add missing permission feature

---
 .gitlab-ci.yml                                    |  5 ++++-
 consent_provider/app.py                           |  5 +++++
 .../test/behave/features/environment.py           |  1 +
 .../test/behave/features/login.feature            | 15 +++++++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 86aa1b1..6596cf3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -145,8 +145,10 @@ behave-integration:
     GRAPHQL_URL: "http://172.17.0.6:5000/graphql" # 172.17.0.6 -> backend
     GIT_SUBMODULE_STRATEGY: "recursive"
     TESTUSER_USERNAME: "testuser"
+    TESTUSER_USERNAME2: "testuser2"
     TESTUSER_PASSWORD: "password"
     TESTUSER_EMAIL: "testuser@example.net"
+    TESTUSER_EMAIL2: "testuser2@example.net"
     DSN: "memory"
     SECRETS_SYSTEM: "youReallyNeedToChangeThis"
     OIDC_SUBJECT_TYPES_SUPPORTED: "public,pairwise"
@@ -166,11 +168,12 @@ behave-integration:
   script:
     - echo "WAIT FOR SERVICES TO INITIALIZE" && sleep 20
     - /bin/sh user-panel/utils/create-user.sh ${TESTUSER_USERNAME} ${TESTUSER_PASSWORD} ${TESTUSER_EMAIL} backend 5000
+    - /bin/sh user-panel/utils/create-user.sh ${TESTUSER_USERNAME2} ${TESTUSER_PASSWORD} ${TESTUSER_EMAIL2} backend 5000
     - /bin/sh user-panel/utils/create-application.sh ${KEY} backend 5000
     - /bin/sh user-panel/utils/grant-access.sh ${TESTUSER_USERNAME} ${KEY} backend 5000
     - /bin/sh test/create-hydra-client.sh ${KEY} ${SECRET} hydra 4445 http://oauth:5000/callback
     - cd test/login_logout/test/behave/
-    - python3 -m behave -D headless=True -D url=http://oauth:5000 -D logout_url=http://oauth:5000/logout -D username=${TESTUSER_USERNAME} -D password=${TESTUSER_PASSWORD}
+    - python3 -m behave -D headless=True -D url=http://oauth:5000 -D logout_url=http://oauth:5000/logout -D username=${TESTUSER_USERNAME} -D username2=${TESTUSER_USERNAME2} -D password=${TESTUSER_PASSWORD}
   artifacts:
     paths:
       - test/login_logout/test/behave/screenshots/
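Review bot: The negative scenario this patch adds relies on `testuser2` never being passed to `grant-access.sh` (the line after the new create-user call only grants `${TESTUSER_USERNAME}`), but nothing in the script records that, so a later edit that grants access to both users would silently break the scenario. A comment above the new line would pin the intent: `# testuser2 is deliberately NOT granted access to ${KEY}; the "missing permission" scenario depends on that`. The new `${TESTUSER_USERNAME2}` / `${TESTUSER_EMAIL2}` expansions are unquoted like the existing ones; that is fine for these fixed values, but worth quoting if the variables ever move to project-level CI settings.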
diff --git a/consent_provider/app.py b/consent_provider/app.py
index 8c1cc28..177ca4e 100644
--- a/consent_provider/app.py
+++ b/consent_provider/app.py
@@ -26,6 +26,11 @@ def home():
             grant_access_token_audience=consent_request.requested_access_token_audience,
             session=session,
             ))
+    else:
+        return redirect(consent_request.reject(
+            "Permission denied",
+            error_description="Login request was denied due to missing application permission")
+            )
     abort(400)
 
 if __name__ == '__main__':
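Review bot: `abort(400)` on the line after the new `else` branch is now unreachable, since both the `if` branch above the hunk and the new `else` return a redirect; either drop it or, if the 400 was meant for a request that is not a consent request at all, make that condition explicit before the `if`. Separately, the first argument to `consent_request.reject` is a human-readable phrase; if `reject` forwards it as the OAuth2 `error` value of the redirect (as the ORY Hydra consent API does), clients match it against registered codes, so the conventional form is `return redirect(consent_request.reject("access_denied", error_description="Login request was denied due to missing application permission"))` — the login.feature scenario in this patch asserts on "Permission denied" and would need the same adjustment. A denied consent is also an audit-worthy event; logging whichever subject and client identifiers `consent_request` exposes (not the `session` contents) would make these denials visible. The head of `home()` and the condition this `else` pairs with are outside the hunk.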
diff --git a/test/login_logout/test/behave/features/environment.py b/test/login_logout/test/behave/features/environment.py
index 53dff84..f60dbc8 100644
--- a/test/login_logout/test/behave/features/environment.py
+++ b/test/login_logout/test/behave/features/environment.py
@@ -40,6 +40,7 @@ def before_tag(context, tag):
     values['url'] = userdata.get('url')
     values['logout_url'] = userdata.get('logout_url')
     values['username'] = userdata.get('username')
+    values['username2'] = userdata.get('username2')
     values['password'] = userdata.get('password')
     assert values['url'], 'url variable missing in' \
         'userdata. Provide it with "-D url".'
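Review bot: `values['username2']` is read without the presence check that `url` gets two lines below, so running behave without `-D username2` leaves it `None` and the new scenario fails at the input step with an unrelated error instead of a clear message. Mirror the existing assert: `assert values['username2'], 'username2 variable missing in userdata. Provide it with "-D username2".'`, placed alongside whatever checks cover `username` and `password`, which fall outside this hunk, as does the rest of `before_tag`.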
diff --git a/test/login_logout/test/behave/features/login.feature b/test/login_logout/test/behave/features/login.feature
index b397288..f7a9cc0 100644
--- a/test/login_logout/test/behave/features/login.feature
+++ b/test/login_logout/test/behave/features/login.feature
@@ -25,3 +25,18 @@ Scenario: Logout
     Then I wait on element "input#username" for 1000ms to be visible
     And I expect that element "input#password" is visible
     And I expect that element "input#submit" is visible
+
+Scenario: Login with a valid user without access to an application
+    Given I open the URL
+    Then I wait on element "input#username" for 1000ms to be visible
+    And I expect that element "input#password" is visible
+    And I expect that element "input#submit" is visible
+    When I enter the "username2" in the inputfield "input#username"
+    And I enter the "password" in the inputfield "input#password"
+    And I click on the button "input#submit"
+    Then I wait on element "input#password" for 1000ms to not exist
+    And I expect that element "input#username" does not exist
+    And I expect that the path is "/callback"
+    And I expect that element "body" contains the text "error"
+    And I expect that element "body" contains the text "Permission denied"
+    And I expect that element "body" contains the text "missing application permission"
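Review bot: The scenario proves the denial page is shown but not that the denial left nothing usable behind: no step retries the flow, so a provider that rejected the consent yet still completed the callback on a second attempt would pass. Adding `Given I open the URL` after the last assertion and then checking that the path is not a successful callback (either the login form is visible again or the same denial text appears) would cover that; which of the two applies depends on how the provider remembers the login, which is not visible here. The `contains the text "error"` assertion two lines above the end is redundant with the two specific ones that follow and would match any error page; consider dropping it.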
-- 
GitLab