Changeset View
Changeset View
Standalone View
Standalone View
swh/web/tests/auth/test_backends.py
| Show All 26 Lines | def _authenticate_user(request_factory): | ||||
| return authenticate( | return authenticate( | ||||
| request=request, | request=request, | ||||
| code="some-code", | code="some-code", | ||||
| code_verifier="some-code-verifier", | code_verifier="some-code-verifier", | ||||
| redirect_uri="https://localhost:5004", | redirect_uri="https://localhost:5004", | ||||
| ) | ) | ||||
| def _check_authenticated_user(user, decoded_token): | def _check_authenticated_user(user, decoded_token, kc_oidc_mock): | ||||
| assert user is not None | assert user is not None | ||||
| assert isinstance(user, OIDCUser) | assert isinstance(user, OIDCUser) | ||||
| assert user.id != 0 | assert user.id != 0 | ||||
| assert user.username == decoded_token["preferred_username"] | assert user.username == decoded_token["preferred_username"] | ||||
| assert user.password == "" | assert user.password == "" | ||||
| assert user.first_name == decoded_token["given_name"] | assert user.first_name == decoded_token["given_name"] | ||||
| assert user.last_name == decoded_token["family_name"] | assert user.last_name == decoded_token["family_name"] | ||||
| assert user.email == decoded_token["email"] | assert user.email == decoded_token["email"] | ||||
| assert user.is_staff == ("/staff" in decoded_token["groups"]) | assert user.is_staff == ("/staff" in decoded_token["groups"]) | ||||
| assert user.sub == decoded_token["sub"] | assert user.sub == decoded_token["sub"] | ||||
| resource_access = decoded_token.get("resource_access", {}) | |||||
| resource_access_client = resource_access.get(kc_oidc_mock, {}) | |||||
| assert user.permissions == set(resource_access_client.get("roles", [])) | |||||
| @pytest.mark.django_db | @pytest.mark.django_db | ||||
| def test_oidc_code_pkce_auth_backend_success(mocker, request_factory): | def test_oidc_code_pkce_auth_backend_success(mocker, request_factory): | ||||
ardumont: Maybe add docstring to clarify what's the scenario we are testing.
"Staff member should be… | |||||
Done Inline Actionsanlambert: D3312 | |||||
| kc_oidc_mock = mock_keycloak(mocker) | kc_oidc_mock = mock_keycloak(mocker, user_groups=["/staff"]) | ||||
| oidc_profile = sample_data.oidc_profile | oidc_profile = sample_data.oidc_profile | ||||
| user = _authenticate_user(request_factory) | user = _authenticate_user(request_factory) | ||||
| decoded_token = kc_oidc_mock.decode_token(user.access_token) | decoded_token = kc_oidc_mock.decode_token(user.access_token) | ||||
| _check_authenticated_user(user, decoded_token) | _check_authenticated_user(user, decoded_token, kc_oidc_mock) | ||||
| auth_datetime = datetime.fromtimestamp(decoded_token["auth_time"]) | auth_datetime = datetime.fromtimestamp(decoded_token["auth_time"]) | ||||
| exp_datetime = datetime.fromtimestamp(decoded_token["exp"]) | exp_datetime = datetime.fromtimestamp(decoded_token["exp"]) | ||||
| refresh_exp_datetime = auth_datetime + timedelta( | refresh_exp_datetime = auth_datetime + timedelta( | ||||
| seconds=oidc_profile["refresh_expires_in"] | seconds=oidc_profile["refresh_expires_in"] | ||||
| ) | ) | ||||
| assert user.access_token == oidc_profile["access_token"] | assert user.access_token == oidc_profile["access_token"] | ||||
| Show All 15 Lines | def test_oidc_code_pkce_auth_backend_failure(mocker, request_factory): | ||||
| mock_keycloak(mocker, auth_success=False) | mock_keycloak(mocker, auth_success=False) | ||||
| user = _authenticate_user(request_factory) | user = _authenticate_user(request_factory) | ||||
| assert user is None | assert user is None | ||||
| @pytest.mark.django_db | @pytest.mark.django_db | ||||
| def test_oidc_code_pkce_auth_backend_permissions(mocker, request_factory): | |||||
Not Done Inline Actions"User with app permission should be allowed authentication" (please something better if you have that in store ;) ardumont: "User with app permission should be allowed authentication" (please something better if you… | |||||
| permission = "webapp.some-permission" | |||||
| mock_keycloak(mocker, user_permissions=[permission]) | |||||
| user = _authenticate_user(request_factory) | |||||
| assert user.has_perm(permission) | |||||
| assert user.get_all_permissions() == {permission} | |||||
| assert user.get_group_permissions() == {permission} | |||||
| assert user.has_module_perms("webapp") | |||||
| assert not user.has_module_perms("foo") | |||||
| @pytest.mark.django_db | |||||
| def test_drf_oidc_bearer_token_auth_backend_success(mocker, api_request_factory): | def test_drf_oidc_bearer_token_auth_backend_success(mocker, api_request_factory): | ||||
| url = reverse("api-1-stat-counters") | url = reverse("api-1-stat-counters") | ||||
| drf_auth_backend = OIDCBearerTokenAuthentication() | drf_auth_backend = OIDCBearerTokenAuthentication() | ||||
| kc_oidc_mock = mock_keycloak(mocker) | kc_oidc_mock = mock_keycloak(mocker) | ||||
| access_token = sample_data.oidc_profile["access_token"] | access_token = sample_data.oidc_profile["access_token"] | ||||
| decoded_token = kc_oidc_mock.decode_token(access_token) | decoded_token = kc_oidc_mock.decode_token(access_token) | ||||
| request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {access_token}") | request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {access_token}") | ||||
| user, _ = drf_auth_backend.authenticate(request) | user, _ = drf_auth_backend.authenticate(request) | ||||
| _check_authenticated_user(user, decoded_token) | _check_authenticated_user(user, decoded_token, kc_oidc_mock) | ||||
| # oidc_profile is not filled when authenticating through bearer token | # oidc_profile is not filled when authenticating through bearer token | ||||
| assert hasattr(user, "access_token") and user.access_token is None | assert hasattr(user, "access_token") and user.access_token is None | ||||
| @pytest.mark.django_db | @pytest.mark.django_db | ||||
| def test_drf_oidc_bearer_token_auth_backend_failure(mocker, api_request_factory): | def test_drf_oidc_bearer_token_auth_backend_failure(mocker, api_request_factory): | ||||
| url = reverse("api-1-stat-counters") | url = reverse("api-1-stat-counters") | ||||
| Show All 33 Lines | def test_drf_oidc_auth_invalid_or_missing_auth_type(api_request_factory): | ||||
| with pytest.raises(AuthenticationFailed): | with pytest.raises(AuthenticationFailed): | ||||
| drf_auth_backend.authenticate(request) | drf_auth_backend.authenticate(request) | ||||
| # Missing authorization type | # Missing authorization type | ||||
| request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"{access_token}") | request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"{access_token}") | ||||
| with pytest.raises(AuthenticationFailed): | with pytest.raises(AuthenticationFailed): | ||||
| drf_auth_backend.authenticate(request) | drf_auth_backend.authenticate(request) | ||||
| @pytest.mark.django_db | |||||
| def test_drf_oidc_bearer_token_auth_backend_permissions(mocker, api_request_factory): | |||||
Not Done Inline Actions"User with app permission should be allowed api authentication" ? ardumont: "User with app permission should be allowed api authentication" ? | |||||
| permission = "webapp.some-permission" | |||||
| mock_keycloak(mocker, user_permissions=[permission]) | |||||
| drf_auth_backend = OIDCBearerTokenAuthentication() | |||||
| access_token = sample_data.oidc_profile["access_token"] | |||||
| url = reverse("api-1-stat-counters") | |||||
| request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {access_token}") | |||||
| user, _ = drf_auth_backend.authenticate(request) | |||||
| assert user.has_perm(permission) | |||||
| assert user.get_all_permissions() == {permission} | |||||
| assert user.get_group_permissions() == {permission} | |||||
| assert user.has_module_perms("webapp") | |||||
| assert not user.has_module_perms("foo") | |||||
Maybe add docstring to clarify what's the scenario we are testing.
"Staff member should be allowed access" (or something better if you have in store ;)