authentik.rbac.tests.test_api_assigned_by_roles
Test RoleAssignedPermissionViewSet api
1"""Test RoleAssignedPermissionViewSet api""" 2 3from django.urls import reverse 4from rest_framework.test import APITestCase 5 6from authentik.core.models import Group 7from authentik.core.tests.utils import create_test_admin_user, create_test_user 8from authentik.lib.generators import generate_id 9from authentik.rbac.api.rbac_assigned_by_roles import RoleAssignedObjectPermissionSerializer 10from authentik.rbac.models import Role 11from authentik.stages.invitation.models import Invitation 12 13 14class TestRBACRoleAPI(APITestCase): 15 """Test RoleAssignedPermissionViewSet api""" 16 17 def setUp(self) -> None: 18 # Make sure we have no roles to start with (e.g. Read-only from blueprints) 19 Role.objects.all().delete() 20 21 self.superuser = create_test_admin_user() 22 23 self.user = create_test_user() 24 self.role = Role.objects.create(name=generate_id()) 25 self.group = Group.objects.create(name=generate_id()) 26 self.group.roles.add(self.role) 27 self.group.users.add(self.user) 28 29 def test_filter_assigned(self): 30 """Test RoleAssignedPermissionViewSet's filters""" 31 inv = Invitation.objects.create( 32 name=generate_id(), 33 created_by=self.superuser, 34 ) 35 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 36 # self.user doesn't have permissions to see their (object) permissions 37 self.client.force_login(self.superuser) 38 res = self.client.get( 39 reverse("authentik_api:permissions-assigned-by-roles-list"), 40 { 41 "model": "authentik_stages_invitation.invitation", 42 "object_pk": str(inv.pk), 43 "ordering": "pk", 44 }, 45 ) 46 self.assertEqual(res.status_code, 200) 47 self.assertJSONEqual( 48 res.content.decode(), 49 { 50 "autocomplete": {}, 51 "pagination": { 52 "next": 0, 53 "previous": 0, 54 "count": 1, 55 "current": 1, 56 "total_pages": 1, 57 "start_index": 1, 58 "end_index": 1, 59 }, 60 "results": [ 61 RoleAssignedObjectPermissionSerializer(instance=self.role).data, 62 ], 63 }, 64 ) 65 66 def test_assign_global(self): 67 """Test permission assign""" 68 self.client.force_login(self.superuser) 69 res = self.client.post( 70 reverse( 71 "authentik_api:permissions-assigned-by-roles-assign", 72 kwargs={ 73 "pk": self.role.pk, 74 }, 75 ), 76 { 77 "permissions": ["authentik_stages_invitation.view_invitation"], 78 }, 79 ) 80 self.assertEqual(res.status_code, 200) 81 self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation")) 82 83 def test_assign_object(self): 84 """Test permission assign (object)""" 85 inv = Invitation.objects.create( 86 name=generate_id(), 87 created_by=self.superuser, 88 ) 89 self.client.force_login(self.superuser) 90 res = self.client.post( 91 reverse( 92 "authentik_api:permissions-assigned-by-roles-assign", 93 kwargs={ 94 "pk": self.role.pk, 95 }, 96 ), 97 { 98 "permissions": ["authentik_stages_invitation.view_invitation"], 99 "model": "authentik_stages_invitation.invitation", 100 "object_pk": str(inv.pk), 101 }, 102 ) 103 self.assertEqual(res.status_code, 200) 104 self.assertTrue( 105 self.user.has_perm( 106 "authentik_stages_invitation.view_invitation", 107 inv, 108 ) 109 ) 110 111 def test_unassign_global(self): 112 """Test permission unassign""" 113 self.role.assign_perms("authentik_stages_invitation.view_invitation") 114 self.client.force_login(self.superuser) 115 res = self.client.patch( 116 reverse( 117 "authentik_api:permissions-assigned-by-roles-unassign", 118 kwargs={ 119 "pk": str(self.role.pk), 120 }, 121 ), 122 { 123 "permissions": ["authentik_stages_invitation.view_invitation"], 124 }, 125 ) 126 self.assertEqual(res.status_code, 204) 127 self.assertFalse(self.user.has_perm("authentik_stages_invitation.view_invitation")) 128 129 def test_unassign_object(self): 130 """Test permission unassign (object)""" 131 inv = Invitation.objects.create( 132 name=generate_id(), 133 created_by=self.superuser, 134 ) 135 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 136 self.client.force_login(self.superuser) 137 res = self.client.patch( 138 reverse( 139 "authentik_api:permissions-assigned-by-roles-unassign", 140 kwargs={ 141 "pk": str(self.role.pk), 142 }, 143 ), 144 { 145 "permissions": ["authentik_stages_invitation.view_invitation"], 146 "model": "authentik_stages_invitation.invitation", 147 "object_pk": str(inv.pk), 148 }, 149 ) 150 self.assertEqual(res.status_code, 204) 151 self.assertFalse( 152 self.user.has_perm( 153 "authentik_stages_invitation.view_invitation", 154 inv, 155 ) 156 )
class
TestRBACRoleAPI(rest_framework.test.APITestCase):
15class TestRBACRoleAPI(APITestCase): 16 """Test RoleAssignedPermissionViewSet api""" 17 18 def setUp(self) -> None: 19 # Make sure we have no roles to start with (e.g. Read-only from blueprints) 20 Role.objects.all().delete() 21 22 self.superuser = create_test_admin_user() 23 24 self.user = create_test_user() 25 self.role = Role.objects.create(name=generate_id()) 26 self.group = Group.objects.create(name=generate_id()) 27 self.group.roles.add(self.role) 28 self.group.users.add(self.user) 29 30 def test_filter_assigned(self): 31 """Test RoleAssignedPermissionViewSet's filters""" 32 inv = Invitation.objects.create( 33 name=generate_id(), 34 created_by=self.superuser, 35 ) 36 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 37 # self.user doesn't have permissions to see their (object) permissions 38 self.client.force_login(self.superuser) 39 res = self.client.get( 40 reverse("authentik_api:permissions-assigned-by-roles-list"), 41 { 42 "model": "authentik_stages_invitation.invitation", 43 "object_pk": str(inv.pk), 44 "ordering": "pk", 45 }, 46 ) 47 self.assertEqual(res.status_code, 200) 48 self.assertJSONEqual( 49 res.content.decode(), 50 { 51 "autocomplete": {}, 52 "pagination": { 53 "next": 0, 54 "previous": 0, 55 "count": 1, 56 "current": 1, 57 "total_pages": 1, 58 "start_index": 1, 59 "end_index": 1, 60 }, 61 "results": [ 62 RoleAssignedObjectPermissionSerializer(instance=self.role).data, 63 ], 64 }, 65 ) 66 67 def test_assign_global(self): 68 """Test permission assign""" 69 self.client.force_login(self.superuser) 70 res = self.client.post( 71 reverse( 72 "authentik_api:permissions-assigned-by-roles-assign", 73 kwargs={ 74 "pk": self.role.pk, 75 }, 76 ), 77 { 78 "permissions": ["authentik_stages_invitation.view_invitation"], 79 }, 80 ) 81 self.assertEqual(res.status_code, 200) 82 self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation")) 83 84 def test_assign_object(self): 85 """Test permission assign (object)""" 86 inv = Invitation.objects.create( 87 name=generate_id(), 88 created_by=self.superuser, 89 ) 90 self.client.force_login(self.superuser) 91 res = self.client.post( 92 reverse( 93 "authentik_api:permissions-assigned-by-roles-assign", 94 kwargs={ 95 "pk": self.role.pk, 96 }, 97 ), 98 { 99 "permissions": ["authentik_stages_invitation.view_invitation"], 100 "model": "authentik_stages_invitation.invitation", 101 "object_pk": str(inv.pk), 102 }, 103 ) 104 self.assertEqual(res.status_code, 200) 105 self.assertTrue( 106 self.user.has_perm( 107 "authentik_stages_invitation.view_invitation", 108 inv, 109 ) 110 ) 111 112 def test_unassign_global(self): 113 """Test permission unassign""" 114 self.role.assign_perms("authentik_stages_invitation.view_invitation") 115 self.client.force_login(self.superuser) 116 res = self.client.patch( 117 reverse( 118 "authentik_api:permissions-assigned-by-roles-unassign", 119 kwargs={ 120 "pk": str(self.role.pk), 121 }, 122 ), 123 { 124 "permissions": ["authentik_stages_invitation.view_invitation"], 125 }, 126 ) 127 self.assertEqual(res.status_code, 204) 128 self.assertFalse(self.user.has_perm("authentik_stages_invitation.view_invitation")) 129 130 def test_unassign_object(self): 131 """Test permission unassign (object)""" 132 inv = Invitation.objects.create( 133 name=generate_id(), 134 created_by=self.superuser, 135 ) 136 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 137 self.client.force_login(self.superuser) 138 res = self.client.patch( 139 reverse( 140 "authentik_api:permissions-assigned-by-roles-unassign", 141 kwargs={ 142 "pk": str(self.role.pk), 143 }, 144 ), 145 { 146 "permissions": ["authentik_stages_invitation.view_invitation"], 147 "model": "authentik_stages_invitation.invitation", 148 "object_pk": str(inv.pk), 149 }, 150 ) 151 self.assertEqual(res.status_code, 204) 152 self.assertFalse( 153 self.user.has_perm( 154 "authentik_stages_invitation.view_invitation", 155 inv, 156 ) 157 )
Test RoleAssignedPermissionViewSet api
def
setUp(self) -> None:
18 def setUp(self) -> None: 19 # Make sure we have no roles to start with (e.g. Read-only from blueprints) 20 Role.objects.all().delete() 21 22 self.superuser = create_test_admin_user() 23 24 self.user = create_test_user() 25 self.role = Role.objects.create(name=generate_id()) 26 self.group = Group.objects.create(name=generate_id()) 27 self.group.roles.add(self.role) 28 self.group.users.add(self.user)
Hook method for setting up the test fixture before exercising it.
def
test_filter_assigned(self):
30 def test_filter_assigned(self): 31 """Test RoleAssignedPermissionViewSet's filters""" 32 inv = Invitation.objects.create( 33 name=generate_id(), 34 created_by=self.superuser, 35 ) 36 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 37 # self.user doesn't have permissions to see their (object) permissions 38 self.client.force_login(self.superuser) 39 res = self.client.get( 40 reverse("authentik_api:permissions-assigned-by-roles-list"), 41 { 42 "model": "authentik_stages_invitation.invitation", 43 "object_pk": str(inv.pk), 44 "ordering": "pk", 45 }, 46 ) 47 self.assertEqual(res.status_code, 200) 48 self.assertJSONEqual( 49 res.content.decode(), 50 { 51 "autocomplete": {}, 52 "pagination": { 53 "next": 0, 54 "previous": 0, 55 "count": 1, 56 "current": 1, 57 "total_pages": 1, 58 "start_index": 1, 59 "end_index": 1, 60 }, 61 "results": [ 62 RoleAssignedObjectPermissionSerializer(instance=self.role).data, 63 ], 64 }, 65 )
Test RoleAssignedPermissionViewSet's filters
def
test_assign_global(self):
67 def test_assign_global(self): 68 """Test permission assign""" 69 self.client.force_login(self.superuser) 70 res = self.client.post( 71 reverse( 72 "authentik_api:permissions-assigned-by-roles-assign", 73 kwargs={ 74 "pk": self.role.pk, 75 }, 76 ), 77 { 78 "permissions": ["authentik_stages_invitation.view_invitation"], 79 }, 80 ) 81 self.assertEqual(res.status_code, 200) 82 self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation"))
Test permission assign
def
test_assign_object(self):
84 def test_assign_object(self): 85 """Test permission assign (object)""" 86 inv = Invitation.objects.create( 87 name=generate_id(), 88 created_by=self.superuser, 89 ) 90 self.client.force_login(self.superuser) 91 res = self.client.post( 92 reverse( 93 "authentik_api:permissions-assigned-by-roles-assign", 94 kwargs={ 95 "pk": self.role.pk, 96 }, 97 ), 98 { 99 "permissions": ["authentik_stages_invitation.view_invitation"], 100 "model": "authentik_stages_invitation.invitation", 101 "object_pk": str(inv.pk), 102 }, 103 ) 104 self.assertEqual(res.status_code, 200) 105 self.assertTrue( 106 self.user.has_perm( 107 "authentik_stages_invitation.view_invitation", 108 inv, 109 ) 110 )
Test permission assign (object)
def
test_unassign_global(self):
112 def test_unassign_global(self): 113 """Test permission unassign""" 114 self.role.assign_perms("authentik_stages_invitation.view_invitation") 115 self.client.force_login(self.superuser) 116 res = self.client.patch( 117 reverse( 118 "authentik_api:permissions-assigned-by-roles-unassign", 119 kwargs={ 120 "pk": str(self.role.pk), 121 }, 122 ), 123 { 124 "permissions": ["authentik_stages_invitation.view_invitation"], 125 }, 126 ) 127 self.assertEqual(res.status_code, 204) 128 self.assertFalse(self.user.has_perm("authentik_stages_invitation.view_invitation"))
Test permission unassign
def
test_unassign_object(self):
130 def test_unassign_object(self): 131 """Test permission unassign (object)""" 132 inv = Invitation.objects.create( 133 name=generate_id(), 134 created_by=self.superuser, 135 ) 136 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 137 self.client.force_login(self.superuser) 138 res = self.client.patch( 139 reverse( 140 "authentik_api:permissions-assigned-by-roles-unassign", 141 kwargs={ 142 "pk": str(self.role.pk), 143 }, 144 ), 145 { 146 "permissions": ["authentik_stages_invitation.view_invitation"], 147 "model": "authentik_stages_invitation.invitation", 148 "object_pk": str(inv.pk), 149 }, 150 ) 151 self.assertEqual(res.status_code, 204) 152 self.assertFalse( 153 self.user.has_perm( 154 "authentik_stages_invitation.view_invitation", 155 inv, 156 ) 157 )
Test permission unassign (object)