nk20/apps/permission/tests/test_oauth2.py

# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

from datetime import timedelta

from django.contrib.auth.models import User
from django.test import TestCase
from django.urls import reverse
from django.utils import timezone
from django.utils.crypto import get_random_string
from member.models import Membership, Club
from note.models import NoteUser
from oauth2_provider.models import Application, AccessToken

from ..models import Role, Permission


class OAuth2TestCase(TestCase):
    fixtures = ('initial', )

    def setUp(self):
        self.user = User.objects.create(
            username="toto",
        )
        self.application = Application.objects.create(
            name="Test",
            client_type=Application.CLIENT_PUBLIC,
            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
            user=self.user,
        )

    def test_oauth2_access(self):
        """
        Create a simple OAuth2 access token that only has the right to see data of the current user
        and check that this token has required access, and nothing more.
        """

        bde = Club.objects.get(name="BDE")
        view_user_perm = Permission.objects.get(pk=1)  # View own user detail

        # Create access token that has access to our own user detail
        token = AccessToken.objects.create(
            user=self.user,
            application=self.application,
            scope=f"{view_user_perm.pk}_{bde.pk}",
            token=get_random_string(64),
            expires=timezone.now() + timedelta(days=365),
        )

        # No access without token
        resp = self.client.get(f'/api/user/{self.user.pk}/')
        self.assertEqual(resp.status_code, 403)

        # Valid token but user has no membership, so the query is not returning the user object
        resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})
        self.assertEqual(resp.status_code, 404)

        # Create membership to validate permissions
        NoteUser.objects.create(user=self.user)
        membership = Membership.objects.create(user=self.user, club_id=bde.pk)
        membership.roles.add(Role.objects.get(name="Adhérent BDE"))
        membership.save()

        # User is now a member and can now see its own user detail
        resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})
        self.assertEqual(resp.status_code, 200)

        # Token is not granted to see profile detail
        resp = self.client.get(f'/api/members/profile/{self.user.profile.pk}/',
                               **{'Authorization': f'Bearer {token.token}'})
        self.assertEqual(resp.status_code, 404)

    def test_scopes(self):
        """
        Ensure that the scopes page is loading.
        """
        self.client.force_login(self.user)

        resp = self.client.get(reverse('permission:scopes'))
        self.assertEqual(resp.status_code, 200)
        self.assertIn(self.application, resp.context['scopes'])
        self.assertNotIn('1_1', resp.context['scopes'][self.application])  # The user has not this permission

        # Create membership to validate permissions
        bde = Club.objects.get(name="BDE")
        NoteUser.objects.create(user=self.user)
        membership = Membership.objects.create(user=self.user, club_id=bde.pk)
        membership.roles.add(Role.objects.get(name="Adhérent BDE"))
        membership.save()

        resp = self.client.get(reverse('permission:scopes'))
        self.assertEqual(resp.status_code, 200)
        self.assertIn(self.application, resp.context['scopes'])
        self.assertIn('1_1', resp.context['scopes'][self.application])  # Now the user has this permission
Update 131 files - /apps/activity/api/serializers.py - /apps/activity/api/urls.py - /apps/activity/api/views.py - /apps/activity/tests/test_activities.py - /apps/activity/__init__.py - /apps/activity/admin.py - /apps/activity/apps.py - /apps/activity/forms.py - /apps/activity/tables.py - /apps/activity/urls.py - /apps/activity/views.py - /apps/api/__init__.py - /apps/api/apps.py - /apps/api/serializers.py - /apps/api/tests.py - /apps/api/urls.py - /apps/api/views.py - /apps/api/viewsets.py - /apps/logs/signals.py - /apps/logs/apps.py - /apps/logs/__init__.py - /apps/logs/api/serializers.py - /apps/logs/api/urls.py - /apps/logs/api/views.py - /apps/member/api/serializers.py - /apps/member/api/urls.py - /apps/member/api/views.py - /apps/member/templatetags/memberinfo.py - /apps/member/__init__.py - /apps/member/admin.py - /apps/member/apps.py - /apps/member/auth.py - /apps/member/forms.py - /apps/member/hashers.py - /apps/member/signals.py - /apps/member/tables.py - /apps/member/urls.py - /apps/member/views.py - /apps/note/api/serializers.py - /apps/note/api/urls.py - /apps/note/api/views.py - /apps/note/models/__init__.py - /apps/note/static/note/js/consos.js - /apps/note/templates/note/mails/negative_balance.txt - /apps/note/templatetags/getenv.py - /apps/note/templatetags/pretty_money.py - /apps/note/tests/test_transactions.py - /apps/note/__init__.py - /apps/note/admin.py - /apps/note/apps.py - /apps/note/forms.py - /apps/note/signals.py - /apps/note/tables.py - /apps/note/urls.py - /apps/note/views.py - /apps/permission/api/serializers.py - /apps/permission/api/urls.py - /apps/permission/api/views.py - /apps/permission/templatetags/perms.py - /apps/permission/tests/test_oauth2.py - /apps/permission/tests/test_permission_denied.py - /apps/permission/tests/test_permission_queries.py - /apps/permission/tests/test_rights_page.py - /apps/permission/__init__.py - /apps/permission/admin.py - /apps/permission/backends.py - /apps/permission/apps.py - /apps/permission/decorators.py - /apps/permission/permissions.py - /apps/permission/scopes.py - /apps/permission/signals.py - /apps/permission/tables.py - /apps/permission/urls.py - /apps/permission/views.py - /apps/registration/tests/test_registration.py - /apps/registration/__init__.py - /apps/registration/apps.py - /apps/registration/forms.py - /apps/registration/tables.py - /apps/registration/tokens.py - /apps/registration/urls.py - /apps/registration/views.py - /apps/treasury/api/serializers.py - /apps/treasury/api/urls.py - /apps/treasury/api/views.py - /apps/treasury/templatetags/escape_tex.py - /apps/treasury/tests/test_treasury.py - /apps/treasury/__init__.py - /apps/treasury/admin.py - /apps/treasury/apps.py - /apps/treasury/forms.py - /apps/treasury/signals.py - /apps/treasury/tables.py - /apps/treasury/urls.py - /apps/treasury/views.py - /apps/wei/api/serializers.py - /apps/wei/api/urls.py - /apps/wei/api/views.py - /apps/wei/forms/surveys/__init__.py - /apps/wei/forms/surveys/base.py - /apps/wei/forms/surveys/wei2021.py - /apps/wei/forms/surveys/wei2022.py - /apps/wei/forms/surveys/wei2023.py - /apps/wei/forms/__init__.py - /apps/wei/forms/registration.py - /apps/wei/management/commands/export_wei_registrations.py - /apps/wei/management/commands/import_scores.py - /apps/wei/management/commands/wei_algorithm.py - /apps/wei/templates/wei/weilist_sample.tex - /apps/wei/tests/test_wei_algorithm_2021.py - /apps/wei/tests/test_wei_algorithm_2022.py - /apps/wei/tests/test_wei_algorithm_2023.py - /apps/wei/tests/test_wei_registration.py - /apps/wei/__init__.py - /apps/wei/admin.py - /apps/wei/apps.py - /apps/wei/tables.py - /apps/wei/urls.py - /apps/wei/views.py - /note_kfet/settings/__init__.py - /note_kfet/settings/base.py - /note_kfet/settings/development.py - /note_kfet/settings/secrets_example.py - /note_kfet/static/js/base.js - /note_kfet/admin.py - /note_kfet/inputs.py - /note_kfet/middlewares.py - /note_kfet/urls.py - /note_kfet/views.py - /note_kfet/wsgi.py - /entrypoint.sh 2024-02-07 01:26:49 +00:00			`# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay`
Simple test to check permissions with the new OAuth2 implementation Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-17 20:29:57 +00:00			`# SPDX-License-Identifier: GPL-3.0-or-later`

			`from datetime import timedelta`

			`from django.contrib.auth.models import User`
			`from django.test import TestCase`
			`from django.urls import reverse`
			`from django.utils import timezone`
			`from django.utils.crypto import get_random_string`
			`from member.models import Membership, Club`
			`from note.models import NoteUser`
			`from oauth2_provider.models import Application, AccessToken`

			`from ..models import Role, Permission`


			`class OAuth2TestCase(TestCase):`
			`fixtures = ('initial', )`

			`def setUp(self):`
			`self.user = User.objects.create(`
			`username="toto",`
			`)`
			`self.application = Application.objects.create(`
			`name="Test",`
			`client_type=Application.CLIENT_PUBLIC,`
			`authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,`
			`user=self.user,`
			`)`

			`def test_oauth2_access(self):`
			`"""`
			`Create a simple OAuth2 access token that only has the right to see data of the current user`
			`and check that this token has required access, and nothing more.`
			`"""`

			`bde = Club.objects.get(name="BDE")`
			`view_user_perm = Permission.objects.get(pk=1) # View own user detail`

			`# Create access token that has access to our own user detail`
			`token = AccessToken.objects.create(`
			`user=self.user,`
			`application=self.application,`
			`scope=f"{view_user_perm.pk}_{bde.pk}",`
			`token=get_random_string(64),`
			`expires=timezone.now() + timedelta(days=365),`
			`)`

			`# No access without token`
			`resp = self.client.get(f'/api/user/{self.user.pk}/')`
			`self.assertEqual(resp.status_code, 403)`

			`# Valid token but user has no membership, so the query is not returning the user object`
			`resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})`
			`self.assertEqual(resp.status_code, 404)`

			`# Create membership to validate permissions`
			`NoteUser.objects.create(user=self.user)`
			`membership = Membership.objects.create(user=self.user, club_id=bde.pk)`
			`membership.roles.add(Role.objects.get(name="Adhérent BDE"))`
			`membership.save()`

			`# User is now a member and can now see its own user detail`
			`resp = self.client.get(f'/api/user/{self.user.pk}/', **{'Authorization': f'Bearer {token.token}'})`
			`self.assertEqual(resp.status_code, 200)`

			`# Token is not granted to see profile detail`
			`resp = self.client.get(f'/api/members/profile/{self.user.profile.pk}/',`
			`**{'Authorization': f'Bearer {token.token}'})`
			`self.assertEqual(resp.status_code, 404)`

			`def test_scopes(self):`
			`"""`
			`Ensure that the scopes page is loading.`
			`"""`
			`self.client.force_login(self.user)`

			`resp = self.client.get(reverse('permission:scopes'))`
			`self.assertEqual(resp.status_code, 200)`
			`self.assertIn(self.application, resp.context['scopes'])`
			`self.assertNotIn('1_1', resp.context['scopes'][self.application]) # The user has not this permission`

			`# Create membership to validate permissions`
			`bde = Club.objects.get(name="BDE")`
			`NoteUser.objects.create(user=self.user)`
			`membership = Membership.objects.create(user=self.user, club_id=bde.pk)`
			`membership.roles.add(Role.objects.get(name="Adhérent BDE"))`
			`membership.save()`

			`resp = self.client.get(reverse('permission:scopes'))`
			`self.assertEqual(resp.status_code, 200)`
			`self.assertIn(self.application, resp.context['scopes'])`
			`self.assertIn('1_1', resp.context['scopes'][self.application]) # Now the user has this permission`