swh/auth/tests/django/test_backends.py
@pytest.mark.django_db | @pytest.mark.django_db | ||||
def test_oidc_code_pkce_auth_backend_permissions(keycloak_oidc, request_factory): | def test_oidc_code_pkce_auth_backend_permissions(keycloak_oidc, request_factory): | ||||
""" | """ | ||||
Checks that a permission defined with OpenID Connect is correctly mapped | Checks that a permission defined with OpenID Connect is correctly mapped | ||||
to a Django one when logging from Web UI. | to a Django one when logging from Web UI. | ||||
""" | """ | ||||
permission = "webapp.some-permission" | realm_permission = "swh.some-permission" | ||||
keycloak_oidc.user_permissions = [permission] | client_permission = "webapp.some-permission" | ||||
keycloak_oidc.realm_permissions = [realm_permission] | |||||
keycloak_oidc.client_permissions = [client_permission] | |||||
user = _authenticate_user(request_factory) | user = _authenticate_user(request_factory) | ||||
assert user.has_perm(permission) | assert user.has_perm(realm_permission) | ||||
assert user.get_all_permissions() == {permission} | assert user.has_perm(client_permission) | ||||
assert user.get_group_permissions() == {permission} | assert user.get_all_permissions() == {realm_permission, client_permission} | ||||
assert user.get_group_permissions() == {realm_permission, client_permission} | |||||
assert user.has_module_perms("webapp") | assert user.has_module_perms("webapp") | ||||
assert not user.has_module_perms("foo") | assert not user.has_module_perms("foo") | ||||
@pytest.mark.django_db | @pytest.mark.django_db | ||||
def test_drf_oidc_bearer_token_auth_backend_success(keycloak_oidc, api_request_factory): | def test_drf_oidc_bearer_token_auth_backend_success(keycloak_oidc, api_request_factory): | ||||
""" | """ | ||||
Checks successful login based on OpenID Connect bearer token Django REST | Checks successful login based on OpenID Connect bearer token Django REST | ||||
@pytest.mark.django_db | @pytest.mark.django_db | ||||
def test_drf_oidc_bearer_token_auth_backend_permissions( | def test_drf_oidc_bearer_token_auth_backend_permissions( | ||||
keycloak_oidc, api_request_factory | keycloak_oidc, api_request_factory | ||||
): | ): | ||||
""" | """ | ||||
Checks that a permission defined with OpenID Connect is correctly mapped | Checks that a permission defined with OpenID Connect is correctly mapped | ||||
to a Django one when using bearer token authentication. | to a Django one when using bearer token authentication. | ||||
""" | """ | ||||
permission = "webapp.some-permission" | realm_permission = "swh.some-permission" | ||||
keycloak_oidc.user_permissions = [permission] | client_permission = "webapp.some-permission" | ||||
keycloak_oidc.realm_permissions = [realm_permission] | |||||
keycloak_oidc.client_permissions = [client_permission] | |||||
drf_auth_backend = OIDCBearerTokenAuthentication() | drf_auth_backend = OIDCBearerTokenAuthentication() | ||||
oidc_profile = keycloak_oidc.login() | oidc_profile = keycloak_oidc.login() | ||||
refresh_token = oidc_profile["refresh_token"] | refresh_token = oidc_profile["refresh_token"] | ||||
url = reverse("api-test") | url = reverse("api-test") | ||||
request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {refresh_token}") | request = api_request_factory.get(url, HTTP_AUTHORIZATION=f"Bearer {refresh_token}") | ||||
user, _ = drf_auth_backend.authenticate(request) | user, _ = drf_auth_backend.authenticate(request) | ||||
assert user.has_perm(permission) | assert user.has_perm(realm_permission) | ||||
assert user.get_all_permissions() == {permission} | assert user.has_perm(client_permission) | ||||
assert user.get_group_permissions() == {permission} | assert user.get_all_permissions() == {realm_permission, client_permission} | ||||
assert user.get_group_permissions() == {realm_permission, client_permission} | |||||
assert user.has_module_perms("webapp") | assert user.has_module_perms("webapp") | ||||
assert not user.has_module_perms("foo") | assert not user.has_module_perms("foo") |
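Review bot: The new realm permission `swh.some-permission` is never exercised through `has_module_perms`. Both test_oidc_code_pkce_auth_backend_permissions and test_drf_oidc_bearer_token_auth_backend_permissions still assert only `user.has_module_perms("webapp")`, which the client permission satisfies on its own. Assuming the backend derives the module from the prefix before the dot, adding `assert user.has_module_perms("swh")` next to the existing module check in each test would cover realm roles on that path too. The two docstrings also still describe "a permission" although each test now sets one realm-level and one client-level permission; I would reword them to say that realm and client permissions are both mapped to Django ones.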