authentik.rbac.tests.test_roles
RBAC role tests
1"""RBAC role tests""" 2 3from django.urls import reverse 4from rest_framework.test import APITestCase 5 6from authentik.core.models import Group, User 7from authentik.core.tests.utils import create_test_user 8from authentik.lib.generators import generate_id 9from authentik.rbac.models import Role 10 11 12class TestRoles(APITestCase): 13 """Test roles""" 14 15 def setUp(self) -> None: 16 self.login_user = create_test_user() 17 self.user = create_test_user() 18 19 def test_role_create(self): 20 """Test creation""" 21 group = Group.objects.create(name=generate_id()) 22 role = Role.objects.create(name=generate_id()) 23 role.save() 24 role.assign_perms("authentik_core.view_application") 25 group.roles.add(role) 26 group.users.add(self.user) 27 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 28 29 def test_role_create_add_reverse(self): 30 """Test creation (add user in reverse)""" 31 group = Group.objects.create(name=generate_id()) 32 role = Role.objects.create(name=generate_id()) 33 role.assign_perms("authentik_core.view_application") 34 group.roles.add(role) 35 self.user.groups.add(group) 36 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 37 38 def test_remove_group_delete(self): 39 """Test creation and remove""" 40 group = Group.objects.create(name=generate_id()) 41 role = Role.objects.create(name=generate_id()) 42 role.assign_perms("authentik_core.view_application") 43 group.roles.add(role) 44 group.users.add(self.user) 45 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 46 group.delete() 47 user = User.objects.get(username=self.user.username) 48 self.assertFalse(user.has_perm("authentik_core.view_application")) 49 50 def test_remove_roles_remove(self): 51 """Test assigning permission to role, then removing role from group""" 52 group = Group.objects.create(name=generate_id()) 53 role = Role.objects.create(name=generate_id()) 54 role.assign_perms("authentik_core.view_application") 55 group.roles.add(role) 56 group.users.add(self.user) 57 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 58 group.roles.remove(role) 59 user = User.objects.get(username=self.user.username) 60 self.assertFalse(user.has_perm("authentik_core.view_application")) 61 62 def test_remove_role_delete(self): 63 """Test assigning permissions to role, then removing role""" 64 group = Group.objects.create(name=generate_id()) 65 role = Role.objects.create(name=generate_id()) 66 role.assign_perms("authentik_core.view_application") 67 group.roles.add(role) 68 group.users.add(self.user) 69 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 70 role.delete() 71 user = User.objects.get(username=self.user.username) 72 self.assertFalse(user.has_perm("authentik_core.view_application")) 73 74 def test_remove_users_remove(self): 75 """Test assigning permission to role, then removing user from group""" 76 group = Group.objects.create(name=generate_id()) 77 role = Role.objects.create(name=generate_id()) 78 role.assign_perms("authentik_core.view_application") 79 group.roles.add(role) 80 group.users.add(self.user) 81 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 82 group.users.remove(self.user) 83 user = User.objects.get(username=self.user.username) 84 self.assertFalse(user.has_perm("authentik_core.view_application")) 85 86 def test_remove_users_remove_reverse(self): 87 """Test assigning permission to role, then removing user from group in reverse""" 88 group = Group.objects.create(name=generate_id()) 89 role = Role.objects.create(name=generate_id()) 90 role.assign_perms("authentik_core.view_application") 91 group.roles.add(role) 92 group.users.add(self.user) 93 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 94 self.user.groups.remove(group) 95 user = User.objects.get(username=self.user.username) 96 self.assertFalse(user.has_perm("authentik_core.view_application")) 97 98 def test_add_user_api(self): 99 """Test add_user""" 100 role = Role.objects.create(name=generate_id()) 101 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 102 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 103 self.client.force_login(self.login_user) 104 res = self.client.post( 105 reverse("authentik_api:roles-add-user", kwargs={"pk": role.pk}), 106 data={ 107 "pk": self.user.pk, 108 }, 109 ) 110 self.assertEqual(res.status_code, 204) 111 role.refresh_from_db() 112 self.assertEqual(list(role.users.all()), [self.user]) 113 114 def test_add_user_api_404(self): 115 """Test add_user""" 116 role = Role.objects.create(name=generate_id()) 117 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 118 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 119 self.client.force_login(self.login_user) 120 res = self.client.post( 121 reverse("authentik_api:roles-add-user", kwargs={"pk": role.pk}), 122 data={ 123 "pk": self.user.pk + 3, 124 }, 125 ) 126 self.assertEqual(res.status_code, 404) 127 128 def test_remove_user_api(self): 129 """Test remove_user""" 130 role = Role.objects.create(name=generate_id()) 131 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 132 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 133 role.users.add(self.user) 134 self.client.force_login(self.login_user) 135 res = self.client.post( 136 reverse("authentik_api:roles-remove-user", kwargs={"pk": role.pk}), 137 data={ 138 "pk": self.user.pk, 139 }, 140 ) 141 self.assertEqual(res.status_code, 204) 142 role.refresh_from_db() 143 self.assertEqual(list(role.users.all()), []) 144 145 def test_remove_user_404_api(self): 146 """Test remove_user""" 147 role = Role.objects.create(name=generate_id()) 148 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 149 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 150 role.users.add(self.user) 151 self.client.force_login(self.login_user) 152 res = self.client.post( 153 reverse("authentik_api:roles-remove-user", kwargs={"pk": role.pk}), 154 data={ 155 "pk": self.user.pk + 3, 156 }, 157 ) 158 self.assertEqual(res.status_code, 404)
class
TestRoles(rest_framework.test.APITestCase):
13class TestRoles(APITestCase): 14 """Test roles""" 15 16 def setUp(self) -> None: 17 self.login_user = create_test_user() 18 self.user = create_test_user() 19 20 def test_role_create(self): 21 """Test creation""" 22 group = Group.objects.create(name=generate_id()) 23 role = Role.objects.create(name=generate_id()) 24 role.save() 25 role.assign_perms("authentik_core.view_application") 26 group.roles.add(role) 27 group.users.add(self.user) 28 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 29 30 def test_role_create_add_reverse(self): 31 """Test creation (add user in reverse)""" 32 group = Group.objects.create(name=generate_id()) 33 role = Role.objects.create(name=generate_id()) 34 role.assign_perms("authentik_core.view_application") 35 group.roles.add(role) 36 self.user.groups.add(group) 37 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 38 39 def test_remove_group_delete(self): 40 """Test creation and remove""" 41 group = Group.objects.create(name=generate_id()) 42 role = Role.objects.create(name=generate_id()) 43 role.assign_perms("authentik_core.view_application") 44 group.roles.add(role) 45 group.users.add(self.user) 46 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 47 group.delete() 48 user = User.objects.get(username=self.user.username) 49 self.assertFalse(user.has_perm("authentik_core.view_application")) 50 51 def test_remove_roles_remove(self): 52 """Test assigning permission to role, then removing role from group""" 53 group = Group.objects.create(name=generate_id()) 54 role = Role.objects.create(name=generate_id()) 55 role.assign_perms("authentik_core.view_application") 56 group.roles.add(role) 57 group.users.add(self.user) 58 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 59 group.roles.remove(role) 60 user = User.objects.get(username=self.user.username) 61 self.assertFalse(user.has_perm("authentik_core.view_application")) 62 63 def test_remove_role_delete(self): 64 """Test assigning permissions to role, then removing role""" 65 group = Group.objects.create(name=generate_id()) 66 role = Role.objects.create(name=generate_id()) 67 role.assign_perms("authentik_core.view_application") 68 group.roles.add(role) 69 group.users.add(self.user) 70 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 71 role.delete() 72 user = User.objects.get(username=self.user.username) 73 self.assertFalse(user.has_perm("authentik_core.view_application")) 74 75 def test_remove_users_remove(self): 76 """Test assigning permission to role, then removing user from group""" 77 group = Group.objects.create(name=generate_id()) 78 role = Role.objects.create(name=generate_id()) 79 role.assign_perms("authentik_core.view_application") 80 group.roles.add(role) 81 group.users.add(self.user) 82 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 83 group.users.remove(self.user) 84 user = User.objects.get(username=self.user.username) 85 self.assertFalse(user.has_perm("authentik_core.view_application")) 86 87 def test_remove_users_remove_reverse(self): 88 """Test assigning permission to role, then removing user from group in reverse""" 89 group = Group.objects.create(name=generate_id()) 90 role = Role.objects.create(name=generate_id()) 91 role.assign_perms("authentik_core.view_application") 92 group.roles.add(role) 93 group.users.add(self.user) 94 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 95 self.user.groups.remove(group) 96 user = User.objects.get(username=self.user.username) 97 self.assertFalse(user.has_perm("authentik_core.view_application")) 98 99 def test_add_user_api(self): 100 """Test add_user""" 101 role = Role.objects.create(name=generate_id()) 102 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 103 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 104 self.client.force_login(self.login_user) 105 res = self.client.post( 106 reverse("authentik_api:roles-add-user", kwargs={"pk": role.pk}), 107 data={ 108 "pk": self.user.pk, 109 }, 110 ) 111 self.assertEqual(res.status_code, 204) 112 role.refresh_from_db() 113 self.assertEqual(list(role.users.all()), [self.user]) 114 115 def test_add_user_api_404(self): 116 """Test add_user""" 117 role = Role.objects.create(name=generate_id()) 118 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 119 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 120 self.client.force_login(self.login_user) 121 res = self.client.post( 122 reverse("authentik_api:roles-add-user", kwargs={"pk": role.pk}), 123 data={ 124 "pk": self.user.pk + 3, 125 }, 126 ) 127 self.assertEqual(res.status_code, 404) 128 129 def test_remove_user_api(self): 130 """Test remove_user""" 131 role = Role.objects.create(name=generate_id()) 132 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 133 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 134 role.users.add(self.user) 135 self.client.force_login(self.login_user) 136 res = self.client.post( 137 reverse("authentik_api:roles-remove-user", kwargs={"pk": role.pk}), 138 data={ 139 "pk": self.user.pk, 140 }, 141 ) 142 self.assertEqual(res.status_code, 204) 143 role.refresh_from_db() 144 self.assertEqual(list(role.users.all()), []) 145 146 def test_remove_user_404_api(self): 147 """Test remove_user""" 148 role = Role.objects.create(name=generate_id()) 149 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 150 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 151 role.users.add(self.user) 152 self.client.force_login(self.login_user) 153 res = self.client.post( 154 reverse("authentik_api:roles-remove-user", kwargs={"pk": role.pk}), 155 data={ 156 "pk": self.user.pk + 3, 157 }, 158 ) 159 self.assertEqual(res.status_code, 404)
Test roles
def
setUp(self) -> None:
16 def setUp(self) -> None: 17 self.login_user = create_test_user() 18 self.user = create_test_user()
Hook method for setting up the test fixture before exercising it.
def
test_role_create(self):
20 def test_role_create(self): 21 """Test creation""" 22 group = Group.objects.create(name=generate_id()) 23 role = Role.objects.create(name=generate_id()) 24 role.save() 25 role.assign_perms("authentik_core.view_application") 26 group.roles.add(role) 27 group.users.add(self.user) 28 self.assertTrue(self.user.has_perm("authentik_core.view_application"))
Test creation
def
test_role_create_add_reverse(self):
30 def test_role_create_add_reverse(self): 31 """Test creation (add user in reverse)""" 32 group = Group.objects.create(name=generate_id()) 33 role = Role.objects.create(name=generate_id()) 34 role.assign_perms("authentik_core.view_application") 35 group.roles.add(role) 36 self.user.groups.add(group) 37 self.assertTrue(self.user.has_perm("authentik_core.view_application"))
Test creation (add user in reverse)
def
test_remove_group_delete(self):
39 def test_remove_group_delete(self): 40 """Test creation and remove""" 41 group = Group.objects.create(name=generate_id()) 42 role = Role.objects.create(name=generate_id()) 43 role.assign_perms("authentik_core.view_application") 44 group.roles.add(role) 45 group.users.add(self.user) 46 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 47 group.delete() 48 user = User.objects.get(username=self.user.username) 49 self.assertFalse(user.has_perm("authentik_core.view_application"))
Test creation and remove
def
test_remove_roles_remove(self):
51 def test_remove_roles_remove(self): 52 """Test assigning permission to role, then removing role from group""" 53 group = Group.objects.create(name=generate_id()) 54 role = Role.objects.create(name=generate_id()) 55 role.assign_perms("authentik_core.view_application") 56 group.roles.add(role) 57 group.users.add(self.user) 58 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 59 group.roles.remove(role) 60 user = User.objects.get(username=self.user.username) 61 self.assertFalse(user.has_perm("authentik_core.view_application"))
Test assigning permission to role, then removing role from group
def
test_remove_role_delete(self):
63 def test_remove_role_delete(self): 64 """Test assigning permissions to role, then removing role""" 65 group = Group.objects.create(name=generate_id()) 66 role = Role.objects.create(name=generate_id()) 67 role.assign_perms("authentik_core.view_application") 68 group.roles.add(role) 69 group.users.add(self.user) 70 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 71 role.delete() 72 user = User.objects.get(username=self.user.username) 73 self.assertFalse(user.has_perm("authentik_core.view_application"))
Test assigning permissions to role, then removing role
def
test_remove_users_remove(self):
75 def test_remove_users_remove(self): 76 """Test assigning permission to role, then removing user from group""" 77 group = Group.objects.create(name=generate_id()) 78 role = Role.objects.create(name=generate_id()) 79 role.assign_perms("authentik_core.view_application") 80 group.roles.add(role) 81 group.users.add(self.user) 82 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 83 group.users.remove(self.user) 84 user = User.objects.get(username=self.user.username) 85 self.assertFalse(user.has_perm("authentik_core.view_application"))
Test assigning permission to role, then removing user from group
def
test_remove_users_remove_reverse(self):
87 def test_remove_users_remove_reverse(self): 88 """Test assigning permission to role, then removing user from group in reverse""" 89 group = Group.objects.create(name=generate_id()) 90 role = Role.objects.create(name=generate_id()) 91 role.assign_perms("authentik_core.view_application") 92 group.roles.add(role) 93 group.users.add(self.user) 94 self.assertTrue(self.user.has_perm("authentik_core.view_application")) 95 self.user.groups.remove(group) 96 user = User.objects.get(username=self.user.username) 97 self.assertFalse(user.has_perm("authentik_core.view_application"))
Test assigning permission to role, then removing user from group in reverse
def
test_add_user_api(self):
99 def test_add_user_api(self): 100 """Test add_user""" 101 role = Role.objects.create(name=generate_id()) 102 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 103 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 104 self.client.force_login(self.login_user) 105 res = self.client.post( 106 reverse("authentik_api:roles-add-user", kwargs={"pk": role.pk}), 107 data={ 108 "pk": self.user.pk, 109 }, 110 ) 111 self.assertEqual(res.status_code, 204) 112 role.refresh_from_db() 113 self.assertEqual(list(role.users.all()), [self.user])
Test add_user
def
test_add_user_api_404(self):
115 def test_add_user_api_404(self): 116 """Test add_user""" 117 role = Role.objects.create(name=generate_id()) 118 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 119 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 120 self.client.force_login(self.login_user) 121 res = self.client.post( 122 reverse("authentik_api:roles-add-user", kwargs={"pk": role.pk}), 123 data={ 124 "pk": self.user.pk + 3, 125 }, 126 ) 127 self.assertEqual(res.status_code, 404)
Test add_user
def
test_remove_user_api(self):
129 def test_remove_user_api(self): 130 """Test remove_user""" 131 role = Role.objects.create(name=generate_id()) 132 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 133 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 134 role.users.add(self.user) 135 self.client.force_login(self.login_user) 136 res = self.client.post( 137 reverse("authentik_api:roles-remove-user", kwargs={"pk": role.pk}), 138 data={ 139 "pk": self.user.pk, 140 }, 141 ) 142 self.assertEqual(res.status_code, 204) 143 role.refresh_from_db() 144 self.assertEqual(list(role.users.all()), [])
Test remove_user
def
test_remove_user_404_api(self):
146 def test_remove_user_404_api(self): 147 """Test remove_user""" 148 role = Role.objects.create(name=generate_id()) 149 self.login_user.assign_perms_to_managed_role("authentik_core.view_user") 150 self.login_user.assign_perms_to_managed_role("authentik_rbac.change_role", role) 151 role.users.add(self.user) 152 self.client.force_login(self.login_user) 153 res = self.client.post( 154 reverse("authentik_api:roles-remove-user", kwargs={"pk": role.pk}), 155 data={ 156 "pk": self.user.pk + 3, 157 }, 158 ) 159 self.assertEqual(res.status_code, 404)
Test remove_user