swh/web/tests/auth/test_backends.py
Show All 26 Lines | def _authenticate_user(request_factory): | ||||
return authenticate( | return authenticate( | ||||
request=request, | request=request, | ||||
code="some-code", | code="some-code", | ||||
code_verifier="some-code-verifier", | code_verifier="some-code-verifier", | ||||
redirect_uri="https://localhost:5004", | redirect_uri="https://localhost:5004", | ||||
) | ) | ||||
def _check_authenticated_user(user, decoded_token): | def _check_authenticated_user(user, decoded_token, kc_oidc_mock): | ||||
assert user is not None | assert user is not None | ||||
assert isinstance(user, OIDCUser) | assert isinstance(user, OIDCUser) | ||||
assert user.id != 0 | assert user.id != 0 | ||||
assert user.username == decoded_token["preferred_username"] | assert user.username == decoded_token["preferred_username"] | ||||
assert user.password == "" | assert user.password == "" | ||||
assert user.first_name == decoded_token["given_name"] | assert user.first_name == decoded_token["given_name"] | ||||
assert user.last_name == decoded_token["family_name"] | assert user.last_name == decoded_token["family_name"] | ||||
assert user.email == decoded_token["email"] | assert user.email == decoded_token["email"] | ||||
assert user.is_staff == ("/staff" in decoded_token["groups"]) | assert user.is_staff == ("/staff" in decoded_token["groups"]) | ||||
assert user.sub == decoded_token["sub"] | assert user.sub == decoded_token["sub"] | ||||
resource_access = decoded_token.get("resource_access", {}) | |||||
resource_access_client = resource_access.get(kc_oidc_mock, {}) | |||||
assert user.permissions == set(resource_access_client.get("roles", [])) | |||||
@pytest.mark.django_db | @pytest.mark.django_db | ||||
def test_oidc_code_pkce_auth_backend_success(mocker, request_factory): | def test_oidc_code_pkce_auth_backend_success(mocker, request_factory): | ||||
ardumont: Maybe add docstring to clarify what's the scenario we are testing.
"Staff member should be… | |||||
Done Inline Actionsanlambert: D3312 | |||||
kc_oidc_mock = mock_keycloak(mocker) | kc_oidc_mock = mock_keycloak(mocker, user_groups=["/staff"]) | ||||
oidc_profile = sample_data.oidc_profile | oidc_profile = sample_data.oidc_profile | ||||
user = _authenticate_user(request_factory) | user = _authenticate_user(request_factory) | ||||
decoded_token = kc_oidc_mock.decode_token(user.access_token) | decoded_token = kc_oidc_mock.decode_token(user.access_token) | ||||
_check_authenticated_user(user, decoded_token) | _check_authenticated_user(user, decoded_token, kc_oidc_mock) | ||||
auth_datetime = datetime.fromtimestamp(decoded_token["auth_time"]) | auth_datetime = datetime.fromtimestamp(decoded_token["auth_time"]) | ||||
exp_datetime = datetime.fromtimestamp(decoded_token["exp"]) | exp_datetime = datetime.fromtimestamp(decoded_token["exp"]) | ||||
refresh_exp_datetime = auth_datetime + timedelta( | refresh_exp_datetime = auth_datetime + timedelta( | ||||
seconds=oidc_profile["refresh_expires_in"] | seconds=oidc_profile["refresh_expires_in"] | ||||
) | ) | ||||
assert user.access_token == oidc_profile["access_token"] | assert user.access_token == oidc_profile["access_token"] | ||||
Show All 15 Lines | def test_oidc_code_pkce_auth_backend_failure(mocker, request_factory): | ||||
mock_keycloak(mocker, auth_success=False) | mock_keycloak(mocker, auth_success=False) | ||||
user = _authenticate_user(request_factory) | user = _authenticate_user(request_factory) | ||||
assert user is None | assert user is None | ||||
@pytest.mark.django_db | @pytest.mark.django_db | ||||
def test_oidc_code_pkce_auth_backend_permissions(mocker, request_factory): | |||||
Not Done Inline Actions"User with app permission should be allowed authentication" (please something better if you have that in store ;) ardumont: "User with app permission should be allowed authentication" (please something better if you… | |||||
permission = "webapp.some-permission" | |||||
mock_keycloak(mocker, user_permissions=[permission]) | |||||
user = _authenticate_user(request_factory) | |||||
assert user.has_perm(permission) | |||||
assert user.get_all_permissions() == {permission} | |||||
assert user.get_group_permissions() == {permission} | |||||
assert user.has_module_perms("webapp") | |||||
assert not user.has_module_perms("foo") | |||||
@pytest.mark.django_db | |||||
def test_drf_oidc_bearer_token_auth_backend_success(mocker, api_request_factory): | def test_drf_oidc_bearer_token_auth_backend_success(mocker, api_request_factory): | ||||
url = reverse("api-1-stat-counters") | url = reverse("api-1-stat-counters") | ||||
drf_auth_backend = OIDCBearerTokenAuthentication() | drf_auth_backend = OIDCBearerTokenAuthentication() | ||||
kc_oidc_mock = mock_keycloak(mocker) | kc_oidc_mock = mock_keycloak(mocker) | ||||
access_token = sample_data.oidc_profile["access_token"] | access_token = sample_data.oidc_profile["access_token"] | ||||
decoded_token = kc_oidc_mock.decode_token(access_token) | decoded_token = kc_oidc_mock.decode_token(access_token) | ||||
request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {access_token}") | request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {access_token}") | ||||
user, _ = drf_auth_backend.authenticate(request) | user, _ = drf_auth_backend.authenticate(request) | ||||
_check_authenticated_user(user, decoded_token) | _check_authenticated_user(user, decoded_token, kc_oidc_mock) | ||||
# oidc_profile is not filled when authenticating through bearer token | # oidc_profile is not filled when authenticating through bearer token | ||||
assert hasattr(user, "access_token") and user.access_token is None | assert hasattr(user, "access_token") and user.access_token is None | ||||
@pytest.mark.django_db | @pytest.mark.django_db | ||||
def test_drf_oidc_bearer_token_auth_backend_failure(mocker, api_request_factory): | def test_drf_oidc_bearer_token_auth_backend_failure(mocker, api_request_factory): | ||||
url = reverse("api-1-stat-counters") | url = reverse("api-1-stat-counters") | ||||
Show All 33 Lines | def test_drf_oidc_auth_invalid_or_missing_auth_type(api_request_factory): | ||||
with pytest.raises(AuthenticationFailed): | with pytest.raises(AuthenticationFailed): | ||||
drf_auth_backend.authenticate(request) | drf_auth_backend.authenticate(request) | ||||
# Missing authorization type | # Missing authorization type | ||||
request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"{access_token}") | request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"{access_token}") | ||||
with pytest.raises(AuthenticationFailed): | with pytest.raises(AuthenticationFailed): | ||||
drf_auth_backend.authenticate(request) | drf_auth_backend.authenticate(request) | ||||
@pytest.mark.django_db | |||||
def test_drf_oidc_bearer_token_auth_backend_permissions(mocker, api_request_factory): | |||||
Not Done Inline Actions"User with app permission should be allowed api authentication" ? ardumont: "User with app permission should be allowed api authentication" ? | |||||
permission = "webapp.some-permission" | |||||
mock_keycloak(mocker, user_permissions=[permission]) | |||||
drf_auth_backend = OIDCBearerTokenAuthentication() | |||||
access_token = sample_data.oidc_profile["access_token"] | |||||
url = reverse("api-1-stat-counters") | |||||
request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {access_token}") | |||||
user, _ = drf_auth_backend.authenticate(request) | |||||
assert user.has_perm(permission) | |||||
assert user.get_all_permissions() == {permission} | |||||
assert user.get_group_permissions() == {permission} | |||||
assert user.has_module_perms("webapp") | |||||
assert not user.has_module_perms("foo") |
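Review bot: In `_check_authenticated_user`, `resource_access.get(kc_oidc_mock, {})` uses the mock object itself as the dictionary key, yet the callers use that same object for `kc_oidc_mock.decode_token(...)`, and a Keycloak `resource_access` map is keyed by client-id strings, so the lookup almost certainly always falls back to `{}` and the new assertion degrades to `user.permissions == set()`. That passes in both callers only because neither `test_oidc_code_pkce_auth_backend_success` nor `test_drf_oidc_bearer_token_auth_backend_success` configures `user_permissions`, so a wrong role-to-permission mapping would go unnoticed by this helper. The key should be the client id the mock is configured with (`mock_keycloak` is not visible on this page, so I cannot name the attribute), i.e. `resource_access_client = resource_access.get(<client id string>, {})`. The two new permission tests likewise only assert the granted permission; adding `assert not user.has_perm("webapp.other-permission")` next to the existing `has_perm` check in both would show that roles absent from the token are not granted.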
Maybe add docstring to clarify what's the scenario we are testing.
"Staff member should be allowed access" (or something better if you have in store ;)