From 71db34b57f4bd61dec670bc73f9aedcf121708dd Mon Sep 17 00:00:00 2001
From: jkuensem <jkuensem@physik.uni-bielefeld.de>
Date: Tue, 4 Feb 2020 18:26:50 +0100
Subject: [PATCH] TMSS-138: Restrict access to Cycle view via REST calls, add
 tests to demonstrate use of groups and permissions

---
 SAS/TMSS/src/tmss/settings.py                        | 5 +++--
 SAS/TMSS/test/CMakeLists.txt                         | 1 +
 SAS/TMSS/test/t_tmssapp_specification_permissions.py | 5 +++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/SAS/TMSS/src/tmss/settings.py b/SAS/TMSS/src/tmss/settings.py
index f087c50bffa..85ce3ea7453 100644
--- a/SAS/TMSS/src/tmss/settings.py
+++ b/SAS/TMSS/src/tmss/settings.py
@@ -192,8 +192,8 @@ if "OIDC_RP_CLIENT_ID" in os.environ.keys():
     OIDC_DRF_AUTH_BACKEND = 'mozilla_django_oidc.auth.OIDCAuthenticationBackend'
 
     # For talking to Mozilla Identity Provider:
-    OIDC_RP_SCOPES = "openid email groups"
-    OIDC_RP_CLIENT_ID = os.environ.get('OIDC_RP_CLIENT_ID', '1')  # Secret, do not put real credentials on Git
+    OIDC_RP_SCOPES = "openid email profile"  # todo: groups are not a standard scope, how to handle those?
+    OIDC_RP_CLIENT_ID = os.environ.get('OIDC_RP_CLIENT_ID', '2')  # Secret, do not put real credentials on Git
     OIDC_RP_CLIENT_SECRET = os.environ.get('OIDC_RP_CLIENT_SECRET',
                                            'secret')  # Secret, do not put real credentials on Git
     OIDC_ENDPOINT_HOST = os.environ.get('OIDC_ENDPOINT_HOST', 'tmss_test_oidc')
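Review bot: The new default `'2'` on the `OIDC_RP_CLIENT_ID` line is unreachable: the enclosing `if "OIDC_RP_CLIENT_ID" in os.environ.keys():` shown in the hunk header guarantees the variable is set, so the fallback only suggests a configuration path that does not exist and `os.environ['OIDC_RP_CLIENT_ID']` would state the intent directly. The neighbouring `OIDC_RP_CLIENT_SECRET` fallback `'secret'` is the riskier one, since a deployment that sets the client id but forgets the secret silently starts with a guessable credential; reading it as `os.environ['OIDC_RP_CLIENT_SECRET']` (or at least logging a warning when the default is taken) would surface the misconfiguration. The scope change drops `groups` while this commit makes permissions depend on group membership, so the todo should say where groups are expected to come from now — presumably local Django groups, as the tests assign them with `user.groups.set(...)`, but that is not visible here. The rest of the OIDC block continues outside the hunk.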
@@ -233,6 +233,7 @@ else:
     REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'].append('rest_framework.permissions.AllowAny')
     logger.warning("No authentication configured! please set either OIDC_RP_CLIENT_ID or TMSS_LDAPCREDENTIALS environment variable.")
 
+
 LOGIN_REDIRECT_URL = "/api/"
 LOGIN_REDIRECT_URL_FAILURE = "/api/"
 LOGOUT_REDIRECT_URL = "/api/"
diff --git a/SAS/TMSS/test/CMakeLists.txt b/SAS/TMSS/test/CMakeLists.txt
index 97461ce8d99..96f2c42d0e5 100644
--- a/SAS/TMSS/test/CMakeLists.txt
+++ b/SAS/TMSS/test/CMakeLists.txt
@@ -25,6 +25,7 @@ if(BUILD_TESTING)
     lofar_add_test(t_tmssapp_scheduling_django)
     lofar_add_test(t_tmssapp_scheduling_functional)
     lofar_add_test(t_subtask_validation)
+    lofar_add_test(t_tmssapp_specification_permissions)
 
     # set_tests_properties(t_tmssapp_scheduling_functional PROPERTIES TIMEOUT 300)
 endif()
diff --git a/SAS/TMSS/test/t_tmssapp_specification_permissions.py b/SAS/TMSS/test/t_tmssapp_specification_permissions.py
index 847a883c6a8..5408352e981 100644
--- a/SAS/TMSS/test/t_tmssapp_specification_permissions.py
+++ b/SAS/TMSS/test/t_tmssapp_specification_permissions.py
@@ -91,7 +91,6 @@ class CycleTest(rest_framework.test.APITransactionTestCase):
         res = client.post('%s/cycle/' % BASE_URI, data=self.test_data_2)
         self.assertEqual(res.status_code, 201)
 
-
     def test_Cycle_cannot_be_deleted_without_group(self):
 
         self.user.groups.set([])
@@ -107,7 +106,7 @@ class CycleTest(rest_framework.test.APITransactionTestCase):
         self.assertEqual(res.status_code, 403)
         self.assertEqual(count + 1, len(models.Cycle.objects.all()))
 
-    def test_Cycle_can_be_deleted_by_admin(self):
+    def test_Cycle_can_only_be_deleted_by_admin(self):
 
         self.user.groups.set([self.admin_group])
 
@@ -120,4 +119,6 @@ class CycleTest(rest_framework.test.APITransactionTestCase):
         # delete
         res = client.delete(url)
         self.assertEqual(res.status_code, 204)
+
+        new_count = len(models.Cycle.objects.all())
         self.assertEqual(count, len(models.Cycle.objects.all()))
\ No newline at end of file
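Review bot: The new local `new_count` is never read; the assertion on the next line re-queries `len(models.Cycle.objects.all())`, so the variable is dead and the two values could differ if the table changed between the calls. Either drop it or use it: `self.assertEqual(count, new_count)`. Since only the size is needed, `models.Cycle.objects.count()` avoids materialising every row, and the same applies to the `count + 1` comparison in the previous hunk. The test method and the `count` assignment begin outside the hunk, and the file still ends without a trailing newline.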
-- 
GitLab