authentik.core.tests.test_application_entitlements
Test Application Entitlements API
1"""Test Application Entitlements API""" 2 3from django.urls import reverse 4from rest_framework.test import APITestCase 5 6from authentik.core.models import Application, ApplicationEntitlement, Group 7from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user 8from authentik.lib.generators import generate_id 9from authentik.policies.dummy.models import DummyPolicy 10from authentik.policies.models import PolicyBinding 11from authentik.providers.oauth2.models import OAuth2Provider 12 13 14class TestApplicationEntitlements(APITestCase): 15 """Test application entitlements""" 16 17 def setUp(self) -> None: 18 self.user = create_test_user() 19 self.other_user = create_test_user() 20 self.provider = OAuth2Provider.objects.create( 21 name="test", 22 authorization_flow=create_test_flow(), 23 ) 24 self.app: Application = Application.objects.create( 25 name=generate_id(), 26 slug=generate_id(), 27 provider=self.provider, 28 ) 29 30 def test_user(self): 31 """Test user-direct assignment""" 32 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 33 PolicyBinding.objects.create(target=ent, user=self.user, order=0) 34 ents = self.user.app_entitlements(self.app) 35 self.assertEqual(len(ents), 1) 36 self.assertEqual(ents[0].name, ent.name) 37 38 def test_group(self): 39 """Test direct group""" 40 group = Group.objects.create(name=generate_id()) 41 self.user.groups.add(group) 42 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 43 PolicyBinding.objects.create(target=ent, group=group, order=0) 44 ents = self.user.app_entitlements(self.app) 45 self.assertEqual(len(ents), 1) 46 self.assertEqual(ents[0].name, ent.name) 47 48 def test_group_indirect(self): 49 """Test indirect group""" 50 parent = Group.objects.create(name=generate_id()) 51 group = Group.objects.create(name=generate_id()) 52 group.parents.add(parent) 53 self.user.groups.add(group) 54 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 55 PolicyBinding.objects.create(target=ent, group=parent, order=0) 56 ents = self.user.app_entitlements(self.app) 57 self.assertEqual(len(ents), 1) 58 self.assertEqual(ents[0].name, ent.name) 59 60 def test_negate_user(self): 61 """Test with negate flag""" 62 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 63 PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True) 64 ents = self.user.app_entitlements(self.app) 65 self.assertEqual(len(ents), 1) 66 self.assertEqual(ents[0].name, ent.name) 67 68 def test_negate_group(self): 69 """Test with negate flag""" 70 other_group = Group.objects.create(name=generate_id()) 71 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 72 PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True) 73 ents = self.user.app_entitlements(self.app) 74 self.assertEqual(len(ents), 1) 75 self.assertEqual(ents[0].name, ent.name) 76 77 def test_api_perms_global(self): 78 """Test API creation with global permissions""" 79 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 80 self.user.assign_perms_to_managed_role("authentik_core.view_application") 81 self.client.force_login(self.user) 82 res = self.client.post( 83 reverse("authentik_api:applicationentitlement-list"), 84 data={ 85 "name": generate_id(), 86 "app": self.app.pk, 87 }, 88 ) 89 self.assertEqual(res.status_code, 201) 90 91 def test_api_perms_scoped(self): 92 """Test API creation with scoped permissions""" 93 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 94 self.user.assign_perms_to_managed_role("authentik_core.view_application", self.app) 95 self.client.force_login(self.user) 96 res = self.client.post( 97 reverse("authentik_api:applicationentitlement-list"), 98 data={ 99 "name": generate_id(), 100 "app": self.app.pk, 101 }, 102 ) 103 self.assertEqual(res.status_code, 201) 104 105 def test_api_perms_missing(self): 106 """Test API creation with no permissions""" 107 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 108 self.client.force_login(self.user) 109 res = self.client.post( 110 reverse("authentik_api:applicationentitlement-list"), 111 data={ 112 "name": generate_id(), 113 "app": self.app.pk, 114 }, 115 ) 116 self.assertEqual(res.status_code, 400) 117 self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]}) 118 119 def test_api_bindings_policy(self): 120 """Test that API doesn't allow policies to be bound to this""" 121 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 122 policy = DummyPolicy.objects.create(name=generate_id()) 123 admin = create_test_admin_user() 124 self.client.force_login(admin) 125 response = self.client.post( 126 reverse("authentik_api:policybinding-list"), 127 data={ 128 "target": ent.pbm_uuid, 129 "policy": policy.pk, 130 "order": 0, 131 }, 132 ) 133 self.assertJSONEqual( 134 response.content.decode(), 135 {"non_field_errors": ["One of 'group', 'user' must be set."]}, 136 ) 137 138 def test_api_bindings_group(self): 139 """Test that API doesn't allow policies to be bound to this""" 140 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 141 group = Group.objects.create(name=generate_id()) 142 admin = create_test_admin_user() 143 self.client.force_login(admin) 144 response = self.client.post( 145 reverse("authentik_api:policybinding-list"), 146 data={ 147 "target": ent.pbm_uuid, 148 "group": group.pk, 149 "order": 0, 150 }, 151 ) 152 self.assertEqual(response.status_code, 201) 153 self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())
class
TestApplicationEntitlements(rest_framework.test.APITestCase):
15class TestApplicationEntitlements(APITestCase): 16 """Test application entitlements""" 17 18 def setUp(self) -> None: 19 self.user = create_test_user() 20 self.other_user = create_test_user() 21 self.provider = OAuth2Provider.objects.create( 22 name="test", 23 authorization_flow=create_test_flow(), 24 ) 25 self.app: Application = Application.objects.create( 26 name=generate_id(), 27 slug=generate_id(), 28 provider=self.provider, 29 ) 30 31 def test_user(self): 32 """Test user-direct assignment""" 33 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 34 PolicyBinding.objects.create(target=ent, user=self.user, order=0) 35 ents = self.user.app_entitlements(self.app) 36 self.assertEqual(len(ents), 1) 37 self.assertEqual(ents[0].name, ent.name) 38 39 def test_group(self): 40 """Test direct group""" 41 group = Group.objects.create(name=generate_id()) 42 self.user.groups.add(group) 43 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 44 PolicyBinding.objects.create(target=ent, group=group, order=0) 45 ents = self.user.app_entitlements(self.app) 46 self.assertEqual(len(ents), 1) 47 self.assertEqual(ents[0].name, ent.name) 48 49 def test_group_indirect(self): 50 """Test indirect group""" 51 parent = Group.objects.create(name=generate_id()) 52 group = Group.objects.create(name=generate_id()) 53 group.parents.add(parent) 54 self.user.groups.add(group) 55 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 56 PolicyBinding.objects.create(target=ent, group=parent, order=0) 57 ents = self.user.app_entitlements(self.app) 58 self.assertEqual(len(ents), 1) 59 self.assertEqual(ents[0].name, ent.name) 60 61 def test_negate_user(self): 62 """Test with negate flag""" 63 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 64 PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True) 65 ents = self.user.app_entitlements(self.app) 66 self.assertEqual(len(ents), 1) 67 self.assertEqual(ents[0].name, ent.name) 68 69 def test_negate_group(self): 70 """Test with negate flag""" 71 other_group = Group.objects.create(name=generate_id()) 72 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 73 PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True) 74 ents = self.user.app_entitlements(self.app) 75 self.assertEqual(len(ents), 1) 76 self.assertEqual(ents[0].name, ent.name) 77 78 def test_api_perms_global(self): 79 """Test API creation with global permissions""" 80 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 81 self.user.assign_perms_to_managed_role("authentik_core.view_application") 82 self.client.force_login(self.user) 83 res = self.client.post( 84 reverse("authentik_api:applicationentitlement-list"), 85 data={ 86 "name": generate_id(), 87 "app": self.app.pk, 88 }, 89 ) 90 self.assertEqual(res.status_code, 201) 91 92 def test_api_perms_scoped(self): 93 """Test API creation with scoped permissions""" 94 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 95 self.user.assign_perms_to_managed_role("authentik_core.view_application", self.app) 96 self.client.force_login(self.user) 97 res = self.client.post( 98 reverse("authentik_api:applicationentitlement-list"), 99 data={ 100 "name": generate_id(), 101 "app": self.app.pk, 102 }, 103 ) 104 self.assertEqual(res.status_code, 201) 105 106 def test_api_perms_missing(self): 107 """Test API creation with no permissions""" 108 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 109 self.client.force_login(self.user) 110 res = self.client.post( 111 reverse("authentik_api:applicationentitlement-list"), 112 data={ 113 "name": generate_id(), 114 "app": self.app.pk, 115 }, 116 ) 117 self.assertEqual(res.status_code, 400) 118 self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]}) 119 120 def test_api_bindings_policy(self): 121 """Test that API doesn't allow policies to be bound to this""" 122 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 123 policy = DummyPolicy.objects.create(name=generate_id()) 124 admin = create_test_admin_user() 125 self.client.force_login(admin) 126 response = self.client.post( 127 reverse("authentik_api:policybinding-list"), 128 data={ 129 "target": ent.pbm_uuid, 130 "policy": policy.pk, 131 "order": 0, 132 }, 133 ) 134 self.assertJSONEqual( 135 response.content.decode(), 136 {"non_field_errors": ["One of 'group', 'user' must be set."]}, 137 ) 138 139 def test_api_bindings_group(self): 140 """Test that API doesn't allow policies to be bound to this""" 141 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 142 group = Group.objects.create(name=generate_id()) 143 admin = create_test_admin_user() 144 self.client.force_login(admin) 145 response = self.client.post( 146 reverse("authentik_api:policybinding-list"), 147 data={ 148 "target": ent.pbm_uuid, 149 "group": group.pk, 150 "order": 0, 151 }, 152 ) 153 self.assertEqual(response.status_code, 201) 154 self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())
Test application entitlements
def
setUp(self) -> None:
18 def setUp(self) -> None: 19 self.user = create_test_user() 20 self.other_user = create_test_user() 21 self.provider = OAuth2Provider.objects.create( 22 name="test", 23 authorization_flow=create_test_flow(), 24 ) 25 self.app: Application = Application.objects.create( 26 name=generate_id(), 27 slug=generate_id(), 28 provider=self.provider, 29 )
Hook method for setting up the test fixture before exercising it.
def
test_user(self):
31 def test_user(self): 32 """Test user-direct assignment""" 33 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 34 PolicyBinding.objects.create(target=ent, user=self.user, order=0) 35 ents = self.user.app_entitlements(self.app) 36 self.assertEqual(len(ents), 1) 37 self.assertEqual(ents[0].name, ent.name)
Test user-direct assignment
def
test_group(self):
39 def test_group(self): 40 """Test direct group""" 41 group = Group.objects.create(name=generate_id()) 42 self.user.groups.add(group) 43 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 44 PolicyBinding.objects.create(target=ent, group=group, order=0) 45 ents = self.user.app_entitlements(self.app) 46 self.assertEqual(len(ents), 1) 47 self.assertEqual(ents[0].name, ent.name)
Test direct group
def
test_group_indirect(self):
49 def test_group_indirect(self): 50 """Test indirect group""" 51 parent = Group.objects.create(name=generate_id()) 52 group = Group.objects.create(name=generate_id()) 53 group.parents.add(parent) 54 self.user.groups.add(group) 55 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 56 PolicyBinding.objects.create(target=ent, group=parent, order=0) 57 ents = self.user.app_entitlements(self.app) 58 self.assertEqual(len(ents), 1) 59 self.assertEqual(ents[0].name, ent.name)
Test indirect group
def
test_negate_user(self):
61 def test_negate_user(self): 62 """Test with negate flag""" 63 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 64 PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True) 65 ents = self.user.app_entitlements(self.app) 66 self.assertEqual(len(ents), 1) 67 self.assertEqual(ents[0].name, ent.name)
Test with negate flag
def
test_negate_group(self):
69 def test_negate_group(self): 70 """Test with negate flag""" 71 other_group = Group.objects.create(name=generate_id()) 72 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 73 PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True) 74 ents = self.user.app_entitlements(self.app) 75 self.assertEqual(len(ents), 1) 76 self.assertEqual(ents[0].name, ent.name)
Test with negate flag
def
test_api_perms_global(self):
78 def test_api_perms_global(self): 79 """Test API creation with global permissions""" 80 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 81 self.user.assign_perms_to_managed_role("authentik_core.view_application") 82 self.client.force_login(self.user) 83 res = self.client.post( 84 reverse("authentik_api:applicationentitlement-list"), 85 data={ 86 "name": generate_id(), 87 "app": self.app.pk, 88 }, 89 ) 90 self.assertEqual(res.status_code, 201)
Test API creation with global permissions
def
test_api_perms_scoped(self):
92 def test_api_perms_scoped(self): 93 """Test API creation with scoped permissions""" 94 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 95 self.user.assign_perms_to_managed_role("authentik_core.view_application", self.app) 96 self.client.force_login(self.user) 97 res = self.client.post( 98 reverse("authentik_api:applicationentitlement-list"), 99 data={ 100 "name": generate_id(), 101 "app": self.app.pk, 102 }, 103 ) 104 self.assertEqual(res.status_code, 201)
Test API creation with scoped permissions
def
test_api_perms_missing(self):
106 def test_api_perms_missing(self): 107 """Test API creation with no permissions""" 108 self.user.assign_perms_to_managed_role("authentik_core.add_applicationentitlement") 109 self.client.force_login(self.user) 110 res = self.client.post( 111 reverse("authentik_api:applicationentitlement-list"), 112 data={ 113 "name": generate_id(), 114 "app": self.app.pk, 115 }, 116 ) 117 self.assertEqual(res.status_code, 400) 118 self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})
Test API creation with no permissions
def
test_api_bindings_policy(self):
120 def test_api_bindings_policy(self): 121 """Test that API doesn't allow policies to be bound to this""" 122 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 123 policy = DummyPolicy.objects.create(name=generate_id()) 124 admin = create_test_admin_user() 125 self.client.force_login(admin) 126 response = self.client.post( 127 reverse("authentik_api:policybinding-list"), 128 data={ 129 "target": ent.pbm_uuid, 130 "policy": policy.pk, 131 "order": 0, 132 }, 133 ) 134 self.assertJSONEqual( 135 response.content.decode(), 136 {"non_field_errors": ["One of 'group', 'user' must be set."]}, 137 )
Test that API doesn't allow policies to be bound to this
def
test_api_bindings_group(self):
139 def test_api_bindings_group(self): 140 """Test that API doesn't allow policies to be bound to this""" 141 ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id()) 142 group = Group.objects.create(name=generate_id()) 143 admin = create_test_admin_user() 144 self.client.force_login(admin) 145 response = self.client.post( 146 reverse("authentik_api:policybinding-list"), 147 data={ 148 "target": ent.pbm_uuid, 149 "group": group.pk, 150 "order": 0, 151 }, 152 ) 153 self.assertEqual(response.status_code, 201) 154 self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())
Test that API doesn't allow policies to be bound to this