From b1892ded173f98a5bec1a68896b778b1393709e0 Mon Sep 17 00:00:00 2001 From: Lebaud Antoine Date: Sat, 24 Feb 2024 11:49:36 +0100 Subject: [PATCH] =?UTF-8?q?=E2=9C=85(backend)=20drop=20JWT=20authenticatio?= =?UTF-8?q?n=20in=20API=20tests?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Force login to bypass authorization checks when necessary. Note: Generating a session cookie through OIDC flow is not supported while testing our API. --- .../templates/test_api_templates_create.py | 8 +- .../templates/test_api_templates_delete.py | 24 +-- .../test_api_templates_generate_document.py | 22 +-- .../templates/test_api_templates_list.py | 29 +-- .../templates/test_api_templates_retrieve.py | 22 +-- .../templates/test_api_templates_update.py | 29 +-- .../core/tests/test_api_template_accesses.py | 165 +++++++++--------- src/backend/core/tests/test_api_users.py | 89 ++++++---- 8 files changed, 215 insertions(+), 173 deletions(-) diff --git a/src/backend/core/tests/templates/test_api_templates_create.py b/src/backend/core/tests/templates/test_api_templates_create.py index b65d5d08..150f67b6 100644 --- a/src/backend/core/tests/templates/test_api_templates_create.py +++ b/src/backend/core/tests/templates/test_api_templates_create.py @@ -6,7 +6,6 @@ from rest_framework.test import APIClient from core import factories from core.models import Template -from core.tests.utils import OIDCToken pytestmark = pytest.mark.django_db @@ -30,15 +29,16 @@ def test_api_templates_create_authenticated(): as the owner of the newly created template. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) - response = APIClient().post( + client = APIClient() + client.force_login(user) + + response = client.post( "/api/v1.0/templates/", { "title": "my template", }, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 201 
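Review bot: The session-authenticated POST that `client.force_login(user)` sets up here goes through a default `APIClient()`, which does not enforce CSRF, so this request and every PUT/DELETE switched to a logged-in client elsewhere in the patch (the update, delete and accesses files) would not catch a regression that drops the CSRF check DRF's SessionAuthentication applies to cookie-authenticated callers. If the session cookie is the production credential, one test per unsafe method built with `APIClient(enforce_csrf_checks=True)` and asserting a 403 when no token is sent would cover that path. Removing the `OIDCToken` import also leaves bearer-token authentication with no test at all; if that authentication class is still configured in the backend it deserves one positive and one negative case, otherwise the now-unused helper in core.tests.utils can be deleted with it. Separately, the `client = APIClient()` / `client.force_login(user)` pair is repeated verbatim in every test of this patch and would read better as a fixture, e.g. `@pytest.fixture def authenticated_client(user): client = APIClient(); client.force_login(user); return client`. The body of test_api_templates_create_authenticated likely continues past the end of this hunk.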
diff --git a/src/backend/core/tests/templates/test_api_templates_delete.py b/src/backend/core/tests/templates/test_api_templates_delete.py index 7fcade91..a44863aa 100644 --- a/src/backend/core/tests/templates/test_api_templates_delete.py +++ b/src/backend/core/tests/templates/test_api_templates_delete.py @@ -7,7 +7,6 @@ import pytest from rest_framework.test import APIClient from core import factories, models -from core.tests.utils import OIDCToken pytestmark = pytest.mark.django_db @@ -30,14 +29,15 @@ def test_api_templates_delete_authenticated_unrelated(): related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) is_public = random.choice([True, False]) template = factories.TemplateFactory(is_public=is_public) - response = APIClient().delete( + response = client.delete( f"/api/v1.0/templates/{template.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 if is_public else 404 @@ -51,12 +51,14 @@ def test_api_templates_delete_authenticated_member(role): only a member. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, role)]) - response = APIClient().delete( - f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.delete( + f"/api/v1.0/templates/{template.id}/", ) assert response.status_code == 403 @@ -72,12 +74,14 @@ def test_api_templates_delete_authenticated_owner(): owner. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "owner")]) - response = APIClient().delete( - f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.delete( + f"/api/v1.0/templates/{template.id}/", ) assert response.status_code == 204 
diff --git a/src/backend/core/tests/templates/test_api_templates_generate_document.py b/src/backend/core/tests/templates/test_api_templates_generate_document.py index 1819a8fb..683cb428 100644 --- a/src/backend/core/tests/templates/test_api_templates_generate_document.py +++ b/src/backend/core/tests/templates/test_api_templates_generate_document.py @@ -5,7 +5,6 @@ import pytest from rest_framework.test import APIClient from core import factories -from core.tests.utils import OIDCToken pytestmark = pytest.mark.django_db @@ -50,16 +49,17 @@ def test_api_templates_generate_document_anonymous_not_public(): def test_api_templates_generate_document_authenticated_public(): """Authenticated users can generate pdf document with public templates.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(is_public=True) data = {"body": "# Test markdown body"} - response = APIClient().post( + response = client.post( f"/api/v1.0/templates/{template.id!s}/generate-document/", data, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 @@ -72,16 +72,17 @@ def test_api_templates_generate_document_authenticated_not_public(): that are not marked as public. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(is_public=False) data = {"body": "# Test markdown body"} - response = APIClient().post( + response = client.post( f"/api/v1.0/templates/{template.id!s}/generate-document/", data, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 404 
@@ -91,16 +92,17 @@ def test_api_templates_generate_document_authenticated_not_public(): def test_api_templates_generate_document_related(): """Users related to a template can generate pdf document.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) access = factories.TemplateAccessFactory(user=user) data = {"body": "# Test markdown body"} - response = APIClient().post( + response = client.post( f"/api/v1.0/templates/{access.template.id!s}/generate-document/", data, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 diff --git a/src/backend/core/tests/templates/test_api_templates_list.py b/src/backend/core/tests/templates/test_api_templates_list.py index 54011422..5941c51f 100644 --- a/src/backend/core/tests/templates/test_api_templates_list.py +++ b/src/backend/core/tests/templates/test_api_templates_list.py @@ -9,7 +9,6 @@ from rest_framework.status import HTTP_200_OK from rest_framework.test import APIClient from core import factories -from core.tests.utils import OIDCToken pytestmark = pytest.mark.django_db @@ -35,7 +34,9 @@ def test_api_templates_list_authenticated(): an owner/administrator/member of. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) related_templates = [ access.template @@ -48,8 +49,8 @@ def test_api_templates_list_authenticated(): str(template.id) for template in related_templates + public_templates } - response = APIClient().get( - "/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.get( + "/api/v1.0/templates/", ) assert response.status_code == HTTP_200_OK 
@@ -65,7 +66,9 @@ def test_api_templates_list_pagination( ): """Pagination should work as expected.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template_ids = [ str(access.template.id) @@ -73,8 +76,8 @@ def test_api_templates_list_pagination( ] # Get page 1 - response = APIClient().get( - "/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.get( + "/api/v1.0/templates/", ) assert response.status_code == HTTP_200_OK @@ -89,8 +92,8 @@ def test_api_templates_list_pagination( template_ids.remove(item["id"]) # Get page 2 - response = APIClient().get( - "/api/v1.0/templates/?page=2", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.get( + "/api/v1.0/templates/?page=2", ) assert response.status_code == HTTP_200_OK @@ -108,14 +111,16 @@ def test_api_templates_list_pagination( def test_api_templates_list_authenticated_distinct(): """A template with several related users should only be listed once.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) other_user = factories.UserFactory() template = factories.TemplateFactory(users=[user, other_user], is_public=True) - response = APIClient().get( - "/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.get( + "/api/v1.0/templates/", ) assert response.status_code == HTTP_200_OK diff --git a/src/backend/core/tests/templates/test_api_templates_retrieve.py b/src/backend/core/tests/templates/test_api_templates_retrieve.py index da90e2a9..98848de1 100644 --- a/src/backend/core/tests/templates/test_api_templates_retrieve.py +++ b/src/backend/core/tests/templates/test_api_templates_retrieve.py @@ -5,7 +5,6 @@ import pytest from rest_framework.test import APIClient from core import factories -from core.tests.utils import OIDCToken pytestmark = pytest.mark.django_db 
@@ -47,13 +46,14 @@ def test_api_templates_retrieve_authenticated_unrelated_public(): not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(is_public=True) - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 assert response.json() == { @@ -76,13 +76,14 @@ def test_api_templates_retrieve_authenticated_unrelated_not_public(): to which they are not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(is_public=False) - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 404 assert response.json() == {"detail": "Not found."} @@ -94,15 +95,16 @@ def test_api_templates_retrieve_authenticated_related(): are related whatever the role. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory() access1 = factories.TemplateAccessFactory(template=template, user=user) access2 = factories.TemplateAccessFactory(template=template) - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 content = response.json() diff --git a/src/backend/core/tests/templates/test_api_templates_update.py b/src/backend/core/tests/templates/test_api_templates_update.py index 4f3ef72e..dd01caef 100644 --- a/src/backend/core/tests/templates/test_api_templates_update.py +++ b/src/backend/core/tests/templates/test_api_templates_update.py 
@@ -8,7 +8,6 @@ from rest_framework.test import APIClient from core import factories from core.api import serializers -from core.tests.utils import OIDCToken pytestmark = pytest.mark.django_db @@ -41,7 +40,9 @@ def test_api_templates_update_authenticated_unrelated(): Authenticated users should not be allowed to update a template to which they are not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(is_public=False) old_template_values = serializers.TemplateSerializer(instance=template).data @@ -49,11 +50,10 @@ def test_api_templates_update_authenticated_unrelated(): new_template_values = serializers.TemplateSerializer( instance=factories.TemplateFactory() ).data - response = APIClient().put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/", new_template_values, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 404 @@ -70,7 +70,9 @@ def test_api_templates_update_authenticated_members(): not be allowed to update it. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "member")]) old_template_values = serializers.TemplateSerializer(instance=template).data @@ -78,11 +80,10 @@ def test_api_templates_update_authenticated_members(): new_template_values = serializers.TemplateSerializer( instance=factories.TemplateFactory() ).data - response = APIClient().put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/", new_template_values, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 
@@ -99,7 +100,9 @@ def test_api_templates_update_authenticated_members(): def test_api_templates_update_authenticated_administrators(role): """Administrators of a template should be allowed to update it.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, role)]) old_template_values = serializers.TemplateSerializer(instance=template).data @@ -107,11 +110,10 @@ def test_api_templates_update_authenticated_administrators(role): new_template_values = serializers.TemplateSerializer( instance=factories.TemplateFactory() ).data - response = APIClient().put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/", new_template_values, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 @@ -130,7 +132,9 @@ def test_api_templates_update_administrator_or_owner_of_another(): another template. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) factories.TemplateFactory(users=[(user, random.choice(["administrator", "owner"]))]) is_public = random.choice([True, False]) @@ -140,11 +144,10 @@ def test_api_templates_update_administrator_or_owner_of_another(): new_template_values = serializers.TemplateSerializer( instance=factories.TemplateFactory() ).data - response = APIClient().put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/", new_template_values, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 if is_public else 404 diff --git a/src/backend/core/tests/test_api_template_accesses.py b/src/backend/core/tests/test_api_template_accesses.py index cb57e686..d4bc8554 100644 --- a/src/backend/core/tests/test_api_template_accesses.py +++ b/src/backend/core/tests/test_api_template_accesses.py 
@@ -10,7 +10,6 @@ from rest_framework.test import APIClient from core import factories, models from core.api import serializers -from .utils import OIDCToken pytestmark = pytest.mark.django_db @@ -33,7 +32,9 @@ def test_api_template_accesses_list_authenticated_unrelated(): to which they are not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory() factories.TemplateAccessFactory.create_batch(3, template=template) @@ -42,9 +43,8 @@ def test_api_template_accesses_list_authenticated_unrelated(): other_access = factories.TemplateAccessFactory(user=user) factories.TemplateAccessFactory(template=other_access.template) - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/accesses/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 assert response.json() == { @@ -61,7 +61,9 @@ def test_api_template_accesses_list_authenticated_related(): to which they are related, whatever their role in the template. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory() user_access = models.TemplateAccess.objects.create( @@ -75,9 +77,8 @@ def test_api_template_accesses_list_authenticated_related(): other_access = factories.TemplateAccessFactory(user=user) factories.TemplateAccessFactory(template=other_access.template) - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/accesses/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 
@@ -130,14 +131,15 @@ def test_api_template_accesses_retrieve_authenticated_unrelated(): a template to which they are not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory() access = factories.TemplateAccessFactory(template=template) - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 assert response.json() == { @@ -149,9 +151,8 @@ def test_api_template_accesses_retrieve_authenticated_unrelated(): factories.TemplateAccessFactory(), factories.TemplateAccessFactory(user=user), ]: - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 404 @@ -164,14 +165,15 @@ def test_api_template_accesses_retrieve_authenticated_related(): associated template user accesses. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[user]) access = factories.TemplateAccessFactory(template=template) - response = APIClient().get( + response = client.get( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 
@@ -211,18 +213,19 @@ def test_api_template_accesses_create_authenticated_unrelated(): which they are not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) other_user = factories.UserFactory() template = factories.TemplateFactory() - response = APIClient().post( + response = client.post( f"/api/v1.0/templates/{template.id!s}/accesses/", { "user": str(other_user.id), }, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -232,21 +235,21 @@ def test_api_template_accesses_create_authenticated_unrelated(): def test_api_template_accesses_create_authenticated_member(): """Members of a template should not be allowed to create template accesses.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "member")]) other_user = factories.UserFactory() - api_client = APIClient() for role in [role[0] for role in models.RoleChoices.choices]: - response = api_client.post( + response = client.post( f"/api/v1.0/templates/{template.id!s}/accesses/", { "user": str(other_user.id), "role": role, }, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -260,7 +263,9 @@ def test_api_template_accesses_create_authenticated_administrator(): except for the "owner" role. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "administrator")]) other_user = factories.UserFactory() 
@@ -268,14 +273,13 @@ def test_api_template_accesses_create_authenticated_administrator(): api_client = APIClient() # It should not be allowed to create an owner access - response = api_client.post( + response = client.post( f"/api/v1.0/templates/{template.id!s}/accesses/", { "user": str(other_user.id), "role": "owner", }, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -288,14 +292,13 @@ def test_api_template_accesses_create_authenticated_administrator(): [role[0] for role in models.RoleChoices.choices if role[0] != "owner"] ) - response = api_client.post( + response = client.post( f"/api/v1.0/templates/{template.id!s}/accesses/", { "user": str(other_user.id), "role": role, }, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 201 @@ -314,21 +317,22 @@ def test_api_template_accesses_create_authenticated_owner(): Owners of a template should be able to create template accesses whatever the role. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "owner")]) other_user = factories.UserFactory() role = random.choice([role[0] for role in models.RoleChoices.choices]) - response = APIClient().post( + response = client.post( f"/api/v1.0/templates/{template.id!s}/accesses/", { "user": str(other_user.id), "role": role, }, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 201 @@ -373,7 +377,9 @@ def test_api_template_accesses_update_authenticated_unrelated(): they are not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) access = factories.TemplateAccessFactory() old_values = serializers.TemplateAccessSerializer(instance=access).data 
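Review bot: `api_client = APIClient()` is left in place as a context line at the top of this hunk while both `post` calls here and in the following `@@ -288,14 +292,13 @@` hunk now use `client`, so test_api_template_accesses_create_authenticated_administrator keeps a dead local that ruff/pylint will flag as unused. Delete the `api_client = APIClient()` line, matching what the patch already does for the update tests in this file. The function's signature and the `client.force_login(user)` setup are in the preceding hunk, outside this one.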
@@ -384,13 +390,11 @@ def test_api_template_accesses_update_authenticated_unrelated(): "role": random.choice(models.RoleChoices.choices)[0], } - api_client = APIClient() for field, value in new_values.items(): - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/", {**old_values, field: value}, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -402,7 +406,9 @@ def test_api_template_accesses_update_authenticated_unrelated(): def test_api_template_accesses_update_authenticated_member(): """Members of a template should not be allowed to update its accesses.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "member")]) access = factories.TemplateAccessFactory(template=template) @@ -414,13 +420,11 @@ def test_api_template_accesses_update_authenticated_member(): "role": random.choice(models.RoleChoices.choices)[0], } - api_client = APIClient() for field, value in new_values.items(): - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/", {**old_values, field: value}, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -435,7 +439,9 @@ def test_api_template_accesses_update_administrator_except_owner(): access for this template, as long as they don't try to set the role to owner. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "administrator")]) access = factories.TemplateAccessFactory( 
@@ -450,14 +456,12 @@ def test_api_template_accesses_update_administrator_except_owner(): "role": random.choice(["administrator", "member"]), } - api_client = APIClient() for field, value in new_values.items(): new_data = {**old_values, field: value} - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", data=new_data, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) if ( @@ -481,7 +485,9 @@ def test_api_template_accesses_update_administrator_from_owner(): the user access of an "owner" for this template. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "administrator")]) other_user = factories.UserFactory() @@ -496,13 +502,11 @@ def test_api_template_accesses_update_administrator_from_owner(): "role": random.choice(models.RoleChoices.choices)[0], } - api_client = APIClient() for field, value in new_values.items(): - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", data={**old_values, field: value}, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -517,7 +521,9 @@ def test_api_template_accesses_update_administrator_to_owner(): the user access of another user to grant template ownership. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "administrator")]) other_user = factories.UserFactory() 
@@ -534,14 +540,12 @@ def test_api_template_accesses_update_administrator_to_owner(): "role": "owner", } - api_client = APIClient() for field, value in new_values.items(): new_data = {**old_values, field: value} - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", data=new_data, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) # We are not allowed or not really updating the role if field == "role" or new_data["role"] == old_values["role"]: @@ -560,7 +564,9 @@ def test_api_template_accesses_update_owner(): a user access for this template whatever the role. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "owner")]) factories.UserFactory() @@ -575,14 +581,12 @@ def test_api_template_accesses_update_owner(): "role": random.choice(models.RoleChoices.choices)[0], } - api_client = APIClient() for field, value in new_values.items(): new_data = {**old_values, field: value} - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", data=new_data, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) if ( 
@@ -607,19 +611,19 @@ def test_api_template_accesses_update_owner_self(): their own user access provided there are other owners in the template. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory() access = factories.TemplateAccessFactory(template=template, user=user, role="owner") old_values = serializers.TemplateAccessSerializer(instance=access).data new_role = random.choice(["administrator", "member"]) - api_client = APIClient() - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", data={**old_values, "role": new_role}, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -629,11 +633,10 @@ def test_api_template_accesses_update_owner_self(): # Add another owner and it should now work factories.TemplateAccessFactory(template=template, role="owner") - response = api_client.put( + response = client.put( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", data={**old_values, "role": new_role}, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 @@ -662,13 +665,14 @@ def test_api_template_accesses_delete_authenticated(): template to which they are not related. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) access = factories.TemplateAccessFactory() - response = APIClient().delete( + response = client.delete( f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 
@@ -681,7 +685,9 @@ def test_api_template_accesses_delete_member(): template in which they are a simple member. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "member")]) access = factories.TemplateAccessFactory(template=template) @@ -689,9 +695,8 @@ def test_api_template_accesses_delete_member(): assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.filter(user=access.user).exists() - response = APIClient().delete( + response = client.delete( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -704,7 +709,9 @@ def test_api_template_accesses_delete_administrators_except_owners(): from the template provided it is not ownership. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "administrator")]) access = factories.TemplateAccessFactory( @@ -714,9 +721,8 @@ def test_api_template_accesses_delete_administrators_except_owners(): assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.filter(user=access.user).exists() - response = APIClient().delete( + response = client.delete( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 204 @@ -729,7 +735,9 @@ def test_api_template_accesses_delete_administrators_owners(): access from the template. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "administrator")]) access = factories.TemplateAccessFactory(template=template, role="owner") 
@@ -737,9 +745,8 @@ def test_api_template_accesses_delete_administrators_owners(): assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.filter(user=access.user).exists() - response = APIClient().delete( + response = client.delete( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -752,7 +759,9 @@ def test_api_template_accesses_delete_owners(): for a template of which they are owner. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory(users=[(user, "owner")]) access = factories.TemplateAccessFactory( @@ -762,9 +771,8 @@ def test_api_template_accesses_delete_owners(): assert models.TemplateAccess.objects.count() == 2 assert models.TemplateAccess.objects.filter(user=access.user).exists() - response = APIClient().delete( + response = client.delete( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 204 @@ -776,15 +784,16 @@ def test_api_template_accesses_delete_owners_last_owner(): It should not be possible to delete the last owner access from a template """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) template = factories.TemplateFactory() access = factories.TemplateAccessFactory(template=template, user=user, role="owner") assert models.TemplateAccess.objects.count() == 1 - response = APIClient().delete( + response = client.delete( f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 diff --git a/src/backend/core/tests/test_api_users.py b/src/backend/core/tests/test_api_users.py index 25bbc9b6..f88fa181 100644 --- a/src/backend/core/tests/test_api_users.py 
+++ b/src/backend/core/tests/test_api_users.py @@ -7,7 +7,6 @@ from rest_framework.test import APIClient from core import factories, models from core.api import serializers -from .utils import OIDCToken pytestmark = pytest.mark.django_db @@ -26,11 +25,13 @@ def test_api_users_list_authenticated(): Authenticated users should not be able to list users. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) factories.UserFactory.create_batch(2) - response = APIClient().get( - "/api/v1.0/users/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.get( + "/api/v1.0/users/", ) assert response.status_code == 404 assert "Not Found" in response.content.decode("utf-8") @@ -50,11 +51,13 @@ def test_api_users_retrieve_me_anonymous(): def test_api_users_retrieve_me_authenticated(): """Authenticated users should be able to retrieve their own user via the "/users/me" path.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) factories.UserFactory.create_batch(2) - response = APIClient().get( - "/api/v1.0/users/me/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.get( + "/api/v1.0/users/me/", ) assert response.status_code == 200 @@ -85,10 +88,12 @@ def test_api_users_retrieve_authenticated_self(): The returned object should not contain the password. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) - response = APIClient().get( - f"/api/v1.0/users/{user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + client = APIClient() + client.force_login(user) + + response = client.get( + f"/api/v1.0/users/{user.id!s}/", ) assert response.status_code == 405 assert response.json() == {"detail": 'Method "GET" not allowed.'} 
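Review bot: With `from .utils import OIDCToken` removed, nothing left in test_api_users.py authenticates through the API's real credential path: force_login writes a session directly, so the anonymous tests (test_api_users_retrieve_me_anonymous appears as context further down) show that missing credentials are rejected, but no test shows that a session produced the way the commit message describes is accepted. Since that reason is stated only in the commit message, record it where the tests live, for example a comment next to `pytestmark = pytest.mark.django_db`: `# Tests authenticate with force_login; the OIDC session flow is not exercised here.`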
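Review bot: The docstring of test_api_users_retrieve_authenticated_self still says `The returned object should not contain the password.` while the test asserts a 405 and `{"detail": 'Method "GET" not allowed.'}`, so no object is returned and the sentence no longer describes what is checked. The same mismatch applies to test_api_users_retrieve_authenticated_other in the next hunk, whose context line promises `limited information`. Suggest rewording to `Retrieving a user by id is not exposed: GET on the user detail path must answer 405 even for the user themselves.` The function header and the first docstring lines lie outside this hunk.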
@@ -100,12 +105,14 @@ def test_api_users_retrieve_authenticated_other(): limited information. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) other_user = factories.UserFactory() - response = APIClient().get( - f"/api/v1.0/users/{other_user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.get( + f"/api/v1.0/users/{other_user.id!s}/", ) assert response.status_code == 405 assert response.json() == {"detail": 'Method "GET" not allowed.'} @@ -128,16 +135,17 @@ def test_api_users_create_anonymous(): def test_api_users_create_authenticated(): """Authenticated users should not be able to create users via the API.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) - response = APIClient().post( + client = APIClient() + client.force_login(user) + + response = client.post( "/api/v1.0/users/", { "language": "fr-fr", "password": "mypassword", }, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 404 assert "Not Found" in response.content.decode("utf-8") @@ -174,18 +182,19 @@ def test_api_users_update_authenticated_self(): and "timezone" fields. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) old_user_values = dict(serializers.UserSerializer(instance=user).data) new_user_values = dict( serializers.UserSerializer(instance=factories.UserFactory()).data ) - response = APIClient().put( + response = client.put( f"/api/v1.0/users/{user.id!s}/", new_user_values, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 
@@ -201,17 +210,18 @@ def test_api_users_update_authenticated_self(): def test_api_users_update_authenticated_other(): """Authenticated users should not be allowed to update other users.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) user = factories.UserFactory() old_user_values = dict(serializers.UserSerializer(instance=user).data) new_user_values = serializers.UserSerializer(instance=factories.UserFactory()).data - response = APIClient().put( + response = client.put( f"/api/v1.0/users/{user.id!s}/", new_user_values, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -253,7 +263,9 @@ def test_api_users_patch_authenticated_self(): and "timezone" fields. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) old_user_values = dict(serializers.UserSerializer(instance=user).data) new_user_values = dict( @@ -261,11 +273,10 @@ def test_api_users_patch_authenticated_self(): ) for key, new_value in new_user_values.items(): - response = APIClient().patch( + response = client.patch( f"/api/v1.0/users/{user.id!s}/", {key: new_value}, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 200 @@ -281,7 +292,9 @@ def test_api_users_patch_authenticated_self(): def test_api_users_patch_authenticated_other(): """Authenticated users should not be allowed to patch other users.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) user = factories.UserFactory() old_user_values = dict(serializers.UserSerializer(instance=user).data) 
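Review bot: In test_api_users_update_authenticated_other the new `client.force_login(user)` is immediately followed by `user = factories.UserFactory()`, so the same name denotes the logged-in account on one line and the target account on the next; the shadowing predates this commit, but with the login call now sitting right above the rebinding it is easy to misread which user the client holds. Rename the second binding to `other_user = factories.UserFactory()` and use it in `old_user_values = dict(serializers.UserSerializer(instance=other_user).data)` and `f"/api/v1.0/users/{other_user.id!s}/"`. test_api_users_patch_authenticated_other, the last hunk on this line, has the identical pattern (its loop and request sit in the following hunk), while test_api_users_retrieve_authenticated_other and test_api_users_delete_authenticated already use `other_user`, so the rename also makes the file consistent.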
@@ -290,11 +303,10 @@ def test_api_users_patch_authenticated_other(): ) for key, new_value in new_user_values.items(): - response = APIClient().put( + response = client.put( f"/api/v1.0/users/{user.id!s}/", {key: new_value}, format="json", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 403 @@ -319,11 +331,12 @@ def test_api_users_delete_list_authenticated(): """Authenticated users should not be allowed to delete a list of users.""" factories.UserFactory.create_batch(2) user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) client = APIClient() + client.force_login(user) + response = client.delete( - "/api/v1.0/users/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + "/api/v1.0/users/", ) assert response.status_code == 404 @@ -345,11 +358,14 @@ def test_api_users_delete_authenticated(): Authenticated users should not be allowed to delete a user other than themselves. """ user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) + + client = APIClient() + client.force_login(user) + other_user = factories.UserFactory() - response = APIClient().delete( - f"/api/v1.0/users/{other_user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}" + response = client.delete( + f"/api/v1.0/users/{other_user.id!s}/", ) assert response.status_code == 405 @@ -359,11 +375,12 @@ def test_api_users_delete_authenticated(): def test_api_users_delete_self(): """Authenticated users should not be able to delete their own user.""" user = factories.UserFactory() - jwt_token = OIDCToken.for_user(user) - response = APIClient().delete( + client = APIClient() + client.force_login(user) + + response = client.delete( f"/api/v1.0/users/{user.id!s}/", - HTTP_AUTHORIZATION=f"Bearer {jwt_token}", ) assert response.status_code == 405
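Review bot: test_api_users_patch_authenticated_other still issues `response = client.put(` inside its per-field loop, so this PATCH test never sends a PATCH; the 403 it asserts comes from a full update, whereas the self variant on the previous line uses client.patch for the same loop. Change the call to `response = client.patch(` so the partial-update path is the one shown to be forbidden for other users. The loop's setup and the function header are outside this hunk.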