def test_user_conflict(dcos_api_session: DcosApiSession) -> None:
    # Creating the same uid twice must be rejected: the first PUT is expected
    # to create the user (201) and the repeated PUT to report a conflict
    # (409) instead of succeeding a second time.
    # Note: the empty request body is not the decisive criterion here.
    user_url = '/acs/api/v1/users/[email protected]'

    first = dcos_api_session.put(user_url, json={})
    assert first.status_code == 201, first.text

    second = dcos_api_session.put(user_url, json={})
    assert second.status_code == 409, second.text


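def test_legacy_user_creation_with_empty_json_doc(
        dcos_api_session: DcosApiSession) -> None:
    # Legacy HTTP clients built for dcos-oauth such as the web UI (up to DC/OS
    # 1.12) might insert users in the following way: uid appears to be an email
    # address, and the JSON document in the request body does not provide a
    # `public_key` or a `password` property (indicating local user), or is
    # empty. The legacy web UI would insert users like that and expect those
    # users to be remote users, usable with the legacy OIDC ID Token login
    # method through the 'https://dcos.auth0.com/' provider. This behavior is
    # maintained in Bouncer for backwards compatibility.
    r = dcos_api_session.put('/acs/api/v1/users/[email protected]', json={})
    assert r.status_code == 201, r.text

    # Bouncer annotates the created user (this is new compared to dcos-oauth).
    r = dcos_api_session.get('/acs/api/v1/users/[email protected]')
    # Surface an HTTP error as such instead of as a JSON decoding error or a
    # KeyError in the assertions below.
    r.raise_for_status()
    user = r.json()
    # These three fields record which provider the implicitly created account
    # is bound to and that it is a remote (not a local) user, so a change of
    # this backwards-compatibility default is caught here.
    assert user['provider_type'] == 'oidc'
    assert user['provider_id'] == 'https://dcos.auth0.com/'
    assert user['is_remote'] is True

    # When the uid however does not appear to be an email address the more sane
    # behavior of Bouncer takes effect: an empty (meaningless) JSON body
    # results in a useful error message.
    r = dcos_api_session.put('/acs/api/v1/users/user1', json={})
    assert r.status_code == 400, r.text
    assert 'One of `password` or `public_key` must be provided' in r.text

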
def test_user_put_email_uid_and_description(
        dcos_api_session: DcosApiSession) -> None:
    # A user whose uid looks like an email address can be created with only a
    # `description` in the request body, and is then part of the user listing.
    body = {'description': 'integration test user'}
    resp = dcos_api_session.put(
        '/acs/api/v1/users/[email protected]', json=body)
    assert resp.status_code == 201, resp.text

    listed = get_users(dcos_api_session)
    # More than one entry is expected; presumably the listing already holds at
    # least one other user besides the one created above. TODO confirm.
    assert len(listed) > 1
    # NOTE(review): this literal has to be the uid that was PUT above. The two
    # are rendered differently in this copy, so confirm that they match.
    assert '*****@*****.**' in listed


def test_user_delete(dcos_api_session: DcosApiSession) -> None:
    # Create a user, delete it again, and check that the uid is no longer part
    # of the user listing.
    user_url = '/acs/api/v1/users/[email protected]'

    created = dcos_api_session.put(user_url, json={})
    created.raise_for_status()
    assert created.status_code == 201

    deleted = dcos_api_session.delete(user_url)
    deleted.raise_for_status()
    assert deleted.status_code == 204

    remaining = get_users(dcos_api_session)
    # NOTE(review): this check only proves the deletion if the literal is the
    # uid created above; with any other string it passes trivially. The two
    # are rendered differently in this copy, so confirm that they match.
    assert '*****@*****.**' not in remaining


def test_user_put_with_legacy_body(dcos_api_session: DcosApiSession) -> None:
    # The UI up to DC/OS 1.12 sends the `creator_uid` and the `cluster_url`
    # properties although they are not used by dcos-oauth. Bouncer supports
    # these two properties for legacy reasons. Note(JP): As a follow-up task we
    # should change the UI to not send these properties anymore, and then
    # remove the properties from Bouncer's UserCreate JSON schema again,
    # ideally within the 1.13 development cycle.
    #
    # NOTE(review): only acceptance of the request (201) is asserted. What
    # happens to the client-supplied `creator_uid` and `cluster_url` values
    # afterwards is not checked by this test.
    legacy_body = {
        'creator_uid': '*****@*****.**',
        'cluster_url': 'foobar',
    }
    resp = dcos_api_session.put(
        '/acs/api/v1/users/[email protected]', json=legacy_body)
    assert resp.status_code == 201, resp.text


def test_user_put_no_email_uid_empty_body(
        dcos_api_session: DcosApiSession) -> None:
    # This test mainly demonstrates a subtle API difference between dcos-oauth
    # (legacy) and Bouncer. The PUT is sent without any request body.
    resp = dcos_api_session.put('/acs/api/v1/users/user1')

    # Old behavior in dcos-oauth, kept here for reference only:
    #   status code 500, with 'invalid email' in the response text.
    #
    # With Bouncer non-email uids are valid, and the request fails because of
    # the missing request body.
    assert resp.status_code == 400
    assert 'Request has bad Content-Type or lacks JSON data' in resp.text


def test_user_put_requires_authentication(
        noauth_api_session: DcosApiSession) -> None:
    # User creation must not be available without authentication: the PUT is
    # sent through `noauth_api_session` (presumably a session that carries no
    # credentials, going by the fixture name) and has to be answered with 401.
    #
    # NOTE(review): only the status code is checked. The test does not confirm
    # that no user record was created as a side effect; that would need a
    # second, authenticated session.
    resp = noauth_api_session.put(
        '/acs/api/v1/users/[email protected]', json={})
    assert resp.status_code == 401, resp.text