outposts: add tests for permissions
This commit is contained in:
parent
cc8afa8706
commit
501683e3cb
|
@ -6,8 +6,8 @@
|
||||||
|
|
||||||
<html lang="en">
|
<html lang="en">
|
||||||
<head>
|
<head>
|
||||||
<link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff2' %}" as="font" type="font/woff2">
|
<link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff2' %}" as="font" type="font/woff2" crossorigin>
|
||||||
<link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff' %}" as="font" type="font/woff">
|
<link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff' %}" as="font" type="font/woff" crossorigin>
|
||||||
<meta charset="UTF-8">
|
<meta charset="UTF-8">
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
||||||
<title>{% block title %}{% trans title|default:config.passbook.branding.title %}{% endblock %}</title>
|
<title>{% block title %}{% trans title|default:config.passbook.branding.title %}{% endblock %}</title>
|
||||||
|
|
|
@ -7,9 +7,10 @@ from uuid import uuid4
|
||||||
from dacite import from_dict
|
from dacite import from_dict
|
||||||
from django.contrib.postgres.fields import ArrayField
|
from django.contrib.postgres.fields import ArrayField
|
||||||
from django.core.cache import cache
|
from django.core.cache import cache
|
||||||
from django.db import models
|
from django.db import models, transaction
|
||||||
from django.db.models.base import Model
|
from django.db.models.base import Model
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
from guardian.models import UserObjectPermission
|
||||||
from guardian.shortcuts import assign_perm
|
from guardian.shortcuts import assign_perm
|
||||||
|
|
||||||
from passbook.core.models import Provider, Token, TokenIntents, User
|
from passbook.core.models import Provider, Token, TokenIntents, User
|
||||||
|
@ -114,10 +115,13 @@ class Outpost(models.Model):
|
||||||
user.save()
|
user.save()
|
||||||
else:
|
else:
|
||||||
user = users.first()
|
user = users.first()
|
||||||
|
# To ensure the user only has the correct permissions, we delete all of them and re-add
|
||||||
|
# the ones the user needs
|
||||||
|
with transaction.atomic():
|
||||||
|
UserObjectPermission.objects.filter(user=user).delete()
|
||||||
for model in self.get_required_objects():
|
for model in self.get_required_objects():
|
||||||
assign_perm(
|
code_name = f"{model._meta.app_label}.view_{model._meta.model_name}"
|
||||||
f"{model._meta.app_label}.view_{model._meta.model_name}", user, model
|
assign_perm(code_name, user, model)
|
||||||
)
|
|
||||||
return user
|
return user
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
|
|
@ -0,0 +1,60 @@
|
||||||
|
"""outpost tests"""
|
||||||
|
from django.test import TestCase
|
||||||
|
from guardian.models import UserObjectPermission
|
||||||
|
|
||||||
|
from passbook.crypto.models import CertificateKeyPair
|
||||||
|
from passbook.flows.models import Flow
|
||||||
|
from passbook.outposts.models import Outpost, OutpostDeploymentType, OutpostType
|
||||||
|
from passbook.providers.proxy.models import ProxyProvider
|
||||||
|
|
||||||
|
|
||||||
|
class OutpostTests(TestCase):
|
||||||
|
"""Outpost Tests"""
|
||||||
|
|
||||||
|
def test_service_account_permissions(self):
|
||||||
|
"""Test that the service account has correct permissions"""
|
||||||
|
provider: ProxyProvider = ProxyProvider.objects.create(
|
||||||
|
name="test",
|
||||||
|
internal_host="http://localhost",
|
||||||
|
external_host="http://localhost",
|
||||||
|
authorization_flow=Flow.objects.first(),
|
||||||
|
)
|
||||||
|
outpost: Outpost = Outpost.objects.create(
|
||||||
|
name="test",
|
||||||
|
type=OutpostType.PROXY,
|
||||||
|
deployment_type=OutpostDeploymentType.CUSTOM,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Before we add a provider, the user should only have access to the outpost
|
||||||
|
permissions = UserObjectPermission.objects.filter(user=outpost.user)
|
||||||
|
self.assertEqual(len(permissions), 1)
|
||||||
|
self.assertEqual(permissions[0].object_pk, str(outpost.pk))
|
||||||
|
|
||||||
|
# We add a provider, user should only have access to outpost and provider
|
||||||
|
outpost.providers.add(provider)
|
||||||
|
outpost.save()
|
||||||
|
permissions = UserObjectPermission.objects.filter(user=outpost.user).order_by(
|
||||||
|
"content_type__model"
|
||||||
|
)
|
||||||
|
self.assertEqual(len(permissions), 2)
|
||||||
|
self.assertEqual(permissions[0].object_pk, str(outpost.pk))
|
||||||
|
self.assertEqual(permissions[1].object_pk, str(provider.pk))
|
||||||
|
|
||||||
|
# Provider requires a certificate-key-pair, user should have permissions for it
|
||||||
|
keypair = CertificateKeyPair.objects.first()
|
||||||
|
provider.certificate = keypair
|
||||||
|
provider.save()
|
||||||
|
permissions = UserObjectPermission.objects.filter(user=outpost.user).order_by(
|
||||||
|
"content_type__model"
|
||||||
|
)
|
||||||
|
self.assertEqual(len(permissions), 3)
|
||||||
|
self.assertEqual(permissions[0].object_pk, str(keypair.pk))
|
||||||
|
self.assertEqual(permissions[1].object_pk, str(outpost.pk))
|
||||||
|
self.assertEqual(permissions[2].object_pk, str(provider.pk))
|
||||||
|
|
||||||
|
# Remove provider from outpost, user should only have access to outpost
|
||||||
|
outpost.providers.remove(provider)
|
||||||
|
outpost.save()
|
||||||
|
permissions = UserObjectPermission.objects.filter(user=outpost.user)
|
||||||
|
self.assertEqual(len(permissions), 1)
|
||||||
|
self.assertEqual(permissions[0].object_pk, str(outpost.pk))
|
Reference in New Issue