Beispiel #1
0
def test_existing_superuser_is_deescalated_from_staff_group(
    rf, settings, django_user_model
):
    """
    If an existing user is removed from a staff group they should
    have the staff flag removed.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "STAFF_GROUP", STAFF_GROUP
    )

    user = django_user_model._default_manager.create_user(
        username="******",
        email="*****@*****.**",
        is_staff=True,
    )

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_refresh_token("refresh")
        assert isinstance(user, django_user_model)
        assert user.is_staff is False
Beispiel #2
0
def test_existing_user_is_escalated_to_superuser_group(rf, settings, django_user_model):
    """
    If an existing user is added to a superuser group they should
    be escalated to a superuser.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )

    user = django_user_model._default_manager.create_user(
        username="******", email="*****@*****.**"
    )

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_refresh_token("refresh")
        assert isinstance(user, django_user_model)
        assert user.is_superuser
Beispiel #3
0
def test_user_is_removed_from_groups(rf, settings, django_user_model):
    """
    When MANAGE_GROUPS is true a user should be removed from a
    group if it's not included in the token response.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)

    user = django_user_model._default_manager.create_user(
        username="******", email="*****@*****.**"
    )
    group = Group.objects.create(name="test-group")

    user.groups.add(group)

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_refresh_token("refresh")

        groups = user.groups.all()
        assert [("one",), ("two",)] == list(groups.values_list("name"))
Beispiel #4
0
def test_middleware_allows_public_url(settings, rf):
    """
    A URL that has been defined as a public url
    should just pass through our middleware.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH,
                                              "PUBLIC_NAMED_URLS",
                                              ("named-url", ))
    request = rf.get("/named/")
    request.session = {}
    mw = OktaMiddleware(Mock(return_value=HttpResponse()))
    response = mw(request)
    assert response.status_code == 200
def test_invalid_public_named_urls_are_ignored(settings):
    """
    We don't want to crash if our public named urls don't
    exist, instead just skip it.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH,
                                              "PUBLIC_NAMED_URLS",
                                              ("not-a-valid-url", ))
    config = Config()
    assert config.public_urls == [
        re.compile("^/accounts/login/$"),
        re.compile("^/accounts/logout/$"),
        re.compile("^/accounts/oauth2/callback/$"),
    ]
def test_public_named_urls_are_built(settings):
    """
    We should have reversed url regexes to match against
    in our config objects.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH,
                                              "PUBLIC_NAMED_URLS",
                                              ("named-url", ))
    config = Config()
    assert config.public_urls == [
        re.compile("^/named/$"),
        re.compile("^/accounts/login/$"),
        re.compile("^/accounts/logout/$"),
        re.compile("^/accounts/oauth2/callback/$"),
    ]
Beispiel #7
0
def test_user_username_setting_returns_user_by_username_and_not_email(
    rf, settings, django_user_model
):
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "USE_USERNAME", True)

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint", get_token_result
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_auth_code("authcode")
        assert isinstance(user, django_user_model)
        assert user.username == "fakemail"
        assert user.username != "*****@*****.**"
Beispiel #8
0
def test_groups_are_created_and_user_added(rf, settings, django_user_model):
    """
    If MANAGE_GROUPS is true the groups should be created and the user
    should be added to them.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_refresh_token("refresh")

        groups = Group.objects.all()
        assert [("one",), ("two",)] == list(groups.values_list("name"))
        assert list(user.groups.all()) == list(Group.objects.all())
Beispiel #9
0
def test_created_user_if_part_of_superuser_group(rf, settings, django_user_model):
    """
    If the user is part of the superuser group defined
    in settings make sure that the created user is a superuser.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_refresh_token("refresh")
        assert isinstance(user, django_user_model)
        assert user.is_superuser