api_views: handle ou-wise api-client checks (#71275)

2022-11-17 10:56:30 +01:00 · 2022-11-17 10:56:30 +01:00 · 4240f989ae
parent a7ffb583f8
commit 4240f989ae
2 changed files with 26 additions and 2 deletions
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@ -1434,6 +1434,13 @@ class CheckPasswordSerializer(serializers.Serializer):
 class CheckAPIClientSerializer(serializers.Serializer):
    identifier = serializers.CharField(required=True)
    password = serializers.CharField(required=True)
+    ou = serializers.SlugRelatedField(
+        queryset=OrganizationalUnit.objects.all(),
+        slug_field='slug',
+        default=None,
+        required=False,
+        allow_null=True,
+    )


 class CheckPasswordAPI(BaseRpcView):
@ -1470,6 +1477,7 @@ class CheckAPIClientAPI(BaseRpcView):
    def rpc(self, request, serializer):
        identifier = serializer.validated_data['identifier']
        password = serializer.validated_data['password']
+        ou = serializer.validated_data.get('ou', None)
        api_client = None
        try:
            api_client = APIClient.objects.get(identifier=identifier, password=password)
@ -1477,7 +1485,7 @@ class CheckAPIClientAPI(BaseRpcView):
            pass

        result = {}
-        if api_client is None:
+        if api_client is None or ou and ou != api_client.ou:
            result['err'] = 1
            result['err_desc'] = 'api client not found'
        else:
@ -1487,6 +1495,7 @@ class CheckAPIClientAPI(BaseRpcView):
                'is_anonymous': api_client.is_anonymous,
                'is_authenticated': api_client.is_authenticated,
                'is_superuser': api_client.is_superuser,
+                'ou': api_client.ou.slug if api_client.ou else None,
                'restrict_to_anonymised_data': api_client.restrict_to_anonymised_data,
                'roles': [role.uuid for role in api_client.apiclient_roles.all()],
            }
--- a/tests/api/test_all.py
+++ b/tests/api/test_all.py
@ -2859,7 +2859,7 @@ def test_user_profile_delete(app, superuser):
    )


-def test_check_api_client(app, superuser):
+def test_check_api_client(app, superuser, ou1, ou2):
    url = '/api/check-api-client/'
    payload = {'identifier': 'foo', 'password': 'bar'}
    resp = app.post_json(url, params=payload, status=401)
@ -2888,6 +2888,21 @@ def test_check_api_client(app, superuser):
    assert data['is_superuser'] is False
    assert data['restrict_to_anonymised_data'] is False
    assert data['roles'] == [role1.uuid]
+    assert data['ou'] == get_default_ou().slug
+
+    api_client.ou = ou1
+    api_client.save()
+    resp = app.post_json(url, params=payload)
+    assert resp.json['data']['ou'] == 'ou1'
+
+    payload['ou'] = ou1.slug
+    resp = app.post_json(url, params=payload)
+    assert resp.json['data']['ou'] == 'ou1'
+
+    payload['ou'] = ou2.slug
+    resp = app.post_json(url, params=payload)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'api client not found'


 def test_api_basic_authz_user_phone_number(app, settings, superuser):