swh/web/tests/auth/test_backends.py
# Copyright (C) 2020 The Software Heritage developers | # Copyright (C) 2020 The Software Heritage developers | ||||
# See the AUTHORS file at the top-level directory of this distribution | # See the AUTHORS file at the top-level directory of this distribution | ||||
# License: GNU Affero General Public License version 3, or any later version | # License: GNU Affero General Public License version 3, or any later version | ||||
# See top-level LICENSE file for more information | # See top-level LICENSE file for more information | ||||
from datetime import datetime, timedelta | from datetime import datetime, timedelta | ||||
from unittest.mock import Mock | |||||
import pytest | import pytest | ||||
from django.conf import settings | from django.conf import settings | ||||
from django.contrib.auth import authenticate, get_backends | from django.contrib.auth import authenticate, get_backends | ||||
from rest_framework.exceptions import AuthenticationFailed | from rest_framework.exceptions import AuthenticationFailed | ||||
from swh.web.auth.backends import OIDCBearerTokenAuthentication | from swh.web.auth.backends import OIDCBearerTokenAuthentication | ||||
▲ Show 20 Lines • Show All 73 Lines • ▼ Show 20 Lines | def test_oidc_code_pkce_auth_backend_failure(mocker, request_factory): | ||||
mock_keycloak(mocker, auth_success=False) | mock_keycloak(mocker, auth_success=False) | ||||
user = _authenticate_user(request_factory) | user = _authenticate_user(request_factory) | ||||
assert user is None | assert user is None | ||||
@pytest.mark.django_db | @pytest.mark.django_db | ||||
def test_oidc_code_pkce_auth_backend_refresh_token_success(mocker, request_factory): | |||||
""" | |||||
Checks access token renewal success using refresh token. | |||||
""" | |||||
kc_oidc_mock = mock_keycloak(mocker) | |||||
oidc_profile = sample_data.oidc_profile | |||||
decoded_token = kc_oidc_mock.decode_token(oidc_profile["access_token"]) | |||||
new_access_token = "new_access_token" | |||||
def _refresh_token(refresh_token): | |||||
oidc_profile = dict(sample_data.oidc_profile) | |||||
oidc_profile["access_token"] = new_access_token | |||||
return oidc_profile | |||||
def _decode_token(access_token): | |||||
if access_token != new_access_token: | |||||
raise Exception("access token token has expired") | |||||
else: | |||||
return decoded_token | |||||
kc_oidc_mock.decode_token = Mock() | |||||
kc_oidc_mock.decode_token.side_effect = _decode_token | |||||
kc_oidc_mock.refresh_token.side_effect = _refresh_token | |||||
user = _authenticate_user(request_factory) | |||||
kc_oidc_mock.refresh_token.assert_called_with( | |||||
sample_data.oidc_profile["refresh_token"] | |||||
) | |||||
assert user is not None | |||||
@pytest.mark.django_db | |||||
def test_oidc_code_pkce_auth_backend_refresh_token_failure(mocker, request_factory): | |||||
""" | |||||
Checks access token renewal failure using refresh token. | |||||
""" | |||||
kc_oidc_mock = mock_keycloak(mocker) | |||||
def _refresh_token(refresh_token): | |||||
raise Exception("OIDC session has expired") | |||||
def _decode_token(access_token): | |||||
raise Exception("access token token has expired") | |||||
kc_oidc_mock.decode_token = Mock() | |||||
kc_oidc_mock.decode_token.side_effect = _decode_token | |||||
kc_oidc_mock.refresh_token.side_effect = _refresh_token | |||||
user = _authenticate_user(request_factory) | |||||
kc_oidc_mock.refresh_token.assert_called_with( | |||||
sample_data.oidc_profile["refresh_token"] | |||||
) | |||||
assert user is None | |||||
@pytest.mark.django_db | |||||
def test_oidc_code_pkce_auth_backend_permissions(mocker, request_factory): | def test_oidc_code_pkce_auth_backend_permissions(mocker, request_factory): | ||||
""" | """ | ||||
Checks that a permission defined with OpenID Connect is correctly mapped | Checks that a permission defined with OpenID Connect is correctly mapped | ||||
to a Django one when logging from Web UI. | to a Django one when logging from Web UI. | ||||
""" | """ | ||||
permission = "webapp.some-permission" | permission = "webapp.some-permission" | ||||
mock_keycloak(mocker, user_permissions=[permission]) | mock_keycloak(mocker, user_permissions=[permission]) | ||||
user = _authenticate_user(request_factory) | user = _authenticate_user(request_factory) | ||||