예제 #1
def test_user_conflict(dcos_api_session: DcosApiSession) -> None:
    """Create the same uid twice: the first PUT expects 201, the second 409."""
    user_url = '/acs/api/v1/users/[email protected]'

    # The body is empty in both requests; the conflict is expected because
    # the uid already exists, not because of the body.
    first_put = dcos_api_session.put(user_url, json={})
    assert first_put.status_code == 201, first_put.text

    second_put = dcos_api_session.put(user_url, json={})
    assert second_put.status_code == 409, second_put.text
예제 #2
def test_legacy_user_creation_with_empty_json_doc(
        dcos_api_session: DcosApiSession) -> None:
    """Check the legacy empty-body user creation path kept for old clients.

    An email-shaped uid with an empty JSON body is expected to be accepted
    and stored as a remote OIDC user. A uid that is not email-shaped is
    expected to be rejected with a 400 when sent with the same empty body.
    """
    email_user_url = '/acs/api/v1/users/[email protected]'

    # Clients written against dcos-oauth (e.g. the web UI up to DC/OS 1.12)
    # may PUT a uid that looks like an email address together with a JSON
    # document that has neither `public_key` nor `password` (the properties
    # that would indicate a local user), or that is empty. Those clients
    # expect the result to be a remote user that logs in with the legacy
    # OIDC ID Token method via the 'https://dcos.auth0.com/' provider.
    # Bouncer keeps this behavior for backwards compatibility, so a user
    # created this way has no local credential and is bound to that
    # external identity provider.
    created = dcos_api_session.put(email_user_url, json={})
    assert created.status_code == 201, created.text

    # Unlike dcos-oauth, Bouncer records the provider on the created user.
    fetched = dcos_api_session.get(email_user_url)
    user = fetched.json()
    assert user['provider_type'] == 'oidc'
    assert user['provider_id'] == 'https://dcos.auth0.com/'
    assert user['is_remote'] is True

    # For a uid that does not look like an email address the legacy path is
    # not taken: the empty (meaningless) body produces an explicit error.
    rejected = dcos_api_session.put('/acs/api/v1/users/user1', json={})
    assert rejected.status_code == 400
    assert 'One of `password` or `public_key` must be provided' in rejected.text
예제 #3
def test_user_put_email_uid_and_description(
        dcos_api_session: DcosApiSession) -> None:
    """PUT an email-shaped uid with only a `description` and list the users."""
    payload = {'description': 'integration test user'}
    created = dcos_api_session.put(
        '/acs/api/v1/users/[email protected]', json=payload)
    assert created.status_code == 201, created.text

    # NOTE(review): the uid literals in this listing look masked; presumably
    # the PUT path and the membership check use the same address -- confirm
    # against the upstream file.
    known_users = get_users(dcos_api_session)
    assert len(known_users) > 1
    assert '*****@*****.**' in known_users
예제 #4
def test_user_delete(dcos_api_session: DcosApiSession) -> None:
    """Create a user, delete it (expects 204) and check the user listing."""
    user_url = '/acs/api/v1/users/[email protected]'

    created = dcos_api_session.put(user_url, json={})
    created.raise_for_status()
    assert created.status_code == 201

    deleted = dcos_api_session.delete(user_url)
    deleted.raise_for_status()
    assert deleted.status_code == 204

    # NOTE(review): the uid literals in this listing look masked; presumably
    # the address checked below is the one created above -- confirm against
    # the upstream file.
    remaining_users = get_users(dcos_api_session)
    assert '*****@*****.**' not in remaining_users
예제 #5
def test_user_put_with_legacy_body(dcos_api_session: DcosApiSession) -> None:
    """PUT a user with the legacy `creator_uid`/`cluster_url` body: expects 201."""
    # The UI up to DC/OS 1.12 includes `creator_uid` and `cluster_url` in the
    # request even though dcos-oauth does not use them. Bouncer accepts both
    # properties for legacy reasons only. Note(JP): follow-up task -- stop the
    # UI from sending them, then drop them from Bouncer's UserCreate JSON
    # schema again, ideally within the 1.13 development cycle.
    legacy_body = {
        'creator_uid': '*****@*****.**',
        'cluster_url': 'foobar'
    }
    created = dcos_api_session.put(
        '/acs/api/v1/users/[email protected]', json=legacy_body)
    assert created.status_code == 201, created.text
예제 #6
def test_user_put_no_email_uid_empty_body(
        dcos_api_session: DcosApiSession) -> None:
    """PUT a non-email uid without any request body: expects a 400.

    Mainly documents a subtle API difference between dcos-oauth (legacy)
    and Bouncer.
    """
    # No `json=` argument: the request is sent without a JSON document.
    bodyless_put = dcos_api_session.put('/acs/api/v1/users/user1')

    # Historical dcos-oauth behavior, kept for reference only:
    #   status 500 with 'invalid email' in the response text.

    # Bouncer treats non-email uids as valid, so the request is rejected
    # because of the missing request body instead.
    assert bodyless_put.status_code == 400
    expected_error = 'Request has bad Content-Type or lacks JSON data'
    assert expected_error in bodyless_put.text
예제 #7
def test_user_put_requires_authentication(
        noauth_api_session: DcosApiSession) -> None:
    """User creation through the `noauth_api_session` fixture expects 401."""
    # Access-control check: the PUT goes through the session fixture named
    # `noauth_api_session` and must be refused rather than create the user.
    unauthenticated_put = noauth_api_session.put(
        '/acs/api/v1/users/[email protected]', json={})
    assert unauthenticated_put.status_code == 401, unauthenticated_put.text