def test_existing_superuser_is_deescalated_from_staff_group(
rf, settings, django_user_model
):
"""
If an existing user is removed from a staff group they should
have the staff flag removed.
"""
settings.OKTA_AUTH = update_okta_settings(
settings.OKTA_AUTH, "STAFF_GROUP", STAFF_GROUP
)
user = django_user_model._default_manager.create_user(
username="******",
email="*****@*****.**",
is_staff=True,
)
c = Config()
req = rf.get("/")
add_session(req)
with patch(
"okta_oauth2.tokens.TokenValidator.call_token_endpoint",
get_normal_user_with_groups_token,
), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
tv = TokenValidator(c, "defaultnonce", req)
user, tokens = tv.tokens_from_refresh_token("refresh")
assert isinstance(user, django_user_model)
assert user.is_staff is False
def test_existing_user_is_escalated_to_superuser_group(rf, settings, django_user_model):
"""
If an existing user is added to a superuser group they should
be escalated to a superuser.
"""
settings.OKTA_AUTH = update_okta_settings(
settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
)
user = django_user_model._default_manager.create_user(
username="******", email="*****@*****.**"
)
c = Config()
req = rf.get("/")
add_session(req)
with patch(
"okta_oauth2.tokens.TokenValidator.call_token_endpoint",
get_superuser_token_result,
), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
tv = TokenValidator(c, "defaultnonce", req)
user, tokens = tv.tokens_from_refresh_token("refresh")
assert isinstance(user, django_user_model)
assert user.is_superuser
def test_user_is_removed_from_groups(rf, settings, django_user_model):
"""
When MANAGE_GROUPS is true a user should be removed from a
group if it's not included in the token response.
"""
settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)
user = django_user_model._default_manager.create_user(
username="******", email="*****@*****.**"
)
group = Group.objects.create(name="test-group")
user.groups.add(group)
c = Config()
req = rf.get("/")
add_session(req)
with patch(
"okta_oauth2.tokens.TokenValidator.call_token_endpoint",
get_normal_user_with_groups_token,
), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
tv = TokenValidator(c, "defaultnonce", req)
user, tokens = tv.tokens_from_refresh_token("refresh")
groups = user.groups.all()
assert [("one",), ("two",)] == list(groups.values_list("name"))
def test_middleware_allows_public_url(settings, rf):
"""
A URL that has been defined as a public url
should just pass through our middleware.
"""
settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH,
"PUBLIC_NAMED_URLS",
("named-url", ))
request = rf.get("/named/")
request.session = {}
mw = OktaMiddleware(Mock(return_value=HttpResponse()))
response = mw(request)
assert response.status_code == 200
def test_invalid_public_named_urls_are_ignored(settings):
"""
We don't want to crash if our public named urls don't
exist, instead just skip it.
"""
settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH,
"PUBLIC_NAMED_URLS",
("not-a-valid-url", ))
config = Config()
assert config.public_urls == [
re.compile("^/accounts/login/$"),
re.compile("^/accounts/logout/$"),
re.compile("^/accounts/oauth2/callback/$"),
]
def test_public_named_urls_are_built(settings):
"""
We should have reversed url regexes to match against
in our config objects.
"""
settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH,
"PUBLIC_NAMED_URLS",
("named-url", ))
config = Config()
assert config.public_urls == [
re.compile("^/named/$"),
re.compile("^/accounts/login/$"),
re.compile("^/accounts/logout/$"),
re.compile("^/accounts/oauth2/callback/$"),
]
def test_user_username_setting_returns_user_by_username_and_not_email(
rf, settings, django_user_model
):
settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "USE_USERNAME", True)
c = Config()
req = rf.get("/")
add_session(req)
with patch(
"okta_oauth2.tokens.TokenValidator.call_token_endpoint", get_token_result
), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
tv = TokenValidator(c, "defaultnonce", req)
user, tokens = tv.tokens_from_auth_code("authcode")
assert isinstance(user, django_user_model)
assert user.username == "fakemail"
assert user.username != "*****@*****.**"
def test_groups_are_created_and_user_added(rf, settings, django_user_model):
"""
If MANAGE_GROUPS is true the groups should be created and the user
should be added to them.
"""
settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)
c = Config()
req = rf.get("/")
add_session(req)
with patch(
"okta_oauth2.tokens.TokenValidator.call_token_endpoint",
get_normal_user_with_groups_token,
), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
tv = TokenValidator(c, "defaultnonce", req)
user, tokens = tv.tokens_from_refresh_token("refresh")
groups = Group.objects.all()
assert [("one",), ("two",)] == list(groups.values_list("name"))
assert list(user.groups.all()) == list(Group.objects.all())
def test_created_user_if_part_of_superuser_group(rf, settings, django_user_model):
"""
If the user is part of the superuser group defined
in settings make sure that the created user is a superuser.
"""
settings.OKTA_AUTH = update_okta_settings(
settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
)
c = Config()
req = rf.get("/")
add_session(req)
with patch(
"okta_oauth2.tokens.TokenValidator.call_token_endpoint",
get_superuser_token_result,
), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
tv = TokenValidator(c, "defaultnonce", req)
user, tokens = tv.tokens_from_refresh_token("refresh")
assert isinstance(user, django_user_model)
assert user.is_superuser
