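"""Unit tests for ``OIDCClient.validate_id_token``.

NOTE(review): every test here patches ``ea_chatbot.auth.jwt.decode`` outright,
so the signature check and whatever ``iss``/``aud``/``exp``/``alg`` validation
happens inside ``decode`` are NOT exercised -- only the behaviour layered on
top of the already-decoded claims (the ``nonce`` comparison and the returned
payload) is covered.  A regression that dropped ``audience=``/``issuer=``/
``algorithms=`` from the real ``decode`` call, or accepted ``alg: none``, would
still pass this file.  TODO: once the decode call shape in ``ea_chatbot.auth``
is confirmed, assert on ``mock_decode.call_args`` that the JWKS, the
configured ``client_id`` and the metadata ``issuer`` are passed through.
"""

from unittest.mock import MagicMock, patch

import pytest
from jose import jwt

from ea_chatbot.auth import OIDCClient


@pytest.fixture
def oidc_config():
    """Constructor kwargs for a throwaway ``OIDCClient``; nothing here is reachable."""
    return {
        "client_id": "test_id",
        "client_secret": "test_secret",
        "server_metadata_url": "https://example.com/.well-known/openid-configuration",
        "redirect_uri": "http://localhost:5173/auth/callback",
    }


@pytest.fixture
def mock_metadata():
    """Minimal discovery document; ``issuer`` mirrors the ``iss`` claim used below."""
    return {
        "issuer": "https://example.com",
        "jwks_uri": "https://example.com/jwks",
        "id_token_signing_alg_values_supported": ["RS256"],
    }


def test_oidc_validate_id_token_success(oidc_config, mock_metadata):
    """Happy path: the decoded claims are returned unchanged when the nonce matches."""
    client = OIDCClient(**oidc_config)
    # ``aud`` equals ``client_id`` and ``iss`` equals the metadata ``issuer`` so the
    # fixtures stay mutually consistent should the decode mock ever be removed.
    expected_claims = {
        "iss": "https://example.com",
        "sub": "user123",
        "aud": "test_id",
        "nonce": "test_nonce",
        "exp": 9999999999,
        "iat": 1000000000,
    }

    # decode is replaced wholesale, so the empty JWKS below is never actually
    # used for signature verification (see module docstring).
    with patch("ea_chatbot.auth.jwt.decode") as mock_decode, \
            patch.object(client, "fetch_jwks") as mock_fetch_jwks, \
            patch.object(client, "fetch_metadata") as mock_fetch_metadata:
        mock_decode.return_value = expected_claims
        mock_fetch_metadata.return_value = mock_metadata
        mock_fetch_jwks.return_value = {"keys": []}

        claims = client.validate_id_token("fake_token", nonce="test_nonce")

    assert claims == expected_claims
    mock_decode.assert_called_once()
    # The raw token must reach decode, whether it is passed positionally or by keyword.
    decode_call = mock_decode.call_args
    assert "fake_token" in decode_call.args or "fake_token" in decode_call.kwargs.values()


def test_oidc_validate_id_token_invalid_nonce(oidc_config, mock_metadata):
    """A nonce mismatch is rejected with ``ValueError`` even when decoding succeeds.

    This is the check that ties the ID token to the login request it was issued
    for; a token carrying some other nonce must never yield claims.
    """
    client = OIDCClient(**oidc_config)
    replayed_claims = {
        "iss": "https://example.com",
        "aud": "test_id",
        "nonce": "wrong_nonce",
        "exp": 9999999999,
    }

    with patch("ea_chatbot.auth.jwt.decode") as mock_decode, \
            patch.object(client, "fetch_jwks") as mock_fetch_jwks, \
            patch.object(client, "fetch_metadata") as mock_fetch_metadata:
        mock_decode.return_value = replayed_claims
        mock_fetch_metadata.return_value = mock_metadata
        mock_fetch_jwks.return_value = {"keys": []}

        with pytest.raises(ValueError, match="Invalid nonce"):
            client.validate_id_token("fake_token", nonce="test_nonce")

    # The mismatch can only be observed after decoding, so decode must have run
    # exactly once; the mocked-out verification inside it is not asserted here.
    mock_decode.assert_called_once()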