authentic/tests/test_manager_apiclient.py


# authentic2 - versatile identity manager
# Copyright (C) 2010-2019 Entr'ouvert
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from urllib.parse import urlparse
import pytest
from django.urls import reverse
from authentic2.a2_rbac.models import Role
from authentic2.models import APIClient
from .utils import login
class TestAuthorization:
    """Access-control checks for the API-client manager views.

    The outer class holds the fixtures shared by the nested test classes:
    ``app`` authenticates the WebTest app as the ``user`` fixture before any
    request is made, and ``api_client`` creates the object targeted by the
    pk-based views.  ``user`` itself is supplied by each nested class, which
    is how the same set of requests is exercised once for a plain user and
    once for a user holding the API-client manager role.  ``simple_user``
    and ``db`` are expected to come from the project's conftest (not shown
    here).
    """

    @pytest.fixture
    def app(self, app, user):
        # Authenticate as ``user`` so every request below runs in that session.
        login(app, user)
        return app

    @pytest.fixture
    def api_client(self, db):
        # One API client per test, used as the target of detail/edit/delete.
        return APIClient.objects.create(
            name='foo', description='foo-description', identifier='foo-description', password='foo-password'
        )

    class Mixin:
        """Request every manager view and expect ``status_code``.

        Not collected by pytest on its own (no ``Test`` prefix); the concrete
        subclasses set ``status_code`` to the HTTP status they expect.
        """

        # Placeholder value; each subclass overrides it with the expected status.
        status_code = -1

        def _get(self, app, url):
            # WebTest raises if the response status differs from ``status``.
            app.get(url, status=self.status_code)

        def test_list(self, app):
            self._get(app, reverse('a2-manager-api-clients'))

        def test_add(self, app):
            self._get(app, reverse('a2-manager-api-client-add'))

        def test_detail(self, app, api_client):
            self._get(app, reverse('a2-manager-api-client-detail', kwargs={'pk': api_client.pk}))

        def test_edit(self, app, api_client):
            self._get(app, reverse('a2-manager-api-client-edit', kwargs={'pk': api_client.pk}))

        def test_delete(self, app, api_client):
            self._get(app, reverse('a2-manager-api-client-delete', kwargs={'pk': api_client.pk}))

    class TestAuthorization(Mixin):
        """A user without the manager role must be refused on every view."""

        status_code = 403

        @pytest.fixture
        def user(self, simple_user):
            return simple_user

    class TestAuthorizationAdmin(Mixin):
        """A user holding the API-client manager role reaches every view."""

        status_code = 200

        @pytest.fixture
        def user(self, simple_user):
            # Grant the global (no-OU) manager role for API clients.
            manager_role = Role.objects.get(ou__isnull=True, slug='_a2-manager-of-api-clients')
            simple_user.roles.add(manager_role)
            return simple_user
def test_list_empty(superuser, app):
    """The list view shows an explicit empty message when no client exists."""
    listing = login(app, superuser, 'a2-manager-api-clients')
    assert 'There are no API client defined.' in listing.text
def test_list_add_button(superuser, app):
    """The list view links to the add view from its actions bar."""
    listing = login(app, superuser, 'a2-manager-api-clients')
    add_url = reverse('a2-manager-api-client-add')
    add_link = listing.pyquery('span.actions a[href="%s"]' % add_url)
    assert add_link.text() == 'Add new API client'
def test_list_show_objects(superuser, app):
    """Each API client is listed as a link to its detail page."""
    client = APIClient.objects.create(
        name='foo', description='foo-description', identifier='foo-description', password='foo-password'
    )
    # The detail path is written out literally (rather than via reverse()) so
    # the test also pins the public URL layout of the manager.
    detail_path = '/manage/api-clients/%s/' % client.pk
    listing = login(app, superuser, 'a2-manager-api-clients')
    entry = listing.pyquery('div.content ul.objects-list a[href="%s"]' % detail_path)
    assert entry.text() == 'foo (foo-description)'
def test_add(superuser, app):
    """Create an API client through the add form and land on its detail page."""
    assert APIClient.objects.count() == 0
    roles = [Role.objects.create(name='role-1'), Role.objects.create(name='role-2')]
    form = login(app, superuser, 'a2-manager-api-client-add').form
    # The add form proposes a generated password; only its presence is checked.
    assert form.get('password').value
    for field, value in (
        ('name', 'api-client-name'),
        ('description', 'api-client-description'),
        ('identifier', 'api-client-identifier'),
        ('password', 'api-client-password'),
    ):
        form.set(field, value)
    # force_value bypasses the widget's option check for the role selector.
    form['apiclient_roles'].force_value([role.id for role in roles])
    landing = form.submit().follow()
    assert APIClient.objects.count() == 1
    created = APIClient.objects.get(name='api-client-name')
    assert set(created.apiclient_roles.all()) == set(roles)
    # The redirect after creation must go to the new client's detail page.
    assert urlparse(landing.request.url).path == created.get_absolute_url()
def test_add_description_non_mandatory(superuser, app):
    """The add form accepts a submission that leaves ``description`` empty."""
    assert APIClient.objects.count() == 0
    roles = [Role.objects.create(name='role-1'), Role.objects.create(name='role-2')]
    form = login(app, superuser, 'a2-manager-api-client-add').form
    # Deliberately no 'description' here.
    for field, value in (
        ('name', 'api-client-name'),
        ('identifier', 'api-client-identifier'),
        ('password', 'api-client-password'),
    ):
        form.set(field, value)
    form['apiclient_roles'].force_value([role.id for role in roles])
    landing = form.submit().follow()
    assert APIClient.objects.count() == 1
    created = APIClient.objects.get(name='api-client-name')
    assert set(created.apiclient_roles.all()) == set(roles)
    assert urlparse(landing.request.url).path == created.get_absolute_url()
def test_detail(superuser, app):
    """The detail page shows the client's fields, roles and action links."""
    roles = [Role.objects.create(name='role-1'), Role.objects.create(name='role-2')]
    client = APIClient.objects.create(
        name='foo',
        description='foo-description',
        identifier='foo-identifier',
        password='foo-password',
        restrict_to_anonymised_data=True,
    )
    client.apiclient_roles.add(*roles)
    page = login(app, superuser, client.get_absolute_url())
    body = page.text
    # NOTE(review): this pins clear-text display of the client secret on the
    # detail page; if the model ever stops storing the raw password, this
    # assertion has to change along with the model.
    expected_fragments = [
        'identifier&nbsp;: foo-identifier',
        'password&nbsp;: foo-password',
        'foo-description',
        'Restricted to anonymised data',
        'role-1',
        'role-2',
    ]
    for fragment in expected_fragments:
        assert fragment in body
    # Both action links must be present with their expected labels.
    for view_name, label in (('a2-manager-api-client-edit', 'Edit'), ('a2-manager-api-client-delete', 'Delete')):
        link = page.pyquery('span.actions a[href="%s"]' % reverse(view_name, kwargs={'pk': client.pk}))
        assert link
        assert link.text() == label
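def test_edit(superuser, app):
    """Change an API client's password through the manager edit form.

    Submitting the form must redirect to the client's detail page, keep a
    single client in the database and leave the other fields (here the
    identifier) untouched.
    """
    api_client = APIClient.objects.create(
        name='foo', description='foo-description', identifier='foo-identifier', password='foo-password'
    )
    assert APIClient.objects.count() == 1
    resp = login(app, superuser, 'a2-manager-api-client-edit', kwargs={'pk': api_client.pk})
    form = resp.form
    # NOTE(review): the edit form is prefilled with the stored secret in clear,
    # and the lookup further down filters on the raw value; both pin a
    # clear-text password column and must be revisited if that changes.
    assert form.get('password').value == 'foo-password'
    # Set the value on the same parsed form object that is submitted, rather
    # than re-reading resp.form, so the test does not rely on WebTest caching
    # its parsed forms between the two accesses.
    form.set('password', 'easy')
    response = form.submit().follow()
    assert urlparse(response.request.url).path == api_client.get_absolute_url()
    assert APIClient.objects.count() == 1
    api_client = APIClient.objects.get(password='easy')
    assert api_client.identifier == 'foo-identifier'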
def test_delete(superuser, app):
    """Confirming the delete form removes the client and returns to the list."""
    client = APIClient.objects.create(
        name='foo', description='foo-description', identifier='foo-identifier', password='foo-password'
    )
    assert APIClient.objects.count() == 1
    confirm_page = login(app, superuser, 'a2-manager-api-client-delete', kwargs={'pk': client.pk})
    landing = confirm_page.form.submit().follow()
    assert urlparse(landing.request.url).path == reverse('a2-manager-api-clients')
    assert APIClient.objects.count() == 0