authentik.rbac.tests.test_api_filters
RBAC role tests
1"""RBAC role tests""" 2 3from django.urls import reverse 4from rest_framework.test import APITestCase 5 6from authentik.core.models import Group 7from authentik.core.tests.utils import create_test_admin_user, create_test_user 8from authentik.lib.generators import generate_id 9from authentik.rbac.models import Role 10from authentik.stages.invitation.api import InvitationSerializer 11from authentik.stages.invitation.models import Invitation 12 13 14class TestAPIPerms(APITestCase): 15 """Test API Permission and filtering""" 16 17 def setUp(self) -> None: 18 self.superuser = create_test_admin_user() 19 20 self.user = create_test_user() 21 self.role = Role.objects.create(name=generate_id()) 22 self.group = Group.objects.create(name=generate_id()) 23 self.group.roles.add(self.role) 24 self.group.users.add(self.user) 25 26 def test_list_simple(self): 27 """Test list (single object, role has global permission)""" 28 self.client.force_login(self.user) 29 self.role.assign_perms("authentik_stages_invitation.view_invitation") 30 31 Invitation.objects.all().delete() 32 inv = Invitation.objects.create( 33 name=generate_id(), 34 created_by=self.superuser, 35 ) 36 res = self.client.get(reverse("authentik_api:invitation-list")) 37 self.assertEqual(res.status_code, 200) 38 self.assertJSONEqual( 39 res.content.decode(), 40 { 41 "autocomplete": {}, 42 "pagination": { 43 "next": 0, 44 "previous": 0, 45 "count": 1, 46 "current": 1, 47 "total_pages": 1, 48 "start_index": 1, 49 "end_index": 1, 50 }, 51 "results": [ 52 InvitationSerializer(instance=inv).data, 53 ], 54 }, 55 ) 56 57 def test_list_object_perm(self): 58 """Test list""" 59 self.client.force_login(self.user) 60 61 Invitation.objects.all().delete() 62 Invitation.objects.create( 63 name=generate_id(), 64 created_by=self.superuser, 65 ) 66 inv2 = Invitation.objects.create( 67 name=generate_id(), 68 created_by=self.superuser, 69 ) 70 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv2) 71 72 res = self.client.get(reverse("authentik_api:invitation-list")) 73 self.assertEqual(res.status_code, 200) 74 self.assertJSONEqual( 75 res.content.decode(), 76 { 77 "autocomplete": {}, 78 "pagination": { 79 "next": 0, 80 "previous": 0, 81 "count": 1, 82 "current": 1, 83 "total_pages": 1, 84 "start_index": 1, 85 "end_index": 1, 86 }, 87 "results": [ 88 InvitationSerializer(instance=inv2).data, 89 ], 90 }, 91 ) 92 93 def test_list_denied(self): 94 """Test list without adding permission""" 95 self.client.force_login(self.user) 96 97 res = self.client.get(reverse("authentik_api:invitation-list")) 98 self.assertEqual(res.status_code, 403) 99 self.assertJSONEqual( 100 res.content.decode(), 101 {"detail": "You do not have permission to perform this action."}, 102 ) 103 104 def test_create_simple(self): 105 """Test create with permission""" 106 self.client.force_login(self.user) 107 self.role.assign_perms("authentik_stages_invitation.add_invitation") 108 res = self.client.post( 109 reverse("authentik_api:invitation-list"), 110 data={ 111 "name": generate_id(), 112 }, 113 ) 114 self.assertEqual(res.status_code, 201) 115 116 def test_create_simple_denied(self): 117 """Test create without assigning permission""" 118 self.client.force_login(self.user) 119 res = self.client.post( 120 reverse("authentik_api:invitation-list"), 121 data={ 122 "name": generate_id(), 123 }, 124 ) 125 self.assertEqual(res.status_code, 403) 126 127 def test_update_simple(self): 128 """Test update with permission""" 129 self.client.force_login(self.user) 130 inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser) 131 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 132 self.role.assign_perms("authentik_stages_invitation.change_invitation", obj=inv) 133 res = self.client.patch( 134 reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}), 135 data={ 136 "name": generate_id(), 137 }, 138 ) 139 self.assertEqual(res.status_code, 200) 140 141 def test_update_simple_denied(self): 142 """Test update without assigning permission""" 143 self.client.force_login(self.user) 144 inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser) 145 res = self.client.patch( 146 reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}), 147 data={ 148 "name": generate_id(), 149 }, 150 ) 151 self.assertEqual(res.status_code, 403) 152 153 def test_anonymous_user_denied(self): 154 """Test anonymous user denied""" 155 res = self.client.get(reverse("authentik_api:invitation-list")) 156 self.assertEqual(res.status_code, 403) 157 158 res = self.client.get(reverse("authentik_api:user-detail", kwargs={"pk": self.user.pk})) 159 self.assertEqual(res.status_code, 403)
class
TestAPIPerms(rest_framework.test.APITestCase):
15class TestAPIPerms(APITestCase): 16 """Test API Permission and filtering""" 17 18 def setUp(self) -> None: 19 self.superuser = create_test_admin_user() 20 21 self.user = create_test_user() 22 self.role = Role.objects.create(name=generate_id()) 23 self.group = Group.objects.create(name=generate_id()) 24 self.group.roles.add(self.role) 25 self.group.users.add(self.user) 26 27 def test_list_simple(self): 28 """Test list (single object, role has global permission)""" 29 self.client.force_login(self.user) 30 self.role.assign_perms("authentik_stages_invitation.view_invitation") 31 32 Invitation.objects.all().delete() 33 inv = Invitation.objects.create( 34 name=generate_id(), 35 created_by=self.superuser, 36 ) 37 res = self.client.get(reverse("authentik_api:invitation-list")) 38 self.assertEqual(res.status_code, 200) 39 self.assertJSONEqual( 40 res.content.decode(), 41 { 42 "autocomplete": {}, 43 "pagination": { 44 "next": 0, 45 "previous": 0, 46 "count": 1, 47 "current": 1, 48 "total_pages": 1, 49 "start_index": 1, 50 "end_index": 1, 51 }, 52 "results": [ 53 InvitationSerializer(instance=inv).data, 54 ], 55 }, 56 ) 57 58 def test_list_object_perm(self): 59 """Test list""" 60 self.client.force_login(self.user) 61 62 Invitation.objects.all().delete() 63 Invitation.objects.create( 64 name=generate_id(), 65 created_by=self.superuser, 66 ) 67 inv2 = Invitation.objects.create( 68 name=generate_id(), 69 created_by=self.superuser, 70 ) 71 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv2) 72 73 res = self.client.get(reverse("authentik_api:invitation-list")) 74 self.assertEqual(res.status_code, 200) 75 self.assertJSONEqual( 76 res.content.decode(), 77 { 78 "autocomplete": {}, 79 "pagination": { 80 "next": 0, 81 "previous": 0, 82 "count": 1, 83 "current": 1, 84 "total_pages": 1, 85 "start_index": 1, 86 "end_index": 1, 87 }, 88 "results": [ 89 InvitationSerializer(instance=inv2).data, 90 ], 91 }, 92 ) 93 94 def test_list_denied(self): 95 """Test list without adding permission""" 96 self.client.force_login(self.user) 97 98 res = self.client.get(reverse("authentik_api:invitation-list")) 99 self.assertEqual(res.status_code, 403) 100 self.assertJSONEqual( 101 res.content.decode(), 102 {"detail": "You do not have permission to perform this action."}, 103 ) 104 105 def test_create_simple(self): 106 """Test create with permission""" 107 self.client.force_login(self.user) 108 self.role.assign_perms("authentik_stages_invitation.add_invitation") 109 res = self.client.post( 110 reverse("authentik_api:invitation-list"), 111 data={ 112 "name": generate_id(), 113 }, 114 ) 115 self.assertEqual(res.status_code, 201) 116 117 def test_create_simple_denied(self): 118 """Test create without assigning permission""" 119 self.client.force_login(self.user) 120 res = self.client.post( 121 reverse("authentik_api:invitation-list"), 122 data={ 123 "name": generate_id(), 124 }, 125 ) 126 self.assertEqual(res.status_code, 403) 127 128 def test_update_simple(self): 129 """Test update with permission""" 130 self.client.force_login(self.user) 131 inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser) 132 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 133 self.role.assign_perms("authentik_stages_invitation.change_invitation", obj=inv) 134 res = self.client.patch( 135 reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}), 136 data={ 137 "name": generate_id(), 138 }, 139 ) 140 self.assertEqual(res.status_code, 200) 141 142 def test_update_simple_denied(self): 143 """Test update without assigning permission""" 144 self.client.force_login(self.user) 145 inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser) 146 res = self.client.patch( 147 reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}), 148 data={ 149 "name": generate_id(), 150 }, 151 ) 152 self.assertEqual(res.status_code, 403) 153 154 def test_anonymous_user_denied(self): 155 """Test anonymous user denied""" 156 res = self.client.get(reverse("authentik_api:invitation-list")) 157 self.assertEqual(res.status_code, 403) 158 159 res = self.client.get(reverse("authentik_api:user-detail", kwargs={"pk": self.user.pk})) 160 self.assertEqual(res.status_code, 403)
Test API Permission and filtering
def
setUp(self) -> None:
18 def setUp(self) -> None: 19 self.superuser = create_test_admin_user() 20 21 self.user = create_test_user() 22 self.role = Role.objects.create(name=generate_id()) 23 self.group = Group.objects.create(name=generate_id()) 24 self.group.roles.add(self.role) 25 self.group.users.add(self.user)
Hook method for setting up the test fixture before exercising it.
def
test_list_simple(self):
27 def test_list_simple(self): 28 """Test list (single object, role has global permission)""" 29 self.client.force_login(self.user) 30 self.role.assign_perms("authentik_stages_invitation.view_invitation") 31 32 Invitation.objects.all().delete() 33 inv = Invitation.objects.create( 34 name=generate_id(), 35 created_by=self.superuser, 36 ) 37 res = self.client.get(reverse("authentik_api:invitation-list")) 38 self.assertEqual(res.status_code, 200) 39 self.assertJSONEqual( 40 res.content.decode(), 41 { 42 "autocomplete": {}, 43 "pagination": { 44 "next": 0, 45 "previous": 0, 46 "count": 1, 47 "current": 1, 48 "total_pages": 1, 49 "start_index": 1, 50 "end_index": 1, 51 }, 52 "results": [ 53 InvitationSerializer(instance=inv).data, 54 ], 55 }, 56 )
Test list (single object, role has global permission)
def
test_list_object_perm(self):
58 def test_list_object_perm(self): 59 """Test list""" 60 self.client.force_login(self.user) 61 62 Invitation.objects.all().delete() 63 Invitation.objects.create( 64 name=generate_id(), 65 created_by=self.superuser, 66 ) 67 inv2 = Invitation.objects.create( 68 name=generate_id(), 69 created_by=self.superuser, 70 ) 71 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv2) 72 73 res = self.client.get(reverse("authentik_api:invitation-list")) 74 self.assertEqual(res.status_code, 200) 75 self.assertJSONEqual( 76 res.content.decode(), 77 { 78 "autocomplete": {}, 79 "pagination": { 80 "next": 0, 81 "previous": 0, 82 "count": 1, 83 "current": 1, 84 "total_pages": 1, 85 "start_index": 1, 86 "end_index": 1, 87 }, 88 "results": [ 89 InvitationSerializer(instance=inv2).data, 90 ], 91 }, 92 )
Test list
def
test_list_denied(self):
94 def test_list_denied(self): 95 """Test list without adding permission""" 96 self.client.force_login(self.user) 97 98 res = self.client.get(reverse("authentik_api:invitation-list")) 99 self.assertEqual(res.status_code, 403) 100 self.assertJSONEqual( 101 res.content.decode(), 102 {"detail": "You do not have permission to perform this action."}, 103 )
Test list without adding permission
def
test_create_simple(self):
105 def test_create_simple(self): 106 """Test create with permission""" 107 self.client.force_login(self.user) 108 self.role.assign_perms("authentik_stages_invitation.add_invitation") 109 res = self.client.post( 110 reverse("authentik_api:invitation-list"), 111 data={ 112 "name": generate_id(), 113 }, 114 ) 115 self.assertEqual(res.status_code, 201)
Test create with permission
def
test_create_simple_denied(self):
117 def test_create_simple_denied(self): 118 """Test create without assigning permission""" 119 self.client.force_login(self.user) 120 res = self.client.post( 121 reverse("authentik_api:invitation-list"), 122 data={ 123 "name": generate_id(), 124 }, 125 ) 126 self.assertEqual(res.status_code, 403)
Test create without assigning permission
def
test_update_simple(self):
128 def test_update_simple(self): 129 """Test update with permission""" 130 self.client.force_login(self.user) 131 inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser) 132 self.role.assign_perms("authentik_stages_invitation.view_invitation", obj=inv) 133 self.role.assign_perms("authentik_stages_invitation.change_invitation", obj=inv) 134 res = self.client.patch( 135 reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}), 136 data={ 137 "name": generate_id(), 138 }, 139 ) 140 self.assertEqual(res.status_code, 200)
Test update with permission
def
test_update_simple_denied(self):
142 def test_update_simple_denied(self): 143 """Test update without assigning permission""" 144 self.client.force_login(self.user) 145 inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser) 146 res = self.client.patch( 147 reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}), 148 data={ 149 "name": generate_id(), 150 }, 151 ) 152 self.assertEqual(res.status_code, 403)
Test update without assigning permission
def
test_anonymous_user_denied(self):
154 def test_anonymous_user_denied(self): 155 """Test anonymous user denied""" 156 res = self.client.get(reverse("authentik_api:invitation-list")) 157 self.assertEqual(res.status_code, 403) 158 159 res = self.client.get(reverse("authentik_api:user-detail", kwargs={"pk": self.user.pk})) 160 self.assertEqual(res.status_code, 403)
Test anonymous user denied