authentik.core.tests.test_interface_views

Test interface view redirect behavior by user type

  1"""Test interface view redirect behavior by user type"""
  2
  3from django.test import TestCase
  4from django.urls import reverse
  5
  6from authentik.brands.models import Brand
  7from authentik.core.models import Application, UserTypes
  8from authentik.core.tests.utils import create_test_brand, create_test_user
  9
 10
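class TestInterfaceRedirects(TestCase):
    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type.

    Each test logs in a freshly created user of one ``UserTypes`` value and
    requests one of the ``authentik_core`` interface URLs. External users and
    both service-account types are expected to be sent to the brand's default
    application; internal users are expected to stay on the interface.
    """

    # Text of the access-denied page. That page is served with status 200 (see
    # test_service_account_no_default_app_access_denied), so a status-code
    # check alone cannot tell it apart from a rendered interface.
    ACCESS_DENIED_MESSAGE = b"Interface can only be accessed by internal users"

    def setUp(self):
        """Create an application and a brand that uses it as default application."""
        self.app = Application.objects.create(name="test-app", slug="test-app")
        self.brand: Brand = create_test_brand(default_application=self.app)

    def _app_launch_url(self) -> str:
        """Return the launch URL of the application created in setUp."""
        return reverse(
            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
        )

    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is redirected to the default app.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace.
            user_type: type given to the user that is created and logged in.
        """
        user = create_test_user(type=user_type)
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # The redirect target is not fetched; only the redirect itself is checked.
        self.assertRedirects(
            response,
            self._app_launch_url(),
            fetch_redirect_response=False,
        )

    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is let through to the interface.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace.
            user_type: type given to the user that is created and logged in.
        """
        user = create_test_user(type=user_type)
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
        self.assertNotEqual(response.get("Location"), self._app_launch_url())
        # "Not redirected to the app" is also true of an error response and of
        # the access-denied page, so rule both out explicitly; otherwise this
        # helper would keep passing if internal users were locked out.
        self.assertLess(response.status_code, 400)
        self.assertNotIn(self.ACCESS_DENIED_MESSAGE, response.content)

    # --- RootRedirectView ---

    def test_root_redirect_external_user(self):
        """External users are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)

    def test_root_redirect_service_account(self):
        """Service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)

    def test_root_redirect_internal_service_account(self):
        """Internal service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_root_redirect_internal_user(self):
        """Internal users are NOT redirected to the app from root"""
        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/user/) ---

    def test_if_user_external_user(self):
        """External users are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)

    def test_if_user_service_account(self):
        """Service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)

    def test_if_user_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_user_internal_user(self):
        """Internal users are NOT redirected to the app from if/user/"""
        self._assert_no_redirect("if-user", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/admin/) ---
    # NOTE(review): this class has no if/admin/ case for UserTypes.EXTERNAL,
    # although root and if/user/ both have one. Confirm whether that is
    # deliberate; the admin interface is the most sensitive of the three.

    def test_if_admin_service_account(self):
        """Service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)

    def test_if_admin_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_admin_internal_user(self):
        """Internal users are NOT redirected to the app from if/admin/"""
        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)

    # --- No default app set ---
    # NOTE(review): only SERVICE_ACCOUNT on if-user is exercised here; the
    # other non-internal types and if-admin are not covered for this case.

    def test_service_account_no_default_app_access_denied(self):
        """Service accounts get access denied when no default app is configured"""
        self.brand.default_application = None
        self.brand.save()
        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
        self.client.force_login(user)
        response = self.client.get(reverse("authentik_core:if-user"))
        # The denial is rendered as a page, not returned as an error status.
        self.assertEqual(response.status_code, 200)
        self.assertIn(self.ACCESS_DENIED_MESSAGE, response.content)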
class TestInterfaceRedirects(django.test.testcases.TestCase):
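class TestInterfaceRedirects(TestCase):
    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type.

    Each test logs in a freshly created user of one ``UserTypes`` value and
    requests one of the ``authentik_core`` interface URLs. External users and
    both service-account types are expected to be sent to the brand's default
    application; internal users are expected to stay on the interface.
    """

    # Text of the access-denied page. That page is served with status 200 (see
    # test_service_account_no_default_app_access_denied), so a status-code
    # check alone cannot tell it apart from a rendered interface.
    ACCESS_DENIED_MESSAGE = b"Interface can only be accessed by internal users"

    def setUp(self):
        """Create an application and a brand that uses it as default application."""
        self.app = Application.objects.create(name="test-app", slug="test-app")
        self.brand: Brand = create_test_brand(default_application=self.app)

    def _app_launch_url(self) -> str:
        """Return the launch URL of the application created in setUp."""
        return reverse(
            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
        )

    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is redirected to the default app.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace.
            user_type: type given to the user that is created and logged in.
        """
        user = create_test_user(type=user_type)
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # The redirect target is not fetched; only the redirect itself is checked.
        self.assertRedirects(
            response,
            self._app_launch_url(),
            fetch_redirect_response=False,
        )

    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
        """Assert that a user of ``user_type`` is let through to the interface.

        Args:
            url_name: URL name inside the ``authentik_core`` namespace.
            user_type: type given to the user that is created and logged in.
        """
        user = create_test_user(type=user_type)
        self.client.force_login(user)
        response = self.client.get(reverse(f"authentik_core:{url_name}"))
        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
        self.assertNotEqual(response.get("Location"), self._app_launch_url())
        # "Not redirected to the app" is also true of an error response and of
        # the access-denied page, so rule both out explicitly; otherwise this
        # helper would keep passing if internal users were locked out.
        self.assertLess(response.status_code, 400)
        self.assertNotIn(self.ACCESS_DENIED_MESSAGE, response.content)

    # --- RootRedirectView ---

    def test_root_redirect_external_user(self):
        """External users are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)

    def test_root_redirect_service_account(self):
        """Service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)

    def test_root_redirect_internal_service_account(self):
        """Internal service accounts are redirected to the default app from root"""
        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_root_redirect_internal_user(self):
        """Internal users are NOT redirected to the app from root"""
        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/user/) ---

    def test_if_user_external_user(self):
        """External users are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)

    def test_if_user_service_account(self):
        """Service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)

    def test_if_user_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/user/"""
        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_user_internal_user(self):
        """Internal users are NOT redirected to the app from if/user/"""
        self._assert_no_redirect("if-user", UserTypes.INTERNAL)

    # --- BrandDefaultRedirectView (if/admin/) ---
    # NOTE(review): this class has no if/admin/ case for UserTypes.EXTERNAL,
    # although root and if/user/ both have one. Confirm whether that is
    # deliberate; the admin interface is the most sensitive of the three.

    def test_if_admin_service_account(self):
        """Service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)

    def test_if_admin_internal_service_account(self):
        """Internal service accounts are redirected to the default app from if/admin/"""
        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)

    def test_if_admin_internal_user(self):
        """Internal users are NOT redirected to the app from if/admin/"""
        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)

    # --- No default app set ---
    # NOTE(review): only SERVICE_ACCOUNT on if-user is exercised here; the
    # other non-internal types and if-admin are not covered for this case.

    def test_service_account_no_default_app_access_denied(self):
        """Service accounts get access denied when no default app is configured"""
        self.brand.default_application = None
        self.brand.save()
        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
        self.client.force_login(user)
        response = self.client.get(reverse("authentik_core:if-user"))
        # The denial is rendered as a page, not returned as an error status.
        self.assertEqual(response.status_code, 200)
        self.assertIn(self.ACCESS_DENIED_MESSAGE, response.content)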

Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type

def setUp(self):
    def setUp(self):
        """Create the test application and a brand whose default application it is."""
        default_app = Application.objects.create(name="test-app", slug="test-app")
        self.app = default_app
        self.brand: Brand = create_test_brand(default_application=default_app)

Hook method for setting up the test fixture before exercising it.

def test_root_redirect_external_user(self):
    def test_root_redirect_external_user(self):
        """An external user requesting root is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="root-redirect",
            user_type=UserTypes.EXTERNAL,
        )

External users are redirected to the default app from root

def test_root_redirect_service_account(self):
    def test_root_redirect_service_account(self):
        """A service account requesting root is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="root-redirect",
            user_type=UserTypes.SERVICE_ACCOUNT,
        )

Service accounts are redirected to the default app from root

def test_root_redirect_internal_service_account(self):
    def test_root_redirect_internal_service_account(self):
        """An internal service account requesting root is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="root-redirect",
            user_type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
        )

Internal service accounts are redirected to the default app from root

def test_root_redirect_internal_user(self):
    def test_root_redirect_internal_user(self):
        """An internal user requesting root is not sent to the default app."""
        self._assert_no_redirect(
            url_name="root-redirect",
            user_type=UserTypes.INTERNAL,
        )

Internal users are NOT redirected to the app from root

def test_if_user_external_user(self):
    def test_if_user_external_user(self):
        """An external user requesting if/user/ is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="if-user",
            user_type=UserTypes.EXTERNAL,
        )

External users are redirected to the default app from if/user/

def test_if_user_service_account(self):
    def test_if_user_service_account(self):
        """A service account requesting if/user/ is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="if-user",
            user_type=UserTypes.SERVICE_ACCOUNT,
        )

Service accounts are redirected to the default app from if/user/

def test_if_user_internal_service_account(self):
    def test_if_user_internal_service_account(self):
        """An internal service account requesting if/user/ is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="if-user",
            user_type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
        )

Internal service accounts are redirected to the default app from if/user/

def test_if_user_internal_user(self):
    def test_if_user_internal_user(self):
        """An internal user requesting if/user/ is not sent to the default app."""
        self._assert_no_redirect(
            url_name="if-user",
            user_type=UserTypes.INTERNAL,
        )

Internal users are NOT redirected to the app from if/user/

def test_if_admin_service_account(self):
    def test_if_admin_service_account(self):
        """A service account requesting if/admin/ is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="if-admin",
            user_type=UserTypes.SERVICE_ACCOUNT,
        )

Service accounts are redirected to the default app from if/admin/

def test_if_admin_internal_service_account(self):
    def test_if_admin_internal_service_account(self):
        """An internal service account requesting if/admin/ is redirected to the default app."""
        self._assert_redirects_to_app(
            url_name="if-admin",
            user_type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
        )

Internal service accounts are redirected to the default app from if/admin/

def test_if_admin_internal_user(self):
    def test_if_admin_internal_user(self):
        """An internal user requesting if/admin/ is not sent to the default app."""
        self._assert_no_redirect(
            url_name="if-admin",
            user_type=UserTypes.INTERNAL,
        )

Internal users are NOT redirected to the app from if/admin/

def test_service_account_no_default_app_access_denied(self):
    def test_service_account_no_default_app_access_denied(self):
        """With no default application on the brand, a service account sees the denial page."""
        # Remove the default application that setUp attached to the brand.
        self.brand.default_application = None
        self.brand.save()

        service_account = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
        self.client.force_login(service_account)

        target_url = reverse("authentik_core:if-user")
        response = self.client.get(target_url)

        # The denial is rendered as a page with status 200, so the body text
        # is what identifies it.
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"Interface can only be accessed by internal users", response.content)

Service accounts get access denied when no default app is configured