Changeset View
Changeset View
Standalone View
Standalone View
swh/auth/tests/django/test_drf_bearer_token_auth.py
| # Copyright (C) 2020-2021 The Software Heritage developers | # Copyright (C) 2020-2021 The Software Heritage developers | ||||
| # See the AUTHORS file at the top-level directory of this distribution | # See the AUTHORS file at the top-level directory of this distribution | ||||
| # License: GNU Affero General Public License version 3, or any later version | # License: GNU Affero General Public License version 3, or any later version | ||||
| # See top-level LICENSE file for more information | # See top-level LICENSE file for more information | ||||
| import json | |||||
| from django.contrib.auth.models import AnonymousUser, User | from django.contrib.auth.models import AnonymousUser, User | ||||
| from django.core.cache import cache | |||||
| import pytest | import pytest | ||||
| from swh.auth.django.models import OIDCUser | from swh.auth.django.models import OIDCUser | ||||
| from swh.auth.django.utils import reverse | from swh.auth.django.utils import reverse | ||||
| from swh.auth.keycloak import KeycloakError | |||||
| @pytest.fixture | |||||
| def api_client(api_client): | |||||
| # ensure django cache is cleared before each test | |||||
| cache.clear() | |||||
| return api_client | |||||
| @pytest.mark.django_db | @pytest.mark.django_db | ||||
| def test_drf_django_session_auth_success(keycloak_oidc, client): | def test_drf_django_session_auth_success(keycloak_oidc, client): | ||||
| """ | """ | ||||
| Check user gets authenticated when querying the web api | Check user gets authenticated when querying the web api | ||||
| through a web browser. | through a web browser. | ||||
| """ | """ | ||||
| ▲ Show 20 Lines • Show All 83 Lines • ▼ Show 20 Lines | def test_drf_oidc_auth_invalid_or_missing_authorization_type(keycloak_oidc, api_client): | ||||
| # invalid authorization type | # invalid authorization type | ||||
| api_client.credentials(HTTP_AUTHORIZATION="Foo token") | api_client.credentials(HTTP_AUTHORIZATION="Foo token") | ||||
| response = api_client.get(url) | response = api_client.get(url) | ||||
| assert response.status_code == 403 | assert response.status_code == 403 | ||||
| request = response.wsgi_request | request = response.wsgi_request | ||||
| assert isinstance(request.user, AnonymousUser) | assert isinstance(request.user, AnonymousUser) | ||||
| @pytest.mark.django_db | |||||
| def test_drf_oidc_bearer_token_expired_token(keycloak_oidc, api_client): | |||||
| url = reverse("api-test") | |||||
| oidc_profile = keycloak_oidc.login() | |||||
| refresh_token = oidc_profile["refresh_token"] | |||||
| api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {refresh_token}") | |||||
| kc_error_dict = { | |||||
| "error": "invalid_grant", | |||||
| "error_description": "Offline user session not found", | |||||
| } | |||||
| keycloak_oidc.refresh_token.side_effect = KeycloakError( | |||||
| error_message=json.dumps(kc_error_dict).encode(), response_code=400 | |||||
| ) | |||||
| response = api_client.get(url) | |||||
| expected_error_msg = ( | |||||
| "Bearer token expired after a long period of inactivity; " | |||||
| "please generate a new one." | |||||
| ) | |||||
| assert response.status_code == 403 | |||||
| assert expected_error_msg in json.dumps(response.data) | |||||
| request = response.wsgi_request | |||||
| assert isinstance(request.user, AnonymousUser) | |||||