def create_fake_client(response_type, is_public=False, require_consent=True):
"""
Create a test client, response_type argument MUST be:
'code', 'id_token' or 'id_token token'.
Return a Client object.
"""
client = Client()
client.name = 'Some Client'
client.client_id = str(random.randint(1, 999999)).zfill(6)
if is_public:
client.client_type = 'public'
client.client_secret = ''
else:
client.client_secret = str(random.randint(1, 999999)).zfill(6)
client.redirect_uris = ['http://example.com/']
client.require_consent = require_consent
client.scope = ['openid', 'email']
client.save()
# check if response_type is a string in a python 2 and 3 compatible way
if isinstance(response_type, ("".__class__, u"".__class__)):
response_type = (response_type, )
for value in response_type:
client.response_types.add(ResponseType.objects.get(value=value))
return client
def create_fake_client(response_type, is_public=False, require_consent=True):
"""
Create a test client, response_type argument MUST be:
'code', 'id_token' or 'id_token token'.
Return a Client object.
"""
client = Client()
client.name = 'Some Client'
client.client_id = str(random.randint(1, 999999)).zfill(6)
if is_public:
client.client_type = 'public'
client.client_secret = ''
else:
client.client_secret = str(random.randint(1, 999999)).zfill(6)
client.redirect_uris = ['http://example.com/']
client.require_consent = require_consent
client.save()
# check if response_type is a string in a python 2 and 3 compatible way
if isinstance(response_type, ("".__class__, u"".__class__)):
response_type = (response_type,)
for value in response_type:
client.response_types.add(ResponseType.objects.get(value=value))
return client
def create_oidc_client():
factory = RequestFactory()
client = Client()
client.name = "OIDC"
client.client_id = str(random.randint(1, 999999)).zfill(6)
client.client_secret = str(random.randint(1, 999999)).zfill(6)
client.redirect_uris = ['http://example.com/']
client.require_consent = False
client.save()
client.response_types.add(ResponseType.objects.get(value='code'))
return client
def create_api_preconditions_with_scope(user, scopes):
assert isinstance(scopes, list)
bearer = uuid.uuid4().hex
client = Client(name='test_client')
client.save()
expires_at = timezone.now() + timezone.timedelta(days=30)
t = Token(scope=scopes, access_token=bearer, user=user, expires_at=expires_at, client=client)
t.save()
return bearer
def handle(self, *args, **options):
name = options['name'][0]
client_id = options['client_id'][0]
client_secret = options['client_secret']
client_type = options['client_type']
response_type = options['response_type'][0]
redirect_uris = options['redirect_uris']
reuse_consent = options['reuse_consent']
require_consent = options['require_consent']
c = Client(name=name, client_id=client_id, client_secret=client_secret, client_type=client_type, response_type=response_type, redirect_uris=redirect_uris, reuse_consent=reuse_consent, require_consent=require_consent)
c.save()
def create_fake_client(response_type, is_public=False):
"""
Create a test client, response_type argument MUST be:
'code', 'id_token' or 'id_token token'.
Return a Client object.
"""
client = Client()
client.name = 'Some Client'
client.client_id = str(random.randint(1, 999999)).zfill(6)
if is_public:
client.client_type = 'public'
client.client_secret = ''
else:
client.client_secret = str(random.randint(1, 999999)).zfill(6)
client.response_type = response_type
client.redirect_uris = ['http://example.com/']
client.save()
return client
def create_fake_client(response_type, is_public=False):
"""
Create a test client, response_type argument MUST be:
'code', 'id_token' or 'id_token token'.
Return a Client object.
"""
client = Client()
client.name = 'Some Client'
client.client_id = str(random.randint(1, 999999)).zfill(6)
if is_public:
client.client_type = 'public'
client.client_secret = ''
else:
client.client_secret = str(random.randint(1, 999999)).zfill(6)
client.response_type = response_type
client.redirect_uris = ['http://example.com/']
client.save()
return client
class OIDCAuthorizationTest(TestCase):
def setUp(self):
from contest.models import Edition
from datetime import timedelta
from django.utils import timezone
self.oidc_client = OIDCClient(name="test_client")
self.oidc_client.save()
self.user = get_user_model()(username="******")
self.user.save()
self.edition = Edition(year=settings.PROLOGIN_EDITION,
date_begin=timezone.now(),
date_end=timezone.now() + timedelta(days=365))
self.edition.save()
def test_allowed_in_client_without_policy(self):
self.assertEqual(
oidc_authz.authorize(None, self.user, self.oidc_client), None)
def test_not_allowed_in_client_with_empty_policy(self):
from django.core.exceptions import PermissionDenied
policy = OpenIDClientPolicy(openid_client=self.oidc_client)
policy.save()
with self.assertRaises(PermissionDenied):
oidc_authz.authorize(None, self.user, self.oidc_client)
policy.delete()
def test_staff_allowed_in_staff_only_policy(self):
policy = OpenIDClientPolicy(openid_client=self.oidc_client,
allow_staff=True)
user = get_user_model()(username="******",
email="*****@*****.**",
is_staff=True)
user.save()
self.assertTrue(policy.is_user_allowed(user))
user.delete()
def test_non_staff_not_allowed_in_staff_only_policy(self):
policy = OpenIDClientPolicy(openid_client=self.oidc_client,
allow_staff=True)
user = get_user_model()(username="******", email="*****@*****.**")
user.save()
self.assertTrue(not policy.is_user_allowed(user))
user.delete()
def test_group_member_in_group_allowed(self):
from django.contrib.auth.models import Group
group = Group(name="allowed_group")
other_group = Group(name="other_group")
group.save()
other_group.save()
policy = OpenIDClientPolicy(openid_client=self.oidc_client)
policy.allow_groups.set([group, other_group])
policy.save()
user = get_user_model()(username="******",
email="*****@*****.**")
user.save()
user.groups.set([group])
user.save()
self.assertTrue(policy.is_user_allowed(user))
other_group.delete()
group.delete()
user.delete()
policy.delete()
def test_not_group_member_in_group_allowed(self):
from django.contrib.auth.models import Group
group = Group(name="allowed_group2")
group.save()
policy = OpenIDClientPolicy(openid_client=self.oidc_client)
policy.save()
policy.allow_groups.set([group])
user = get_user_model()(username="******",
email="*****@*****.**")
user.save()
self.assertTrue(not policy.is_user_allowed(user))
group.delete()
user.delete()
policy.delete()
def test_assigned_semifinal_in_assigned_semifinal(self):
from contest.models import Contestant
user = get_user_model()(username="******",
email="*****@*****.**")
user.save()
contestant = Contestant(edition=self.edition,
user=user,
assignation_semifinal=2)
contestant.save()
policy = OpenIDClientPolicy(openid_client=self.oidc_client,
allow_assigned_semifinal=True)
policy.save()
self.assertTrue(policy.is_user_allowed(user))
user.delete()
policy.delete()
def test_not_assigned_semifinal_in_assigned_semifinal(self):
from contest.models import Contestant
user = get_user_model()(username="******",
email="*****@*****.**")
user.save()
contestant = Contestant(edition=self.edition, user=user)
contestant.save()
policy = OpenIDClientPolicy(openid_client=self.oidc_client,
allow_assigned_semifinal=True)
policy.save()
self.assertFalse(policy.is_user_allowed(user))
user.delete()
policy.delete()
def test_assigned_final_in_assigned_final(self):
from contest.models import Contestant
user = get_user_model()(username="******",
email="*****@*****.**")
user.save()
contestant = Contestant(edition=self.edition,
user=user,
assignation_final=2)
contestant.save()
policy = OpenIDClientPolicy(openid_client=self.oidc_client,
allow_assigned_final=True)
self.assertTrue(policy.is_user_allowed(user))
user.delete()
policy.delete()
def test_not_assigned_final_in_assigned_final(self):
from contest.models import Contestant
user = get_user_model()(username="******",
email="*****@*****.**")
user.save()
contestant = Contestant(edition=self.edition,
user=user,
assignation_final=0)
contestant.save()
policy = OpenIDClientPolicy(openid_client=self.oidc_client,
allow_assigned_final=True)
policy.save()
self.assertFalse(policy.is_user_allowed(user))
user.delete()
policy.delete()
