def test_when_oauth2_github(self):
connection = factories.SSOConnectionFactory(
workspace=self.workspace,
provider=models.SSOConnection.GITHUB,
is_enabled=True,
entity_id='metamapper-io',
sso_url=None,
x509cert=None,
extras={
'login': '******',
'ident': '543210',
},
)
self.workspace.active_sso = connection
self.workspace.save()
variables = {'workspaceSlug': self.workspace.slug}
response = self.execute(variables=variables)
response = response['data'][self.operation]
redirect = ('https://github.com/login/oauth/authorize'
'?client_id={}'
'&scope=user%3Aemail%2Cread%3Aorg%2Crepo').format(
conf.settings.GITHUB_CLIENT_ID)
self.assertTrue(redirect in response['redirectUrl'])
def test_when_saml2_generic(self, mock_auth_request):
the_mock = mock.MagicMock()
the_mock.login.return_value = 'http://this-is-the-sso-url/hi'
mock_auth_request.return_value = the_mock
connection = factories.SSOConnectionFactory(
workspace=self.workspace,
provider=models.SSOConnection.GENERIC,
is_enabled=True,
entity_id='urn:auth0:metamapper',
x509cert=None,
extras={
'mappings': {
'user_id': 'identifier',
'user_email': 'user_email',
'fname': 'first_name',
'lname': 'last_name',
},
},
)
self.workspace.active_sso = connection
self.workspace.save()
variables = {'workspaceSlug': self.workspace.slug}
response = self.execute(variables=variables)
response = response['data'][self.operation]
self.assertEqual(response, {
'redirectUrl': 'http://this-is-the-sso-url/hi',
})
def test_when_oauth2_google(self):
connection = factories.SSOConnectionFactory(
workspace=self.workspace,
provider=models.SSOConnection.GOOGLE,
is_enabled=True,
entity_id='metamapper.io',
sso_url=None,
x509cert=None,
extras={
'domain': 'metamapper.io',
},
)
self.workspace.active_sso = connection
self.workspace.save()
variables = {'workspaceSlug': self.workspace.slug}
response = self.execute(variables=variables)
response = response['data'][self.operation]
redirect = ('https://accounts.google.com/o/oauth2/auth'
'?client_id={}'
'&scope=openid+email+profile').format(
conf.settings.GOOGLE_CLIENT_ID)
self.assertTrue(redirect in response['redirectUrl'])
def test_when_domain_is_not_verified(self, github_client):
"""It should redirect with an error.
"""
github_client.return_value.is_org_member.return_value = True
github_client.return_value.get_user.return_value = {
"uid": self.user.pk,
"id": "1234",
"email": self.user.email,
"verified": True,
}
connection = factories.SSOConnectionFactory(workspace=self.workspace,
is_enabled=True)
response = self.client.get(
reverse('sso-oauth2-github'), {
'code':
'meowmeowmeow',
'state':
b64encode(('connection=%s' % connection.pk).encode('utf-8')),
})
urlparams = parse_qs(urlparse(response.url).query)
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
b64decode(urlparams['error'][0]).decode('utf-8'),
'Domain is not authorized for the provided workspace.',
)
def test_when_valid(self, github_client):
"""It authenticate the user.
"""
github_client.return_value.is_org_member.return_value = True
github_client.return_value.get_user.return_value = {
"uid": self.user.pk,
"id": "1234",
"email": self.user.email,
"verified": True,
}
connection = factories.SSOConnectionFactory(workspace=self.workspace,
is_enabled=True)
sso_domain = factories.SSODomainFactory(
workspace=self.workspace,
domain=self.user.email.split("@")[-1],
)
sso_domain.mark_as_verified()
response = self.client.get(
reverse('sso-oauth2-github'), {
'code':
'meowmeowmeow',
'state':
b64encode(('connection=%s' % connection.pk).encode('utf-8')),
})
self.user.refresh_from_db()
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
response.url,
f'{settings.WEBSERVER_ORIGIN}/{self.workspace.slug}/sso/{self.user.pk}/{self.user.sso_access_token}',
)
def test_with_not_part_of_github_organization(self, github_client):
"""It should redirect with an error.
"""
github_client.return_value.is_org_member.return_value = False
github_client.return_value.get_user.return_value = {
"uid": self.user.pk,
"id": "1234",
}
connection = factories.SSOConnectionFactory(workspace=self.workspace,
is_enabled=True)
response = self.client.get(
reverse('sso-oauth2-github'), {
'code':
'meowmeowmeow',
'state':
b64encode(('connection=%s' % connection.pk).encode('utf-8')),
})
urlparams = parse_qs(urlparse(response.url).query)
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
b64decode(urlparams['error'][0]).decode('utf-8'),
'You are not an authorized member of the connected GitHub organization.',
)
def test_when_domain_is_not_verified(self, google_client):
"""It should redirect with an error.
"""
domain = self.user.email.split("@")[-1]
google_client.return_value.get_user_domain.return_value = domain
google_client.return_value.get_user.return_value = {
"sub": "1234",
"email": self.user.email,
"given_name": self.user.fname,
"family_name": self.user.lname,
"email_verified": True,
}
connection = factories.SSOConnectionFactory(
workspace=self.workspace,
is_enabled=True,
extras={'domain': domain},
)
response = self.client.get(
reverse('sso-oauth2-google'), {
'code':
'meowmeowmeow',
'state':
b64encode(('connection=%s' % connection.pk).encode('utf-8')),
})
urlparams = parse_qs(urlparse(response.url).query)
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
b64decode(urlparams['error'][0]).decode('utf-8'),
'Domain is not authorized for the provided workspace.',
)
def test_with_not_part_of_google_organization(self, google_client):
"""It should redirect with an error.
"""
domain = 'metamapper.io'
google_client.return_value.get_user_domain.return_value = domain
google_client.return_value.get_user.return_value = {
"sub": "1234",
"email": self.user.email,
"given_name": self.user.fname,
"family_name": self.user.lname,
"email_verified": True,
}
connection = factories.SSOConnectionFactory(
workspace=self.workspace,
is_enabled=True,
extras={'domain': 'metamapper.dev'},
)
response = self.client.get(
reverse('sso-oauth2-google'), {
'code':
'meowmeowmeow',
'state':
b64encode(('connection=%s' % connection.pk).encode('utf-8')),
})
urlparams = parse_qs(urlparse(response.url).query)
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
b64decode(urlparams['error'][0]).decode('utf-8'),
f'The domain for your Google account ({domain}) is not allowed to authenticate with this provider.',
)
def setUp(self):
super().setUp()
self.sso_domain = models.SSODomain.objects.create(
workspace=self.workspace,
domain='metamapper.io',
)
self.sso_connection = factories.SSOConnectionFactory(
workspace=self.workspace,
is_enabled=True,
)
self.email = '*****@*****.**'
def test_when_connection_is_disabled(self):
"""It should redirect with an error.
"""
connection = factories.SSOConnectionFactory(workspace=self.workspace,
is_enabled=False)
response = self.client.post(
reverse('sso-saml-acs') + f'?connection={connection.pk}')
urlparams = parse_qs(urlparse(response.url).query)
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
b64decode(urlparams['error'][0]).decode('utf-8'),
'The workspace does not exist or does not have SSO enabled.',
)
def setUp(self):
super().setUp()
self.connection = factories.SSOConnectionFactory(
workspace=self.workspace,
provider=models.SSOConnection.GENERIC,
is_enabled=True,
entity_id='urn:auth0:metamapper',
x509cert=None,
extras={
'mappings': {
'user_id': 'identifier',
'user_email': 'user_email',
'fname': 'first_name',
'lname': 'last_name',
},
},
)
def test_when_valid(self, google_client):
"""It authenticate the user.
"""
domain = self.user.email.split("@")[-1]
google_client.return_value.get_user_domain.return_value = domain
google_client.return_value.get_user.return_value = {
"sub": "1234",
"email": self.user.email,
"given_name": self.user.fname,
"family_name": self.user.lname,
"email_verified": True,
}
connection = factories.SSOConnectionFactory(
workspace=self.workspace,
is_enabled=True,
extras={'domain': domain},
)
sso_domain = factories.SSODomainFactory(
workspace=self.workspace,
domain=domain,
)
sso_domain.mark_as_verified()
response = self.client.get(
reverse('sso-oauth2-google'), {
'code':
'meowmeowmeow',
'state':
b64encode(('connection=%s' % connection.pk).encode('utf-8')),
})
self.user.refresh_from_db()
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
response.url,
f'{settings.WEBSERVER_ORIGIN}/{self.workspace.slug}/sso/{self.user.pk}/{self.user.sso_access_token}',
)
def test_when_connection_is_disabled(self, github_client):
"""It should redirect with an error.
"""
connection = factories.SSOConnectionFactory(workspace=self.workspace,
is_enabled=False)
response = self.client.get(
reverse('sso-oauth2-github'), {
'code':
'meowmeowmeow',
'state':
b64encode(('connection=%s' % connection.pk).encode('utf-8')),
})
urlparams = parse_qs(urlparse(response.url).query)
self.assertTrue(isinstance(response, (HttpResponseRedirect, )))
self.assertEqual(
b64decode(urlparams['error'][0]).decode('utf-8'),
'The workspace does not exist or does not have SSO enabled.',
)