def test_callback_requests_sso_profile_valid_email(get_sso_user_profile, get_access_token):
    """
    Grant admin access when the SSO profile email matches an active staff adviser.

    Happy path of the OAuth2 callback: the ``state`` query parameter equals the
    value kept in the session (so the view's state check passes), the mocked
    token exchange succeeds, and the mocked SSO profile carries an email that
    maps to an adviser with both ``is_staff`` and ``is_active`` set.  The view
    must then log that adviser in and redirect to the admin index.

    NOTE(review): a test with this same name appears later in this listing; if
    both live in one module, pytest collects only the last definition.
    """
    state = token_urlsafe(settings.ADMIN_OAUTH2_TOKEN_BYTE_LENGTH)
    get_access_token.return_value = {'access_token': 'access-token', 'expires_in': 3600}
    get_sso_user_profile.return_value = {'email': 'some@email'}
    adviser = AdviserFactory(email='some@email', is_staff=True, is_active=True)

    req = get_request_with_session(f'/oauth/callback/?state={state}&code=code')
    req.session['oauth.state'] = state

    resp = callback(req)

    assert resp.status_code == status.HTTP_302_FOUND
    assert resp.url == reverse('admin:index')
    assert req.user.is_authenticated
    assert req.user == adviser
def test_callback_requests_sso_profile_valid_non_staff_user_by_email(
    get_sso_user_profile,
    get_access_token,
    flags,
    caplog,
):
    """
    Refuse access when the email matches but the adviser lacks a required flag.

    The ``flags`` fixture supplies ``is_staff`` / ``is_active`` combinations in
    which at least one flag is unset.  Even though the SSO email matches an
    existing adviser, the callback must answer 403, leave the request
    unauthenticated, and log exactly one failure record saying the user was not
    found -- the view does not distinguish "no such user" from "user not
    permitted" in what it logs.
    """
    AdviserFactory(email='some@email', **flags)
    get_access_token.return_value = {'access_token': 'access-token'}
    get_sso_user_profile.return_value = {'email': 'some@email'}

    req = get_request_with_session('/oauth/callback/?state=original&code=code')
    req.session['oauth.state'] = 'original'

    resp = callback(req)
    resp.render()
    body = str(resp.content)

    assert resp.status_code == status.HTTP_403_FORBIDDEN
    assert 'Forbidden.' in body
    assert not req.user.is_authenticated

    # Exactly one log record, and it carries the generic failure message.
    assert len(caplog.records) == 1
    assert 'Django Admin OAuth2 authentication failed: User not found.' in caplog.text
def test_callback_without_state():
    """
    Restart the login flow when the callback arrives with no ``state`` parameter.

    Without a ``state`` value there is nothing to compare against the session,
    so the view redirects (302) to the absolute admin login URL rather than
    attempting the token exchange.
    """
    req = get_request_with_session('/oauth/callback')

    resp = callback(req)

    expected_login = req.build_absolute_uri(reverse('admin:login'))
    assert resp.status_code == status.HTTP_302_FOUND
    assert resp.url == expected_login
def test_callback_without_state_includes_next_url():
    """
    Preserve the ``next`` parameter when a state-less callback restarts login.

    The redirect back to the login page must still carry the originally
    requested destination so the user lands there after authenticating.
    ``extract_next_url_from_url`` pulls that value out of the redirect target.
    """
    req = get_request_with_session('/oauth/callback/?next=/protected-area')

    resp = callback(req)

    assert resp.status_code == status.HTTP_302_FOUND
    assert extract_next_url_from_url(resp.url) == '/protected-area'
def test_callback_without_access_code():
    """
    Return a 403 error page when the callback carries a valid state but no ``code``.

    The ``state`` matches the session value, so the failure is attributable
    solely to the missing authorization code; the rendered body must say
    "Forbidden." and the request must remain unauthenticated.
    """
    req = get_request_with_session('/oauth/callback/?state=original')
    req.session['oauth.state'] = 'original'

    resp = callback(req)

    assert resp.status_code == status.HTTP_403_FORBIDDEN
    resp.render()
    body = str(resp.content)
    assert 'Forbidden.' in body
    assert not req.user.is_authenticated
def test_callback_with_state_mismatch():
    """
    Return a 403 error page when the ``state`` query value differs from the session's.

    This is the check that binds the callback to the browser session that
    started the flow: a callback whose ``state`` does not match must be rejected
    with a "State mismatch." body and must not authenticate the request.

    NOTE(review): a test with this same name appears later in this listing; if
    both live in one module, pytest collects only the last definition.
    """
    req = get_request_with_session('/oauth/callback/?state=wrong-one')
    req.session['oauth.state'] = 'original'

    resp = callback(req)

    assert resp.status_code == status.HTTP_403_FORBIDDEN
    resp.render()
    body = str(resp.content)
    assert 'State mismatch.' in body
    assert not req.user.is_authenticated
def test_callback_with_state_mismatch():
    """
    Return a 403 error page when the ``state`` query value differs from the session's.

    The session holds a freshly generated random token while the query string
    carries an unrelated value, so the view's state check must fail: the body
    says "State mismatch." and the request stays unauthenticated.

    NOTE(review): a test with this same name appears earlier in this listing;
    if both live in one module, pytest collects only this (last) definition.
    """
    session_state = token_urlsafe(settings.ADMIN_OAUTH2_TOKEN_BYTE_LENGTH)

    req = get_request_with_session('/oauth/callback/?state=wrong-one')
    req.session['oauth.state'] = session_state

    resp = callback(req)

    assert resp.status_code == status.HTTP_403_FORBIDDEN
    resp.render()
    body = str(resp.content)
    assert 'State mismatch.' in body
    assert not req.user.is_authenticated
def test_callback_requests_sso_profile_no_user(get_sso_user_profile, get_access_token):
    """
    Refuse access when the SSO profile email matches no adviser at all.

    The token exchange and profile lookup are mocked to succeed, but no adviser
    with the returned email exists, so the view must answer 403 with a
    "Forbidden." body and leave the request unauthenticated.

    NOTE(review): a test with this same name appears later in this listing; if
    both live in one module, pytest collects only the last definition.
    """
    get_sso_user_profile.return_value = {'email': 'some@email'}
    get_access_token.return_value = {'access_token': 'access-token', 'expires_in': 3600}

    req = get_request_with_session('/oauth/callback/?state=original&code=code')
    req.session['oauth.state'] = 'original'

    resp = callback(req)

    assert resp.status_code == status.HTTP_403_FORBIDDEN
    resp.render()
    body = str(resp.content)
    assert 'Forbidden.' in body
    assert not req.user.is_authenticated
def test_callback_validates_next_url(get_sso_user_profile, get_access_token, dangerous_redirect):
    """
    Fall back to the admin index when ``next`` is not a safe redirect target.

    The ``dangerous_redirect`` fixture presumably supplies a ``next`` value the
    view must not honour (an off-site or otherwise unsafe URL -- confirm against
    the fixture).  Login itself succeeds (matching state, active staff adviser),
    but the redirect must go to ``admin:index`` rather than to the supplied
    value, which is what stops the callback acting as an open redirect.
    """
    state = 'd20141b7-2dcf-445f-9875-e3e6a2d610a4'
    get_access_token.return_value = {'access_token': 'access-token', 'expires_in': 3600}
    get_sso_user_profile.return_value = {'email': 'some@email'}
    AdviserFactory(email='some@email', is_staff=True, is_active=True)

    callback_url = f'/oauth/callback/?next={dangerous_redirect}&state={state}&code=code'
    req = get_request_with_session(callback_url)
    req.session['oauth.state'] = state

    resp = callback(req)

    assert resp.status_code == status.HTTP_302_FOUND
    # The unsafe ``next`` is discarded; the user lands on the admin index.
    assert resp.url == reverse('admin:index')
def test_callback_requests_sso_profile_valid_email(get_sso_user_profile, get_access_token):
    """
    Grant admin access when the SSO profile email matches an active staff adviser.

    This variant also registers the state server-side via ``store_oauth2_state``
    (with an empty payload and a 3600-second lifetime) in addition to placing it
    in the session.  With a matching ``state``, a successful mocked token
    exchange and a profile email that maps to an active staff adviser, the view
    must log that adviser in and redirect to the admin index.

    NOTE(review): a test with this same name appears earlier in this listing;
    if both live in one module, pytest collects only this (last) definition.
    """
    state = 'd20141b7-2dcf-445f-9875-e3e6a2d610a4'
    get_access_token.return_value = {'access_token': 'access-token', 'expires_in': 3600}
    get_sso_user_profile.return_value = {'email': 'some@email'}
    adviser = AdviserFactory(email='some@email', is_staff=True, is_active=True)
    store_oauth2_state(state, {}, 3600)

    req = get_request_with_session(f'/oauth/callback/?state={state}&code=code')
    req.session['oauth.state'] = state

    resp = callback(req)

    assert resp.status_code == status.HTTP_302_FOUND
    assert resp.url == reverse('admin:index')
    assert req.user.is_authenticated
    assert req.user == adviser
def test_callback_redirects_to_next_url(get_sso_user_profile, get_access_token):
    """
    Redirect a successfully authenticated user to a safe relative ``next`` URL.

    With a matching ``state``, a successful mocked token exchange and an active
    staff adviser, the callback must honour the site-relative ``next`` value
    (``/some-location``) instead of sending the user to the admin index.
    """
    state = token_urlsafe(settings.ADMIN_OAUTH2_TOKEN_BYTE_LENGTH)
    get_access_token.return_value = {'access_token': 'access-token', 'expires_in': 3600}
    get_sso_user_profile.return_value = {'email': 'some@email'}
    AdviserFactory(email='some@email', is_staff=True, is_active=True)

    callback_url = f'/oauth/callback/?next=/some-location&state={state}&code=code'
    req = get_request_with_session(callback_url)
    req.session['oauth.state'] = state

    resp = callback(req)

    assert resp.status_code == status.HTTP_302_FOUND
    assert resp.url == '/some-location'
def test_callback_requests_sso_profile_no_user(get_sso_user_profile, get_access_token):
    """
    Refuse access when the SSO profile email matches no adviser at all.

    Uses a freshly generated random ``state`` that is mirrored into the session
    so the state check passes; the token exchange and profile lookup are mocked
    to succeed, but no adviser with the returned email exists.  The view must
    answer 403 with a "Forbidden." body and leave the request unauthenticated.

    NOTE(review): a test with this same name appears earlier in this listing;
    if both live in one module, pytest collects only this (last) definition.
    """
    state = token_urlsafe(settings.ADMIN_OAUTH2_TOKEN_BYTE_LENGTH)
    get_sso_user_profile.return_value = {'email': 'some@email'}
    get_access_token.return_value = {'access_token': 'access-token', 'expires_in': 3600}

    req = get_request_with_session(f'/oauth/callback/?state={state}&code=code')
    req.session['oauth.state'] = state

    resp = callback(req)

    assert resp.status_code == status.HTTP_403_FORBIDDEN
    resp.render()
    body = str(resp.content)
    assert 'Forbidden.' in body
    assert not req.user.is_authenticated