示例#1
def test_existing_superuser_is_deescalated_from_staff_group(
    rf, settings, django_user_model
):
    """
    A user who already holds the staff flag should lose it on a token
    refresh once they are no longer in the configured staff group.

    NOTE(review): the test name says "superuser", but the privilege
    exercised and asserted here is ``is_staff``.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "STAFF_GROUP", STAFF_GROUP
    )

    # Seed an account that starts out with staff access.
    # NOTE(review): the de-escalation path is only exercised if the stubbed
    # token resolves to this same account; otherwise a freshly created user
    # would also satisfy the final assertion. Confirm the identifiers match.
    manager = django_user_model._default_manager
    manager.create_user(
        username="******",
        email="*****@*****.**",
        is_staff=True,
    )

    config = Config()
    request = rf.get("/")
    add_session(request)

    # The token endpoint call is replaced by a helper and _jwks is stubbed to
    # the fixed value "secret", so this test covers privilege synchronisation
    # only; it says nothing about verification against real signing keys.
    token_endpoint_stub = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    )
    jwks_stub = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with token_endpoint_stub, jwks_stub:
        validator = TokenValidator(config, "defaultnonce", request)
        refreshed_user, _tokens = validator.tokens_from_refresh_token("refresh")
        assert isinstance(refreshed_user, django_user_model)
        assert refreshed_user.is_staff is False
示例#2
def test_existing_user_is_escalated_to_superuser_group(rf, settings, django_user_model):
    """
    An account that already exists should gain the superuser flag on a
    token refresh once the token places it in the superuser group.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )

    # Seed an ordinary account; no elevated flags are passed to create_user.
    # NOTE(review): escalation of an *existing* user is only exercised if the
    # stubbed token resolves to this account. Confirm the identifiers match.
    manager = django_user_model._default_manager
    manager.create_user(username="******", email="*****@*****.**")

    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and _jwks are both stubbed, so the superuser grant below
    # is driven entirely by the helper's canned token response.
    token_endpoint_stub = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    )
    jwks_stub = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with token_endpoint_stub, jwks_stub:
        validator = TokenValidator(config, "defaultnonce", request)
        refreshed_user, _tokens = validator.tokens_from_refresh_token("refresh")
        assert isinstance(refreshed_user, django_user_model)
        assert refreshed_user.is_superuser
示例#3
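def test_user_is_removed_from_groups(rf, settings, django_user_model):
    """
    When MANAGE_GROUPS is true a user should be removed from a
    group if it's not included in the token response.

    The check is order-independent and names the stale group explicitly,
    so a failure points straight at a membership that was not revoked.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)

    existing_user = django_user_model._default_manager.create_user(
        username="******", email="*****@*****.**"
    )
    # Local membership that the stubbed token response does not carry.
    # NOTE(review): removal is only exercised if the stubbed token resolves
    # to this same account. Confirm the identifiers match.
    stale_group = Group.objects.create(name="test-group")
    existing_user.groups.add(stale_group)

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_refresh_token("refresh")

        # No order_by is applied to the queryset, so row order is left to the
        # database; sort before comparing to keep the test deterministic.
        group_names = sorted(user.groups.all().values_list("name", flat=True))
        assert "test-group" not in group_names
        assert group_names == ["one", "two"]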
示例#4
def test_token_validator_gets_token_from_refresh_token(rf, django_user_model):
    """
    Exchanging a refresh token should hand back both tokens and a user.
    """
    config = Config()
    request = rf.get("/")
    add_session(request)

    # Both the token endpoint call and _jwks are stubbed, so this checks the
    # shape of the result only, not validation against real signing keys.
    token_endpoint_stub = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint", get_token_result
    )
    jwks_stub = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with token_endpoint_stub, jwks_stub:
        validator = TokenValidator(config, "defaultnonce", request)
        refreshed_user, token_bundle = validator.tokens_from_refresh_token("refresh")
        assert "access_token" in token_bundle
        assert "id_token" in token_bundle
        assert isinstance(refreshed_user, django_user_model)
示例#5
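def test_groups_are_created_and_user_added(rf, settings, django_user_model):
    """
    If MANAGE_GROUPS is true the groups should be created and the user
    should be added to them.

    Comparisons are order-independent: neither queryset is explicitly
    ordered, so the test must not depend on the order rows come back in.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)

    c = Config()
    req = rf.get("/")
    add_session(req)

    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ), patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
        tv = TokenValidator(c, "defaultnonce", req)
        user, tokens = tv.tokens_from_refresh_token("refresh")

        # Exactly the groups named in the stubbed token response should exist.
        all_group_names = sorted(Group.objects.all().values_list("name", flat=True))
        assert all_group_names == ["one", "two"]

        # The user's memberships must cover every group and nothing else;
        # compare primary keys as sets so row order cannot affect the result.
        member_pks = set(user.groups.all().values_list("pk", flat=True))
        all_pks = set(Group.objects.all().values_list("pk", flat=True))
        assert member_pks == all_pks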
示例#6
def test_created_user_if_part_of_superuser_group(rf, settings, django_user_model):
    """
    A user created during the token exchange should be a superuser when
    the token places them in the superuser group named in settings.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )

    config = Config()
    request = rf.get("/")
    add_session(request)

    # No account is seeded beforehand, so the user returned below is whatever
    # the validator produces from the stubbed superuser token response.
    token_endpoint_stub = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    )
    jwks_stub = patch(
        "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")
    )
    with token_endpoint_stub, jwks_stub:
        validator = TokenValidator(config, "defaultnonce", request)
        created_user, _tokens = validator.tokens_from_refresh_token("refresh")
        assert isinstance(created_user, django_user_model)
        assert created_user.is_superuser