authentik.rbac.tests.test_initial_permissions
Test InitialPermissions
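"""Test InitialPermissions"""

from django.contrib.auth.models import Permission
from rest_framework.reverse import reverse
from rest_framework.test import APITestCase

from authentik.core.models import Group
from authentik.core.tests.utils import create_test_user
from authentik.lib.generators import generate_id
from authentik.rbac.models import InitialPermissions, Role
from authentik.stages.dummy.models import DummyStage


class TestInitialPermissions(APITestCase):
    """Test InitialPermissions

    Every test creates an object through the API as ``self.user`` and then checks which
    users hold permissions on that object, given the InitialPermissions built in ``setUp``.
    """

    def setUp(self) -> None:
        """Create three users, two roles attached to two groups, and one InitialPermissions.

        ``self.user`` and ``self.same_role_user`` are members of ``self.group`` (which carries
        ``self.role``); ``self.different_role_user`` is a member of ``self.different_group``
        (which carries ``self.different_role``). ``self.ip`` is bound to ``self.role`` and
        holds the ``view_role`` permission.
        """
        self.user = create_test_user()
        self.same_role_user = create_test_user()
        self.different_role_user = create_test_user()

        self.role = Role.objects.create(name=generate_id())
        self.different_role = Role.objects.create(name=generate_id())

        self.group = Group.objects.create(name=generate_id())
        self.different_group = Group.objects.create(name=generate_id())

        self.group.roles.add(self.role)
        self.group.users.add(self.user, self.same_role_user)
        self.different_group.roles.add(self.different_role)
        self.different_group.users.add(self.different_role_user)

        self.ip = InitialPermissions.objects.create(name=generate_id(), role=self.role)
        # NOTE(review): the lookup is by codename only; it assumes a single ``view_role``
        # permission exists across installed apps -- confirm.
        self.view_role = Permission.objects.filter(codename="view_role").first()
        self.ip.permissions.add(self.view_role)

        # The acting user only gets what is needed to create roles through the API.
        self.user.assign_perms_to_managed_role("authentik_rbac.add_role")
        self.client.force_login(self.user)

    def test_different_role(self):
        """InitialPermissions for different role does nothing"""
        # Re-point the InitialPermissions at the role held by the other group.
        self.ip.role = self.different_role
        self.ip.save()

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        # Without this precondition a failed create would leave ``role`` as None and the
        # negative assertion below would pass without checking the new object.
        self.assertIsNotNone(role)
        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))

    def test_different_model(self):
        """InitialPermissions for different model does nothing"""
        self.user.assign_perms_to_managed_role("authentik_stages_dummy.add_dummystage")

        self.client.post(
            reverse("authentik_api:stages-dummy-list"), {"name": "test-stage", "throw-error": False}
        )

        # This test never creates a role named "test-role", so ``role`` is presumably None
        # here and the check is made without a specific Role object.
        role = Role.objects.filter(name="test-role").first()
        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))
        stage = DummyStage.objects.filter(name="test-stage").first()
        # Prove the stage exists so the negative assertion is about a real object.
        self.assertIsNotNone(stage)
        self.assertFalse(self.user.has_perm("authentik_stages_dummy.view_dummystage", stage))

    def test_single_permission(self):
        """InitialPermissions adds role permission"""
        self.ip.save()

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        # Both members of the group carrying ``self.role`` are expected to get the permission.
        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))

    def test_many_permissions(self):
        """InitialPermissions can add multiple permissions"""
        change_role = Permission.objects.filter(codename="change_role").first()
        self.ip.permissions.add(change_role)

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))

    def test_permissions_separated_by_role(self):
        """When the triggering user is part of two different roles with InitialPermissions it only
        adds permissions to the relevant role."""
        self.ip.save()
        # Second InitialPermissions: ``change_role`` bound to the other role.
        different_ip = InitialPermissions.objects.create(
            name=generate_id(), role=self.different_role
        )
        change_role = Permission.objects.filter(codename="change_role").first()
        different_ip.permissions.add(change_role)
        # The acting user now belongs to both groups.
        self.different_group.users.add(self.user)

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        # view_role follows self.role; change_role follows self.different_role.
        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))
        self.assertFalse(self.different_role_user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))
        self.assertFalse(self.same_role_user.has_perm("authentik_rbac.change_role", role))
        self.assertTrue(self.different_role_user.has_perm("authentik_rbac.change_role", role))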
class
TestInitialPermissions(rest_framework.test.APITestCase):
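class TestInitialPermissions(APITestCase):
    """Test InitialPermissions

    Every test creates an object through the API as ``self.user`` and then checks which
    users hold permissions on that object, given the InitialPermissions built in ``setUp``.
    """

    def setUp(self) -> None:
        """Create three users, two roles attached to two groups, and one InitialPermissions.

        ``self.user`` and ``self.same_role_user`` are members of ``self.group`` (which carries
        ``self.role``); ``self.different_role_user`` is a member of ``self.different_group``
        (which carries ``self.different_role``). ``self.ip`` is bound to ``self.role`` and
        holds the ``view_role`` permission.
        """
        self.user = create_test_user()
        self.same_role_user = create_test_user()
        self.different_role_user = create_test_user()

        self.role = Role.objects.create(name=generate_id())
        self.different_role = Role.objects.create(name=generate_id())

        self.group = Group.objects.create(name=generate_id())
        self.different_group = Group.objects.create(name=generate_id())

        self.group.roles.add(self.role)
        self.group.users.add(self.user, self.same_role_user)
        self.different_group.roles.add(self.different_role)
        self.different_group.users.add(self.different_role_user)

        self.ip = InitialPermissions.objects.create(name=generate_id(), role=self.role)
        # NOTE(review): the lookup is by codename only; it assumes a single ``view_role``
        # permission exists across installed apps -- confirm.
        self.view_role = Permission.objects.filter(codename="view_role").first()
        self.ip.permissions.add(self.view_role)

        # The acting user only gets what is needed to create roles through the API.
        self.user.assign_perms_to_managed_role("authentik_rbac.add_role")
        self.client.force_login(self.user)

    def test_different_role(self):
        """InitialPermissions for different role does nothing"""
        # Re-point the InitialPermissions at the role held by the other group.
        self.ip.role = self.different_role
        self.ip.save()

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        # Without this precondition a failed create would leave ``role`` as None and the
        # negative assertion below would pass without checking the new object.
        self.assertIsNotNone(role)
        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))

    def test_different_model(self):
        """InitialPermissions for different model does nothing"""
        self.user.assign_perms_to_managed_role("authentik_stages_dummy.add_dummystage")

        self.client.post(
            reverse("authentik_api:stages-dummy-list"), {"name": "test-stage", "throw-error": False}
        )

        # This test never creates a role named "test-role", so ``role`` is presumably None
        # here and the check is made without a specific Role object.
        role = Role.objects.filter(name="test-role").first()
        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))
        stage = DummyStage.objects.filter(name="test-stage").first()
        # Prove the stage exists so the negative assertion is about a real object.
        self.assertIsNotNone(stage)
        self.assertFalse(self.user.has_perm("authentik_stages_dummy.view_dummystage", stage))

    def test_single_permission(self):
        """InitialPermissions adds role permission"""
        self.ip.save()

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        # Both members of the group carrying ``self.role`` are expected to get the permission.
        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))

    def test_many_permissions(self):
        """InitialPermissions can add multiple permissions"""
        change_role = Permission.objects.filter(codename="change_role").first()
        self.ip.permissions.add(change_role)

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))

    def test_permissions_separated_by_role(self):
        """When the triggering user is part of two different roles with InitialPermissions it only
        adds permissions to the relevant role."""
        self.ip.save()
        # Second InitialPermissions: ``change_role`` bound to the other role.
        different_ip = InitialPermissions.objects.create(
            name=generate_id(), role=self.different_role
        )
        change_role = Permission.objects.filter(codename="change_role").first()
        different_ip.permissions.add(change_role)
        # The acting user now belongs to both groups.
        self.different_group.users.add(self.user)

        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

        role = Role.objects.filter(name="test-role").first()
        # view_role follows self.role; change_role follows self.different_role.
        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))
        self.assertFalse(self.different_role_user.has_perm("authentik_rbac.view_role", role))
        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))
        self.assertFalse(self.same_role_user.has_perm("authentik_rbac.change_role", role))
        self.assertTrue(self.different_role_user.has_perm("authentik_rbac.change_role", role))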
Test InitialPermissions
def
setUp(self) -> None:
def setUp(self) -> None:
    """Build the fixture: three users, two role/group pairs and one InitialPermissions.

    ``self.user`` and ``self.same_role_user`` join the group that carries ``self.role``;
    ``self.different_role_user`` joins the group that carries ``self.different_role``.
    ``self.ip`` is tied to ``self.role`` and holds ``view_role``. ``self.user`` receives
    ``authentik_rbac.add_role`` and is logged in on the test client.
    """
    self.user, self.same_role_user, self.different_role_user = (
        create_test_user() for _ in range(3)
    )
    self.role, self.different_role = (
        Role.objects.create(name=generate_id()) for _ in range(2)
    )
    self.group, self.different_group = (
        Group.objects.create(name=generate_id()) for _ in range(2)
    )

    # Attach each role to its group, then enrol that group's members.
    memberships = (
        (self.group, self.role, (self.user, self.same_role_user)),
        (self.different_group, self.different_role, (self.different_role_user,)),
    )
    for group, role, members in memberships:
        group.roles.add(role)
        group.users.add(*members)

    # The permission is looked up by codename only, exactly as the tests expect it.
    self.view_role = Permission.objects.filter(codename="view_role").first()
    self.ip = InitialPermissions.objects.create(name=generate_id(), role=self.role)
    self.ip.permissions.add(self.view_role)

    # The acting user may create roles and nothing else is granted here.
    self.user.assign_perms_to_managed_role("authentik_rbac.add_role")
    self.client.force_login(self.user)
Hook method for setting up the test fixture before exercising it.
def
test_different_role(self):
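def test_different_role(self):
    """InitialPermissions for different role does nothing"""
    # Re-point the InitialPermissions at the role carried by the other group.
    self.ip.role = self.different_role
    self.ip.save()

    self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})

    role = Role.objects.filter(name="test-role").first()
    # Without this precondition a failed create would leave ``role`` as None and the
    # negative assertion below would pass without checking the new object.
    self.assertIsNotNone(role)
    self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))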
InitialPermissions for different role does nothing
def
test_different_model(self):
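def test_different_model(self):
    """InitialPermissions for different model does nothing"""
    self.user.assign_perms_to_managed_role("authentik_stages_dummy.add_dummystage")

    self.client.post(
        reverse("authentik_api:stages-dummy-list"), {"name": "test-stage", "throw-error": False}
    )

    # This test never creates a role named "test-role", so ``role`` is presumably None
    # here and the check is made without a specific Role object.
    role = Role.objects.filter(name="test-role").first()
    self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))
    stage = DummyStage.objects.filter(name="test-stage").first()
    # Prove the stage exists so the negative assertion is about a real object; a failed
    # create would otherwise let it pass without testing anything.
    self.assertIsNotNone(stage)
    self.assertFalse(self.user.has_perm("authentik_stages_dummy.view_dummystage", stage))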
InitialPermissions for different model does nothing
def
test_single_permission(self):
def test_single_permission(self):
    """A role created via the API is viewable by both users in the group carrying the role."""
    self.ip.save()

    roles_url = reverse("authentik_api:roles-list")
    self.client.post(roles_url, {"name": "test-role"})

    created = Role.objects.filter(name="test-role").first()
    # The creator first, then the other member of the same group.
    for holder in (self.user, self.same_role_user):
        self.assertTrue(holder.has_perm("authentik_rbac.view_role", created))
InitialPermissions adds role permission
def
test_many_permissions(self):
def test_many_permissions(self):
    """One InitialPermissions holding two permissions grants both on the created role."""
    extra_perm = Permission.objects.filter(codename="change_role").first()
    self.ip.permissions.add(extra_perm)

    roles_url = reverse("authentik_api:roles-list")
    self.client.post(roles_url, {"name": "test-role"})

    created = Role.objects.filter(name="test-role").first()
    # view_role comes from the fixture, change_role was added above.
    for perm in ("authentik_rbac.view_role", "authentik_rbac.change_role"):
        self.assertTrue(self.user.has_perm(perm, created))
InitialPermissions can add multiple permissions
def
test_permissions_separated_by_role(self):
def test_permissions_separated_by_role(self):
    """Two InitialPermissions on two roles each grant only to holders of their own role.

    The acting user is added to both groups; ``view_role`` is bound to ``self.role`` and
    ``change_role`` to ``self.different_role``.
    """
    self.ip.save()
    other_ip = InitialPermissions.objects.create(name=generate_id(), role=self.different_role)
    other_ip.permissions.add(Permission.objects.filter(codename="change_role").first())
    self.different_group.users.add(self.user)

    roles_url = reverse("authentik_api:roles-list")
    self.client.post(roles_url, {"name": "test-role"})

    created = Role.objects.filter(name="test-role").first()
    # (user, permission, expected outcome), checked in this order.
    expectations = (
        (self.user, "authentik_rbac.view_role", True),
        (self.same_role_user, "authentik_rbac.view_role", True),
        (self.different_role_user, "authentik_rbac.view_role", False),
        (self.user, "authentik_rbac.change_role", True),
        (self.same_role_user, "authentik_rbac.change_role", False),
        (self.different_role_user, "authentik_rbac.change_role", True),
    )
    for account, perm, expected in expectations:
        verify = self.assertTrue if expected else self.assertFalse
        verify(account.has_perm(perm, created))
When the triggering user is part of two different roles with InitialPermissions it only adds permissions to the relevant role.