def setUp(self): super().setUp() User = get_user_model() self.admin = User(**admin_data) self.admin.save() self.admin_group = PortalGroup(name=self.admin_group_name, can_admin=True) self.admin_group.save() self.admin_group.members.add(self.admin) self.admin_group.save()
def test_subauth_view(self): group1 = PortalGroup() group1.save() self.admin.portal_groups.add(group1) app1 = WebApplication(name="app1", can_subauth=True) app1.save() response = self.client.get('/subauthreq/{}/'.format(app1.pk)) self.assertEqual(response.status_code, 401)
def test_forward_relation_change(self): """ Test the case that a user get her groups changed, not the other way around. """ admin_group = PortalGroup(name="Admins", can_admin=True) admin_group.save() self.assertEqual(admin_group.members.count(), 0) self.assertEqual(self.second_user.is_staff, False) self.second_user.portal_groups.add(admin_group) self.second_user.save() self.assertEqual(admin_group.members.count(), 1) self.assertEqual(self.second_user.is_staff, True)
def test_forward_relation_change(second_user): """ Test the case that a user get her groups changed, not the other way around. """ admin_group = PortalGroup(name="Admins", can_admin=True) admin_group.save() assert admin_group.members.count() == 0 assert second_user.is_staff is False second_user.portal_groups.add(admin_group) second_user.save() assert admin_group.members.count() == 1 assert second_user.is_staff is True
def test_admin_attrib_modification_with_members(second_user): future_admin_group = PortalGroup(name="Admins", can_admin=False) future_admin_group.save() future_admin_group.members.add(second_user) second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is False future_admin_group.can_admin = True future_admin_group.save() second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is True future_admin_group.can_admin = False future_admin_group.save() second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is False
class AdminLoggedOutTestCase(BaseTestCase): ''' An administrator is logged out and part of an auto-admin group. Web applications and subauth's are not enabled. ''' def setUp(self): super().setUp() User = get_user_model() self.admin = User(**admin_data) self.admin.save() self.admin_group = PortalGroup(name=self.admin_group_name, can_admin=True) self.admin_group.save() self.admin_group.members.add(self.admin) self.admin_group.save()
def test_dont_touch_superuser(second_user): """ The can_admin signal handler magic should not be applied to superusers, otherwise they may loose the backend access when not be a member of an admin group. """ second_user.is_superuser = True second_user.is_staff = True second_user.username = "******" second_user.save() assert second_user.is_superuser is True assert second_user.is_staff is True non_admin_group = PortalGroup( name="NonAdmins", can_admin=False) non_admin_group.save() second_user.portal_groups.add(non_admin_group) second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_superuser is True assert second_user.is_staff is True
def test_user(api_client, admin_user_with_k8s_system): webapp1 = WebApplication(name="webapp1", link_show=True) webapp1.save() group1 = PortalGroup(name="group1") group1.save() group1.can_web_applications.add(webapp1) group1.save() admin_user_with_k8s_system.portal_groups.add(group1) user_attr_expected = [ 'firstname', 'name', 'username', 'user_id', 'primary_email', 'all_emails', 'admin', 'serviceaccount_urls', 'k8s_token', 'webapp_urls', 'group_urls' ] response = api_client.get( f'/api/{settings.API_VERSION}/users/{admin_user_with_k8s_system.pk}/') assert response.status_code == 200 data = response.json() assert True is data['admin'] for key in user_attr_expected: assert key in data assert len(data["group_urls"]) > 0 # all users group, at least assert len(data["serviceaccount_urls"]) > 0 assert data['all_emails'] == ['*****@*****.**'] assert data['serviceaccount_urls'][0].startswith("http://testserver") assert data['group_urls'][0].startswith("http://testserver")
def test_user_merge_access_approved(admin_index_request, django_user_model): run_minikube_sync() primary = django_user_model( username="******", email="*****@*****.**") primary.save() ns = KubernetesNamespace(name="default") ns.save() new_svc = KubernetesServiceAccount(name="foobar", namespace=ns) new_svc.save() secondary = django_user_model( username="******", state=User.ACCESS_APPROVED, email="*****@*****.**", comments="secondary user comment", service_account=new_svc) secondary.save() group1 = PortalGroup(name="testgroup1") group1.save() group2 = PortalGroup(name="testgroup2") group2.save() secondary.portal_groups.add(group1) secondary.portal_groups.add(group2) secondary.save() # Build full-fledged request object for logged-in admin # approve secondary for cluster access secondary.approve(admin_index_request, new_svc) # the merge method only accepts a queryset of users since that's what # the admin interface creates queryset_of_users = django_user_model.objects.filter( pk__in=[primary.id, secondary.id]) # merge both users. shouldn't return anything assert(not merge_users(UserAdmin, admin_index_request, queryset_of_users)) # the primary user has been altered but the old object is still in memory # we need to query for the updated user again primary = django_user_model.objects.get(pk=primary.id) # Does primary have all the values of secondary user? assert primary.comments == "secondary user comment" assert primary.portal_groups.filter(name=group1.name) assert primary.portal_groups.filter(name=group2.name) assert primary.has_access_approved
def test_subauth_caching(admin_user_with_k8s, admin_client, mocker): spy = mocker.spy(SubAuthRequestView, 'get') # Create new user group, add admin group1 = PortalGroup() group1.save() admin_user_with_k8s.portal_groups.add(group1) # Create new web application app1 = WebApplication(name="app1", can_subauth=True) app1.save() webapp = app1.pk # allow web application for group group1.can_web_applications.add(app1) # Second call should be answered from cache response = admin_client.get('/subauthreq/{}/'.format(webapp)) assert response.status_code == 200 response = admin_client.get('/subauthreq/{}/'.format(webapp)) assert response.status_code == 200 spy.assert_called_once()
def _create_group(self, name, member=None, app=None): group = PortalGroup(name=name) group.save() if member: group.members.add(member) if app: group.can_web_applications.add(app) group.save() return group
def create_group(member=None, app=None): group = PortalGroup(name="Test Group") group.save() if member: group.members.add(member) if app: group.can_web_applications.add(app) group.save() return group
def test_webapp_user_in_group(admin_client, admin_user): app1 = WebApplication(name="app1", link_show=True, link_name="app1", link_url="http://www.heise.de") app1.save() group = PortalGroup() group.save() admin_user.portal_groups.add(group) response = admin_client.get('/welcome/') # User is in group, but this group has the web app not enabled assert not contains(response, "http://www.heise.de") group.can_web_applications.add(app1) response = admin_client.get('/welcome/') # User is now in a group that has this web app enabled assert contains(response, "http://www.heise.de") assert 1 == str(response.content).count("http://www.heise.de") app1.link_show = False app1.save() response = admin_client.get('/welcome/') # User is now in a group that has this web app, but disabled assert not contains(response, "http://www.heise.de")
def test_webapp_user_in_multiple_groups(self): app1 = WebApplication(name="app1", link_show=True, link_name="app1", link_url="http://www.heise.de") app1.save() group1 = PortalGroup() group1.save() group1.can_web_applications.add(app1) group2 = PortalGroup() group2.save() group2.can_web_applications.add(app1) self.admin.portal_groups.add(group1) self.admin.portal_groups.add(group2) response = self.client.get('/welcome/') self.assertContains(response, "http://www.heise.de") self.assertEqual(1, str(response.content).count("http://www.heise.de"))
def test_admin_attrib_add_remove_user(second_user): # Create admin group admin_group = PortalGroup(name="Admins", can_admin=True) admin_group.save() # Non-member should not become admin second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is False # make member, should become admin admin_group.members.add(second_user) admin_group.save() second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is True # remove again from group, shopuld lose admin status admin_group.members.remove(second_user) admin_group.save() second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is False
def test_webapp_user_in_multiple_groups(admin_client, admin_user): app1 = WebApplication(name="app1", link_show=True, link_name="app1", link_url="http://www.heise.de") app1.save() group1 = PortalGroup() group1.save() group1.can_web_applications.add(app1) group2 = PortalGroup() group2.save() group2.can_web_applications.add(app1) admin_user.portal_groups.add(group1) admin_user.portal_groups.add(group2) response = admin_client.get('/welcome/') assert contains(response, "http://www.heise.de") assert 1 == str(response.content).count("http://www.heise.de")
def test_user_groups(self): group1 = PortalGroup(name="group1") group1.save() group2 = PortalGroup(name="group2") group2.save() self.admin.portal_groups.add(group1) self.admin.portal_groups.add(group2) response = self.get( f'/api/{API_VERSION}/users/{self.admin.pk}/groups/') self.assertEqual(response.status_code, 200) data = response.json() for entry in data: self.assertIn('name', entry.keys()) # Auto group "all users", Test case group "Admins", plus 2 extra self.assertEqual(4, len(data))
def test_permission_adjustment(second_user): assert second_user.user_permissions.all().count() == 0 # Create admin group admin_group = PortalGroup(name="Admins", can_admin=True) admin_group.save() # make member, should get all model permissions admin_group.members.add(second_user) admin_group.save() second_user.refresh_from_db() # catch changes from signal handlers perm_count = Permission.objects.count() assert second_user.user_permissions.all().count() == perm_count
def _prepare_subauth_test(self, user_in_group1, user_in_group2, app_in_group1, app_in_group2, app_enabled): group1 = PortalGroup() group1.save() if user_in_group1: self.admin.portal_groups.add(group1) group2 = PortalGroup() group2.save() if user_in_group2: self.admin.portal_groups.add(group2) app1 = WebApplication(name="app1", can_subauth=app_enabled) app1.save() if app_in_group1: group1.can_web_applications.add(app1) if app_in_group2: group2.can_web_applications.add(app1) return self.client.get('/subauthreq/{}/'.format(app1.pk))
def handle(self, *args, **option): try: Token.objects.count() except: print( "This is a fresh installation, not database exists. Skipping integrity check." ) exit(0) print("Checking for lost users in OIDC provider tokens ...") for token in Token.objects.all(): try: u = token.user except ObjectDoesNotExist: print( f"Missing referenced user for OIDC provider token {token}. Deleting the token object." ) token.delete() print("Checking for lost users in OIDC provider codes ...") for code in Code.objects.all(): try: u = code.user except ObjectDoesNotExist: print( f"Missing referenced user for OIDC provider code {code}. Deleting the code object." ) code.delete() print("Checking for lost users in OpenID consents ...") for consent in UserConsent.objects.all(): try: u = consent.user except ObjectDoesNotExist: print( f"Missing referenced user for OpenID consent {consent}. Deleting the consent object." ) consent.delete() print("Checking for lost users in portal groups ...") for group in PortalGroup.objects.all(): for entry in group.members.through.objects.all(): try: u = entry.user except ObjectDoesNotExist: print( f"Missing referenced user for group / user relation {entry}. Deleting the relation object." ) entry.delete() print("Deleting obsolete social auth tables ...") with connection.cursor() as cursor: for table in [ "social_auth_usersocialauth", "social_auth_partial", "social_auth_nonce", "social_auth_code", "social_auth_association" ]: try: cursor.execute(f"drop table {table};") except: pass # table already gone print( "Checking for lost namespaces in Kubernetes service accounts ...") # The manager crashes on the normal "objects.all()" access, so we use the ID-based reference check here for entry in KubernetesServiceAccount.objects.values(): try: ns = KubernetesNamespace.objects.get(pk=entry['namespace_id']) except: print( f"Missing referenced namespace for service account {entry}. Deleting the service account object." ) broken_svca = KubernetesServiceAccount.objects.get( pk=entry['id']) broken_svca.delete() print("Check for default portal groups ...") has_admin_group = PortalGroup.objects.filter(can_admin=True).exists() if not has_admin_group: print("Creating missing default group 'Admin users") admin_group = PortalGroup(name="Admin users", can_admin=True) admin_group.save()
def test_group_non_member(self): group1 = PortalGroup(name="group1") group1.save() response = self.get(f'/api/{API_VERSION}/groups/{group1.pk}/') self.assertEqual(response.status_code, 403)
def test_group_non_member(api_client): group1 = PortalGroup(name="group1") group1.save() response = api_client.get( f'/api/{settings.API_VERSION}/groups/{group1.pk}/') assert response.status_code == 404
def test_approval_groups(admin_client, admin_user, client, second_user, mailoutbox, random_namespace_name): client.force_login(second_user) assert second_user.state == second_user.NEW response = client.post('/access/request/', {'selected-administrator': admin_user.username}) assertRedirects(response, '/config/') second_user.refresh_from_db() approval_url = f"/admin/kubeportal/user/{second_user.approval_id}/approve/" # We only check for non-special groups (all / K8s users) here, they are tested elsewhere group1 = PortalGroup(name="Group the user does not have, and gets") group1.save() group2 = PortalGroup(name="Group the user already has, and keeps") group2.save() second_user.portal_groups.add(group2) group3 = PortalGroup( name="Group the user does not have, and still don't get") group3.save() group4 = PortalGroup(name="Group the user already has, and looses") group4.save() second_user.portal_groups.add(group4) # Perform approval with new namespace as admin assert second_user.state == second_user.ACCESS_REQUESTED response = admin_client.post( approval_url, { 'choice': 'approve_create', 'approve_create_name': random_namespace_name, 'comments': '', 'portal_groups': [group1.pk, group2.pk] }) assertRedirects(response, '/admin/kubeportal/user/') second_user.refresh_from_db() assert second_user.k8s_namespaces()[0].name == random_namespace_name assert second_user.state == second_user.ACCESS_APPROVED assert group1 in list(second_user.portal_groups.all()) assert group2 in list(second_user.portal_groups.all()) assert group3 not in list(second_user.portal_groups.all()) assert group4 not in list(second_user.portal_groups.all()) assert second_user.answered_by != None
def test_model_methods(self): admin_group = PortalGroup(name="Admins", can_admin=True) admin_group.save() admin_group.members.add(self.second_user) self.assertEqual(admin_group.has_member(self.second_user), True)
def test_groups_denied(api_client_anon): group1 = PortalGroup(name="group1") group1.save() response = api_client_anon.get( f'/api/{settings.API_VERSION}/groups/{group1.pk}/') assert response.status_code == 401
def test_admin_attrib_multiple(second_user): # create two admin groups admin_group1 = PortalGroup(name="Admins1", can_admin=True) admin_group1.save() admin_group2 = PortalGroup(name="Admins2", can_admin=True) admin_group2.save() # add same person to both groups admin_group1.members.add(second_user) admin_group2.members.add(second_user) admin_group1.save() admin_group2.save() # person should be admin now second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is True # remove from first group, should still be admin admin_group1.members.remove(second_user) admin_group1.save() second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is True # remove from second group, should lose admin status admin_group2.members.remove(second_user) second_user.refresh_from_db() # catch changes from signal handlers assert second_user.is_staff is False
def test_model_methods(second_user): admin_group = PortalGroup(name="Admins", can_admin=True) admin_group.save() admin_group.members.add(second_user) assert admin_group.has_member(second_user) is True