def test_username_associated_with_different_email(app, db):
    """SSO login is refused with 403 when the username/email pairing conflicts.

    The conflicting identity is not built in this function; presumably the
    fixtures or patches applied elsewhere arrange it (confirm against the
    test module's setup).
    """
    with app.test_request_context('/login'):
        response = sso_auth()

        # The refusal must be an explicit Forbidden, not a redirect or 200.
        assert response.status_code == Forbidden.code

        body = response.data.decode()
        assert LOGIN_ERROR_USERNAME_ASSOCIATE_WITH_DIFFERENT_EMAIL in body

        # A rejected login must not leave a session behind.
        assert not current_user.is_authenticated
def test_impersonation_prevention(app, db):
    """SSO login is refused with 403 when the email maps to a different sub.

    Judging by the error constant, the case covered is an identity provider
    subject that does not match the one already tied to the email address;
    the scenario setup is outside this function (confirm against fixtures).
    """
    with app.test_request_context('/login'):
        response = sso_auth()

        assert response.status_code == Forbidden.code

        body = response.data.decode()
        assert LOGIN_ERROR_EMAIL_ASSOCIATED_WITH_DIFFERENT_SUB in body

        # The mismatching caller must stay anonymous.
        assert not current_user.is_authenticated
def test_token_authorization_fails(app, db):
    """A failed token authorization yields 400 and creates no account.

    The "foo bar error" text is expected in the response body; where that
    text is injected is not visible here (presumably a patched token call).
    """
    with app.test_request_context('/login'):
        response = sso_auth()

        assert response.status_code == BadRequest.code

        body = response.data.decode()
        assert "foo bar error" in body

        # No session and no provisioned user after a failed token exchange.
        assert not current_user.is_authenticated
        stored_users = User.query.all()
        assert not stored_users
def test_missing_group_from_token(app, db):
    """A login attempt without group information yields 400 and no account.

    The token contents are prepared outside this function (assumed to be a
    fixture or patch; confirm against the test module's setup).
    """
    with app.test_request_context('/login'):
        response = sso_auth()

        assert response.status_code == BadRequest.code

        body = response.data.decode()
        assert LOGIN_ERROR_MISSING_GROUPS_FROM_TOKEN in body

        # Authorization data was absent, so nothing may be provisioned.
        assert not current_user.is_authenticated
        stored_users = User.query.all()
        assert not stored_users
def test_permission_denied_lack_of_group(app, db):
    """A caller lacking a permitted group gets 403 and no account is created.

    Which groups count as permitted is decided outside this function;
    only the denial outcome is checked here.
    """
    with app.test_request_context('/login'):
        response = sso_auth()

        assert response.status_code == Forbidden.code

        body = response.data.decode()
        assert LOGIN_ERROR_PERMISSION_DENIED in body

        # Denied callers stay anonymous and leave the user table empty.
        assert not current_user.is_authenticated
        stored_users = User.query.all()
        assert not stored_users
def test_verified_email_requirement(app, db):
    """An unverified email address is rejected with 403 and no account.

    The unverified claim itself is supplied outside this function
    (presumably by a patched identity provider response; confirm).
    """
    with app.test_request_context('/login'):
        response = sso_auth()

        assert response.status_code == Forbidden.code

        body = response.data.decode()
        assert LOGIN_ERROR_EMAIL_ADDRESS_NOT_VERIFIED in body

        # An unverified address must neither log in nor be provisioned.
        assert not current_user.is_authenticated
        stored_users = User.query.all()
        assert not stored_users
def test_jit_provisioning(app, db):
    """A successful SSO login redirects and leaves a fully populated user.

    Checks the logged-in user's email, role, identity provider id, name and
    active flag against the module's expected constants. That the account
    is created on the fly is implied by the test name; the empty starting
    state is not asserted here.
    """
    with app.test_request_context('/login'):
        response = sso_auth()

        # Success is signalled by a redirect.
        assert response.status_code == 302

        assert current_user.is_authenticated

        # Each attribute of the session user must match the expected identity.
        assert current_user.email == DEFAULTEMAIL
        assert current_user.role == UserRole.administrator
        assert current_user.idp_id == TESTINGSUB
        assert current_user.name == TESTINGNAME
        assert current_user.active
def test_successful_authentication_and_role_email_update(app, db):
    """Logging in refreshes an existing user's email and role in place.

    Precondition: the first stored user has neither the updated email nor
    the administrator role. After sso_auth() the login redirects, the user
    table still holds exactly one row, and the session user carries the
    updated email and the administrator role.
    """
    # Guard the precondition so the later assertions prove a real change.
    existing_user = User.query.all()[0]
    assert existing_user.email != UPDATEDEMAIL
    assert existing_user.role != UserRole.administrator

    with app.test_request_context('/login'):
        response = sso_auth()
        assert response.status_code == 302

        # The update must reuse the existing row, not add a second account.
        user_count = len(User.query.all())
        assert user_count == 1

        assert current_user.is_authenticated
        assert current_user.email == UPDATEDEMAIL
        assert current_user.role == UserRole.administrator