authentik.core.tests.test_interface_views

Test interface view redirect behavior by user type

  1"""Test interface view redirect behavior by user type"""
  2
  3from django.test import TestCase
  4from django.urls import reverse
  5
  6from authentik.brands.models import Brand
  7from authentik.core.apps import Setup
  8from authentik.core.models import Application, UserTypes
  9from authentik.core.tests.utils import create_test_brand, create_test_user
 10
 11
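class TestInterfaceRedirects(TestCase):
    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type.

    Each test pins one (URL name, user type) pair: external users and service
    accounts must be sent to the brand's default application, internal users
    must not be. A change to that routing therefore fails here.
    """

    def setUp(self):
        """Create one application and a test brand that uses it as default application."""
        # NOTE(review): presumably marks initial setup as done so the views are
        # reachable; confirm against authentik.core.apps.Setup.
        Setup.set(True)
        self.app = Application.objects.create(name="test-app", slug="test-app")
        self.brand: Brand = create_test_brand(default_application=self.app)

    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is redirected to the default application.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace to request.
            user_type: type given to the freshly created test user.
        """
        user = create_test_user(type=user_type)
        # force_login skips the login flow; only the view's routing is under test.
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # fetch_redirect_response=False: check the redirect itself, do not request its target.
        self.assertRedirects(
            response,
            reverse(
                "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
            ),
            fetch_redirect_response=False,
        )

    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is neither sent to the app nor denied.

        Internal users should not be redirected away.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace to request.
            user_type: type given to the freshly created test user.
        """
        user = create_test_user(type=user_type)
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
        app_url = reverse(
            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
        )
        # A missing Location header alone is also what an error response looks like,
        # so pin the two expected status codes explicitly.
        self.assertIn(response.status_code, (200, 302))
        self.assertNotEqual(response.get("Location"), app_url)
        # The access-denied page is served with status 200 (see
        # test_service_account_no_default_app_access_denied), so the status code
        # cannot tell it apart from the interface; check the body as well.
        self.assertNotIn(b"Interface can only be accessed by internal users", response.content)

    # --- RootRedirectView ---

    def test_root_redirect_external_user(self):
        """External users are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)

    def test_root_redirect_service_account(self):
        """Service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)

    def test_root_redirect_internal_service_account(self):
        """Internal service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_root_redirect_internal_user(self):
        """Internal users are NOT redirected to the app from root"""
        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/user/) ---

    def test_if_user_external_user(self):
        """External users are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)

    def test_if_user_service_account(self):
        """Service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)

    def test_if_user_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_user_internal_user(self):
        """Internal users are NOT redirected to the app from if/user/"""
        self._assert_no_redirect("if-user", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/admin/) ---
    # NOTE(review): unlike root and if/user/, there is no EXTERNAL case for
    # if/admin/ in this class; confirm whether that pair is covered elsewhere.

    def test_if_admin_service_account(self):
        """Service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)

    def test_if_admin_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_admin_internal_user(self):
        """Internal users are NOT redirected to the app from if/admin/"""
        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)

    # --- No default app set ---

    def test_service_account_no_default_app_access_denied(self):
        """Service accounts get access denied when no default app is configured"""
        self.brand.default_application = None
        self.brand.save()
        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
        self.client.force_login(user)
        response = self.client.get(reverse("authentik_core:if-user"))
        # The denial is a rendered page with status 200; the body text identifies it.
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"Interface can only be accessed by internal users", response.content)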
class TestInterfaceRedirects(django.test.testcases.TestCase):
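class TestInterfaceRedirects(TestCase):
    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type.

    Each test pins one (URL name, user type) pair: external users and service
    accounts must be sent to the brand's default application, internal users
    must not be. A change to that routing therefore fails here.
    """

    def setUp(self):
        """Create one application and a test brand that uses it as default application."""
        # NOTE(review): presumably marks initial setup as done so the views are
        # reachable; confirm against authentik.core.apps.Setup.
        Setup.set(True)
        self.app = Application.objects.create(name="test-app", slug="test-app")
        self.brand: Brand = create_test_brand(default_application=self.app)

    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is redirected to the default application.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace to request.
            user_type: type given to the freshly created test user.
        """
        user = create_test_user(type=user_type)
        # force_login skips the login flow; only the view's routing is under test.
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # fetch_redirect_response=False: check the redirect itself, do not request its target.
        self.assertRedirects(
            response,
            reverse(
                "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
            ),
            fetch_redirect_response=False,
        )

    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is neither sent to the app nor denied.

        Internal users should not be redirected away.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace to request.
            user_type: type given to the freshly created test user.
        """
        user = create_test_user(type=user_type)
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
        app_url = reverse(
            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
        )
        # A missing Location header alone is also what an error response looks like,
        # so pin the two expected status codes explicitly.
        self.assertIn(response.status_code, (200, 302))
        self.assertNotEqual(response.get("Location"), app_url)
        # The access-denied page is served with status 200 (see
        # test_service_account_no_default_app_access_denied), so the status code
        # cannot tell it apart from the interface; check the body as well.
        self.assertNotIn(b"Interface can only be accessed by internal users", response.content)

    # --- RootRedirectView ---

    def test_root_redirect_external_user(self):
        """External users are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)

    def test_root_redirect_service_account(self):
        """Service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)

    def test_root_redirect_internal_service_account(self):
        """Internal service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_root_redirect_internal_user(self):
        """Internal users are NOT redirected to the app from root"""
        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/user/) ---

    def test_if_user_external_user(self):
        """External users are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)

    def test_if_user_service_account(self):
        """Service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)

    def test_if_user_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_user_internal_user(self):
        """Internal users are NOT redirected to the app from if/user/"""
        self._assert_no_redirect("if-user", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/admin/) ---
    # NOTE(review): unlike root and if/user/, there is no EXTERNAL case for
    # if/admin/ in this class; confirm whether that pair is covered elsewhere.

    def test_if_admin_service_account(self):
        """Service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)

    def test_if_admin_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_admin_internal_user(self):
        """Internal users are NOT redirected to the app from if/admin/"""
        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)

    # --- No default app set ---

    def test_service_account_no_default_app_access_denied(self):
        """Service accounts get access denied when no default app is configured"""
        self.brand.default_application = None
        self.brand.save()
        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
        self.client.force_login(user)
        response = self.client.get(reverse("authentik_core:if-user"))
        # The denial is a rendered page with status 200; the body text identifies it.
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"Interface can only be accessed by internal users", response.content)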

Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type

def setUp(self):
    def setUp(self):
        """Create one application and a test brand that uses it as default application."""
        Setup.set(True)
        default_app = Application.objects.create(name="test-app", slug="test-app")
        self.app = default_app
        self.brand: Brand = create_test_brand(default_application=default_app)

Hook method for setting up the test fixture before exercising it.

def test_root_redirect_external_user(self):
    def test_root_redirect_external_user(self):
        """An EXTERNAL user requesting root-redirect is sent to the default application."""
        self._assert_redirects_to_app(url_name="root-redirect", user_type=UserTypes.EXTERNAL)

External users are redirected to the default app from root

def test_root_redirect_service_account(self):
    def test_root_redirect_service_account(self):
        """A SERVICE_ACCOUNT user requesting root-redirect is sent to the default application."""
        self._assert_redirects_to_app(
            url_name="root-redirect",
            user_type=UserTypes.SERVICE_ACCOUNT,
        )

Service accounts are redirected to the default app from root

def test_root_redirect_internal_service_account(self):
    def test_root_redirect_internal_service_account(self):
        """An INTERNAL_SERVICE_ACCOUNT user on root-redirect is sent to the default application."""
        self._assert_redirects_to_app(
            url_name="root-redirect",
            user_type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
        )

Internal service accounts are redirected to the default app from root

def test_root_redirect_internal_user(self):
    def test_root_redirect_internal_user(self):
        """An INTERNAL user requesting root-redirect is not sent to the default application."""
        self._assert_no_redirect(url_name="root-redirect", user_type=UserTypes.INTERNAL)

Internal users are NOT redirected to the app from root

def test_if_user_external_user(self):
    def test_if_user_external_user(self):
        """An EXTERNAL user requesting if-user is sent to the default application."""
        self._assert_redirects_to_app(url_name="if-user", user_type=UserTypes.EXTERNAL)

External users are redirected to the default app from if/user/

def test_if_user_service_account(self):
    def test_if_user_service_account(self):
        """A SERVICE_ACCOUNT user requesting if-user is sent to the default application."""
        self._assert_redirects_to_app(url_name="if-user", user_type=UserTypes.SERVICE_ACCOUNT)

Service accounts are redirected to the default app from if/user/

def test_if_user_internal_service_account(self):
    def test_if_user_internal_service_account(self):
        """An INTERNAL_SERVICE_ACCOUNT user requesting if-user is sent to the default application."""
        self._assert_redirects_to_app(
            url_name="if-user",
            user_type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
        )

Internal service accounts are redirected to the default app from if/user/

def test_if_user_internal_user(self):
    def test_if_user_internal_user(self):
        """An INTERNAL user requesting if-user is not sent to the default application."""
        self._assert_no_redirect(url_name="if-user", user_type=UserTypes.INTERNAL)

Internal users are NOT redirected to the app from if/user/

def test_if_admin_service_account(self):
    def test_if_admin_service_account(self):
        """A SERVICE_ACCOUNT user requesting if-admin is sent to the default application."""
        self._assert_redirects_to_app(url_name="if-admin", user_type=UserTypes.SERVICE_ACCOUNT)

Service accounts are redirected to the default app from if/admin/

def test_if_admin_internal_service_account(self):
    def test_if_admin_internal_service_account(self):
        """An INTERNAL_SERVICE_ACCOUNT user on if-admin is sent to the default application."""
        self._assert_redirects_to_app(
            url_name="if-admin",
            user_type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
        )

Internal service accounts are redirected to the default app from if/admin/

def test_if_admin_internal_user(self):
    def test_if_admin_internal_user(self):
        """An INTERNAL user requesting if-admin is not sent to the default application."""
        self._assert_no_redirect(url_name="if-admin", user_type=UserTypes.INTERNAL)

Internal users are NOT redirected to the app from if/admin/

def test_service_account_no_default_app_access_denied(self):
    def test_service_account_no_default_app_access_denied(self):
        """With no default application on the brand, a service account gets the denial page."""
        brand = self.brand
        brand.default_application = None
        brand.save()
        service_account = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
        self.client.force_login(service_account)
        interface_url = reverse("authentik_core:if-user")
        response = self.client.get(interface_url)
        # The denial is a rendered page with status 200; the body text identifies it.
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"Interface can only be accessed by internal users", response.content)

Service accounts get access denied when no default app is configured