def test_get_user_id(self):
    """get_user_id returns the user's email when no service email is registered."""
    account = UserFactory(email="*****@*****.**")
    SamlApplicationFactory(entity_id="an_entity_id")
    idp_processor = ModelProcessor(entity_id="an_entity_id")

    resolved_id = idp_processor.get_user_id(account, None, None, None)

    # No ServiceEmailAddress exists for this user/application pair, so the
    # identifier handed to the service provider is the account's own email.
    assert resolved_id == account.email
def test_user_has_access_is_disabled(self, rf):
    """A user created with is_active=False is refused by has_access."""
    SamlApplicationFactory(entity_id="an_entity_id")
    idp_processor = ModelProcessor("an_entity_id")

    req = rf.get("/whatever/")
    req.user = UserFactory(is_active=False)

    # NOTE(review): this user also holds no access profile, and
    # test_has_access_user_not_in_profile shows that alone produces a denial,
    # so this test does not isolate the is_active check - confirm that the
    # inactive-account path is covered on its own.
    granted = idp_processor.has_access(req)
    assert not granted
def test_has_access_user_not_in_profile(self, rf):
    """A user with no access profile for the application is refused."""
    SamlApplicationFactory(entity_id="an_entity_id")
    idp_processor = ModelProcessor("an_entity_id")

    req = rf.get("/whatever/")
    # Default-built user: no access profile links it to the SAML application.
    req.user = UserFactory()

    granted = idp_processor.has_access(req)
    assert not granted
def test_is_valid_ip_with_ip_restriction_disabled(self, rf):
    """A user holding a matching access profile is granted access.

    The application is built without an allowed_ips value, and the request
    carries no X-Forwarded-For header.
    """
    application = SamlApplicationFactory(entity_id="an_entity_id")
    profile = AccessProfileFactory(saml_apps_list=[application])
    idp_processor = ModelProcessor("an_entity_id")

    req = rf.get("/whatever/")
    req.user = UserFactory(add_access_profiles=[profile])

    granted = idp_processor.has_access(req)
    assert granted
def test_has_access_ip_restriction_no_x_forwarded_header(self, rf):
    """With allowed_ips set, a request lacking X-Forwarded-For is refused."""
    application = SamlApplicationFactory(
        entity_id="an_entity_id",
        allowed_ips="1.1.1.1",
    )
    profile = AccessProfileFactory(saml_apps_list=[application])
    idp_processor = ModelProcessor("an_entity_id")

    # The user is otherwise entitled (profile attached); the only thing
    # missing is the forwarded client address, so the denial asserted below
    # shows the IP restriction failing closed.
    req = rf.get("/whatever/")
    req.user = UserFactory(add_access_profiles=[profile])

    granted = idp_processor.has_access(req)
    assert not granted
def test_has_access_by_email_domain(self, rf, email, allowed_emails, expected):
    """has_access matches `expected` for `email` against the app's suffix setting.

    NOTE(review): `email`, `allowed_emails` and `expected` are presumably
    supplied by a pytest parametrize decorator that is not visible in this
    excerpt - confirm it includes near-miss domains as denied cases.
    """
    SamlApplicationFactory(
        entity_id="an_entity_id",
        allow_access_by_email_suffix=allowed_emails,
    )
    idp_processor = ModelProcessor("an_entity_id")

    req = rf.get("/whatever/")
    # No access profile is attached to this user.
    req.user = UserFactory(email=email)

    outcome = idp_processor.has_access(req)
    assert outcome == expected
def test_has_access_ip_restriction_ip_not_whitelisted(self, rf):
    """A forwarded address chain with no allowed IP in it is refused."""
    application = SamlApplicationFactory(
        entity_id="an_entity_id",
        allowed_ips="8.8.8.8",
    )
    profile = AccessProfileFactory(saml_apps_list=[application])
    idp_processor = ModelProcessor("an_entity_id")

    # NOTE(review): none of the three forwarded addresses equals the allowed
    # one, so this test passes whichever X-Forwarded-For entry the processor
    # reads. It does not pin which hop is treated as the client address.
    forwarded_chain = "1.1.1.1, 2.2.2.2, 3.3.3.3"
    req = rf.get("/whatever/", HTTP_X_FORWARDED_FOR=forwarded_chain)
    req.user = UserFactory(add_access_profiles=[profile])

    granted = idp_processor.has_access(req)
    assert not granted
def test_user_id_field_uses_email_if_contact_email_is_empty(self):
    """get_user_id falls back to email when the configured field is empty."""
    account = UserFactory(email="*****@*****.**", contact_email="")
    SamlApplicationFactory(entity_id="an_entity_id")
    idp_processor = ModelProcessor(entity_id="an_entity_id")
    # Point the processor at contact_email on this instance only.
    idp_processor.USER_ID_FIELD = "contact_email"

    # Precondition: the field the processor was told to use really is empty.
    assert not account.contact_email

    resolved_id = idp_processor.get_user_id(account, None, None, None)
    assert resolved_id == account.email
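def test_x_application_logging_without_access(self, rf, mocker):
    """A refused request is logged once with status 403 and the app name.

    The access decision itself is asserted as well, so the audit record and
    the value returned by has_access cannot drift apart unnoticed.
    """
    saml_app = SamlApplicationFactory(entity_id="an_entity_id")
    processor = ModelProcessor("an_entity_id")

    request = rf.get("/whatever/")
    # No access profile: same fixture as test_has_access_user_not_in_profile.
    request.user = UserFactory()

    # Patch the name as looked up inside the processors module.
    mock_create_x_access_log = mocker.patch(
        "sso.samlidp.processors.create_x_access_log")

    decision = processor.has_access(request)

    # A 403 log entry must go together with an actual denial.
    assert not decision
    mock_create_x_access_log.assert_called_once_with(
        request, 403, application=saml_app.name)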
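def test_x_application_logging(self, rf, mocker):
    """A permitted request is logged once with status 200 and the app name.

    The access decision itself is asserted as well, so the audit record and
    the value returned by has_access cannot drift apart unnoticed.
    """
    saml_app = SamlApplicationFactory(entity_id="an_entity_id")
    ap = AccessProfileFactory(saml_apps_list=[saml_app])
    processor = ModelProcessor("an_entity_id")

    request = rf.get("/whatever/")
    # Profile attached: same fixture as
    # test_is_valid_ip_with_ip_restriction_disabled, which expects a grant.
    request.user = UserFactory(add_access_profiles=[ap])

    # Patch the name as looked up inside the processors module.
    mock_create_x_access_log = mocker.patch(
        "sso.samlidp.processors.create_x_access_log")

    decision = processor.has_access(request)

    # A 200 log entry must go together with an actual grant.
    assert decision
    mock_create_x_access_log.assert_called_once_with(
        request, 200, application=saml_app.name)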
def test_get_user_id_with_service_override(self):
    """get_user_id returns the service-specific email when one is registered."""
    # NOTE(review): the address literals appear masked in this copy, so the
    # primary, service and extra addresses are the same string as written.
    service_email = "*****@*****.**"
    account = UserFactory(
        email="*****@*****.**",
        email_list=[service_email, "*****@*****.**"],
    )
    application = SamlApplicationFactory(entity_id="an_entity_id")
    idp_processor = ModelProcessor(entity_id="an_entity_id")

    # Bind one of the user's existing email records to this application.
    linked_address = account.emails.get(email=service_email)
    ServiceEmailAddressFactory(
        user=account,
        saml_application=application,
        email=linked_address,
    )

    resolved_id = idp_processor.get_user_id(account, None, None, None)
    assert resolved_id == service_email
def test_get_service_email(self):
    """get_service_email returns the linked address, or a falsy value if none."""
    application = SamlApplicationFactory(entity_id="an_entity_id")
    idp_processor = ModelProcessor(entity_id="an_entity_id")

    # NOTE(review): the address literals appear masked in this copy, so the
    # primary and secondary addresses are the same string as written.
    linked_user = UserFactory(email="*****@*****.**", email_list=["*****@*****.**"])
    unlinked_user = UserFactory(email="*****@*****.**")

    # Only linked_user gets a service email for this application.
    linked_address = linked_user.emails.get(email="*****@*****.**")
    ServiceEmailAddressFactory(
        user=linked_user,
        saml_application=application,
        email=linked_address,
    )

    assert idp_processor.get_service_email(linked_user) == "*****@*****.**"
    assert not idp_processor.get_service_email(unlinked_user)
def test_model_does_not_exist(self):
    """Building a processor for an unknown entity_id raises DoesNotExist."""
    unknown_entity_id = "a_non_existent_entity_id"
    # No SamlApplication is created in this test, so construction must fail
    # rather than yield a processor with no application behind it.
    with pytest.raises(SamlApplication.DoesNotExist):
        ModelProcessor(unknown_entity_id)
def test_model_is_loaded(self):
    """The processor holds the SamlApplication matching its entity_id."""
    expected_app = SamlApplicationFactory(entity_id="an_entity_id")
    idp_processor = ModelProcessor("an_entity_id")

    # Reads the private attribute directly to check what was loaded.
    loaded_app = idp_processor._application
    assert loaded_app == expected_app