TMSS-138: Restrict access to Cycle view via REST calls, add tests to...

TMSS-138: Restrict access to Cycle view via REST calls, add tests to demonstrate use of groups and permissions

TMSS-138: Restrict access to Cycle view via REST calls, add tests to...
TMSS-138: Restrict access to Cycle view via REST calls, add tests to demonstrate use of groups and permissions
71db34b5 · Joern jkuensem · Jorrit Schaap · f58a52ef · 71db34b5 · 71db34b5
Commit 71db34b5 authored Feb 04, 2020 by Joern jkuensem Committed by Jorrit Schaap Feb 14, 2020
3 changed files
--- a/SAS/TMSS/src/tmss/settings.py
+++ b/SAS/TMSS/src/tmss/settings.py
@@ -192,8 +192,8 @@ if "OIDC_RP_CLIENT_ID" in os.environ.keys():
    OIDC_DRF_AUTH_BACKEND = 'mozilla_django_oidc.auth.OIDCAuthenticationBackend'

    # For talking to Mozilla Identity Provider:
-    OIDC_RP_SCOPES = "openid email groups"
-    OIDC_RP_CLIENT_ID = os.environ.get('OIDC_RP_CLIENT_ID', '1')  # Secret, do not put real credentials on Git
+    OIDC_RP_SCOPES = "openid email profile"  # todo: groups are not a standard scope, how to handle those?
+    OIDC_RP_CLIENT_ID = os.environ.get('OIDC_RP_CLIENT_ID', '2')  # Secret, do not put real credentials on Git
    OIDC_RP_CLIENT_SECRET = os.environ.get('OIDC_RP_CLIENT_SECRET',
                                           'secret')  # Secret, do not put real credentials on Git
    OIDC_ENDPOINT_HOST = os.environ.get('OIDC_ENDPOINT_HOST', 'tmss_test_oidc')
@@ -233,6 +233,7 @@ else:
    REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'].append('rest_framework.permissions.AllowAny')
    logger.warning("No authentication configured! please set either OIDC_RP_CLIENT_ID or TMSS_LDAPCREDENTIALS environment variable.")

+
 LOGIN_REDIRECT_URL = "/api/"
 LOGIN_REDIRECT_URL_FAILURE = "/api/"
 LOGOUT_REDIRECT_URL = "/api/"

--- a/SAS/TMSS/test/CMakeLists.txt
+++ b/SAS/TMSS/test/CMakeLists.txt
@@ -25,6 +25,7 @@ if(BUILD_TESTING)
    lofar_add_test(t_tmssapp_scheduling_django)
    lofar_add_test(t_tmssapp_scheduling_functional)
    lofar_add_test(t_subtask_validation)
+    lofar_add_test(t_tmssapp_specification_permissions)

    # set_tests_properties(t_tmssapp_scheduling_functional PROPERTIES TIMEOUT 300)
 endif()

--- a/SAS/TMSS/test/t_tmssapp_specification_permissions.py
+++ b/SAS/TMSS/test/t_tmssapp_specification_permissions.py
@@ -91,7 +91,6 @@ class CycleTest(rest_framework.test.APITransactionTestCase):
        res = client.post('%s/cycle/' % BASE_URI, data=self.test_data_2)
        self.assertEqual(res.status_code, 201)

-
    def test_Cycle_cannot_be_deleted_without_group(self):

        self.user.groups.set([])
@@ -107,7 +106,7 @@ class CycleTest(rest_framework.test.APITransactionTestCase):
        self.assertEqual(res.status_code, 403)
        self.assertEqual(count + 1, len(models.Cycle.objects.all()))

-    def test_Cycle_can_be_deleted_by_admin(self):
+    def test_Cycle_can_only_be_deleted_by_admin(self):

        self.user.groups.set([self.admin_group])

@@ -120,4 +119,6 @@ class CycleTest(rest_framework.test.APITransactionTestCase):
        # delete
        res = client.delete(url)
        self.assertEqual(res.status_code, 204)
+
+        new_count = len(models.Cycle.objects.all())
        self.assertEqual(count, len(models.Cycle.objects.all()))
\ No newline at end of file