authentik.core.tests.test_impersonation
impersonation tests
1"""impersonation tests""" 2 3from json import loads 4 5from django.urls import reverse 6from rest_framework.test import APITestCase 7 8from authentik.core.tests.utils import create_test_admin_user, create_test_user 9from authentik.tenants.utils import get_current_tenant 10 11 12class TestImpersonation(APITestCase): 13 """impersonation tests""" 14 15 def setUp(self) -> None: 16 super().setUp() 17 self.other_user = create_test_user() 18 self.user = create_test_admin_user() 19 20 def test_impersonate_simple(self): 21 """test simple impersonation and un-impersonation""" 22 # test with an inactive user to ensure that still works 23 self.other_user.is_active = False 24 self.other_user.save() 25 self.client.force_login(self.user) 26 27 self.client.post( 28 reverse( 29 "authentik_api:user-impersonate", 30 kwargs={"pk": self.other_user.pk}, 31 ), 32 data={"reason": "some reason"}, 33 ) 34 35 response = self.client.get(reverse("authentik_api:user-me")) 36 response_body = loads(response.content.decode()) 37 self.assertEqual(response_body["user"]["username"], self.other_user.username) 38 self.assertEqual(response_body["original"]["username"], self.user.username) 39 40 self.client.get(reverse("authentik_api:user-impersonate-end")) 41 42 response = self.client.get(reverse("authentik_api:user-me")) 43 response_body = loads(response.content.decode()) 44 self.assertEqual(response_body["user"]["username"], self.user.username) 45 self.assertNotIn("original", response_body) 46 47 def test_impersonate_global(self): 48 """Test impersonation with global permissions""" 49 new_user = create_test_user() 50 new_user.assign_perms_to_managed_role("authentik_core.impersonate") 51 new_user.assign_perms_to_managed_role("authentik_core.view_user") 52 self.client.force_login(new_user) 53 54 response = self.client.post( 55 reverse( 56 "authentik_api:user-impersonate", 57 kwargs={"pk": self.other_user.pk}, 58 ), 59 data={"reason": "some reason"}, 60 ) 61 self.assertEqual(response.status_code, 204) 62 63 response = self.client.get(reverse("authentik_api:user-me")) 64 response_body = loads(response.content.decode()) 65 self.assertEqual(response_body["user"]["username"], self.other_user.username) 66 self.assertEqual(response_body["original"]["username"], new_user.username) 67 68 def test_impersonate_scoped(self): 69 """Test impersonation with scoped permissions""" 70 new_user = create_test_user() 71 new_user.assign_perms_to_managed_role("authentik_core.impersonate", self.other_user) 72 new_user.assign_perms_to_managed_role("authentik_core.view_user", self.other_user) 73 self.client.force_login(new_user) 74 75 response = self.client.post( 76 reverse( 77 "authentik_api:user-impersonate", 78 kwargs={"pk": self.other_user.pk}, 79 ), 80 data={"reason": "some reason"}, 81 ) 82 self.assertEqual(response.status_code, 204) 83 84 response = self.client.get(reverse("authentik_api:user-me")) 85 response_body = loads(response.content.decode()) 86 self.assertEqual(response_body["user"]["username"], self.other_user.username) 87 self.assertEqual(response_body["original"]["username"], new_user.username) 88 89 def test_impersonate_denied(self): 90 """test impersonation without permissions""" 91 self.client.force_login(self.other_user) 92 93 response = self.client.post( 94 reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}), 95 data={"reason": "some reason"}, 96 ) 97 self.assertEqual(response.status_code, 403) 98 99 response = self.client.get(reverse("authentik_api:user-me")) 100 response_body = loads(response.content.decode()) 101 self.assertEqual(response_body["user"]["username"], self.other_user.username) 102 103 def test_impersonate_disabled(self): 104 """test impersonation that is disabled""" 105 tenant = get_current_tenant() 106 tenant.impersonation = False 107 tenant.save() 108 self.client.force_login(self.user) 109 110 response = self.client.post( 111 reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}), 112 data={"reason": "some reason"}, 113 ) 114 self.assertEqual(response.status_code, 401) 115 116 response = self.client.get(reverse("authentik_api:user-me")) 117 response_body = loads(response.content.decode()) 118 self.assertEqual(response_body["user"]["username"], self.user.username) 119 120 def test_impersonate_self(self): 121 """test impersonation that user can't impersonate themselves""" 122 self.client.force_login(self.user) 123 124 response = self.client.post( 125 reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}), 126 data={"reason": "some reason"}, 127 ) 128 self.assertEqual(response.status_code, 401) 129 130 response = self.client.get(reverse("authentik_api:user-me")) 131 response_body = loads(response.content.decode()) 132 self.assertEqual(response_body["user"]["username"], self.user.username) 133 134 def test_impersonate_reason_required(self): 135 """test impersonation that user must provide reason""" 136 self.client.force_login(self.user) 137 138 response = self.client.post( 139 reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}), 140 data={"reason": ""}, 141 ) 142 self.assertEqual(response.status_code, 400) 143 144 response = self.client.get(reverse("authentik_api:user-me")) 145 response_body = loads(response.content.decode()) 146 self.assertEqual(response_body["user"]["username"], self.user.username) 147 148 def test_un_impersonate_empty(self): 149 """test un-impersonation without impersonating first""" 150 self.client.force_login(self.other_user) 151 152 response = self.client.get(reverse("authentik_api:user-impersonate-end")) 153 self.assertEqual(response.status_code, 204)
class
TestImpersonation(rest_framework.test.APITestCase):
13class TestImpersonation(APITestCase): 14 """impersonation tests""" 15 16 def setUp(self) -> None: 17 super().setUp() 18 self.other_user = create_test_user() 19 self.user = create_test_admin_user() 20 21 def test_impersonate_simple(self): 22 """test simple impersonation and un-impersonation""" 23 # test with an inactive user to ensure that still works 24 self.other_user.is_active = False 25 self.other_user.save() 26 self.client.force_login(self.user) 27 28 self.client.post( 29 reverse( 30 "authentik_api:user-impersonate", 31 kwargs={"pk": self.other_user.pk}, 32 ), 33 data={"reason": "some reason"}, 34 ) 35 36 response = self.client.get(reverse("authentik_api:user-me")) 37 response_body = loads(response.content.decode()) 38 self.assertEqual(response_body["user"]["username"], self.other_user.username) 39 self.assertEqual(response_body["original"]["username"], self.user.username) 40 41 self.client.get(reverse("authentik_api:user-impersonate-end")) 42 43 response = self.client.get(reverse("authentik_api:user-me")) 44 response_body = loads(response.content.decode()) 45 self.assertEqual(response_body["user"]["username"], self.user.username) 46 self.assertNotIn("original", response_body) 47 48 def test_impersonate_global(self): 49 """Test impersonation with global permissions""" 50 new_user = create_test_user() 51 new_user.assign_perms_to_managed_role("authentik_core.impersonate") 52 new_user.assign_perms_to_managed_role("authentik_core.view_user") 53 self.client.force_login(new_user) 54 55 response = self.client.post( 56 reverse( 57 "authentik_api:user-impersonate", 58 kwargs={"pk": self.other_user.pk}, 59 ), 60 data={"reason": "some reason"}, 61 ) 62 self.assertEqual(response.status_code, 204) 63 64 response = self.client.get(reverse("authentik_api:user-me")) 65 response_body = loads(response.content.decode()) 66 self.assertEqual(response_body["user"]["username"], self.other_user.username) 67 self.assertEqual(response_body["original"]["username"], new_user.username) 68 69 def test_impersonate_scoped(self): 70 """Test impersonation with scoped permissions""" 71 new_user = create_test_user() 72 new_user.assign_perms_to_managed_role("authentik_core.impersonate", self.other_user) 73 new_user.assign_perms_to_managed_role("authentik_core.view_user", self.other_user) 74 self.client.force_login(new_user) 75 76 response = self.client.post( 77 reverse( 78 "authentik_api:user-impersonate", 79 kwargs={"pk": self.other_user.pk}, 80 ), 81 data={"reason": "some reason"}, 82 ) 83 self.assertEqual(response.status_code, 204) 84 85 response = self.client.get(reverse("authentik_api:user-me")) 86 response_body = loads(response.content.decode()) 87 self.assertEqual(response_body["user"]["username"], self.other_user.username) 88 self.assertEqual(response_body["original"]["username"], new_user.username) 89 90 def test_impersonate_denied(self): 91 """test impersonation without permissions""" 92 self.client.force_login(self.other_user) 93 94 response = self.client.post( 95 reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}), 96 data={"reason": "some reason"}, 97 ) 98 self.assertEqual(response.status_code, 403) 99 100 response = self.client.get(reverse("authentik_api:user-me")) 101 response_body = loads(response.content.decode()) 102 self.assertEqual(response_body["user"]["username"], self.other_user.username) 103 104 def test_impersonate_disabled(self): 105 """test impersonation that is disabled""" 106 tenant = get_current_tenant() 107 tenant.impersonation = False 108 tenant.save() 109 self.client.force_login(self.user) 110 111 response = self.client.post( 112 reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}), 113 data={"reason": "some reason"}, 114 ) 115 self.assertEqual(response.status_code, 401) 116 117 response = self.client.get(reverse("authentik_api:user-me")) 118 response_body = loads(response.content.decode()) 119 self.assertEqual(response_body["user"]["username"], self.user.username) 120 121 def test_impersonate_self(self): 122 """test impersonation that user can't impersonate themselves""" 123 self.client.force_login(self.user) 124 125 response = self.client.post( 126 reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}), 127 data={"reason": "some reason"}, 128 ) 129 self.assertEqual(response.status_code, 401) 130 131 response = self.client.get(reverse("authentik_api:user-me")) 132 response_body = loads(response.content.decode()) 133 self.assertEqual(response_body["user"]["username"], self.user.username) 134 135 def test_impersonate_reason_required(self): 136 """test impersonation that user must provide reason""" 137 self.client.force_login(self.user) 138 139 response = self.client.post( 140 reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}), 141 data={"reason": ""}, 142 ) 143 self.assertEqual(response.status_code, 400) 144 145 response = self.client.get(reverse("authentik_api:user-me")) 146 response_body = loads(response.content.decode()) 147 self.assertEqual(response_body["user"]["username"], self.user.username) 148 149 def test_un_impersonate_empty(self): 150 """test un-impersonation without impersonating first""" 151 self.client.force_login(self.other_user) 152 153 response = self.client.get(reverse("authentik_api:user-impersonate-end")) 154 self.assertEqual(response.status_code, 204)
impersonation tests
def
setUp(self) -> None:
16 def setUp(self) -> None: 17 super().setUp() 18 self.other_user = create_test_user() 19 self.user = create_test_admin_user()
Hook method for setting up the test fixture before exercising it.
def
test_impersonate_simple(self):
21 def test_impersonate_simple(self): 22 """test simple impersonation and un-impersonation""" 23 # test with an inactive user to ensure that still works 24 self.other_user.is_active = False 25 self.other_user.save() 26 self.client.force_login(self.user) 27 28 self.client.post( 29 reverse( 30 "authentik_api:user-impersonate", 31 kwargs={"pk": self.other_user.pk}, 32 ), 33 data={"reason": "some reason"}, 34 ) 35 36 response = self.client.get(reverse("authentik_api:user-me")) 37 response_body = loads(response.content.decode()) 38 self.assertEqual(response_body["user"]["username"], self.other_user.username) 39 self.assertEqual(response_body["original"]["username"], self.user.username) 40 41 self.client.get(reverse("authentik_api:user-impersonate-end")) 42 43 response = self.client.get(reverse("authentik_api:user-me")) 44 response_body = loads(response.content.decode()) 45 self.assertEqual(response_body["user"]["username"], self.user.username) 46 self.assertNotIn("original", response_body)
test simple impersonation and un-impersonation
def
test_impersonate_global(self):
48 def test_impersonate_global(self): 49 """Test impersonation with global permissions""" 50 new_user = create_test_user() 51 new_user.assign_perms_to_managed_role("authentik_core.impersonate") 52 new_user.assign_perms_to_managed_role("authentik_core.view_user") 53 self.client.force_login(new_user) 54 55 response = self.client.post( 56 reverse( 57 "authentik_api:user-impersonate", 58 kwargs={"pk": self.other_user.pk}, 59 ), 60 data={"reason": "some reason"}, 61 ) 62 self.assertEqual(response.status_code, 204) 63 64 response = self.client.get(reverse("authentik_api:user-me")) 65 response_body = loads(response.content.decode()) 66 self.assertEqual(response_body["user"]["username"], self.other_user.username) 67 self.assertEqual(response_body["original"]["username"], new_user.username)
Test impersonation with global permissions
def
test_impersonate_scoped(self):
69 def test_impersonate_scoped(self): 70 """Test impersonation with scoped permissions""" 71 new_user = create_test_user() 72 new_user.assign_perms_to_managed_role("authentik_core.impersonate", self.other_user) 73 new_user.assign_perms_to_managed_role("authentik_core.view_user", self.other_user) 74 self.client.force_login(new_user) 75 76 response = self.client.post( 77 reverse( 78 "authentik_api:user-impersonate", 79 kwargs={"pk": self.other_user.pk}, 80 ), 81 data={"reason": "some reason"}, 82 ) 83 self.assertEqual(response.status_code, 204) 84 85 response = self.client.get(reverse("authentik_api:user-me")) 86 response_body = loads(response.content.decode()) 87 self.assertEqual(response_body["user"]["username"], self.other_user.username) 88 self.assertEqual(response_body["original"]["username"], new_user.username)
Test impersonation with scoped permissions
def
test_impersonate_denied(self):
90 def test_impersonate_denied(self): 91 """test impersonation without permissions""" 92 self.client.force_login(self.other_user) 93 94 response = self.client.post( 95 reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}), 96 data={"reason": "some reason"}, 97 ) 98 self.assertEqual(response.status_code, 403) 99 100 response = self.client.get(reverse("authentik_api:user-me")) 101 response_body = loads(response.content.decode()) 102 self.assertEqual(response_body["user"]["username"], self.other_user.username)
test impersonation without permissions
def
test_impersonate_disabled(self):
104 def test_impersonate_disabled(self): 105 """test impersonation that is disabled""" 106 tenant = get_current_tenant() 107 tenant.impersonation = False 108 tenant.save() 109 self.client.force_login(self.user) 110 111 response = self.client.post( 112 reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}), 113 data={"reason": "some reason"}, 114 ) 115 self.assertEqual(response.status_code, 401) 116 117 response = self.client.get(reverse("authentik_api:user-me")) 118 response_body = loads(response.content.decode()) 119 self.assertEqual(response_body["user"]["username"], self.user.username)
test impersonation that is disabled
def
test_impersonate_self(self):
121 def test_impersonate_self(self): 122 """test impersonation that user can't impersonate themselves""" 123 self.client.force_login(self.user) 124 125 response = self.client.post( 126 reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}), 127 data={"reason": "some reason"}, 128 ) 129 self.assertEqual(response.status_code, 401) 130 131 response = self.client.get(reverse("authentik_api:user-me")) 132 response_body = loads(response.content.decode()) 133 self.assertEqual(response_body["user"]["username"], self.user.username)
test impersonation that user can't impersonate themselves
def
test_impersonate_reason_required(self):
135 def test_impersonate_reason_required(self): 136 """test impersonation that user must provide reason""" 137 self.client.force_login(self.user) 138 139 response = self.client.post( 140 reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}), 141 data={"reason": ""}, 142 ) 143 self.assertEqual(response.status_code, 400) 144 145 response = self.client.get(reverse("authentik_api:user-me")) 146 response_body = loads(response.content.decode()) 147 self.assertEqual(response_body["user"]["username"], self.user.username)
test impersonation that user must provide reason
def
test_un_impersonate_empty(self):
149 def test_un_impersonate_empty(self): 150 """test un-impersonation without impersonating first""" 151 self.client.force_login(self.other_user) 152 153 response = self.client.get(reverse("authentik_api:user-impersonate-end")) 154 self.assertEqual(response.status_code, 204)
test un-impersonation without impersonating first