Local Identity OICD bootstrap

local-identity/tests/test_cli.py

@@ -10,7 +10,12 @@ from unittest.mock import patch
 
 import pytest
 
-from local_identity.cli import _resolve_init_params, cmd_init
+from local_identity.cli import (
+    _oidc_bootstrap_payload,
+    _resolve_init_params,
+    cmd_bootstrap_oidc,
+    cmd_init,
+)
 from local_identity.store import init_dirs, list_users, read_config, read_user
 
 
@@ -25,6 +30,25 @@ def _args(username=None, fullname=None, email=None, force=False):
     return ns
 
 
+def _oidc_args(
+    client_id="local-dev",
+    redirect_uri="http://127.0.0.1:3000/callback",
+    port=8443,
+    scheme="https",
+    scope="openid profile email",
+    output="env",
+):
+    ns = argparse.Namespace()
+    ns.client_id = client_id
+    ns.redirect_uri = redirect_uri
+    ns.port = port
+    ns.scheme = scheme
+    ns.scope = scope
+    ns.output = output
+    ns.func = cmd_bootstrap_oidc
+    return ns
+
+
 # ------------------------------------------------------------------ #
 # _resolve_init_params                                                #
 # ------------------------------------------------------------------ #
@@ -149,3 +173,64 @@ class TestCmdInit:
             cmd_init(_args(email="a@b.com"))  # second call should fail
 
         assert exc_info.value.code == 1
+
+
+# ------------------------------------------------------------------ #
+# cmd_bootstrap_oidc                                                  #
+# ------------------------------------------------------------------ #
+
+class TestCmdBootstrapOidc:
+    def test_payload_uses_local_issuer_and_client_settings(self):
+        payload = _oidc_bootstrap_payload(
+            _oidc_args(
+                client_id="example-app",
+                redirect_uri="http://localhost:8080/oidc/callback",
+                port=9443,
+            )
+        )
+
+        assert payload == {
+            "issuer": "https://127.0.0.1:9443",
+            "discovery_url": "https://127.0.0.1:9443/.well-known/openid-configuration",
+            "client_id": "example-app",
+            "redirect_uri": "http://localhost:8080/oidc/callback",
+            "scope": "openid profile email",
+            "token_endpoint_auth_method": "none",
+        }
+
+    def test_rejects_non_loopback_redirect_uri(self):
+        with pytest.raises(ValueError, match="loopback"):
+            _oidc_bootstrap_payload(
+                _oidc_args(redirect_uri="https://example.com/callback")
+            )
+
+    def test_persists_client_bootstrap_config(self, tmp_store, capsys):
+        with patch("local_identity.cli.current_username", return_value="worsch"):
+            cmd_init(_args(username="alice", fullname="Alice Smith", email="alice@example.com"))
+
+        cmd_bootstrap_oidc(
+            _oidc_args(
+                client_id="demo",
+                redirect_uri="http://127.0.0.1:5173/auth/callback",
+                port=9443,
+            )
+        )
+
+        cfg = read_config()
+        assert cfg["last_oidc_bootstrap"] == "demo"
+        assert cfg["oidc_clients"]["demo"]["issuer"] == "https://127.0.0.1:9443"
+        assert cfg["oidc_clients"]["demo"]["redirect_uri"] == "http://127.0.0.1:5173/auth/callback"
+
+        out = capsys.readouterr().out
+        assert "OIDC_ISSUER=https://127.0.0.1:9443" in out
+        assert "OIDC_TOKEN_ENDPOINT_AUTH_METHOD=none" in out
+
+    def test_json_output(self, tmp_store, capsys):
+        with patch("local_identity.cli.current_username", return_value="worsch"):
+            cmd_init(_args(username="alice", fullname="Alice Smith", email="alice@example.com"))
+
+        cmd_bootstrap_oidc(_oidc_args(client_id="json-app", output="json"))
+
+        data = capsys.readouterr().out
+        assert '"client_id": "json-app"' in data
+        assert '"token_endpoint_auth_method": "none"' in data