def test_existing_superuser_is_deescalated_from_staff_group(
    rf, settings, django_user_model
):
    """
    A pre-existing staff user whose token no longer carries the staff group
    must end up with ``is_staff`` cleared after a refresh-token exchange.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "STAFF_GROUP", STAFF_GROUP
    )
    # Seed a user that is already staff so the de-escalation is observable.
    django_user_model._default_manager.create_user(
        username="******",
        email="*****@*****.**",
        is_staff=True,
    )
    config = Config()
    request = rf.get("/")
    add_session(request)

    # Both the token endpoint and the JWKS lookup are patched: no network
    # round-trip happens and real signature verification is not exercised here.
    endpoint_patch = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    )
    jwks_patch = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with endpoint_patch, jwks_patch:
        validator = TokenValidator(config, "defaultnonce", request)
        user, _tokens = validator.tokens_from_refresh_token("refresh")

    assert isinstance(user, django_user_model)
    assert user.is_staff is False
def test_existing_user_is_escalated_to_superuser_group(rf, settings, django_user_model):
    """
    A pre-existing ordinary user whose token places them in the configured
    superuser group must come back from the refresh-token exchange as a superuser.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )
    # Seed a plain (non-superuser) account so the escalation is observable.
    django_user_model._default_manager.create_user(
        username="******", email="*****@*****.**"
    )
    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are patched out; signature verification
    # against a real key set is not part of this test.
    endpoint_patch = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    )
    jwks_patch = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with endpoint_patch, jwks_patch:
        validator = TokenValidator(config, "defaultnonce", request)
        user, _tokens = validator.tokens_from_refresh_token("refresh")

    assert isinstance(user, django_user_model)
    assert user.is_superuser
def test_user_is_removed_from_groups(rf, settings, django_user_model):
    """
    With MANAGE_GROUPS enabled, a group membership that is absent from the
    token response must be dropped; only the token's groups remain.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)
    existing_user = django_user_model._default_manager.create_user(
        username="******", email="*****@*****.**"
    )
    # Pre-existing membership that the token response does not include.
    stale_group = Group.objects.create(name="test-group")
    existing_user.groups.add(stale_group)

    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are patched out (no network, no real
    # signature verification).
    endpoint_patch = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    )
    jwks_patch = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with endpoint_patch, jwks_patch:
        validator = TokenValidator(config, "defaultnonce", request)
        user, _tokens = validator.tokens_from_refresh_token("refresh")

    remaining = list(user.groups.all().values_list("name"))
    assert remaining == [("one",), ("two",)]
def test_middleware_allows_public_url(settings, rf):
    """
    A request to a URL listed in PUBLIC_NAMED_URLS must pass straight through
    the middleware to the wrapped view.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "PUBLIC_NAMED_URLS", ("named-url",)
    )
    request = rf.get("/named/")
    # An empty session stands in for an unauthenticated visitor.
    request.session = {}

    downstream = Mock(return_value=HttpResponse())
    middleware = OktaMiddleware(downstream)
    response = middleware(request)

    assert response.status_code == 200
def test_invalid_public_named_urls_are_ignored(settings):
    """
    A PUBLIC_NAMED_URLS entry that cannot be reversed must be skipped rather
    than raise, leaving only the built-in account URLs in ``public_urls``.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "PUBLIC_NAMED_URLS", ("not-a-valid-url",)
    )
    config = Config()

    expected_patterns = (
        "^/accounts/login/$",
        "^/accounts/logout/$",
        "^/accounts/oauth2/callback/$",
    )
    assert config.public_urls == [re.compile(p) for p in expected_patterns]
def test_public_named_urls_are_built(settings):
    """
    Each PUBLIC_NAMED_URLS entry is reversed into an anchored regex and placed
    ahead of the built-in account URLs in ``public_urls``.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "PUBLIC_NAMED_URLS", ("named-url",)
    )
    config = Config()

    expected_patterns = (
        "^/named/$",
        "^/accounts/login/$",
        "^/accounts/logout/$",
        "^/accounts/oauth2/callback/$",
    )
    assert config.public_urls == [re.compile(p) for p in expected_patterns]
def test_user_username_setting_returns_user_by_username_and_not_email(
    rf, settings, django_user_model
):
    """
    With USE_USERNAME enabled, the user produced by the auth-code exchange is
    identified by username, not by the email address from the token.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "USE_USERNAME", True)
    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are patched out; no real key set is fetched.
    endpoint_patch = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint", get_token_result
    )
    jwks_patch = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with endpoint_patch, jwks_patch:
        validator = TokenValidator(config, "defaultnonce", request)
        user, _tokens = validator.tokens_from_auth_code("authcode")

    assert isinstance(user, django_user_model)
    assert user.username == "fakemail"
    assert user.username != "*****@*****.**"
def test_groups_are_created_and_user_added(rf, settings, django_user_model):
    """
    With MANAGE_GROUPS enabled, the groups named in the token are created
    locally and the user is made a member of every one of them.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)
    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are patched out (no network, no real
    # signature verification).
    endpoint_patch = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    )
    jwks_patch = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with endpoint_patch, jwks_patch:
        validator = TokenValidator(config, "defaultnonce", request)
        user, _tokens = validator.tokens_from_refresh_token("refresh")

    all_groups = Group.objects.all()
    assert list(all_groups.values_list("name")) == [("one",), ("two",)]
    # The user must belong to exactly the groups that now exist.
    assert list(user.groups.all()) == list(Group.objects.all())
def test_created_user_if_part_of_superuser_group(rf, settings, django_user_model):
    """
    A user created from a token that carries the configured SUPERUSER_GROUP
    must be a superuser from the moment of creation.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )
    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are patched out; signature verification
    # against a real key set is not exercised here.
    endpoint_patch = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    )
    jwks_patch = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with endpoint_patch, jwks_patch:
        validator = TokenValidator(config, "defaultnonce", request)
        user, _tokens = validator.tokens_from_refresh_token("refresh")

    assert isinstance(user, django_user_model)
    assert user.is_superuser