コード例 #1
ファイル: tests.py プロジェクト: malicious-hacker/gwells
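    def test_user_removed_from_groups(self):
        """Check that roles_to_groups drops memberships missing from a new role list.

        A membership that survives a role change would leave the user with
        privileges the identity provider no longer grants, so both the grant
        and the removal are asserted.
        """
        def in_group(role):
            # True when the test user currently belongs to the group named `role`.
            return self.test_user.groups.filter(name=role).exists()

        roles_to_groups(
            self.test_user, [ADMIN_ROLE, REGISTRIES_AUTHORITY_ROLE])

        # assertTrue/assertFalse replace assertEquals, a deprecated alias
        # that was removed from unittest in Python 3.12.
        self.assertTrue(in_group(ADMIN_ROLE))
        self.assertTrue(in_group(REGISTRIES_AUTHORITY_ROLE))
        self.assertFalse(in_group(REGISTRIES_ADJUDICATOR_ROLE))
        self.assertFalse(in_group(REGISTRIES_VIEWER_ROLE))

        # Second sync with a disjoint role list: the earlier grants must go.
        roles_to_groups(
            self.test_user,
            [REGISTRIES_ADJUDICATOR_ROLE, REGISTRIES_VIEWER_ROLE])

        self.assertFalse(in_group(ADMIN_ROLE))
        self.assertFalse(in_group(REGISTRIES_AUTHORITY_ROLE))
        self.assertTrue(in_group(REGISTRIES_ADJUDICATOR_ROLE))
        self.assertTrue(in_group(REGISTRIES_VIEWER_ROLE))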
コード例 #2
ファイル: test_wells.py プロジェクト: MaxWardle/gwells
 def setUp(self):
     """Ensure the wells viewer/edit groups exist and log in a user holding both.

     force_authenticate attaches the user to the test client without a token
     (presumably DRF's test client), so tests using this fixture cover
     role-based authorization rather than JWT validation.
     """
     granted_roles = [WELLS_VIEWER_ROLE, WELLS_EDIT_ROLE]
     for role_name in granted_roles:
         Group.objects.get_or_create(name=role_name)
     test_user, _ = User.objects.get_or_create(username='******')
     # NOTE(review): only the user row is saved below; confirm the profile
     # change is persisted elsewhere (e.g. by a signal handler).
     test_user.profile.username = test_user.username
     test_user.save()
     roles_to_groups(test_user, granted_roles)
     self.client.force_authenticate(test_user)
コード例 #3
ファイル: test_roles.py プロジェクト: markeyev/gwells
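    def test_groups_created(self):
        """Check that roles_to_groups puts the user into a group for each role."""
        roles = [REGISTRIES_EDIT_ROLE, REGISTRIES_VIEWER_ROLE]
        roles_to_groups(self.test_user, roles)

        # assertTrue replaces assertEquals(..., True); assertEquals is a
        # deprecated alias that was removed from unittest in Python 3.12.
        for role in roles:
            self.assertTrue(
                self.test_user.groups.filter(name=role).exists())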
コード例 #4
ファイル: tests.py プロジェクト: ashleydhillon/gwells
 def setUp(self):
     """Create the submission-viewer group and log in a user who holds only that role.

     The client is authenticated with force_authenticate, i.e. no token is
     presented; the fixture is about what this single role may do.
     """
     granted_roles = [WELLS_SUBMISSION_VIEWER_ROLE]
     for role_name in granted_roles:
         Group(name=role_name).save()
     viewer, _ = User.objects.get_or_create(username='******')
     roles_to_groups(viewer, granted_roles)
     self.client.force_authenticate(viewer)
コード例 #5
ファイル: tests.py プロジェクト: markeyev/gwells
 def setUp(self):
     """Log in a user with the aquifers edit role and create aquifer 1 as a fixture.

     Authentication is forced on the test client, so no JWT is involved.
     """
     granted_roles = [AQUIFERS_EDIT_ROLE]
     for role_name in granted_roles:
         Group(name=role_name).save()
     editor, _ = User.objects.get_or_create(username='******')
     # NOTE(review): only the user row is saved below; confirm the profile
     # change is persisted elsewhere (e.g. by a signal handler).
     editor.profile.username = editor.username
     editor.save()
     roles_to_groups(editor, granted_roles)
     self.client.force_authenticate(editor)
     # Record the tests operate on.
     Aquifer(aquifer_id=1).save()
コード例 #6
ファイル: tests.py プロジェクト: ashleydhillon/gwells
    def setUp(self):
        """Create the wells submission group and log in self.user with that role.

        force_authenticate bypasses token handling, so the tests built on
        this fixture check permissions only.
        """
        granted_roles = [WELLS_SUBMISSION_ROLE]
        for role_name in granted_roles:
            Group(name=role_name).save()

        submitter, _ = User.objects.get_or_create(username='******')
        self.user = submitter
        # NOTE(review): only the user row is saved below; confirm the
        # profile change is persisted elsewhere (e.g. by a signal handler).
        submitter.profile.username = submitter.username
        submitter.save()
        roles_to_groups(submitter, granted_roles)
        self.client.force_authenticate(submitter)
コード例 #7
ファイル: tests.py プロジェクト: malicious-hacker/gwells
    def setUp(self):
        """Log in self.user as a staff member flagged as GWELLS admin.

        The user is marked is_staff, its profile is marked is_gwells_admin,
        and it is synced into the 'gwells_admin' group. Authentication is
        forced on the test client; no token is presented.
        """
        admin_user, was_created = User.objects.get_or_create(username='******')
        self.user = admin_user
        if was_created:
            # A freshly created user gets a profile row before it is touched below.
            Profile.objects.get_or_create(user=admin_user)
        admin_user.is_staff = True
        admin_user.profile.is_gwells_admin = True
        admin_user.save()
        admin_user.profile.save()

        roles_to_groups(admin_user, ['gwells_admin'])
        self.client.force_authenticate(admin_user)
コード例 #8
ファイル: tests.py プロジェクト: MaxWardle/gwells
    def setUp(self):
        """Log in self.user with the registries edit and viewer roles.

        Authentication is forced on the test client, so these tests do not
        exercise token validation.
        """
        granted_roles = [REGISTRIES_EDIT_ROLE, REGISTRIES_VIEWER_ROLE]
        # Creating the groups up front keeps the test log quieter.
        for role_name in granted_roles:
            Group(name=role_name).save()

        member, _ = User.objects.get_or_create(username='******')
        self.user = member
        # NOTE(review): only the user row is saved below; confirm the
        # profile change is persisted elsewhere (e.g. by a signal handler).
        member.profile.username = member.username
        member.save()
        roles_to_groups(member, granted_roles)
        self.client.force_authenticate(member)
コード例 #9
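    def authenticate_credentials(self, payload):
        """Map a decoded Keycloak JWT payload onto a local user and sync its groups.

        Args:
            payload: Decoded JWT claims (dict-like). Nothing here checks the
                signature or expiry; presumably the caller has already
                verified the token -- confirm.

        Returns:
            The user whose username equals the token's ``sub`` claim.

        Raises:
            exceptions.AuthenticationFailed: ``sub`` is missing, the user or
                profile cannot be loaded or created, or the token carries no
                ``realm_access.roles`` list.
        """
        User = get_user_model()

        # The Keycloak subject ID doubles as the local username.
        username = payload.get('sub')

        if username is None:
            raise exceptions.AuthenticationFailed(
                'JWT did not contain a "sub" attribute')

        # `except Exception` (not a bare `except`) so KeyboardInterrupt and
        # SystemExit are not reported as authentication failures; the cause
        # is chained for the server-side log.
        try:
            user, user_created = User.objects.get_or_create(username=username)
        except Exception as exc:
            raise exceptions.AuthenticationFailed(
                'Failed to retrieve or create user') from exc

        # Only a non-empty email claim is written, so a token without one
        # neither blanks a stored address nor saves None into the column.
        email = payload.get('email')
        if user_created:
            # The account is only ever authenticated through the token, so it
            # gets no usable local password instead of a random one that a
            # password-reset flow could later replace.
            user.set_unusable_password()
            if email:
                user.email = email
            user.save()
        elif email and user.email != email:
            # The email has changed, do an update.
            user.email = email
            user.save()

        # Load the user's GWELLS profile, creating it on first login.
        try:
            profile, _profile_created = Profile.objects.get_or_create(
                user=user.id)
        except Exception as exc:
            raise exceptions.AuthenticationFailed(
                'Failed to create user profile') from exc

        # Display name comes from the token; fall back to the preferred username.
        name = payload.get('name') or payload.get('preferred_username')
        if profile.name != name:
            profile.name = name
            profile.save()

        # Roles drive group membership and therefore permissions, so a token
        # without a well-formed role list is rejected instead of handing
        # None to roles_to_groups.
        try:
            roles = payload.get('realm_access').get('roles')
        except Exception as exc:
            raise exceptions.AuthenticationFailed(
                'Failed to retrieve roles') from exc
        if not isinstance(roles, (list, tuple)):
            raise exceptions.AuthenticationFailed('Failed to retrieve roles')

        # Put the user in groups based on role.
        roles_to_groups(user, roles)

        return user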
コード例 #10
ファイル: tests.py プロジェクト: ashleydhillon/gwells
 def setUp(self):
     """Create the wells submission group and log in a user with that role.

     The test client is authenticated with force_authenticate, so no token
     is parsed or validated in these tests.
     """
     granted_roles = [WELLS_SUBMISSION_ROLE]
     for role_name in granted_roles:
         Group(name=role_name).save()
     submitter, _ = User.objects.get_or_create(username='******')
     # NOTE(review): only the user row is saved below; confirm the profile
     # change is persisted elsewhere (e.g. by a signal handler).
     submitter.profile.username = submitter.username
     submitter.save()
     roles_to_groups(submitter, granted_roles)
     self.client.force_authenticate(submitter)
コード例 #11
ファイル: tests.py プロジェクト: MaxWardle/gwells
    def test_create_person_wrong_role(self):
        """A user holding only the registries viewer role gets 403 on person creation.

        This is the negative authorization case: the request is authenticated
        (forced on the client) but the role does not permit the POST.
        """
        viewer, is_new = User.objects.get_or_create(username='******')
        if is_new:
            Profile.objects.get_or_create(user=viewer)

        roles_to_groups(viewer, [REGISTRIES_VIEWER_ROLE])
        self.client.force_authenticate(user=viewer)

        response = self.client.post(
            reverse('person-list', kwargs={'version': 'v1'}),
            {'first_name': 'Bobby', 'surname': 'Driller'},
            format='json')

        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
コード例 #12
ファイル: tests.py プロジェクト: malicious-hacker/gwells
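    def test_groups_created(self):
        """Check that roles_to_groups puts the user into a group for every role given."""
        roles = [ADMIN_ROLE, REGISTRIES_AUTHORITY_ROLE,
                 REGISTRIES_ADJUDICATOR_ROLE, REGISTRIES_VIEWER_ROLE]
        roles_to_groups(self.test_user, roles)

        # assertTrue replaces assertEquals(..., True); assertEquals is a
        # deprecated alias that was removed from unittest in Python 3.12.
        for role in roles:
            self.assertTrue(
                self.test_user.groups.filter(name=role).exists())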
コード例 #13
    def setUp(self):
        """Log in self.user as staff with the adjudicator, authority and viewer roles.

        The profile is also flagged is_gwells_admin. Authentication is forced
        on the test client, so no token is presented.
        """
        staff_user, was_created = User.objects.get_or_create(username='******')
        self.user = staff_user
        if was_created:
            # A freshly created user gets a profile row before it is touched below.
            Profile.objects.get_or_create(user=staff_user)
        staff_user.is_staff = True
        staff_user.profile.is_gwells_admin = True
        staff_user.save()
        staff_user.profile.save()

        granted_roles = [
            REGISTRIES_ADJUDICATOR_ROLE, REGISTRIES_AUTHORITY_ROLE,
            REGISTRIES_VIEWER_ROLE
        ]
        roles_to_groups(staff_user, granted_roles)
        self.client.force_authenticate(staff_user)
コード例 #14
ファイル: tests.py プロジェクト: ashleydhillon/gwells
 def setUp(self):
     """Log in a user holding all four wells roles and load two code-table rows.

     Authentication is forced on the test client; no token is validated.
     """
     granted_roles = [
         WELLS_EDIT_ROLE, WELLS_VIEWER_ROLE, WELLS_SUBMISSION_ROLE,
         WELLS_SUBMISSION_VIEWER_ROLE
     ]
     for role_name in granted_roles:
         Group(name=role_name).save()
     account, _ = User.objects.get_or_create(username='******')
     # NOTE(review): only the user row is saved below; confirm the profile
     # change is persisted elsewhere (e.g. by a signal handler).
     account.profile.username = '******'
     account.save()
     self.user = account
     roles_to_groups(account, granted_roles)
     # These rows must already exist; .get() raises if they do not.
     self.casing_code_surface = CasingCode.objects.get(code='SURFACE')
     self.casing_material_code_other = CasingMaterialCode.objects.get(
         code='OTHER')
     self.client.force_authenticate(account)
コード例 #15
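    def authenticate_credentials(self, payload):
        """Map a decoded Keycloak JWT payload onto a local user, profile and groups.

        Args:
            payload: Decoded JWT claims (dict-like). Nothing here checks the
                signature or expiry; presumably the caller has already
                verified the token -- confirm.

        Returns:
            The user whose username equals the token's ``sub`` claim.

        Raises:
            exceptions.AuthenticationFailed: ``sub`` is missing,
                ``known_sso_authority`` rejects the payload, the user or
                profile cannot be loaded or created, or the token carries no
                ``realm_access.roles`` list.
        """
        User = get_user_model()
        # The Keycloak subject ID doubles as the local username.
        username = payload.get('sub')
        if username is None:
            raise exceptions.AuthenticationFailed(
                'JWT did not contain a "sub" attribute')

        # Make sure the preferred username contains either idir\ or bceid\
        # so we know that the user is coming from a known sso authority
        # (the helper is defined outside this block).
        if not self.known_sso_authority(payload):
            raise exceptions.AuthenticationFailed(
                'Preferred username is invalid.')

        # Claims copied onto the user / profile rows. Most are not strictly
        # needed, but they are useful in the tables for debugging purposes.
        payload_user_mapping = {
            'email': 'email',
            'family_name': 'last_name'
        }
        # NOTE(review): the '******' target looks masked in this listing; it
        # has to name the Profile attribute that stores the username (the
        # fallback further down reads profile.username) -- confirm.
        payload_profile_mapping = {
            'preferred_username': '******',
            'name': 'name'
        }
        # auth_time is stored as user.last_login. It is the last time the
        # user logged into sso, which may not coincide with the last time
        # the user logged into gwells.
        auth_time = payload.get('auth_time')
        if auth_time:
            auth_time = datetime.fromtimestamp(auth_time, tz=timezone.utc)

        # `except Exception` (not a bare `except`) so KeyboardInterrupt and
        # SystemExit are not reported as authentication failures; the cause
        # is chained for the server-side log.
        try:
            user, user_created = User.objects.get_or_create(username=username)
        except Exception as exc:
            raise exceptions.AuthenticationFailed(
                'Failed to retrieve or create user') from exc

        user_dirty = user_created
        if user_created:
            # The account is only ever authenticated through the token, so it
            # gets no usable local password instead of a random one that a
            # password-reset flow could later replace.
            user.set_unusable_password()

        # If one of these attributes has changed - do an update.
        for source, target in payload_user_mapping.items():
            value = payload.get(source)
            if value and value != getattr(user, target):
                user_dirty = True
                setattr(user, target, value)
        if auth_time and user.last_login != auth_time:
            user_dirty = True
            user.last_login = auth_time
        if user_dirty:
            user.save()

        # Load the user's GWELLS profile, creating it on first login.
        try:
            profile, profile_created = Profile.objects.get_or_create(
                user=user.id)
        except Exception as exc:
            raise exceptions.AuthenticationFailed(
                'Failed to create user profile') from exc

        profile_dirty = profile_created
        for source, target in payload_profile_mapping.items():
            value = payload.get(source)
            if value and source == 'preferred_username':
                # Uppercase to match existing data. Done before the
                # comparison so an unchanged username does not trigger a
                # profile write on every request.
                value = value.upper()
            if value and value != getattr(profile, target):
                profile_dirty = True
                setattr(profile, target, value)
        if not profile.name and profile.username:
            # When the name of the user isn't available, fall back to the username.
            profile.name = profile.username
            profile_dirty = True
        if profile_dirty:
            profile.save()

        # Roles drive group membership and therefore permissions, so a token
        # without a well-formed role list is rejected instead of handing
        # None to roles_to_groups.
        try:
            roles = payload.get('realm_access').get('roles')
        except Exception as exc:
            raise exceptions.AuthenticationFailed(
                'Failed to retrieve roles') from exc
        if not isinstance(roles, (list, tuple)):
            raise exceptions.AuthenticationFailed('Failed to retrieve roles')

        # Put user in groups based on role.
        roles_to_groups(user, roles)

        return user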
コード例 #16
 def setUp(self):
     """Log in a test user who holds only the wells edit role.

     Authentication is forced on the test client, so no token is validated.
     """
     editor, _ = User.objects.get_or_create(username='******')
     granted_roles = [WELLS_EDIT_ROLE]
     roles_to_groups(editor, granted_roles)
     self.client.force_authenticate(editor)
コード例 #17
ファイル: tests.py プロジェクト: sjrumsby/gwells
 def setUp(self):
     """Log in a user with the aquifers edit role and create aquifer 1 as a fixture.

     Authentication is forced on the test client; no token is presented.
     """
     editor, _ = User.objects.get_or_create(username='******')
     granted_roles = [AQUIFERS_EDIT_ROLE]
     roles_to_groups(editor, granted_roles)
     self.client.force_authenticate(editor)
     # Record the tests operate on.
     Aquifer(aquifer_id=1).save()
コード例 #18
ファイル: tests.py プロジェクト: ashleydhillon/gwells
 def setUp(self):
     """Log in a test user who is synced with an empty role list.

     This is the authenticated-but-unprivileged baseline: the request has a
     user (forced on the client) and roles_to_groups is given no roles.
     """
     unprivileged, _ = User.objects.get_or_create(username='******')
     no_roles = []
     roles_to_groups(unprivileged, no_roles)
     self.client.force_authenticate(unprivileged)