def test_authorize_with_invitation_existing_user(
id_token_generator, auth_req_generator, users_m, login_m, invitation_getter
):
# Attach an invitation that is associated to a user. That user should be
# logged in and associated to the remote.
id_token, claims = id_token_generator()
request = auth_req_generator(id_token, user=None)
user = User(username="******")
invitation_getter.return_value = models.Invitation(
slug="foo", user=user, created_at=timezone.now(), email=claims["email"]
)
request.session[views.INVITATION_KEY] = "foo"
response = views.authorize(request)
assert response.status_code == 302 # 302 redirect to success url: all checks passed
assert response.url == "http://testserver/success"
# check if the invitation was looked up
invitation_getter.assert_called_with(slug="foo")
# check if create_remote_user was called
users_m.create_remote_user.assert_called_with(user, claims)
# check if login was called
login_m.assert_called_with(request, user)
assert user.backend == "nens_auth_client.backends.RemoteUserBackend"
# check if update_user was called
users_m.update_user.assert_called_with(user, claims)
args, kwargs = users_m.update_remote_user.call_args
assert args[0] == claims
assert args[1].keys() == {"id_token"}
def test_authorize_with_invitation_email_unverified(
id_token_generator, auth_req_generator, users_m, login_m, invitation_getter
):
# It does not matter whether email is verified for checking invite email
id_token, claims = id_token_generator()
claims["email_verified"] = False
request = auth_req_generator(id_token, user=None)
request.session[views.INVITATION_KEY] = "foo"
invitation_getter.return_value = models.Invitation(
created_at=timezone.now(), email=claims["email"]
)
response = views.authorize(request)
assert response.status_code == 302
assert response.url == "http://testserver/success"
def test_authorize_with_expired_invitation(
id_token_generator, auth_req_generator, users_m, login_m, invitation_getter
):
id_token, claims = id_token_generator()
request = auth_req_generator(id_token, user=None)
request.session[views.INVITATION_KEY] = "foo"
invitation_getter.return_value = models.Invitation(
created_at=timezone.now() - timedelta(days=14)
)
with pytest.raises(PermissionDenied, match=".*has expired.*"):
views.authorize(request)
invitation_getter.assert_called_with(slug="foo")
assert not login_m.called
assert not users_m.create_user.called
assert not users_m.create_remote_user.called
assert not users_m.update_user.called
def test_authorize_with_nonacceptable_invitation(
id_token_generator, auth_req_generator, users_m, login_m, invitation_getter
):
id_token, claims = id_token_generator()
request = auth_req_generator(id_token, user=None)
request.session[views.INVITATION_KEY] = "foo"
invitation_getter.return_value = models.Invitation(
status=models.Invitation.ACCEPTED
)
with pytest.raises(PermissionDenied, match=".*has been used already.*"):
views.authorize(request)
invitation_getter.assert_called_with(slug="foo")
assert not login_m.called
assert not users_m.create_user.called
assert not users_m.create_remote_user.called
assert not users_m.update_user.called
def test_authorize_with_mismatching_invitation(
id_token_generator, auth_req_generator, users_m, login_m, invitation_getter
):
id_token, claims = id_token_generator()
request = auth_req_generator(id_token, user=None)
request.session[views.INVITATION_KEY] = "foo"
invitation_getter.return_value = models.Invitation(
created_at=timezone.now(), email="*****@*****.**"
)
with pytest.raises(
PermissionDenied,
match=".*intended for a user with email '*****@*****.**'.*"
):
views.authorize(request)
invitation_getter.assert_called_with(slug="foo")
assert not login_m.called
assert not users_m.create_user.called
assert not users_m.create_remote_user.called
assert not users_m.update_user.called