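def test_existing_superuser_is_deescalated_from_staff_group(
    rf, settings, django_user_model
):
    """
    An existing staff user who is not in the staff group loses ``is_staff``.

    Despite "superuser" in the test name, the flag exercised here is
    ``is_staff``: the account is created with ``is_staff=True`` and
    ``STAFF_GROUP`` is configured before the refresh-token flow runs.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "STAFF_GROUP", STAFF_GROUP
    )

    # Keep a handle on the pre-existing privileged account so the result of
    # the token flow can be tied back to it below.
    existing_user = django_user_model._default_manager.create_user(
        username="******",
        email="*****@*****.**",
        is_staff=True,
    )

    config = Config()
    request = rf.get("/")
    add_session(request)

    # The token endpoint and the JWKS lookup are both stubbed, so no network
    # call is made and the key material is the fixed value "secret".
    # NOTE(review): presumably the stubbed token's groups do not include
    # STAFF_GROUP -- confirm against get_normal_user_with_groups_token.
    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ):
        with patch(
            "okta_oauth2.tokens.TokenValidator._jwks",
            Mock(return_value="secret"),
        ):
            validator = TokenValidator(config, "defaultnonce", request)
            user, _tokens = validator.tokens_from_refresh_token("refresh")

    assert isinstance(user, django_user_model)
    # A de-escalation test must act on the account that held the privilege.
    # Without this check the test would also pass if the token resolved to a
    # freshly created user, which is non-staff by default.
    assert user.pk == existing_user.pk
    # NOTE(review): this inspects the returned object only; whether the
    # cleared flag is persisted is not asserted here.
    assert user.is_staff is False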
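def test_existing_user_is_escalated_to_superuser_group(rf, settings, django_user_model):
    """
    An existing user whose token places them in the superuser group is
    escalated to superuser.
    """
    settings.OKTA_AUTH = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )

    # Created without any privilege flags; kept so the escalated account can
    # be matched against it after the token flow.
    existing_user = django_user_model._default_manager.create_user(
        username="******", email="*****@*****.**"
    )

    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are stubbed; the key material is the
    # fixed value "secret".
    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    ):
        with patch(
            "okta_oauth2.tokens.TokenValidator._jwks",
            Mock(return_value="secret"),
        ):
            validator = TokenValidator(config, "defaultnonce", request)
            user, _tokens = validator.tokens_from_refresh_token("refresh")

    assert isinstance(user, django_user_model)
    # The docstring is about an *existing* user: make sure the privilege was
    # granted to that account and not to a newly created one, which is the
    # case covered by the created-user superuser test.
    assert user.pk == existing_user.pk
    assert user.is_superuser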
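def test_user_is_removed_from_groups(rf, settings, django_user_model):
    """
    With MANAGE_GROUPS enabled, a user is removed from any group that is not
    present in the token response.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)

    existing_user = django_user_model._default_manager.create_user(
        username="******", email="*****@*****.**"
    )
    # A local group the token does not carry; it must be gone afterwards.
    stale_group = Group.objects.create(name="test-group")
    existing_user.groups.add(stale_group)

    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are stubbed; the key material is the
    # fixed value "secret".
    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ):
        with patch(
            "okta_oauth2.tokens.TokenValidator._jwks",
            Mock(return_value="secret"),
        ):
            validator = TokenValidator(config, "defaultnonce", request)
            user, _tokens = validator.tokens_from_refresh_token("refresh")

    # Group removal only means something for the account that was in
    # "test-group"; a freshly created user would satisfy the membership
    # check below without anything having been removed.
    assert user.pk == existing_user.pk

    # The queryset has no explicit ordering, so compare sorted names rather
    # than relying on the order the database happens to return.
    group_names = sorted(user.groups.all().values_list("name", flat=True))
    assert group_names == ["one", "two"]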
def test_token_validator_gets_token_from_refresh_token(rf, django_user_model):
    """
    The refresh-token flow returns a user together with both tokens.
    """
    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are stubbed, so no network call is made
    # and the key material is the fixed value "secret".
    token_endpoint_stub = patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint", get_token_result
    )
    with token_endpoint_stub:
        with patch(
            "okta_oauth2.tokens.TokenValidator._jwks",
            Mock(return_value="secret"),
        ):
            validator = TokenValidator(config, "defaultnonce", request)
            result = validator.tokens_from_refresh_token("refresh")

    user, tokens = result
    for expected_key in ("access_token", "id_token"):
        assert expected_key in tokens
    assert isinstance(user, django_user_model)
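def test_groups_are_created_and_user_added(rf, settings, django_user_model):
    """
    With MANAGE_GROUPS enabled, the groups named in the token are created and
    the user is made a member of each of them.
    """
    settings.OKTA_AUTH = update_okta_settings(settings.OKTA_AUTH, "MANAGE_GROUPS", True)

    config = Config()
    request = rf.get("/")
    add_session(request)

    # Token endpoint and JWKS lookup are stubbed; the key material is the
    # fixed value "secret".
    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_normal_user_with_groups_token,
    ):
        with patch(
            "okta_oauth2.tokens.TokenValidator._jwks",
            Mock(return_value="secret"),
        ):
            validator = TokenValidator(config, "defaultnonce", request)
            user, _tokens = validator.tokens_from_refresh_token("refresh")

    # Neither queryset carries an explicit ordering, so the comparisons are
    # made order-insensitive instead of depending on database row order.
    created_names = sorted(Group.objects.all().values_list("name", flat=True))
    assert created_names == ["one", "two"]

    # Compare memberships by primary key: the user belongs to exactly the
    # groups that exist, no more and no fewer.
    member_pks = sorted(user.groups.all().values_list("pk", flat=True))
    all_pks = sorted(Group.objects.all().values_list("pk", flat=True))
    assert member_pks == all_pks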
def test_created_user_if_part_of_superuser_group(rf, settings, django_user_model):
    """
    A user created by the token flow is a superuser when the token places
    them in the superuser group configured in settings.
    """
    okta_settings = update_okta_settings(
        settings.OKTA_AUTH, "SUPERUSER_GROUP", SUPERUSER_GROUP
    )
    settings.OKTA_AUTH = okta_settings

    config = Config()
    request = rf.get("/")
    add_session(request)

    # No user is created beforehand in this test; the account comes from the
    # token flow itself. Token endpoint and JWKS lookup are stubbed, with the
    # key material fixed to "secret".
    with patch(
        "okta_oauth2.tokens.TokenValidator.call_token_endpoint",
        get_superuser_token_result,
    ):
        with patch(
            "okta_oauth2.tokens.TokenValidator._jwks",
            Mock(return_value="secret"),
        ):
            validator = TokenValidator(config, "defaultnonce", request)
            user, _tokens = validator.tokens_from_refresh_token("refresh")

    assert isinstance(user, django_user_model)
    assert user.is_superuser