def test_user(api_client, admin_user_with_k8s_system):
webapp1 = WebApplication(name="webapp1", link_show=True)
webapp1.save()
group1 = PortalGroup(name="group1")
group1.save()
group1.can_web_applications.add(webapp1)
group1.save()
admin_user_with_k8s_system.portal_groups.add(group1)
user_attr_expected = [
'firstname', 'name', 'username', 'user_id', 'primary_email',
'all_emails', 'admin', 'serviceaccount_urls', 'k8s_token',
'webapp_urls', 'group_urls'
]
response = api_client.get(
f'/api/{settings.API_VERSION}/users/{admin_user_with_k8s_system.pk}/')
assert response.status_code == 200
data = response.json()
assert True is data['admin']
for key in user_attr_expected:
assert key in data
assert len(data["group_urls"]) > 0 # all users group, at least
assert len(data["serviceaccount_urls"]) > 0
assert data['all_emails'] == ['*****@*****.**']
assert data['serviceaccount_urls'][0].startswith("http://testserver")
assert data['group_urls'][0].startswith("http://testserver")
def test_webapp_user_not_in_group(self):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
response = self.get(f'/api/{API_VERSION}/webapps/{app1.pk}/')
self.assertEqual(response.status_code, 403)
def test_webapp_user_not_in_group(admin_client):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
response = admin_client.get('/welcome/')
# User is not in a group that has this web app enabled
assert not contains(response, "http://www.heise.de")
def test_webapp_invisible(self):
app1 = WebApplication(name="app1",
link_show=False,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
self.admin_group.can_web_applications.add(app1)
response = self.get(f'/api/{API_VERSION}/webapps/{app1.pk}/')
self.assertEqual(response.status_code, 403)
def test_webapp_user_not_in_group(api_client):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
response = api_client.get(
f'/api/{settings.API_VERSION}/webapps/{app1.pk}/')
assert response.status_code == 404
def test_user_webapps_denied(self):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
self.admin_group.can_web_applications.add(app1)
response = self.get(
f'/api/{API_VERSION}/users/{self.admin.pk}/webapps/')
self.assertEqual(response.status_code, 401)
def test_subauth_view(self):
group1 = PortalGroup()
group1.save()
self.admin.portal_groups.add(group1)
app1 = WebApplication(name="app1", can_subauth=True)
app1.save()
response = self.client.get('/subauthreq/{}/'.format(app1.pk))
self.assertEqual(response.status_code, 401)
def test_single_webapp_denied(api_client_anon, admin_group):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
admin_group.can_web_applications.add(app1)
response = api_client_anon.get(
f'/api/{settings.API_VERSION}/webapps/{app1.pk}/')
assert response.status_code == 401
def test_webapp_invisible(api_client, admin_group):
app1 = WebApplication(name="app1",
link_show=False,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
admin_group.can_web_applications.add(app1)
response = api_client.get(
f'/api/{settings.API_VERSION}/webapps/{app1.pk}/')
assert response.status_code == 404
def test_multiple_groups_one_allowed(rf, admin_user):
client = create_oidc_client()
with pytest.raises(PermissionDenied):
oidc_authenticate(client, rf, admin_user)
app = WebApplication(name="Test Web App", oidc_client=client)
app.save()
create_group(member=admin_user, app=app)
create_group(member=admin_user, app=None)
response = oidc_authenticate(client, rf, admin_user)
assert response.status_code == 302
def test_webapp(self):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
self.admin_group.can_web_applications.add(app1)
response = self.get(f'/api/{API_VERSION}/webapps/{app1.pk}/')
self.assertEqual(response.status_code, 200)
data = response.json()
self.assertEqual(data['link_name'], 'app1')
self.assertEqual(data['link_url'], 'http://www.heise.de')
def test_webapp(api_client, admin_group):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
admin_group.can_web_applications.add(app1)
response = api_client.get(
f'/api/{settings.API_VERSION}/webapps/{app1.pk}/')
assert response.status_code == 200
data = response.json()
assert data['link_name'] == 'app1'
assert data['link_url'] == 'http://www.heise.de'
assert data['category'] == "GENERIC"
def test_webapp_user_in_multiple_groups(admin_client, admin_user):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
group1 = PortalGroup()
group1.save()
group1.can_web_applications.add(app1)
group2 = PortalGroup()
group2.save()
group2.can_web_applications.add(app1)
admin_user.portal_groups.add(group1)
admin_user.portal_groups.add(group2)
response = admin_client.get('/welcome/')
assert contains(response, "http://www.heise.de")
assert 1 == str(response.content).count("http://www.heise.de")
def test_webapp_user_in_multiple_groups(self):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
group1 = PortalGroup()
group1.save()
group1.can_web_applications.add(app1)
group2 = PortalGroup()
group2.save()
group2.can_web_applications.add(app1)
self.admin.portal_groups.add(group1)
self.admin.portal_groups.add(group2)
response = self.client.get('/welcome/')
self.assertContains(response, "http://www.heise.de")
self.assertEqual(1, str(response.content).count("http://www.heise.de"))
def test_webapp_placeholders(api_client, admin_group,
admin_user_with_k8s_system):
app1 = WebApplication(
name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de/{{{{namespace}}}}/{{{{serviceaccount}}}}"
)
app1.save()
admin_group.can_web_applications.add(app1)
response = api_client.get(
f'/api/{settings.API_VERSION}/webapps/{app1.pk}/')
assert response.status_code == 200
data = response.json()
assert data['link_url'] == 'http://www.heise.de/kube-system/default'
def _prepare_subauth_test(self, user_in_group1, user_in_group2, app_in_group1, app_in_group2, app_enabled):
group1 = PortalGroup()
group1.save()
if user_in_group1:
self.admin.portal_groups.add(group1)
group2 = PortalGroup()
group2.save()
if user_in_group2:
self.admin.portal_groups.add(group2)
app1 = WebApplication(name="app1", can_subauth=app_enabled)
app1.save()
if app_in_group1:
group1.can_web_applications.add(app1)
if app_in_group2:
group2.can_web_applications.add(app1)
return self.client.get('/subauthreq/{}/'.format(app1.pk))
def test_user_webapps(self):
test_values = [
('app1', True, "http://www.heise.de"),
("app2", True, "http://www.spiegel.de"),
("app3", False, "http://www.crappydemo.de"),
("app4", True, "http://www.unrelatedapp.de"),
]
for name, link_show, link_url in test_values:
app = WebApplication(name=name,
link_show=link_show,
link_name=name,
link_url=link_url)
app.save()
if name != 'app4':
self.admin_group.can_web_applications.add(app)
response = self.get(
f'/api/{API_VERSION}/users/{self.admin.pk}/webapps/')
self.assertEqual(response.status_code, 200)
data = response.json()
self.assertIn({
'link_name': 'app1',
'link_url': 'http://www.heise.de'
}, data)
self.assertIn(
{
'link_name': 'app2',
'link_url': 'http://www.spiegel.de'
}, data)
self.assertNotIn(
{
'link_name': 'app3',
'link_url': 'http://www.crappydemo.de'
}, data)
self.assertNotIn(
{
'link_name': 'app4',
'link_url': 'http://www.unrelatedapp.de'
}, data)
def test_subauth_caching(admin_user_with_k8s, admin_client, mocker):
spy = mocker.spy(SubAuthRequestView, 'get')
# Create new user group, add admin
group1 = PortalGroup()
group1.save()
admin_user_with_k8s.portal_groups.add(group1)
# Create new web application
app1 = WebApplication(name="app1", can_subauth=True)
app1.save()
webapp = app1.pk
# allow web application for group
group1.can_web_applications.add(app1)
# Second call should be answered from cache
response = admin_client.get('/subauthreq/{}/'.format(webapp))
assert response.status_code == 200
response = admin_client.get('/subauthreq/{}/'.format(webapp))
assert response.status_code == 200
spy.assert_called_once()
def test_user_web_applications(admin_user):
app1 = WebApplication(name="Test Web App 1", link_show=True)
app1.save()
app2 = WebApplication(name="Test Web App 2", link_show=False)
app2.save()
group = create_group(member=admin_user)
group.can_web_applications.add(app1)
group.can_web_applications.add(app2)
group.save()
admin_user.portal_groups.add(group)
admin_user.save()
assert len(admin_user.web_applications(include_invisible=True)) == 2
assert len(admin_user.web_applications(include_invisible=False)) == 1
def setUp(self):
super().setUp()
self.factory = RequestFactory()
self.client = {}
self.app = {}
for index, name in enumerate(["Fancy chat tool", "Fancy wiki tool"]):
self.client[index] = Client()
self.client[index].name = name
self.client[index].client_id = str(random.randint(1,
999999)).zfill(6)
self.client[index].client_secret = str(random.randint(
1, 999999)).zfill(6)
self.client[index].redirect_uris = ['http://example.com/']
self.client[index].require_consent = False
self.client[index].save()
self.client[index].response_types.add(
ResponseType.objects.get(value='code'))
self.app[index] = WebApplication(name=name,
oidc_client=self.client[index])
self.app[index].save()
self.state = uuid.uuid4().hex
def test_webapp_user_in_group(admin_client, admin_user):
app1 = WebApplication(name="app1",
link_show=True,
link_name="app1",
link_url="http://www.heise.de")
app1.save()
group = PortalGroup()
group.save()
admin_user.portal_groups.add(group)
response = admin_client.get('/welcome/')
# User is in group, but this group has the web app not enabled
assert not contains(response, "http://www.heise.de")
group.can_web_applications.add(app1)
response = admin_client.get('/welcome/')
# User is now in a group that has this web app enabled
assert contains(response, "http://www.heise.de")
assert 1 == str(response.content).count("http://www.heise.de")
app1.link_show = False
app1.save()
response = admin_client.get('/welcome/')
# User is now in a group that has this web app, but disabled
assert not contains(response, "http://www.heise.de")
((True, True, True, False, False), 401),
((True, True, False, True, False), 401),
((True, True, True, True, False), 401),
((True, False, False, False, False), 401),
((True, False, True, False, False), 401),
((True, False, False, True, False), 401),
((True, False, True, True, False), 401),
((False, False, False, False, False), 401),
((False, False, True, False, False), 401),
((False, False, False, True, False), 401),
((False, False, True, True, False), 401)])
def test_subauth_k8s_user(case, expected, admin_user_with_k8s, admin_client):
user_in_group1, user_in_group2, app_in_group1, app_in_group2, app_can_subauth = case
webapp = WebApplication(name="Test Web App", can_subauth=app_can_subauth)
webapp.save()
create_group(admin_user_with_k8s if user_in_group1 else None,
webapp if app_in_group1 else None)
create_group(admin_user_with_k8s if user_in_group2 else None,
webapp if app_in_group2 else None)
response = admin_client.get(f'/subauthreq/{webapp.pk}/')
assert response.status_code == expected
@pytest.mark.skipif(minikube_unavailable(), reason="Minikube is unavailable")
@pytest.mark.django_db
@pytest.mark.skip(reason="Subauth caching disabled, since broken")
def test_subauth_caching(admin_user_with_k8s, admin_client, mocker):
def test_subauth_view_existent_app(self):
app1 = WebApplication(name="app1")
app1.save()
response = self.client.get('/subauthreq/{}/'.format(app1.pk))
self.assertEqual(response.status_code, 401)
def test_subauth_view_existent_app(client):
app1 = WebApplication(name="app1")
app1.save()
response = client.get('/subauthreq/{}/'.format(app1.pk))
assert response.status_code == 401
