147 lines
5.2 KiB
Python
147 lines
5.2 KiB
Python
# authentic2 - versatile identity manager
|
|
# Copyright (C) 2010-2022 Entr'ouvert
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify it
|
|
# under the terms of the GNU Affero General Public License as published
|
|
# by the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import pytest
|
|
|
|
from authentic2_auth_oidc.models import OIDCProvider
|
|
|
|
from .utils import login, logout
|
|
|
|
|
|
def test_authenticators_authorization(app, simple_user, superuser):
|
|
resp = login(app, simple_user)
|
|
app.get('/manage/authenticators/', status=403)
|
|
|
|
logout(app)
|
|
resp = login(app, superuser, path='/manage/')
|
|
assert 'Authenticators' in resp.text
|
|
|
|
resp = resp.click('Authenticators')
|
|
assert 'Authenticators' in resp.text
|
|
|
|
|
|
def test_authenticators_password(app, superuser):
|
|
resp = login(app, superuser, path='/manage/authenticators/')
|
|
# Password authenticator already exists
|
|
assert 'Password' in resp.text
|
|
|
|
resp = resp.click('Configure')
|
|
assert 'Click "Edit" to change configuration.' in resp.text
|
|
# cannot delete password authenticator
|
|
assert 'Delete' not in resp.text
|
|
app.get('/manage/authenticators/1/delete/', status=403)
|
|
|
|
resp = resp.click('Edit')
|
|
assert list(resp.form.fields) == [
|
|
'csrfmiddlewaretoken',
|
|
'order',
|
|
'show_condition',
|
|
'remember_me',
|
|
'include_ou_selector',
|
|
None,
|
|
]
|
|
|
|
resp.form['show_condition'] = '}'
|
|
resp = resp.form.submit()
|
|
assert 'template syntax error: Could not parse' in resp.text
|
|
|
|
resp.form['show_condition'] = "'backoffice' in login_hint or remotre_addr == '1.2.3.4'"
|
|
resp = resp.form.submit().follow()
|
|
assert 'Click "Edit" to change configuration.' not in resp.text
|
|
assert (
|
|
"Show condition: 'backoffice' in login_hint or remotre_addr == '1.2.3.4'" in resp.text
|
|
)
|
|
|
|
resp = resp.click('Disable').follow()
|
|
assert 'Authenticator has been disabled.' in resp.text
|
|
|
|
resp = app.get('/manage/authenticators/')
|
|
assert 'class="section disabled"' in resp.text
|
|
|
|
resp = resp.click('Configure')
|
|
resp = resp.click('Enable').follow()
|
|
assert 'Authenticator has been enabled.' in resp.text
|
|
|
|
# cannot add another password authenticator
|
|
resp = app.get('/manage/authenticators/add/')
|
|
assert 'Password' not in resp.text
|
|
|
|
|
|
@pytest.mark.freeze_time('2022-04-19 14:00')
|
|
def test_authenticators_oidc(app, superuser, ou1, ou2):
|
|
resp = login(app, superuser, path='/manage/authenticators/')
|
|
|
|
resp = resp.click('Add new authenticator')
|
|
resp.form['name'] = 'Test'
|
|
resp.form['authenticator'] = 'oidc'
|
|
resp.form['ou'] = ou1.pk
|
|
|
|
resp = resp.form.submit().follow()
|
|
assert OIDCProvider.objects.filter(slug='test').count() == 1
|
|
assert 'Created: April 19, 2022, 2 p.m.' in resp.text
|
|
assert 'Modified: April 19, 2022, 2 p.m.' in resp.text
|
|
assert 'Issuer' not in resp.text
|
|
|
|
resp = resp.click('Edit')
|
|
assert 'enabled' not in resp.form.fields
|
|
resp.form['issuer'] = 'https://oidc.example.com'
|
|
resp.form['scopes'] = 'profile email'
|
|
resp.form['strategy'] = 'create'
|
|
resp.form['authorization_endpoint'] = 'https://oidc.example.com/authorize'
|
|
resp.form['token_endpoint'] = 'https://oidc.example.com/token'
|
|
resp.form['userinfo_endpoint'] = 'https://oidc.example.com/user_info'
|
|
resp.form['idtoken_algo'] = 2
|
|
resp = resp.form.submit().follow()
|
|
|
|
assert 'Issuer: https://oidc.example.com' in resp.text
|
|
assert 'Scopes: profile email' in resp.text
|
|
|
|
resp = app.get('/manage/authenticators/')
|
|
assert 'OpenIDConnect - Test' in resp.text
|
|
assert 'class="section disabled"' in resp.text
|
|
assert 'OIDC provider linked to' not in resp.text
|
|
|
|
resp = resp.click('Configure', index=1)
|
|
resp = resp.click('Enable').follow()
|
|
assert 'Authenticator has been enabled.' in resp.text
|
|
|
|
resp = app.get('/manage/authenticators/')
|
|
assert 'class="section disabled"' not in resp.text
|
|
assert 'OIDC provider linked to https://oidc.example.com with scopes profile, email.' not in resp.text
|
|
|
|
# same name
|
|
resp = resp.click('Add new authenticator')
|
|
resp.form['name'] = 'test'
|
|
resp.form['authenticator'] = 'oidc'
|
|
resp.form['ou'] = ou1.pk
|
|
resp = resp.form.submit().follow()
|
|
assert OIDCProvider.objects.filter(slug='test-1').count() == 1
|
|
OIDCProvider.objects.filter(slug='test-1').delete()
|
|
|
|
# OU is required
|
|
resp = app.get('/manage/authenticators/add/')
|
|
resp.form['name'] = 'test'
|
|
resp.form['authenticator'] = 'oidc'
|
|
resp.form['ou'] = ''
|
|
resp = resp.form.submit()
|
|
assert 'This field is required' in resp.text
|
|
|
|
resp = app.get('/manage/authenticators/')
|
|
resp = resp.click('Configure', index=1)
|
|
resp = resp.click('Delete')
|
|
resp = resp.form.submit().follow()
|
|
assert not OIDCProvider.objects.filter(slug='test').exists()
|